New research revealed that 86% of IT and security leaders believe their organization needs to improve its awareness of internet of things (IoT) threats, according to Trend Micro.
Connected devices are increasingly being used as gateways to the corporate networks. By compromising these devices, attackers can gain access to the greater corporate network, where they are then able to conduct even more damaging attacks.
In a survey carried out by Vanson Bourne, 1,150 IT and security decision makers across the US, UK, France, Germany and Japan revealed that the majority of participating organizations lack an understanding of cybersecurity in relation to the deployment of IoT projects. Survey participants held either C-level or management positions in companies across many sectors, including retail, media and construction.
“A common theme in cyberattacks today is that many are driven by a lack of security awareness, and this is accentuated with IoT security,” said Kevin Simzer, chief operating officer for Trend Micro in a press release.
“It’s a good first step to see that IT leaders recognize awareness levels need to rise across the organization. We recommend business leaders clearly acknowledge the IoT security challenges affecting their company, understand where their security requirements lie, and invest accordingly to make their security goals a reality.”
Despite an awareness that 59% of IoT attacks target corporate office devices, more than half of the participants said they have not yet identified the key capabilities that should be prioritized in their security solutions. Also, 37% claimed they’re not always able to define their security needs before implementing IoT solutions, according to the survey.
Organizations are exposed to damaging cyber-attacks stemming from this lack of security awareness in IoT, according to Trend Micro, given that manufacturing and supply chain devices are the next most frequently targeted types of IoT device after office devices.
To mitigate the risks of cyber-attacks resulting from compromised IoT, survey participants said they have a need for vulnerability management solutions and tools that monitor networks for anomalous behavior. Trend Micro recommends a strong network defense approach to ensure IoT devices do not add security risk at any part of a corporate network.
The Media Trust has discovered a recent malvertising campaign involving Apple Pay that is part of a large-scale phishing and redirect campaign targeting iPhone users visiting premium newspapers and magazines.
In today’s blog post, Michael Bittner, digital security and operations manager at The Media Trust wrote that the campaign was discovered when the security team helped “a winner of several Pulitzer Prizes and one of the largest daily newspapers in the West Coast, thwart a large-scale phishing and redirect campaign targeting iPhone users visiting premium newspapers and magazines.”
Disguised as a legitimate ad, the malware, dubbed PayLeak, delivers those newspaper or magazine visitors who click on the ad to a malicious domain registered in China. Upon arriving, the malware then checks to see whether the visitor’s device is in motion or at rest, upright or lying down and whether it is an Android or iPhone. In addition to determining whether the browser platform in use is Linux x86_64, Win32 or MacIntel, the malware also confirms whether there is malware detection technology running on the device.
When those conditions are detected, Android users are redirected to a fraudulent phishing site that falsely claims that they have won an Amazon gift card. The iPhone users, however, receive two successive popups. The first one is an alert that the device itself needs updating, followed by an additional notice that the Apple Pay app needs updating.
The popup messages are highly sophisticated, particularly the Apple Pay credit card information screen, which is convincingly identical in appearance to the Apple Pay screen where users enter their credit card details.
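As an added illustration from the defender's side (this is not code from The Media Trust's write-up), the following JavaScript scores an ad creative's source for the combination of checks described above: motion-sensor probing, platform and mobile-OS sniffing, probing for security tooling, and an off-site redirect. The two creatives and the indicator patterns are constructed for this example.

```javascript
// Added example: heuristic triage of ad-creative JavaScript for the
// PayLeak-style pattern (environment fingerprinting followed by a redirect).
// Indicator patterns and sample creatives are constructed, not from the report.
'use strict';

// Each indicator: a name, a regex over the creative's source text, and a weight.
const INDICATORS = [
  { name: 'motion-sensor-probe', re: /devicemotion|deviceorientation|DeviceMotionEvent|DeviceOrientationEvent/i, weight: 2 },
  { name: 'platform-sniff',      re: /navigator\.platform|\b(Linux x86_64|Win32|MacIntel)\b/, weight: 1 },
  { name: 'mobile-ua-sniff',     re: /\b(Android|iPhone|iPad)\b/, weight: 1 },
  { name: 'security-tool-probe', re: /antivirus|malwarebytes|adblock|webdriver|phantom|selenium/i, weight: 2 },
  { name: 'offsite-redirect',    re: /location\.(href|replace|assign)|window\.open\(|top\.location/, weight: 2 },
  { name: 'obfuscation',         re: /\batob\(|unescape\(|String\.fromCharCode|eval\(/, weight: 1 },
];

// Minimum combined weight before a creative is flagged (assumed threshold).
const REDIRECT_THRESHOLD = 5;

// Scan one creative's source and return its score, matched indicators and verdict.
function scanCreative(source) {
  const matched = INDICATORS.filter(i => i.re.test(source));
  const hits = matched.map(i => i.name);
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  // Fingerprinting alone is common in legitimate ads; the suspicious shape is
  // at least one probe/sniff indicator combined with an off-site redirect.
  const probes = hits.some(h => h.endsWith('-probe') || h.endsWith('-sniff'));
  const suspicious = score >= REDIRECT_THRESHOLD && hits.includes('offsite-redirect') && probes;
  return { score, hits, suspicious };
}

// Scan a map of { creativeId: source } and return only the flagged creatives.
function triageCreatives(creatives) {
  return Object.entries(creatives)
    .map(([id, src]) => ({ id, ...scanCreative(src) }))
    .filter(r => r.suspicious)
    .map(({ id, score, hits }) => ({ id, score, hits }));
}

// Constructed benign creative: renders an image and reports a click.
const BENIGN_CREATIVE = `
  (function () {
    var img = document.createElement('img');
    img.src = 'https://cdn.example-ads.invalid/creative/123.png';
    img.alt = 'Subscribe today';
    img.addEventListener('click', function () {
      navigator.sendBeacon('https://metrics.example-ads.invalid/click', '123');
    });
    document.getElementById('ad-slot').appendChild(img);
  })();
`;

// Constructed suspicious creative: checks motion, platform, mobile OS and
// automation tooling, then sends the visitor to an off-site page.
const SUSPICIOUS_CREATIVE = `
  (function () {
    var moving = false;
    window.addEventListener('devicemotion', function () { moving = true; });
    var ua = navigator.userAgent;
    var isIphone = /iPhone/.test(ua), isAndroid = /Android/.test(ua);
    var desktop = ['Linux x86_64', 'Win32', 'MacIntel'].indexOf(navigator.platform) >= 0;
    var guarded = !!navigator.webdriver;
    if (!desktop && !guarded && (isIphone || isAndroid)) {
      setTimeout(function () { top.location = 'https://landing.placeholder.invalid/'; }, 800);
    }
  })();
`;

const SAMPLE_CREATIVES = {
  'ad-benign-001': BENIGN_CREATIVE,
  'ad-suspect-002': SUSPICIOUS_CREATIVE,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageCreatives(SAMPLE_CREATIVES), null, 2));
}
```

Running the block prints the single flagged creative with its score and matched indicators; the patterns are a starting point and would be tuned against a publisher's own ad inventory.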
Unsuspecting users then share their credit card information, while the malware logs additional device information, iOS version and IP address, then sends that data to a malicious command-and-control server. According to Bittner, this information can potentially be used for future man-in-the-middle attacks.
“Targeted sites with weaker security measures, such as those that do not monitor their digital environments for unauthorized code, could risk leaking their users’ sensitive information and leave the latter exposed,” Bittner warned.
In a targeted campaign directed at multiple organizations across law enforcement, media, pharmaceutical and other public sectors, hackers with alleged ties to the Russian government have been trying to infiltrate US government computers and networks, according to a new report published by FireEye.
Malicious phishing activity believed to be conducted by the advanced persistent threat (APT) hacking group APT29, also known as Cozy Bear, was detected on November 14, 2018. According to the FireEye report, “The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.”
Attackers reportedly compromised the email server of a hospital and a consulting company’s corporate website in order to distribute phishing emails. “The phishing emails were made to look like secure communication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy,” FireEye said.
Impersonating a Public Affairs official at the US Department of State, attackers distributed the phishing emails, which used a publicly available US Department of State form as a decoy while delivering Cobalt Strike Beacon. The majority of targeted victims reported having received fewer than three emails, though the report noted that one target received 136 emails.
The activity is still being analyzed, and while FireEye has identified key similarities in tactics that correlate with past Cozy Bear activity, “the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file.”
Brandon Levene, head of applied intelligence at Chronicle, confirmed that the TTPs used in this case are identical – down to the metadata – to those attributed to APT29 in 2016. “It’s odd that the exact same techniques were reused given that they have nation-state resources to develop malware,” Levene said.
“If the reports that media is a target are true, it would be interesting and could show that attackers are attempting to observe and manipulate news cycles. For instance, attackers would have advance notice of news stories and could prepare social media posts to go out when the news hits that could discredit the news or otherwise manipulate it.”
FireEye also noted that if evidence supports the suspicion that the activity is coming from Cozy Bear, this will be the first uncovered activity of the group in at least a year. “The attackers will likely remain active and come back with more sophisticated intrusion attempts since this campaign was quickly discovered. They’re going to be forced back to the drawing board,” said Levene.
The government is failing to act with a “meaningful sense of purpose or urgency” to tackle the growing threat to critical national infrastructure (CNI), despite itself acknowledging the risks, according to a new parliamentary report.
Noting the impact of WannaCry on the NHS, increasingly destructive attacks launched by nation states like Russia, and the threat from organized crime groups which “are becoming as capable as states,” it cited the National Cyber Security Centre (NCSC)’s assessment that a major CNI attack is a matter of “when not if.”
“Identifiable political leadership is lacking. There is little evidence to suggest a ‘controlling mind’ at the center of government, driving change consistently across the many departments and CNI sectors involved,” it warned.
“Unless this is addressed, the government’s efforts will likely remain long on aspiration and short on delivery. We therefore urge the government to appoint a single Cabinet Office minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.”
Although the NCSC is doing good work, its limited resources threaten to be overwhelmed, while important regulation in the form of the NIS Directive covers only certain sectors, and in any case has been driven by leadership from the EU.
Part of the problem lies with the 2016 National Cyber Security Strategy, which doesn’t set out clearly defined objectives for protecting CNI. The government should therefore publish annual reports to improve transparency, which would also provide an opportunity to tweak the strategy in response to changing threats, the committee advised.
The government should also review each sector’s inter-dependencies and maturity and gain greater visibility into why the market has so far failed to deliver improved cyber resilience. A CNI-wide threat- and intelligence-led penetration testing program was recommended.
Regarding the necessary cultural change needed to improve cybersecurity in CNI organizations, the committee urged the government to consider improving board-level expertise and accountability, encouraging the management of supply chain risk, and the promotion of cyber insurance.
“We are struck by the absence of political leadership at the center of government in responding to this top-tier national security threat,” said committee chair, Margaret Beckett.
“There are a whole host of areas where the Government could be doing much more, especially in creating wider cultural change that emphasizes the need for continual improvement to cyber resilience across CNI sectors.”
Experts welcomed the report’s findings.
“The Joint Committee is right to point out the importance of securing not just critical infrastructure itself, but the entire supply chain that supports it. We must never forget to question what an adversary might do to tamper with supply or design chains, even in areas such as open source software, where a cyber-criminal could introduce defects that practically an entire industry might use for many years,” said McAfee chief scientist, Raj Samani.
“Greater levels of transparency around technology design are vital. We need more visibility into what different components do, and how they do it. We also need greater visibility into what they should and shouldn’t be doing. More effort must be made to secure the most sensitive components of technology upon which we rely every day.”
Talal Rajab, head of cyber and national security at industry body, techUK, added that the issue required “utmost vigilance.”
“Much has changed since the strategy was published in 2016, with the threat to government and businesses constantly evolving,” he argued. “As the current strategy draws to a close, it is vital that cybersecurity becomes business as usual across all areas of government. The appointment of a Cabinet Office Minister designated as a cybersecurity lead could help ensure government remains one step ahead of the threat and drive real change across departments.”
The number of data security incidents reported to the Information Commissioner’s Office (ICO) has jumped 29% from Q1 to Q2, according to the latest figures.
While 3146 incidents were reported to the watchdog between April and June this year, the number rose to 4056 for the succeeding three months, highlighting the continued impact of the GDPR which mandates 72-hour breach notifications.
The overall increase in reported incidents year-on-year is a whopping 490%.
“Similar to what we observed in the ICO’s previous report, this doesn’t necessarily mean that organizations are experiencing more incidents — but it definitely means that more are now being reported,” said Egress Software Technologies CEO, Tony Pepper. “The increased awareness for organisations to tread carefully has been fuelled by GDPR, as well as the significant data breach incidents that recognizable brands have suffered.”
Disclosure of data usually accounted for the majority of incidents reported in each sector, followed by “security”.
The “general business” category accounted for the majority of incidents during the July-September period (847), followed by health (619), legal (311) and local government (300).
However, according to Egress, the biggest rise in reported incidents came from the media sector (633%), albeit from a low figure. General business (87%), legal (63%), transport and leisure (57%) and finance (49%) also saw significant increases.
The two biggest fines issued by the ICO during the period were the maximum £500,000 levied against Equifax for its notorious 2017 breach and £175,000 against private healthcare provider Bupa.
The value of fines increased 24% in the year to September 30 versus the previous year, to reach nearly £5m, but there are potentially much bigger penalties on the way under the new regime, a law firm has warned.
While the GDPR has raised awareness of data breaches and improved reporting, it is also threatening to overwhelm the regulator. The ICO complained in September that it has been receiving 500 calls per week to its helpline since the new law landed in May.
Two men have been jailed for their part in the 2015 cyber-attack on TalkTalk which cost the firm tens of millions of pounds.
Matthew Hanley, 23, and Connor Allsopp, 21, both of Tamworth, pleaded guilty to offenses under the Computer Misuse Act and were jailed for 12 and eight months respectively.
Hanley is said to have hacked a key database, obtaining and supplying files to others which enabled them in turn to hack TalkTalk websites. He also admitted handing over a spreadsheet of TalkTalk customer details to others for use in fraud.
Allsopp admitted supplying a file of customer details to an online user for fraud as well as details of vulnerabilities in the database which would have enabled others to hack it.
Hanley appears to have been the main hacker, with Allsopp instructed to sell the stolen data on his behalf — including the personal and financial details of an estimated 8000 TalkTalk customers.
Although Hanley was arrested just days after the incident, on October 30 2015, police found his machines had been wiped and encrypted. However, they managed to piece together enough evidence to force a guilty plea last year.
Detective constable Rob Burrows from the Met's Falcon Cyber Crime Unit argued that the scheme could have put thousands of people at risk of fraud.
“Hanley hacked into TalkTalk's database with the sole intention to steal customer personal data and sell it to criminals and fraudsters for his and Allsopp’s financial gain. Allsopp was a willing participant in the crime,” he added.
“Hanley thought he was clever covering his tracks, concealing and destroying evidence on his computers; however, the extensive investigation, specialist skills and technical expertise utilized by our team led to the identification of these two virtual offenders, bringing them into the ‘real world.’”
The TalkTalk breach is said to have cost the firm in the region of £77m, although the real figure could be even higher when customer churn and other factors are added in.
Some 156,000 customers were affected, and the ISP itself was fined a near-maximum £400,000 by the ICO for security and data protection failings. A 17-year-old admitted back in 2016 that he was able to hack the firm — it's believed by exploiting SQL injection flaws on forgotten web pages.
A security flaw in Instagram’s Download Your Data, a tool released in April this year, reportedly could have exposed user passwords, but the bug has now been fixed, according to multiple news reports. Apparently, the issue was that as part of the Download Your Data process, a URL containing the user’s password would have been emailed to the user.
“While this may seem somewhat harmless (the user sees his/her own password), it is actually quite dangerous. E-mail is not a secure communication channel for transmitting passwords,” said Amit Sethi, senior principal consultant at Synopsys.
“Several e-mail servers might have had access to the passwords, they may have been transmitted in clear text in some cases, and they would have been stored on some email servers and on the users’ devices. Some users may have even accessed the URLs on public computers, which may have exposed their passwords to other users. Given that users often reuse passwords on multiple sites, the impact goes beyond just Instagram accounts.”
Because email was involved, Sethi said that manual security testing would be required to find this security issue. “This is yet another example that illustrates why we cannot rely solely on automated tools for testing applications.”
Infosecurity Magazine contacted Instagram, but as of the time of publication, the company had not responded. The Information reported that Instagram notified its users about a flaw that potentially left passwords publicly exposed. An Instagram spokesperson told The Information that the issue was discovered internally and only impacted “a small number of people.”
“Regardless of the number of individuals affected, this event raises major concerns about the way that Instagram is handling its users' data. In light of the fact that Facebook owns Instagram and has been experiencing a number of security debacles of its own, it should come as little surprise that Instagram is now exhibiting similar issues,” said Rich Campagna, CMO, Bitglass.
“The need for comprehensive cybersecurity measures is widely known today; however, many companies continue to display poor stewardship over the personal details belonging to customers, employees, and other parties. Unless organizations begin to respect the importance of protecting customer data, we will continue to see more big-name companies making costly mistakes that harm countless individuals.”
A San Diego, California–based communications provider, Voxox, exposed a database containing at least 26 million text messages, including password reset links, two-factor authentication (2FA) codes and shipping notifications. The database was not password protected, which led to the exposure of personal information, phone numbers and 2FA codes in near real time.
“Unfortunately, these 26 million 2FA codes, password reset links and delivery tracking details leave the exposed individuals easy targets for threat actors engaged in account hijacking,” said Mark Weiner, CMO, Balbix. “A basic misconfiguration like the one that caused this exposure should never occur; implementing a password is a simple but crucial first step in securing data. The organization and its customers might still be secure if they had early visibility into vulnerabilities across their entire attack surface –including passwords – and been able to correct it shortly after launching the service.
“It is mathematically impossible for humans to conduct the continuous monitoring of all IT assets and infrastructure needed to stay ahead of attack vectors. Security platforms developed with artificial intelligence and machine learning are essential to support security teams and proactively manage risk.”
The latest exposure raises questions about whether organizations have become too reliant on passwords and 2FA to verify user identities and whether user credentials can ever be fully secured.
“In this latest example, the use of a simple two-factor authentication method – a one-time passcode sent over SMS – could be easily intercepted in near time, eroding any possibility of establishing a level of trust,” said Keith Graham, chief technology officer of SecureAuth. “As organizations seek to prevent credential-based breaches, they must move beyond password and simple two-factor authentication methods, which are no longer enough to safeguard against today’s attacks.”
Still, the messages were sent in clear text with the ability to link a user’s mobile phone number to a service provider, which Michael Magrath, director, global regulations and standards, OneSpan Inc., said opens the door to serious privacy infringements. “The fact that one-time password (OTP) codes were sent via SMS in clear text reinforces NIST’s decision to classify SMS-OTP as a restricted form of authentication in its 2017 revision of Special Publication 800-63-3, Digital Identity Guidelines. Like passwords, SMS OTPs are vulnerable to attacks and can be intercepted and reused.
“The only good news to come out of this for California-based Voxox is that these security infractions occurred before the California Consumer Privacy Act of 2018 goes into effect in January 2020.”
According to tweets from Microsoft, the company is investigating reports that Azure and Office 365 are again suffering issues that are leaving users unable to login using multifactor authentication (MFA). When users enter their login credentials and are sent an SMS with a two-factor authentication (2FA) code, the screen does not advance for the user to enter the code, according to a Reddit discussion.
Azure Support also tweeted, “Engineers are actively investigating an ongoing issue affecting Azure Active Directory, when Multi-Factor Authentication is required by policy.”
News of the issue comes less than a month after a reported login problem that left many admins and users unable to access their accounts for several hours. This latest issue is affecting global users, including people from Norway, Australia and the United States expressing frustrations via social media sites.
The most recent status update from Azure as of publication time stated: “Starting at 04:39 UTC on 19 Nov 2018 customers in Europe and Asia-Pacific regions may experience difficulties signing into Azure resources, such as Azure Active Directory, when Multi-Factor Authentication is required by policy.
“Engineers have deployed the hotfix which eliminated a connection between Azure Identity Multi-Factor Authentication Service and a backend service. The deployment of this Hotfix took some time to take effect across the impacted regions. We are seeing a reduction in errors, and customers may be seeing signs of recovery and authentications are succeeding.”
Since the hotfix has been deployed, engineers are continuing to monitor the ongoing performance and will provide updates as necessary.
“Another day, another Office 365 disruption, and another nuisance for admins and employees alike. With less than a month between disruptions, incidents like today’s Azure multifactor authentication issue pose serious productivity risks for those sticking to a software-as-a-service monoculture,” said Pete Banham, cyber resilience expert at Mimecast.
“With huge operational dependency on the Microsoft environment, no organisation should trust a single cloud supplier without an independent cyber resilience-and-continuity plan to keep connected and productive during unplanned, and planned, email outages. Every minute of an email outage could cost businesses hundreds and thousands of pounds. Without the ability to securely log in, knowledge worker employees are unable to do their jobs. The question is, if your work email and productivity are dependent on Office 365, how much have these hours of disruption cost you so far?”
Vision Direct has apologized after customers' personal and financial details were found to have been leaked.
According to a statement, the data was compromised between November 3 and 4 2018 “when entering data on the website and not from the Vision Direct database” and included full names, billing addresses, email addresses, passwords and telephone numbers. Payment card information, including card number, expiry date and CVV, was also compromised. However, PayPal users are unaffected, Vision Direct confirmed.
“As the information was compromised as it was being entered into the site, any existing personal data that was previously stored in our database was not affected by the breach,” it said. “All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach.”
Anyone who visited the website and did not enter details should not be affected, it confirmed.
“We understand that this incident will cause concern and inconvenience to our customers,” Essential Retail reported. “We are contacting all affected customers to apologize and continue to inform you of any updates in the next few days.”
40% of UK Shoppers Want Cyber Monday Bargains, Half Willing to Buy from Previously Breached Retailers
A new survey of 1000 UK consumers has found that 40% of UK shoppers are planning to make the most of big-name discounts available on Black Friday and Cyber Monday, with half of those stating they are happy to buy from retailers that have suffered a breach in the past.
The findings, from DomainTools, show that UK shoppers are just as keen as their US counterparts to spend online this winter period, and are even willing to overlook security concerns at previously breached retailers.
However, on a more positive note, DomainTools did discover that 63% of respondents are more likely to cross reference email domains with legitimate retailers’ URLs, which can go a long way to preventing successful phishing attacks.
“The results of the survey provide us with both positive and negative outcomes,” said Corin Imai, senior security advisor at DomainTools.
“While it’s undoubtedly encouraging that respondents are more likely to check email addresses for tell-tale signs of phishing, it is concerning that so many remained happy to use companies which had been breached in the past. If customer details are accessed by cyber-criminals, it can leave them vulnerable to a variety of further crimes, up to and including identity theft. Consumers should be sending the message to companies that data protection matters.”
Without any notable opposition, the House agreed to the Senate’s version of the Cybersecurity and Infrastructure Security Agency (CISA) Act earlier this week, according to FCW.
Replacing the National Protection and Programs Directorate, the new agency will oversee the cybersecurity of federal computer systems and will be a government liaison on cybersecurity issues with critical infrastructure providers, such as banks, hospitals and airports.
“This is just a new sign and a lick of paint on another DC bureaucracy. CISA is focused on securing federal infrastructure as a part of the Bush-era Frankenstein’s Monster DHS, so they will continue to spend vast amounts of money on systems, while 91% of attacks will succeed via phishing attacks,” said Colin Bastable, CEO of Lucy Security.
“From the perspective of protecting government departments, businesses and citizens against phishing attacks by 'upgrading' the security skills of the people, CISA will bring zero benefits," said Bastable. "Effective cybersecurity requires a holistic approach, securing people and systems as part of an integrated plan. The weakest points are the people – it only takes one successful attack.”
In addition to businesses needing to defend against cyber-attacks, there is also a need for federal, state and local government departments to protect themselves and a Federal Bureau of Cybersecurity to protect people, businesses and non-federal assets, according to Bastable.
“This is a national issue: Americans treat consumer protection as a national priority, and yet cyber insecurity is treated as a fact of national life that we should somehow tolerate and accommodate," he said. "A dedicated Federal Bureau of Cybersecurity will treat cyber insecurity as the consumer safety issue that it is, and respond with serious intent to protect Americans as voters, social media users, health insurance consumers and taxpayers."
In order to effectively defend critical infrastructure, the government must be able to detect, respond to and recover from these types of attacks. George Wrenn, CEO and founder, CyberSaint Security, said, “As the former CSO of a global critical infrastructure organization, I've seen first-hand that adopting the National Institute of Standards and Technology's Cybersecurity Framework is a robust first step in lowering the cybersecurity risk in our government agencies and critical infrastructure organizations. The focus on cybersecurity for organizations such as these is critical to our safety as a nation, and I'm pleased to see this issue enter the spotlight."
BlackBerry announced that it has finalized an agreement in which it will acquire Cylance for $1.4 bn in cash, plus the assumption of unvested employee incentive awards. With Gartner citing security as the top barrier to successful internet of things (IoT) implementation, BlackBerry aims to improve its offering to enable the enterprise of things (EoT). By applying Cylance’s artificial intelligence, algorithmic science and machine learning, the new platform is expected to prevent known and unknown threats to fixed endpoints, according to a press release.
The BlackBerry Spark platform will join Cylance’s cybersecurity software with next-generation secure chip-to-edge communications and promises to deliver trusted connections between any endpoint.
“Cylance’s leadership in artificial intelligence and cybersecurity will immediately complement our entire portfolio, UEM [Unified Endpoint Management] and QNX in particular. We are very excited to onboard their team and leverage our newly combined expertise,” said John Chen, executive chairman and CEO of BlackBerry. “We believe adding Cylance’s capabilities to our trusted advantages in privacy, secure mobility and embedded systems will make BlackBerry Spark indispensable to realizing the enterprise of things.”
Founded in 2012 and privately held, Cylance has over 100 patents and patent applications in cybersecurity and machine learning. The company delivers endpoint protection services to more than 3,500 enterprise customers, boasting that more than 20% of those are Fortune 500 companies.
“Our highly skilled cybersecurity workforce and market leadership in next-generation endpoint solutions will be a perfect fit within BlackBerry, where our customers, teams and technologies will gain immediate benefits from BlackBerry’s global reach,” said Stuart McClure, co-founder, chairman, and CEO of Cylance. “We are eager to leverage BlackBerry’s mobility and security strengths to adapt our advanced AI technology to deliver a single platform.”
The deal is expected to close prior to February 2019, which is the end of BlackBerry’s current fiscal year.
A new report looked at the number of companies that allow users to access corporate data on personal devices and found that most organizations enabling BYOD lack proper security controls, according to Bitglass.
With the advent of the cloud, more employees are taking advantage of being able to work from anywhere at anytime on any device, including non-company issued devices. The Bitglass 2018 BYOD report found that 85% of enterprises now allow data access from personal devices for employees, partners, customers, contractors and even suppliers. As a result, more than half (51%) of participating firms report a rise in mobile security threats this year. Based on a survey of nearly 400 enterprise IT professionals, the study also found that 43% of organizations are not able to determine whether the personal devices that are accessing corporate data have actually downloaded malware.
In addition, only 56% of companies use the basic protections of remote wipe and mobile device management tools, though these tools do lead the pack in adoption of companies employing BYOD, according to the report. Only 30% of firms are confident that they are properly defending against malware on personal and mobile devices.
“BYOD increases employee mobility, and consequently, organizational flexibility, efficiency and collaboration,” the report said. Though the main drivers for enabling BYOD are employee mobility (74%), employee satisfaction (54%) and reduction in cost (49%), only 19% of organizations reported enabling BYOD because it reduces security risks. As little as 15% of organizations reported that they do not enable BYOD for any users.
“While most companies believe mobile devices are being targeted more than ever, our findings indicate that many still lack the basic tools needed to secure data in BYOD environments,” said Rich Campagna, CMO of Bitglass, in a press release. “Enterprises should feel empowered to take advantage of BYOD’s myriad benefits, but must employ comprehensive, real-time security if they want to do so safely and successfully.”
A Japanese minister in charge of cybersecurity has shocked lawmakers after revealing that he doesn’t use a computer, and struggles to grasp the concept of a USB stick.
Yoshitaka Sakurada, 68, is deputy chief of the government’s cybersecurity strategy office.
However, responding to an independent lawmaker at a Lower House Cabinet Committee meeting this week, he’s reported as saying: “I don’t use computers because since I was 25 I have been in a position of authority where secretaries and employees handle such tasks for me.”
Sakurada also admitted “I don’t know the exact details” when asked by another lawmaker about the measures that are in place to guard the nation’s nuclear power stations against cyber-attacks.
He also appeared confused when asked if USB drives were being used in said nuclear facilities, according to reports.
Sakurada’s shaky performance comes after he was criticized last week over his handling of basic questions on the upcoming 2020 Olympic Games in Tokyo — another area he is in charge of as minister.
At one point he reportedly claimed the budget for the event was 1500 yen, which amounts to around £10/$10.
According to local news wire Kyodo, the debate was interrupted frequently while his aides were forced to step in to answer questions on his behalf.
While Sakurada’s unusual decision never to use a PC could be viewed as the ultimate security strategy, his apparent lack of understanding of basic details is some cause for concern.
Olympic Games events usually attract the attention of nation state operatives and cyber-criminals. The last event in Pyeongchang earlier this year saw a major attack leave the official Winter Games website down for 12 hours shortly before the opening ceremony.
MPs are unhappy at the government’s response to their committee report on cybersecurity skills in critical infrastructure (CNI), claiming it fails to address the immediate challenges facing the industry.
The Joint Committee on the National Security Strategy published its initial report in July, claiming the skills gap in the sector was “cause for alarm” and that the government had to “explore more creative options” to improve skills capacity in the sector and across government.
A government response to the report out this week acknowledged the problems and set out several things it is doing to improve the pipeline of talent, including the CyberDiscovery and CyberFirst programs. It also referred to the Cyber Skills Immediate Impact Fund as helping to address shorter term skills issues, and a bursaries scheme to assist with Masters degrees.
The government also acknowledged the need to “think creatively” and said it was considering extending the NCSC’s Industry 100 initiative to build more skills capability.
However, committee chair, Margaret Beckett, was unimpressed.
“The committee remains to be convinced that government has grasped the immediate challenge of keeping CNI secure from cyber-threats,” she responded in a statement.
“Many of the plans set out in this response will come to fruition in a decade’s time. It fails to answer our questions about today and tomorrow – and this is concerning.”
Those plans also include funding for teaching improvements, such as a Continuing Professional Development (CPD) program, which aims to upskill 8000 teachers so they can deliver GCSE computer science courses, and a £500/year commitment to creating new “T levels” courses by 2020.
The government also clashed with the committee over the level of cybersecurity training provided to civil servants.
The former recommended that “basic cyber security training and continuing professional development” be made compulsory for all, while the government responded that it already offers basic training via a “Responsible for information – General User including Government Security Classifications” course.
However, there were some signs of progress. Beckett welcomed the government’s commitment to publishing a coherent cybersecurity skills strategy by the end of the year.
“Today’s response from the government accepts the need to think creatively about current and future challenges relating to cyber skills. This is a start. The government sets store by its 2016 National Cyber Security Strategy, and today’s response to our report acknowledges that in terms of a standalone skills strategy, there is more to do,” she said.
“We have been assured that government has begun work on that strategy, which they promise by the end of 2018. When it arrives, we will look carefully to ensure that this is the case.”
Security researchers are urging parents to think twice about buying GPS-enabled smart watches to keep their children safe, after revealing that scores of models are riddled with vulnerabilities.
Pen Test Partners’ initial research detailed security issues with the MiSafes device first launched three years ago. The idea, like all similar devices, is that it keeps track of the wearer’s movements at all times, reassuring parents.
However, hacking the watch is “well within the capability of an attacker with basic coding skills using only free tools,” the firm wrote.
Doing so will reportedly allow an attacker to change the device’s ID number and therefore access a user’s account, enabling them to locate and view a photo of the child; listen in to conversations between parents and their children; and call or message the child.
Attackers could also cause the watch SIM to dial premium rate numbers, potentially running up a huge bill.
“Our research was carried out on watches branded ‘Misafes kids watcher’ and appears to affect up to 30,000 watches. However, we discovered at least 53 other kids tracker watch brands that are affected by identical or near-identical security issues,” warned Pen Test Partners.
“So far, we have gathered data that indicates at least one million tracker watches in use today are affected.”
Aaron Zander, IT engineer at HackerOne, argued that until manufacturers are forced to build security into smart products from the start, consumers shouldn’t expect it to be included.
“So how do you purchase safe smart toys for your kids? You don’t,” he added.
“But if you must, don't go for the cheapest options and try to minimize capabilities like video, Wi-Fi and Bluetooth. Also, if you do have a device and it does have a security flaw, reach out to your government representatives, write your regulating bodies, make a stink about it, it’s the only way it gets better.”
Despite the session’s name, “Two Points of View: Collaboration and Disclosure: Balancing Openness About Cyber Security with Managing Risk and Reputation,” panelists at today’s Infosecurity North America conference were actually in agreement about sharing threat intelligence.
Moderated by Joseph Gittens, director, standards, Security Industry Association, the panelists explored the different channels by which information can and should be shared. Participating in the talk were Andrew Conte, AVP security leadership team, at The Guardian Life Insurance Company of America, and James O’Shea, head of re-engineering, cybersecurity and IT infrastructure, at RBC Capital Markets. Both participants noted that their comments were their own and not representative of the thoughts or policies of their employers.
“This is just for fun,” O’Shea said, which Conte echoed.
Of great concern is how threat vectors are expanding for recognized brands; given the value of personally identifiable information (PII) these days, protecting customers’ PII is critical. To do that, companies need to understand new and emerging threats, so being a member of an information-sharing organization is a great opportunity to learn about those threats. “They are good at de-anonymizing where the threats came from and sharing that information,” Conte said.
As you mature as an organization, you should be thinking about the other information channels by which you can come to understand threats. "Criminals are criminals and they are going to try to convert something that you have into something of value that they can use for something else. Those sorts of things happen in other industries all the time,” O’Shea said.
Including law enforcement in cyber war-gaming is incredibly useful as well, and depending on the type of organization, you may naturally have a relationship with law enforcement already. Sectors that are regulated, such as critical infrastructure, are examples of the types of organizations that have those front-line partnerships on call.
For non-critical infrastructure organizations, there are professional organizations across the country, whether it’s ISACA or (ISC)2 or other types of member groups.
“People are never going to turn away people who want to join together and work on the problem,” O’Shea said. Additional good sources of information are within the legal industry, whether it’s in-house counsel or outside of the organization. “Look laterally,” O’Shea said.
Gittens asked whether the security industry ought to have a general good neighbor policy, and the panel then hypothesized about the likelihood that there could someday be legislation that imposes liability for failure to share threat intelligence.
“It’s something to think about,” O’Shea said.
It’s months past when the EU’s General Data Privacy Regulations (GDPR) went into effect, and many are wondering, “Where are we now?” Among the many aspects of the GDPR talked about at today’s Infosecurity North America conference, Nashira Layade, SVP, CISO at Realogy Holdings Corp., and Elena Elkina, partner at Aleada Consulting, spent a bit of time focusing on data-subject requests.
In particular, one of the three types of data-subject requests is the right to be forgotten, which in itself can be tricky, Layade said. “Understanding where the data is will help you with data-subject requests, but the right-to-be-forgotten request means that you also have to look at the requirements on how long you are supposed to hold onto that data. Always check with your legal team to make sure you are complying with all of the regulations.”
It’s also key to understand the 30-day-response requirement. The data-subject request demands a response within 30 days, but that doesn’t mean that the activity will be carried out within those 30 days, according to Layade.
Certainly there will be situations where an organization may need more time to act, which is something that should be discussed with legal. Either way, the response has to be delivered in the designated time frame.
As more regulations and legislative acts are brought forth, complying with all of them could feel overwhelming. Usually, though, compliance with one will cross over and lead to compliance across the board. “I would not focus on a regulation-by-regulation basis, because you are going to drive yourself crazy. What is your organization’s risk profile? Start there,” Layade said.
For some organizations, GDPR has had little impact on their data privacy impact assessment practices. Layade said that her organization has two different processes for risk assessment, which include the technology side and the data side.
“GDPR didn’t change anything for us because we do impact assessments on a six-month basis. For those who are just starting out on the journey, though, you should consider evaluating certain GRC [governance, risk and compliance] tools that automate your privacy impact assessments. Those assessments should be automated to increase efficiency and make the process more streamlined and easier to implement,” Layade said.
“If you are just implementing, think about the goal of why these regulations were even required by regulators. If there is potential for high risk, you need controls. Assess your product and your business processes. Don’t just think about products. Think about the process as well,” Elkina said.
In his opening keynote presentation kicking off the second day of this year’s Infosecurity North America conference in New York, Dave Hogue, technical director of the NSA’s cybersecurity threat operations center, talked about how innovations in policy, technology and people can lead to breakthrough results in one of the largest 24-7-365 operational environments across the US government.
Hogue said the threat operation center is equivalent to security operation centers in industry, and his teams are on the front line of defending against cyber threats every day. The fully operational teams are divided into threat analysts and countermeasure engineers.
Noting that the NSA director often describes cyber as the ultimate team sport, Hogue said this philosophy is embodied in the operations center, which has representatives from different government agencies, including the FBI, on its team. “If something happens that affects one agency network, they are there and given the information needed to do their jobs.”
On the unclassified Department of Defense information networks it defends, there are 36 million emails coming in every day. While it’s a challenge to defend against that magnitude, Hogue said that 85% of user emails are rejected daily. In addition, once a vulnerability is disclosed, the network is scanned within 24 hours.
“It is incredibly easy for adversaries to take advantage of released vulnerabilities, so you need to understand your attack surface and understand how fast you can push patches out, because vulnerabilities are turned around extremely quickly,” Hogue said.
Attacks from nation-state actors have increased and grown more sophisticated, with the majority of geopolitically driven activity coming from Russia, Iran, North Korea and China. Commenting on events coming from Russia, Hogue said, “We see their cyber activity very much guided by what they are doing in real time. Every time we severed their malware or took down their IP addresses, they established a new one.”
China, on the other hand, has transformed how it conducts its activity, but it continues to use cyber-espionage as a prime enabler to acquire transformative technologies as part of its long-term plan to be a global superpower.
The NSA is diligent in deploying its cyber defenses, and because of those efforts, Hogue said it has not responded to an intrusion using a zero-day exploit in the last 24 months. As is the case with the private sector, 90% of its cyber incidents are due to human error. In fact, 93% of the 2017 incidents were preventable with basic best practices of application whitelisting, role-based access controls and two-factor authentication.
Five key strategies that will lead to successful defense include instituting well-managed and defendable perimeters and gateways; ensuring visibility and continuous monitoring of the network to include traffic and endpoints; hardening networks, endpoints and services to best practices; creating and fostering a culture of curiosity and embracing innovative approaches; and using comprehensive and automated threat intelligence sources.