Tuesday 31 December 2019

Cyber Attacks are the Norm

By Babur Nawaz Khan, Product Marketing, A10 Networks

As we 2019, its time to have a look at the year 2020 and what it would have in store for enterprises.

Since we are in the business of securing our enterprise customers’ infrastructures, we keep a close eye on how the security and encryption landscape is changing so we can help our customers to stay one step ahead.

In 2019, ransomware made a comeback, worldwide mobile operators made aggressive strides in the transformation to 5G, and GDPR achieved its first full year of implementation and the industry saw some of the largest fines ever given for massive data breaches experienced by enterprises.

2020 will no doubt continue to bring a host of the not new, like the continued rash of DDoS attacks on government entities and cloud and gaming services, to the new and emerging. Below are just a few of the trends we see coming next year.

Ransomware will increase globally through 2020
Ransomware attacks are gaining widespread popularity because they can now be launched even against smaller players. Even a small amount of data can be used to hold an entire organisation, city or even country for ransom. The trend of attacks levied against North American cities and city governments will only continue to grow.

We will see at least three new strains of ransomware types introduced:

  • Modular or multi-leveled/layered ransomware and malware attacks will become the norm as this evasion technique becomes more prevalent. Modular attacks use multiple trojans and viruses to start the attack before the actual malware or ransomware is eventually downloaded and launched 
  • 70% of all malware attacks will use encryption to evade security measures (encrypted malware attacks)
To no surprise, the cyber security skills gap will keep on widening. As a result, security teams will struggle with creating fool-proof policies and leveraging the full potential of their security investments

Slow Adoption of new Encryption Standards
Although TLS 1.3 was ratified by the Internet Engineering Taskforce in August of 2018, we won’t see widespread or mainstream adoption: less than 10% of websites worldwide will start using TLS 1.3. TLS 1.2 will remain relevant, and therefore will remain the leading TLS version in use globally since it has not been compromised yet, it supports PFS, and the industry is generally slow when it comes to adopting new standards. Conversely, Elliptical-curve cryptology (ECC) ciphers will see more than 80% adoption as older ciphers, such as RSA ciphers, are disappearing.

Decryption: It’s not a Choice Any Longer
TLS decryption will become mainstream as more attacks leverage encryption for infection and data breaches. Since decryption remains a compute-intensive process, firewall performance degradation will remain higher than 50% and most enterprises will continue to overpay for SSL decryption due to lack of skills within the security teams. To mitigate firewall performance challenges and lack of skilled staff, enterprises will have to adopt dedicated decryption solutions as a more efficient option as next-generation firewalls (NGFWs) continue to polish their on-board decryption capabilities

Cyber attacks are indeed the new normal. Each year brings new security threats, data breaches and operational challenges, ensuing that businesses, governments and consumers have to always be on their toes. 2020 won’t be any different, particularly with the transformation to 5G mobile networks and the dramatic rise in IoT, by both consumers and businesses. The potential for massive and widespread cyber threats expands exponentially.

Let’s hope that organisations, as well as security vendors, focus on better understanding the security needs of the industry, and invest in solutions and policies that would give them a better chance at defending against the ever-evolving cyber threat landscape.

Monday 30 December 2019

Only Focused on Patching? You’re Not Doing Vulnerability Management

By Anthony Perridge, VP International, ThreatQuotient

When I speak to security professionals about vulnerability management, I find that there is still a lot of confusion in the market. Most people immediately think I’m referring to getting rid of the vulnerabilities in the hardware and software within their network, but vulnerability management encompasses a much broader scope.

Vulnerability management is not just vulnerability scanning, the technical task of scanning the network to get a full inventory of all software and hardware and precise versions and current vulnerabilities associated with each. Nor is it vulnerability assessment, a project with a defined start and end that includes vulnerability scanning and a report on vulnerabilities identified and recommendations for remediation. Vulnerability management is a holistic approach to vulnerabilities – an ongoing process to better manage your organisation’s vulnerabilities for the long run. This practice includes vulnerability assessment which, by definition, includes vulnerability scanning, but also other steps as described in the SANS white paper, Implementing a Vulnerability Management Process.

Just as the process of vulnerability management is broader than you might think, the definition of a vulnerability is as well. A vulnerability is the state of being exposed to the possibility of an attack. The technical vulnerabilities in your network are one component, but there is another important aspect that is often overlooked – the vulnerabilities specific to your company, industry and geography. You can’t only look internally at the state of your assets. You must also look externally at threat actors and the campaigns they are currently launching to get a more complete picture of your vulnerabilities and strengthen your security posture more effectively.

In The Art of War, Sun Tzu captured the value of this strategy well when he stated, “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Prioritise Patching Based on the Threat
As stated above, with respect to vulnerability management, most security organisations tend to focus on patching but because they don’t have the resources to patch everything quickly, they need to figure out what to patch first. To do this security teams typically take a thumbnail approach – they start with critical assets, the servers where their crown jewels are located, and work down to less critical assets. While a good starting point, their prioritisation decisions are based only on internal information. As Sun Tzu points out, knowing yourself but not the enemy will yield some victories but also defeats.

Having a platform that serves as a central repository allows you to aggregate internal threat and event data with external threat feeds and normalise that data so that it is in a usable format. By augmenting and enriching information from inside your environment with external threat intelligence about indicators, adversaries and their methods, you can map current attacks targeting your company, industry and geography to vulnerabilities in your assets. Intelligence about a campaign that presents an immediate and actual threat to your organisation leads to a more accurate assessment of priorities and may cause you to change your current patch plan to prioritise those systems that could be attacked at that moment. The result is intelligence-driven patch management that hardens your processes to thwart the attack


Bridge the Visibility Gap
Unfortunately, the reality is that not every company has 100% visibility into their assets and vulnerabilities, so mapping external threat data to internal indicators to hone a patch plan sometimes has limited value. However, there is still tremendous value in gathering information from global threat feeds and other external intelligence sources to determine if your business is under a specific attack. The MITRE ATT&CK framework is one such source. It dives deep into adversaries and their methodologies so security analysts can use that information to their advantage.

Bringing MITRE ATT&CK data into your repository allows you to start from a higher vantage point with information on adversaries and associated tactics, techniques and procedures. You can take a proactive approach, beginning with your organisation’s risk profile, mapping those risks to specific adversaries and their tactics, drilling down to techniques those adversaries are using and then investigating if these techniques could be successful or if related data have been identified in the environment. For example, you may be concerned with APT28 and can quickly answer questions including: What techniques do they apply? Have I seen potential indicators of compromise or possible related system events in my organisation? Are my endpoint technologies detecting those techniques? With answers to questions like these you can discover real threats, determine specific actions to harden your network and processes, and mitigate risk to your business.

A holistic approach to vulnerability management, that includes knowing yourself and your enemy, allows you to go beyond patching. It provides awareness and intelligence to effectively and efficiently mitigate your organisation’s risk and position your team to address other high-value activities – like detecting, containing and remediating actual attacks, and even anticipating potential threats.

Friday 20 December 2019

12 days of Christmas Security Predictions: What lies ahead in 2020

Marked by a shortage of cyber security talent and attackers willing to exploit any vulnerability to achieve their aims, this year emphasised the need for organisations to invest in security and understand their risk posture. With the number of vendors in the cyber security market rapidly growing, rising standard for managing identities and access, and organisations investing more in security tools, 2020 will be a transformational year for the sector.

According to Rob Norris, VP Head of Enterprise & Cyber Security EMEIA at Fujitsu: “We anticipate that 2020 will be a positive year for security, and encourage public and private sector to work together to bring more talent to the sector and raise the industry standards. As the threat landscape continues to expand with phishing and ransomware still popular, so will the security tools, leaving organisations with a variety of solutions. Next year will also be marked by a rush to create an Artificial Intelligence silver-bullet for cyber security and a move from old-fashioned password management practices to password-less technologies.”

“As cyber criminals continue to find new ways to strike, we’ll be working hard to help our customers across the world to prepare their people, processes and technology to deal with these threats. One thing to always keep in mind is that technology alone cannot stop a breach - this requires a cultural shift to educate employees across organisations about data and security governance. After all, people are always at the front line of a cyber-attack.”

What will 2020 bring with Cybersecurity?

In light of this, Rob Norris shares his “12 Days of Christmas” security predictions for the coming year.

1. A United front for Cyber Security Talent Development
The shortage of cyber security talent will only get worse in 2020 - if we allow it to.

The scarce talent pool of cyber security specialists has become a real problem with various reports estimating a global shortage of 3.5 million unfulfilled positions by 2021. New approaches to talent creation need to be considered.

The government, academia, law enforcement and businesses all have a part to play in talent identification and development and will need to work collaboratively to provide different pathways for students who may not ordinarily be suited to the traditional education route. Institutions offering new cyber security courses for technically gifted individuals are a great starting point, but more will need to be done in 2020 if the shortage is to be reduced.

2. Cloud Adoption Expands the Unknown Threat Landscape 
It will take time for organisations to understand their risk posture as the adoption of cloud services grows.

While the transition to cloud-based services will provide many operational, business and commercial benefits to organisations, there will be many CISO’s working to understand the risks to their business with new data flows, data storage and new services. Traditional networks, in particular, boundaries and control of services are typically very well understood while the velocity and momentum of cloud adoption services leaves CISO’s with unanswered questions. Valid concerns remain around container security, cloud storage, cloud sharing applications, identity theft and vulnerabilities yet to be understood, or exposed.

3. The Brexit Effect 
Brexit will have far-reaching cyber security implications for many organisations, in many countries.

The UK and European markets are suffering from uncertainty around the UK’s departure from the European Union, which will affect the adoption of cyber security services, as organisations will be reticent to spend until the impact of Brexit is fully understood.

The implications of data residency legislation, hosting, corporation tax, EU-UK security collaboration and information sharing are all questions that will need to be answered in 2020 post-Brexit. There is a long-standing collaborative relationship between the UK and its EU counterparts including European Certs and Europol and whilst the dynamics of those working relationships should continue, CISO’s and senior security personnel will be watching closely to observe the real impact.

4. SOAR Revolution 
Security Orchestration, Automation and Response (SOAR) is a real game-changer for cyber security and early adopters will see the benefits in 2020 as the threat landscape continues to expand.

Threat intelligence is a domain that has taken a while for organisations to understand in terms of terminology and real business benefits. SOAR is another domain that will take time to be understood and adopted, but the business benefits are also tangible. At a granular level, the correct adoption of SOAR will help organisations map, understand and improve their business processes. By making correct use of their technology stack and associated API’s early adopters will get faster and enhanced reporting and will improve their security posture through the reduction of the Mean Time To Respond (MTTR) to threats that could impact their reputation, operations and bottom-line.

5. Further Market Fragmentation will Frustrate CISOs 
The number of vendors in the cyber security market has been rapidly growing and that will continue in 2020, but this is leading to confusion for organisations.

The cyber security market is an increasingly saturated one, often at the frustration of CISO’s who are frequently asked to evaluate new products. Providers that can offer a combined set of cyber security services that deliver clear business outcomes will gain traction as they can offer benefits over the use of disparate security technologies such as a reduction in contract management, discount provisioned across services, single point of contacts and reduction in services and technologies to manage.

Providers that continue to acquire security technologies to enhance their stack such as Endpoint Detection and Response (EDR) or technology analytics, will be best positioned to provide the full Managed Detection and Response (MDR) services that organisations need.

6. Artificial Intelligence (AI) will need Real Security 
2020 will see a rise in the use of adversarial attacks to exploit vulnerabilities in AI systems.

There is a rush to create an AI silver-bullet for cyber security however, there is currently a lack of focus on security for AI. It is likely we will see a shift towards this research area as “adversarial” approaches to neural networks could potentially divulge partial or complete data points that the model was trained on. It is also possible to extract parts of a model leading to intellectual property theft as well as the ability to craft “adversarial” AI which can manipulate the intended model. Currently, it is hard to detect and remediate these attacks.

There will need to be more focus on explainable AI, which would allow for response and remediation on what are currently black-box models.

7. Organisations will need to Understand how to make better use of Security Tools and Controls at their Disposal 
Customers will need to take better advantage of the security measures that they already have available. 

The well-established cloud platforms already contain many integrated security features but organisations are failing to take advantage of these features, partly because they do not know about them. A greater understanding of these features will allow organisations to make smarter investment decisions and we expect to see a growing demand for advice and services that allow organisations to optimally configure and monitor those technologies to ensure they have minimal risk and exposure to threats.

Fujitsu predicted last year that securing multi-cloud environments will be key going forward and organisations continue to need to find a balance of native and third-party tools to drive the right solution for their objectives.

8. Do you WannaCry again? 
The end of support for Windows Server 2008 and Windows 7 will open the door for well-prepared attackers.

January 2020 sees the official end of support life for all variants of Windows Server 2008 and Windows 7, which share elements of the same code base. This means that both end-user devices and data center servers will be equally vulnerable to the same exploits and opens the possibility that organisations could be susceptible to attacks that cause large outages.

In 2017, Wannacry surfaced and caused some well-publicised outages including well-known organisations from across the healthcare, manufacturing, logistics and aerospace industries. Microsoft had released patches two months before and recommended using a later version of the impacted components. We also learned in 2017, via Edward Snowden, that nation-states have built up an armoury of previously undisclosed exploits. These exploits are documented to target the majority of publicly available Operating Systems and so it stands to reason that cyber criminals could have also built a war chest of tools which will surface once the end of vendor support has passed for these Operating systems.

9. Rising the Standard for Managing Identities and Access
Federated Authentication, Single Sign-On and Adaptive Multi-Factor will become standard, if not required, practices in 2020.

2020 will see organisations continuing their adoption of hybrid and multi-cloud infrastructures and a ‘cloud-first’ attitude for applications. This creates the challenge of managing the expanding bundle of associated identities and credentials across the organisation.

Identities and associated credentials are the key attack vector in a data breach - they are ‘keys to the kingdom’. Without sufficient controls, especially for those with privileged rights, it is becoming increasingly difficult for organisations to securely manage identities and mitigate the risk of a data breach. Capabilities such as Federation Authentication, Single Sign-On and Adaptive Multi-Factor address the challenge of balance between security and usability, and we see this becoming standard, if not required, practice in 2020.

10. Extortion Phishing on the Rise 
Taboo lures enhanced phishing and social engineering techniques will prey on user privacy.

We are seeing an increase in a form of phishing that would have a recipient believe their potentially embarrassing web browsing and private activity has been observed with spyware and will be made public unless a large ransom is paid.

Since their widespread emergence last year, the techniques used by these extortionists to evade filters continue to develop. Simple text-only emails from single addresses now come from ‘burnable’ single-use domains. Glyphs from the Cyrillic, Greek, Armenian and extended Latin alphabets are being used to substitute letters in the email to bypass keyword filters and Bitcoin wallets are rotated often and used to associate a recipient with a payment.

The psychological tricks used in the wording of these emails will develop and likely aid their continued success.

11. Passwords become a Thing of the Past 
We will see increasing adoption of end-to-end password-less access, especially in scenarios where Privileged Access Management (PAM) is required.

Next year we will see a move from old-fashioned password management practices to password-less technologies. The increasing number of cases where privileged credentials and passwords are required, but are painful to manage in secure and cost effective, way will drive this shift. Passwords are easy to forget and the increasing complexity requirements placed upon users increases the chances of passwords having to be written down – which is self-defeating. Biometric technologies and ephemeral certificates will provide a more secure and user-friendly way to manage credentials and ensure assets and data are kept secure.

12. Ransomware not so Random
As more organisations employ negotiators to work with threat actors, ransomware is likely to decrease next year.

In 2019, we observed a shift in the way certain ransomware ransom notes were constructed. Traditionally, ransomware notes are generic template text informing the victim that their files are encrypted and that they must pay a set amount of Bitcoin in order to have their files unencrypted.

When threat actors successfully deploy ransomware network-wide and achieve other deployment objectives, they inform their victims their files are encrypted. Crucially, however, they do not reveal the price they demand for their decryption. Instead, threat actors seek to open a dialogue with the victim to discuss a price. This change has seen organisations employ negotiators to work with threat actors on managing and, hopefully, reducing the demand and we expect this to continue in 2020.

Thursday 19 December 2019

How the Cyber Grinch Stole Christmas: Managing Retailer Supply Chain Cyber Risk

Cyber threats are always a prominent risk to businesses, especially those operating with high quantities of customer information in the retail space, with over 50% of global retailers were breached last year.  BitSight VP, Jake Olcott, has written guidance for retailers, on how to manage their supply-chain cyber risk to help prevent the 'Cyber Grinch' from not just stealing Christmas, but throughout the year, with four simple steps.


Cyber risk in retail is not a new concept. Retail is one of the most targeted industries when it comes to cyber-attacks. In fact, over 50% of global retailers were breached in the last year. Given the sensitive customer data these organizations often possess — like credit card information and personally identifiable information (PII) – it’s not surprising that attackers have been capitalizing on the industry for decades.

The Christmas shopping season can increase retailers’ cyber risk, with bad actors looking to take advantage of the massive surge of in-store and online shoppers that comes with it. What is important for retailers to keep in mind is that it’s not only their own network they have to worry about when it comes to mitigating cyber risk, but their entire supply chain ecosystem – from shipping distributors and production partners to point-of-sale technologies and beyond.

Take for example the infamous 2017 NotPetya attack that targeted large electric utilities, but actually ended up stalling operations for many retailers as a result. This nation-state attack had a snowball effect, wreaking havoc on shipping companies like FedEx and Maersk who are responsible for delivering many retail orders. FedEx operations were reduced to manual processes for pick-up, sort and delivery, and Maersk saw infections in part of its corporate network that paralyzed some systems in its container business and prevented retail customers from booking ships and receiving quotes.

For retailers, a cyber disruption in the supply chain can fundamentally disrupt operations, causing catastrophic harm to brand reputation, financial performance and regulatory repercussions – and the stakes are even higher during the make-or-break holiday sales period.

Here are some important steps they can take now to mitigate supply chain cyber risk this holiday season and beyond.
 
Step 1: Inventory your Supply Chain
A business today relies on an average of 89 vendors a week that have access to their network in order to perform various crucial business. As outsourcing and cloud adoption continue to rise across retail organizations, it is critical that they keep an up-to-date catalogue of every third party and service provider in the digital (or brick-and-mortar) supply chain and their network access points. These supply chain ecosystems can be massive, but previous examples have taught us that security issues impacting any individual organization can potentially disrupt the broader system.

An inventory of vendors and the systems they have access to allows security teams to keep track of all possible paths a cybercriminal may exploit and can help them better identify vulnerabilities and improve response time in the event of an incident.

Step 2: Take control of your Third-Party Accounts
Once you have a firm grasp of the supply chain, a critical focus should be to identify and manage any network accounts held by these organizations. While some suppliers may need access to complete their daily tasks, this shouldn’t mean handing them a full set of keys to the kingdom on their terms.

Retailers should ensure each vendor has an email account and credentials affiliated and managed by the retailer – not by the supplier organization and certainly not the user themselves. By taking this step, the retailer can ensure they are the first point of notification if and when an incident occurs and are in full control over the remediation process.


Step 3: Assess your Suppliers’ Security Posture
Retail security teams often conduct regular internal audits to evaluate their own security posture but fail to do so effectively when it comes to their supply chain relationships.

While a supplier’s security posture doesn’t necessarily indicate that their products and services contain security flaws, in the cyber world, where there’s smoke, there’s eventually fire. Poor security performance can be indicative of bad habits that could lead to increased vulnerability and risk exposure.

Having clear visibility into supplier security performance can help retailers quickly pinpoint security vulnerabilities and cyber incidents, while significantly speeding up communication and action to address the security concern at hand.

Step 4: Continuously Monitor for Changes
Third-party security performance assessment should not be treated as a one-and-done item on the supply chain management checklist.

The cyber threat landscape is volatile and ever-evolving, with new vulnerabilities and attack vectors cropping up virtually every day. That means retailers need solutions and strategies in place that provide a real-time, continuous and measurable pulse check of supplier security posture to ensure they are on top of potential threats before they impact the business and its customers.

Just as retailers track billions of packages and shipments in real-time to ensure there are no mistakes or bumps in the road, their vendor risk management program should be treated with the same due care.

This holiday season and beyond, it is critical that retailers invest in supply chain security management to reduce the risk of data breaches, slowdowns, and outages – and the costs and reputational damage that come along with them. After all, retailers are only as secure as their weakest third-party.

Tuesday 10 December 2019

Plundervolt! A new Intel Processor 'undervolting' Vulnerability

Researchers at the University of Birmingham have identified a weakness in Intel’s processors: by 'undervolting' the CPU, Intel’s secure enclave technology becomes vulnerable to attack.
A little bit of undervolting can cause a lot of problems

Modern processors are being pushed to perform faster than ever before – and with this comes increases in heat and power consumption. To manage this, many chip manufacturers allow frequency and voltage to be adjusted as and when needed – known as ‘undervolting’ or ‘overvolting’. This is done through privileged software interfaces, such as a “model-specific register” in Intel Core processors.

An international team of researchers from the University of Birmingham’s School of Computer Science along with researchers from imec-DistriNet (KU Leuven) and Graz University of Technology has been investigating how these interfaces can be exploited in Intel Core processors to undermine the system’s security in a project called Plundervolt.

Results released today and accepted to IEEE Security & Privacy 2020, show how the team was able to corrupt the integrity of Intel SGX on Intel Core processors by controlling the voltage when executing enclave computations – a method used to shield sensitive computations for example from malware. This means that even Intel SGX's memory encryption and authentication technology cannot protect against Plundervolt.

Intel has already responded to the security threat by supplying a microcode update to mitigate Plundervolt. The vulnerability has a CVSS base score of 7.9. high under CVE-2019-11157.
David Oswald, Senior Lecturer in Computer Security at the University of Birmingham, says: “To our knowledge, the weakness we’ve uncovered will only affect the security of SGX enclaves. Intel responded swiftly to the threat and users can protect their SGX enclaves by downloading Intel’s update.”

Monday 9 December 2019

MoJ Reports Over 400% Increase in Lost Laptops in Three Years

Apricorn, the leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives, today announced new findings from Freedom of Information (FoI) requests submitted to five government departments into the security of devices held by public sector employees. The Ministry of Justice (MoJ) lost 354 mobile phones, PCs, laptops and tablet devices in FY 2018/19 compared with 229 between 2017/2018. The number of lost laptops alone, has risen from 45 in 2016/17 to 101 in 2017/18 and up to 201 in 2018/2019, an increase of more than 400% in three years.

FoI requests were submitted to the MoJ, Ministry of Education (MoE), Ministry of Defence (MoD), NHS Digital and NHS England during September-November 2019. Of the five government departments contacted, three out of five government departments responded. The MoE also reported 91 devices lost or stolen in 2019, whilst NHS Digital have lost 35 to date in 2019.

“Whilst devices are easily misplaced, it’s concerning to see such vast numbers being lost and stolen, particularly given the fact these are government departments ultimately responsible for volumes of sensitive public data. A lost device can pose a significant risk to the government if it is not properly protected” said Jon Fielding, Managing Director, EMEA, Apricorn.

When questioned about the use of USB and other storage devices in the workplace, or when working remotely, all three departments confirmed that employees use USB devices. The MoJ added that all USB ports on laptops and desktops are restricted and can only be used when individuals have requested that the ports be unlocked. Each of the responding departments noted that all USB and storage devices are encrypted.

“Modern-day mobile working is designed to support the flexibility and efficiency increasingly required in 21st-century roles, but this also means that sensitive data is often stored on mobile and laptop devices. If a device that is not secured is lost and ends up in the wrong hands, the repercussions can be hugely detrimental, even more so with GDPR now in full force”, noted Fielding.

In a survey by Apricorn earlier this year, roughly a third (32%) of respondents said that their organisation had already experienced a data loss or breach as a direct result of mobile working and to add to this, 30% of respondents from organisations where the General Data Protection Regulation (GDPR) applies were concerned that mobile working is an area that will most likely cause them to be non-compliant.

All responding sectors did confirm that they have security policies in place that cover all mobile, storage and laptop devices.

“Knowing that these government departments have policies in place to protect sensitive data is somewhat reassuring, however, they need to be doing a lot more to avoid the risk of a data breach resulting from these lost devices. Corporately approved, hardware encrypted storage devices should be provided as standard. These should be whitelisted on the IT infrastructure, blocking access to all non-approved media. Should a device then ‘go missing’ the data cannot be accessed or used inappropriately” Fielding added.

About the FoI Requests
The research was conducted through Freedom of Information requests submitted through Whatdotheyknow.com. The requests, submitted between September and November 2019, along with the successful responses can be found at: https://www.whatdotheyknow.com/list/successful.

Friday 6 December 2019

Accelerated Digital Innovation to impact the Cybersecurity Threat Landscape in 2020

Its December and the Christmas lights are going up, so it can't be too early for cyber predictions for 2020.   With this in mind, Richard Starnes, Chief Security Strategist at Capgemini, sets out what the priorities will be for businesses in 2020 and beyond.


Accelerated digital innovation is a double-edged sword that will continue to hang over the cybersecurity threat landscape in 2020.  As businesses rapidly chase digital transformation and pursue the latest advancements in 5G, cloud and IoT, they do so at the risk of exposing more of their operations to cyber-attacks. These technologies have caused an explosion in the number of end-user devices, user interfaces, networks and data; the sheer scale of which is a headache for any cybersecurity professional. 

In order to aggressively turn the tide next year, cyber analysts can no longer avoid AI adoption or ignore the impact of 5G. 

AI Adoption
Hackers are already using AI to launch sophisticated attacks – for example AI algorithms can send ‘spear phishing’ tweets six times faster than a human and with twice the success. In 2020, by deploying intelligent, predictive systems, cyber analysts will be better positioned to anticipate the exponentially growing number of threats.

The Convergence of IT and OT
At the core of the Industry 4.0 trend is the convergence of operations technology (OT) and information technology (IT) networks, i.e. the convergence of industrial and traditional corporate IT systems. While this union of these formerly disparate networks certainly facilitates data exchange and enables organisations to improve business efficiency, it also comes with a host of new security concerns.

5G and IoT
While 5G promises faster speed and bandwidth for connections, it also comes with a new generation of security threats. 5G is expected to make more IoT services possible and the framework will no longer neatly fit into the traditional security models optimised for 4G. Security experts warn of threats related to the 5G-led IoT growth anticipated in 2020, such as a heightened risk of Distributed Denial-of-Service (DDoS) attacks.

Death of the Password
2020 could see organisations adopt new and sophisticated technologies to combat risks associated with weak passwords.

More Power to Data Protection Regulations
In 2020, regulations like GDPR, The California Consumer Privacy Act and PSD2 are expected to get harsher. We might also see announcements of codes of conduct specific to different business sectors like hospitality, aviation etc. All this will put pressure on businesses to make data security a top consideration at the board level.

Tuesday 3 December 2019

Cyber Security Roundup for November 2019

In recent years political motivated cyber-attacks during elections has become an expected norm, so it was no real surprise when the Labour Party reported it was hit with two DDoS cyber-attacks in the run up to the UK general election, which was well publicised by the media. However, what wasn't well publicised was both the Conservative Party and Liberal Democrats Party were also hit with cyber attacks. These weren't nation-state orchestrated cyberattacks either, black hat hacking group Lizard Squad, well known for their high profile DDoS attacks, are believed to be the culprits.

The launch of Disney Plus didn’t go exactly to plan, without hours of the streaming service going live, compromised Disney Plus user accounts credentials were being sold on the black market for as little as £2.30 a pop. Disney suggested hackers had obtained customer credentials from previously leaked identical credentials, as used by their customers on other compromised or insecure websites, and from keylogging malware. It's worth noting Disney Plus doesn’t use Multi-Factor Authentication (MFA), implementing MFA to protect their customer's accounts would have prevented the vast majority of Disney Plus account compromises in my view.

Trend Micro reported an insider stolen around 100,000 customer accounts details, with the data used by cyber con artists to make convincing scam phone calls impersonating their company to a number of their customers. In a statement, Trend Micro said it determined the attack was an inside job, an employee used fraudulent methods to access its customer support databases, retrieved the data and then sold it on. “Our open investigation has confirmed that this was not an external hack, but rather the work of a malicious internal source that engaged in a premeditated infiltration scheme to bypass our sophisticated controls,” the company said. The employee behind it was identified and fired, Trend Micro said it is working with law enforcement in an on-going investigation.

Security researchers found 4 billion records from 1.2 billion people on an unsecured Elasticsearch server. The personal information includes names, home and mobile phone numbers and email addresses and what may be information scraped from LinkedIn, Facebook and other social media sources.

T-Mobile reported a data breach of some their prepaid account customers. A T-Mobile spokesman said “Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. We promptly reported this to authorities”.

A French hospital was hit hard by a ransomware attack which has caused "very long delays in care". According to a spokesman, medical staff at Rouen University Hospital Centre (CHU) abandon PCs as ransomware had made them unusable, instead, staff returned to the "old-fashioned method of paper and pencil". No details about the strain of the ransomware have been released.

Microsoft released patches for 74 vulnerabilities in November, including 13 which are rated as critical. One of which was for a vulnerability with Internet Explorer (CVE-2019-1429), an ActiveX vulnerability known to be actively exploited by visiting malicious websites.

It was a busy month for blog articles and threat intelligence news, all are linked below.

BLOG
NEWS
VULNERABILITIES AND SECURITY UPDATES
AWARENESS, EDUCATION AND THREAT INTELLIGENCE HUAWEI NEWS AND THREAT INTELLIGENCE

Monday 2 December 2019

Three Consequences of a Misaddressed Email

Article by Andrea Babbs, UK General Manager, VIPRE SafeSend

With the number and sophistication of cyber attacks increasing significantly, organisations have had to become aware and adapt to new and evolving digital threats. Yet, many would still consider the simple error of sending an email to the wrong contact trivial, at most embarrassing, but not of concern when it comes to data security. However, misaddressed emails have far-reaching consequences that can seriously impact an organisation, especially in highly regulated industries such as healthcare and finance. From fines to data breaches, what are the potential ramifications of sending an email to the wrong address?

Reputational and Financial Damage

While accidentally dialling a wrong number can be a little embarrassing, the same cannot be said for sending an email to the wrong contact. You could try to correct the error with a follow-up email to apologise and request that the recipient delete the message, but even if you’ve spotted the error it’s often too late. Moreover, the misuse of CC and BCC functions could expose your entire contact database, potentially giving your competitors an opportunity to lure your customers or employees away, or worse – exposing customer emails to potential hackers.

BitMEX, one of the world’s largest cryptocurrency trading platforms accidentally leaked thousands of private customer email addresses when they sent out a mass mailshot without using the BCC function. While the company maintains that customer privacy remains a top priority, its customers were left wondering how they could trust BitMEX with huge personal assets in the aftermath of this data protection failure.

A similar incident in 2018 led to the Independent Inquiry into Child Sexual Abuse (IICSA) being fined £200,000 by the Information Commissioner’s Office (ICO) for failing to protect the identity of possible victims of child abuse after a human error accidentally exposed victim identities to third parties, when they included their email addresses in the ‘To’ rather than ‘BCC’ field. In the age of increased data protection regulations, this example demonstrates just how seriously the ICO takes these types of data breaches. The pain of embarrassment from sending an email to the wrong contact pales in comparison to the business pain from financial penalties.

Intellectual Property Loss
Should confidential corporate information fall into the wrong hands, the consequences could be devastating. Crucial company information such as trade secrets or blueprints of an unpatented new product leaking into the public domain could easily be intercepted by the competition, resulting in a lost competitive advantage.

All it takes is a simple missed or added character in the email address, autocorrect taking over, or simply pressing send too soon and the information that was once confidential is sitting in the wrong inbox. It could be that of an unknown individual, competitor, or even a cyber-criminal.

In 2018, Commonwealth Bank staff inadvertently sent 651 emails to an overseas company as they forgot to include ‘.au’ at the end of the domain that should have read ‘cba.com.au’. This data leak occurred over a long period without anyone noticing, so could have potentially exposed sensitive company data or private customer information to competitors, putting the company at serious risk. However, luckily on this occasion, the company confirmed that no customer data had been compromised.

Data Breach
The ICO found that misaddressed emails are the largest source of data loss for organisations – over 269 billion emails are sent around the world each day. Gone are the days when employees operated from a single office-based computer, the modern workforce is now working from potentially several locations across a number of devices. Combine this with increasing pressures on staff juggling deadlines and deliverables to perform better and faster, it’s no surprise that most don’t spend time verifying the accuracy of the email address they are about to send confidential information to – no organisation is immune to human error.

Hackers can capitalise on this complacent email culture by cleverly disguising emails to look like they are coming from inside the company, but actually, have a similar spoofed domain name that the employee would probably fail to spot on a first glance. Potentially opening the organisation up to a devastating hacking, malware or ransomware attack and a clear reason why Business Email Compromise (BEC) scams continue to be popular with cybercriminals.

Conclusion

The ramifications of misaddressed emails go far beyond just an embarrassing mishap – the threat that comes from accidental data leakage can be just as damaging as the external threat of cybercrime, especially as these leaks often go unnoticed for a period of time. Businesses need a clear strategy to address the issue of misaddressed emails and mitigate the associated risks to remain compliant and secure. What is required is a tool that prompts users for a double-check of their email based on set parameters, who it is being sent to, the contents and attachments. But this isn’t about adding time or delay to employees that are already under pressure – it’s about increasing awareness and improving email culture where mistakes can so easily be made.

Tuesday 26 November 2019

Tips for Brits to stay Secure on Black Friday

As Brits plan to go to extreme lengths to grab a bargain this Black Friday but are leaving themselves exposed to cyber-criminals?
  • Brits are gearing up to grab a bargain this Black Friday and Cyber Monday, with 17% already considering pulling a sickie.
  • Over half of UK online shoppers will use a mobile device to shop for deals, but more than one in five (21%) will shop on unsecured smartphones or using open wifi networks (19%).
  • F-Secure is warning people to install security software on any devices they’re shopping online with as last year the average count of spam increased by 45% during Cyber Monday.
  • Brits are one and a half times more likely to be affected by financial fraud than people in other countries with 26% of people reporting they or someone in their family has been affected by credit card fraud, compared to an average 17% in other countries.
  • New research highlights the lengths Brits will go to grab a bargain online, even though they may be leaving themselves vulnerable to cybercrime.
Ahead of the big shopping weekend, 17% of those surveyed admitted that they would consider pulling a sickie during Black Friday and Cyber Monday; 32% stated they were already putting items in their basket in anticipation; while a dedicated 18% admitted they would shop on their mobile phone while on the toilet to secure the best deals*.

Over half of UK online shoppers use a mobile device to shop for deals on Black Friday and Cyber Monday**, but more than one in five (21%) will shop on unsecured smartphones (with no security software installed). And nearly 1 in 5 (19%) intend to shop on their commute or during their lunch break using free public wifi (17%)*, all of which puts them at greater risk from cybercriminals who are also looking to cash in.

With Black Friday a growing phenomenon in the UK, and now the busiest retail period of the year, it’s no surprise that last year GCHQ predicted consumer loses of around £30 million due to online fraud.

The Common Security Pitfalls with Online Shipping at Peak Times
F-Secure has found that the biggest security pitfalls people fall into during online shopping peaks are:
  • Not having any protection on their mobile devices with three in four (75%) admitting that they don’t have security software installed to protect themselves from spam*.
  • Making one fateful click on a fake promotional email that promises an incredible deal, with over two thirds (69%) admitting they click on the links in emails rather than going directly to the website.
  • Having easy to guess passwords or the same password across multiple account log-ins, with only three in ten (30%) people ensuring all their accounts have strong, unique passwords, and just under one in eight (12%) using a password manager*. 
Tom Gaffney, cybersecurity consultant at F-Secure said: “When using a mobile phone, people are more likely to be in a System 1 mode of thinking where their guard is down and they make fast, unconscious, automatic decisions. People are much more error prone in this state of mind and more susceptible to cybercrime like phishing attacks. Add to this the heightened number of phishing emails - an increase of 45% during Cyber Monday and 21% leading up to the New Year in 2018 - and you’ve created a hackers field day.”

He continued: “Hackers prey on our vulnerabilities around this time of year so we’re urging consumers to be extra vigilant and to use software protection online to keep themselves safe.”

Additional international research by F-Secure, a company which has three decades of experience stopping advanced cyber attacks, shows that Brits are one and a half times more likely to be affected by financial fraud than people in other countries. Just over a quarter (26%) of people reported that they or someone in their family have been affected by credit card fraud, compared to an average 17% in other countries. Additionally, almost twice as many Brits (9%) reported unauthorised access to their online bank, in comparison to an average of 5% in other countries.


Top Tips to Stay Secure this Black Friday
To help keep consumers safe when shopping online this Black Friday, F-secure have shared their top five tips:

1. Forget your Passwords

If you can remember your passwords, they’re too weak. So what do you do with more than a dozen passwords you cannot remember? Use a password manager.

2. Secure all your Accounts with Two-Factor Authentication

The best password in the world can still be compromised if it is not properly secured by the site you’ve trusted with. Use two-factor authentication to secure your accounts whenever possible.

3. If you’re going to Shop on your Smart Phone, use a Retailer’s App

On your phone you maybe even more vulnerable to some basic scams. Since URLs are harder to view on a smaller screen, you could be tricked by the explosion of tricky newer top-level domains, such as .family or .club. Stick the official apps on your device and you won’t have to worry about checking those web addresses.

4. Use one Web Browser for all of your Shopping and Financial Transactions

It doesn't matter if it's Chrome, Firefox, Edge Opera or Safari. Pick one browser and only use it for anything that involves shopping, banking or checking your financial accounts. And don’t touch it for anything else—especially social media.

5. Take a Break from Clicking on the Links within Emails.
Criminals take advantage of holiday distractions and expectations of gifts and packages being shipped to your home. Keep your focus by avoiding clicking on links in all emails and going directly to a retailer or shipper’s site.

Consumers can find out more about F-secures online safety tools here: https://www.f-secure.com/gb-en/home

Consumer research for this articles statistics was carried out by Vital Research and Statistics, on behalf of F-secure, and surveyed a sample comprised of 2,005 UK adults. Research was carried out online between 1st November 2019 and 4th November 2019.

Friday 22 November 2019

The Challenges of UK Cyber Security Standards

Article by Matt Cable, VP Solutions Architect and MD Europe, Certes Networks

Public sector organisations in the UK are in the midst of changing cyber security regulations. In mid-2018, the Government, in collaboration the NCSC, published a minimum set of cyber security standards. These standards are now mandated, along with a focus on continually “raising the bar”. The standards set minimum requirements for organisations to protect sensitive information and key operational services, which – given the way in which these services are increasingly dispersed – is driving significant changes in public sector network architecture and security.

In addition to setting today’s ‘minimum’ standards, however, the guidance also sets a target date of 2023 by which public sector organisations will be expected to have adopted a ‘gold-standard’ cyber security profile. Matt Cable, VP Solutions Architect and MD Europe, Certes Networks, therefore outlines the essential considerations that will help organisations select an encryption solution provider that can easily integrate into any network infrastructure as they migrate from Legacy MPLS to SDN or SD-WAN network architectures.

The Principles
For both public and private sector organisations, customer experience is key. From finance and utilities, to local authorities and smart cities, customer touchpoints are increasingly dispersed, remote and application-driven, necessitating a move from Legacy MPLS to SDN or SD-WAN. However, under the Government’s new minimum cyber security standards framework, ensuring sensitive information and key services are protected is a critical consideration.

The UK’s National Cyber Security Centre (NCSC) has therefore issued principles for cyber secure enterprise technology to organisations, including guidance on deploying and buying network encryption, with the aim of reducing risks to the UK by securing public and private sector networks. This guidance bears parallels with the US National Institute of Standard and Technology’s (NIST) Cybersecurity Framework and therefore applies equally to US and other federal organisations in a similar scenario.

Similar to the NIST framework, the NCSC guidance shares the same principle that networks should not be trusted. It recommends that to keep sensitive information protected, encryption should be used between devices, the applications on them, and the services being accessed. IPsec is the recommended method for protecting all data travelling between two points on a network to provide an understood level of security, with further guidance outlining a specific ‘gold-standard’ cipher suite profile known as PRIME.

The guidance is based on the network vendor being CAS(T) certified (CESG (Communications Electronics Security Group) Assured Services (Telecommunications)), which involves an independent assessment focused on the key security areas of service availability, insider attack, unauthorised access to the network and physical attack.

However, there are challenges.

Challenge #1 – Public Sector Adherence to CAS(T)
Many public sector organisations are no longer mandating CAS(T) based services and therefore the risk appetite is expected to be lowered, mainly to support the emergence of internet and SD-WAN suppliers network solutions. This is key as the current NCSC recommendation Foundation standards for IPsec will expire in 2023, and users are being encouraged to move quickly off legacy platforms.

Challenge #2 – Impact to Cloud Service Providers and Bearer Networks
This guidance, such as the protection of information flows on dedicated links between organisations, also applies to cloud service providers, or in the inter-data-centre connections in such providers' networks.

The underlying bearer network is assumed not to provide any security or resilience. This means that any bearer network (such as the Internet, Wi-Fi 4/5G, or a commercial MPLS network) can be used. The choice of bearer network(s) will have an impact on the availability that an encrypted service can provide.

Challenge #3 – Partner Collaboration
NCSC explicitly states in its guidance that establishing trustworthy encrypted network links is not just about technology. It is also important that the management of these networks links is carried out by appropriate individuals, performing their assigned management activities in a competent and trusted fashion, from a management system that protects the overall integrity of the system. Thus, for encryption solution providers, the partner’s service credentials impact how the end user may use the technology.

The Solution
IPsec helps protect the confidentiality and integrity of information as it travels across less-trusted networks, by implementing network-based encryption to establish Virtual Private Networks (VPNs).

Under PRIME principles, devices which implement cryptographic protection of information using IPsec should:

  • Be managed by a competent authority in a manner that does not undermine the protection they provide, from a suitable management platform
  • Be configured to provide effective cryptographic protection
  • Use certificates as a means of identifying and trusting other devices, using a suitable PKI
  • Be independently assured to Foundation Grade, and operated in accordance with published Security Procedures
  • Be initially deployed in a manner that ensures their future trustworthiness
  • Be disposed of securely
Keeping the network design simple is one of the most effective ways to ensure the network provides the expected security and performance. The use of certificates generated in a cryptographically secure manner allows VPN gateways and clients to successfully identify themselves to each other while helping to mitigate brute force attacks.

Conclusion
There are many encryption solutions to help agencies and federal governments who want to move from Legacy MPLS to SDN or SD-WAN. Layer 4 encryption, for example, can integrate easily into any network and encrypt data in transit without disrupting performance or replacing the current network architecture.

Selecting a provider that can offer a PRIME compliant solution – such as Layer 4 encryption - is key in conforming to both today and tomorrow’s cybersecurity standards. And with NCSC starting to treat all networks as untrusted networks (especially those agencies using internet), PRIME is becoming the gold standard for which NCSC will measure regulatory compliance.

Therefore, it is important to consider a vendor that can offer a security solution that is not only compliant but is simple and uncomplicated, minimising disruption, resources and costs.

Thursday 21 November 2019

How Much is Your Data Worth on the Dark Web?

You may not know much about the dark web, but it may know things about you.

What is the Dark Web?

The dark web is a part of the internet that is not visible to search engines. What makes the dark web, dark? it allows users to anonymise their identity by hiding their IP addresses. This makes those using the dark web nearly impossible to identify.

Only 4% of the internet is available to the general public, which means a vast 96% of the internet is made up of the deep web. It’s important to note here, that the dark web is just a small section of the internet but it’s a powerful small sector.

How much are your bank details worth?
The dark web is full of stolen personal bank credentials. It’s common to see MasterCard, Visa, and American Express credentials on the dark web from a variety of different countries.

Credit card data in the US, UK, Canada and Australia increased in price anywhere from 33% to 83% in the time from 2015 to 2018. The average price for a UK Visa or Mastercard in 2015 was £9, however, this did increase to £17 in 2018. This is approximately an 83% increase. Bank accounts that can transfer funds in stealth mode to United Kingdom banks are considerably more expensive. An account with a £12,500 account balance goes for around £700.


How much are your subscription services worth?
The sale value of your PayPal credentials depends on the available account balance. PayPal details can be sold for as little as £40 and this can increase to £820 - £2,500 for an available balance of £6580.

Your Amazon, British Airways, Facebook, Fortnite and Netflix logins are also available on the dark web. These can go for around £7 which is surprising as they hold various information about your banking and identity. Stolen hotel loyalty programs and auctions accounts can cost as much as £1,150 due to the extensive information they provide the buyer.

Are you surprised to learn that even reward programs and viewing subscriptions can be purchased on dark web markets?


How much is your whole identity worth on the dark web
The average modern person now has many online accounts. These can range from email and Facebook to online shopping, food delivery and banking. Combine all of those accounts and the typical internet user's identity is worth around £987 to hackers. The personal loss for victims is of course much higher.

Jade works for Total Processing, an advanced independent payment gateway provider who answers only to our customers.

Wednesday 20 November 2019

GTP Security: Securing 5G Networks with a GTP Firewall

Anthony Webb, EMEA Vice President at A10 Networks

It is often written that 5G will usher in the Fourth Industrial Revolution and change the economy. The speeds and capacity that 5G network promises to bring has the potential to be an indispensable technology. Verizon estimated that by 2035, 5G “will enable £10.5 trillion of global economic output and support 22 million jobs worldwide.

Therefore, 5G is not only important because it has the potential to support millions of devices at ultrafast speeds, but also because it has the potential to transform the lives of people around the world. But with this new opportunity also comes higher security risks as cyberattacks grow in sophistication and volume and use lightly protected mobile and IoT devices in their botnets or targeted attacks.

GTP today

Since the early days of 3G or 2.5G, GPRS Tunnelling Protocol (GTP) has been used to carry traffic and signalling through mobile networks and has continued to do so in 4G/LTE and recent 5G non-standalone architectures. But GTP was never designed with security in mind and therefore has no inherent security mechanisms.

As traffic, devices and interconnection partners surge, so does the use of GTP. The transition to 5G is happening and most operators will opt to deploy 5G in stages, using a common 4G core as they build out the 5G RAN. As a result, threats to 4G core elements from GTP-based attacks will still be present during this hybrid period. This where operators must now include a GTP firewall as part of their current network security posture and as they evolve the network to 5G.

GTP vulnerabilities have been well known by the industry and documented in GSMA reports. What is required is a GTP firewall which stops attackers from trying to exploit GTP vulnerabilities on the interfaces exposed to the network. These attacks target both mobile subscribers and mobile network infrastructure. The most common GTP security issues include confidential data disclosures, denial of service, network overloads, and a range of fraud activities. In 5G, additional security measures have been added, but GTP will continue to play an important role, especially in roaming.

What is required?

The simple answer is scalable security. Mobile operators face the challenge of securing roaming and EPC interfaces where GTP protocols are used extensively in and are known to have vulnerabilities that can be readily exploited by malicious actors. As vulnerable devices and partners expand, so does the attack surface available for malicious purposes. Operators need to meet the growing security challenges while also providing a seamless subscriber experience.

As they move towards 5G, with likely a 4G common core for many years, operators will need to tackle the risks inherent in GTP, as threats continue to grow against a much larger volume of traffic and applications. Roaming traffic, with its high complexity and large number of interconnect partners and hubs, can be an especially vulnerable and attractive target for malicious actors.

Common Threats

The most common threats from a GTP based attacks include the following:
Eavesdropping – intercepting and snooping into GTP traffic gaining valuable and confidential subscriber information

  • Fraud: Attackers can use services at the expense of the operator or another subscriber using invalid or hijacked IMSI
  • Injection of malicious GTP messages: Disrupting sessions and creating DDoS
  • Subscriber denial of service: Spoofing subscriber IDs to generate malicious messages that cause service disruption for an individual subscriber
  • Message Suppression and Modification: Prevent message delivery or allow malicious content delivery, disrupting service
  • Network Overload/DDoS: Malicious, malformed or invalid signalling packets are sent that overwhelm network elements or cause vulnerable elements to fail
GTP Firewall 
A GTP firewall provides security and scalability, while protecting the mobile core against GTP-based threats mentioned above through GTP interfaces in the access networks and GRX/IPX interconnect to support uninterrupted operations. The GTP firewall can be inserted into multiple interfaces carrying the GTP traffic. The primary use case is being inserted on S5-Gn and S8-Gp (roaming firewall) interfaces.