Friday, 22 January 2021

Data Loss Prevention: Artificial Intelligence vs. Human Insight

The cybersecurity landscape continues to evolve as cybercriminals become ever more sophisticated, and digital security tools race to mitigate the risks as far as possible. 2020 presented even more opportunities for attackers to strike, for example phishing emails purporting to come from legitimate PPE suppliers or from HMRC to dupe unsuspecting victims. More recently, phishers have been using the vaccine rollout to trick people into paying for fake vaccines.

Artificial Intelligence and Machine Learning have been heralded as innovative technologies to help thwart evolving exploits and are a key part of any cybersecurity arsenal. But AI is not necessarily the right tool for every job. Humans still perform intricate, context-dependent decision making far better than machines, especially when it comes to determining what data is safe to send outside the organisation. Relying on AI for this decision can cause problems or, worse, lead to leaked data if the model is not mature enough to grasp what is sensitive and what is not. So where can AI play an effective part in a cyber defence strategy, and where can it present challenges to the user? Oliver Paterson, Product Expert for VIPRE Security Awareness Training and SafeSend, explains.

Spotting Similarities
One of the primary challenges for AI in mitigating accidental insider breaches is spotting the meaningful differences between near-identical documents, and knowing whether it is acceptable to send a particular document to a specific person. Company templates such as invoices and sales quotes look almost the same every time they are sent; the differences are a few numbers or names, which Machine Learning and AI typically fail to pick up. Because the document looks like every other invoice, the technology registers it as it usually would and allows the user to send the attachment. A human, by contrast, knows which invoice or sales quote should go to which customer or prospect.

Deploying AI for this purpose in a large corporation would likely stop only a small proportion of risky emails from being sent. And when the AI does flag an issue, it typically alerts the administration team rather than the user: if the AI believes the email should not be sent, it is designed so that the user cannot override it and send the email anyway. This becomes an additional burden for the admin team and a source of frustration for the user at the same time.
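One way to implement the rule-based, human-in-the-loop check the article argues for, as an added example that is not VIPRE's code or part of the original article: it reads the billing entity from an invoice attachment and warns the sender when an external recipient is not at that customer's registered domain. The customer register, mail domains and the two invoice texts are all constructed for the example. The similarity() helper shows how close two invoices from one template score on a byte-level comparison, which is exactly why the small differences that matter are easy to miss.

```python
"""
Added example: a rule-based pre-send check that keeps the sender in the loop.
Constructed illustration code, not VIPRE SafeSend or any other product.
Customer register, domains and invoice texts are all made up.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

INTERNAL_DOMAIN = "example.com"  # assumption: the sending organisation's mail domain

# Constructed customer register: the billing entity named on an invoice or quote
# and the only external mail domain that document may legitimately be sent to.
CUSTOMER_DOMAINS = {
    "Acme Ltd": "acme.example",
    "Globex Corp": "globex.example",
}

# Two constructed invoices built from the same template; only the numbers and the
# customer name differ, which is the case the article says ML struggles with.
INVOICE_ACME = (
    "INVOICE 2021-0142\nBill to: Acme Ltd\nService: Annual licence renewal\n"
    "Amount due: GBP 12,400.00\nPayment terms: 30 days\n"
)
INVOICE_GLOBEX = (
    "INVOICE 2021-0143\nBill to: Globex Corp\nService: Annual licence renewal\n"
    "Amount due: GBP 9,850.00\nPayment terms: 30 days\n"
)


@dataclass
class Attachment:
    name: str
    text: str  # text already extracted from the document


@dataclass
class OutboundEmail:
    sender: str
    recipients: list
    attachments: list


def similarity(a: str, b: str) -> float:
    """Byte-level similarity in [0, 1]; high for two invoices from one template."""
    return SequenceMatcher(None, a, b).ratio()


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def bill_to(text: str):
    """Return the billing entity named in the document, or None if there is none."""
    m = re.search(r"^Bill to:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def check_outbound(email, customers=CUSTOMER_DOMAINS, internal=INTERNAL_DOMAIN):
    """
    Return plain-language warnings to show the sender before the mail leaves.
    An empty list means nothing looked wrong. Deterministic rules, no model:
    the sender, not an admin team, sees the warning and makes the final call.
    """
    warnings = []
    external = [r for r in email.recipients if mail_domain(r) != internal]
    if not external:
        return warnings  # internal-only mail is out of scope for this check
    for att in email.attachments:
        customer = bill_to(att.text)
        if customer is None:
            warnings.append(f"{att.name}: no customer identified; confirm it is safe to send externally")
            continue
        allowed = customers.get(customer)
        if allowed is None:
            warnings.append(f"{att.name}: '{customer}' is not in the customer register")
            continue
        for rcpt in external:
            if mail_domain(rcpt) != allowed:
                warnings.append(f"{att.name} is addressed to {customer} but {rcpt} is not at {allowed}")
    return warnings


if __name__ == "__main__":
    print(f"similarity of the two invoices: {similarity(INVOICE_ACME, INVOICE_GLOBEX):.2f}")
    mail = OutboundEmail("alice@example.com", ["accounts@globex.example"],
                         [Attachment("invoice-0142.txt", INVOICE_ACME)])
    for w in check_outbound(mail):
        print("WARNING:", w)
```

Run as a script, it shows the two invoices scoring near 0.9 on similarity while the Acme invoice addressed to a Globex recipient is still caught, because the rule keys on the one field that matters rather than on how much the document resembles others.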

Data Storage
AI can also be very data-intensive when used for this defence strategy. In this kind of setup, every email must be sent to an external, off-site system to be analysed. For industries that deal with highly sensitive information in particular, the fact that their data is going somewhere else to be scanned is a concern. Moreover, a Machine Learning system has to retain part of this sensitive information in order to learn rules from it and reuse them to make an accurate decision the next time. Given their learning-based nature, these solutions cannot work straight off the shelf; they have a learning phase that lasts a few months, and therefore cannot provide instant security controls.

Understandably, a lot of companies, especially at enterprise level, are not comfortable with their sensitive data being sent elsewhere. The last thing they want is for it to be stored off-site, even if only for analysis. AI, therefore, adds an unnecessary and unwanted element of risk to sensitive material.

The Role of AI in Cybersecurity
AI does have a critical role to play in many elements of a business's cyber defence strategy. Antivirus technology, for example, operates a strict 'yes or no' policy as to whether a file is potentially malicious. The decision is not subjective: against a fixed set of parameters, something is either considered a threat or it is not. The AI can quickly determine whether a file is likely to crash the device, lock the machine or take down the network, and on that basis it is either removed or allowed. It is worth noting that VIPRE uses AI and ML as key components of its email and endpoint security services, for example in its email attachment sandboxing, where an attachment is opened and tested by AI in an isolated environment away from the customer's network.

So while AI might not be an ideal method for preventing accidental data leakage through email, it does have an important part to play in specific areas such as virus detection, sandboxing and threat analysis.

Conclusion
With so much reliance on email within business practices, accidental data leakage is an inevitable risk. The implications of reputational impact, compliance breach and associated financial damage can be devastating. A cyber-aware culture with continuous training is essential, and so is the right technology. Providing a technology that alerts users when they are potentially about to make a mistake – either by sending an email to the wrong person or sharing sensitive data about the company, its customers or staff – not only minimises errors, it helps to create a better email culture. Mistakes are easily made in a fast-paced, pressured working environment – especially with the increase in home working, which removes the immediate peer review that many are used to. But rather than leaving this responsibility to Artificial Intelligence alone, this type of technology, combined with trained human insight, enables users to make more informed decisions about the nature and legitimacy of their email before acting on it. Ultimately, it supports organisations in mitigating this high-risk element of business and reinforces their compliance credentials through a cyber-aware culture.

Tuesday, 5 January 2021

The Top Cybersecurity Certifications in 2021

What are the Most Valued Cybersecurity Certifications in 2021?
This is an important question for employers, recruiters, seasoned security professionals, and especially for those planning a cybersecurity career. The Information Security Careers Network (ISCN) recently surveyed its LinkedIn community of over 90,000 members about the 50 leading cybersecurity industry certifications and courses. The results have been compiled into the following top ten list of the most desired cybersecurity certifications in 2021.

The Top Ten Cybersecurity Certifications and Courses in Demand by Employers

10. SANS Penetration Testing Courses
The selection of penetration testing courses and certifications offered by the SANS Institute is well regarded for helping beginners and experts alike to increase their technical cybersecurity expertise and pay grades. The SANS/GIAC Penetration Tester (GPEN)

9. Cybersecurity or Information Security University Degree
A cybersecurity or information security university degree is recommended for those looking to 'jumpstart' a cybersecurity career, and for those with senior management and leadership roles as a career goal. However, most cybersecurity professionals surveyed by ISCN did not rate a degree as highly as building up 'real world' experience in dedicated junior security roles.

First- or second-class cybersecurity-themed degrees with work experience (i.e. a sandwich course) from a reputable university can help a candidate's CV stand out from the crowd, but don't expect to walk straight into senior security roles without building up years of in-role experience.

The Times Higher Education guide provides a list of the top universities offering computer science degrees.

8. Certified Cloud Security Professional (CCSP) by ISC2
Despite dropping a couple of places from last year's ISCN survey, the Certified Cloud Security Professional (CCSP) from ISC2 remains popular among survey respondents, with 15% stating their intention to complete the course within the next 12-24 months.

The popularity of the CCSP has grown with the migration from on-premise IT to cloud computing in recent years, which has left organisations short of the expert security resources needed to secure the cloud services on which they are now highly dependent.

The CCSP is suitable for mid- to advanced-level professionals involved in information security, IT architecture, governance, web and cloud security engineering, risk and compliance, and IT auditing. CCSP credential holders are competent in the following six domains:
  • Architectural Concepts and Design Requirements
  • Cloud Data Security
  • Cloud Platform and Infrastructure Security
  • Cloud Application Security
  • Operations
  • Legal and Compliance
Aside from passing the CCSP exam, ISC2 requires candidates to have a minimum of five years of work experience, including at least three years in information security and one year in cloud security.

7. CompTIA Security+
CompTIA Security+ is considered one of the best introductory security qualifications, suited to those taking their first steps in building a cybersecurity career. As a globally recognised security certification, holding CompTIA Security+ demonstrates knowledge of the baseline skills needed to perform core security roles and functions.

CompTIA Security+ provides a good platform on which to build an IT security career: it is useful for gaining junior security roles to build up all-important in-role experience, and serves as a good foundation for the more advanced topics found in the elite security certifications. 26% of survey respondents praised CompTIA Security+'s relevance to real-world scenarios.

6. Certified Chief Information Security Officer (CCISO) by EC-Council
Increasing in popularity in recent years is the Certified Chief Information Security Officer (CCISO) by the EC-Council, which is suited to those seeking promotion into senior managerial, leadership and executive-level positions.
33% of cybersecurity professionals stated that this course is one of the best for equipping participants to succeed in managerial positions. 

The CCISO is considered the industry-leading CISO training course. To achieve the certification, five years of experience is required in each of the course's five domains, along with passing the CCISO exam:
  1. Governance and Risk Management
  2. Information Security Controls, Compliance, and Audit Management
  3. Security Program Management and Operations
  4. Information Security Core Competencies
  5. Strategic Planning, Finance, Procurement, Vendor Management

5. Cisco Certified Network Professional (CCNP) Security
The Cisco Certified Network Professional (CCNP) Security remains a network security certification desired by employers, with 23% of surveyed respondents citing CCNP Security as a certification in demand. As a professional-level technical certification, Cisco's CCNP Security requires passing a core exam and a concentration exam of your choice.

4. Certified Ethical Hacker (CEH) by EC-Council
EC-Council's Certified Ethical Hacker (CEH) qualification consistently ranks near the top of the security accreditations in highest demand within the industry. The CEH course teaches, hands-on, how to use the latest commercial-grade hacking tools, techniques and methodologies to hack organisations ethically and lawfully.

The CEH online training course covers 18 security domains and over 270 attack methods and technologies, while the certification requires passing a four-hour, 125-question exam on the course domains, technologies and hacking techniques. Achieving CEH certification can open the door to lucrative and in-demand penetration tester roles, so it is little surprise that 21% of respondents stated their intent to take the CEH course within the next 12-24 months.

The EC-Council also provides the following well-regarded courses and certifications, which didn't quite make it into this top ten.

3. Certified Information Security Manager (CISM) by ISACA
As its title suggests, the Certified Information Security Manager (CISM) by ISACA is suited to security management roles and is one of the most respected certifications in the industry. The CISM is not suited to beginners: a minimum of five years of dedicated in-role cybersecurity / information security experience is required to become certified.

The CISM course is designed for security managers, so it has a strong focus on governance, strategy and policy, split across four subject-matter domains (with their exam weightings):
  1. Information Security Governance (24%)
  2. Information Risk Management (30%)
  3. Information Security Program Development and Management (27%)
  4. Information Security Incident Management (19%)
According to a 2020 salary study reported by Forbes, CISM ranked third overall with an impressive average annual salary of £110,000 ($148,622), the highest of any dedicated security certification listed in the study.

2. PWK OSCP by Offensive Security

Offensive Security's Penetration Testing with Kali Linux (PEN-200, also known as PWK) is an online, self-paced ethical hacking course that introduces penetration testing tools and techniques through hands-on experience. PEN-200 trains not only the skills but also the mindset required to be a successful penetration tester. Students who complete the course and pass the hands-on exam earn the Offensive Security Certified Professional (OSCP) certification.

The course ranked highly in the survey results: cybersecurity professionals said it has strong relevance to the 'real world', and ranked the OSCP qualification second in terms of how much it is in demand with employers.

1. Certified Information Systems Security Professional (CISSP) by ISC2
The ISC2 Certified Information Systems Security Professional (CISSP) remains the security certification in greatest demand within the industry: a whopping 72% of those surveyed said the CISSP was the certification most in demand with employers.

CISSP is a longstanding and globally well-respected information security certification. Like the CISM, the CISSP is not aimed at beginners. The certification requires five years of in-role information security experience, or four years if you hold a cyber / information security-related degree.

The three-hour CISSP exam of 100 to 150 questions has proven notoriously difficult for some to pass because it covers a very broad spectrum of information security disciplines, split across eight domains.

The eight CISSP domains (with their exam weightings) are:
  1. Security and Risk Management (15%)
  2. Asset Security (10%)
  3. Security Architecture and Engineering (13%)
  4. Communication and Network Security (13%)
  5. Identity and Access Management (IAM) (13%)
  6. Security Assessment and Testing (12%)
  7. Security Operations (13%)
  8. Software Development Security (11%)
ISC2 also offers several CISSP 'concentration' courses and exams for those holding the CISSP, which demonstrate advanced knowledge in specific areas of security. While CISSP concentrations tend not to be specifically sought by employers in job ads, they can help you stand out from the crowd as a subject-matter expert.

For those nearer the start of their cybersecurity career, ISC2 offers the Associate of ISC2 as a gateway towards achieving the CISSP.

Let us know your top ten in the comments.

Survey data for this post is kindly provided by the Information Security Careers Network (ISCN).

Friday, 1 January 2021

Cyber Security Roundup for January 2021

A sophisticated, suspected nation-state cyber-attack on SolarWinds, which led to the distribution of a tainted version of the SolarWinds Orion network monitoring tool and the compromise of its customers, dominated the cyber headlines in mid-December 2020. This was not only one of the most significant cyberattacks of 2020 but perhaps of all time. The United States news media reported that the Pentagon, US intelligence agencies, nuclear labs, the Commerce, Justice, Treasury and Homeland Security departments, and several utilities were all compromised. For the full details of the SolarWinds cyber-attack see my article Sunburst: SolarWinds Orion Compromise Overview.

Two other incidents possibly linked to the SolarWinds hack were also reported: the theft of sophisticated hacking tools from cybersecurity firm FireEye, for which a nation-state actor is suspected to be responsible, and an advisory from the United States National Security Agency (NSA) that a VMware security vulnerability was being exploited by Russian state-sponsored actors.

Amidst the steady stream of COVID-19 and Brexit news, yet another significant ransomware and cyber-extortion attack briefly made UK headlines. Hackers stole confidential records, including patient photos, from UK cosmetic surgery chain The Hospital Group and threatened to publish patients' 'before and after' photos. The firm, which has a long history of celebrity endorsements, confirmed it was the victim of a ransomware attack and that it had informed the UK's Information Commissioner's Office of the loss of personal data.

Spotify reset users' passwords after security researchers alerted the music streaming platform to an exposed database holding the credentials of up to 350,000 Spotify users, which appeared to be part of a credential stuffing campaign. Security researchers at Avast reported that 3 million devices may have been infected with malware hidden within 28 third-party Google Chrome and Microsoft Edge extensions.

A McAfee report estimated that cybercrime cost over $1 trillion in 2020, and that companies remain unprepared for cyberattacks in 2021.

Stay safe and secure.

Tuesday, 29 December 2020

Trends in IT-Security and IAM in 2021, the “New Normal” and beyond

Article by Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH

Yes, there is hope for 2021, but the challenges of the “New Normal” are here to stay. CISOs have to prepare and start acting now, because cybersecurity and IT infrastructure will have to face threats that have only just begun.

The year 2020 was the year working from home lost its oddity status and became normality. Big names like Google and Twitter are planning long term and holding out the prospect of permanent home working. More than 60 percent of companies are trying the same and implemented home office policies in 2020. But with great flexibility comes great responsibility: everyone responsible for cybersecurity and a secure IT infrastructure is now dealing with new challenges in closing the last gaps and weak points in how access to company resources is granted. Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH, a specialist in secure identity and access management (IAM), authentication and authorisation, sets out the top three issues CISOs have to look out for:

1. The Problem with Insider Threats will only get Worse
With more and more people working from home, the use of personal devices and private networks increases and further fuels the risk of insider threats. This does not come as a surprise. As early as 2018, Verizon's Data Breach Investigations Report recorded an increase in threats from "internal actors", meaning employees who knowingly or unknowingly disseminated data and other company information without authorisation. According to the 2020 report, insiders were involved in a striking 30% of breaches.

The Twitter incident in the summer of 2020 vividly illustrates the damage an insider threat can create. Attackers used social engineering against employees to gain access to internal administration tools. It is quite unlikely that any of Twitter's employees acted with malicious intent; still, they became the instrument of the attack. The result: although the account takeovers (ATOs) were used for fairly obvious scam posts, the attackers collected well over $100,000.

No company is immune to such attacks, and even strict cybersecurity policies have little effect because they are very difficult to enforce or monitor when people are working from home. It can therefore be assumed that the number of insider threats will increase by more than 20% in 2021.

2. Ransomware and Shadow-IT are bound to become the CISO's nightmare
Working from home came suddenly for most companies, pretty much overnight, and most corporations are still not sufficiently prepared for the challenges ahead. Unlike in the office, where the IT department can reasonably reliably control the software installed on employee PCs, the use of home networks and private devices opens up new attack vectors.

Employees often use third-party services, download free software or use private cloud services as a workaround when corporate services are not available. The storage of documents and access to data or other sensitive information on private devices will also continue to increase without CISOs being able to control it. Since private devices and networks are usually inadequately protected, they serve as a gateway for ransomware, which then spreads into corporate networks, encrypts data and extorts high ransoms. Gartner analysts had already predicted a 700% increase in 2017; the growth from the New Normal will dwarf those numbers and give CISOs many sleepless nights. Driven by system and network vulnerabilities, misconfigurations, phishing and the increase in credential attacks, we will likely see an exponential increase in ransomware attacks in 2021.

3. Mobile Devices Become a Favourite Target for Hackers
Developments such as multi-factor authentication (MFA) are improving the security of access to corporate services. On the flip side, they have put mobile devices in the crosshairs of attackers. As smartphones are now used for almost all online activities, the number of attack vectors has grown steadily with them. In addition to malware, which can be easily installed via third-party apps, especially on Android, and the manipulation of data or the exploitation of account-recovery weaknesses (such as the interception of magic links or PIN text messages), social engineering is a particularly popular approach here.

In addition to the widespread phishing e-mail, vishing (manipulating employees through fictitious calls from people posing as IT staff) and smishing (which works like phishing but uses SMS instead of e-mail) will increase sharply. Attackers will come up with new tricks to compromise mobile devices, and that can only make digital fraud worse.

2021: The Year We Abolish Trust
In a year in which we will have to learn a lot of things anew, CISOs are well advised not to build anything on trust, neither their network infrastructure nor their IAM. Zero-trust architectures that question every access to corporate resources must become the standard in the age of the New Normal. Restricting resource access to a physical location, an IP address or VPN access is counterproductive and difficult to manage if employees are to work from remote locations. Digital identity will shift from user identity alone to the combined identity of the device and the user. Only this will enable modern and secure identity and access management.

Wednesday, 23 December 2020

Fact vs. Fiction: Film Industry's Portrayal of Cybersecurity

Article by Beau Peters

The movie industry is infamous for its loose depictions of hacking and cybersecurity. Hollywood often gets a lot wrong about hacking and digital protections, but what does it get right?

The power of film in influencing the future of technology and the experts who create it is immense. Because of this, it is important to separate the facts from movie fiction. Here, we'll explore the film industry's portrayal of cybersecurity.

Cybersecurity in Movies
From WarGames to Blackhat, hacking and cybersecurity movies have glamourised the world of digital safety and the compromising of it. However, each Hollywood outing does so with varying levels of realism, typically embracing excitement over reality.
In the 1983 film WarGames, a young hacker almost triggers World War 3
These portrayals have led to common tropes about the cybersecurity industry and its attempts to prevent and combat hacking attempts. Among them are the following, each occurring with varying degrees of absurdity.

1. Hacking is exciting, fast, and often ethical
The trope of a computer-savvy individual slamming on a keyboard for a few seconds and saying “I’m in” is common enough to be a defining joke about cybersecurity in film. Hacking is shown as a process that takes minutes and has instant results. This is far from reality, where an intrusion can take weeks or even months to produce results.

And the results of actual digital break-ins are often far from ethical. Movies tend to show hacking as a victimless crime, but real-life hacking tends to mean data theft that can have severe implications for people’s lives.

2. There is a visually distinct or compelling element to hacking
Hollywood has to keep an audience engaged. Because of this, hacking and cybersecurity are often paired with some visually striking element that would simply be ridiculous in reality.

Jurassic Park has a great scene exemplifying this trope. Under attack from a velociraptor, a child logs on to a computer and proceeds to navigate a 3D maze representing the computer system’s files. In reality, typing a few commands would have achieved the result faster. However, this wouldn’t have been as exciting.

3. Hacking and cybersecurity are defined by excessively fast typing
You always know a hacker or a computer systems expert by their excessively fast keyboard smashing. In movies and TV, computer experts are always clicking away at a keyboard at speeds few of us could match, speeds that are unlikely to result in very productive work given the mistakes they would cause and the time needed to assess the situation.

However, fast typing is a staple of hacking movies. The faster you type, the faster you can get into or defend a system.

When compared to the reality of cybersecurity, these Hollywood portrayals often come up short. Though some movies are getting better at portraying hacking and security, they rarely capture the grittier, less exciting truth.

Cybersecurity in Reality
In reality, hacking is a much more time-consuming and tedious process, with results that have real impacts on the lives of everyday people. Hollywood neglects some of these finer points in favour of spectacle, as can be expected. Cybersecurity comes with its own set of tedious practices as well as the more glamorous aspects of navigating computer systems.

Here are just a few ways that hacking and cybersecurity operate in the real world that movies tend to obscure or fail to depict:

1. Hacking is about information more than profit.
While cybercriminals can sometimes come away with a profit, doing so is incredibly difficult and not very common. Ransomware is sometimes used to extort money from corporations: a cybercriminal uses malware to hold a system hostage until a payment is made. However, break-ins usually result in little more than data theft or disruption, with costly implications for businesses and individuals.

For example, Distributed Denial of Service (DDoS) attacks are used to slow or stop a business's computer processes. This doesn’t necessarily result in any money for the attackers, but the downtime can cost companies thousands to millions of dollars.

2. Hackers rely heavily on phishing and social engineering.
Breaking into a system often requires valid user IDs and account passwords. This means attackers tend to use phishing and social engineering to harvest credentials. They use all kinds of bots and scams to try to trick ordinary individuals into clicking a link or divulging personal information.

However, this means that a lot of good can be done in cybersecurity without even needing to code. Simply teaching teams what to look for in avoiding scams and fraud can be a great way to approach cybersecurity incident management and keep private data safe.

3. White-hat hackers are real, and they make good money.
One thing movies sometimes get right is that hackers can be the good guys. There is a whole category of ethical hackers who often work as bounty hunters to find flaws in a company's cybersecurity systems. These so-called “white hat” hackers attempt to break in and are paid a bounty if they can reveal security deficiencies.

Sometimes, white-hat hacking comes with a significant paycheck. The bounty platform HackerOne paid out $40 million across 2020 alone, making seven different hackers millionaires in a single year.

With the desperate need for individuals in the cybersecurity field, the truth about hacking is important to note. While Hollywood can make hacking seem glamorous and exciting, the truth is that many hacking processes come with dangerous implications. However, hacking can also be used to benefit the safety of information in ethical bounty situations.

With the emergence of cloud computing as a standard for remote workspaces, security professionals are needed now more than ever. Secure public and private cloud solutions are required for a functioning application marketplace, and cybersecurity professionals play a key role in maintaining that safety.

While cybersecurity isn’t always exciting, the results of keeping systems safe are much more rewarding than the black-hat alternatives.

Conclusion
The movie industry propagates a view of the cybersecurity field that is often far from reality. However, by acknowledging the departures from the truth, we get a better idea of the need for and value of cybersecurity solutions as a whole, especially in the modern world of accelerated digital innovation.

While hacking and cybersecurity might not be anywhere near as exciting as they are in movies, working in cybersecurity, whether as a systems expert or a white-hat hacker, can mean a big paycheck and a safer world for the people you know and love. And that reality is better than any movie.

    Tuesday, 22 December 2020

    Six Trends Shaping the 2021 Cybersecurity Outlook

    Article by Tom Kellerman, Head of Cybersecurity Strategy, Rick McElroy, Head of Security Strategy and Greg Foss, Senior Cybersecurity Strategist, VMware Carbon Black

    Everything is different, and yet the same. As we look ahead to the cybersecurity landscape in the next 12 months, it is from a position no one predicted this time last year. Business operations have changed beyond recognition with most employees working from home in a transition that happened almost overnight. Stretched security teams have been challenged to rapidly deploy robust remote working facilities to maintain productivity. Most were writing the ‘pandemic playbook’ as they went along.

    Ironically, one of the few certainties of the situation was that cybercriminals would take advantage of disruption to escalate campaigns. In that sense, nothing changed, except that the opportunity was suddenly much greater. As a result, nine in ten security professionals surveyed by our Threat Analysis Unit said they were facing increased attack volumes, which they attributed to the newly distributed working environment.

    The effects of COVID-19 will continue to impact the cybersecurity sector for some time, but they are not the only considerations. This year we’ve seen cybercrime and cybercriminal groups continue along a path of technical and industry innovation that will see new strategies and tactics gain traction in 2021. We have also seen cyber defences tested like never before and, for the most part, they have held firm; there is reason for cybersecurity professionals to be optimistic.

    With this in mind, the following are six trends we expect to see, and key areas cybersecurity professionals should keep their eyes on in 2021.

    1. Remote-Working Focuses Attacker Attention on Mobile Compromise
    As business becomes more mobile than ever and remote working persists, mobile devices and operating systems will be increasingly targeted. As employees use personal devices to review and share sensitive corporate information, these become an excellent point of ingress for attackers. If hackers can get into your Android or iPhone, they will then be able to island-hop into the corporate networks you access, whether by deactivating VPNs or breaking down firewalls.

    We will also see hackers using malware such as Shlayer to access iOS, ultimately turning Siri into their personal listening device to eavesdrop on sensitive business communications.

    Combating these risks requires a combination of new mobile device policies and infrastructure designed to facilitate continued remote working, as well as raising employee awareness of the persistent risks and the importance of digital distancing.

    2. Continuing Direct Impacts on Healthcare
    In terms of the direct impact of COVID-19, the healthcare sector, at the heart of crisis response, will see the adaptations it made to try and maintain patient services become a vulnerability. With growing reliance on telemedicine for routine medical appointments, lucrative personally identifiable information (PII) is being accessed from remote locations and as a result is more easily intercepted by hackers. At the same time, vaccine-related data pertaining to trials and formulae is some of the most sought-after intellectual property right now, and the drive to get hold of it for financial or political gain is putting healthcare and biotech organisations under intense pressure from external threats and insider risk.

    That said, the strain on healthcare cybersecurity is not going unheeded; we will see increased IT and security budgets in the sector to combat the growth in external threats.

    3. Emerging Tactical Trends: Cloud-Jacking and Destructive ICS Attacks
    As the new year dawns, we will see tried and tested tactics evolving to become more sophisticated and take advantage of changes in network architecture. Cloud-jacking through public clouds will become the island-hopping strategy of choice for cybercriminals as opportunity proliferates due to the overreliance on public clouds by the newly distributed workforce.

    It won’t be only the virtual environment under threat. Increasing cyber-physical integration will tempt nation state-sponsored groups into bolder, more destructive attacks against industrial control system (ICS) environments. Critical National Infrastructure, energy and manufacturing companies will be in the crosshairs as OT threats ramp up. Our analysts are seeing new ICS-specific malware changing hands on the dark web and we are likely to see it in action in the coming year.

    4. The Ransomware Economy Pivots to Extortion and Collaboration
    Another familiar tactic taking on a new twist is ransomware. Ransomware groups have evolved their approach to neutralise the defensive effect of back-ups and disaster recovery by making sure they’ve exfiltrated all the data they need before the victim knows they’re under attack. Once the systems are locked attackers use the data in their possession to extort victims to pay to prevent the breach becoming public. And if that fails, they can sell the data anyway, meaning the victim is doubly damaged.

    Ransomware is such big business that the leading groups are collaborating, sharing resources and infrastructure to develop more sophisticated and lucrative campaigns. Not all collaborations will be successful, however, and we’ll see groups disagreeing on the ethics of targeting vulnerable sectors such as healthcare.

    5. AI Utilised for Defensive and Offensive Purposes
    Technology innovation is as relevant to attackers as it is to defenders and, while artificial intelligence and machine learning have significant benefits in cybersecurity, we can expect to see adversaries continue to advance in the way AI/ML principles are used for post-exploitation activities. They’ll leverage collected information to pivot to other systems, move laterally and spread efficiently – all through automation.

    The silver lining is that in 2021 defenders will begin to see significant AI/ML advancements and integrations into the security stack. Security automation will be simplified and integrated into the arsenal of more organisations – not just those with mature SOCs. As awareness of how attackers are using automation increases, we can expect defenders to fix the issue, maximising automation to spot malicious activity faster than ever before.

    6. Defender Confidence is Justifiably on the Rise
    To finish on a resoundingly positive note, this year we saw cyber defences placed under inconceivable strain and they flexed in response. Yes, there were vulnerabilities due to the rapidity of the switch to fully remote working, but on the whole security tools and processes are working. Defender technology is doing the job it is designed to do, and that is no small feat.

    The mission-critical nature of cybersecurity has never been more apparent than in 2020 as teams have risen to the challenge of uniquely difficult circumstances. In recognition of this we will see board-level support and a much healthier relationship between IT and security teams as they collaborate to simultaneously empower and safeguard users. 2020 has been the catalyst for change for which we were more than ready.

    Monday, 21 December 2020

    Predicted Data Classification Trends for 2021

    Article by Adam Strange, Data Classification Specialist, HelpSystems

    In the digitally accelerated COVID-19 environment of 2021, what are the top data security trends that organisations are facing? Here is HelpSystems Data Classification Specialist Adam Strange’s take on the outlook and trends for 2021.

    Ongoing Growth in Remote Working will Create Data Security Threats
    • The far-reaching impact of COVID-19 includes the intensified threat of malicious cyber attacks as well as an escalating number of damaging data breaches across almost every sector of business. The rapid shift to remote working during the pandemic left many employers exposed to hackers and highlighted multiple examples of serious network and data vulnerabilities.
    • For example, in a recent article, Infosecurity Magazine quotes research finding that attacks on the biotech and pharmaceutical industry alone rose by 50% in 2020 compared to 2019. And in the defence sector, The Pentagon is seeing a huge rise in cyber attacks through the pandemic, where unprecedented numbers of employees are forced to communicate through their own devices. 
    • As more companies move to facilitate a semi-permanent remote workforce, data security ecosystems will evolve to become more complex and advanced data management and classification solutions will be a critical technology investment.
    • ‘Insider threat’ will be categorised as the most prominent tier 1 data security risk in 2021, necessitating stricter corporate guidelines and protocols in data classification, as well as comprehensive employee education programmes around data security. 
    • HelpSystems’ recent research interviewed 250 CISOs and CIOs in financial institutions about the cybersecurity challenges they face and found that insider threat - whether intentional or accidental - was cited by more than a third (35%) of survey respondents as one of the threats with the potential to cause the most damage in the next 12 months. 
    • Further, the latest Information Commissioner’s Office (ICO) report confirmed that misdirected email remains one of the UK’s most prominent causes of security incidents, demonstrating the need for all organisations to control the dissemination of their classified data. 
    • HelpSystems’ technologies in data security and classification are enabling businesses to regain control of sensitive data, identify sensitive data by scanning and analysing data at rest and classify and protect personal data by detecting PII at creation. 
    A Security Culture needs to be Embedded into Organisations, especially as Insider Breach Risk continues to Grow
    • In 2021 data governance will take centre stage in data security and privacy strategies. Companies will create Centres of Excellence (COE) to embed a solid data security culture across teams and corporate divisions and to formalise in-house data management processes, rolling out divisional best practice and placing data classification at the foundation of their data security strategy.
    • Employees play a vital role in ensuring the organisation maintains a strong data privacy posture. For this to be effective, organisations need to provide regular security awareness training to protect sensitive information, which means investing in user training and education programmes. 
    • The security culture of the firm must be inclusive towards all employees, making sure they are continually trained so that their approach to security becomes part of their everyday working practice, irrespective of their location, and security becomes embedded into all their actions and the ethos of the business. 
    • Data classification solutions will allow businesses to protect data by putting appropriate security labels in place. HelpSystems data classification uses both visual and metadata labels to classify both emails and documents according to their sensitivity. Once labelled, data is controlled to ensure that emails, documents and files are only sent to those that should be receiving them, protecting sensitive information from accidental loss, through misdirected emails and the inadvertent sharing of restricted documents and files. 
    Supply Chain Ecosystem Risk will get Bigger
    • Accenture reports that 94% of Fortune 100 companies experienced supply chain disruptions from COVID-19, and that as much as 40% of cyber threats are now occurring indirectly through the supply chain.
    • 2020 has been the year where businesses realised more than ever that data security across the supply chain was only as strong as its weakest link, where exposing a business’s network and sensitive data to its suppliers had the potential to carry significant additional risk. 
    • HelpSystems’ recent report interviewed 250 CISOs and CIOs from financial institutions about the cybersecurity challenges they face and nearly half (46%) said that cybersecurity weaknesses in the supply chain had the biggest potential to cause the most damage in the next 12 months. 
    • But sharing information with suppliers is essential for the supply chain to function. Most organisations go to great lengths to secure intellectual property (IP), personally identifiable information (PII) and other sensitive data internally, yet when this information is shared across the supply chain, it doesn’t get the same robust attention. 
    • The demand for greater resilience across supply chain operations in 2021 will require businesses to move quickly to overhaul existing tech investments and prioritise data governance. Organisations must ensure basic controls are implemented around their suppliers’ IT infrastructure and that they have robust security measures in place. 
    • Advanced data classification capabilities will deliver assurance and control to numerous industries including finance, defence and government. HelpSystems advises organisations to ensure their suppliers have a robust approach to security and information risk with security frameworks such as ISO 27001 and Cyber Essentials in place. 
    • Organisations should implement a data classification scheme and embed data risk management into the procurement lifecycle processes from start to finish. By effectively embedding data risk management, categorisation and classification into procurement and vendor management processes, businesses will prevent their suppliers’ vulnerabilities becoming their own and more effectively secure data in the supply chain. 
    Data Privacy Regulations set to Increase
    • An increased focus on data privacy and the protection of personal data, together with the continuing shift in privacy law reflected in the EU’s landmark GDPR in 2018, the US’s CCPA this year and the CPRA set to take effect in 2023, has changed the data regulatory landscape. We can expect to see similar US compliance rulings come into force beyond California through 2021.
    • In addition to individual state privacy rulings, we can expect to see federal US-wide regulation come into force. 
    • This new phase in privacy regulation will be complex and enforcement will demand changes in people, process and technology - proper corporate data governance programmes, employee training and solid data management systems in every organisation to counter reputational risk and hefty fines. 
    • Data automation will also be a priority as companies struggle to deliver relevant data protection strategies for every level of business and its users, across all platforms and infrastructures to conform with individual state and international laws. 
    • HelpSystems’ unified security, compliance and data classification solutions simplify compliance reporting, enabling businesses to easily generate the documentation necessary to identify security issues, give auditors the information they need and prove compliance. 

    Saturday, 19 December 2020

    Sunburst: SolarWinds Orion Compromise Overview

    On 13th December 2020, it came to light that SolarWinds’ IT systems had been compromised by hackers between March 2020 and June 2020. SolarWinds provides software to help organisations manage their IT networking infrastructure. The attackers exploited their SolarWinds IT access to covertly insert a vulnerability, coined 'Sunburst', within the SolarWinds Orion platform software builds. 

    The following SolarWinds Orion versions are considered to be compromised:
    • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
    • Orion Platform 2020.2 RC1, version 2020.2.100.12219
    • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
    • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
    The vulnerability within these 'tainted' SolarWinds Orion versions permits an attacker to compromise the server on which the SolarWinds Orion product is installed and runs. Given that SolarWinds Orion is a popular network traffic monitoring product, thousands of organisations are said to be impacted by a potential hidden 'backdoor' into their internal networks, open to exploitation by malicious hackers and granting them remote access to internal IT systems and confidential data. Organisations with the compromised versions of SolarWinds Orion present should immediately disconnect the software's host server from their network and conduct a digital forensic investigation to determine whether their IT systems were remotely compromised.

    How to Update SolarWinds Orion to a Safe Version
    Upgrading to Orion Platform version 2020.2.1 HF 2 ensures the platform is not vulnerable to the SUNBURST vulnerability. The update is currently available at customerportal.solarwinds.com. Hotfix installation instructions are available in the 2020.2.1 HF 2 release notes.

    The Impact
    In the order of 18,000 organisations from 19 different countries, including the UK, are known to have downloaded the tainted SolarWinds Orion software. So far, around 50 organisations are known to have been compromised by hackers via the vulnerability. The United States news media reported that the Pentagon, US intelligence agencies, nuclear labs, the Commerce, Justice, Treasury and Homeland Security departments and several utilities were compromised.

    As for the UK, Paul Chichester, NCSC Director of Operations, said “This is a complex, global cyber incident, and we are working with international partners to fully understand its scale and any UK impact. That work is ongoing and will take some time, but simply having SolarWinds does not automatically make an organisation vulnerable to real world impact.” Given that NCSC statement and what has been publicly disclosed to date, it is clear the United States governing apparatus is the primary target of the cyber-attack.

    Russia Accused of Orchestrating this Cyber Attack
    Given the sophistication of the attack and the reported compromises (aka targets) of United States government departments and utilities, it has all the hallmarks of a significant nation-state orchestrated cyber-attack. The fingers of suspicion are pointing directly at Russia, with the Russian-backed hacking group APT29 'Fancy Bear' cited as the culprits by many security researchers and intelligence analysts. US Secretary of State Mike Pompeo and Attorney General Bill Barr both publicly stated they believe Moscow is behind the attack, as did the chairs of the Senate and House of Representatives' intelligence committees. Russia denies the 'baseless' SolarWinds claims, while outgoing President Donald Trump seemed to be blaming China for the attack in a tweet on 19th December.

    Further Information
    Indicators of Compromise (IOCs)

    Tuesday, 8 December 2020

    The Dangers of Security Vulnerability Scoring Dependency

    Article by Nathan King, Director, Cyberis

    Vulnerability scoring has an important role in most enterprise threat and vulnerability management programmes because it provides multiple benefits to internal security teams when identifying any weaknesses. Additionally, it can also help verify control performance.

    The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system insecurities and attempts to assign scores to them, allowing responders to prioritise their feedback and resources according to the threat.
    This system, among similar others, has gained widespread industry adoption because it is simple to understand and usually produces repeatable results. However, adopting such systems can also result in failures to detect, manage and respond to security defects. The main reason for this is that vulnerability scoring systems are pretty good at measuring vulnerabilities, yet are unsuited to handling weaknesses. 

    The Difference between Vulnerabilities and Weaknesses
    The MITRE Corporation (an American not-for-profit organisation which manages federally-funded research and development centres) simply defines a weakness as “a type of mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software”. This definition can be expanded to a general notion that “weaknesses are errors that can lead to vulnerabilities”, making it applicable to other assets, not just software and including systems, networks and controls.

    CVSS v3, for example, cannot really be used to measure the characteristics and severity of a weakness that has no currently defined vulnerability. We encounter this problem routinely when customers request CVSS ratings for application penetration tests where weaknesses are usually more evident.

    Manage the Weaknesses
    How weaknesses are managed alongside vulnerabilities is critical to the success of technical risk management programmes. It is common to see weaknesses inadequately assessed, measured and remediated, and they are often overlooked or fall off the radar completely. This is because remediation of critical and high severity vulnerabilities with verified scores is prioritised by overstretched security teams.

    Let’s consider BlueKeep, a security vulnerability discovered in Microsoft’s Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution. It is a remotely-exploitable, wormable vulnerability present in older versions of the RDP implementation.

    If we ran a perimeter vulnerability scan today, which identified a notably unpatched RDP service, it would be scored by CVSS as 9.8 or in other words, ‘critical’. But how would the vulnerability scanner report the exposure of the same RDP service prior to BlueKeep’s public disclosure? Potentially in several different ways, but more than likely it would misclassify the exposure, despite it requiring immediate treatment as an obvious weakness, given its poor security reputation alone.

    Another example where problems arise is in unsupported systems where vulnerabilities have not yet surfaced. The weakness here is obvious, but unsupported systems alone cannot be systematically scored. We often find that vulnerability scanners fudge high CVSS values to compensate, so perhaps this is a pragmatic, qualitative approach to handling weaknesses which cannot be measured. But if this qualitative approach is not applied to all weaknesses, unidentified gaps and inconsistencies will be inevitable in the assurance activity.

    Both examples consider vulnerability scanners, which are intrinsically affected by vulnerability scoring, but any service or security process that uses vulnerability scoring at its core is at risk of mishandling the weaknesses.

    The Advice
    It is important to review any tools and internal processes which assess security defects by vulnerability scoring at their core. Understand how they identify and interpret the severity of weaknesses alongside vulnerabilities. And remember that CVSS assumes that a vulnerability has already been discovered and verified; anything outside of this scope may be misrepresented or missed entirely.

    Also, do not dismiss qualitative approaches in your threat and vulnerability management programme because they can be invaluable in gaining a comprehensive view of technical security issues and assurance. Although qualitative assessments are also subject to bad press, they can be pragmatic, particularly when conducted by someone who is an authority in a particular subject area.

    A varied programme of technical assessments should provide a broader view of priorities, both short and long term. Make sure your assurance programme delivers across all your particular objectives, by reviewing your vendor’s way of working carefully. For example, high-quality penetration tests should provide context and visibility of application and system weaknesses over a longer-term, not just a snapshot of the verified vulnerabilities.

    Pandemic Working and Remote Access Vulnerability Trends
    Continued working from home has meant organisations’ IT systems are still being stretched to the limit, with many new challenges coming to the fore and without the traditional visibility into their infrastructures. Solutions that were rolled out in an emergency when the COVID-19 pandemic hit are still in use nearly a year on. Perimeters have become more porous and, in many cases, rarely-used remote access systems became critical business infrastructure overnight. These business trends provide opportunities for adversaries, who will be looking for vulnerabilities in remote access software and remote access components.

    Considering weaknesses pragmatically, and the possible exposure if a vulnerability is identified, is crucial to maintaining information security and managing the commensurate risks in the current environment. A simple score from a vulnerability scan of the perimeter simply does not capture the risk.

    Additional sources: