When considering a career in cybersecurity, or a change of career into it, you don’t have to know everything, but you should take stock of your greatest achievements.
Speaking at BSides Las Vegas in the opening session of the Hire Ground track, Lesley Carhart from Dragos Security highlighted three characters: two who were in other careers and looking for a change, and one who was just starting out.
For those switching roles, Carhart asked the audience, “What is the one thing that scares you most about making the next move?” She also asked what alarmed them the most and what made them the most hesitant.
In terms of highlighting work experience on a résumé, she recommended three elements for each entry: action, impact and quantification. Action is what you have done and what you did to hold down your position. Impact is why what you did mattered to the team and the company. Quantification is the scale: the money made or saved, and the number of people trained or nodes serviced. “This shows what pace you were working at and the value of what you were doing,” she said.
In terms of understanding cybersecurity, Carhart said that no one really understands everything. Most people fall into a category and feel like impostors or are too terrified to ask a question.
“You will never ever know everything in infosec, and no one else does either; and the more you focus on one niche, the harder it is to keep up with others; and the more you learn, the more you find you don’t know,” she said. “Keep trying to learn: there are plenty who will help you; and help others.”
A critical subset of the ever-expanding internet of things (IoT), medical devices are increasingly vulnerable to attacks from botnets and malware, which is why the Cloud Security Alliance (CSA), in conjunction with the Open Web Application Security Project (OWASP), today announced the release of OWASP Secure Medical Device Deployment Standard V2.
Recognizing the increasing number of attacks that are targeting IoT devices, CSA and OWASP saw the growing need for increased security in deploying medical devices. Announced at Black Hat today, the newest guide has been updated to ensure improved security of devices used in healthcare facilities.
Developed in conjunction with the CSA IoT working group, version 2.0 contains many enhancements, particularly in regard to purchasing controls. Drawing on guidance from the US Food and Drug Administration (FDA), the updates focus on security audits and evaluation and on privacy impact assessment. The changes to the evaluation controls are intended to better guide the secure deployment of medical devices within a healthcare facility.
"Too many of today's network-enabled security devices are still not being deployed with security in mind, exposing healthcare providers and their patients to data breaches at best and potential negative health consequences at worst. With ransomware and botnets targeting IoT devices, it is more essential than ever that devices are developed and deployed with security in mind," said OWASP project leader and author of the original paper Christopher Frenz in today’s press release.
The goal is to provide a clear roadmap that will ensure healthcare organizations follow best security practices for medical devices and IT systems. "The growth of electronic medical records and network-enabled devices has allowed healthcare providers to enhance their level of service and the efficiency with which they provide care. However, this same interconnectedness has opened a Pandora's box of security issues involving legacy systems and healthcare devices that were not designed with security in mind," said Hillary Baron, research program manager, CSA.
Ensuring consumer security requires an understanding of what data consumers value, as well as an awareness of their perceptions and experience with breaches. This is what Radware attempted to learn when it queried more than 3,000 consumers in its survey, Consumer Sentiments: Cybersecurity, Personal Data and the Impact on Customer Loyalty.
Of those who participated in the survey, 55% said that data theft ranked top of the list when it came to theft of their personal property. By comparison, 23% said they were concerned about the theft of their wallets, while 10% feared having their car stolen. Only 6% of respondents worried about the theft of their cell phone and house keys.
“It’s no surprise that data theft ranks so high in the minds of Americans as a major risk,” said Anna Convery-Pelletier, chief marketing officer for Radware, in today’s press release. “It’s easy to buy a new car or a new cell phone, but having private data exposed can have permanent consequences for both the consumer and the brand where the breach occurred. When an organization does not properly secure its network, it is putting its brand reputation in jeopardy and risking its customer base.”
Having their Social Security numbers stolen was the biggest concern for 54% of respondents, yet only 18% had the same worry about their banking information. Only 9% of respondents said that having their healthcare records stolen was a paramount concern, even though healthcare records fetch anywhere from $10 to $1,000 on the black market, while Social Security numbers are valued at between $2 and $25.
A notable disparity exists between the data consumers are most worried about protecting and the dollar value that data has to cyber-criminals, which the report suggested underscores how fluid the value of personal information is. “Just like financial markets, the value of personal information rises and falls based on political, economic and social factors. The economic principles of supply and demand also affect how cyber-criminals sell and purchase stolen information,” the report stated.
Attackers are harnessing the power of the internet, leveraging the proliferation of devices in the ever-expanding internet of things (IoT) to launch terabit-per-second–scale distributed denial-of-service (DDoS) attacks, according to NETSCOUT’s 2018 Threat Intelligence Report.
DDoS attackers represent a wide range of actors with various motivations. While some are malware authors, others are opportunistic criminals taking advantage of affordable services for hire. “They are a busy group, constantly developing new technologies and enabling new services while utilizing known vulnerabilities, pre-existing botnets and well-understood attack techniques,” the report stated.
Additionally, DDoS attacks continue to grow in size, volume, frequency and targets, with advanced persistent threat (APT) groups expanding beyond their traditional areas. Attackers are using new DDoS attack vectors and methods, with 2018 ushering in the era of terabit-scale DDoS attacks. Thus far, the largest DDoS attack ever recorded was 1.7Tbps, NETSCOUT Arbor wrote in a press release.
The first half of 2018 saw 47 DDoS attacks larger than 300Gbps, nearly seven times the number seen during the same period in 2017. “DDoS activity now often involves hundreds of thousands—or even millions— of victims who largely serve to amplify the attack or end up as collateral damage, as indicated by the SSDP diffraction attacks that originated in 2015 and resurfaced this year,” the report stated.
The threat landscape is moving more rapidly as attackers modify their tactics, according to Hardik Modi, head of ASERT. “Methods that are commonplace in the DDoS threat tool kit have sprung to crimeware and espionage. This accelerating internet-scale threat paradigm changes the frontiers for where and how attacks can be launched, observed and interdicted.”
The report also found that state-sponsored activity has become more commonplace, with a broad tier of nation-state APT groups carrying out internet-scale attacks such as NotPetya, CCleaner and VPNFilter. Crimeware actors, inspired by these large-scale global attacks, have in turn adopted self-propagation techniques that let malware spread far more rapidly.
The vast majority of IT decision makers appear to believe the hype surrounding artificial intelligence as a means to enhance cybersecurity.
An ESET poll of 900 IT leaders in the US, UK and Germany found a disappointing 75% believe AI is a ‘silver bullet’ to helping them counter online threats.
Respondents from the US (82%) were much more willing to believe the hype than their counterparts in the UK (67%) and Germany (66%).
Most of those polled claimed that AI and machine learning would help their organization to detect and respond to threats faster (79%) and help solve skills shortages (77%).
There’s certainly evidence to suggest that the emerging technology can help IT teams in this way — by spotting patterns indicative of a threat more quickly than human eyes could, and automating detections to take the strain off stretched cybersecurity teams.
However, no single technology should be viewed as a ‘silver bullet,’ according to ESET CTO, Juraj Malcho.
“If the past decade has taught us anything, it’s that some things do not have an easy solution — especially in cyber-space where the playing field can shift in a matter of minutes. In today’s business environment, it would be unwise to rely solely on one technology to build a robust cyber defense,” he said.
“However, it is also interesting to see such a gap between the US and European respondents. The concern is that overhyping this technology may be causing technology leaders in the UK and Germany to tune out. It’s crucial that IT decision makers recognise that, while ML is without a doubt an important tool in the fight against cybercrime, it must be just one part of an organization’s overall cybersecurity strategy.”
In fact, AI also offers cyber-criminals a potential advantage, according to NTT Security EMEA SVP, Kai Grunwitz.
“Just as it helps us find the needle in the haystack — the malware threat hiding in plain sight — it could also enable them to automate the discovery of vulnerabilities in key systems,” he argued earlier this year.
“Imagine what havoc could be reaped by self-learning malware designed to continually adapt to its environment, with no input required from its masters? As always, the upper hand is with the attacker, who only needs to find one vulnerability to succeed, whereas we defenders must make only one mistake to let them in.”
Indeed, 91% of cybersecurity professionals are concerned about hackers using AI against them, according to Webroot.
The FCC’s attempt to maintain that its comments page crashed last May as a result of a co-ordinated DDoS attack was actually built on falsehoods, it has admitted.
The regulator was forced to make the admission ahead of an inspector general report into the case due to be released shortly.
The comments system crashed after millions took to the site to object to the regulator’s controversial decision, under Trump appointee and new chairman Ajit Pai, to overturn net neutrality rules.
It’s thought a late-night piece by comedian John Oliver, in which he encouraged individuals to complain to the FCC about the decision, also swelled numbers.
However, new statements suggest the regulator has been lying.
Pai sought to play the partisan card by blaming an Obama appointee for the mess while trying to absolve himself of all responsibility.
“With respect to the report’s findings, I am deeply disappointed that the FCC’s former chief information officer (CIO), who was hired by the prior administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people,” he said.
“I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.”
Democrat FCC member, Jessica Rosenworcel, had a different take, focusing on the issue of net neutrality.
“The inspector general Report tells us what we knew all along: the FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus,” she said in a statement.
“What happened instead is obvious—millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.”
Although the Senate recently voted to overturn Pai’s net neutrality repeal, the repeal is still likely to stand, because the resolution must also pass the Republican-dominated House. Detractors have argued that the repeal will lead to throttling, blocking and paid prioritization, creating an uneven playing field dominated by large ISPs and service providers.
US military personnel will have to switch off the geolocation features of their devices when deployed in “operational areas,” following a new Pentagon memo.
Spokesman Army Col. Robert Manning III told reporters yesterday that GPS use can “potentially create unintended security consequences and increased risk to the joint force and mission” in locations around the world.
“Effective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and non-government-issued devices, applications and services while in locations designated as operational areas,” said Manning.
“The rapidly evolving market of devices, applications and services with geolocation capabilities presents a significant risk to the Department of Defense personnel on and off duty, and to our military operations globally.”
The memo from deputy defense secretary, Patrick Shanahan, takes account of the rapid rise in personal fitness apps, smart wearables and other technology used by soldiers in their spare time which could give enemy operatives clues as to their location, routines and numbers.
It most likely follows a report last month that revealed how the popular fitness app Polar Flow could be manipulated to reveal the locations and identities of thousands of military personnel.
That report in turn came just a few months after fitness app Strava was found to be revealing potentially sensitive information about military bases and supply routes via its global heat-map website.
"Our military is operating in a new, hyperconnected world where off-the-shelf products are introducing threats to national security," said Bill Leigher, a retired US Navy rear admiral who’s now director of government cyber solutions at Raytheon.
"For instance, we have seen indications where family Facebook postings have been used to analyze the movement of military units and thus compromised operations. Knowing this, information on a specific service member that was scraped from his or her GPS connected device, paired with social media postings about where they work, what their military occupational specialty is and other like info could be used to generate an intelligence picture that is much more detailed than traditional intelligence sources alone might provide.”
Individual commanders will now be responsible for implementing the policy, with exceptions only allowed after conducting risk assessments.
Mobile banking Trojans ranked as the top security nuisance of the second quarter of 2018, according to researchers at Kaspersky Lab, whose report also covers a new cyber-espionage group, “Operation Parliament,” which is reportedly targeting high-profile organizations in the Middle East and North Africa, especially Palestine.
Kaspersky Lab has published its Q2 IT Threat Evolution Report, in which mobile banking Trojans topped the list of cyber headaches for Q2 2018, reaching an all-time high of more than 61,000 installation packages. That figure is more than three times the Q1 2018 total. Of all malware families, mobile banking malware was the one with which US users were most often attacked in Q2.
By imitating other attack groups, Operation Parliament has remained somewhat under the radar, taking care to verify victim devices prior to infecting them. “The attacks, which started early in 2017, target parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others,” Kaspersky Lab researchers wrote in today’s post.
Another operation, ZooPark, has also targeted the Middle East with several variants of malware aimed specifically at Android devices, using two distribution vectors: Telegram channels and watering holes. In the latest version, researchers noted more complex spyware, suggesting that it may have been purchased from a surveillance tools vendor.
The report also noted the continued use of VPNFilter, malware used to infect different brands of routers, in addition to an ongoing campaign in Central Asia attributed to Chinese-speaking threat actor LuckyMouse. Additionally, the continued tracking of Olympic Destroyer revealed that it has started a new campaign.
“Our telemetry, and the characteristics of the spear-phishing documents we have analyzed, indicate that the attackers behind Olympic Destroyer are now targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine,” researchers wrote.
Last month’s cyber-attack on SingHealth, which resulted in the breach of 1.5 million health records, might have been the work of an advanced persistent threat group, according to information disclosed by S. Iswaran, Singapore’s minister for communications and information in Parliament today.
Though reluctant to provide any specifics about which state might be behind the attack, Iswaran said that the detailed analysis of the attack, done by the Cyber Security Agency (CSA) of Singapore, indicated that it was likely a state-linked group because of the level of sophistication used by the attackers.
According to a 20 July press release, "CSA has ascertained that the cyber-attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration."
When pressed to attribute the attack to a specific state, Iswaran reportedly said, “In this sort of matter, while one can have a high level of confidence, one may not be able to have the certainty that you might need in order to specifically assign responsibility, and this is the kind of evidentiary threshold that may not stand up in a court of law. But at the operational level, the agencies that are involved have a high level of confidence,” according to Today Online.
Some of the tools reportedly used to compromise SingHealth included “customized malware that was able to evade SingHealth’s anti-virus software and security tools,” Iswaran told the Associated Press.
Among the millions of records compromised during the attack, which occurred between 27 June and 4 July 2018, were the health records of Singapore’s Prime Minister Lee Hsien Loong. The attack was made public on 20 July, at which point the government established a Committee of Inquiry (COI) to investigate the attack and determine the events leading up to the attack.
In reference to what has been called Singapore’s worst ever data breach, Iswaran told the AP, "Ensuring cybersecurity is a ceaseless battle, like our battle against terrorism. It involves changing technology and sophisticated perpetrators who are constantly developing new techniques and probing for fresh weaknesses.”
ICBA Bancard Inc. subsidiary TCM Bank, a company that aids community banks in issuing credit cards to their customers, announced that the personal data of thousands of people who applied for credit cards with their local banks was exposed, according to Brian Krebs.
The information, exposed between early March and mid-July 2018, included the names, addresses, dates of birth and Social Security numbers of thousands of people across the more than 750 community banks that work with TCM Bank. The leak was reportedly discovered on 16 July and fixed the following day. TCM told KrebsOnSecurity that the leak originated with one of the third-party vendors that manages its website.
As a network of community banks, TCM Bank handles documents filled with personally identifiable information (PII), including credit card applications. In this instance, a misconfiguration, a critical application-security risk, resulted in the leak of customer information.
“Vulnerabilities and misconfigurations in websites are incredibly common, even among highly regulated financial services companies. Many businesses, across all industries, are still unaware of online business risks or have delayed taking appropriate action,” said Jessica Marie, cybersecurity evangelist at WhiteHat Security.
That the receiving organization is duty bound to protect the data customers share with it is a stance that policymakers have taken, as seen in regulations such as GDPR and the New York Department of Financial Services’ cybersecurity requirements. Increasingly, organizations are being held responsible for the security of their third parties, said Matan Or-El, CEO and co-founder of Panorays.
“When partnering with third parties, organizations cannot relieve themselves from the responsibility of security. In the eyes of the affected consumers, they provided the data to the organization and they hold that organization responsible.”
A potential result of a data breach for any organization is damage to brand and reputation, which is ironically what these community banks were trying to build by offering bank-branded credit card options to their customers.
“Trust is one of the most important elements in the relationship between banks and consumers. Customers trust their banks with the most sensitive of data, and any sort of breach can do real and lasting damage to the bank’s reputation in the eyes of consumers,” said Fred Kneip, CEO, CyberGRX.
“When an enterprise engages with a third party such as TCM Bank, they become responsible for that third party’s security controls. If there are easy-to-exploit vulnerabilities in their network, that becomes a part of your security posture. Companies need to understand that their third parties’ security controls are constantly vulnerable to new exploits or configuration changes, which creates a need to monitor and mitigate these risks as they arise.”
The FBI has been forced to post a public service announcement warning of the dangers of unprotected IoT devices.
In another sign of the growing threat posed by compromised smart devices, the update late last week claimed that attackers are using them as proxies to maintain anonymity and obfuscate network traffic.
Doing so enables them to engage in click fraud, trade illegal goods, send spam emails, and mask their internet browsing. IoT devices can also be conscripted into botnets which can be rented out, sold or used directly for credential stuffing and other attacks, the alert claimed.
The FBI listed several warning signs that users’ smart devices may have been taken over: a major spike in monthly internet usage, high ISP bills, slow or inoperable devices, unusual outgoing DNS queries and traffic, and slow internet connections.
Everything from routers and NAS devices to DVRs, Raspberry Pis, and even smart garage door openers could be at risk.
“Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses. Cyber actors use the compromised device’s IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic,” the notice continued.
“Cyber actors typically compromise devices with weak authentication, unpatched firmware or other software vulnerabilities, or employ brute force attacks on devices with default usernames and passwords.”
The risks posed by insecure consumer IoT devices have long been known — ever since the Mirai botnet DDoS-ed a string of big-name sites back in 2016. But with an estimated 20.4 billion connected 'things' in operation by 2020, the threat continues to rise.
That’s why the British Standards Institution launched a kitemark initiative earlier this year, in a bid to improve the baseline security of products by helping buyers to better identify smart devices they can trust to be reliable and secure.
In the meantime, the FBI urged users to reboot devices regularly, change default log-ins, use AV, ensure they’re up-to-date with patches, and isolate IoT devices from other network connections.
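Most of the alert’s indicators are things a home or small-office user sees on a bill or a status page; the “unusual outgoing DNS queries” sign is also one a defender can check from resolver logs. The following is an added example written for this page, not code from the FBI notice: it reads dnsmasq-style query lines (a log format assumed here), baselines each device against its own earlier hours, and flags a device whose latest hour shows either a volume spike or a flood of names that device has never resolved before, which is what a newly conscripted bot looks like when it starts resolving its controller or proxying someone else’s browsing. The sample log is constructed, and the thresholds are illustrative assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Log line format is an assumption modelled on dnsmasq's query log:
#   <ISO-8601 timestamp> query[<type>] <name> from <client-ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (timestamp, client, name) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    return ts, m["client"], m["name"].lower().rstrip(".")


def bucket_queries(lines, bucket_seconds=3600):
    """Group queries as {client: {bucket_index: [count, set(names)]}}."""
    table = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, name = parsed
        bucket = int((ts - EPOCH).total_seconds()) // bucket_seconds
        entry = table[client][bucket]
        entry[0] += 1
        entry[1].add(name)
    return table


def find_anomalies(lines, bucket_seconds=3600, spike_ratio=5.0,
                   min_queries=20, new_name_ratio=0.8, min_names=10):
    """Flag clients whose most recent bucket departs from their own earlier buckets.

    Two indicators, with thresholds assumed for illustration:
      * query volume at least spike_ratio times the median of the earlier buckets;
      * most names queried in the latest bucket were never seen from that client before.
    Returns {client: [reason, ...]}; clients with no history are skipped.
    """
    findings = {}
    for client, buckets in bucket_queries(lines, bucket_seconds).items():
        keys = sorted(buckets)
        if len(keys) < 2:
            continue  # nothing to baseline against yet
        *history, latest = keys
        baseline = statistics.median([buckets[k][0] for k in history])
        known = set().union(*(buckets[k][1] for k in history))
        count, names = buckets[latest]
        reasons = []
        if count >= min_queries and count >= spike_ratio * baseline:
            reasons.append(f"{count} queries vs baseline median {baseline:g}")
        unseen = names - known
        if len(names) >= min_names and len(unseen) / len(names) >= new_name_ratio:
            reasons.append(f"{len(unseen)} of {len(names)} names never queried before")
        if reasons:
            findings[client] = reasons
    return findings


def make_sample_log():
    """Constructed resolver log: a laptop with steady traffic and a camera that starts beaconing."""
    lines = []
    normal = ["time.example.net", "updates.example.net", "cdn.example.org"]
    for hour in range(4):  # laptop: six queries an hour to the same few names
        for i in range(6):
            lines.append(f"2018-08-06T{hour:02d}:{i * 10:02d}:00 query[A] {normal[i % 3]} from 192.168.1.20")
    for hour in range(3):  # camera: quiet for three hours ...
        for i in range(4):
            lines.append(f"2018-08-06T{hour:02d}:{i * 15:02d}:00 query[A] {normal[i % 2]} from 192.168.1.50")
    for i in range(60):    # ... then one query a minute to names it has never used
        lines.append(f"2018-08-06T03:{i:02d}:00 query[A] c2-{i:03d}.example-bad.biz from 192.168.1.50")
    return lines


if __name__ == "__main__":
    for client, reasons in find_anomalies(make_sample_log()).items():
        print(client, "->", "; ".join(reasons))
```

Only the camera is reported, with both reasons. On a real network the same logic runs over Pi-hole, dnsmasq or Unbound query logs; the baseline window should be days rather than hours, and devices that legitimately churn through many names (browsers, CDN-heavy apps) need a higher new-name threshold than a camera or a DVR, which should resolve the same handful of vendor hosts forever.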
Privacy International has written to the investigatory powers commissioner (IPC) requesting an urgent review into potentially unlawful use by the UK police of mobile phone extraction (MPE) technology.
Created by the controversial Investigatory Powers Act 2016, the role of IPC is to provide oversight of the intelligence services and police.
The rights group wants the IPC, Lord Justice Fulford, to investigate whether there is a proper legal basis for the police to be using MPE technology and whether doing so is “necessary and proportionate” given its intrusive nature.
"We are concerned that the police are able to download all of the contents of people's phones, when no one seems to be sure whether there is a law or statute that says they can do this. Policing isn't meant to be a free-for-all, where they can make up their own rules as they go along,” argued Privacy International solicitor Millie Graham Wood.
“We are really worried that the police's use of this highly intrusive technology is growing at an alarming rate, without any proper scrutiny, and crucially without people knowing their rights when faced with a police officer who wants to search their phone.”
The move follows the release of the group’s Digital Stop and Search report in March which collected FoI responses from 47 police forces, over half (55%) of which admitted they were using MPE tools, with a further 17% trialling the technology.
It revealed confusion over the legal basis for their use, stemming from a lack of guidance at a national and regional level.
Data is often extracted from devices without the user’s knowledge, stored insecurely and for an indefinite period, and taken not just from suspects but also victims and witnesses, even for investigations of low-level crimes, the report claimed.
“Having issued a complaint to the information commissioner, raising potential breaches of data protection legislation, we have now contacted Sir Adrian Fulford, the investigatory powers commissioner, to ask him to consider whether the way mobile phone extraction technology has been used by the police constitutes intrusive surveillance such that it should fall within his remit,” concluded Graham Wood.
“If the use of mobile phone extraction technologies constitutes either interception or hacking, then this raises a fundamental issue as to the legality of the actions by a large number of police forces over a lengthy period of time."
Taiwanese semiconductor firm TSMC has revealed that a malware outbreak which affected its IT systems last week could result in a 3% hit to revenue.
The iPhone chipmaker said in an update on Sunday that the virus “affected a number of computer systems and fab tools” on Friday evening local time, but that it was believed there would be no lasting damage.
“The degree of infection varied by fab. TSMC contained the problem and found a solution. As of 14:00 Taiwan time, about 80% of the company’s impacted tools have been recovered, and the Company expects full recovery on August 6,” it said.
“TSMC expects this incident to cause shipment delays and additional costs. We estimate the impact to third quarter revenue to be about 3%, and impact to gross margin to be about one percentage point. The Company is confident shipments delayed in third quarter will be recovered in the fourth quarter 2018, and maintains its forecast of high single-digit revenue growth for 2018 in U.S. dollars given on July 19, 2018.”
The world’s largest dedicated semiconductor foundry said that neither data integrity nor confidential information were compromised by the incident.
“This virus outbreak occurred due to mis-operation during the software installation process for a new tool, which caused a virus to spread once the tool was connected to the Company’s computer network,” it explained.
“TSMC has taken actions to close this security gap and further strengthen security measures.”
The incident comes at a bad time for the firm as it looks to ramp up production for the second half of the year in preparation for some big-name autumn product launches. Aside from Apple, clients include the likes of Qualcomm, Nvidia and AMD.
TSMC said it is working closely with these customers on their wafer delivery schedules.
A national nonprofit organization, SecureSet Foundation, created by SecureSet Academy, aims to increase diversity in the cybersecurity workforce by offering financial assistance, according to a press release from SecureSet Academy.
The creation of the SecureSet Foundation will enable individuals to enhance and build their professional skills in the field of cybersecurity, which will also help to fill the talent pipeline. Formed in response to employers that have been collaborating with SecureSet, the foundation’s goal is to help meet immediate concerns over the lack of diversity in the global cybersecurity field.
“According to a report from Frost & Sullivan, women comprise a mere 11 percent of the cybersecurity workforce and globally men are four times more likely to hold C- and executive-level positions and nine times more likely to hold managerial positions than women,” the press release stated. “Data from the latest (ISC)2 report shows the disparity in representation is mirrored across cybersecurity professionals who identify as a racial or ethnic minorities.”
Industry leaders have long understood the need to develop nontraditional recruitment methods that will attract candidates with a variety of nontechnical skills who are capable of complex problem-solving. As is often the case with cybersecurity recruiting efforts, military veterans and women make attractive candidates for the foundation as well.
The SecureSet Foundation hopes to narrow the gap between talented candidates and job applicants by delivering cybersecurity education while defraying the financial burden for those candidates who are interested in transitioning to or entering into the cybersecurity field.
“As it stands, the cybersecurity industry is in dire need of fresh faces and new perspectives, particularly at a time when the job market already has a negative unemployment rate,” said Brad Davis, executive director of SecureSet Foundation. “Reaching new, previously untapped individuals and providing them with the skills and education to become part of the cybersecurity workforce is a critical piece of addressing the shortage of qualified professionals in this field.”
“A lack of diversity is a critical problem for any industry and is particularly acute when it comes to cybersecurity,” said Bret Fund, CEO and founder of SecureSet. “By promoting a more diverse population of cybersecurity professionals and offering grants to underserved populations, we can tackle new threats with the best combination of creative, and technologically savvy, minds possible from a wide array of backgrounds and experiences.”
A newly discovered adversarial group has been targeting operations in electrical utilities in the US, according to Dragos. The activity group, dubbed RASPITE, has reportedly been active in some capacity since early to mid-2017.
Dragos has confirmed that RASPITE is now targeting ICS, specifically electric utilities in the US, Europe, the Middle East and East Asia. While researchers have confirmed that this new group is targeting electric utilities, there is no current indication that the group has the capability to carry out destructive ICS attacks, such as the widespread blackouts seen in Ukraine.
Detailed in a blog post, analysis of the group’s activity revealed that the group currently focuses on initial access operations within the electrical utility sector. They gain access to their target networks by leveraging strategic website compromise. RASPITE also maps to LeafMiner, a group that Symantec recently reported on in the Middle East.
“RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials,” the blog post stated. Deploying install scripts then grants the group remote access to the victim machine via a malicious service that beacons back to RASPITE-controlled infrastructure.
“Dragos caught RASPITE early in its maturity, which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques, which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” said Sergio Caltagirone, director of threat intelligence, Dragos.
“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups. Although Dragos does not conduct country-specific attribution of industrial control threats, generally threats focused on industrial control are state sponsored due to the inherent risk, limited financial gain and potential blowback from the operations.”
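The technique the blog post describes, a link that prompts an outbound SMB connection to attacker infrastructure followed by a service that beacons back, leaves a footprint that perimeter logs can show: workstations opening TCP 445 sessions to hosts outside the organisation, some of them on a regular cadence. The following Python is an added illustration of that detection logic and is not code from Dragos or from the article; the log format, field names, addresses and timestamps are all constructed for the example, and the list of "internal" ranges is an assumption that a real deployment would replace with its own address plan.

```python
"""Flag outbound SMB sessions to external hosts in firewall logs.

Added example (not from the Dragos report or the article). The log format,
field order and every address and timestamp below are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp src_ip src_port dst_ip dst_port proto action
SAMPLE_LOG = """\
2018-08-02T09:14:03Z 10.20.30.41 50231 10.20.30.5 445 tcp allow
2018-08-02T09:14:09Z 10.20.30.41 50244 203.0.113.17 445 tcp allow
2018-08-02T09:14:11Z 10.20.30.41 50246 93.184.216.34 443 tcp allow
2018-08-02T09:15:09Z 10.20.30.41 50270 203.0.113.17 445 tcp allow
2018-08-02T09:16:09Z 10.20.30.41 50281 203.0.113.17 445 tcp allow
2018-08-02T09:20:44Z 10.20.30.77 51002 192.168.4.9 445 tcp allow
2018-08-02T09:21:02Z 10.20.30.77 51010 198.51.100.8 445 tcp deny
"""

SMB_PORTS = {445, 139}

# Assumed internal address plan: RFC 1918 plus loopback and link-local.
# Anything outside these ranges is treated as external for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, sport, dst, dport, proto, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
        "action": action,
    }


def is_external(addr):
    """True when the address is not in any assumed internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text):
    """Return (src, dst, action) for every SMB session leaving the network.

    Denied sessions are reported too: a blocked attempt still tells the
    analyst which host followed the link and should be checked.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS and is_external(rec["dst"]):
            hits.append((str(rec["src"]), str(rec["dst"]), rec["action"]))
    return hits


def find_periodic_smb(log_text, min_events=3, tolerance_s=5):
    """Return (src, dst) pairs whose allowed external SMB sessions recur at a
    steady interval, the shape a beaconing service produces."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS
                and rec["action"] == "allow" and is_external(rec["dst"])):
            times[(str(rec["src"]), str(rec["dst"]))].append(rec["ts"])
    flagged = []
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # All gaps within tolerance of each other: regular, not human-driven
        if max(gaps) - min(gaps) <= tolerance_s:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG):
        print("external SMB:", hit)
    for pair in find_periodic_smb(SAMPLE_LOG):
        print("periodic external SMB (possible beacon):", pair)
```

The first function is the blunt check that most organisations can act on immediately by blocking TCP 445 and 139 at the egress firewall and alerting on any attempt; the second adds the cadence test so that a host whose allowed sessions recur every minute stands out from a one-off misfire. Both run over whatever log source records five-tuples and a verdict, with only `parse_line` needing to change.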
Following Trump’s meeting last week with the National Security Council, national security adviser John Bolton has taken to the pen and the podium, setting out the steps the current administration has taken to advance election security and defend against cyber-attacks on critical infrastructure.
In a 2 August letter responding to the letter he received from five senators critical of Trump's response to Russia, Bolton expressed his pleasure at having the chance to explain the “extensive, historic actions the Trump Administration has already taken to ensure the integrity of our elections and to defend against foreign malign influence.”
Referring to Trump’s efforts as unprecedented, Bolton went on to write that the actions Trump has taken, which include sanctions, the closure of Russian consulates and banning the use of Kaspersky Lab software because of its ties with Russian intelligence, “will also deter Russia and other adversaries from attempting to disrupt American elections.”
Then at yesterday’s White House press conference Bolton sought to emphasize that members of the administration meet frequently to discuss cybersecurity, particularly as it pertains to election security. Bolton said, “In my tenure as National Security Advisor – less than two months – we've already had two full National Security Council meetings chaired by the President and, as I say, countless other discussions as well.”
“Since January 2017, the President has taken decisive action to defend our election systems from meddling and interference,” he continued.
His affirmation reiterated the words of Vice President Mike Pence, who said at the Department of Homeland Security Cybersecurity Summit in New York City, “We’ve already done more than any administration in history to protect the ballot box, and we’ve barely just begun.”
Bolton went on to explain that Trump’s decisive actions include “measures to heighten the security and resilience of election systems and processes, to confront Russian and other foreign malign influence in the United States, to confront such aggression through international action and to reinforce a strong sanctions regime.”
Many of the actions remain classified so as not to publicly disclose information that could potentially benefit adversaries, though the administration has offered to share that classified information with Congress.
The UK government has pledged £100m to drive digital transformation in the police force, helping it tackle cybercrime and improve its controversial use of biometrics.
The home secretary has already approved £70m of the Police Transformation Fund allocation to four projects.
A National Enabling Programme will create a unified IT system across police forces to “deliver more joined-up working within and between forces,” while a Digital Policing Portfolio aims to create an online hub where members of the public can report low-level incidents, rather than at their local station.
However, the Specialist Capabilities Programme has the biggest impact in the cyber-policing sphere, aiming to improve resource-sharing between forces.
“In cybercrime, for example, the program seeks to ensure forces can tackle digitally-dependent crime, with oversight provided through regional organized crime units (ROCUs),” the government claimed.
The idea throughout is that these initiatives drive efficiencies and cash savings, freeing up police to focus on frontline tasks rather than being saddled with back-office bureaucracy.
Perhaps the most controversial area to receive funding is biometrics. A Transforming Forensics program is designed to “improve how biometric services and digital forensics are used, including the development of a 24/7, faster, fingerprint identification service.”
It’s an area in which the police in the UK have so far consistently failed.
A Big Brother Watch report from May called on the police to abandon its “dangerous and inaccurate” facial recognition technology after FoI responses from three forces revealed a false positive rate of 98%, despite an investment of millions of pounds of taxpayer funds.
The wider investment in IT for the police force is to be welcomed, although there’s still a concerning dearth of officers trained in cyber-skills, according to several reports.
Most recently thinktank Reform called on the government to create a digital academy to train specialist cyber police officers, and increase the number of volunteers with these skills.
It recommended a new digital academy capable of graduating 1,700 officers and staff each year, and an increase in the current 40 volunteers with cyber-skills to 12,000.
Facebook’s outspoken CSO Alex Stamos has announced he has accepted a role at Stanford University and will leave the firm later this month.
The former Yahoo CSO’s last day at the social network will be August 17, and he will join the university as a full-time teacher and researcher from September.
“I have had the pleasure of lecturing at Stanford for several years, and now I will have the honor of guiding new generations of students as an adjunct professor at the Freeman-Spogli Institute for International Studies,” he explained in a Facebook update.
“This fall, I am very excited to launch a course teaching hands-on offensive and defensive techniques and to contribute to the new cybersecurity master's specialty at FSI. I am also looking forward to other opportunities to contribute to Stanford's focus on ethically designing and implementing new technologies.”
It had been reported that Stamos fell out with his superiors after advocating a more transparent line on Russian manipulation of the site ahead of the 2016 US election.
While at Yahoo, Stamos also clashed with NSA boss Mike Rogers on government requests that tech firms effectively build crypto-backdoors into their products. He resigned from his role at the internet pioneer after reportedly finding out Yahoo had built scanning software to comply with classified government demands for customer data.
There will be question marks over his successor at Facebook. Whoever takes the role will have a major task continuing to build trust in the company.
Just this week the social network took some early steps on that journey by announcing the shutdown of a handful of fake accounts and pages linked to the infamous Russian Internet Research Agency (IRA), blamed for much of the pre-2016 election interference on social media.
So far there’s no word on who will step into Stamos’ shoes but Facebook will want to avoid the kind of three-month gap that preceded his arrival at such a crucial juncture for the firm, if nothing else to reassure investors of its commitment to improving security.
The government is relying on a “skeleton staff” of security analysts to root out and respond to online threats, according to the responses to a new FoI request.
SIEM specialist Huntsman Security wanted to find out the level of preparedness within government to tackle serious cyber-attacks. The National Cyber Security Centre (NCSC) claimed in April to have responded to more than 800 “significant incidents” since October 2016.
Unfortunately, the FoI requests revealed that many agencies appear under-resourced. The Scottish Prison Service and Scottish Public Pensions Agency said they have no full-time security analysts, while the Northern Ireland Assembly has just two.
Several other departments reported no increase in staff numbers over the past few years.
Huntsman Security argued that the lack of skilled analysts on the frontline could expose the government to the risk of successful attacks or employee burnout.
“As organizations come under great cyber-pressure from adversaries and their analysts become more and more stretched, the risk of a spiraling increase of successful attacks is likely,” said Piers Wilson, head of product management. “The consequences of a successful breach of government and other organizations are severe so they need to limit any likely deficiencies in their cybersecurity protection by better supporting the analysts that protect them.”
However, he acknowledged that skills shortages are a global problem, with predictions of a shortfall in skilled professionals of 1.8 million by 2022.
Government departments must invest now in managed services and machine learning/automation to relieve these skills gaps, as the cost of dealing with a serious attack is likely to exceed any initial outlay now, the firm argued.
The news comes at a time of heightened pressure on the UK’s critical infrastructure and government networks, as state-sponsored actors — particularly from Russia — step up their efforts to disrupt and eavesdrop.
The vast majority of small to medium-sized businesses (SMBs) rank security as their top priority, though less than a third of those organizations have a dedicated IT security professional on staff, according to the 2018 SMB IT Security Report, released today by Untangle.
More than 350 SMBs worldwide participated in the survey, which attempted to gauge their state of IT security by looking at trends in budget and resource constraints, breaches, IT infrastructure, cloud adoption and the general state of IT. The report found that SMBs continue to struggle when it comes to deploying IT security solutions, largely because of tight security budgets and a lack of expert staff. With more companies planning to implement SD-WAN solutions, increasing reliance on cloud infrastructure is a growing concern for network security.
Additionally, the report revealed that 75% of SMBs have fewer than five physical locations and 60% of those businesses have fewer than 100 end-user devices; however, 34% of all respondents said they do not have a BYOD policy. While almost 80% of respondents ranked security as very important to the business, more than half of them are spending less than $5,000 per year on IT security. Of those, half are spending less than $1,000 per year.
Less than 30% of businesses have at least one dedicated IT security professional, and more than 50% of businesses said that they distribute IT security responsibilities across other roles. Budget constraints are the biggest obstacle in advancing the IT security for 47% of survey respondents, while 37% said that they have limited time to research and understand new threats. Another 34% said the skills gap is a problem because they lack the manpower to monitor and manage security (multiple responses allowed).
“SMBs have less expertise and fewer dollars to dedicate to IT security, but they are the primary target of a growing number of phishing and malware threats, particularly as they move towards more cloud-based tools,” Scott Devens, CEO at Untangle, said in a press release. “This report confirms that SMBs are in dire need of easy-to-deploy, intuitive solutions to protect their networks that don’t require hiring additional personnel or time-intensive commitments from existing staff.”