Cyber trends for 2023

Nothing is more difficult than making predictions, especially in the fast-advancing cyber security field. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that many people and publications have predicted for 2023.

HTTPS: These days HTTPS has effectively become the default transport for web browsing. Most notably, the Chrome browser now marks any older HTTP website as “Not Secure” in the address bar. Chrome now attempts to “upgrade” to the HTTPS version of a website if you ever accidentally navigate to the insecure version. If a secure version isn’t available, an on-screen warning is shown, asking if you would like to continue. As HTTPS has become more common across the web, Google Chrome is preparing to launch a security option that will block “insecure” downloads over HTTP in the Chrome browser.

Malvertising: Cyber criminals will keep impersonating brands using search engine advertisement services to defraud users in 2023. The FBI is warning US consumers that cybercriminals are placing ads in search engine results that impersonate well-known brands, in an attempt to spread ransomware and steal financial information. Cybercriminals are purchasing ads that show up at the very top of search engine results, often purporting to link to a legitimate company’s website. However, anyone clicking on the link is instead taken to a lookalike page that may appear identical, but is in fact designed to phish for login credentials and financial details, or even trick the unwary into downloading ransomware. The FBI has advised consumers to use ad blockers to protect themselves from such threats.

Encrypted malware: The vast majority of malware arrives over encrypted connections, typically HTTPS web sessions. The vast majority of cyber-attacks over the past year have used TLS/SSL encryption to hide from security teams, traditional firewalls and many other security tools. Over 85% of attacks hide in encrypted channels, and the WatchGuard Threat Lab report finds the top threat arriving exclusively over encrypted connections. If you are not inspecting encrypted traffic when it enters your network, you will not be able to detect most malware at the network level. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

Software vulnerabilities: Weak configurations for encryption and missing security headers will still be very common in 2023. In 2022, nearly every application had at least one vulnerability or misconfiguration affecting security, and a quarter of application tests found a highly or critically severe vulnerability. Read more at Misconfigurations, Vulnerabilities Found in 95% of Applications.

Old vulnerabilities: You will see attackers try to use old vulnerabilities again in 2023 because they work. Attackers will take the path of least resistance, and as long as vendors don’t consistently perform thorough root-cause analysis when fixing security vulnerabilities, it will continue to be worth investing time in trying to revive known vulnerabilities before looking for novel ones. There are many companies that do not patch their systems in a reasonable time or at all, so they stay vulnerable. New variations of old vulnerabilities are also developed: approximately 50% of the observed 0-days in the first half of 2022 were variants of previously patched vulnerabilities.

Security gaps: There are still big gaps in companies’ cyber security. The rapid advancement of technology in all industries has led to the threat of ever-increasing cyberattacks that target businesses, governments, and individuals alike. Lack of knowledge, failure to maintain employees’ skills, and indifference are the strongest obstacles to the development of many companies’ cyber security. While security screening and limiting who has access to your data are both important aspects of personnel security, they will only get you so far.

Cloud: At a hyperscale cloud provider, there can be several thousand people working around the globe who could potentially access your data. Security screening and access limiting alone still leave a significant risk of malicious or accidental access to data. Instead, you should expect your cloud provider to take a more layered approach.

MFA: MFA fatigue attacks are putting your organization at risk in 2023. Multi-factor auth fatigue is real. A common threat targeting businesses is the MFA fatigue attack, a technique where a cybercriminal attempts to gain access to a corporate network by bombarding a user with MFA prompts until they finally accept one. This attempt can be successful, especially when the target victim is distracted or overwhelmed by the notifications or mistakes them for legitimate authentication requests. It’s a huge threat because it bypasses one of the most effective security measures.
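
The bombardment pattern described above is visible in authentication logs: many prompts for one user in a short window, mostly denied, followed by an approval. The detection below is an added example written for this post (not from any identity provider); the log format and sample lines are constructed, so only `parse_line()` needs adapting to a real IdP’s export.

```python
"""Spot MFA push-bombing ("MFA fatigue") in authentication logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each line is
# "<ISO timestamp> <user> <event>" with events mfa_push_sent,
# mfa_push_denied and mfa_push_approved. alice is bombarded and finally
# approves, bob approves a single prompt, carol gets two prompts 30 min apart.
SAMPLE_LOG = """\
2023-01-10T08:00:01Z alice mfa_push_sent
2023-01-10T08:00:20Z alice mfa_push_denied
2023-01-10T08:00:35Z alice mfa_push_sent
2023-01-10T08:00:50Z alice mfa_push_denied
2023-01-10T08:01:10Z alice mfa_push_sent
2023-01-10T08:01:25Z alice mfa_push_denied
2023-01-10T08:01:40Z alice mfa_push_sent
2023-01-10T08:01:55Z alice mfa_push_denied
2023-01-10T08:02:10Z alice mfa_push_sent
2023-01-10T08:02:30Z alice mfa_push_approved
2023-01-10T09:15:00Z bob mfa_push_sent
2023-01-10T09:15:08Z bob mfa_push_approved
2023-01-10T10:00:00Z carol mfa_push_sent
2023-01-10T10:00:30Z carol mfa_push_denied
2023-01-10T10:30:00Z carol mfa_push_sent
2023-01-10T10:30:10Z carol mfa_push_approved
"""

WINDOW = timedelta(minutes=10)   # sliding window per user
PROMPT_THRESHOLD = 4             # prompts inside the window that count as a burst


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return a list of alert dicts, in log order.

    kind == "burst": the threshold-th prompt inside the window was just sent
    (early warning while the bombardment may still be going on).
    kind == "approved_after_burst": the user approved a prompt while the
    window still held at least `threshold` prompts. Treat this as a probable
    compromise: revoke the session, reset the MFA factor, contact the user.
    Number matching on the push prompt is the mitigation that stops the
    blind "accept" from succeeding in the first place.
    """
    history = defaultdict(deque)   # user -> (timestamp, event) within window
    alerts = []
    for raw in log_text.strip().splitlines():
        ts, user, event = parse_line(raw)
        hist = history[user]
        while hist and ts - hist[0][0] > window:   # expire events outside window
            hist.popleft()
        hist.append((ts, event))
        sent = sum(1 for _, e in hist if e == "mfa_push_sent")
        denied = sum(1 for _, e in hist if e == "mfa_push_denied")
        if event == "mfa_push_sent" and sent == threshold:
            alerts.append({"kind": "burst", "user": user, "at": ts,
                           "prompts": sent, "denials": denied})
        elif event == "mfa_push_approved" and sent >= threshold:
            alerts.append({"kind": "approved_after_burst", "user": user,
                           "at": ts, "prompts": sent, "denials": denied})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```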

Passwords: Passwords will not go away completely even though new solutions to replace them will be pushed to users. When you create passwords or passphrases, make them good and long enough to be secure. Including a comma character in the password can make it harder for cyber criminals to use it if for some reason it leaks out. The reason is that a comma in a password can confuse the layout of tabular comma-separated values (CSV) files, which are a common way to collect and distribute stolen passwords.
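
The comma trick only defeats tooling that splits on commas without honoring CSV quoting. This added example (written for this post, the credential record is constructed) shows both outcomes side by side: a careless writer/reader pair loses the password, while a quoting-aware pair round-trips it intact.

```python
"""Does a comma in a password really break a credential dump in CSV form?"""
import csv
import io

# Constructed sample record (not real data); the password contains commas.
RECORD = ["victim@example.com", "correct,horse,battery", "2023-01-05"]


def dump_naive(fields):
    """A careless dump writer: joins fields with commas, no quoting."""
    return ",".join(fields)


def dump_proper(fields):
    """An RFC 4180 style writer: fields containing the delimiter get quoted."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(fields)
    return buf.getvalue()


def parse_naive(line):
    """A careless reader: split on every comma."""
    return line.split(",")


def parse_proper(line):
    """A quoting-aware reader using the csv module."""
    return next(csv.reader([line]))


def password_survives(writer, reader, fields=RECORD):
    """True if the password field comes back intact after a write/read round trip."""
    parsed = reader(writer(fields))
    return len(parsed) == len(fields) and parsed[1] == fields[1]


if __name__ == "__main__":
    for w in (dump_naive, dump_proper):
        for r in (parse_naive, parse_proper):
            print(f"{w.__name__:12s} -> {r.__name__:12s}: "
                  f"{'intact' if password_survives(w, r) else 'garbled'}")
```

Only the quoting-aware writer and reader together keep the password; any sloppy step in the chain splits it into three fields.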

EU: The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity; its successor is Network and Information Security 2, also known as NIS2. Rules requiring EU countries to meet stricter supervisory and enforcement measures and harmonise their sanctions were approved by MEPs in late 2022. They will start to affect security decisions in 2023. The new rules will set tighter cybersecurity obligations for risk management, reporting obligations and information sharing. The requirements cover incident response, supply chain security, encryption and vulnerability disclosure, among other provisions. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in selected sectors would fall under the legislation. The NIS Directive has impacted the cybersecurity budget of operators over the past year, with deep-dives into the Energy and Health sectors. See Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

USA: CISA has released cross-sector cybersecurity performance goals (CPGs) in response to President Biden’s 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems. Since then, the CPGs have been regarded by the cybersecurity community as “the floor” and “a baseline” for cybersecurity hygiene and practices. Many organizations overlook OT as part of their cybersecurity strategy, keeping their focus solely on IT systems. Especially in the critical infrastructure sectors, overlooking OT can pose serious risks to all operations. As a result, the released CPGs are explicitly scoped to include OT devices.

Android: Android security will advance in 2023 in many ways. Android is adding support for updatable root certificates in the next Android 14 release. Google Play now lets children send purchase requests to guardians.

Losing trust: The world’s biggest tech companies have lost confidence in one of the Internet’s behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products.

Need for better communication: At a time when less than a fifth (18%) of risk and compliance professionals profess to be very confident in their ability to clearly communicate risk to the board, it’s clear that lines of communication—not to mention understanding—must be improved.

Supply chain risks: Watch for geopolitical instability to continue to be a governance issue, particularly with the need to oversee third-party and supply chain risk.

Governance: For boards and management, heightened pressure around climate action dovetails with the SEC’s proposed rules about cybersecurity oversight, which may soon become law. When they do, companies will need to prepare for more disclosures about their cybersecurity policies and procedures. With fresh scrutiny on directors’ cybersecurity expertise, or lack thereof, boards will need to take their cyber savviness to the next level as well.

Privacy and data protection: Privacy and data protection are the big story for compliance officers in 2023, with expanding regulations soon expected to cover five billion citizens.

Auditing: Audit’s role in corporate governance and risk management has been evolving. Once strictly focused on finance and compliance, internal audit teams are now increasingly expected to help boards and executive management identify, prioritize, manage and mitigate interconnected risks across the organization.

Business risks: In 2023, business risks will run the gamut: geopolitical volatility, talent management, DEI (Diversity, Equity, and Inclusion), ESG (Environmental, Social, and Governance), IT security amid continued remote and hybrid work, and business continuity amid the threat of large-scale operational and utility interruptions. There is also the challenge that executives take more cybersecurity risks than office workers: leaders engage in more dangerous behavior and are four times more likely to be victims of phishing than office workers.

Integrated Risk Management: Look for risk to be increasingly viewed as a driver of business performance and value as digital landscapes and business models evolve. Forward-looking companies will embed integrated risk management (IRM) into their business strategy, so they can better understand the risks associated with new strategic initiatives and be able to pivot as necessary. Keep in mind that executives take more cybersecurity risks than office workers.

Zero trust: Many people think that Zero Trust is a pretty optimal security practice in 2023. It is good for new systems that its model suits, but Zero Trust also has challenges. Incorporating zero trust into an existing network can be very expensive. The Zero Trust Shouldn’t Be The New Normal article says that the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource-pooled cloud federation, doesn’t coexist well with zero trust. To usefully emulate the kind of informed trust model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk. That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Poor software: There will be a lot of poor software in use in 2023 and it will cost lots of money. Poor software costs the US 2.4 trillion: cyberattacks due to existing vulnerabilities, complex issues involving the software supply chain, and the growing impact of rapidly accumulating technical debt have led to a build-up of historic software deficiencies.

Microsoft: Microsoft will permanently turn off Exchange Online basic authentication starting in early January 2023 to improve security. A Microsoft Edge update will permanently disable the Internet Explorer 11 desktop web browser on some Windows 10 systems in February. This means that “The out-of-support Internet Explorer 11 (IE11) desktop application is scheduled to be permanently disabled on certain versions of Windows 10 devices on February 14, 2023, through a Microsoft Edge update, not a Windows update as previously communicated”.

Google Workspace: Google Workspace gets client-side encryption in Gmail. The long-awaited client-side encryption for Gmail is available in beta. Google is letting businesses try out client-side encryption for Gmail, but it’s probably not coming to personal accounts anytime soon. Google has already enabled optional client-side encryption for many Workspace services.

Passkeys: Google has made passkey support available in the stable version of Chrome. Passkeys use biometric verification to authenticate users and are meant to replace the use of passwords, which can be easily compromised. Passkeys are usable cross-platform with both applications and websites. Passkeys offer the same experience that password autofill does, but provide the advantage of passwordless authentication. They cannot be reused, don’t leak in server breaches, and protect users from phishing attacks. Passkeys are only available for websites that provide support for them via the WebAuthn API.

War risks: Watch for the war between Russia and Ukraine to continue in both the real world and the cyber world in 2023. Cyber is as important as missile defences, according to an ex-NATO general. The risk of escalation from cyber attacks has never been greater. A cyber attack on the German ports of Bremerhaven or Hamburg would severely impede NATO efforts to send military reinforcements to allies, retired U.S. General Ben Hodges told Reuters.

Cloud takeover: The AWS Elastic IP Transfer feature gives cyberattackers free range. Threat actors can take over victims’ cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

ICS: ICS and SCADA systems remain trending attack targets also in 2023.

Code security: Microsoft-owned code hosting platform GitHub has just announced multiple security improvements, including free secret scanning for public repositories and mandatory two-factor authentication (2FA) for developers and contributors. The secret scanning program is meant to help developers and organizations identify exposed secrets and credentials in their code. In 2022, code scanning helped identify 1.7 million potential secrets exposed in public repositories. Now the feature is available for free for all public repositories, to help prevent secret exposures and secure the open source ecosystem. With secret scanning alerts, you can track and act on leaked secrets directly within GitHub.

Data destruction: We must develop a cloud-compatible way of doing destruction that meets security standards. Maybe cloud providers can come up with a service to provide this capability, since only they have direct access to the underlying hardware. They have never been shy about inventing new services to charge for, and certainly plenty of companies would be eager to pay for such a service, if the appropriate certificates of destruction were provided.

PCI DSS: PCI DSS 4.0 should be on your radar in 2023 if you work in a field that needs to comply with it. The latest version of the standard will bring a new focus to an overlooked yet critically important area of security. For a long time, client-side threats, which involve security incidents and breaches that occur on the customer’s computer rather than on the company’s servers or in between the two, were disregarded. But that’s changing with the release of PCI DSS 4.0. Now, many new requirements focus on client-side security.

SHA-1: NIST retires the SHA-1 cryptographic algorithm, not fully in 2023, but it starts preparations for the phase-out. The venerable cryptographic hash function has vulnerabilities that make its further use inadvisable. According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm using a technique referred to as a ‘collision’ attack. SHA-1, whose initials stand for secure hash algorithm, has been in use since 1995 as part of the Federal Information Processing Standard, and NIST has announced that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms. The US National Institute of Standards and Technology (NIST) recommended that IT professionals start replacing the 27-year-old SHA-1 cryptographic algorithm with newer, more secure ones. Because SHA-1 is used as the foundation of numerous security applications, the phase-out period will take many years. Tech giants such as Google, Facebook, Microsoft and Mozilla have already taken steps to move away from the SHA-1 cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Cloud: Is cloud native security good enough? Cloud native technologies enable organizations to tap into the agility required to keep up in the current competitive landscape and to create new business models. But achieving efficient, flexible, distributed and resilient cloud native security is tough. All major public cloud providers (Amazon Web Services (AWS), Microsoft Azure and Google Cloud) of course offer security features and services, which are designed to address significant threats to cloud-based data. However, in spite of this, public cloud providers’ security tools commonly fail to meet operational needs, and their limitations should prompt organizations to consider or reconsider how they are protecting public cloud environments.

Privacy: The Privacy War Is Coming. Privacy standards are only going to increase. It’s time for organizations to get ahead of the coming reckoning.

Ethical hacking: Ethical hacking has become a highly sought-after career route for emerging tech aspirants. The role of ethical hackers enables countless businesses and individuals to improve their security posture and minimize the potential attack risk for organizations. But there are several analysts who believe that becoming a self-taught ethical hacker in 2023 might not be worth it, because they are at constant risk of failing to perform properly and many companies might not want to hire a self-taught ethical hacker.

MFA: Two factor authentication might not be enough in 2023 for applications that need good security. In the past few months, we’ve seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication (2FA), challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. So for some demanding users 2FA is over. Long live 3FA!

Cloud APIs: With cloud come APIs and security headaches, also in 2023. Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months. According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies’ use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots. About 40% of companies have suffered an incident due to misconfiguration and a third are coping with the latter two issues. Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but more than three-quarters (77%) are confident that they will catch issues, saying they have the required API tools and solutions.

Lack of cyber security workers: Businesses need to secure their assets and ensure the continuous readiness of employees to respond to a cyberattack if they want to move forward safely and avoid losses caused by cybercriminals or malicious attackers. There is an acute shortage of cyber security professionals. As Threat Levels remain high, companies and organizations remain on alert – but face ongoing challenges in finding and retaining the right people with the required skill levels. There is a significant skills gap and a clear need for hiring cyber security experts in organizations across the world.

VPN: Is Enterprise VPN on Life Support or Ripe for Reinvention? While enterprise VPNs fill a vital role for business, they have several limitations. To get work-from-anywhere initiatives off the ground quickly and keep their business afloat, many organizations turned to enterprise virtual private networks (VPNs). This allowed them to connect their remote employees to critical business operations at the corporate site. However, as fast as VPNs were deployed, organizations learned their limitations and security risks. So are traditional VPNs really “dead” as some industry analysts and pundits claim? Or do they simply need a refresh? Time will tell, and this will be discussed in 2023.

AI: Corporations have discovered the power of artificial intelligence (A.I.) to transform what’s possible in their operations. But with great promise comes great responsibility—and a growing imperative for monitoring and governance. “As algorithmic decision-making becomes part of many core business functions, it creates the kind of enterprise risks to which boards need to pay attention.”

AI dangers: Large AI language models have potential dangers. AI is better at fooling humans than ever—and the consequences will be serious. A Wired magazine article expects that in 2023 we may well see our first death by chatbot. Causality will be hard to prove: was it really the words of the chatbot that put the murderer over the edge? Or perhaps a chatbot has broken someone’s heart so badly they felt compelled to take their own life?

Metaverse: Police must prepare for new crimes in the metaverse, says Europol. It encourages law enforcement agencies to start considering the ways in which existing types of crime could spread to virtual worlds, while entirely new crimes could start to appear. Read the Policing in the metaverse: what law enforcement needs to know report for more information.

Blockchain: Digital products like cryptocurrency and blockchain will affect a company’s risk profile. Boards and management will need to understand these assets’ potential impact and align governance with their overall risk and business strategies. The year 2022 already showed many cryptocurrency-related risks being realized. More “crypto travel rules” are being enacted to combat money laundering and terrorism financing.

Insurance: Getting cyber insurance can become harder and more expensive in 2023. Insurance executives have been increasingly vocal in recent years about systemic risks, and now cyber is increasingly the risk to watch. Spiralling cyber losses in recent years have prompted emergency measures by the sector’s underwriters to limit their exposure. There is growing concern among industry executives about large-scale strikes. As well as pushing up prices, some insurers have responded by tweaking policies so clients retain more losses. There are already insurance policies in the market that have an exemption for state-backed attacks, but the difficulty of identifying those behind attacks and their affiliations makes such exemptions legally fraught. The chief executive of one of Europe’s biggest insurance companies has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Recent attacks have disrupted hospitals, shut down pipelines and targeted government departments. “What if someone takes control of vital parts of our infrastructure, the consequences of that?” In September, the US government called for views on whether a federal insurance response to cyber was warranted.


Expert advises using a comma in your password – there is a clever logic behind it

Overseeing artificial intelligence: Moving your board from reticence to confidence

Android is adding support for updatable root certificates amidst TrustCor scare

Google Play now lets children send purchase requests to guardians

Diligent’s outlook for 2023: Risk is the trend to watch

Microsoft will turn off Exchange Online basic auth in January

Google is letting businesses try out client-side encryption for Gmail

Google Workspace Gets Client-Side Encryption in Gmail

The risk of escalation from cyberattacks has never been greater

Client-side encryption for Gmail available in beta

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Microsoft: Edge update will disable Internet Explorer in February

Is Cloud Native Security Good Enough?

The Privacy War Is Coming

Top Reasons Not to Become a Self-Taught Ethical Hacker in 2023

Google Chrome preparing an option to block insecure HTTP downloads

Cyber attacks set to become ‘uninsurable’, says Zurich chief

The Dark Risk of Large Language Models

Police Must Prepare For New Crimes In The Metaverse, Says Europol

Policing in the metaverse: what law enforcement needs to know

Cyber as important as missile defences – an ex-NATO general

Misconfigurations, Vulnerabilities Found in 95% of Applications

Mind the Gap

Companies’ cyber security still has big gaps. Expert: it is even a question of national security

Personnel security in the cloud

Multi-factor auth fatigue is real – and it’s why you may be in the headlines next

MFA Fatigue attacks are putting your organization at risk

Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience | News | European Parliament

NIS2 approved – stricter cyber security requirements for EU countries

Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

Poor software costs the US 2.4 trillion

Passkeys Now Fully Supported in Google Chrome

Google Takes Gmail Security to the Next Level with Client-Side Encryption

Executives take more cybersecurity risks than office workers

NIST Retires SHA-1 Cryptographic Algorithm

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Over 85% of Attacks Hide in Encrypted Channels

GitHub Announces Free Secret Scanning, Mandatory 2FA

Leaked a secret? Check your GitHub alerts…for free

Data Destruction Policies in the Age of Cloud Computing

Why PCI DSS 4.0 Should Be on Your Radar in 2023

2FA is over. Long live 3FA!

Google: With Cloud Comes APIs & Security Headaches

Digesting CISA’s Cross-Sector Cybersecurity Performance Goals

Zero Trust Shouldn’t Be The New Normal

Don’t click too quick! FBI warns of malicious search engine ads

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users

There is an acute shortage of cyber security professionals

Is Enterprise VPN on Life Support or Ripe for Reinvention?


  1. Tomi Engdahl says:

    Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments
    Today, CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services.

  2. Tomi Engdahl says:

    Remarks on Chat Control
    On March 23 I was invited to participate in a panel discussion at the European Internet Services Providers Association (EuroISPA). The focus of this discussion was on recent legislative proposals, especially the EU Commission’s new chat control content scanning proposal, as well as the future of encryption and fundamental rights. These are the introductory remarks I prepared.

  3. Tomi Engdahl says:

    CISA, NSA Issue Guidance for IAM Administrators

    New CISA and NSA guidance includes recommended best practices for identity and access management (IAM) administrators.

    The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) this week announced new guidance for identity and access management (IAM) administrators.

    A framework for the management of digital identities, IAM covers the business processes, policies, and technologies that ensure user access to data.

    The basis for proper IAM involves inventorying, auditing, and tracking user identities and access, which represent daunting but necessary operations, especially with state-sponsored groups successfully exploiting vulnerabilities in IAM products and implementations, CISA and the NSA point out.

    According to Verizon’s 2022 Data Breach Investigation Report, stolen credentials have been used in most of the observed web application attacks, as well as in nearly half of reported data breaches.

  4. Tomi Engdahl says:

    Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform

    Intel’s newest vPro platform brings threat prevention features with dozens of security capabilities built into the silicon.

    Intel on Thursday announced the latest version of its vPro platform for the recently launched 13th Gen Core processors, claiming that it significantly improves security.

    The vPro platform is designed to enhance performance, security, manageability and stability. In terms of security, the chip giant says it can provide protection to hardware, firmware, operating systems, and applications through technologies such as Hardware Shield, Control Flow Enforcement Technology (CET), Threat Detection Technology (TDT), and Total Memory Encryption Multi-Key (TME-MK).

    Intel claims that the latest version of its vPro platform provides dozens of security capabilities that can help reduce the attack surface of a 13th Gen Core-powered computer by as much as 70% compared to a 4-year-old PC. This is based on an attack surface study conducted by cybersecurity firm IOActive.

    A study conducted by IDC found that, compared to non-Intel Windows PCs, Intel-powered Windows devices have a 26% lower risk of major security events and 21% fewer impactful security events, as well as 17% efficiency gains for security teams.

    However, it’s worth noting that both studies were commissioned by Intel so they should be taken with a grain of salt.

    “New IT-enabled memory encryption will also take virtualization-based security to a game-changing level in Windows,” Intel said. “Customers will have more choice with endpoint detection and response (EDR) vendors enabled with Intel Threat Detection Technology, bringing higher-efficacy detection of the latest threats.”

  5. Tomi Engdahl says:

    Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy

    On March 15, 2023, the SEC announced a proposal for new cybersecurity requirements for covered entities.

  6. Tomi Engdahl says:

    Tackling the Challenge of Actionable Intelligence Through Context

    Making threat intelligence actionable requires more than automation; it also requires contextualization and prioritization.

    Recognition of the importance of threat intelligence has been building for years. But it has taken center stage as the acceleration of digital transformation and the shift to hybrid work models have expanded the attack surface, and geopolitical events have raised the stakes for defenders to protect critical infrastructure and sensitive data. Government leaders are pointing to threat intelligence sharing and best practices as key components that have helped strengthen cybersecurity and mitigate the impact of cyberwarfare.

    Recent surveys corroborate the value organizations place on threat intelligence, but also reveal challenges in making threat intelligence actionable. Based on discussions with 1,350 business and IT leaders, Mandiant’s Global Perspectives on Threat Intelligence report (PDF) finds that while nearly all (96%) respondents are satisfied with the quality of their threat intelligence, 47% struggle to apply threat intel throughout the security organization and 70% say at least a majority of the time they make decisions without adversary insights.

  7. Tomi Engdahl says:

    Application Security
    ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks

    Black Lantern Security introduces Badsecrets, an open source tool for identifying known or weak cryptographic secrets across multiple platforms.

    Cybersecurity company Black Lantern this week announced Badsecrets, an open source tool that can help identify known or weak cryptographic secrets across many web frameworks.

    This pure Python library has a modular design and currently offers ten modules, which are meant as replacements for existing tools for finding known secrets.

    In fact, Badsecrets itself is inspired by Blacklist3r, a NotSoSecure project for gathering secret keys related to publicly available web frameworks and auditing applications that might be using these pre-published keys.

    The goal of Badsecrets, however, is to “expand on the supported platforms and remove language and operating system dependencies”.

  8. Tomi Engdahl says:

    CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
    The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.
    The U.S. government’s cybersecurity agency CISA has jumped into the fray to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.
    The agency rolled out a free hunt and incident response utility called Untitled Goose Tool that offers novel authentication and data gathering methods to manage a full investigation against enterprise deployments of Microsoft Azure, Azure Active Directory (AAD) and Microsoft 365 (M365).
    In a note documenting the release, CISA said the Untitled Goose Tool can also gather additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

    Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments
    Today, CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services.

  9. Tomi Engdahl says:

    UK creates fake DDoS-for-hire sites to identify cybercriminals
    The U.K.’s National Crime Agency (NCA) revealed today that they created multiple fake DDoS-for-hire service websites to identify cybercriminals who utilize these platforms to attack organizations.
    DDoS-for-hire services, also known as ‘booters,’ are online platforms offering, in exchange for money, to generate massive volumes of garbage HTTP requests towards a website or online service that overwhelm the web server and take it offline. These illegal services are bought by people aiming to take down a site or disrupt an organization’s operations for various reasons, including espionage, revenge, extortion, and political reasons.

  10. Tomi Engdahl says:

    EU Council extends product lifetime, clarifies scope in cybersecurity law
    A new Council text on the Cyber Resilience Act, seen by EURACTIV, removes the five-year limit to the product lifecycle, clarifies the regulation’s scope and makes automatic security updates the default option for connected devices. The Cyber Resilience Act is a legislative proposal to introduce essential security requirements for devices interconnected via the internet to send and receive data, also known as the Internet of Things (IoT).

  11. Tomi Engdahl says:

    UNC961 in the Multiverse of Mandiant: Three Encounters with a Financially Motivated Threat Actor
    This blog post covers the details and timeline of each intrusion conducted by UNC961, along with detection opportunities and examples of how Managed Defense’s proactive threat hunting, investigation, and response routinely limits the impact on our customers’ business and prevents their reality from being desecrated. Relevant MITRE ATT&CK® tactics and technique IDs are included in this blog post to indicate the threat actor’s objectives at various points in the intrusions.

  12. Tomi Engdahl says:

    New Dark Power ransomware claims 10 victims in its first month
    A new ransomware operation named ‘Dark Power’ has appeared, and it has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid. The ransomware gang’s encryptor has a compilation date of January 29, 2023, when the attacks started. Furthermore, the operation has not been promoted on any hacker forums or dark web spaces yet; hence it’s likely a private project.

  13. Tomi Engdahl says:

    Shifting Cybersecurity To A Prevention-First Mindset
    Cybersecurity threats are continuously evolving as hackers constantly seek new ways to infiltrate organizational networks. There has been a transition over the years from the castle-and-moat approach of perimeter defense to a focus on detection and response, with organizations investing heavily in EDR (endpoint detection and response), MDR (managed detection and response), XDR (extended detection and response), and other security tools to detect and respond to potential threats. However, as cyberattacks become more sophisticated, it seems like a prevention-first philosophy might be the better approach.

  14. Tomi Engdahl says:

    US to Adopt New Restrictions on Using Commercial Spyware

    Executive order will require the head of any U.S. agency using commercial spyware programs to certify that the program doesn’t pose a significant counterintelligence or other security risk.

    The U.S. government will restrict its use of commercial spyware tools that have been used to surveil human rights activists, journalists and dissidents around the world, under an executive order issued Monday by President Joe Biden.

    The order responds to growing U.S. and global concerns about programs that can capture text messages and other cellphone data. Some programs — so-called “zero-click” exploits — can infect a phone without the user clicking on a malicious link.

    Governments around the world — including the U.S. — are known to collect large amounts of data for intelligence and law enforcement purposes, including communications from their own citizens. The proliferation of commercial spyware has made powerful tools newly available to smaller countries, but also created what researchers and human-rights activists warn are opportunities for abuse and repression.

    The White House released the executive order in advance of its second summit for democracy this week. The order “demonstrates the United States’ leadership in, and commitment to, advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology,” the White House said in a statement.

  15. Tomi Engdahl says:

    ‘Grim’ Criminal Abuse of ChatGPT is Coming, Europol Warns

    Criminals are set to take advantage of artificial intelligence like ChatGPT to commit fraud and other cybercrimes, Europe’s policing agency warned.

    Criminals are set to take advantage of artificial intelligence like ChatGPT to commit fraud and other cybercrimes, Europe’s policing agency warned on Monday.

    From phishing to disinformation and malware, the rapidly evolving abilities of chatbots will be used not only to better mankind, but to scam it too, Europol said in a new report.

    Created by US startup OpenAI, ChatGPT appeared in November and was quickly seized upon by users amazed at its ability to answer difficult questions clearly, write sonnets or code, and even pass exams.

    “The potential exploitation of these types of AI systems by criminals provides a grim outlook,” The Hague-based Europol said. Europol’s new “Innovation Lab” looked at the use of chatbots as a whole but focused on ChatGPT during a series of workshops as it is the highest-profile and most widely used, it said.

    Criminals could use ChatGPT to “speed up the research process significantly” in areas they know nothing about, the agency found.
    This could include drafting text to commit fraud or give information on “how to break into a home, to terrorism, cybercrime and child sex abuse,” it said.

    ChatGPT’s ability to quickly produce authentic sounding text makes it “ideal for propaganda and disinformation purposes, as it allows users to generate and spread messages reflecting a specific narrative with relatively little effort.”

    ChatGPT can also be used to write computer code, especially for non-technically minded criminals, Europol said.

    “This type of automated code generation is particularly useful for those criminal actors with little or no knowledge of coding and development,” it said.

    An early study by US-Israeli cyber threat intel company Check Point Research (CPR) showed how the chatbot can be used to infiltrate online systems by creating phishing emails, Europol said.

    While ChatGPT had safeguards including content moderation, which will not answer questions that have been classified harmful or biased, these could be circumvented with clever prompts, Europol said.

    AI was still in its early stages and its abilities were “expected to further improve over time,” it added.

  16. Tomi Engdahl says:

    Tackling the Challenge of Actionable Intelligence Through Context

    Making threat intelligence actionable requires more than automation; it also requires contextualization and prioritization.

  17. Tomi Engdahl says:

    Backdoors are still the most common way to break into a system

    IBM Security’s X-Force Threat Intelligence report provides an annual overview of global trends in cybersecurity and cyberattacks. Last year, the most cyberattacks were carried out in Asia and the Pacific region (31 percent), Europe (28 percent) and North America (25 percent). The most common method in cyberattacks and data breaches in 2022 was the use of backdoors.

    Backdoors give attackers remote access to a company’s systems. In Europe in particular, the deployment of backdoors increased significantly after Russia attacked Ukraine.

    - We all have a lot of security protecting our data these days. For criminals, however, it is enough that there is one weak spot the user has not protected. Backdoors are a bit like bank robbers getting into the bank vault through the air conditioning duct, says Annika Virta, sales manager for IBM’s cybersecurity services in Northern Europe.

  18. Tomi Engdahl says:

    Jyväskylä is getting a cyber competence centre

    The University of Jyväskylä and JAMK University of Applied Sciences are holding the launch event of Finland’s cyber competence centre at the Digiturvallisuus 2023 fair in Jyväskylän Paviljonki. The rectors of both institutions, the mayor of Jyväskylä and the regional mayor will take part in the launch event.

  19. Tomi Engdahl says:

    Most will fall victim to a cyberattack

    Loihde Trust and Check Point held a cybersecurity breakfast today, where they presented the results of the new ”Suomalaisten organisaatioiden tietoturva 2023–2025” (Information security of Finnish organisations 2023–2025) study. As many as 62 percent of respondents believed they would be targeted by a cyberattack within the next two years. The figure rose to 76 percent when only large companies with a turnover above 100 million euros were considered.

    Benjamin Särkkä, a white-hat hacker who continues as an adviser at Loihde Trust, said that a very big problem for companies is protecting user accounts and identities. – So it is about protecting data and ensuring its integrity.

    According to the study, every second public organisation has experienced a security breach in the past two years. These have most often involved a break-in to a personal data register, a data leak or a denial-of-service attack. Benjamin Särkkä raised an interesting fact about the cyber operations centres, or SOCs, that companies use.

    - If a company has a SOC in use, 71 percent expect to be targeted by a cyberattack within the next two years. So the SOC recognises how extensive the problems are. Yet there are companies in Finland with a turnover above 100 million euros that do not have a SOC, Särkkä wondered.

  20. Tomi Engdahl says:

    At least change the PIN code of your SIM card now!


    Published: 28.03.2023


    Loihde Trust delivers security solutions to companies, but how do the company’s own professionals protect their data and identities? Security consultant Aino Kivilahti recommends password managers and the use of common sense. – At least change that PIN code of your phone’s SIM card, she advises.

    Kivilahti said this morning at the Loihde Trust and Check Point cybersecurity breakfast that a person is always at the centre of the identity to be protected. In her view, managing passwords with a separate password manager tool is a recommended idea. There, a separate application creates strong passwords that the user no longer needs to remember separately.

    Kivilahti, who in her spare time breaks into Linux systems – wearing a white hat, of course – also recommends HSM dongles, i.e. solutions like Yubikey. Here we are returning to the ”old days”, when physical sticks were used for logging into many systems.

    So how does a white-hat hacker protect her own devices? – If we start with the phone, change your SIM card’s PIN code now. According to some reports, 80 percent of SIM card PINs are four zeros or 1234. Someone could simply take the SIM card out of a phone lying on a table and put it into their own handset. After that, SMS-based multi-factor authentication would lose its meaning, Kivilahti warns.

  21. Tomi Engdahl says:

    Finland gets a digital security fair

    Finland’s first Digiturvallisuus fair gathers the cyber actors and companies of the field in Jyväskylä on Thursday 30 March. At the event, the University of Jyväskylä and JAMK University of Applied Sciences will also officially announce the operations of their joint cyber competence centre.

    Finland’s first Digiturvallisuus fair offers the latest cybersecurity knowledge and tools for companies in different industries to build and manage digital security. The event also offers plenty of interesting talks for cyber professionals.

    The event opens on 30 March with national cybersecurity director Rauli Paananen presenting cybersecurity perspectives on how Finland takes care of cybersecurity, while cyber ambassador Tarja Fernández from the Ministry for Foreign Affairs speaks about our cybersecurity in the changed geopolitical situation.

    From the Defence Forces, the speaker is cyber architect Pasi Tarvainen, who presents cybersecurity technologies. After that, Mikko Rauhamaa, head of the Cybercrime Centre and detective chief inspector at the National Bureau of Investigation, speaks about new phenomena and trends in cybercrime.

  22. Tomi Engdahl says:

    Diagnose your SME’s Cybersecurity and Scan for Recommendations
    Standing as a major driver for innovation and growth in the EU and as key actors of our economy, SMEs are constantly facing cybersecurity challenges. This is why it is essential to support them in addressing these challenges and in identifying improvements. The cybersecurity maturity assessment tool designed by ENISA supports those small and medium-size businesses who seek to understand their current cybersecurity maturity level.

  23. Tomi Engdahl says:

    Vulnerabilities: Understand, mitigate, remediate
    As the value of data has grown, managing vulnerabilities effectively is essential for the success of your organization’s security and for minimizing the impact of successful attacks. Before we delve into specific types of vulnerabilities, it’s important to understand what they are. A vulnerability in cyber security refers to any weakness or gap in an information system or process of an organization that can be exploited by cybercriminals to compromise the confidentiality, integrity or availability of data, either at rest or in transit.

  24. Tomi Engdahl says:

    Remote Employees: Update Your Routers (and More WFH IT Tips)
    Managing the overlap between home technology and work technology can be complex. To ensure that your organization remains secure while allowing remote work, it is important to implement best practices such as using password managers, VPNs for remote access, regular cybersecurity training sessions and clear BYOD policies. Additionally, use device encryption on any devices accessing company networks to protect sensitive data from potential threats or malicious activities.
    With these steps, you can create an environment where employees are productive and safe in this new hybrid workplace frontier.

  25. Tomi Engdahl says:

    The End-User Password Mistakes Putting Your Organization at Risk
    Businesses rely on their end-users, but those same users often don’t follow the best security practices. Without the right password security policies, a single end-user password mistake can be a costly breach of your organization’s defenses. End-users want to do their work quickly and efficiently. Password prompts can be seen as a nuisance, and users may not know the best practices to follow or understand the importance of following them. Sharing, reusing and weak passwords can put your organization at risk, so having the right policies in place is essential for security!

  26. Tomi Engdahl says:

    Ground Control to Major Tom: Ransomware Groups & Hacktivists Targeting Satellite and Space Industry
    Threats towards Satellite Communication Networks have been increasing gradually since previous years. The cyber-attack against Viasat’s KA-SAT network partially interrupted KA-SAT’s consumer-oriented satellite broadband service and rendered 5,800 Enercon wind turbines in Germany. This highlights that cyber attacks on components within the SATCOM industry can have a disastrous effect and weaken National Critical Infrastructure operations

  27. Tomi Engdahl says:

    Inside The Shadowy World Of Iranian Cyber Espionage Group APT33
    Several of the most threatening cyber crime groups today carry the inside industry name of “APT.” APT stands for Advanced Persistent Threat, and an advanced persistent threat (APT) is a clandestine type of cyber attack or group that uses APT techniques in which the attacker gains and maintains unauthorized access to a targeted network and remains undetected for a significant period of time. Despite having similar names, each “APT” group is distinct with separate history, tactics, and targeting. In our hacker series, we already covered APT 28 (Fancy Bear) and APT 10 (Stone Panda). Today, we focus on APT33.

  28. Tomi Engdahl says:

    APT43: North Korean Group Uses Cyber crime to Fund Espionage Operations
    Mandiant assesses with high confidence that APT43 is a moderately-sophisticated cyber operator that supports the interests of the North Korean regime. Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting and social engineering to support espionage activities, and financially-motivated cyber crime to fund operations. Tracked since 2018, APT43’s collection priorities align with the mission of the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence service. The group’s focus on foreign policy and nuclear security issues supports North Korea’s strategic and nuclear ambitions.

  29. Tomi Engdahl says:

    Russian hackers have changed their strategy – cyberattacks have increased in Europe, new report says
    At the start of the war, most cyberattacks concerned only Ukraine. At the start of 2023, the overwhelming majority of incidents occurred in EU countries.
    AT the end of last year, cyberattacks increased considerably in Poland, the Baltic countries and the Nordic countries, Thales, a company focused on high technology and digital security, says in its new report.
    In Sweden, a particularly large number of cyberattacks were carried out compared to the other Nordic countries.
    So far the attacks have been fairly harmless denial-of-service attacks, but more broadly their aim is to increase concern among decision-makers and citizens, says Jukka Nokso-Koivisto, a cybersecurity expert working at Thales.

  30. Tomi Engdahl says:

    SecurityScorecard Guarantees Accuracy of Its Security Ratings

    SecurityScorecard is offering free digital forensics and incident response (DFIR) services to customers that have scored an ‘A’ rating if they have been breached.

    SecurityScorecard delivers security posture assessments by analyzing companies’ external surface visibility. It is so convinced of the accuracy of these assessments that it is now offering free digital forensics and incident response (DFIR) services to customers that are breached.

    The offer, called Score Guarantee, is dependent on two things. First, the customer must have scored an ‘A’ rating in its surface analysis, and second, the complimentary DFIR is limited to 20 hours.

    The Score Guarantee is not related to cyberinsurance. Although the firm and its ratings are used by insurance underwriters, the Score Guarantee is neither underwritten by insurers, nor intended to be an alternative to insurance. It is purely the firm’s statement of confidence in its own services.

    In reality, a company sufficiently security aware and active to receive an ‘A’ rating is likely to have separate cyberinsurance. However, SecurityScorecard is sufficiently confident in its ratings, that the guarantee is independent of the usual retentions, deductibles, exclusions, or additional conditions of cyberinsurance.

    For example, it is not subject to the cyberinsurance war exclusion clause. Mitchell Bezzina, VP of product marketing & GTM, told SecurityWeek, “Our guarantee would apply regardless of the insurance company’s decision to cover the incident. We have no exclusions related to the type of incident.”

    The Guarantee is entirely unrelated to any cyberinsurance. “Whether or not a company has cyber insurance is a decision personal to that customer and its risk management strategy,”

    SecurityScorecard’s confidence comes from its own research showing that companies receiving an ‘A’ rating are 7.7 times less likely to suffer a cyber-incident than companies receiving an ‘F’ rating.

  31. Tomi Engdahl says:

    Video: How to Build Resilience Against Emerging Cyber Threats

    Enjoy this session as we walk through three recent use cases where a new threat caught organizations off-guard.

    Innovative cyber attacks are on the rise—threatening corporate and government infrastructure, supply chains, brand reputations, and revenues. One of the best ways to prepare for the evolving threats of tomorrow is to revisit the details of recent major cybersecurity incidents. The benefit of hindsight can help us spot warning signs and avoid poor security practices in our organizations.

  32. Tomi Engdahl says:

    Incident Response
    Microsoft Puts ChatGPT to Work on Automating Cybersecurity

    Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

    The world’s largest software maker is putting ChatGPT to work in the cybersecurity trenches.

    Microsoft on Wednesday rolled out an AI-powered security analysis tool to automate incident response and threat hunting tasks, showcasing a security use-case for the popular chatbot developed by OpenAI.

    The new tool, called Microsoft Security Copilot, is powered by OpenAI’s newest GPT-4 model and will be trained on data from Redmond’s massive trove of telemetry signals from enterprise deployments and Windows endpoints.

    Cybersecurity experts are already using generative AI chatbots to simplify and enhance software development, reverse engineering and malware analysis tasks and Microsoft’s latest move adds several new use-cases for defenders.

    Introducing Microsoft Security Copilot

    Empower your defenders to detect hidden patterns, harden defenses, and respond to incidents faster with generative AI—now in preview.

    Defend at machine speed

    Amplify your team’s impact and efficiency with intelligent guidance informed by 65 trillion daily signals.

  33. Tomi Engdahl says:

    A clear change in cyberattacks because of the war – in these countries

    In addition to conventional war, according to IT company Thales’s security report, the cyber warfare between Russia and Ukraine has clearly shifted to a Europe-wide, high-intensity hybrid cyber war. Increasingly, the attacks focus on critical national infrastructure, for example aviation, the energy sector, healthcare, banks and public services. Finland was the target of eight disruption incidents last year.

    The cyberattacks of the past year are examined in a new report by Thales’s Cyber Threat Intelligence unit, according to which there was also a significant turn in the cyberattacks related to the Ukraine conflict in the third quarter of 2022.

    After Ukraine and Russia, the most disruption has been directed at Poland, Latvia and Sweden. In EU countries, conflict-related incidents have increased sharply in the last six months. There were only eight security incidents targeting Finland last year.

    At the same time, according to the Thales report, the geography of cyberattacks has changed shape over the last 12 months. At the start of the conflict, most of the attacks concerned only Ukraine (50.4% in the first quarter of 2022, 28.6% in the third quarter).

    In EU countries, conflict-related incidents have increased sharply in the last six months (from 9.8 percent to 46.5 percent of global attacks). In summer 2022 there were almost as many security incidents in EU countries as in Ukraine (85 vs. 86). In the first quarter of 2023, the overwhelming majority (80.9%) of incidents have occurred in EU countries.

  34. Tomi Engdahl says:

    Microsoft now brings OpenAI models to security

    Microsoft announced yesterday that it is bringing next-generation AI into security by releasing Microsoft Security Copilot. It can be used to identify threats and respond to them quickly, and to understand the overall threat landscape better than before. Security Copilot uses the same OpenAI models on which the ChatGPT bot that has taken over the internet is based.

    Security Copilot is the first and so far the only security product based on generative AI that lets those defending against attacks take advantage of the speed and scale of AI. The tool is designed to work seamlessly together with security teams.

    Copilot – let’s call it a first mate, then – brings visibility into events in the environment, uses existing knowledge, finds correlations between threat events and makes more informed and effective decisions at machine speed.

    There are 1,287 password attack attempts per second in the world. Preventing attacks is not possible with fragmented tools and infrastructure.

    Security Copilot simplifies this complex task and improves the capabilities of security teams by summarising and interpreting threat-related information. This helps defenders quickly find the relevant information amid network traffic and detect malicious activity.

    Security Copilot also helps security teams identify threats that would otherwise go undetected by finding correlations in attack-related data and summarising them, prioritising events and recommending best practices so that different threats can be responded to quickly and in time.

    Security Copilot learns and develops continuously to ensure that security teams have up-to-date information about attackers and their tactics, techniques and procedures. The product supports demanding security operations and use cases by providing continuous access to the most advanced OpenAI models.

    Microsoft Security Copilot is currently available to a closed test group. More information on the topic can be found here.

  35. Tomi Engdahl says:

    Does it feel like your phone is eavesdropping on you? You may be right

    Do you know the feeling when you have talked about some item with an acquaintance and a moment later online ads push that very product at you? You are not alone. According to a survey by security firm NordVPN, many people experience the same.

    Eavesdropping by phones comes up in discussion at regular intervals. Social media services such as Facebook have to explain that they do not eavesdrop on phone users, and speech recognition applications like Siri are the target of criticism. Generally it can be said that applications do not listen to the phone without permission; rather, they have been given permission to do so through acceptance of the terms of use. Naturally, acceptance is a condition for using the applications.

  36. Tomi Engdahl says:

    Web Fingerprinting Gets Frighteningly Good: Sees Through VPNs and Incognito Mode

    Web fingerprinting is not a new technique to identify visitors on the Internet, but it is a technique that has become frighteningly good in recent time.

    Fingerprinting describes a set of methods that sites and advertisers use to track users across the Internet. These methods do not rely on cookies and other common forms of tracking, which mostly rely on storing data on user devices, but use device parameters and other information to compute a fingerprint.

    It should not come as a surprise that some browsers, mostly those focused on privacy, have implemented anti-fingerprinting protections in recent years. Brave Browser introduced language and font fingerprinting protections in 2022, and Mozilla’s Firefox web browser has anti-fingerprinting protections as part of the browser’s Tracking Protection feature.

  37. Tomi Engdahl says:

    Google finds more Android, iOS zero-days used to install spyware
    Google’s Threat Analysis Group (TAG) discovered several exploit chains using Android, iOS, and Chrome zero-day and n-day vulnerabilities to install commercial spyware and malicious apps on targets’ devices. The attackers targeted iOS and Android users with separate exploit chains as part of a first campaign spotted in November 2022.

  38. Tomi Engdahl says:

    WiFi protocol flaw allows attackers to hijack network traffic
    Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form. WiFi frames are data containers consisting of a header, data payload, and trailer, which include information such as the source and destination MAC address, control, and management data.
    These frames are ordered in queues and transmitted in a controlled manner to avoid collisions and to maximize data exchange performance by monitoring the busy/idle states of the receiving points.

  39. Tomi Engdahl says:

    How to Build a Research Lab for Reverse Engineering 4 Ways
    Malware analysis is an essential part of a security researcher’s work.
    But working with malicious samples can be dangerous; it requires specialized tools to record their activity, and a secure environment to prevent unintended damage. In this article, we’ll look at 4 ways to create a reverse engineering lab, discuss how to save time and, potentially, improve the detection rate using a cloud service, and give a recommended list of tools for a comprehensive setup.

  40. Tomi Engdahl says:

    APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations
    Today we are releasing a report on APT43, a prolific threat actor operating on behalf of the North Korean regime that we have observed engaging in cybercrime as a way to fund their espionage operations.
    Mandiant tracks tons of activity throughout the year, but we don’t always have enough evidence to attribute it to a specific group. Dive into the report now for in-depth analysis on APT43 targeting and TTPs, examples of their campaigns and operations, and an annex of malware and indicators

  41. Tomi Engdahl says:

    Refreshed ‘cyber security toolkit’ helps board members to govern online risk
    The toolkit helps boards ensure that cyber resilience and risk management are embedded throughout their organisations. It will help you to make informed cyber decisions that are aligned to your wider organisational risks, and ensure cyber security is assigned appropriate investment against other competing business demands

  42. Tomi Engdahl says:

    Attacks challenged food production and distribution in the sector’s first cyber exercise in Jyväskylä
    The food value chain is a critical whole for food security, and companies in the sector also have a special role from the perspective of national security of supply. In the food sector, work on food safety has been done for a long time, but today, ensuring cyber security must also be taken into account. The business environments of primary production, the food industry, and trade and distribution are highly digitalised and are therefore of interest to cybercriminals. Ensuring operational capability requires companies to prepare continuously for various disruptions and to practise handling such situations. About 100 people took part in the exercise.
    The exercise was run by JYVSECTEC, the cyber security research, development and training centre of the IT Institute of Jyväskylä University of Applied Sciences

  43. Tomi Engdahl says:

    Too good is rarely true: Finns have lost tens of millions to online scammers
    According to bank statistics, Finns lost more than 30 million euros to digital scammers last year. According to an expert, the sum is in reality considerably larger. In 2022, according to bank statistics, Finns lost 32.4 million euros to digital scammers. The sum could have been larger, but banks managed to prevent or recover more than 14 million euros from ending up in criminals’ accounts

  44. Tomi Engdahl says:

    Why Endpoint Resilience Matters

    When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own security.

  45. Tomi Engdahl says:

    UK Introduces Mass Surveillance With Online Safety Bill

    The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into end-to-end content

    The Online Safety Bill is the enactment of two long held UK government desires: the removal of harmful internet content, and visibility into end-to-end (E2E) content. The latter is just a byproduct of enforcing the former. Both are justified on national security (terrorism) and protection of children requirements (child pornography).

    At the time of writing, this bill (PDF) has passed through the House of Commons, and is currently at committee stage in the House of Lords. It is likely (not certain) that it will become law. While this would be a UK law, its reach expands to any internet platform providing services to people in the UK.

    The primary gist of the bill is that platform providers are responsible for the content available on their platforms, irrespective of who generates the content. If content is deemed harmful (child pornography, terrorist recruitment, revenge porn, bullying, self-harm, and anything the government defines as ‘illegal’), the provider can be required to remove that content.

    All of this sounds reasonable; but the problems start with visibility and enforcement. Enforcement is to be undertaken by the government’s own Office of Communications regulator, Ofcom. To be able to determine compliance with the law, Ofcom must have visibility on the content. That, in simple terms, implies mass government surveillance of any internet available to users within the UK.

    But what if the information on the platform is protected with end-to-end encryption within a messaging or communications application? That doesn’t matter; it is still subject to the law, and Ofcom must be provided access to the cleartext content. In short, the Online Safety Bill will require messaging app providers to implement some form of backdoor into the encrypted data – although the government asserts this isn’t a ban on E2E encryption itself.

    Ofcom’s weapons include fines up to £18 million ($22 million) or 10% of global revenue (GDPR’s maximum is 4% of global revenue), blocking the platform, and even criminal liability for senior managers.

    The problem is that end-to-end encryption and backdoors are mutually exclusive. The UK government insists that this needn’t be so, but it is a technological reality.

  46. Tomi Engdahl says:

    What Makes an Effective Anti-Bot Solution?

    While there are likely many different approaches, here are a few points that are important for enterprises to consider when evaluating bot solutions.

    By now, many security and fraud professionals understand the risks that bots introduce to our online applications and to our businesses in general. In a previous piece, I discussed and summarized some of these risks to help security and fraud teams understand the need to articulate the threat of bots to executives and the board in their own language. Indeed, this type of communication has been increasingly common, resulting in higher awareness around the bot problem.

    Not surprisingly, as awareness of the bot problem has grown, so has the stream of marketing material aimed at enterprise buyers. Regardless of which risks security and fraud teams are concerned about, they need a way to cut through the marketing rhetoric in order to properly evaluate bot solutions. How can enterprise buyers objectively evaluate bot solutions? How can they evaluate who can truly deliver what they promise, what approaches will be effective in their environments, and which vendors will be able to stay one step ahead of the evolving threat landscape?

    When it comes to bot management solutions, iterative solutions reign supreme. Those vendors that study attackers and continually feed that knowledge back into the solution have much higher efficacy rates than those that do not.
