A panel discussion on the final day of the Infosecurity Europe Virtual Conference was dedicated to cybersecurity in SMEs, and in particular, practical methods these organizations can use to most effectively protect themselves from cyber-attacks.
Bridget Treacy, partner, Hunton Andrews Kurth, who moderated the panel, firstly outlined exactly why it is so important to talk about this topic: “We all tend to assume that cyber-threats are a risk for large organizations,” she said. “Actually, if you look at Verizon’s 2019 Data Breach Investigations Report, you will see that 43% of all cyber-attacks actually target small businesses, and SMEs often have really valuable data.”
The panellists agreed that, fundamentally, the threats faced by SMEs are similar to those of large businesses. They also face the same additional challenges as a result of the COVID-19 crisis. Nick Ioannou, head of IT at Ratcliffe Groves Partnership, said: “It’s more of the same – phishing, ransomware, but it’s more the focus [that’s changed] because criminals know a lot of people are working from home now…and also the way they are implemented – people get phoned up now; it doesn’t all have to be all over email because everyone is dispersed so it’s a lot harder to double check.”
For SMEs with significantly smaller budgets and internal cybersecurity expertise compared with large businesses, a more considered and targeted approach to counteracting cyber-threats is a necessity, and this is particularly so with regards to investments in security systems.
“Often organizations of all sizes and SMEs in particular hear about a new threat and they look for the technology to go and address that threat without actually giving full consideration to the risk that threat poses to them,” said Maxine Holt, senior research director, cybersecurity at Omdia. “If you look at risk rather than the threat itself, that can really help you improve your organization’s security posture because you’re just going to think about what’s going to affect you particularly.”
Additionally, a lower reliance on tech, and more emphasis on good practices among staff, is especially vital for companies with limited resources, establishing a more preventive approach to cybersecurity. Dai Davis, partner, Percy Crow Davis & Co, said: “Once you’ve identified the risk to your business, it’s a matter of getting the right people processes in place to ensure that you minimize that risk.”
This in no way means technology systems are unimportant; it must be ensured that tech that is implemented does not hinder the productivity and growth of small companies. Jason Maude, chief technology advocate, Starling Bank, explained: “As soon as your technology starts to run your users down too much, they will find ways around it.”
Another topic discussed by the panel was GDPR, and how compliance with the regulations should be approached by SMEs. In Maude’s view, it is something that should be embraced for the long-term benefits it can bring: “It’s encouraging you to be really efficient with your data to make sure that you know what data you have and to use it correctly,” he added.
Japan is to review laws relating to cyber-bullying following the untimely death of professional wrestler and reality TV show star Hana Kimura.
Kimura killed herself on May 23 by inhaling toxic gas in her Tokyo home. The 22-year-old had been subjected to online bullying after appearing in the last season of hit reality TV show Terrace House, which aired on Japan's Fuji Television and was also streamed on Netflix.
The vivacious pink-haired wrestler's death was confirmed in a statement released by her wrestling promoter, Stardom Wrestling, on May 23.
"We are very sorry to report that our Hana Kimura has passed away," it said. "Please be respectful and allow some time for things to process and keep your thoughts and prayers with her family and friends."
Prior to her death, Kimura had posted photos on social media that implied that she was being cyber-bullied and was struggling with self-harm. Her final Instagram post, uploaded on Friday, May 22, was a photo of the star posing with her cat accompanied by a caption that simply read "goodbye."
Terrace House follows the lives of six people as they share a house together in Tokyo's Setagaya. Before filming was halted due to the COVID-19 health crisis, Kimura had been filmed arguing with fellow cast member and comedian Kobayashi Kai after he accidentally ruined one of her expensive wrestling costumes while doing laundry.
It was this incident that had allegedly resulted in Kimura receiving a deluge of hateful messages through social media.
Wrestling journalist Adam Pacitti, who described the death of Kimura as "an absolute tragedy," tweeted: "I hope this serves as a reminder that interactions on social media can have a serious effect on the mental health of anyone, no matter who they are. Be kind."
According to Reuters, Japan will be holding a series of hearings to consider legal changes that will help cyber-bullying victims seek justice.
Junko Mihara, a member of the ruling Liberal Democratic Party who is leading the party’s team on online harassment, said: “People must understand where the line between constructive criticism and abuse lies."
Kimura's death comes after the outbreak of COVID-19 in Japan caused internet usage to increase.
NATO has issued a statement condemning cyber-attacks perpetrated in the midst of the ongoing global health pandemic.
In particular, the organization slammed cyber-criminals who chose to target essential healthcare services, including hospitals caring for those infected with COVID-19 and medical research institutes trying desperately to find a cure for the novel coronavirus.
The statement was issued yesterday in English, French, and Russian. In it, NATO said: "We condemn destabilizing and malicious cyber activities directed against those whose work is critical to the response against the pandemic, including healthcare services, hospitals and research institutes."
The organization described such digital onslaughts as life-threateningly dangerous and also injurious to global efforts to succeed against a virus that has infected 6.29 million people around the world and killed over 380,000.
"These deplorable activities and attacks endanger the lives of our citizens at a time when these critical sectors are needed most and jeopardize our ability to overcome the pandemic as quickly as possible," stated NATO.
Included in the statement was a message of support to those who had been impacted by cyber-assaults.
"We stand in solidarity with those who have been affected by malicious cyber activities and remain ready to assist Allies, including by continuing to share information, as they respond to cyber incidents that affect essential services," said NATO.
"In line with their national responsibilities and competences, Allies are committed to protecting their critical infrastructure, building resilience and bolstering cyber defenses, including through full implementation of NATO’s Cyber Defense Pledge."
NATO said that cyber defense was part of its core task of collective defense as stated at the 2018 Summit in Brussels and action would be taken by the organization against cyber-criminals.
"Reaffirming NATO’s defensive mandate, we are determined to employ the full range of capabilities, including cyber, to deter, defend against and counter the full spectrum of cyber threats," stated the organization.
"NATO will continue to adapt to the evolving cyber threat landscape, which is affected by both state and non-state actors, including state-sponsored."
The statement concluded with a reminder that "we all stand to benefit from a rules-based, predictable, open, free, and secure cyberspace."
Password management company NordPass has urged the general public not to include people's names in their passwords.
Research released by the company found thousands of netizens worldwide are opting to protect their sensitive information with a password that includes a name.
According to NordPass, the name that cropped up most frequently in passwords is "Ashley." The company discovered that the gender-neutral moniker was used 94,557 times to protect sensitive data.
The second most common name, used 78,914 times, was the similarly gender-neutral "Charlie." The third and fourth most popularly used names, employed 71,035 times and 64,992 times respectively, were Michael and Nicole.
Other gender-neutral names that featured heavily in passwords were Jordan—used 58,698 times—and Taylor, which appeared 46,375 times.
Traditionally gender-specific names commonly used in passwords included Jessica, Hannah, Michelle, Daniel, Justin, and Joshua.
The names correspond quite well with the US Social Security Administration's list of 100 most popular given names for babies born from 1919 to 2018. For example, Ashley ranks 17th, Michelle ranks 21st, and Nicole ranks 39th on the list of names for girls. For boys, Michael ranks 4th, Charles ranks 10th, and Jordan comes in at 83rd.
Passwords based around names are easier for cyber-criminals to crack as the combination of characters is more predictable.
According to the Department of Homeland Security, "most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them."
Ruby Gonzalez, head of communications at NordVPN, said people's names were just one on a list of things that should be avoided when choosing a password.
“While choosing your own, your girlfriend’s, or daughter’s name as a password might seem a good idea as you’ll never forget it, it’s also a great way to make a hacker's job easier. As it’s a very obvious choice, the victim’s or their relative’s name will be one of the first options hackers will try,” said Gonzalez.
“People also shouldn’t use any other obvious choices, such as their address, favorite band, sports team, pet's name, the word 'password,' and any alterations of it.”
A data breach has occurred at the San Francisco Employees’ Retirement System (SFERS), potentially exposing the personal details of 74,000 of its members to cyber-criminals. In a data breach notification filed yesterday, SFERS said that an unauthorized person had gained access to a database hosted in a test environment one of its vendors had set up on February 24 2020.
Upon learning of the breach on March 21, the vendor promptly shut down the server. Although SFERS confirmed that no social security numbers or bank account numbers were included in the data file, it admitted that sensitive information such as names, addresses, dates of birth, beneficiary details, website usernames, and security questions and answers could have been viewed or copied.
Commenting on the breach, Michael Borohovski, director of software engineering at Synopsys, said: “A breach like this is interesting, both because it leads to almost guaranteed identity theft (if the information actually was accessed and downloaded), since it’s a treasure trove of financial information, identifying information and security questions.”
He added: “The retired employees of San Francisco need to be extremely careful and verify, personally, through existing contact info they already had, that their beneficiaries actually sent an email, should the retirees receive one.”
It is likely that the decision to place this kind of data in a testing environment will come under the spotlight, as these “are much more prone to bugs and vulnerabilities than a production environment,” according to Borohovski.
Javvad Malik, security awareness advocate at KnowBe4, added: “Test environments are usually not secured or monitored to the same level as production environments, and it is never advisable to use real data in test cases. Rather, dummy data, or heavily redacted data, should be used so that even if it is leaked or breached, it does not impact any real customers.”
The pension industry has been increasingly targeted by cyber-criminals in recent years. Last month it was reported that The Pensions Regulator faced a 148% increase in cyber-attacks in 2019.
As part of an adoption of hardware security tokens for Apple devices, users of Google services will now be able to use WebAuthn-approved tokens to securely access accounts.
Users of Apple devices running iOS 13.3 and above will now be able to use YubiKeys on their iPhone and iPad when accessing Google's iOS apps and web services on the Safari browser. Also, hardware-based authentication can be used via the Lightning connector for YubiKey 5Ci, and for near-field communication (NFC) via YubiKey 5 NFC and Security Key NFC.
For individuals with YubiKey models that are not NFC enabled, it is also possible to use the Apple Lightning to USB Camera Adapter. The change also extends hardware-key protection to Google accounts used with other Google services, including Meet and YouTube.
Ashton Tupper, director of global communications at Yubico, said: “Many individuals and organizations around the world rely on Google products to power their day-to-day applications and communications, and provide fast and simple logins into many other web-based services. Now, this new functionality on iOS opens the door to every single Google user, to heighten their mobile security with increased YubiKey options.”
Christiaan Brand, product manager for Google Cloud, said this capability will simplify the security key experience on compatible iOS devices, and allows users to use more types of security keys for their Google Account and the Advanced Protection Program.
“We highly recommend users at a higher risk of targeted attacks to get security keys (such as Titan Security Key or your Android or iOS phone) and enroll into the Advanced Protection Program,” Brand said. “If you’re working for political committees in the United States, you may be eligible to request free Titan Security Keys through the Defending Digital Campaigns to get help enrolling into Advanced Protection.”
Digital security and privacy company Avast has issued a warning after it discovered three VPN apps, available on the Apple App Store, which it claimed are fraudulent and appear to be ‘fleeceware’ – apps that are not ‘malicious’ but do not provide the services they claim to and/or are sold at far higher prices than they should be.
The three apps in question, Beetle VPN, Buckler VPN and Hat VPN Pro, have apparently been downloaded over 420,000, 271,000 and 96,000 times, respectively, between April 2019 and May 2020, according to data from Sensor Tower.
According to Avast, the apps claim to be VPNs and charge $9.99 a week for a weekly subscription once their free three-day trial expires.
Investigating the legitimacy of the apps, Avast researchers installed and purchased subscriptions to each. However, when they tried to use the VPNs, the apps only presented the subscription options once again. After attempting to purchase the subscriptions again, Avast researchers were notified that they already had a subscription, and they were unable to establish a VPN connection using any of the apps.
“Fleeceware apps fall into a grey area, because they are not malicious per se, they simply charge users absurd amounts of money for weekly, monthly or yearly subscriptions for features that should be offered at much lower costs,” said Nikolaos Chrysaidos, head of mobile threats and security at Avast. “In this case, the VPNs are being sold for $9.99 (USD) a week, when trustworthy VPNs cost 10-times less.”
With many people turning to VPN apps to protect their data while working remotely, this illustrates how important it is for users to research VPN apps before installing them, Chrysaidos added, including looking into who is behind the product, their track record with other products and user reviews, and experience in offering security and privacy apps.
Zoom has risked alienating security and privacy advocates by announcing that only its premium service will feature end-to-end encryption, in order for it to comply more easily with FBI access requests.
CEO, Eric Yuan, reportedly said on an analyst call yesterday that the entry-level version of the hugely popular video conferencing app would effectively not be as secure as its paid equivalent.
“Free users for sure we don’t want to give [end-to-end encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” he said.
The stance sets the platform apart from tech companies like Apple and Facebook, which are doubling down on end-to-end encryption on devices and for messaging, even in the face of vehement opposition from governments.
US attorney general William Barr and FBI director Christopher Wray have taken up where their predecessors left off in demanding that tech firms engineer de facto backdoors into their products to allow law enforcement to access communications of suspects.
Encryption experts, meanwhile, agree with Apple and others in saying it’s impossible to do so without degrading security for all users.
Yuan’s comments would also seem to be at odds with the firm’s commitments made back in April to improve trust, security and privacy for all users.
It effectively means that only those who can pay for it are provided with the most secure form of encryption.
The irony is that Zoom has brought on board numerous big-name cryptography and security experts to bolster its image and improve the security of the platform.
These include Johns Hopkins cryptography expert Matthew Green, former Google privacy technology lead Lea Kissner, cybersecurity consultancy NCC Group, former Yahoo and Facebook CSO Alex Stamos, and Luta Security.
The number of malicious Android apps detected in the first three months of the year is double that of the same period last year, according to new data from Upstream.
The mobile technology company’s Secure-D platform discovered over 29,000 malicious apps on the Google platform in Q1 2020 versus around 14,500 in Q1 2019.
What’s more, nine of the top 10 most popular malicious apps of the first three months of 2020 were available at some point on Google Play. Around 30% of the top 100 for 2019 were also available on the official marketplace.
Cyber-criminals are increasingly hiding their malware in leisure apps such as games, social, news and video players, to appeal to the large numbers of users now stuck at home.
Upstream said its security platform blocked 89% of the 326 million mobile transactions it processed because they were fraudulent. Many (32 million) were related to use of Snaptube, a video downloader app which was found to be engaging in mass advert and premium service subscription fraud which could have cost unwitting users tens of millions of dollars.
In fact, Upstream said the number of global transactions it blocked as fraudulent increased 55% from Q1 2019 to 2020.
It also revealed that the number of infected mobile devices it detected increased 7% to 11.2 million.
“With the majority of the world having shifted indoors, there were some darker forces acting to make a profit from the lockdown situation. At Secure-D, we've seen a sharp increase in bad actors publishing ‘leisure’ apps on the Google Play Store, which trick users into subscribing for premium services,” explained Geoffrey Cleaves, head of Secure-D at Upstream.
“Being in lockdown also means prepaid customers will find it difficult to get out the front door to top up their data bundles. In the meantime, malware could be eating into those data bundles. I suspect we may see a drop in mobile internet traffic, and successful billing attempts, in predominantly prepaid developing markets while lockdowns are in force.”
Chinese telecoms equipment giant Huawei is under pressure again after a report revealed new documents which apparently show a concerted attempt to cover up its links with a ‘partner’ business in Iran which tried to break US sanctions.
The firm in question, Skycom, is at the center of a US case against Huawei in which the US accuses the company and CFO Meng Wanzhou, daughter of the owner, of fraudulently obtaining US goods for its Iran business via Skycom.
Meng is the subject of an indictment on charges including bank fraud and wire fraud and is currently awaiting extradition from Canada to the US. She and Huawei deny the charges and claim that Skycom, which was dissolved in 2017, was a separate business partner operating in Iran.
However, new documents obtained by Reuters reportedly show that Huawei did indeed control Skycom and desperately tried to split the two operations whilst covering up the relationship once it was made public back in 2013.
“In consideration of trade compliances, A2 representative office is trying to separate Skycom and Huawei,” one document reportedly said. A2 is said to be Huawei’s code for Iran.
According to Reuters, Huawei also installed one of its own execs to be Skycom’s general manager in Iran from March 2013.
The documents, written in English, Chinese and Farsi, are also said to reveal Huawei actively working to shut down Skycom’s Tehran office and creating a new business in Iran to take over contracts from the firm worth tens of millions of dollars.
The US indictment also alleges that Meng personally gave a PowerPoint presentation to HSBC, which opened both Huawei and Skycom accounts, in which she claimed it was merely a “business partner” of Huawei. The US alleges she deceived the bank in order to move money out of the country.
She was arrested in Vancouver in 2018, with a judge last week allowing the extradition case to continue, rejecting her lawyer’s argument that the charges against her aren’t crimes in Canada.
Infosecurity has reached out to Huawei for comment on the story.
An investigation has been launched after hackers gained access to the emergency radio system used by the Chicago Police Department over the weekend.
As officers worked hard to keep the peace amid riots and looting triggered by the death of George Floyd, hackers jammed their radio comms with slogans and music, endangering the safety of the public and those out protesting peacefully and lawfully.
While reports of gun violence were called in, police scanners were blocked with N.W.A.'s '80s hip-hop track "F*** the Police" and Tay Zonday's "Chocolate Rain," which alludes heavily to institutional racism in the United States.
Dispatchers struggled to communicate with police to determine where fires had broken out and find out where ambulances needed to be sent.
“They’re not letting me copy you at all,” a frustrated dispatcher told one officer seeking assistance on Sunday night.
“It’s a very dangerous thing that they’re doing,” said Dan Casey, deputy director of public safety information technology in the Office of Emergency Management and Communications.
Casey told the Chicago Sun Times that recordings of the rogue transmissions have been passed on to local and federal authorities, who will investigate.
On Sunday a video was posted on YouTube in which two men laugh as music is played over a scanner on a Chicago police frequency while an officer attempts to radio for support. The video has attracted over 189,000 views.
The Chicago police department has some encrypted radio frequencies, but most patrol officers use radios that aren’t capable of withstanding hacking.
“We are looking at a multiyear plan to secure the radio channels,” said Casey.
However, Casey said that some frequencies will remain unencrypted to allow other law enforcement agencies to communicate with the Chicago Police Department.
Disrupting police radio, an act known as “jamming,” is illegal and can incur a hefty custodial sentence. In 2018, the US Supreme Court upheld an eight-year prison sentence for Rajib Mitra, who jammed police radio frequencies in Madison, Wisconsin, around Halloween in 2003.
In 2011, Mitra was sentenced to a further 6.5 years behind bars for possession of child sexual abuse material. Files depicting the abuse were seized from Mitra's home computer during the initial 2003 radio jamming investigation but were so heavily encrypted that it took police years to decipher them.
Companies need to understand the differences between management and leadership, and provide the means to work effectively with employees and teams during challenging times.
Speaking at the Infosecurity Europe Virtual Conference, Sajed Naseem, CISO for New Jersey Courts, said businesses need to identify “all degrees of bad,” citing a recent senior sporting official, and identify the “least bad” challenge.
Naseem said that a lot of leadership is about knowing how you feel, how your team feels and how teams connect to other teams. He called leadership the “skills of motivating, guiding and empowering a team towards a socially responsible vision” and said that “in cybersecurity, leadership is required to provide opportunities to make cybersecurity stronger in the organization.”
Management, he added, requires “a set of well-known processes like planning, budgeting, structuring jobs, measuring performance and problem solving.” The difference between management and leadership is that cybersecurity management “must make sure upper management’s business objectives and cybersecurity tie together and there are no misunderstandings.”
With regards to questions that should be asked in order to achieve the goal of creating an effective management/leadership strategy, Naseem cited the following:
- Who will set the vision?
- Who will set the strategy?
- Who will break the silos?
- How will digital transformation be sustained?
- Who will shop for the 'groceries?'
- Who will stand up to say the “budget is decreasing” and “the workforce is expected to be cut?”
- Who will speak with empathy in the decreasing workforce?
- Who will stand up against “budget is decreasing” and “workforce is expected to be cut”?
- Who will make the right decision even when it isn’t a popular one?
- Who will say “I don’t know” and who will find out the answers?
- Who will look past the fears?
Naseem also encouraged leaders to know each member of their team, to ensure those members are engaged, and to stay engaged with them.
To conclude, Naseem encouraged CEOs to hire and support cybersecurity people, and to keep them abreast of mergers and acquisitions so they can measure cyber-readiness and performance. “Your business may be a money-making business, but if you miss cybersecurity, you miss the point.”
Confidential documents have been swiped from a US military nuclear missile contractor in a cyber-attack, according to Sky News.
Today the news service reported that cyber-criminals were able to gain unauthorized access to the computer network of New Mexico company Westech International.
Headquartered on Albuquerque's Louisiana Boulevard, Westech was established in 1995 by founder Dr. Betty Chao to provide services to federal agencies and commercial enterprises. The company has a staff of 150 employees hired to carry out various Department of Energy (DOE) and Department of Defense (DoD) contracts at 15 locations in 11 American states.
Westech, as a sub-contractor for Northrop Grumman, provides critical support for the United States' Minuteman III nuclear deterrent. The intercontinental ballistic missile LGM-30G Minuteman III is a three-stage missile with a range of over 6,000 miles.
As of February 2018, America's ICBM force consisted of 400 Minuteman III missiles located at the 90th Missile Wing at F.E. Warren AFB, Wyoming; the 341st Missile Wing at Malmstrom AFB, Montana; and the 91st Missile Wing at Minot AFB, North Dakota.
Westech provides engineering and maintenance support for the Minuteman III ICBMs.
According to Sky News, files stolen from Westech in the cyber-attack have been leaked online. The files appear to contain sensitive data, including company emails, payroll, and what Sky describes as "personal information."
Westech confirmed that the company had been hacked and that its computers had been encrypted. No information was shared regarding when the attack took place or how the criminals gained entry to Westech's computer system.
A spokesperson for Westech told Sky News that an investigation into what data the criminals had accessed and exfiltrated was still ongoing.
"We recently experienced a ransomware incident, which affected some of our systems and encrypted some of our files," said the spokesperson.
"Upon learning of the issue, we immediately commenced an investigation and contained our systems.
"We have also been working closely with an independent computer forensic firm to analyze our systems for any compromise and to determine if any personal information is at risk."
Abe Crannaford admitted hacking into the servers of American multinational tech giant Apple in mid-2017 and early 2018. Once inside, the 24-year-old extracted information relating to Apple employees that he later shared via his Twitter account.
It was alleged that Crannaford also provided links to the corporation's firmware on GitHub.
Crannaford pleaded guilty in February to two counts of unauthorized access or modification of restricted data. These offenses could have seen the guilty man locked up for two years and fined a maximum of $10,000.
However, instead of imposing a custodial sentence on Crannaford, Magistrate Doug Dick placed the malicious hacker under a recognizance order. The order, handed out on June 3 in Eden Local Court, requires Crannaford to abide by the law for an 18-month period.
In addition, Dick fined Crannaford $5,000. If the hacker reoffends within the period of recognizance, he will be ordered to pay an extra $5,000 penalty.
Dick said that by targeting people's privacy, Crannaford's crime targeted a matter of vital importance to today's general public.
"What you did strikes at the heart of modern society—people rightly worry about their privacy," Dick told Crannaford.
Ines Chiumento, Crannaford's defense lawyer, suggested that by rewarding hackers for finding exploits and bugs through its bounty program, Apple "in some sense" promotes hacking. Chiumento argued that such a program sent mixed messages to impressionable youngsters.
"Apple does promote in some sense the ability to delve into a computer and find a bug or a glitch—and then knowing about it helps the company improve its product," Chiumento said.
"With that ability being treasured and sought out, it's difficult to send a message to young people [about the illegality and punitive measures] if the companies don't send the same message."
The Commonwealth prosecutor acknowledged the existence of Apple's bounty program but said Crannaford's "intrusions into websites and restricted data" occurred on multiple occasions and were shared with others, "so the concept of a bounty is contrary to his actions."
Dick told Crannaford: "In the beginning I can believe you may have been enticed by a 'bounty,' but these charges relate to later matters."
Employees' work-from-home habits are putting businesses at a higher risk of cyber-attacks, according to a study by CyberArk. It revealed that a large proportion of remote workers in the UK regularly engage in risky practices, including using unmanaged, insecure BYOD devices to access corporate systems (60% of respondents).
Working from home has risen at an exponential rate in the UK and elsewhere as a result of the COVID-19 pandemic. This is posing additional security risks for businesses, due to firms rushing to put in place applications and services that enable remote work as well as more insecure connections.
These risks are being increased further by bad cybersecurity behaviors by remote workers, according to CyberArk’s new analysis.
In a survey of 300 remote office workers and 300 IT professionals in the UK, the security firm also found that 57% of remote workers use communication tools such as Zoom and Microsoft Teams, which have had well-publicized security problems in recent months.
Risky cyber-practices were shown to be particularly prevalent amongst working parents included in the study, who face additional distractions such as childcare and home-schooling. Of this cohort, 57% insecurely save passwords in browsers on their corporate devices while 89% said they reuse passwords across applications and devices. Additionally, 21% allow other members of their household to use their corporate devices for activities like schoolwork, gaming and shopping.
Despite the additional security risks posed by the huge rise in remote working, 57% of IT professionals surveyed said they haven’t increased their security protocols in this period.
Rich Turner, SVP EMEA, CyberArk, said: “Responsibility for security needs to be split between employees and employers. As more UK organizations extend remote work for the longer-term, employees must be vigilant. This means constantly updating and never re-using passwords, verifying that the operating systems and application software they use are up-to-date, and ensuring all work and communication is conducted only on approved devices, applications and collaboration tools.
“Simultaneously, businesses must constantly review their security policies to ensure employees only have access to the critical data and systems they need to do their work, and no more. Decreasing exposure is critical in the context of an expanded attack surface.”
The impact of the COVID-19 pandemic is the most prominent trend in cybersecurity for 2020, according to Infosecurity Magazine's latest State of Cybersecurity Report.
As outlined in a session at the Infosecurity Europe Virtual Conference, the annual report, which this year surveyed 75 people (25 cyber-practitioners, 25 academics and 25 venture capitalists and entrepreneurs), found that 30% of those polled named COVID-19's impact on cybersecurity as an influential trend affecting the industry.
Reasons for this varied, including the escalation of pandemic-themed phishing and malicious attacks, the mass movement to remote workforces, and the deployment of VPN and collaboration tools and the speed at which they were rolled out.
BluBracket CEO and founder Ajay Arora said the spread of COVID-19 “has completely changed the cybersecurity landscape” as companies are straining to quickly enable remote workers securely. Tech innovator and entrepreneur Dmitry Akulov said even before COVID-19, more and more companies were becoming more and more dependent on remote work, but the pandemic accelerated that. “I believe that the pandemic will have lasting results on the workplace with more and more businesses who were (at first) slow to the race allowing for workers to stay remote (at least partially),” he added.
“Now more than ever, it’s crucial for companies to create an emergency security plan. It has become important to educate your workers on the risks they face, not just keeping security issues as an internal task that gets handled by experts. We must all become to some degree experts in security for the safety of companies worldwide. Security will no longer be an issue for the IT guy, security is now dependent on all of us.”
Arno Robbertse, chief executive of ITC Secure, cited increased cyber-attacks against the healthcare industry as cyber-criminals make use of the pandemic in various attack vectors. “Examples we’ve seen include phishing emails pretending to be from the World Health Organization, to more sophisticated forms of intrusion via encryption methods,” he said.
Otavio Freire, Safeguard Cyber CTO and president, also cited the “issues of disinformation and cybersecurity” as continuing to converge. He said: “COVID-19 is just one example where it is both being turned on corporations and consumers for ransomware and spear-phishing, and used by nation states to further destabilize and wreak havoc on countries and its citizens by creating panic and confusion.”
However, support operations have also formed as a result of the pandemic, including C5 creating the C5 Cyber Health Alliance to secure European healthcare organizations, the formation of the CV19 volunteer group and the launch of malicious URL collection services.
These collaborative initiatives will provide the necessary support and means for hospitals and clinics to protect their internal systems and defend against cyber-threats.
The other trends in the top five were cloud (26%), machine learning and AI (25%), the human factor (24%) and phishing (18%). In total, 34 trends were cited in this year’s research, which was conducted between March and May 2020.
Surprisingly, compliance did not feature in this year’s top five trends, after it was the top trend in our 2018 report and came in third place in 2019. Also absent from the top five were ransomware, IoT and patch management.
Speaking at the Infosecurity Europe Virtual Conference, Dr Jessica Barker, co-CEO of Cygenta, discussed the importance and effectiveness of positive reinforcement in managing the human element of risk.
Dr Barker said: “Using the ‘carrot’ or rewarding people is the most effective avenue to go down. In security, we have this tradition of always being very negative and first thinking how we can ‘scare’ people and how we can use authority to tell people off if they get things wrong. That has created such a negative culture around security.”
Dr Barker argued that, when managing human-related risk, it is much more effective to use positivity. “For example, with phishing simulations, there are a couple of things organizations could be doing better. The first is, if we are reporting on how many people have clicked or haven’t clicked on a phishing email, organizations will generally always focus on how many people clicked,” ignoring the positive message of how many people did not click, which is very often higher.
In that case, businesses should use “positive reinforcement and social proof to demonstrate that the majority of people are engaging with positive behavior and encourage the minority to join them next time.”
Beyond that, Dr Barker continued, the behavior we really want to see with regards to phishing simulation is reporting: how many people reported an incident, how long did it take, do some emails get reported more than others? “These are the kind of metrics that are far more insightful and useful and focus on the behaviors we actually want to be seeing, rather than just trying to drive down the click rate.”
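The metrics Dr Barker describes (how many people reported, how quickly, and whether some templates get reported more than others) are easy to compute from simulation results, and the script below shows one way to do so. It is an added example written for this page, not code from Cygenta or from the conference; the result rows are constructed, and the extra "reported after clicking" count is this editor's addition, included because someone who clicks and then reports is exactly the behaviour a positive reporting culture should reward.

```python
"""Compute reporting-focused metrics for a phishing simulation.

Added example, not from the article. The RESULTS rows are constructed:
(template, recipient, sent_at, clicked_at or None, reported_at or None).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Result:
    template: str
    recipient: str
    sent_at: datetime
    clicked_at: Optional[datetime]
    reported_at: Optional[datetime]


T0 = datetime(2020, 6, 4, 9, 0)  # constructed campaign send time


def at(minutes):
    """Timestamp `minutes` after the send time, or None when no event."""
    return None if minutes is None else T0 + timedelta(minutes=minutes)


# Constructed results for two templates, six recipients each.
RESULTS = [
    Result("invoice", "u1", T0, at(5), None),     # clicked, never reported
    Result("invoice", "u2", T0, None, at(3)),     # reported quickly
    Result("invoice", "u3", T0, None, at(12)),
    Result("invoice", "u4", T0, at(2), at(4)),    # clicked, then reported
    Result("invoice", "u5", T0, None, None),      # ignored it
    Result("invoice", "u6", T0, None, at(30)),
    Result("hr-policy", "u1", T0, None, None),
    Result("hr-policy", "u2", T0, at(8), None),
    Result("hr-policy", "u3", T0, None, None),
    Result("hr-policy", "u4", T0, None, at(45)),
    Result("hr-policy", "u5", T0, None, None),
    Result("hr-policy", "u6", T0, None, None),
]


def summarise(results):
    """Per-template metrics, emphasising reporting rather than clicks."""
    grouped = defaultdict(list)
    for r in results:
        grouped[r.template].append(r)

    summary = {}
    for template, rows in grouped.items():
        n = len(rows)
        clicked = sum(1 for r in rows if r.clicked_at)
        reported = sum(1 for r in rows if r.reported_at)
        reported_after_click = sum(1 for r in rows if r.clicked_at and r.reported_at)
        # Minutes from send to report, for everyone who reported.
        delays = sorted((r.reported_at - r.sent_at).total_seconds() / 60
                        for r in rows if r.reported_at)
        summary[template] = {
            "recipients": n,
            "clicked": clicked,
            "reported": reported,
            "reported_after_click": reported_after_click,
            "click_rate": clicked / n,
            "report_rate": reported / n,
            # Time to the first report is how long the SOC waits for a signal.
            "first_report_min": delays[0] if delays else None,
            "median_report_min": median(delays) if delays else None,
        }
    return summary


if __name__ == "__main__":
    for template, m in summarise(RESULTS).items():
        print(template, m)
```

Reporting rate and time-to-first-report are the numbers to put in front of the business; the click rate is still recorded, but only so the two can be compared template by template.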
If we only focus on the negatives and punish people for clicking on phishing links or for reporting incidents, all we are doing is “driving a culture of fear – driving incidents underground and creating more distance between security and the rest of the business. That creates more risk.
“We know the culture of fear around security doesn’t work – what we need is a much more empowering, much more positive culture.”
In a session at the Infosecurity Europe Virtual Conference, a panel of security experts were asked to define the human element of risk to help organizations quantify and manage it.
David Boda, head of information security at Camelot (National Lottery) said that a significant factor in defining human risk is understanding that a large amount of human risk is generated as a result of accidental actions.
“There’s obviously a place for monitoring malicious activity, but the vast amount of what I see is accidental and human behavior often comes down to people just trying to get their jobs done but struggle to do so for whatever reason – and that creates risk.
“I think it’s our job as security professionals to try and understand the root causes of that and try to help people to do their jobs in a risk-managed way.”
For Dr Jessica Barker, co-CEO of Cygenta, defining the human element of risk requires us to put the human at the forefront of processes at all times. “When we’re defining the human side of risk, it is important we consider the fact that, with all technology or element of security, people are involved at every stage of the lifecycle – the designing, developing, use, testing, destroying or deleting.”
Therefore, we need to think about our developers and how they are trained in cybersecurity, “taking the conversation much wider than just to people that are using technology,” she added.
Mark Osborne, CISO of JLL, also highlighted the important role that CISOs must play in defining and managing human-related risk.
“Most CISOs tend to like a ‘bogeyman’ – they want to make a bit of a drama [of human risk]. We’re always talking about the ‘insider threat,’ but really even the most educated and diligent user is going to click on a phishing link. I think, in this day and age, breaches can not only be classed as accidental, they’re also down to neglect or a lack of intent to comply.”
Osborne argued that the security rules imposed on businesses therefore need to be better enforced by CISOs, who are the ones that “tend to let the side down, rather than the users.”
A prolific ransomware group has begun auctioning data stolen from victim organizations that refuse to pay up, marking an escalation in its monetization efforts.
The gang behind the REvil (aka Sodinokibi) variant this week took to its dark web blog to announce the first auction, related to a Canadian agricultural company it compromised which has declined to pay a ransom.
The group claimed the three-database trove contains accounting documents and other “important information” which may be of use to competitors. A starting price of $50,000 was set for the 22,000+ files.
REvil has threatened to auction stolen data before: when it claimed to have stolen 756GB of data from New York-based celebrity law firm Grubman Shire Meiselas & Sack.
On that occasion the promised auction of data relating to client Madonna never materialized, although there are signs it may yet happen, with a starting price of $1 million.
However, it’s unclear how much of this is classic cybercrime bluster. A previous post claimed the group had “a ton of dirty laundry” on Donald Trump, even though reports suggested he was never a client of the law firm. It conveniently later claimed that a private bidder had bought all the info on the US President, so it would not be releasing the trove.
REvil’s latest auction tactics can be viewed either as a sign of its insatiable greed, or of a group struggling to extort as much money from victims during the pandemic.
According to Group-IB, it is one of the top three “greediest ransomware families with highest pay-off.”
The group is noted for targeting managed service providers (MSPs) to access customer documents, as well as local governments in the US. It uses quasi-APT tactics such as exploitation of VPN system vulnerabilities to gain a foothold in systems, Mimikatz to steal credentials, and PsExec to perform lateral movement and reconnaissance.
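The Mimikatz and PsExec tradecraft described above leaves characteristic traces on endpoints, and the script below is an added example (not from the article, Group-IB or any vendor) of detection logic run over such traces. It assumes events exported as JSON lines with fields mirroring Windows System event 7045 (a service was installed) and Sysmon event 10 (a process opened another process); the sample events, the suspicious access masks and the allowlist of processes that legitimately open LSASS are all this editor's constructed assumptions to be tuned per environment.

```python
"""Flag PsExec-style service installs and Mimikatz-style LSASS access.

Added example, not from the article. Event records are constructed and
mimic the fields of Windows event 7045 and Sysmon event 10 as a SIEM
might export them.
"""
import json
from dataclasses import dataclass

# Constructed sample events (JSON lines).
SAMPLE_EVENTS = r"""
{"host": "fs01", "provider": "Service Control Manager", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "LocalSystem"}
{"host": "fs01", "provider": "Microsoft-Windows-Sysmon", "event_id": 10, "source_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\mimi.exe", "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1010"}
{"host": "ws12", "provider": "Microsoft-Windows-Sysmon", "event_id": 10, "source_image": "C:\\Windows\\system32\\csrss.exe", "target_image": "C:\\Windows\\system32\\lsass.exe", "granted_access": "0x1fffff"}
{"host": "ws12", "provider": "Service Control Manager", "event_id": 7045, "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe", "account": "LocalSystem"}
{"host": "dc01", "provider": "Service Control Manager", "event_id": 7045, "service_name": "paexec-1234-fs01", "image_path": "C:\\Windows\\paexec-1234-fs01.exe", "account": "LocalSystem"}
"""

# Service names used by PsExec and its clones (PAExec uses a per-run name).
PSEXEC_SERVICE_NAMES = ("psexesvc",)
PSEXEC_NAME_PREFIXES = ("paexec-", "psexec-")
# Access masks commonly requested against lsass.exe by credential dumpers.
# Assumption: starting point only; tune against your own baseline.
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}
# Processes that legitimately open lsass.exe with broad rights (assumption).
LSASS_SOURCE_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


@dataclass
class Finding:
    host: str
    technique: str
    detail: str


def is_psexec_service(evt):
    """7045: service name or binary matching PsExec/PAExec conventions."""
    name = evt.get("service_name", "").lower()
    image = evt.get("image_path", "").lower()
    return (name in PSEXEC_SERVICE_NAMES
            or name.startswith(PSEXEC_NAME_PREFIXES)
            or image.endswith("psexesvc.exe"))


def is_lsass_dump(evt):
    """Sysmon 10: non-allowlisted process opening LSASS with a dumper's mask."""
    target = evt.get("target_image", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = evt.get("source_image", "").lower().rsplit("\\", 1)[-1]
    if source in LSASS_SOURCE_ALLOWLIST:
        return False
    try:
        access = int(evt.get("granted_access", "0"), 16)
    except ValueError:
        return False
    return access in SUSPICIOUS_LSASS_ACCESS


def detect(jsonl):
    """Run both rules over JSON-lines input and return the findings in order."""
    findings = []
    for line in jsonl.strip().splitlines():
        evt = json.loads(line)
        if evt.get("event_id") == 7045 and is_psexec_service(evt):
            findings.append(Finding(evt["host"], "lateral_movement_psexec",
                                    f"service {evt['service_name']} -> {evt['image_path']}"))
        elif evt.get("event_id") == 10 and is_lsass_dump(evt):
            findings.append(Finding(evt["host"], "credential_access_lsass",
                                    f"{evt['source_image']} opened lsass.exe "
                                    f"with {evt['granted_access']}"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.technique}: {f.detail}")
```

The PsExec rule keys on the service install rather than on the client binary, because the service record is written on the target host even when the attacker uses a renamed or re-implemented client; the LSASS rule pairs the access mask with a source allowlist so that normal Windows components do not drown the signal.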
Almost 80% of US companies have suffered at least one cloud security breach over the past 18 months, with misconfiguration the number one concern among CISOs, according to Ermetic.
The cloud security vendor commissioned IDC to interview 300 US cybersecurity leaders in organizations ranging in size from 1,500 to more than 20,000 employees. The aim was to better understand the level of risk their organizations are facing and where their biggest challenges are.
Over two-fifths (43%) reported 10 or more breaches over the past year-and-a-half, while 79% said they’d suffered at least one incident.
The top three threats were listed as security misconfiguration of production environments (67%), lack of visibility into access in production environments (64%) and improper IAM and permission configurations (61%).
Configuration errors are a common occurrence in the cloud space, thanks to the growing complexity of deployments, limited in-house expertise and growing interest from researchers and cyber-criminals.
The findings align somewhat with Verizon’s most recent Data Breach Investigations Report (DBIR), which revealed that 22% of breaches last year were down to human error, with misconfiguration featuring strongly. In fact, the report claimed that breaches featuring configuration mistakes had jumped nearly 5% from the previous year.
Ermetic also argued that users and applications often accrue excessive access permissions in public cloud deployments. These are often granted by default or go unnoticed, but can be hijacked by attackers to steal data, deliver malware or disrupt business processes.
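The excessive-permission problem described above is usually visible in the policy documents themselves, and the script below is an added example (written for this page, not Ermetic's or IDC's code) that lints an AWS IAM policy for the patterns that produce it: a full or service-wide wildcard action on every resource, well-known privilege-escalation actions granted on `*` without a condition, and an `Allow` with `NotAction`. Both policies are constructed; the bucket name, account ID and role name are placeholders, and the list of escalation actions is a partial one chosen by this editor.

```python
"""Lint an AWS IAM policy document for over-broad grants.

Added example, not from the article. Both policies below are constructed;
the overly broad one sits beside a scoped-down version of the same intent.
"""
import json

OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "iam:CreateAccessKey"],
         "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
        {"Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/reports-lambda-role",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
})

# Actions that let a principal grant itself more access (partial list; assumption).
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createaccesskey", "iam:attachuserpolicy",
    "iam:attachrolepolicy", "iam:putuserpolicy", "iam:putrolepolicy",
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:updateassumerolepolicy", "sts:assumerole",
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return a list of human-readable findings; an empty list means clean."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if "NotAction" in stmt:
            findings.append(f"stmt {i}: Allow with NotAction grants every action "
                            f"except those listed")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        all_resources = "*" in _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        for action in actions:
            if action == "*":
                findings.append(f"stmt {i}: full administrative access (Action '*')")
            elif action.endswith(":*") and all_resources:
                findings.append(f"stmt {i}: service-wide wildcard {action} on all resources")
            elif action in ESCALATION_ACTIONS and all_resources and not has_condition:
                findings.append(f"stmt {i}: {action} on all resources without a "
                                f"Condition (privilege-escalation path)")
    return findings


if __name__ == "__main__":
    for name, doc in [("overly broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)]:
        result = lint_policy(doc)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The scoped version keeps the same workload working: object access is limited to one bucket prefix, and `iam:PassRole` is limited to one role and to being passed to Lambda, which is the kind of narrowing the survey's respondents mean by authorization and permission management.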
Perhaps unsurprisingly given their challenges, the CISOs IDC spoke to claimed their top three cloud security priorities are compliance monitoring (78%), authorization and permission management (75%) and security configuration management (73%).
“Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments,” said Shai Morag, CEO of Ermetic. “In fact, two-thirds cited cloud native capabilities for authorization and permission management, and security configuration as either a high or an essential priority.”