Cyber Risk News
Ransomware continued to cause EMEA organizations most problems last year, accounting for over a quarter (29%) of malware detections compared to the global figure of just 7%, according to NTT Security.
The managed security services giant analyzed the wealth of data from its monitoring, management and incident response operations across the globe to compile its annual Global Threat Intelligence Report for 2018.
It found that while ransomware was the number one threat in EMEA, spyware and keyloggers comprised just 3% of total malware detections, despite making up 26% of the global figure.
NTT Security Global Threat Intelligence Center senior manager, John Heimerl, explained that a lot of the activity in EMEA has been fueled by headline-grabbing incidents such as WannaCry and NotPetya, which struck entire industries and “were designed to deliver maximum impact and cause huge disruption.”
“This suggests that attack campaigns in EMEA have been focusing more on quick wins which ransomware can deliver, rather than long-term access other attack vectors can provide,” he added.
However, on the plus side, the GTIR revealed that while the volume of global ransomware is rising, incident response engagement fell from over 22% of incidents in 2016 to just over 5% in 2017. That indicates that organizations are improving their detection and response.
“It’s clear that organisations are prioritizing incident response much more than they have done in the past, at least when it comes to ransomware. Our 2017 Risk:Value Report showed that nearly half of all respondents indicated they have an incident response plan in place, with another third working on their plans,” Heimerl continued.
“However, just because organizations are getting better at managing some incidents, they cannot afford to be lulled into a false sense of security.”
In fact, ransomware as a money-making scheme is increasingly being eschewed in favor of cryptojacking, according to several recent reports.
Cryptojacking attacks soared by 8500% in 2017 thanks to the growing value of digital currency, according to Symantec.
Cisco claimed earlier this year that cyber-criminals could make in excess of $100m per year through crypto-mining botnets.
Amazon put a quick stop to an issue in Alexa’s skill set after Checkmarx researchers reported that her skill set could be expanded to listen in on users not just some of the time but all of the time.
According to a Checkmarx research paper, Alexa skills can be developed in different languages using the Alexa skill set, which integrates with AWS Lambda functions. The personal assistant device is always listening for the user’s voice so that when the wake word is recognized, Alexa is activated.
Under normal circumstances, users receive an audio indication after tasks are completed to let them know that Alexa has gone to sleep. This makes it clear that she’s no longer recording. Yet, the researchers were able to augment Alexa’s skills so that she was continually recording.
"We went through the whole process of how Alexa communicates with the user and tried to take the view of the hacker and go step by step to see how we could leverage something that might seem benign, that might not seem risky but make it a risk," Amit Ashbel, cyber security evangelist at Checkmarx, told ZDNet.
The researchers chose the seemingly benign calculator skill as the hiding spot for the malicious task. Any user who activated the app would then unknowingly install the eavesdropper skill. Once Alexa solved all of the requested math problems, she stayed on despite the user thinking the session was over.
As the microphone function was still activated, the device both listened to and transcribed whatever tidbits of information Alexa overheard. "You think the session is over, but actually it is continuing all the time, recording your words and sending your transcription to the hacker. There's no limit to the length of the session, the number of words or sentences, it just keeps on going until you turn it off," said Erez Yalon, manager of application security research at Checkmarx.
Notable from the video is the obvious flaw in the attack itself. Alexa remains lit up like a Roman candle, an indication that the device is still active.
After Checkmarx disclosed their research to Amazon, the problem was resolved so that silent cycles are no longer permissible. "It now also detects longer than usual sessions and warns users, so maybe they've mitigated future attacks," Yalon added.
Being in compliance with different regulations has a bottom-line impact on business, but smaller organizations lack the time and knowledge necessary to engage with PCI (Payment Card Industry) programs.
That's according to the Acquirer PCI Sentiment Survey recently released by Sysnet Global Solutions. The feeling among acquiring organizations is not good, with less than 10% expressing that they were happy with their current compliance rate.
While most acquirers understand that the smaller merchants likely don't understand what they need to do, 64% of the respondents said that small merchants don't make security enough of a priority. In order to drive compliance, an overwhelming majority of respondents said that improved communication (76%) and education (72%) along with managed security and compliance service (72%) would be most helpful.
Less than half (48%) felt that technology services such as P2PE (Point-to-Point Encryption) would effectively drive compliance, while only 44% saw charging noncompliance fees as initiatives that would drive smaller merchants toward compliance.
The survey revealed a lack of consensus on whether to charge noncompliance fees and for how long they should be levied. While 21% felt it was appropriate to charge PCI noncompliance fees indefinitely, the same number said that it was never appropriate to charge a fee. The remaining 58% agreed that fees should not be charged beyond two years’ time.
Perhaps the most interesting statement, with which 52% of respondents agreed, was that "Some acquirers view noncompliance fees as unethical, describing PCI noncompliance fee revenue as ‘a drug the industry needs to wean itself off.’"
More than half of the participants agreed that noncompliance fees contribute to merchant attrition. One respondent commented that these charges are "taking advantage of customers by forcing them to pay extra fees and carry all the risks associated with noncompliance."
When asked if they felt it was likely that regulations might be introduced to control PCI charges, 60% of the participants answered that they somewhat agreed.
Interestingly, less than half of the survey respondents agreed that PCI DSS (Data Security Standard) does enough to ensure a small business is actually protected against cyberattacks. "Some feel that PCI DSS does not drive good practices and behaviors for small merchants, while others believe that it only provides the tool to use to defend against cyberattacks," the survey noted.
Fifty-four percent of the senior executives at acquiring institutions said that they currently provide cybersecurity tools that help to reduce PCI scope.
For those who appreciate the healing power of music, new research could prove to be a magical security tool. By correlating traffic types from NetFlow logs with sounds of instruments, researchers at Imperva were able to translate changes in network traffic into song.
Inspired by a TED Talk called "Can We Create New Sense for Humans" presented by Dr. David Eagleman, adjunct professor in the Department of Psychiatry & Behavioral Sciences at Stanford University, Imperva's team wondered whether tapping into the sense of sound could change the way they interpret network traffic.
"Auditory perception, we learned, has a lot of advantages over sight, especially in terms of processing spatial, temporal and volumetric information. The ability to register the most delicate differences in frequency resolution and amplitude opens up a Pandora’s Box worth of possibilities in data perception," Imperva wrote in a blog post.
It turns out that sonification is an effective monitoring tool, so they set to work to figure out how to make the internet sing. To collect NetFlow data, they wrote a Python 3 script, then processed the data into Open Sound Control (OSC) messages, which were in turn converted into sound by a Ruby-based algorithmic synthesizer (Sonic Pi).
Assigning different instrumental sounds to the varied traffic types created a melody that revealed the ebb and flow of the traffic levels and also revealed shifts in pitch and volume.
A significant shift in traffic would be the harbinger of a DDoS attack. So as not to rely solely on shifts in volume as an alert, the team decided to add an additional mechanism that would really sound an alarm bell and activate a mitigation service. Their choice? The sound of a tomato being squeezed.
"I think we can confidently say this was the first time a tomato has been used in DDoS mitigation. No less important, we’re fairly certain that this was the first time that Wemos or similar technologies (e.g., Arduino) have been used to interact with a Sonic Pi, which was sort of the whole point," the researchers wrote.
The Imperva team proved that cybersecurity research can be both pleasant and fun. More importantly, what they have created could have great potential when it comes to mitigating DDoS attacks. They hope to see the sonorous songs of data become more commonplace in the future of security monitoring.
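The pipeline described above (NetFlow records in, OSC messages out, with a separate alarm when traffic volume jumps) can be sketched end to end in a few dozen lines. The following is an added illustration written for this page, not Imperva's script: the flow records are constructed, the port-to-traffic-type table, the instrument names, the `/play` and `/alarm` OSC addresses and the 3x-baseline spike rule are all assumptions, and the synthesizer side (a Sonic Pi live loop reading those addresses) is not shown. It includes a minimal OSC 1.0 encoder so nothing beyond the standard library is needed.

```python
"""Sonify NetFlow-style traffic windows as OSC messages and flag volume spikes.

Added example for the NetFlow -> OSC -> synthesizer pipeline; not Imperva's code.
Every flow record below is constructed sample data, not captured traffic.
"""
import socket
import struct
from statistics import mean

# --- Minimal OSC 1.0 encoder (address pattern, type tags, int32/float32/string) ---

def _osc_string(s: str) -> bytes:
    """OSC strings are NUL-terminated and padded to a 4-byte boundary."""
    data = s.encode("ascii") + b"\x00"
    return data + b"\x00" * (-len(data) % 4)

def osc_message(address: str, *args) -> bytes:
    """Encode one OSC message: address, ',' + type tags, then big-endian arguments."""
    tags, payload = ",", b""
    for a in args:
        if isinstance(a, bool):          # bool is an int subclass; reject it explicitly
            raise TypeError("bool is not a supported OSC argument here")
        if isinstance(a, int):
            tags += "i"; payload += struct.pack(">i", a)
        elif isinstance(a, float):
            tags += "f"; payload += struct.pack(">f", a)
        elif isinstance(a, str):
            tags += "s"; payload += _osc_string(a)
        else:
            raise TypeError(f"unsupported OSC argument: {a!r}")
    return _osc_string(address) + _osc_string(tags) + payload

# --- Traffic type -> instrument mapping (assumed, chosen for this example) ---

TRAFFIC_TYPE = {80: "http", 443: "http", 53: "dns", 22: "ssh"}
INSTRUMENT = {"http": "piano", "dns": "pluck", "ssh": "bell", "other": "beep"}
BASE_NOTE = {"http": 60, "dns": 72, "ssh": 48, "other": 36}   # MIDI note per type
REFERENCE_BYTES = 10_000   # assumed: this many bytes per window plays at full volume

def classify(flow: dict) -> str:
    """Bucket a flow by destination port; anything unknown is 'other'."""
    return TRAFFIC_TYPE.get(flow["dst_port"], "other")

def summarize_window(flows: list) -> dict:
    """Sum bytes per traffic type for one time window of flows."""
    totals: dict = {}
    for f in flows:
        t = classify(f)
        totals[t] = totals.get(t, 0) + f["bytes"]
    return totals

def amplitude(nbytes: int) -> float:
    """Loudness tracks volume, capped at 1.0 so a flood cannot clip the synth."""
    return min(1.0, nbytes / REFERENCE_BYTES)

def window_to_osc(totals: dict) -> list:
    """One /play message per traffic type: instrument, note, amplitude."""
    return [osc_message("/play", INSTRUMENT[t], BASE_NOTE[t], amplitude(b))
            for t, b in sorted(totals.items())]

def is_spike(history: list, current: int, factor: float = 3.0) -> bool:
    """Alarm rule (assumed): current window exceeds factor x mean of past windows."""
    return bool(history) and current > factor * mean(history)

def sonify_windows(windows: list, factor: float = 3.0) -> list:
    """Run the pipeline over consecutive windows; returns messages and alarm flag per window."""
    history, results = [], []
    for flows in windows:
        totals = summarize_window(flows)
        total = sum(totals.values())
        msgs = window_to_osc(totals)
        alarm = is_spike(history, total, factor)
        if alarm:
            # Stand-in for the hardware trigger: a separate OSC address the synth
            # (or a mitigation hook) can listen for, distinct from the melody.
            msgs.append(osc_message("/alarm", "ddos-suspected", total))
        history.append(total)
        results.append({"totals": totals, "messages": msgs, "alarm": alarm})
    return results

def send_messages(msgs: list, host: str = "127.0.0.1", port: int = 4560) -> None:
    """Ship messages over UDP to whatever OSC listener runs at host:port (assumed address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for m in msgs:
            sock.sendto(m, (host, port))

# Constructed sample: four steady windows, then one window with an HTTP flood.
SAMPLE_WINDOWS = [
    [{"dst_port": 443, "bytes": 6000}, {"dst_port": 53, "bytes": 500}, {"dst_port": 22, "bytes": 1500}],
    [{"dst_port": 80, "bytes": 5500}, {"dst_port": 53, "bytes": 700}, {"dst_port": 22, "bytes": 1800}],
    [{"dst_port": 443, "bytes": 6500}, {"dst_port": 53, "bytes": 400}, {"dst_port": 8080, "bytes": 1000}],
    [{"dst_port": 443, "bytes": 6000}, {"dst_port": 53, "bytes": 600}, {"dst_port": 22, "bytes": 1400}],
    [{"dst_port": 80, "bytes": 90000}, {"dst_port": 53, "bytes": 500}, {"dst_port": 22, "bytes": 1500}],
]

if __name__ == "__main__":
    for i, r in enumerate(sonify_windows(SAMPLE_WINDOWS)):
        print(f"window {i}: {r['totals']} alarm={r['alarm']} ({len(r['messages'])} OSC msgs)")
```

The melody is carried by the per-type `/play` messages, whose amplitude follows byte volume, so a gradual rise is audible long before it trips the threshold; the `/alarm` message is deliberately a separate address so the synthesizer (or a mitigation hook) reacts to it independently of the music, which is the role the squeezed tomato played in the original setup.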
The UK Department for Work and Pensions (DWP) is to spend nearly £15m on GDPR compliance, in line with estimates for FTSE 100 firms and indicative of the size of the compliance burden placed on many large organizations.
The figures for the DWP came from a new report from think tank Parliament Street, which issued Freedom of Information requests to all government departments on their GDPR compliance spending.
Only a handful replied, but the findings revealed a huge disparity between the DWP spending of £14.7m and the figures given by The Treasury (£201,000), the Department for Transport (£547,000) and the Ministry of Justice (£547,000).
Included in the DWP’s spending plans were a program of education and awareness raising for all staff, system remediation and a review of the existing records storage arrangements.
It’s unclear whether it is spending on average more than other government departments, and if those figures are so high as a result of poor planning.
However, the think tank recommended the creation of a central government online hub to share GDPR compliance resources, strategies and best practices and to help them negotiate discounts on legal advice, software licenses and more.
The report also recommended government departments put more work out to tender to specialist organizations, claiming: “too much of this work is managed ‘in-house’ and external organizations should be given the opportunity to contribute to the process.”
In fact, the £15m figure touted by the DWP is pretty much in line with the estimated average spend of FTSE 100 companies, according to separate research from management consultancy Sia Partners.
“The minimum and average implementation cost per employee is consistent across firm size, with implementation costing £300-£450 on average per employee across all sectors,” the firm claimed.
Aside from banks, which have the highest spend, there are two distinct groups: £15m-£19m for energy, commodities & utilities, retail goods and technology & telecommunications firms; and all other sectors spending around the £5m-£11m mark.
A new report from KPMG this week revealed that over half (54%) of global organizations don’t feel ready for the GDPR, which lands in a month’s time.
Some 43% of UK businesses have experienced a security breach or cyber-attack in the past 12 months, a slight drop from a year previously, according to the latest government research.
The Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2018 comprises interviews with over 1500 UK businesses and 50 follow-up in-depth interviews.
Although the figure dropped overall for firms hit by a breach or attack, from 46% last year, it rose from 68% to 72% for large businesses.
Breaches were found to be more common among organizations holding personal data on customers (47%), where BYOD policies operate (49%) or where they use cloud computing.
The average cost per breach has increased consistently over the past three years and now stands at over £22,000 for large businesses, according to the study.
Of concern given the impending arrival of the GDPR, is that despite most senior management (74%) saying they prioritize cybersecurity, just 30% have a dedicated board member responsible for security and 20% never update their senior managers on cybersecurity issues.
In this regard, not much has changed from the previous year, according to the government.
Also worrying is the fact that only 20% of respondents claimed to have sent staff on internal or external cybersecurity training courses in the past 12 months, while 10% even claimed that those currently in cybersecurity roles don’t have the skills required to do their jobs effectively.
“Unfortunately, awareness of government initiatives and communications around cybersecurity remains low. Just 3% recalled using government information, advice or guidance, with most organizations unaware of most initiatives,” said McAfee chief scientist, Raj Samani.
“Given that 84% of organizations that used government resources found the information useful, it is clear that more needs to be done to promote their use. With such a wealth of information and partnerships with leading security providers, it is imperative that more is done to promote and educate businesses on what resources they have and how it can help.”
The cost of an insider-related breach has escalated to over $8.7m, according to the latest research from the Ponemon Institute.
The analyst was commissioned by ObserveIT to poll 700 IT and security practitioners around the world in order to compile the 2018 Cost of Insider Threats study.
While the cost of an insider security incident stood at nearly $8.8m, the average global cost of a regular breach according to IBM is $3.6m, less than half.
The average insider threat also takes on average more than two months to contain, according to the report.
Most respondents (64%) said negligent employees accounted for the majority of incidents, followed by malicious insiders (23%).
All types of insider threat activity are increasing. Since 2016, the average number of incidents involving malicious insiders has soared by 53%, while employee/contractor negligence has increased by 26%. The average number of credential theft incidents has more than doubled over the past two years, increasing by 170%.
That’s fuelling an increase in imposter attacks – the most expensive type of insider incident at an average of $648,846. This is followed by malicious insider incidents ($607,745) and contractor negligence ($283,281).
“Insider threats continue to threaten organizations across the globe, ultimately resulting in loss of mission critical data, downtime and lost productivity, and even reputational damage,” said ObserveIT CEO, Mike McKee.
“Understanding the growing costs and time associated with preventing and managing insider threats, organizations need to invest in a holistic cybersecurity solution to assist with real-time detection, deterrence, education and prevention.”
The latest Verizon DBIR found that insiders were to blame for over a quarter (28%) of all breaches analyzed and that user error was a factor in 17% of breaches.
A separate report from Gemalto released recently also highlighted the dangers of negligent insiders.
Although accidental loss was the cause of just 18% of data breaches, it accounted for 76% of the total 2.6bn records compromised over the previous year, the security vendor claimed.