Wednesday, 3 March 2021

Reasons Why the Security Industry is Protecting the Wrong Thing

Article by Paul German, CEO, Certes Networks 

Why is it that the security industry talks about network security, but data breaches? It’s clear that something needs to change, and according to Paul German, CEO, Certes Networks, the change is simple. For too long now, organisations have been focusing on protecting their network, when in fact they should have been protecting their data. Paul outlines three reasons why the security industry has been protecting the wrong thing and what they can do to secure their data as we move into 2021.

They’re called data breaches, not network breaches, for a reason

Looking back on some of the biggest data breaches the world has ever seen, it’s clear that cyber hackers always seem to be one step ahead of organisations that seemingly have sufficient protection and technology in place. From the Adobe data breach way back in 2013 that resulted in 153 million user records stolen, to the Equifax data breach in 2017 that exposed the data of 147.9 million consumers, the lengthy Marriott International data breach that compromised the data from 500 million customers over four years, to the recent Solarwinds data breach at the end of 2020, over time it’s looked like no organisation is exempt from the devastating consequences of a cyber hack.

When these breaches hit the media headlines, they’re called ‘data breaches’, yet the default approach to data security for all these organisations has been focused on protecting the network - to little effect. In many cases, these data breaches have seen malicious actors infiltrate the organisation’s network, sometimes for long periods of time, and then have their pick of the data that’s left unprotected right in front of them. 

So what’s the rationale behind maintaining this flawed approach to data protection? The fact is that current approaches mean it is simply not possible to implement the level of security that sensitive data demands as it is in transit without compromising network performance. Facing an either/or decision, companies have blindly followed the same old path of attempting to secure the network perimeter and hoping that they won’t suffer the same fate as so many before them.

However, consider separating data security from the network through an encryption-based information assurance overlay. Meaning that organisations can seamlessly ensure that even when malicious actors enter the network, the data will still be unattainable and unreadable, keeping the integrity, authentication and confidentiality of the data intact without impacting the overall performance of the underlying infrastructure.

Regulations and compliance revolve around data

Back in 2018, GDPR caused many headaches for businesses across the world. There are numerous data regulations businesses must adhere to, but GDPR, in particular, highlighted how important it is for organisations to protect their sensitive data. In the case of GDPR, organisations are not fined based on a network breach; in fact, if a cyber hacker was to enter an organisation’s network but not compromise any data, the organisation wouldn’t actually be in breach of the regulation at all.

GDPR, alongside many other regulations such as HIPAA, CCPA, CJIS or PCI-DSS, is concerned with protecting data, whether it’s financial data, healthcare data or law enforcement data. The point is: it all revolves around data, but the way in which data needs to be protected will depend on business intent. With new regulations constantly coming into play and compliance another huge concern for organisations as we continue into 2021, protecting data has never been more important, but by developing an intent-based policy, organisations can ensure their data is being treated and secured in a way that will meet business goals and deliver provable and measurable outcomes, rather than with a one-size-fits-all approach.

Network breaches are inevitable, but data breaches are not

Data has become extremely valuable across all business sectors and the increase in digitisation means that there is now more data available waiting for malicious actors.

From credit card information to highly sensitive data held about law enforcement cases and crime scenes, to data such as passport numbers and social ID numbers in the US, organisations are responsible for keeping this data safe for their customers, but many are falling short of this duty. With the high price tag that data now has, doing everything possible to keep data secure seems like an obvious task for every CISO and IT Manager to prioritise, yet the constant stream of data breaches show this isn’t the case. 

But what can organisations do to keep this data safe? To start with, a change in mindset is needed to truly put data at the forefront of all cyber security decisions and investments. Essential questions a CISO must ask include: Will this solution protect my data as it travels throughout the network? Will this technology enable data to be kept safe, even if hackers are able to infiltrate the network? Will this strategy ensure the business is compliant with regulations regarding data security, and that if a network breach does occur, the business won’t risk facing any fines? The answer to these questions must be yes in order for any CISO to trust that their data is safe and that their IT security policy is effective.

Furthermore, with such a vast volume of data to protect, real-time monitoring of the organisation’s information assurance posture is essential in order to react to an issue, and remediate it, at lightning speed. With real-time, contextual meta-data, any non-compliant traffic flows or policy changes can be quickly detected on a continuous basis to ensure the security posture is not affected, so that even if an inevitable network breach occurs, a data breach does not follow in its wake.

Trusting information assurance

An information assurance approach that removes the misdirected focus on protecting an organisation’s network and instead looks at protecting data, is the only way that the security industry can move away from the damaging data breaches of the past. There really is no reason for these data breaches to continue hitting the media headlines; the technology needed to keep data secure is ready and waiting for the industry to take advantage of. The same way that no one would leave their finest jewellery on display in the kitchen window, or leave their passport out for the postman to see, organisations must safeguard their most valuable asset and protect themselves and their reputation from suffering the same fate as many other organisations that have not protected their data.

Monday, 1 March 2021

Cyber Security Roundup for March 2021

 

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, February 2021.

Serious Linux Vulnerability
Last month a newly discovered critical vulnerability in 'sudo', a fundamental program present in all Linux and Unix operating systems caught my eye. The sudo vulnerability aka CVE-2001-3156, seemed to go under the radar after it was announced and patches were released on 26th January 2021. I wrote a blog post about my concerns given Linux is embedded everywhere, yet many of these systems are rarely, and even never updated with security updates. From IoT devices to internet-based services, the security of countless devices and web-based services' are dependant upon a secure Linux account privilege model. While these Linux operating systems remain unpatched to prevent exploitation of the CVE-2021-3156 vulnerability, there are waiting to be hacked.

Npower App Hack
Npower removed its mobile app after an attack exposed "some customers' financial and personal information." The energy firm did not say how many accounts were affected by the breach, which was first reported by MoneySavingExpert.com. Npower said "We identified suspicious cyber-activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website. This is known as 'credential stuffing'," the firm said in a statement. We've contacted all affected customers to make them aware of the issue, encouraging them to change their passwords and offering advice on how to prevent unauthorised access to their online account." The Information Commissioner's Office (ICO) confirmed it had been informed.

Total Fitness Ransomware Attack
UK media didn't report UK gym chain Total Fitness had been hit by a ransomware attack. In a statement released by Total Fitness on 5th February, the gym chain said,
"On 26th January, Total Fitness’ threat detection software exposed a cyber-attack affecting our internal systems, processes, and communications. Immediately following the attack, our well-rehearsed recovery and continuity plans were instigated which included the lock down and securing of all Total Fitness information.

Total Fitness is continuing to respond to the ongoing ransomware attack likely to be by international serious and organised cyber-crime groups. The matter is subject to a live criminal investigation.

Our Incident Response Team are informing and collaborating with expert organisations including the National Cyber Security Centre, the North West Regional Organised Crime Unit, the National Crime Agency and the Information Commissioner's Office on what is a complex and sophisticated criminal act."

Total Fitness kindly linked several pieces of UK National Cyber Security Centre (NCSC) business ransomware prevention guidance at the bottom of their statement, seemingly they hadn't followed the last linked guidance, which is a basic business good practice to prevent ransomware attacks.
I became aware of the Total Fitness cyber breach after several of their members contacted me for advice following the receipt of an email by Total Fitness, which said there was "a low risk" their personal information was compromised. 

Total Fitness email
"We’re emailing to let you know that Total Fitness’ IT systems were attacked by a highly sophisticated international organised cyber-crime network.  We believe the risk is low for you and your data. To reassure you immediately, we can confirm that your highly sensitive information such as username, password, and credit card information have not been compromised."

Sero and CD Projekt Ransomware Attacks
While the Bakuk ransomware gang claimed it had infiltrated Serco last year, Serco confirmed a cyberattack on 31st January to Sky News.  A Serco spokesperson said there had been no impact on any of its UK operations, given the attack centred on isolated European systems. The Babuk group claimed to have had access to Serco’s systems for three weeks and to have already exfiltrated a terabyte of data. The cybercriminals made specific references to Serco partners, including Nato and the Belgian Army, and threatened Serco with consequences under the General Data Protection Regulation (GDPR). There was further confirmation that the UK NHS Test and Trace programme was unaffected by the incident.

CD Projekt Red, the developers of the controversial Cyberpunk 2077 game, was hit with a 48-hour ransom demand by the HelloKitty ransomware operation. In a ransom note, the attackers said they had stolen the source code for Cyberpunk 2077 and the Witcher 3 game.  CD Projekt Red announced they would not be paying the ransom,  which led to the attackers auctioning the stolen data on a hacker forum. There have since been claims that full copies of the Cyberpunk game source code have been made available on the dark web. CD Projekt Red later in the month said it was delaying an update to their Cyberpunk game until late March due to the cyberattack.

Kia \ Hyundai Reported Ransomware Attack
According to reports, the DopplePaymer ransomware gang hit both Kia and parent company Hyundai, demanding a $20 million extortion payment. Kia's online services have suffered outages assumingly due to the cyberattack, however, Kia is denying the reports releasing a statement which said We are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack”.  Meanwhile, Hyundai America said "Hyundai Motor America is experiencing an IT outage affecting a limited number of customer-facing systems. Those systems are in the process of coming back online. We would like to thank our customers for their continued patience. At this time, we can also confirm that we have no evidence of Hyundai Motor America or its data being subject to a ransomware attack”

Attempted Florida City Water Supply Positioning Cyberattack
Hackers attempted to poison the water supply of the city of Oldsmar in Florida, by remotely infiltrating the water treatment facility's controlling IT system, using it to increase the Sodium Hydroxide (NaOH) levels in the water. The computer systems of a water treatment facility were remotely breached twice on 5th February, through an insecure TeamViewer remote access application. On the last intrusion, the hackers tried to increase the NaOH levels but were foiled as an operator who was watching the attack in real-time. “What it is, is that somebody hacked into the system, not just once but twice, and controlled the system, took control of the mouse, moved it around, opened the programme and changed the levels from 100 to 11,100 parts-per-million with a caustic substance,” said the city sheriff Bob Gualtieri. 

Further to the attack on Oldsmar, Florida’s water facility, CTO of Cymulate Avihai Ben-Yossef warned, "in 2020 we saw a dramatic increase in Nation-State actors attempting attacks on critical infrastructure like power and utility companies.  The number of warnings, and specifically where they originate, insinuate that the level of activity has been elevated. Moreover, we are now witnessing these Nation State actors attempting to gain a foothold into utilities in order to build proactive attack capabilities - and they are trying to manipulate them with deadly consequences.  

The change is partly due to the fact that a few hackers who have gained these attack capabilities are also more inclined to be aggressive - with Iran being the number one proponent. In Israel, Iranian state actors attempted, without success, to attack Israeli water utilities last year. While this isn’t the first effort to manipulate US water supplies, this new attack in Florida is the first time we have seen an attempt with lethal consequences. This is in contrast to the spate of ransomware attacks like those currently victimising Florida hospitals, which points to a different trend where criminal attackers aim to profiteer. "

Nation-Station Solarwinds Attack Update
Microsoft wrapped up its SolarWinds cyberattack investigation by concluding in a blog post that none of its systems was used to attack others thanks to Microsoft's adoption of a 'Zero Trust' model. The Microsoft blog post encouraged all organisations to follow suit in adopting a 'zero trust mindset', stating 'Microsoft points out that organizations should go one step further by adopting it as a mindset – accept that all of the initial lines of defense can fail and that security controls need to be layered across all systems critical to an organization”.

I completely agree with Microsoft on this one, 'Zero Trust' architectures are the future to secure enterprises, taking a "never trust and always verify" approach on all users and devices (inside the network) which connect with the organisation's infrastructure, IT systems, and data.

Stay safe and secure.

BLOG

Friday, 26 February 2021

The Ransomware Group Tactics which Maximise their Profitability

Article by Greg Foss, Senior Cyber Security Strategist, VMware Carbon Black


Wherever there is disruption, cybercriminals see opportunity. Alongside the devastating health and economic impacts of the global coronavirus pandemic, we have also seen a huge escalation in ransomware attacks as people shifted to working from home. VMware Carbon Black threat researchers have recorded a 900% year on year increase in ransomware attacks in the first half of 2020.

Attacks are not only more frequent, but they are also more sophisticated, as adversaries strive to maximise the revenue potential from each hit. As modular and more extensive malware has become ubiquitous, adversaries are diversifying and adopting more strategic and multi-stage tactics. They’ve identified factors such as high financial and regulatory penalties and reputational damage that offer more leverage to extort money from victims. As a result, it is now easier than ever for criminals with minimal skill to execute highly impactful attacks.

Destructive attacks and the sale of direct access into corporate networks are also rising trends and the lucrative payoff potential from all these is changing how adversaries approach their craft; a typical ransomware attack today is designed to do a lot more than simply encrypt data.

Shift from spray and pray to cultivate and curate – rise of the hands-on ransomware attack

In the past, a ransomware attack typically originated in a phishing email where the victim unwittingly opened an infected document or clicked a link that executed actions to immediately encrypt the environment and demand a ransom. Adversaries launched high volumes attack campaigns, on the assumption that some would make it through defences and pay-day would follow.

The current approach is much more hands-on-keyboard, with the attacker actively involved in orchestrating targeted attacks that will deliver multiple opportunities to monetise the results. In the attacks we’re seeing today, the eventual encryption and ransom demand comes a long way down the line; victims should assume that attackers have been inside their network for a significant period, have mapped out their infrastructure, and have already exfiltrated their most sensitive assets. The new evolution of ransomware attacks involves:

Research Phase: the adversary gathers intelligence about your organization through open-source intelligence gathering (OSINT) – everything from social media, geographical footprint, publicly exposed IP addresses found on Shodan. Paying special attention to organisations employees. All of this helps to establish an attack plan, most commonly targeted towards unsecured edge-devices, with Microsoft’s Remote Desktop Protocol (RDP) being leveraged by far and away

Reconnaissance: Adversaries scan your organisation from the internet, looking at edge devices that could be a potential entry point, extrapolating what the rest of your environment might look like and what resources are worth targeting. They might identify home users with publicly exposed devices and target them with a phishing email, but more typically we see adversaries go after poorly configured edge devices, such as a Windows server with Remote Desktop Protocol exposed and no multifactor authentication in place as an ideal access vector.

Access and Consolidation: On entry, the attacker conducts initial post-exploitation reconnaissance to gain access to a credential and elevate their privileges so they can pivot from the Demilitarised Zone (DMZ) into the internal systems and map out the internal infrastructure. At this point, most ransomware groups we’ve been following will try to back-door additional systems with redundant access to a secondary command and control server, additionally with the goal of infecting the back-up server even getting their payloads deployed within the backups themselves. They probably won’t use this – it’s insurance in case their initial route gets cut off - but from a victim’s perspective, this is something you need to look out for in incident response.

Slow and Steady Data Exfiltration: to avoid triggering the controls companies have in place to prevent large scale data exfiltration, attackers will look for a discreet way to get the data out of the organisation. This might be through a user within the environment, moving files slowly or overtly to a compromised user and offloading the files to another server – such as a compromised web server – which serves as a collection point for the stolen data. Or they might move the data out slowly through protocols such as DNS.

By now the attacker has achieved the first part of their goal. They have stolen data that they can monetise directly, and they have persistence on the victim’s systems. The victim is still unaware and now the attacker starts to plan for the next stage of their attack.

Extortion – Reputations and Data Held to Ransom
This is where we are seeing the convergence of data theft and ransomware. Once attackers launch the encryption phase of the attack, they lock up the victim’s data and demand payment in a traditional ransomware style.

Businesses with good data back-ups and recovery capabilities might be tempted to call the attacker’s bluff – until the extortion starts. Attackers threaten to release parts of the stolen data on the web to publicise the exploit if payment is not forthcoming. So even if the business can recover its data, its reputation and company secrets are still on the line.

The Maze Cartel is an arch-exponent of this technique. When victims don’t pay, they publish stolen data on their website. It is bold and shows the capabilities and power these groups exercise. We’re also seeing these groups collaborating and sharing infrastructure and code, which is making attacks harder to attribute and increasing their overall capabilities.

If the victim bows to pressure and pays the ransom their data has still been breached and is for sale on the dark web, adding another revenue stream for the attacker. Of equal concern should be the fact that the adversary still has a redundant command and control access that they can sell or use to conduct further attacks.

How to Combat Evolving Ransomware Attacks
You have to treat ransomware like you would any other breach – this is someone who is in your environment and they have access to a lot of sensitive data. You need to conduct full incident response and recovery following each of these attacks, looking especially for signs of residual access to your environment following ransomware data theft.

To protect networks, defenders need to deploy endpoint protection, making sure they are blocking ransomware and have layered visibility of what is happening within the network. Understand the details of what your processes are doing and segment your networks effectively so that the scenario described above is not easy for an attacker to achieve.

Watch for evidence of initial access reconnaissance activity, configure alerts for large-scale data exfiltration, look for redundant command and control access and bear in mind that attackers are playing the long game. They are aiming to retain their foothold in the environment for as long as possible, so you might be looking for something that activates on a weekly or even monthly cycle, so its easy to miss. If you have suffered an attack, you should hire an incident response firm to look for these hard-to-find indications that your network is still being curated for future attacks.

It’s important to understand that this new approach is bespoke work. It’s targeted and long-term tradecraft and the pay-off is higher as a result; attackers will use every means at their disposal to get the most return on their efforts and grow their profits in the current highly disrupted environment.

Thursday, 25 February 2021

Fintech Cybersecurity Trends in 2021

Article by Beau Peters

When the pandemic struck, online bad actors took it as an opportunity to double-down on their attacks through ransomware, malware, and social engineering. Newly remote workers and remotely connected workplaces had to adapt rapidly to a greater digital threat as well as a public health crisis.

Now, cybersecurity may just be the most important aspect of financial technology (fintech) in the modern world. With 2020 being the worst year on record in terms of files exposed in data breaches, a thorough security approach is necessary to combat modern dangers.

Fintech relies on cybersafety more than any other digital platform. Luckily, new tech trends could help keep our financial data safe even with an increase in risk. Here’s what you should know. 

The Rising Risks
The widespread shift to a work-from-home (WFH) economy left countless networks vulnerable to cyber attacks. Hastily implemented cloud data processes and security needs failing to keep pace with tech innovations have left financial data exposed. Meanwhile, greater reliance on mobile devices for everything from managing our bank accounts to checking credit scores leaves fintech users more at-risk than ever.

Among the many security risks of personal finance technology are the following:
  • Hundreds of fintech ventures are funded each year, with little change in the security landscape.
  • New users unfamiliar with cybersecurity concerns can inadvertently expose their data.
  • Fraud and identity theft are on the rise, with online shopping hacks and COVID-related scams popular among cybercriminals. 
These vulnerabilities and more demonstrate the risk to data in the modern digital world. The coronavirus pandemic only makes the situation worse, as companies look to quickly transition to remote work, often without time for due diligence in instituting security protocols and employee training.

Insider threat is predicted to be the number one risk to data classification in the year ahead, requiring stricter corporate guidelines in data protection and better employee education. The heightened risk of a pandemic economy requires innovative solutions in approaching fintech. Fortunately, emerging trends in the financial technology sector may have the potential to turn the tide of cybercrime and keep our financial data safe. 

Fintech Trends for 2021 and Beyond
Even in the deluge of attacks on our digital systems, defender confidence has remained strong. This is due to the trends shaping the cybersecurity and fintech sectors, applications of intelligent processes that can predictively model attacks and pre-emptively counter them. The fintech industry is rising to meet the increased demand of the modern era, and this means broader benefits and heightened security for all consumers.

Among the trending innovations making fintech more secure, these technologies stand out: 

1. Multi-cloud data storage.
A singularly public cloud storage system may not meet the needs of many financial institutions. Instead, the safety of a private cloud is often preferable. Luckily, multi-cloud solutions offer the best of both worlds, giving businesses greater transparency and security in their data usage while providing a back-up system for vulnerable data.

2. AI fraud detection. 
Financial institutions like MasterCard are adopting artificial intelligence and machine learning processes to predict and prevent fraud. These systems analyze data to rank client risk and examine behaviours, flagging any vulnerabilities. Because an AI can better analyze massive amounts of data to catch unauthorized usage faster, these tools can help secure fintech as 5G connectivity comes to the Internet of Things (IoT). 

3. Secure Access Service Edge (SASE) networks.
SASE network architecture, like multi-cloud storage, brings multiple systems together to link security solutions for the greatest effect. This trend in fintech combines wide-area networking with network security services to offer a comprehensive cloud service. As tech consolidation remains a trend among businesses, these solutions can help protect fintech while offering greater functionality, all in one simple package.

4. Blockchain systems.
Blockchains are highly secure and decentralized data flow systems. They offer all but immutable data stored in cryptographic hashes. This makes hacking such a system particularly difficult, as doing so requires decrypting every node in the link. For global finance, these systems make secure and seamless transactions possible, which is why they will likely become a staple of fintech soon. 

5. Regulatory technologies (Regtech). 
As political administrations change and governments increasingly seek to encourage broader cybersecurity regulations, the prominence of regtech can help sustain fintech security. These technologies are built to manage big data usage to ensure compliance with government standards. Often, this includes data encryption and de-identification processes meant to ensure consumer privacy. 

As the pandemic of cybercrime compounds the dangers of the coronavirus pandemic, fintech innovators are moving forward with solutions through technologies like these. From hybrid cloud storage that works to back-up data to regtech that makes compliance with government standards easier, fintech platforms can be better protected on all fronts. 

As a result, consumers will ideally see a more secure future for their financial data. 

A More Secure Future
As innovations like AI and machine learning became a standard of fintech cybersecurity, we can look forward to a world of safer data. This will require, however, highly certified and trained cybersecurity professionals who can assist companies in adopting and maintaining the new fintech.

Right now, the shortage of cybersecurity professionals is estimated to be as high as 3.5 million, and while AI can fill in, it cannot replace the need for human oversight. This makes cybersecurity a career that is more or less safe from automation, like many other careers that will likely remain safe from the practice. Instead of displacing work as AI might do to 20 million-plus manufacturing jobs, artificial intelligence stands to supplement skill shortages to make effective security more accessible.

With trends like blockchain and regtech emerging as helpful tools in the fight against cybercrime, the next step will be training a large enough security workforce to properly integrate this tech for the best results. Then, the potential of fintech tools can be effectively maximized for safer data security in the marketplace.

Friday, 5 February 2021

The Linux Flaw you can't afford to Ignore (CVE-2021-3156)

Linux and Unix operating systems require regular patching like any IT system, but as security professionals, ethical hackers, and criminal hackers will tell you, regular Linux and Unix patching is often neglected.

CVE-2021-3156 sudo Vulnerability
Last week (26th January 2021) a new critical rated Linux\Unix vulnerability was made public under CVE-2021-3156. Specifically, the vulnerability is within the 'sudo' program, which is an abbreviation of 'superuser do', well that's how I remember it. Sudo is a powerful and fundamental program found within all Linux and Unix distributions, allowing users to execute programs with the security privileges of another user. A typical use of sudo is where you need to run a program with privilege level (i.e. administrator) access rights.
The sudo 'heap overflow' vulnerability was discovered by Qualys researchers, the exploit allows any unprivileged user to gain root level (i.e. administrative) privileges.  Qualys has posted a blog and video which explains and demonstrates the exploitation technique, which as exploits go is fairly quick and easy to do. See CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) | Qualys Security Blog

Patches are available
Qualys rightly did not publically disclose the vulnerability until the sudo program author was able to write and release a fixed (patched) version of sudo. The fixed sudo version1.9.5p2 has been made available to download at www.sudo.ws.

Linux vendors have also released patches for the sudo vulnerability, including
At the time of writing this post, it has been reported MacOS Big Sur is also vulnerable, but Apple has not released a patch.

The Security Concern
This vulnerability in sudo has been present for nearly 10 years, all sudo versions prior to sudo 1.9.5p2 are to be considered vulnerable. The issue is Linux is embedded everywhere, yet many systems are rarely, and even never updated. From IoT devices to internet-based services, the security of countless devices and web-based services' are dependant upon a secure Lin
ux account privilege model. While their Linux operating systems remain unpatched to prevent exploitation of the CVE-2021-3156 vulnerability, they sit there insecure and waiting to be hacked.

Monday, 1 February 2021

Cyber Security Roundup for February 2021


A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, January 2021.

Throughout January further details about the scale and sophistication of SolarWinds suspected nation-state hack came to light. A growing number of cybersecurity vendors like CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks, Qualys and Mimecast all confirming as being targeted in the supply-chain espionage attack. The finger of suspicion is pointing directly at Russia, with the Russian backed hacking group APT29 'Fancy Bear' cited as the culprits by many security researchers and intelligence analysts. US Secretary of State Mike Pompeo and Attorney General Bill Barr both publically stated they believe Moscow are behind the attack, as did the chairs of the Senate and House of Representatives' intelligence committees. 

US government investigators and Microsoft have uncovered additional evidence, confirming the cyberattack started as far back as October 2019, with about 30% of victims having no direct connection to using SolarWinds CISA and the National Security Agency updated guidance to address configuration issues in Microsoft’s Office 365, with Microsoft confirming in a blog post it had “detected malicious SolarWinds binaries in our environment”. Mimecast confirmed a related certificate compromise after they were informed by Microsoft as part of their investigative efforts.

The End of Emotet?
There was positive cybersecurity news in January, with the European law enforcement agency Europol, working together with other international police agencies, to take down the Emotet botnet. Emotet is one of the most popular forms of malware used by ransomware cybercriminals to initially gain access into their victim's networks. Europol said in a statement an undisclosed number of servers, computers and other devices used by Emotet had been seized. Check Point commented on the news "Emotet was among the most popular malware variants seen in 2020, accounting for 7% of the organizations attacked for the month of December and 100,000 users every day as Christmas and New Year’s approached. After similar stints on top in September and October, the trojan saw a dropoff in November before roaring back ahead of the holidays."

The demise of Emotet came too late for Hackney Council, following its October ransomware attack by a suspected cybercriminal group, with the Council's staff and residents personal details found posted on the dark web in January. The Cybersecurity and Infrastructure Security Agency (CISA), part of the United States Department of Homeland Security, launched a new educational campaign encouraging governments, schools and private companies to take steps to protect their systems and data from ransomware. The CISA ransomware guidance is certainly of value to the same groups on this side of the pond, with CISA aptly commenting upon the release of guidance 'Anyone can be the victim of ransomware, and so everyone should take steps to protect their systems.

Cyber Security Careers Advice
I wrote a blog post detailing the Top Ten Cybersecurity Certifications in 2021, which was based on the data from a recent survey of a 90,000+ strong LinkedIn cybersecurity professional group. I also updated the Cyber Security Careers Advice page on The IT Security Expert website.  Also posted on Data Loss Prevention, Artificial Intelligence vs. Human Insight

Bye Bye Flash
Flash Player was finally put to bed by Adobe at the start of the new year after the software giants officially discontinued Flash after years of Flash security problems. Adobe asked users to uninstall the software before it blocked all Flash content from 12 January 2021. 

Flash was first released in 1996, making it possible to operate sophisticated web applications, animations, and games when web browser technology (way before HTML5) was unable and internet connection speeds were slow. Steve Jobs hammered one of the first nails into Flash's coffin ten years ago, openly criticising Flash and banning it from Apple mobile products. On the security front, there has been a whole raft of zero-day and critical vulnerabilities with Flash over the years (e.g.1234), with cybercriminals and nation-state groups pouncing on the countless security flaws to remotely execute malicious code and take over computers. 

Adobe has provided instructions for removing Flash on Windows and Mac computers on its website. It has warned: "Uninstalling Flash Player will help to secure your system since Adobe does not intend to issue Flash Player updates or security patches after the end-of-life date.", so make sure to say your final goodbyes or good riddance, but do double-check you have removed Flash from computers, especially if your computer goes back a few years.

Stay safe and secure.

BLOG

Friday, 22 January 2021

Data Loss Prevention: Artificial Intelligence vs. Human Insight

The cybersecurity landscape continues to evolve as cybercriminals become ever more sophisticated, and digital security tools accelerate to mitigate the risks as much as possible. 2020 presented even more opportunities for hackers to strike, for example, using email phishing scams such as purporting to be authentic PPE providers, or from HMRC to dupe unsuspecting victims. More recently we have seen how phishers are now using the vaccine rollout to trick people into paying for fake vaccines. 

Artificial Intelligence and Machine Learning have been heralded as innovative technologies to help thwart evolving exploits and are a key part of any cybersecurity arsenal. But AI is not necessarily the right tool for every job. Humans are still able to perform intricate decision making far better than machines, especially when it comes to determining what data is safe to send outside of the organisation. As such, relying on AI for this decision making can cause issues, or worse, lead to leaked data if the AI is not mature enough to fully grasp what is sensitive and what is not. So where can AI play an effective part in a cyber defence strategy and where can it present challenges to the user? Oliver Paterson, Product Expert VIPRE Security Awareness Training and SafeSend, explains.

Spotting Similarities
One of the primary challenges for AI to mitigate the risk from accidental insider breaches is being able to spot similarities between documents or knowing if it is ok to send a particular document to a specific person. Company templates such as invoices appear to be very similar each time they are sent, with minor differences that typically, Machine Learning and AI fail to pick up. The technology will register the document as it usually would, despite there being very few differences in the numbers or words used, and would typically allow the user to send the attachment. Whereas in this example, a human would know which invoice or sales quote should be sent to which customer or prospect.

Deploying AI for this purpose in a large corporation would likely only stop a small proportion of emails from being sent. But even when the AI detects an issue to flag, it will alert the administration team rather than the user. This is because if the AI believes that the email shouldn’t be sent, it doesn’t want the user to override it and send the email anyway. This can therefore become an additional burden for the admin team and cause frustration for the user at the same time.

Data Storage
AI can also be very data-intensive when used for this defence strategy. This is due to the fact that in this setup, every email must be sent to an external system, off-site, to be analysed. Especially for industries that deal with highly sensitive information, the fact that their data is going somewhere else to be scanned is a concern. Moreover, with Machine Learning, the technology has to keep a part of this sensitive information in order to learn rules from it and use it again and again, to make an accurate decision the next time. Given the Machine Learning nature of these types of solutions, they cannot work straight off the shelf, but have a learning phase that lasts a few months, and therefore cannot provide instant security controls.

Understandably, a lot of companies, especially at enterprise-level, are not comfortable with their sensitive data being sent elsewhere. The last thing they want is it being stored off-site, even if it is just for analysis. AI, therefore, adds an unnecessary and unwanted element of risk to sensitive material.

The Role of AI in Cybersecurity
AI does have a critical role to play in many elements of a business’ cyber defence strategy. Antivirus technology, for example, operates a strict ‘yes or no’ policy as to whether a file is potentially malicious or not. It’s not subjective, through a strict level of parameters, something is either considered a threat or not. The AI can quickly determine whether it’s going to crash the device, lock the machine, take down the network and as such, it is either removed or allowed. It is important to note that VIPRE uses AI and ML as key components in their email and endpoint security services for example as part of their email security attachment sandboxing solution where an email attachment is opened and tested by AI in an isolated environment away from a customer’s network.

So while AI might not be an ideal method for preventing accidental data leakage through email, it does have an important part to play in specific areas such as virus detection, sandboxing and threat analysis.

Conclusion
With so much reliance on email within business practices, accidental data leakage is an inevitable risk. The implications of reputational impact, compliance breach and associated financial damage can be devastating. A cyber-aware culture with continuous training is essential, and so is the right technology. Providing a technology that alerts users when they are potentially about to make a mistake – either by sending an email to the wrong person or sharing sensitive data about the company, its customers or staff – not only minimises errors, it helps to create a better email culture. Mistakes are easily made in a fast-paced, pressured working environment – especially with the increase in home working not providing the immediate peer review that many are used to. But rather than leaving this responsibility to Artificial Intelligence, this type of technology, combined with trained human insight, can enable users to make more informed decisions about the nature and legitimacy of their email before acting on it. Ultimately, supporting organisations to mitigate against this high-risk element of business, and reinforcing compliance credentials through a cyber-aware culture

Tuesday, 5 January 2021

The Top Cybersecurity Certifications in 2021

What are the Most Valued Cybersecurity Certifications in 2021?
This is an important question for employers, recruiters, seasoned security professionals, and especially for those planning a cybersecurity career. The Information Security Careers Network (ISCN) recently surveyed its LinkedIn community of over 90,000 members about the 50 leading cybersecurity industry certifications and courses. The results of which have been compiled into the following definitive top ten list of the most desired cybersecurity certifications in 2021.

CyberSecurity Certificates in High Demand by Employers
The Top Ten CyberSecurity Certificates and Courses


10. SANS Penetration Testing Courses
The selection of penetration testing courses and certifications offered by the SANS Institute are well regarded for helping both beginners and experts alike to increase technical cybersecurity expertise and paygrades. The SANS/GIAC Penetration Tester (GPEN)
9. Cybersecurity or Information Security University Degree
A cybersecurity or information security university degree is recommended for those looking to 'jumpstart' into a cybersecurity career, and for those seeking senior management and leadership roles as a career goal. However, most cybersecurity professionals surveyed by ISCN did not rate a degree as valuable to building up a ‘real world’ experience within dedicated junior security roles.

First or second class cybersecurity themed degrees with work experience (i.e. a sandwich course) from a reputable university can help a candidate's CV stand out from the crowd, but don't expect to walk straight into senior security professional roles without building up years of in-role experience.

The Times Higher Educational guide provides a list of the top universities offering computer science degrees.

8. Certified Cloud Security Professional (CCSP) by ISC2
Despite dropping a couple places from last year's ISCN survey, the Certified Cloud Security Professional (CSSP) from ISC2 remains popular among survey respondents, with 15% of them stating their intention to complete the course within the next 12-24 months.  

The popularity of CSSP has grown due to the migration from on-premise IT to cloud computing systems in recent years, with organisations short of expert security resources to help secure the cloud services which they are now highly dependent upon. 

CSSP is suitable for mid to advanced-level professionals involved with information security, IT architecture, governance, web and cloud security engineering, risk and compliance, as well as IT auditing. CCSP credential holders are competent in the following six domains:
  • Architectural Concepts and Design Requirements
  • Cloud Data Security
  • Cloud Platform and Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal and Compliance
Aside from the passing the CCSP exam, to achieve the certification, ISC2 requires information security professionals have a minimum of 5 years of work experience, including a minimum of 1 year of cloud security experience and 3 years of information security experience

7. CompTIA Security+
CompTIA Security+ is considered one of the best introductory security qualifications, suited for those taking their first steps in building a cybersecurity career.  As a globally recognised security certification, holding the CompTIA Security+ certification demonstrates knowledge of the baseline skills necessary to perform core security roles and functions. 

CompTIA Security+ provides a good platform to build an IT security career, useful for gaining junior security roles to help buildup all-important in-role experience and serves as a good foundation in taking on the more advanced topics found on the elite security certifications. 26% of survey respondents praised CompTIA Security+ relevance to real-world scenarios.

6. Certified Chief Information Security Officer (CCISO) by EC-Council
Increasing in popularity in recent years is the Certified Chief Information Security Officer (CCISO) by the EC-Council, which is suitable for those seeking to be promoted into senior managerial, leadership, and executive-level positions. 
33% of cybersecurity professionals stated that this course is one of the best for equipping participants to succeed in managerial positions. 

CCISO is considered the industry-leading CISO role training course. To achieve this certification, five years of experience is required in each of the course's five domains, along with passing the CCISO exam.
  1. Governance and Risk Management
  2. Information Security Controls, Compliance, and Audit Management
  3. Security Program Management and Operations
  4. Information Security Core Competencies
  5. Strategic Planning, Finance, Procurement, Vendor Management
5. Cisco Certified Network Professional (CCNP) Security
The Cisco Certified Network Professional certification (CCNP) Security remains a network security certification desired by employers, with 23% of surveyed respondents citing CCNP Security as a certification in demand. As a professional technical certification, Cisco's CCNP requires the passing of a core exam and a 'concentration exam' of your choice.

4. Certified Ethical Hacker (CEH) by EC-Council
EC-Council’s Certified Ethical Hacker (CEH) qualification consistently ranks near the top of security accreditations which are in highest demand within the security industry. The CEH course teaches practically on how to use the latest commercial-grade hacking tools, techniques, and methodologies to ethically and lawfully hack organisations.

The CEH online training course covers 18 security domains, comprehensively covering over 270 attack methods and technologies, while the certification requires passing a four-hour 125 exams questions the course domains, technologies, and hacking techniques.  Achieving CEH certification will open the door to financially lucrative and in high demand penetration tester roles, so little surprise that 21% of respondents stated their intent take CEH course within the next 12-24 months.

The EC-Council also provides following well-valued courses and certifications which didn't quite make it into this top ten.
3. Certified Information Security Manager (CISM) by ISACA
As its title suggests, the Certified Information Security Manager (CISM) by ISACA is suited for security management roles and is one of the most respected certifications within the security industry.  The CISM is not suited for beginners, a minimum of five years dedicated in role cybersecurity \ information security experience is required to take the course. 

The CISM course is designed for security managers, so has a strong focus on governance, strategy, and policies, which are split across four subject matter domains:
  1. Information Security Governance (24%)
  2. Information Risk Management (30%)
  3. Information Security Program Development and Management (27%)
  4. Information Security Incident Management (19%)
According to a 2020 salary study by Forbes, CISM was 3rd place overall with an impressive annual salary of £110,000 ($148,622 USD), which was the highest dedicated security certification listed by the study.

2. PWK OSCP by Offensive Security

As an online ethical hacking course, it is self-paced and introduces penetration testing tools and techniques through hands-on experiences. PEN-200 trains not only the skills but also the mindset required to be a successful penetration tester. Students who complete the course and pass the exam earn the Offensive Security Certified Professional (OSCP) certification.

The course was ranked highly in the survey results.  Cybersecurity professionals said the course provided strong relevance to the ‘real world’, ranking the OSCP qualification in second place in terms of how much it was ‘in-demand’ by employers.

1. Certified Information Security Professional (CISSP) by ISC2
The ISC2 Certified Information Systems Security Professional (CISSP) remains the security certification in the greatest demand within the security industry. A whopping 72% of those surveyed said the CISSP certification was in the most in-demand by employers.

CISSP is a longstanding and globally well-respected information security professional certification. Like the CISM, the CISSP is not aimed at beginners. The certification requires 5 years of information security in role experience, or 4 years if you hold a cyber / information security-related degree. 

The CISSP three-hour exam of 100 to 150 questions has proven notoriously difficult to pass for some because the CISSP course covers a very broad spectrum of information security disciplines, which are split across eight domains.  

The CISSP 8 domains are:
  1. Security and Risk Management (15%)
  2. Asset Security (10%)
  3. Security Architecture and Engineering (13%)
  4. Communication and Network Security (13%)
  5. Identity and Access Management (IAM) (13%)
  6. Security Assessment and Testing (12%)
  7. Security Operations (13%)
  8. Software Development Security (11%)
ISC2 also offer several CISSP 'concentrations' courses and exams for those holding the CISSP accreditation, which demonstrates an advanced knowledge in specific areas of security. While CISSP concentrations tend not to be specifically sorted by employers in job ads, CISSP concentrations can help you to stand out from the crowd as a specific security subject matter expert.

For those nearer the start of their cybersecurity career journey, ISC2 offer the Associate of ISC2, as a gateway towards achieving the CISSP.

Let us know your top ten in the comments.

Survey data for this post is kindly provided by the Information Security Careers Network (ISCN).

Friday, 1 January 2021

Cyber Security Roundup for January 2021

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, December 2020.

A suspected nation-state sophisticated cyber-attack of SolarWinds which led to the distribution of a tainted version the SolarWinds Orion network monitoring tool, compromising their customers, dominated the cyber headlines in mid-December 2020.  This was not only one of the most significant cyberattacks of 2020 but perhaps of all time. The United States news media reported the Pentagon, US intelligence agencies, nuclear labs, the Commerce, Justice, Treasury and Homeland Security departments, and several utilities were all compromised by the attack. For the full details of the SolarWinds cyber-attack see my article Sunburst: SolarWinds Orion Compromise Overview

Two other cyberattacks are possibly linked to the SolarWinds hack was also reported, the cyber-theft of sophisticated hacking tools from cybersecurity firm FireEye, a nation-state actor is suspected to be responsible. And the United States National Security Agency (NSA) advised a VMware security vulnerability was being exploited by Russian state-sponsored actors.

Amidst the steady stream of COVID-19 and Brexit news reports, yet another significant ransomware and cyber-extortion attack briefly made UK headlines. Hackers stole confidential records, including patient photos, from UK cosmetic surgery chain 'The Hospital Group', and threatening to publish patient's 'before and after' photos. The UK cosmetic surgery firm, which has a long history of celebrity endorsements, confirmed it was the victim of a ransomware attack, and that it had informed the UK's Information Commissioner's Office about their loss of personal data.

Spotify users had their passwords reset after security researchers alerted the music streaming platform of a leaky database which held the credentials of up to 350,000 Spotify users, which could have been part of a credential stuffing campaign. Security researchers at Avast reported 3 million devices may have been infected with malware hidden within 28 third-party Google Chrome and Microsoft Edge extensions.

A McAfee report said $1 Trillion was lost to cybercrime in 2020, and companies remained unprepared for cyberattacks in 2021.

Stay safe and secure.

BLOG

VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE