Cyber-attacks on middle-market organizations have risen significantly since the outbreak of COVID-19 reached pandemic proportions.
According to global data gathered by specialist insurer Beazley Group, middle-market organizations have been especially hard hit by online social engineering attacks.
In the report "Beazley Breach Insights – Q2 2020," published today, the insurer said: "The arrival of the global pandemic provided cybercriminals with the perfect cover for ramping up email attacks.
"Coinciding with the increase in remote working during the second quarter, our global data has shown employees have been more likely to fall for social engineering scams, with organizations in the middle market most likely to be victimized."
Of all the social engineering attacks reported to Beazley Breach Response (BBR) Services globally in Q2 2020, 60% of organizations targeted were in the middle market (defined as over $35m in annual revenue), up from 46% in Q1.
In more than 80% of the incidents reported, the attack was stymied before a direct financial loss occurred.
Fraudulent instruction attacks also primarily hit middle-market organizations, which were the target in 55% of incidents, compared to 24% in Q1.
“Middle market organizations have been resilient in maintaining their day-to-day operations during the pandemic and, in turn, their employees are more available to be targeted. Additionally, cybercriminals are executing more sophisticated attacks and middle market organizations provide richer targets,” said Kimberly Horn, Beazley’s global claims team lead for cyber and tech.
“As our global breach data has demonstrated, if an incident is responded to early enough, an organization can often avoid a direct financial loss such as stolen funds. Modest investments in training and process changes could reduce the likelihood of falling victim,” she added.
In their report, the insurer suggests that employees who took up remote working because of the pandemic may be more susceptible to suspicious emails.
"While the increase in distractions that come with caring for family members while working have been widely discussed, physical separation from the workplace is also a factor," states the report.
"Without a coworker to converse with at the next desk, employees are less likely to do a 'sense check' of a suspicious email."
Organizations must become agile to respond effectively to the changing threat landscape, particularly in light of the turbulent events of 2020, according to Jonathan Care, senior director analyst at Gartner, speaking during the Gartner Security and Risk Virtual Summit. He noted: “We’ve seen drastic changes in how we as a society work and play as a result of the COVID-19 pandemic, and bad actors have taken notice.”
In doing so, however, organizations must be careful not to be overly swayed by certain threats that gain a lot of news coverage but do not necessarily pose the greatest danger. Instead, a “risk-based approach” should be employed that accounts for how threats change over time.
Care said: “As threats and organizational risk-pots change over time, we must evolve how we address the threat landscape.” This notion has never been more applicable amid new behaviors brought about by COVID-19. He added: “Threats continue to change and diversify. New business opportunities drive new security requirements that we must address.”
Ransomware is currently the number one threat to organizations, according to Gartner. Care outlined that these attacks have become increasingly sophisticated, including the use of fileless malware that can bypass some preventive controls and attackers adding persistence to keep malware dormant for long periods. Therefore, adequate planning to react quickly to this type of threat is needed, such as being able to detect the type of malware being used and having capabilities to isolate infected systems quickly.
Care also said that due to changing working practices, many organizations are moving away from email as the primary communication method to other collaborative tools. This change is being exploited by attackers. “The low hanging fruit now are cloud services, which are often exposed to the internet and suffer from misconfigurations and can be susceptible to credential stuffing attacks,” he commented.
In regard to phishing, more targeted tactics like spear-phishing and whaling are becoming more prominent; in one example given, deepfake technology was used to successfully impersonate an executive and convince someone to wire money to a hacker’s bank account. Care said that as well as new tools, “attention to the people and processes in use” is crucial to protect against these methods.
Account takeover is another type of threat that has grown this year. One particularly dangerous example is the expanding practice of SIM swapping, which lets criminals take over a phone number and then reset passwords through SMS-based recovery. While multi-factor authentication (MFA) remains the best way of defending against this, Care added that organizations must be aware that “attackers are shifting their tactics to bypass the MFA controls you have in place.”
Care also highlighted the increasing risk of attacks emanating from organizations’ supplier and partner relationships. He gave the example of organizations that allow employees to download and use consumer-grade utilities which, if compromised, can be used to launch attacks on their systems. “If supply chain is currently not part of your threat environment, then it needs to be on the list of threats that need consideration as you examine those connections and relationships that you have,” he outlined.
Constant monitoring of the threat landscape is therefore critical for organizations to adequately protect themselves. Care concluded: “Understanding the trends and risks allows us to invest in the right equipment to navigate the rough waters ahead.”
The current top trends in security and risk management for threat-facing, disruption and the organization have been detailed at the Gartner Security and Risk Virtual Summit.
Speaking at the event, research VP Peter Firstbrook pointed at “mega trends that are beyond your control,” which include: the skills gap, regulation and privacy, application scale and complexity, endpoint diversity, attackers and the impact of COVID-19. He said that COVID-19 has accelerated a lot of the trends Gartner has been seeing in the last 10 years, and if your organization is mature “you’re probably in a good space to handle COVID.”
The top eight trends he cited were as follows:
Extended Detection and Response (XDR) – Firstbrook said this tool is replacing SIEM and SOAR tools and enabling organizations to be “more operationally secure in their operations than by investing and trying to integrate a best of breed set of products.”
He said that XDR unites security tools into a common data format, makes correlations between events, and gives the user an integrated incident response experience where products are combined into one. “Start prioritizing the product that you need to focus in on, so start focusing on where you think it is important to have integrated information and to do incident response,” he said.
Security Process Automation – This is a trend across products, as vendors invest in it to address the skills gap and to make it “easier to get repetitive tasks done.” Firstbrook recommended identifying long manual processes and ways to automate them, and developing a playbook that sets out which steps to go through. He also advised looking for products with API and automation capabilities built in.
Securing Artificial Intelligence – Firstbrook said this is becoming a security and risk manager’s responsibility. “A lot of organizations have invested in AI and machine learning, but very few have looked at how that AI might be gained by a malicious attacker,” he said. He recommended looking at machine learning algorithms, and what attacks can be made against them.
Impact of Cyber on the Physical World – This includes IoT and machinery, as Firstbrook said the duties of security and risk managers become about more than traditional information security to include safety too. This includes factory machinery that is not as well protected, as well as building security where “siegeware” attackers lock you out of a building or mess with the HVAC system. “These are issues that information security doesn’t address, so we see organizations reorganize and put someone from infosec or cybersecurity to work across disciplines – operational security, supply chain security and product management security,” he said. “These are all areas that need to be addressed that not necessarily are.”
Form Trust and Safety Teams – These teams cover a “digital perimeter” made up of the points where the customer interacts with your environment: your call center, website, social media and some physical presences. Firstbrook recommended forming at least a part-time trust and safety team that includes marketing, a brand manager, legal and privacy, to “look at the environment holistically” and inventory the controls needed around each touchpoint.
Privacy – Firstbrook said this is becoming an influential discipline of its own, as it has been a part time job of the organization in the past, but now it is becoming a full time role. “The reason they are doing this is because organizations are concerned about financial loss, concerned about losing customers and worried about suffering from reputational damage.”
To do this efficiently, businesses should focus on assessing the data and business risk that a business has in its environment. The three areas to focus on are: consent and making sure customers opt in to share data with you, transparency so they know what you’re storing and why you’re storing it, and self-management to be able to manage and delete data.
Secure Access Service Edge (SASE) – Firstbrook said this is enabling your WAN architecture to look more like local area network (LAN) architecture. “So how do you regain visibility and control into these applications and services that exist outside of your environment, with the users that are also outside the environment?” He recommended SASE as the way to do it, as it is the integration of network security controls with new tech like remote access technology and CASB, which merge into a single platform “to provide all of this connectivity across all of the internet, and make the internet feel like your WAN.”
Cloud Workload Protection – This area is seeing a number of disruptive vendors come in, protecting cloud applications from development through to production, as applications are increasingly built bespoke, in containers and across SaaS services. “So you need an inventory of what they are using, where they are and what protocols are they using, and where the credentials are being stored – managing all of that has become very complex,” he said.
In conclusion, Firstbrook recommended taking a step back to “look at the broader picture and not just at individual problems.”
IT leaders have suffered significantly higher numbers of data breaches as a result of outbound email in the last 12 months.
According to research by Egress, 93% of the 538 IT leaders surveyed reported a breach in the past year due to an email error, and 70% of those believe remote working increases the risk of sensitive data being exposed through outbound email data breaches.
Egress CEO Tony Pepper said the problem is only going to get worse with increased remote working and higher email volumes, which create prime conditions for outbound email data breaches of a type that traditional DLP tools simply cannot handle.
“Instead, organizations need intelligent technologies, like machine learning, to create a contextual understanding of individual users that spots errors such as wrong recipients, incorrect file attachments or responses to phishing emails, and alerts the user before they make a mistake,” he said.
The most common breach types were replying to spear-phishing emails (80%), emails sent to the wrong recipients (80%) and sending the incorrect file attachment (80%).
Speaking to Infosecurity, Egress VP of corporate marketing Dan Hoy said businesses reported an increase in outbound emails since lockdown, “and more emails mean more risk.” He called this a numbers game that has increased risk, as remote workers are more susceptible and more likely to make mistakes the further removed they are from security and IT teams.
According to the research, 76% of breaches were caused by “intentional exfiltration.” Hoy confirmed this is a combination of employees innocently trying to do their job and not cause harm by sending files to webmail accounts, but this does increase risk “and you cannot ignore the malicious intent.”
This is where better technology could better resolve the problem, he said, as current technology (such as static rule-based data loss prevention) does not catch these issues and problems increase. “Technology needs to shoulder more of the burden,” Hoy added.
Furthermore, almost two-thirds (62%) of businesses rely on people to identify outbound email data breaches, whilst 24% of IT leaders said the employee who sent the email would disclose their error. In terms of action taken, 46% of respondents said the employee who caused a breach was given a formal warning, while legal action was taken in 28% of cases. In 27% of serious breach cases, respondents said the employee responsible was fired.
Hoy pointed to the 62% statistic and the fact that organizations are “still reliant on people to self report incidents,” and called the combination of outbound email errors and remote workers a “perfect storm.” Regarding employees being reprimanded, he said it is an interesting debate as to where responsibility lies.
Pepper said: “Relying on tired, stressed employees to notice a mistake and then report themselves or a colleague when a breach happens is unrealistic, especially given the repercussions they will face. With all the factors at play in people-led data breach reporting, we often find organizations are experiencing 10-times the number of incidents than they are aware of.
“It’s imperative that we build a culture where workers are supported and protected against outbound email breach risk with technology that adapts to the pressures they face and stops them from making simple mistakes in the first place. As workers get used to more regular remote working and reliance on email continues to grow, organizations need to step up to safeguard both employees and data from rising breach risks.”
Speaking during the Gartner Security and Risk Virtual Summit, research director David Gregory said the impact of the COVID-19 pandemic could be “considerable, in terms of the number of people who might be available” to fill security job roles. Despite this, he said it is unlikely that this will lead to the right skills being available.
Globally, Gregory said that it was predicted that the skills gap would remain, and he suspected the impact of COVID-19 would not affect that.
He said a “fundamental issue is businesses are often guilty of looking in the wrong place for the wrong people with the wrong skills,” and it is the view of Gartner that there are underlying problems holding organizations back in this area. These include businesses trying to find the “right candidate, even though this is never guaranteed.”
He also said a demand for “instant results” has led to a demand for instant talent rather than forming a long-term strategy, and organizations “develop their resilience strategy in silos, so working in this way we’re not able to see the bigger picture.”
Citing Gartner statistics which showed 61% of survey respondents are struggling to find and hire security professionals, Gregory said this requires an organizational response, as if a business operates in silos, “they will never understand full business concerns.” He also said that whilst IT and technical knowledge is important, businesses should be able to “engage with people at all levels of the organization, coupled with business acumen, which will be every bit as valuable in the future.”
He said the following skills are in demand, and can be developed and trained, and may also be suitable for outsourcing:
- Information security/cybersecurity analyst
- Security engineer/architect
- Vulnerability analyst/penetration tester
- Cyber-threat analyst
- Risk assurance analyst
- Information security/cybersecurity manager
“Now, more than ever, there is a need to ensure we have the right skills and competencies within our organizations,” he said. “The impact of COVID-19 will provide significant business challenges and lead almost certainly to organizations having to do more with less. There will be a need to focus on ensuring that the right skills are available to drive your organization through and beyond these difficult times.”
Gregory also said the COVID-19 pandemic will allow organizations to remove a “need to be in the office” mentality to hiring, “and the recruitment net can be cast over a wider geographic area for roles that can now be fulfilled remotely.”
For a strategic workforce planning process, Gregory recommended these steps:
- Understand business strategy, define value drivers/capabilities
- Segment roles by impact on capability delivery
- Scan the environment to identify key factors driving future-state scenarios
- Construct scenarios for the future state of the workforce
- Assess the current state of the workforce, define gaps against the future states
- Develop action plans to close gaps, monitor process and adjust for change
“There will be a need to bridge the skills gap inside the organization,” he said. “Taking a market-driven predictive approach connects those employees and learners to those in-demand skills. So to stay ahead of the curve, there is a need to consider reviewing the skills and recruitment strategy within your organization.”
A way to do this is to create job ladders so employees can see a career path, rather than just a job, which can better ensure employees remain with a company and make an organization “a destination of choice.”
New data from FICO has revealed that UK banks achieved the largest reduction in card fraud losses in 2019 compared to other countries across Europe.
That’s according to the updated FICO European Fraud Map, which discovered that UK banks have reduced fraud losses by £52m since 2018.
In contrast, more than half of the 18 European countries included in the data set saw increases in card fraud losses in 2019, with France and Italy seeing the largest increases (€8m and €6m respectively) when taking into account associated values.
However, the FICO European Fraud Map did record a 2% reduction in fraud losses across all 18 of the European countries last year.
FICO partners with the majority of banks in Europe to support their fraud prevention activities.
“Following a frustrating increase in 2018 – largely caused by an explosion of data compromise ‘bust out’ events – much of Europe has once again turned the tide on fraudsters, achieving a combined 2% overall reduction,” said Toby Carlin, director of fraud consulting in EMEA at FICO. “British consumers should be reassured that the UK achieved the largest single reduction in fraud at 8%. This is a testament to the anti-fraud activities and investments by UK banks, which reduced fraud losses in 2019 by £52 million – that’s a million pounds every week.”
Carlin added that 2020 has been a challenging environment for all, with COVID-19 having significant impacts on the transaction mix and related threats.
“This has exposed many frameworks that were already pressured, with fraudsters now attempting to make up for lost time with increased volume and ferocity of their attacks. While our Fraud Map focuses on plastics fraud and, in particular, card-not-present fraud, this is just part of the story. The biggest threat today comes from digital fraud and scams which continue to increase exponentially across all markets.”
Over half (56%) of UK businesses plan to increase their digital skills training budgets for staff next year, suggesting changes to working practices as a result of the COVID-19 pandemic will be sustained. This is according to a survey of 200 senior business decision makers in large and medium sized companies by IT services provider Transputec.
The study also found that more than half (53%) of businesses are aiming to grow their IT infrastructure budget next year, while 60% of decision makers are planning to expand the use of digital collaboration tools to enable staff to connect more effectively and improve their well-being.
A third (33%) said they want to recruit a chief digital officer to help facilitate these changes, and 41% are seeking to hire candidates with high levels of digital skills.
In addition, close to half (44%) of UK businesses want to accelerate remote working going forward in order to reduce costs, such as by downsizing office space. Almost half (49%) of those surveyed expect to see growth next year, indicating that many businesses have already adapted well to a remote working model.
Sonny Sehgal, CEO of Transputec, commented: “COVID-19 has already had a devastating impact on UK business, and we’re not out of the woods yet. Fortunately, cutting edge technology has facilitated a mass shift to remote and digital working, and as a result, many businesses have observed benefits of lower overheads and more streamlined and efficient operations through managed services.
“Therefore, we can expect flexible working to stay with us for the long-term, even after it is deemed safe to return to the office on a permanent basis. Therefore, businesses must continue to bolster digital initiatives and prioritize the use of cloud-enabled digital collaboration tools, for example, if they wish to remain buoyant.”
Despite the business benefits of home working, the surge in this practice during COVID-19 has highlighted a number of cybersecurity issues, including the use of insecure video communication platforms and risky security behaviors by remote staff.
The use of illegal stream-ripping services dramatically increased by 1390% in the period between 2016 and 2019, a study published by PRS for Music has found.
Stream-ripping services, which enable users to illegally create permanent offline copies of audio or video streams, are now “overshadowing all other illegal online music activity in the UK,” according to the research, which was conducted by online rights monitoring company INCOPRO.
Following analysis of data taken from INCOPRO’s Identify database, it was revealed that websites promoting these services now make up 80.2% of the 50 most popular music-infringing sites.
There was, however, a significant drop in the proportion of BitTorrent sites from the top 50, from 14 to six. This is likely due to greater geo-blocking and enforcement efforts across the wider music industry.
The legitimate service most frequently exploited by stream-ripping in this period remained YouTube, with 70 of the 100 services observed found to offer ‘YouTube ripping’ exclusively. It was followed by Spotify, which has overtaken SoundCloud, while other heavily targeted licensed platforms included Deezer, Amazon Music and Tidal.
The research also noted that the main source of funding for stream-ripping services was advertising, with the biggest categories generic/other (52%), scams (34%) and malware/potentially unwanted programs (PUPs) (14%).
Simon Bourn, head of IP and litigation at PRS for Music, commented: “This report shows that music piracy is very much still alive and kicking, and that stream-ripping is now responsible for a mammoth proportion of the overall piracy problem. Streaming royalties now account for over 20% of our members’ income, and the popularity of this illegal activity has a severe and direct impact on the royalties we can collect for them from legitimate services. Each time a stream is ripped, the user is then listening to and consuming that rip outside of the licensed ecosystem.”
Andrea C. Martin, CEO at PRS for Music, highlighted the importance of protecting digital income streams in light of the COVID-19 crisis: “The prolonged absence of income from live performance means that revenues generated on legitimate digital platforms are more important than ever. While the report shows that our efforts are going in the right direction, it is equally clear that we must persist and continue to work closely with both government and the wider music industry to foster a secure digital environment for music creators and consumers alike.”
A New Jersey man who physically installed keyloggers onto the computer networks of his rivals to steal trade secrets has been sent to prison for nearly eight years.
Ankur Agarwal, of Montville, pleaded guilty to two counts of obtaining information from computers and one count of aggravated identity theft in federal court in Newark back in October 2019. The 45-year-old admitted stealing 15,000 files relating to emerging technology from two different companies.
According to court documents, Agarwal trespassed on the New Jersey premises of a Texas-based tech company in February 2017. The cyber-criminal then illegally installed hardware keylogger devices on the company's computers to capture the keystrokes of its employees.
From the data provided by the keyloggers, Agarwal was able to extract the usernames and passwords of the employees and gain access to the company's computer system.
Once inside the company's network, Agarwal installed his personal computer and a hard drive. Prosecutors said that Agarwal then stole data relating to the development of an emerging technology from the company's computers.
To exfiltrate the data, Agarwal used computer code that he had written specifically for that purpose. He executed the exfiltration script against multiple computers and on more than one occasion.
Agarwal confessed to hacking into a second company based in New York. He was able to enter the company's premises in New Jersey after fraudulently creating an access card for himself.
The Justice Department said: “This fraudulently obtained access badge, bearing another individual’s name, allowed Agarwal to physically trespass onto Company Two’s premises.”
While trespassing at the second company, Agarwal again targeted data relating to emerging technology and stole it. His criminal activities were detected by employees at the company in April 2018.
On September 1, 2020, US District Judge Susan Wigenton sentenced Agarwal to 94 months behind bars. He was further sentenced to three years of supervised release and ordered to pay a fine of $25,000.
Agarwal consented to a forfeiture judgment that required him to forfeit his computers, storage devices, and related equipment.
US Attorney Craig Carpenito credited special agents of the FBI’s Cyber Division with the investigation that led to the conviction of Agarwal.
An attempt to infect a Missouri county's website with malware has been foiled.
Threat actors deployed Trojan horse malware in an attempt to gain access to the website of St. Louis County earlier this month.
Staff in the IT department took down the county website on September 1 after detecting multiple attacks on the county's server.
Recently appointed IT director Charles Henderson said on Monday that the unsuccessful attack had been an attempt to take control of the website. According to Henderson, none of the county's data was compromised, lost, stolen, or corrupted as a result of the cyber-attack.
Threat actors were observed mimicking legitimate traffic in an effort to exploit a vulnerability in the website's management system. Henderson said the incident was a close call, with the attackers managing to bypass all but one of the county's cyber-defenses.
“All that it would have taken is for a single Trojan to get past . . . and the server would have been compromised,” Henderson told the Saint Louis Dispatch.
Rather than risk the attackers penetrating that final layer of defense, Henderson's team opted to take the site down and bring forward a replacement site that was already in development and had been scheduled to launch in a few months' time.
"We took the web server down for maintenance with the intent of closing the security vulnerability and bringing the site back up,” Henderson said.
“After examining their attack method and the options available to us, we determined that we could not, with confidence, defend the server against further attacks and with only a single layer of defense available we recommended that we not bring the system back online.”
Operations in Camden County, Missouri, were disrupted in April this year following a "sophisticated encryption attack."
Elsewhere in the Show-Me State, around 360,212 patients of Kansas City–based Saint Luke’s Foundation (SLF) were affected by the recent ransomware attack on Blackbaud, a third-party vendor.
A public notice issued last month by Saint Luke's stated that the cyber-criminal who carried out the ransomware attack removed a copy of SLF’s backup file for the purpose of extorting funds from Blackbaud.
US government agencies and private-sector companies have been warned to be on high alert for cyber-attacks by threat actors affiliated with the Chinese Ministry of State Security (MSS).
A joint security advisory on the cyber-threat was issued yesterday by the Cybersecurity and Infrastructure Security Agency (CISA) and the United States Department of Justice.
CISA said that it had observed MSS-affiliated cyber-threat actors "using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target US Government agencies."
Publicly available information and open source exploit tools leveraged in the attacks have included China Chopper, Mimikatz, and Cobalt Strike.
The attacks have been going on for over a year, often targeting vulnerabilities in widely used internet-facing products such as Microsoft Exchange email servers, Citrix and Pulse Secure VPN appliances, and F5 BIG-IP load balancers.
CISA said that the best defense against the most frequently used attacks was to maintain a rigorous patching cycle.
"If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network," states the advisory.
Victims of the attacks described by CISA had usually neglected to take every possible step to protect their digital assets.
"In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits," read the advisory.
"Widespread implementation of robust configuration and patch management programs would greatly increase network security."
CISA added that companies that made an effort to stay up-to-date with their cybersecurity could reduce the speed and frequency of cyber-attacks "by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools."
According to a recent US Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries in a campaign that lasted over a decade. Industries affected by the attacks include high-tech manufacturing, medical devices, civil and industrial engineering, business, education, gaming, solar energy, pharmaceuticals, and defense.
Passwordless authentication “is an aspiration and not necessarily a destination,” said David Mahdi, senior director analyst at Gartner during the Gartner Security and Risk Virtual Summit. This is because many organizations are still reliant on legacy technology that does not necessarily support passwordless authentication.
Nevertheless, a gradual move in this direction as new technologies like SaaS-based applications are rolled out is something that organizations should be looking at in order to reduce the risk of breaches occurring. Mahdi noted: “Bad actors keep going after passwords and it continues to be problematic,” adding that “in breach after breach, identity is being leveraged as one of the main surfaces to get in and target a vulnerability, or conduct attacks like phishing.”
The poor usability often associated with traditional passwords also “leads users to cut corners,” according to Mahdi.
So what alternatives should organizations look to introduce that offer greater usability and security?
In regard to single-factor options, Mahdi outlined the importance of ensuring such methods provide the same flexibility as usernames and passwords, which can be used on any device. One important method in this category is tokens: these include QR code scans via a mobile app, out-of-band SMS and FIDO2 security keys. “These tokens are handy in that they are portable, so whether it’s contactless or the right USB interface, I can interface to the multiple devices I have and under the hood it’s using public key cryptography to achieve that authentication and security,” explained Mahdi.
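As an added illustration of the public key mechanism Mahdi describes (example code, not from Gartner or the summit), the Go program below has a token sign a server-issued challenge bound to the site's origin, and the server verify that signature with the public key registered for the user; the origin URL, user name and function names are assumed. It goes slightly beyond the passage by also showing why a replayed response, or one signed for a look-alike origin, is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewTokenKey plays the part of a portable token (e.g. a FIDO2 security key)
// generating its key pair; the private half never leaves the token.
func NewTokenKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// bind ties a challenge to the origin the client believes it is talking to,
// so a response obtained on a look-alike site does not verify on the real one.
func bind(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return d[:]
}

// SignChallenge is the token's only operation: sign one challenge for one origin.
func SignChallenge(priv *ecdsa.PrivateKey, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, bind(origin, challenge))
}

// Server stores only public keys and single-use challenges: no shared secret.
type Server struct {
	origin  string
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte // user -> challenge awaiting an answer
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }
// Challenge issues a fresh random nonce, replacing any earlier one for the user.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the signature with the registered key and consumes the challenge, so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) error {
	c, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, user) // single use, whether or not the check passes
	if !ecdsa.VerifyASN1(s.keys[user], bind(s.origin, c), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	priv, _ := NewTokenKey()
	srv := NewServer("https://login.example.com") // constructed origin
	srv.Register("alice", &priv.PublicKey)
	c, _ := srv.Challenge("alice")
	sig, _ := SignChallenge(priv, srv.origin, c)
	fmt.Println("login:", srv.Verify("alice", sig), "| replay:", srv.Verify("alice", sig))
}
```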
Biometric authentication technology has grown in significance over recent years, ranging from face, to voice and retina scanning. Mahdi highlighted that attempts are ongoing to enhance the convenience of this form of authentication further, such as ensuring it can work even when part of your face is covered. “Certainly biometric methods have really increased and they’re quite ubiquitous,” he added. “They will help in that fight against passwords – they really are an enabling mechanism.”
There are also a number of multi-factor authentication (MFA) options that organizations should be considering, which are particularly secure but continue to provide usability. A major type is PIN-protected and biometric-enabled smart cards, often utilized across highly sensitive organizations like government departments. “These cards really bring together what you have, because of the card, what you know, because of the PIN, and sometimes you can have biometrics tied in, so what you are as well,” said Mahdi.
Finally, Mahdi discussed zero-factor alternatives, which are based on multiple recognition signals that people use such as geo-location, instead of requesting that a user actively does something. He commented: “These can be really passive and can help in balancing usability and security.”
While not impenetrable, Mahdi believes these passwordless forms of authentication have the potential to substantially enhance security and productivity in organizations in the future. “If employees can access their services faster with higher security, it means they’ll be able to access more content, more services and do it in a very effective and seamless way,” he concluded.
The impact of the COVID-19 pandemic has led to uncertainty and anxiety in society, but also to sweeping changes in the way businesses operate and plan for the future.
Speaking during the Gartner Security and Risk Virtual Summit, research VP Roberta Witty called the impact of COVID-19 life changing and stated it has pushed resilience to be a board-level discussion, acting as “an industry refresh to reshape business for at least the next decade.”
Witty said that many organizations did not have the time to undertake due diligence for the rapid transition, and supply chain was impacted “as China shut down for a few months” and employees reported being stressed, tired and anxious. “Business leaders need to respond rapidly to ensure their organizations remain secure and resilient,” she said.
Citing Gartner research, Witty said 73% of boards of directors considered economic slowdown the top threat shaping their business strategy, but the focus has shifted to resilience, providing the essential services that the business requires and “coping with the unexpected in how we work and deliver our products and services.”
She explained that resilience must be at the heart of any project, as “we are in this for the long haul” and this can be achieved by understanding where you are. “Many [businesses] were prepared for traditional business disruption, but few were prepared for a crisis of a global scale lasting months if not years,” Witty said. “We’re living our lives and running businesses with the pandemic all around us, impacting everything we do.”
Adding that “business continuity management is at the heart of every resilience program,” Witty said the biggest change Gartner sees is organizations realizing that monitoring risk and managing operations on a day-to-day basis “must be tightly coupled with crisis planning.”
Among the changes being made, Witty said decisions that would have taken months are now being done in an afternoon, as organizations are “flatter and faster” and layers of the business are compressed. She also said more critical roles are being developed and “work being reworked” as more agile teams are launched and talent reallocated.
“We’re also seeing a shift from design for efficiency to design for resilience,” which Witty said could be a challenge. “We’re also seeing more technology being used, the rapid move to remote work and collaboration tools that go along with that, plus the rapid deployment of digital systems to support these interactions has been substantial.”
Also, there is a growth in data collection in all areas of business “to make better strategic and operational decisions about our businesses.”
Witty also claimed the remote working trend will continue, as we see the emergence of new top tier employees, while the supply chain is pressure-tested and strengthened. “Lastly there will be an increase in organizational complexity over the next few months because of more mergers and acquisitions, nationalization and as big companies get bigger.”
Concluding, Witty said the pandemic has “shaken us personally and organizations to the core” and we need to decide if we lean into the change, or stay stuck in the past. “We cannot rely on the same old habits, so be creative and imaginative,” she said. “So what will you do to move the world forward, and how will you make changes to make someone else’s dreams come true?”
The UK’s National Cyber Security Centre (NCSC) has released a new Vulnerability Reporting Toolkit, designed to help organizations manage vulnerability disclosure in a streamlined, process-driven manner.
The government-backed GCHQ unit explained in a blog post yesterday that the new toolkit was built with knowledge distilled from two years of running the NCSC’s Vulnerability Co-ordination Pilot and Vulnerability Reporting Service.
It was built according to the three best practices of vulnerability disclosure: good communication, a clear policy and ease of use. On the latter, the NCSC advocated the proposed IETF standard security.txt, also supported by the US Department of Homeland Security and NZ CERT, as an easy way for individuals to find all the information they need.
“The toolkit is not an all-encompassing answer to vulnerability disclosure, but it is a great start. If you don't have a vulnerability disclosure process, then the toolkit can help you create one. We believe it’s worth establishing a process in advance (that is, before you need to create a process when responding to a vulnerability disclosure),” the NCSC’s “Ollie N” said.
“The toolkit is deliberately easy to implement, so you can adopt it at short notice. Even if you already have a process in place, please take a look at the toolkit as it may help you to improve on what you’ve already set up.”
As the first edition of the toolkit, the current iteration is designed to cover just the basics. However, over time it will be adapted to include details on how to build an internal process that can triage and fully manage a vulnerability disclosure.
The NCSC’s advice comes ahead of new IoT laws being drawn up by the government which will compel all manufacturers of consumer smart gadgets to run vulnerability disclosure programs.
Earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) issued new requirements for all government agencies to develop and publish vulnerability disclosure policies (VDPs).
Security professionals are still doing a poor job of getting business leaders to understand their strategies.
Speaking during the Gartner Security and Risk Virtual Summit, VP analyst Jeffrey Wheatman claimed security professionals are “fighting a battle with ourselves and our business stakeholders” as security does a poor job of articulating strategies and getting stakeholders to understand “why the things we do are important.”
He claimed that even during the COVID-19 pandemic this is still the case, and that security needs to know how to create a cybersecurity strategy that resonates with stakeholders. He also claimed that everyone is seeking to create either a one-page strategy, which management understands but which does not resonate with the technical team, or a more technical and granular strategy, where the technology team knows what to do but the management team does not.
“Clearly we need to figure out how we can bring these two extremes together and articulate what we are doing and why; to tell a simple story,” he said. Wheatman said this involves five steps:
- Start with your business goals
- Identify your risks
- Make the risks real
- Articulate the program objectives
- Map strategy to tactics
As part of this, Wheatman recommended focusing on what the company does, what risks it faces and how they are addressed. “That construct is very important, this is not us in security, it is not you in the business, it is we working together to achieve a common set of goals and objectives,” he said.
He advised the best way to get company engagement is to focus on what business stakeholders care about, namely: growing revenue, managing costs, focusing on customer retention, growing the sales force, being number one in the market and being the best in class. “If you cannot use these, where can you get your business goals from? Look at the annual report executive summary of what the company is going to accomplish this year, what are the core values and initiatives?” he said. “Essentially, this is what the board and C-level executives get measured on at the end of the year, so focus on those.”
To identify risks, Wheatman said a common question Gartner receives is “tell us what our risks are.” He said there may be commonality in your vertical, but “your risks are your risks” and so identify them by doing a risk assessment, focus on the executive summary, look for published reports, talk to your peers and ISAC, if you have one.
He also recommended keeping risks to between eight and 10, as many more will not be digestible and you’ll be shifting to threats and vulnerabilities.
Wheatman also recommended mapping your strategy to a framework which others use as this will give you a justification for expenditure.
“If you think about the five elements of the story, it is how we’re going to do it, how we’re going to invest, the time and human capital and tooling, here’s how we’re going to measure our success, and here’s the process for continuous improvement,” he said. “So think about these things as the next step, once you’ve gone through the initial five steps to build this out.”
He recommended linking back to business goals, particularly in growing revenue, and to link actions to goals. “You must target your audience and target what they care about and the things they are compensated on and measured on at the end of the year,” he concluded. “Identify your risks and make those risks real for your audience.”
Tens of thousands of US veterans have had their personal information illegally accessed in a data breach incident announced on Monday.
The US Department of Veterans Affairs (VA) Office of Management revealed that 46,000 veterans had been affected by the incident.
“The Financial Services Center (FSC) determined one of its online applications was accessed by unauthorized users to divert payments to community health care providers for the medical treatment of veterans. The FSC took the application offline and reported the breach to VA’s Privacy Office,” the VA’s statement said.
“A preliminary review indicates these unauthorized users gained access to the application to change financial information and divert payments from VA by using social engineering techniques and exploiting authentication protocols.”
The VA Office of IT is conducting a comprehensive security review before system access is allowed again, it added.
“To protect these veterans, the FSC is alerting the affected individuals, including the next-of-kin of those who are deceased, of the potential risk to their personal information,” the statement concluded.
“The department is also offering access to credit monitoring services, at no cost, to those whose social security numbers may have been compromised.”
Thomas Richards, principal security consultant at Synopsys, argued that social engineering is a common tactic to gain unauthorized access to applications and systems.
“If, for business reasons, these applications must be public facing they should be secured with multi-factor authentication to prevent any compromised credentials from being used,” he added. “Organizations should also conduct regular assessments against their staff to raise awareness around social engineering threats, thus reducing the chance of a successful attack."
Back in September last year, security researchers discovered a spoofed VA recruitment site crafted to deploy spyware on visitors’ computers.
Around 2000 e-commerce stores running the popular Magento software were attacked over the weekend, in the largest recorded campaign of its kind, according to researchers.
Sansec’s Threat Research Team warned that the 1904 Magecart attacks it detected targeted e-stores running the now out-of-date Magento version 1. A total of 10 stores were infected on Friday, followed by 1058 on Saturday, 603 on Sunday and 233 on Monday, it said.
The security firm estimates that tens of thousands of customers unwittingly had their payment details stolen over the weekend in the attacks.
“This automated campaign is by far the largest one that Sansec has identified since it started monitoring in 2015. The previous record was 962 hacked stores in a single day in July last year,” it added.
“The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming. Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.”
Sansec suggested that, as many of the sites had no previous history of security incidents, the attackers may have found a new way to compromise their servers — potentially exploiting a zero-day in Magento 1 that was advertised online.
The firm warned that, if this is the case, 95,000 stores could also be exposed to the exploit, as they’re running Magento 1 and no more patches are being produced by developer Adobe.
“Official PCI requirements are to use a malware and vulnerability scanner on the server, such as Sansec’s eComscan,” it said. “Sansec also recommends subscribing to alternative Magento 1 patch support, such as that provided by Mage One.”
Back in June, Sansec spotted a spate of new Magecart infections on e-commerce sites like Claire’s. It’s possible that those groups behind these digital skimming attacks feel there are rich pickings to be had as shoppers under lockdown flood online stores and IT teams struggle to support business-critical infrastructure, leaving security gaps to exploit.
Privacy issues have been detected in an official application of the Joe Biden campaign.
The Vote Joe app uses relational organizing to allow users to share data about themselves and their contacts with a voter database run by Target Smart, a service claiming to have over 191 million voter records.
A user who syncs their contacts with the Vote Joe app will be presented with a corresponding voter entry from the Biden campaign's voter database. The user's contact data is then harvested and used to enrich the database entry.
The App Analyst noted: "An issue occurs when the contact in the phone does not correspond with the voter, but the data continues to enrich the voter database entry. By adding fake contacts to the device, a user is able to sync these with real voters."
Commenting on the relational organizing employed by the app, Brandon Hoffman, CISO at Netenrich, said: "An influencer could easily just sync their phone loaded with a list of pre-planted fake social media 'contacts' and 'profiles' that will be used to further their information campaign.”
Anyone who signs up for the app with an unverified email can query the voter database using a first name, last name and state. The returned information includes which elections the voter has participated in, with either a checkmark to signify their participation or an X to denote that they did not vote.
"The returned object appears to contain 'Y' to signify 'Yes they voted,' but there are other values such as 'B' and 'R.' These values may represent how Target Smart suspects the user voted, using an 'R' value to potentially represent 'Red' or 'Republican' and the 'B' value to represent 'Blue' or 'Democrat,'" they wrote.
Additional voter data revealed included specific date of birth, "voterbase_id" (a value unique to Target Smart and not an official voter ID), and some Target Smart fields corresponding to the voter's Senate, congressional, and House districts.
The app states: “We’ll let you know which of your friends and family members could use that extra touch to help make sure they vote in 2020.”
A large proportion of employees are using their own devices to access data belonging to their company, according to a new study by Trend Micro.
Researchers found that 39% of workers use personal smartphones, tablets, and laptops to access corporate data, often via services and applications hosted in the cloud.
The Head in the Clouds study, which surveyed more than 13,000 remote workers globally, found that many of the personal devices used to access company data were not as secure as their corporate equivalents.
A further finding of the study was that more than half (52%) of global remote workers have IoT devices connected to their home network, with 10% using lesser-known brands.
Since home networks typically offer security protection that is inferior to that which a business can afford to implement, researchers expressed concern that attackers could access home networks, then use unprotected personal devices as a stepping stone into the corporate networks they’re connected to.
Getting access to personal devices may not present much of a challenge to threat actors, given that over one-third (36%) of remote workers surveyed did not have basic password protection on all personal devices.
"The fact that so many remote workers use personal devices for accessing corporate data and services suggests that there may be a lack of awareness about the security risks associated with this," commented cyberpsychology expert Dr. Linda K. Kaye.
"Tailored cybersecurity training which recognizes the diversity of different users and their levels of awareness and attitudes around risks would be beneficial to help mitigate any security threats which may derive from these issues."
The research also revealed that 70% of global remote workers connect corporate laptops to the home network, opening up the possibility for malware infections to be brought from the home into the office.
“IoT has empowered simple devices with computing and connectivity, but not necessarily adequate security capabilities,” said Bharat Mistry, principal security strategist at Trend Micro.
“This threat is amplified as an age of mass remote work blurs the lines between private and company devices, putting both personal and business data in the firing line."
The notion of zero trust in cybersecurity is a misunderstood term, according to Neil MacDonald, VP and distinguished analyst at Gartner. Speaking during the Gartner Security and Risk Virtual Summit, MacDonald noted that extending trust is in fact necessary for organizations to work efficiently.
The main issue is too much “implicit trust” in existing security practices that are based upon using physical location and ownership and control. This does not work well in a modern digital business, in which there are multiple devices used across multiple locations. Instead, “our goal is to replace that implicit trust with continuously assessed explicit trust levels based on risk,” explained MacDonald.
Ultimately, zero trust is a move away from a traditional perimeter-based model, where physical location defines trust, to a model in which explicit trust is decided based on various factors, including identity, location, user behavior and the sensitivity of the data being handled.
For organizations to apply such an approach successfully, the first focus should be on zero trust networking, according to MacDonald. This is because the TCP/IP network was built at a time when trust could be assumed, but things have changed significantly. “IP addresses are weak identifiers at best and they can easily be spoofed,” he noted. This means authentication needs to take place first before connection is granted rather than afterwards.
Legacy VPNs, which grant access externally, are therefore not fit for purpose and must be phased out. MacDonald commented: “We want to adopt a way of thinking which says the network location doesn’t matter, the network’s always untrusted; always assume it’s compromised, everything needs to be encrypted.”
Then from the moment access is allowed, continuous monitoring of the user’s behavior must take place.
The next aspect is to apply these zero trust principles within organizations’ internal data centers. “The problem is most data center networks are flat – when the bad guy gets in they move unimpeded laterally,” explained MacDonald. “What we need are data centers that are built for a breach.”
In this approach, similarly to how submarines protect themselves against a water leak, a breach should be contained in one area, a method known as identity-based segmentation. This can include removing end-users from the data center network or ring fencing critical applications like the SAP app.
He went on to outline other areas in which this zero trust principle can be applied so organizations can more effectively protect themselves from cyber-criminals. These include the removal of admin rights from end-user systems, implementing default deny on critical servers, encrypting all data by default and implementing multi-factor authentication (MFA) for all administrators.
MacDonald stated that the ongoing shift to the cloud can serve as the catalyst for these types of initiatives to be introduced over time. He added: “You can’t flip a light switch and go to zero trust, but we can pragmatically take these steps.”