The UK has agreed to spend up to £15m to boost cybersecurity in Commonwealth nations, as part of a wide-ranging inter-governmental commitment to fighting online threats.
The 53-state Commonwealth is seen by many as a throwback to the days of the British Empire, but nonetheless represents almost a third of the world’s population.
As such, the “Commonwealth Cyber Declaration” leaders were expected to sign at a Heads of Government meeting in London this week could be an important step in tackling global cybercrime.
According to Number 10, the declaration sets out a vision for a free and open internet and commits members to improving national cybersecurity and international co-operation against “those who seek to undermine our values, security, even the integrity of elections.”
As part of the funds set aside for this initiative, the UK is giving £5.5 million to “low and middle income” Commonwealth countries so they can carry out national cybersecurity capacity reviews before the next meeting in 2020.
Australian Prime Minister, Malcolm Turnbull, New Zealand PM Jacinda Ardern and Canadian PM Justin Trudeau joined Theresa May on Wednesday for an intelligence partners meeting at the National Cyber Security Centre (NCSC).
In addition, digital secretary Matt Hancock and Singaporean foreign minister Vivian Balakrishnan signed a Memorandum of Cooperation (MoC) on cybersecurity capacity building. It will commit the countries to working together on emergency response, training and more to deliver a program over two years.
“I have called on Commonwealth leaders to take action and to work collectively to tackle this threat. Our package of funding will enable members to review their cybersecurity capability, and deliver the stability and resilience that we all need to stay safe online and grow our digital economies,” said May.
“The Commonwealth plays a pivotal role in shaping the future for many of its members. We have put security on the agenda for the first time so we can work together and build a safer future both for Britain, and for the 2.4 billion people around the world who live in the Commonwealth.”
Mark Weir, Cisco UK & Ireland director of cybersecurity, welcomed the extra funding as a vital next step in creating a “neighborhood cyber-watch.”
“To help reduce cyber-criminals' success rates and reduce the impact on businesses and countries, there has to be a greater willingness to share insight, learnings and knowledge,” he added. “These criminals are getting smarter by the day and growing in sophistication and power. We need to build a collective and collaborative community to ensure we don’t just keep up, but stay one step ahead.”
The news comes as some of the world’s biggest tech and cybersecurity firms came together this week to agree on a new commitment to improving co-operation on threats. The Cybersecurity Tech Accord includes Facebook, Microsoft, Cisco, Oracle, Trend Micro and many others as founding members.
At the RSA Conference in San Francisco on April 18, 2018, three leading instructors and contributors from the SANS Institute shared what they believe to be the five most dangerous new attack techniques in cybersecurity.
Repositories and Cloud Storage Data Leakage
Ed Skoudis named repositories and cloud storage data leakage as one of the techniques. “Software today is built in a very different way than it was 10 or even 5 years ago, with vast online code repositories for collaboration and cloud data storage hosting mission-critical applications,” he explained. “However, attackers are increasingly targeting such infrastructures, looking for passwords, crypto keys, access tokens, and terabytes of sensitive data in such repositories and cloud storage.” As a result, defenders need to focus on data inventories, appointing a data curator for their organization and educating system architects and developers about how to secure data assets in the cloud.
Big Data Analytics, De-Anonymization, and Correlation
“The battle is shifting from hacking machines to hacking data - gathering data from disparate sources and fusing it together to de-anonymize users, find business weaknesses and opportunities, or otherwise undermine an organization's mission,” explained Skoudis. Defenders need to start analyzing risks associated with how their seemingly innocuous data can be combined with data from other sources to introduce business risk, he said, “all while carefully considering the privacy implications of their data and its potential to tarnish a brand or invite regulatory scrutiny.”
Exploitability in ICS/SCADA: Intent & Method
James Lyne explained how the vast majority of malicious code has undeniably been focused on fraud and profit. “Yet, with the relentless deployment of technology in our society, the opportunity for political or even military influence only grows greater,” he said. “Rare, publicly visible attacks like Triton/Trisis show capability and intent to compromise some of the highest risk components of industrial environments.” He expects this to translate into an increase in the number of active campaigns, or into more adversaries developing backup disruption capabilities. “Many systems in this domain lack the mitigations of modern operating systems and applications. Attackers have demonstrated they have the inclination and resource to diversify their attacks, such as to the aforementioned SIS, which opens up new and concerning possibilities.”
Attackers Monetize Compromised Systems Using Crypto-Miners
Johannes Ullrich talked about how attackers “no longer bother with data. Last year, we discussed how ransomware was used to sell data back to its owner. Crypto-currencies were the tool of choice to pay for ransom.” Due to the flood of stolen data offered for sale, he continued, “most commonly stolen data like credit card numbers or PII has dropped significantly in value. Attackers will instead install crypto coin miners.” These attacks are stealthier and less likely to be discovered.
Software developers often assume that hardware is flawless, said Ullrich, which he described as a dangerous assumption. “Hardware is no less complex than software and mistakes have been made just as they are made in software. Patching hardware is a lot more difficult and often not possible without replacing entire systems or suffering significant performance penalties.” Developers need to learn to create software without relying on hardware, he continued. “Software needs to authenticate and encrypt data within the system. Some emerging homomorphic encryption algorithms may allow developers to operate on encrypted data without having to decrypt it first.”
At RSA 2018 in San Francisco, Johnnie Konstantas, senior director, Enterprise Cybersecurity Group, Microsoft, Rob Lefferts, director, Microsoft, and Sam George, director, Azure IoT, discussed the latest trends in the threat landscape and explored how defenders can reach outside their organizations to leverage pooled resources for better protection.
Konstantas said that easy marks are still under attack from adversaries, who continue to be drawn to ‘low-hanging fruit’ attack vectors.
What’s more, “the very definition of the network is changing,” she added. “We’re seeing what we once considered to be the network disappear. That means our thinking around security has to evolve with the shape of a new network which is about the intelligence cloud.”
The very estate you have to protect is expanding meteorically, she added, and we can no longer identify the weak links in our network because “everything is a sensor, everything is connected. It becomes almost impossible to compute all the pathways into your critical data, which is why you can no longer do this alone – there is a heavy need for us to come together as an industry and provide integrated means by which you can expedite your responses.”
To do that, Lefferts explained how Microsoft is taking a cloud-based, community-driven approach in a new platform to meet the security needs of its customers, highlighting four key areas of collaboration:
- Identity and access management
- Threat detection
- Information protection
- Security management
“We’re encouraging partners to work with us,” Lefferts said, and the results show “what we can do when we work together, taking advantage of assets and intelligence” to offer greater identity & access management and threat detection.
The key element in doing that is using cloud-based intelligence, and George said that is particularly important when it comes to securing the IoT. “We see a tremendous amount of fragmentation in the IoT device space and security space,” he added, but “the cloud really comes into play in keeping IoT devices secure.”
Speaking at RSA 2018 in San Francisco, Ed Cabrera, chief cybersecurity officer at Trend Micro, examined the attack surface of smart factories and industrial robots.
Cabrera explained that with the increased automation, connectivity and complexity of smart factories, combined with the increasing attack sophistication of adversaries, comes increased risk.
To outline the real-life threats that smart factories face as a result, he considered the likelihood and impact of five attack scenarios that are possible when the weaknesses in smart factories and robot architectures/implementations are exploited.
The first is plant disruption, something that we saw in 2017 with the Mirai botnet attacking South America and countries in Africa.
The second is digital extortion, something that has become very prevalent with the number of ransomware families growing greatly over the last few years. “There’s definitely a return on investment going on in the digital underground with digital extortion,” Cabrera said, “and this is a scenario that is only going to grow.”
The third attack scenario that he considered is that of physical damage, and whilst this is perhaps less likely or frequent than other scenarios, “the impact can be very high with loss of life, property disruption, etc.”
Next is production line process interference, and from a motivational perspective this is an attack scenario that would appeal to hacktivist groups and criminal enterprises.
Lastly is sensitive data exfiltration, “that is attacks going after sensitive data for corporate espionage or nation state [motives]. The likelihood of that is high and activity does happen.”
To conclude, Cabrera discussed ways to mitigate and defend against these types of risks, suggesting that increased visibility, prevention, detection, response and collaboration will result in risk reduction.
To achieve that, he advised taking the following three steps:
- Framework first: align IT/OT risk management with business goals, strategies and objectives
- Design a sound framework: understand CIA AIC = risk resilience, red teaming exercises, prevention through IT/OT security configuration and architecture, detection through joint SOC/NOC fusion centers, response through joint IT/OT IR teams and collaboration
- Partner early and often
About 48 million records of detailed personal information on tens of millions of individuals have been leaked, containing Cambridge Analytica–style information gathered and scraped from multiple sources.
The culprit, as is the case all too often, is a misconfigured cloud storage repository, in this case belonging to a company called LocalBlox. LocalBlox bills itself as a personal and business data search service, but its bread and butter is data-harvesting and the creation of psychometric profiles of individuals. It says that it’s “the First Global Customer Intelligence Platform to search, combine and validate deep business and people profiles – at scale,” according to its website, which also proclaims that “the need for deeper, more accurate data about individual businesses and consumers is becoming more urgent to compete.”
According to the UpGuard Cyber Risk Team, which said it gained confirmation of the breach from LocalBlox co-founder Ashfaq Rahman, the data that was left publicly accessible includes names, physical addresses, dates of birth, scraped data from LinkedIn job histories and Facebook, Twitter handles and more. In addition, it appears the prominent real estate site Zillow is used in the process as well, with information being somehow blended from the service's listings into the larger data pool.
“In the wake of the Facebook/Cambridge Analytica debacle, the importance of massive sets of psychographic data is becoming more and more apparent,” UpGuard researchers said in a blog. “This combination [of information] begins to build a three-dimensional picture of every individual affected – who they are, what they talk about, what they like, even what they do for a living – in essence a blueprint from which to create targeted persuasive content, like advertising or political campaigning. If the legitimate uses of the data aren’t enough to give pause, the illegitimate uses range from traditional identity theft, to fraud, to ammunition for social engineering scams such as phishing.”
The Amazon Web Services S3 bucket, since secured, contained 1.2 TB of information at the time of exposure. UpGuard said that the database tracks an IP address, matching collected data to that IP address when possible and thus providing a clearer image of the behavior and background of the user at that IP address.
Interestingly, the exposed source fields also point to aggregated content, purchased marketing databases or information caches sold by payday loan operators to businesses seeking marketing data; other fields are more ambiguous, such as a source field labeled “ex.”
“The data gathered on these people connected their identity and online behaviors and activity, all in the context of targeted marketing, i.e. how best to persuade them,” UpGuard said. “Your psychographic data can be used to influence you. It is what makes exposures of this nature so dangerous, and also what drives not only the business model of LocalBlox but of the entire data analytics industry.”
About 70% of respondents in a recent survey are concerned that a successful cyber-attack could cause a catastrophic failure, such as an explosion.
According to a Tripwire survey, in which respondents included 151 IT and operational technology (OT) security professionals at energy and oil and gas companies, almost all (97%) are concerned that attacks could cause operational shutdowns, and 96% believe they could impact the safety of their employees.
"Energy companies have accepted the reality that digital threats can have tangible consequences," said Tim Erlin, vice president of product management and strategy at Tripwire. "This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so."
There were conflicting perceptions of security readiness among respondents: A full 91% are worried about attacks on their industrial control systems (ICS), yet 65% feel their company invests sufficiently in ICS security. At the same time, 62% said that lack of budget and investment continues to be the biggest barrier in meeting ICS security goals.
Of those who said their company does not invest sufficiently, 56% believe it would take a significant attack to get their companies to a proper level of investment. About 59% said their companies increased security investments because of ICS-targeted attacks; and as far as feared threats, 45% said ransomware has had the most significant impact in increasing their security investment, compared to 44% who said Trisis/Triton and Industroyer/Crashoverride and 11% who said Stuxnet.
While a defense-in-depth, layered approach to security is considered a best practice, only 35% of respondents said they implement a multilayered approach to locking down ICS. About a third (34%) said they focus primarily on network level security, and 14% said ICS device security.
"It's encouraging to see that companies have increased their security investment somewhat,” Erlin said. “However, it’s concerning that more than half would wait for an attack to happen before investing properly, given what's at stake with critical infrastructure. The energy industry should invest in establishing more robust cybersecurity strategies, with a proper foundation of critical security controls and layers of defense."
IT managers lack visibility into about 45% of their organization’s network traffic, creating significant security challenges. In fact, nearly a quarter of them are blind to as much as 70% of their network traffic.
Sophos’s global survey, The Dirty Secrets of Network Firewalls, polled more than 2,700 IT decision-makers from midsized businesses in 10 countries, including the US, Canada, Mexico, France, Germany, UK, Australia, Japan, India and South Africa – and found that, unsurprisingly, 84% of respondents agree that a lack of application visibility is a serious security concern.
Without the ability to identify what’s running on their network, IT managers are blind to ransomware, unknown malware, data breaches and other advanced threats, as well as potentially malicious applications and rogue users. Sophos pointed out that network firewalls with signature-based detection are unable to provide adequate visibility into application traffic due to a variety of factors, such as the increasing use of encryption, browser emulation and advanced evasion techniques.
“If you can’t see everything on your network, you can’t ever be confident that your organization is protected from threats. IT professionals have been ‘flying blind’ for too long and cybercriminals take advantage of this,” said Dan Schiappa, senior vice president and general manager of products at Sophos. “With governments worldwide introducing stiffer penalties for data breach and loss, knowing who and what is on your network is becoming increasingly important. This dirty secret can’t be ignored any longer.”
On average, organizations spend seven working days remediating 16 infected machines per month. Smaller organizations (100–1,000 users) spend on average five working days remediating 13 machines, while larger organizations (1,001–5,000 users) spend on average 10 working days remediating 20 machines, according to the survey.
“A single network breach often leads to the compromise of multiple computers, so the faster you can stop the infection from spreading, the more you limit the damage and time needed to clean it up,” said Schiappa. “Companies are looking for the kind of next-generation, integrated network and endpoint protection that can stop advanced threats and prevent an isolated incident from turning into a widespread outbreak. Sophisticated exploits such as Mimikatz and EternalBlue reminded everyone that network protection is critical to endpoint security and vice versa. Only direct intelligence sharing between these two can reveal the true nature of who and what is operating on your network.”
IT managers are very aware that firewalls need an upgrade in protection. In fact, the survey revealed that 79% of IT managers polled want better protection from their current firewall. Ninety-nine percent want firewall technology that can automatically isolate infected computers, and 97% want endpoint and firewall protection from the same vendor, which would allow for direct sharing of security status information.
UK identity fraud hit an all-time high last year, driven heavily by online attacks, according to the latest stats from Cifas.
The fraud prevention service’s annual Fraudscape report compiles data from 306 participating organizations, so can be seen more as a snapshot of trends than a comprehensive tally of incidents.
It claimed identity fraud stood at 174,523 cases in 2017, up 1% on the previous year and driven mainly by online trends.
"It remains a predominantly internet-based offence, with 84% of identity fraud occurring through online channels," a Cifas spokesperson told Infosecurity.
Online retail fraud jumped by 49%, while Cifas claimed that 80% of fraudulent applications are now made online.
Other industries hit by increases in fraud included telecoms (47%) and insurance (1600%).
It is likely that many of these attempts also included an online element as scammers looked to move away from card fraud by targeting mobile phone contracts, online retail accounts, retail credit loans and short-term loans.
A PwC report from February claimed that nearly half of UK organizations (49%) have suffered from cyber-related fraud in the past two years.
Cifas also warned of an 11% growth in bank accounts being used by money mules, representing over 32,000 cases. Many of these individuals are youngsters, presumably attracted by the prospect of easy money but unaware of the implications of their actions.
Cifas recorded a 27% growth in the number of 14-24-year-olds identified as money mules.
“With more and more people sharing data, transacting, setting up businesses, dating and chatting online this [fraud] trend is only going to continue,” said MP Conor Burns.
“That is why I set up the All-Party Parliamentary Group on Financial Crime and Scamming last year, to raise awareness of this issue within parliament. Fraudscape shows how prevalent this crime is and all of us — government, industry, third sector and individuals have a role and responsibility in preventing it.”
Lisa Baergen, director at NuData Security, described UK identity fraud as “appallingly high” and put it down to more fraudsters willing to commit crimes, more data available on the black market, and more financial institutions and merchants vulnerable to attacks.
“Organizations that transact online, such as banks, e-commerce stores, travel agencies and other vendors can take a more nuanced approach to authentication by evaluating as much contextual information about customer’s interactions as possible to determine if it truly is the right user,” she explained.
“Multi-layered technology that includes passive biometrics and behavioral analytics can distinguish good from bad users even when new devices and correct credentials are used because they rely on a different set of data — the customer’s behavior. Removing the value of stolen credentials from the hands of criminals can re-balance the online identity proofing environment for consumers and organizations.”
MPs have slammed the NHS for failing to agree on its plans to help prevent another WannaCry, nearly a year after the ransomware attack caused widespread disruption.
The Public Accounts Committee (PAC) has set a June deadline for an update from the health service on estimated costs for the vital cybersecurity investment needed to protect its systems going forward.
A National Audit Office report from October revealed that an estimated 19,000 operations and appointments had to be cancelled as a result of WannaCry, which disrupted 34% of NHS England Trusts, and caused infections at a further 603 primary care and other NHS organizations, including 595 GP practices.
The PAC said that although the NHS and Department of Health had learned lessons from the attack, there’s a “lot of work to do” to improve cybersecurity. It cited the recent Russian nerve agent attack as highlighting the escalating threat from hostile nations.
PAC chair, Meg Hillier, said it was “alarming” that plans to implement the lessons learned are still to be agreed, nearly a year after WannaCry.
“Our report sets out how and why the Department of Health and Social Care and its national bodies should take the lead in ensuring these lessons are quickly translated into action. I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment,” she said.
“Government must get a grip on the vulnerabilities of and challenges facing local organizations, as well as the financial implications of WannaCry and future attacks across the NHS. Cybersecurity investment cannot be properly targeted unless this information is collected and understood.”
Rob Bolton, general manager of Western Europe at Infoblox, said that specialized legacy equipment and software is holding up the migration to newer, more secure operating systems.
“For example, in our recent survey of healthcare IT professionals, nearly one in five healthcare IT professionals reported that medical devices on the network are currently running on Windows XP – which is no longer supported by Microsoft, thereby introducing potential vulnerabilities – while 7% couldn’t even identify what system their medical devices are running on, meaning that they are unable to patch them,” he added.
Odd-job marketplace TaskRabbit has taken its website offline and urged users to change any online passwords reused on the platform after a suspected breach.
The IKEA-owned firm posted a brief statement on the holding page, claiming it is investigating a “cybersecurity incident.”
“Our entire team is working around the clock with an outside cybersecurity firm and law enforcement to determine the specifics. The app and the website are offline while our team works on this. In the interim, we have dispatched a large team to work with Taskers and clients via phone to help them schedule and complete pending tasks,” it said.
“We’re working to get the site back online as quickly as possible and continuing our investigation into the incident. We will be back in contact with you with more information once we have it. As an immediate precaution, if you used the same password on other sites or apps as you did for TaskRabbit, we recommend you change those now.”
The final piece of advice would seem to suggest that at least some log-ins have been compromised as a result of the “incident.”
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, claimed that taking its site offline threatens the firm’s brand, but that it was probably the right approach.
"If the company had continued to process sensitive information such as card data while the vulnerability was open, the cost could have been far greater,” she added. “Stopping business temporarily is sometimes the best option, and is certainly a far better approach than that taken by Equifax, for example, which continued operation in spite of a vulnerability."
Last week, UK train company Great Western Rail was forced to reset passwords for one million accounts after a small number, around 1,000, were accessed by unauthorized parties.
At RSA 2018 in San Francisco today, Adrian Sanabria, director of research at Savage Security, presented a session on why he believes it’s time to kill the pen test.
Sanabria explained that whilst the concept of pen testing does and will continue to have value, there are problems in the design and execution of many current pen test methods that result in them failing to be effective.
Sanabria said that pen testing made a lot of sense in the 90s, as back then “everything that you could use to hack into an organization was pretty much going to be discovered in a pen test. The landscape is vastly different these days.”
What’s more, whilst current pen testing tools get better and better in terms of their sophistication, the recipients of pen test results really don’t know how to make things better aside from applying a patch or changing a default credential – that’s not really solving the problem, Sanabria argued. “Amazing tools are out there but the technology and level of maturity of pen testing as a skill has far outgrown the average company’s ability to defend themselves.”
There’s also the issue of pen tests being “a very slow and expensive way to work your way through just a few of the CIS Top 20” whilst they don’t help you with the basics.
Ultimately, Sanabria said that current pen tests aren’t working; they’re not making organizations safer and they’re not making defenders better because they:
- Focus on symptoms, not root causes
- Focus on preventative controls, not detection
- Focus on depth, not breadth
- Focus on finding issues, not fixing them
- Have a lack of improvement metrics
However, there is a need for them, he concluded, as they can convince organizations to take security seriously. Any replacement for pen tests will have to also satisfy that requirement, but they need to be made more effective and give defenders what they really need: maturity, confidence and resilience.
In their RSA Conference session titled ‘Building the cybersecurity innovation pipeline’ in San Francisco on April 17, 2018, Grant Bourzikas, CISO & VP McAfee Labs, and Chatelle Lynch, SVP and Chief Human Resources Officer, McAfee Labs, discussed the importance of diversity in building a high-performing security team.
Bourzikas, who has three hundred security professionals in his team – and insists on being present for the interviews of every single one – explained how important it is to sell the company to the interviewee. “I interview every person we bring in because we’re investing in them, but much of that time is spent on a sales pitch for working for McAfee,” he said. “My success is based entirely on the people that work for me,” he added.
High-performing teams depend on diversity of thought, Bourzikas explained, “unfortunately the current talent pool is predominantly white males.”
In order to attract a more diverse talent pool, “we need to get into their heads, work out what motivates them, what they are passionate about,” he said. Bourzikas advised targeting internships as “they are impressionable and we need more good quality cybersecurity professionals with the right mindset to fulfill the two million cybersecurity job shortages that we will have by the end of 2019.”
Chatelle Lynch argued that diversity needs to be built into the industry’s DNA. “There is so much unconscious bias,” she said. “We get better with diversity.”
Lynch explained that somewhere between the ages of 11 and 15, “we lose girls who had interest in STEM at age 11 and by the age of 15, they have lost the desire to pursue a STEM career.” She suggested that role model exposure is critical to the success of creating a more diverse workforce.
Finally, Bourzikas advised the audience to ask five pertinent questions of their business, and offered five potential answers:
- 1: How can we attract talent? A: Drive diversity at entry-level positions
- 2: How do we retain talent? A: Invest in your team
- 3: How do we have a talent pipeline for cybersecurity? A: Look for potentials not in cyber
- 4: How can we utilize community outreach? A: Create a passion for learning and inquisitiveness
- 5: How can we transform our current talent strategy? A: Start with top talent - teach cyber
Cryptominers surged to the top of detected malware incidents, displacing ransomware as the No. 1 threat.
Comodo Cybersecurity Threat Research Labs’ first-quarter global malware report shows that the world is already a very different place from 2017. During Q1 2018, Comodo Cybersecurity detected 28.9 million cryptominer incidents out of a total of 300 million malware incidents, amounting to a 10% share. The number of unique cryptominer variants grew from 93,750 in January to 127,000 in March. At the same time, the data shows this criminal attention came at the expense of ransomware activity, with new variants falling from 124,320 in January to 71,540 in March, a 42% decrease.
The surge in cryptominers started in 2017, after the price of Bitcoin skyrocketed to $20,000. Cryptominer attacks then leaped in 2018 as cryptocurrencies’ market capitalization topped $264 billion.
Also, Monero has become the leading target for cryptominers’ malware, replacing Bitcoin. Its features favor cybercriminals: It hides transaction parties and amounts; cannot be tracked, blacklisted or linked to previous transactions; creates blocks every two minutes, providing more frequent opportunities for attack; and is designed for mining on ordinary computers.
“Malware, like cyberspace itself, is merely a reflection of traditional, real-world human affairs, and malware is always written for a purpose, whether it’s crime, espionage, terrorism or war,” said Kenneth Geers, chief research scientist at Comodo Cybersecurity. “Criminals’ proclivities to steal money more efficiently were evident with the surge in cryptomining.”
Meanwhile, the report found that password stealers have become more sophisticated and dangerous. Comodo Cybersecurity observed cybercriminals increasingly developing and updating malware with the goal of stealing users’ credentials. Pony Stealer, for instance, now demonstrates new capabilities in both stealing data and in covering its tracks.
The firm also said to expect a ransomware resurgence, despite a radical decrease in the number of overall detections. Ransomware's overall share of incidents dropped from 42% in August 2017 to just 9% in February 2018, but researchers said that it could morph into a weapon of data destruction – as seen with NotPetya – rather than a tool to extort a ransom.
Also, hot zones can be identified by malware type. Countries that have the most acute challenges associated with Trojans, viruses and worms include Brazil, Egypt, India, Indonesia, Iran, Mexico, Nigeria, Philippines, Russia and South Africa. Meanwhile, countries in a higher socioeconomic category (which can afford more professional cyber-defenses) are often plagued by a higher ratio of application malware.
When it comes to the oft-discussed gender gap in cybersecurity, men tend to think women have equal career advancement, while women say that’s not the case.
In fact, according to ISACA’s annual State of Cybersecurity 2018 report, a 31-point perception gap exists between male and female respondents, with 82% of male respondents saying men and women are offered the same opportunities for career advancement in cybersecurity, compared to just 51% of female respondents.
Of those surveyed, about half (51%) of respondents report having diversity programs in place to support women cybersecurity professionals.
The report also found that while gender disparity exists, it can be mitigated through effective diversity programs. In organizations that have one, men and women are much more likely to agree that men and women have the same career advancement opportunities. A full 87% of men say they have the same opportunities, as compared to 77% of women.
Thus, while a perception gap remains, it is significantly smaller than the 37-point gap among men and women in organizations without diversity programs (73% of men in organizations without diversity programs say advancement opportunities are equal, compared to 36% of women).
Aside from the gender stats, the report also found that the worldwide cybersecurity skills gap continues to present a significant challenge, with 59% of information security professionals reporting unfilled cyber/information security positions within their organization.
Further, 54% said it takes at least three months to fill open positions. Individual contributors with strong technical skills continue to be in high demand and short supply; more than 70% of respondents say their organizations are seeking this kind of candidate.
Time to fill open cybersecurity positions has decreased slightly, however, down from last year’s 62% saying it takes three months or more. Also, security managers are seeing a slight improvement in the number of qualified candidates: Last year, 37% of security professionals said fewer than 25% of candidates for security positions were sufficiently qualified. This year, the number of respondents dropped to 30%.
“This research suggests that the persistent cybersecurity staffing problem is not a financial one. Even though enterprises have more budget than ever to hire, the available workforce lacks the skills organizations critically need,” said ISACA CEO Matt Loeb. “More of those dollars will need to be invested in technical cybersecurity training, along with effective retention programs. Practitioners who acquire and demonstrate hands-on technical cybersecurity skills will find themselves in significant demand.”
A group of 34 tech companies, including Facebook and Microsoft, have formed a cybersecurity consortium, pledging to work together to “act responsibly, to protect and empower our users and customers, and thereby to improve the security, stability, and resilience of cyberspace.”
The group, which also includes Arm, Cisco, HP, Nielsen, Nokia, Oracle, Telefónica and Trend Micro, has published a Cybersecurity Tech Accord that promises to protect the group’s collective users and customers from cyberattacks by designing offerings that prioritize security and privacy and that are developed with an eye to reducing vulnerabilities. Part of that includes securing the supply chain to prevent tampering.
It also said that the companies won’t work with governments on offensive capabilities.
“Protecting our online environment is in everyone’s interest,” said Microsoft president Brad Smith in a blog post. “The companies that are part of the Cybersecurity Tech Accord promise to defend and advance technology’s benefits for society. And we commit to act responsibly, to protect and empower our users and customers, and help create a safer and more secure online world.”
Crucially, the group said that members would work with each other, establishing partnerships with industry leaders and security researchers to improve technical collaboration, perform coordinated vulnerability disclosure, and share information on threats. Meanwhile, user education will be a priority, with more information and better tools to enable consumers and businesses to understand the threats and protect themselves against them.
“Separate from the fact that some of the major social networks and cloud operators are missing, the key to any meaningful outcome is better communication to users, of how to use the security capabilities within the various vendors’ tools,” David Ginsburg, vice president of marketing at Cavirin, told Infosecurity. “In several cases, the capabilities are there, but they are too difficult to deploy, or, in some cases, tools from multiple vendors will provide contradictory guidance. This practical aspect is tremendously important.”
Despite the good feels, Mike Banic, vice president of marketing at Vectra, added that the pledge doesn’t include any enforcement actions, and as a voluntary plan it is less likely to have an effect than regulation would.
“The impending EU General Data Protection Regulation (GDPR) will have more impact [on improving security], since it has real teeth in the form of fines that can be as much as 4% of annual revenue if the personal information of EU-based citizens is exposed or misused, and organizations must provide notification within 72 hours,” he said. “An example to consider is the timeline of the Equifax breach where personally identifiable information (PII) was exposed and notification was not within the notification period. With so many organizations operating in EU nations or processing EU-based citizen’s data, evaluating their security program to ensure GDPR compliance is such a high priority that this alliance may go unnoticed.”
Speaking in the opening keynote session of RSA 2018 in San Francisco today the Honorable Kirstjen Nielsen, secretary, United States Department of Homeland Security (DHS), discussed strategies the DHS is using to reach its cybersecurity goals to protect the country’s citizens and organizations from cyber-attacks, breaches and cybercrime.
“Digital security is converging with personal and physical security, and the public is starting to realize how much both are intertwined,” she said. “The threat picture is getting dimmer, not brighter,” Nielsen added, and “if the past year showed us anything it’s that our cyber-enemies are bolder and savvier than ever before.”
The DHS is therefore responding with a more forward-leaning posture, and Nielsen outlined five particular areas that will be addressed to provide a new approach for a new age of security.
The first is a focus on systemic risk; “we must be more aware of vulnerabilities built into the very fabric of the internet, and we must be more aware of single points of failure, concentrated dependencies and cross-cutting, underlying functions.” To do that, the DHS is ensuring this perspective shapes all engagement with the private sector and its risk assessments.
The next is collective security, which involves a viewpoint that “your risk is now my risk. It sounds very simple,” Nielsen said, “but what that means is you can no longer protect yourself in a vacuum. We have a weakest link problem and the consequences affect us all – everyone is cyber-vulnerable.” As a result, the DHS aims to have far greater awareness of dangerous threats before they hit networks, but being “faster, smarter and more effective in responding to cyber-incidents” cannot be done alone; “the bad guys are crowdsourcing their attacks, so we need to crowdsource our defenses.”
The third area is a need to refresh thinking about the federal role in cybersecurity, Nielsen said. “I’m not talking about federal regulators,” she explained, “we need to be federal empowerers, using our resources to offer voluntary systems and unique tools to address cyber-market failure.” The DHS approach to this is two-fold: helping creators build defenses into the design and creation of their products, and educating more consumers to be security conscious and ensure services match up with their needs and wants.
Next is an understanding that prevention can only go so far, and we need to “urgently focus on something I have called ‘advanced persistent resilience’,” Nielsen said. The DHS has therefore adopted an aggressive posture on defending election infrastructure.
Lastly, there is a need for better cyber-deterrence, something our digital lives and very way of being now depend on. “If we don’t start identifying and punishing our assailants they will overtake us. As secretary of Homeland Security I am working with my counterparts and the President’s cabinet to fight back,” Nielsen concluded.
After an impressive performance by Kevin K.O. Olusola to open the RSA Conference keynotes in San Francisco on April 17 2018, Rohit Ghai, President of RSA Security, presented an optimistic view of the industry, explaining why he believes cybersecurity is getting better, not worse.
“The headlines of last year are a reminder that unprecedented digital risk exists, and it casts a dark shadow over whether what we’ve done over the last several decades matters at all,” he said. “It absolutely does matter − cybersecurity is getting better, not worse.”
He argued that the cybersecurity industry concentrates too much on hacker advances rather than its own advances. “Let’s talk about the future of security, not the future of threats,” he said. “Our security community is getting stronger and moving faster.”
The New York Times isn’t going to cover how technology has managed to stop a huge data breach, and there’s a reason for that, explained Ghai. “After all, we don’t want to reveal the details of our security posture.
“We can, however, celebrate our success as a community. We need to focus on the cybersecurity silver linings – do more of what’s working and do it faster.”
Paying attention to the psychology of defense, not just the technology of defense, is crucial, advised Ghai. “The spirit of the defender matters as much as the shield.”
For years, he said, the cybersecurity industry has motivated itself by fear of what happens if we fail. “We should start inspiring ourselves with the glory of what we enable if we are successful.”
He advised focusing on the cybersecurity silver linings, which he broke down as follows:
End of the silver bullet fantasy
“We are no longer lusting after latest shiny gizmos. We need to focus on getting a bit better every day, rather than focusing on becoming totally unhackable one day.”
We need to focus on security hygiene. “Hackers are human after all and they do have finite resources and follow the path of least resistance. They are attracted to juicy or easy targets. It’s ok to be a juicy target, being an easy target is not so great. WannaCry was our wake-up call.”
Quicksilver law of cyber defense
New technology is a weapon for both the offense and the defense. “They have the same technology that we have. New technology equals new vulnerabilities. It’s as much a target as a weapon. We are getting better and better at getting to the ball before our opponent.”
Magic of sterling teamwork
“There is huge power in security that is designed in rather than bolted on. We need to move security upstream into the heart of the DevOps perspective. As an industry, we are teaming better than ever and everyone is chipping in.”
“Cyber incidents put everyone’s career at stake,” continued Ghai. “It takes a lifetime to build trust and only a moment to lose it. Our collective risk as an industry is that we fail to avoid a breach of trust in technology itself.
“Our biggest successes will never make headline news. But our work isn’t about this, it’s about protecting people and tech in an increasingly difficult world and about enabling the digital adventurers so they can make the world safer.”
Christopher D. Young, chief executive officer at McAfee, took to the stage in the opening keynote session of RSA 2018 in San Francisco on April 17, outlining how the cybersecurity industry can learn from the threat of air travel hijacking and the developments made in air traffic security as a result.
Young said that as the threat of real-life skyjacking evolved over time, so did the balancing act of air traffic security to keep people safe without dramatically impacting their travelling experience.
“Airlines really do a remarkable job of this,” he added. “If you look at the air travel industry, they are absolutely obsessive about safety and security – from the pilot to the first officer, to the flight attendants to everyone who works in the air travel ecosystem, security is job number one.”
Whilst airline security can never be 100% perfect, Young said great strides have been taken to ensure that even the most minute possible threats and capabilities that could disrupt air travel are captured.
However, “cybersecurity has not yet reached the level of priority that it needs to be at in order for us to truly be able to manage the attack landscape we face,” he argued.
That’s because many people still don’t believe cybersecurity is their job or their responsibility, and part of it is because organizations often fail to take up and be a part of cultural changes to drive progress. “We can make cultural change possible but the industry needs to change first”.
Young said that it’s therefore time to learn from the past in order to go farther and faster in protecting the digital world.
After all, the security response after the 9/11 terrorist attack was not built around new tech or ground-breaking ideas, it was just a change in culture.
“We can’t wait for a digital 9/11 to force us to change [in cybersecurity],” he concluded.
In his keynote presentation at RSA Conference in San Francisco on April 17 2018, Brad Smith, President at Microsoft, told the audience that it is the industry’s responsibility to push the governments of the world towards a new digital Geneva Convention.
He outlined six commitments that would make up a Digital Geneva Convention:
- No targeting of tech companies, private sector or critical infrastructure
- Assist private sector efforts to detect, contain, respond to and recover from events
- Limit offensive operation to avoid a mass event
- Exercise restraint in developing cyber weapons
- Commit to nonproliferation of activities for cyberweapons
- Report vulnerabilities to vendors rather than stockpile or sell them
“Cyberspace has become the new battlefield,” said Smith, “and the tech sector has the first responsibility. We are the first responders on this new battlefield, and it needs to be a shared responsibility with industry and with customers around the world.”
The most serious cyber-attacks are carried out by nations, said Smith. “We need governments to do more, and we need them to do more work with us so we can do more work for them.”
Brad Smith reflected on 2017 as the year that could have been labelled “Cyber-geddon. It was not the best year, it was a wake-up call that could be dated back to the May 12 (WannaCry) and June 27 (NotPetya)”, the latter of which represented the evolution of intent. This year, the industry should focus not on what it will be hit by, but more on what it can bring to improve the world.
Smith explained how last year saw governments “attacking civilians in a time of peace. It’s essential that we convey the message to governments of the world that these cyber-attacks are not just attacks on machines, but they endanger people’s lives. We need to open eyes to the impact of these attacks and rally the world to address it.” This, added Smith, is the responsibility the cybersecurity industry has to the world.
In December 2017, the governments of the United States, United Kingdom, Canada, Japan, Australia and New Zealand united to attribute the WannaCry attack to North Korea. “This unprecedented step was a sign of progress, but also of the progress that still needs to come,” he argued.
The world needs for security to be truly put first, said Smith. “We have found a new way of working that does this, and that needs to be our goal as an industry. We have to look beyond technology itself to truly put security first, which is why Microsoft launched its Defend Democracy project.
“There is so much expertise and important work happening in the industry, but we need to work together in a principled manner.”
This morning, it was announced that 34 technology companies have come together to stand up for cybersecurity with a global tech sector accord. The mission, Smith explained, is to:
- Protect all of our users and customers everywhere
- Oppose all cyberattacks on innocent citizens and enterprises
- Provide tools and information to help the community protect themselves
- Deepen co-operation and information sharing between companies
Organizations are getting much better at stopping cyber-attacks, but still suffered on average 30 security breaches last year, causing damage or data loss, according to Accenture.
The global consultancy polled 4600 cybersecurity practitioners in companies with revenues over $1bn across 15 countries, to compile its 2018 State of Cyber Resilience Executive Summary.
It found that 87% are now preventing “focused” attacks, up from 70% last year, but that still leaves 13% of online raids penetrating defenses.
The report also claimed that over half (55%) of global enterprises took one week or less to detect a breach, compared to just 10% last year, while 89% detected within a month.
FireEye estimated a global median dwell time of 101 days in its most recent M-Trends report.
Accenture respondents placed cyber-threat analytics (46%) and security monitoring (46%) as the number one most-needed technologies to fill existing gaps. An additional 83% agreed that AI, machine/deep learning, user behavior analytics and blockchain are “essential to securing the future of organizations.”
“While the findings of this study demonstrate that organisations are performing better at mitigating the impact of cyber-attacks, they still have more work to do. Building investment capacity for wise security investments must be a priority for those organizations who want to close the gap on successful attacks even further,” said Kelly Bissell, managing director of Accenture Security.
“For business leaders who continue to invest in and embrace new technologies, reaching a sustainable level of cyber-resilience could become a reality for many organizations in the next two to three years. That’s an encouraging projection.”
Breaches at global organizations exposed a record 2.6 billion records last year, up 88% on 2016, according to Gemalto.
Like Verizon’s Data Breach Investigations Report, the firm’s study last week highlighted the importance of mitigating insider risk.
Accidental loss, including improper disposal of records, misconfigured databases and other issues, caused the exposure of 1.9 billion records – a 580% increase from 2016.