Most FTSE 100 companies are not being transparent with their board or the wider public about security strategy, according to new Deloitte research.
The global consultancy analyzed reporting practices on cyber-risk covering all FTSE 100 annual reports in the year ending 30 September 2017.
It found that just 21% disclosed that they provide cybersecurity updates to the board on a regular, monthly to bi-annual, basis. Even fewer (20%) disclosed details of specific cyber-risk testing, such as ethical hacking, designed to find vulnerabilities in their IT systems.
The research revealed that FTSE 100 firms are either under-investing in cybersecurity or failing to be transparent about their efforts, which could be a missed opportunity to reassure investors and customers they understand the online threat.
Organizations must focus their efforts on analyzing the business for any weaknesses which could be exposing them to hackers, argued Pete Banham, cyber-resilience expert at Mimecast.
“It has never been more imperative for businesses to implement a cyber resilience strategy,” he added. “This should include strong methods of protection, combined with a reliable archive and recovery strategy for data that will ensure uninterrupted access and use of vital systems like email in the event of a breach.”
The opacity in reporting highlighted by Deloitte will need to change when the GDPR lands in May, according to the firm’s head of cyber risk services, Phill Everson.
“As we see GDPR regulations introduced from May 25 this year this becomes even more important as they require regulators to be notified within 72 hours of a breach,” he explained. “In preparation, companies will be looking at their processes for delivering security updates to the right people in a timely manner. However, with just two months to go to GDPR, our analysis shows there is still some work to do.”
However, things are moving in a more positive direction. Some 89% of respondents claimed to recognize cyber threats as a “principal risk” and identified multiple impacts of a breach including disruption to business and operations (70%), data loss (58%), reputational damage (56%) and financial loss (54%).
“Over the past two years, one in five companies disclosed the creation of a brand new role or body to have overall accountability on cyber,” Everson continued. “This shows that companies are upgrading their approach to match the raised level of threat. This brings the total number of FTSE 100 companies with a clearly identified person or team with cybersecurity responsibility to 38, but we would like to see 100%, and expect investors would as well.”
New Android malware that stealthily mines the Monero cryptocurrency is posing as a legitimate Google Play update app (complete with Google Play’s icon), so far affecting users in India and China where third-party app stores are more popular.
According to Trend Micro researchers, the malware is being used in a notably successful and active campaign; in one case, operators withdrew over $5,000 worth of Monero from one wallet.
Dubbed HiddenMiner, it lives up to its name by using various obfuscation techniques, including anti-emulator capabilities, to evade detection and automated analysis. It also hides from the victim by emptying the app label, using a transparent icon and hiding the app from the app launcher.
The malware requires users to activate it as a device administrator; once downloaded it will persistently pop up until victims click the "Activate" button. Once granted permission, HiddenMiner will start mining Monero in the background and will automatically run with device administrator permission until the next device boot. There’s no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted, which will drain the battery and potentially cause a device to overheat.
The bad code is just the latest malware to hop on the Monero-mining bandwagon; Monero takes fewer resources to effectively mine than other forms of virtual currency.
“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave,” said the researchers in a blog. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”
Amid a data privacy scandal that has blown up worldwide, Facebook has decided to make a few changes to “review developers' actions for evidence of misuse, implement additional measures to protect data, and give people more control of their information.”
For one, the social network is expanding its bug bounty program to reward people for reporting misuses of data by app developers. Details are as yet scant, but the change seems apropos given the revelations that Cambridge Analytica was able to scrape private user data on 50 million Americans by way of convoluted terms of service, Facebook login loopholes and an obsolete API that the platform made available up until 2014.
Facebook has also paused app review while it reviews its current situation and policies – again, likely a wise move given that the US's Federal Trade Commission has opened up a closed-door inquiry into the company’s privacy practices.
Other efforts to reduce the potential for future scandals include an in-depth investigation of all apps that had access to large amounts of information before Facebook changed its platform in 2014 to reduce data access, and full audits of any apps with suspicious activity. The company will also inform users if an app is removed for misuse of personally identifiable information and will ban the developer.
Additionally, Facebook said that developers that build applications for other businesses, that is, the Cambridge Analyticas of the world, “will need to comply with rigorous policies and terms,” which it promised to publish in the coming weeks.
“We know these changes are not easy, but we believe these updates will help mitigate any breach of trust with the broader developer ecosystem,” said Ime Archibong, vice president of platform partnerships at Facebook, in a blog.
The General Data Protection Regulation (GDPR) is set to take effect on May 25, and research suggests that while businesses are busy scrambling to fill data protection officer (DPO) vacancies, other areas of the organization, especially the legal department, could be taken by surprise.
According to logistics firm BDO, about half (48%) of legal team respondents in a recent survey claim GDPR is not applicable to their organization. Given that any US or foreign company that deals with EU citizens’ personal data – the definitions of which are not entirely clear – will be subject to the GDPR’s stringent requirements, that perception is likely not in line with reality.
“It behooves every organization – whether they touch EU personal data or not – to regularly review how information is used and managed to maximize its value and minimize risk,” said Karen Schuler, BDO National Information Governance practice leader. “GDPR is just the catalyst for a higher standard of data privacy and protection to which every company should aspire.”
This confusion comes as digital assets increasingly become corporate counsels’ purview: Among respondents whose organizations have a defined information governance program, 42% of those programs are led by legal, surpassed only by the CIO (47%).
At the same time, legal officers’ cyber-responsibilities continue to expand: 73% of respondents believe their boards are more involved in cybersecurity than they were 12 months ago. About a third (34%) of the counsel surveyed say their organizations will increase cyber-investment by 10% or more in the next 12 months.
The survey also uncovered that, to keep pace with mounting digital risks, almost half (46%) of senior counsel plan to increase their investment in information governance in the next 12 months.
“Ultimately, today’s corporate counsel must take a holistic view of their organization’s digital risk profile – assessing risk based on data flows, cross-functional interdependencies and global operations – and play a proactive, rather than reactive, role in risk-based strategic planning,” said Stephanie Giammarco, partner and BDO Technology & Business Transformation Services practice leader.
New research from SolarWinds MSP has revealed that whilst awareness surrounding cyber-attacks is increasing it is not equating to better preparedness, with confusion about the risks posed and a lack of means to defend against them evident.
The 2017 Cyberattack Storm Aftermath study, commissioned with the Ponemon Institute, surveyed 200 senior-level execs in the US and UK about emerging threats, specifically those propagated by the Vault 7 leaks and the WannaCry/NotPetya attacks fueled by the EternalBlue Shadow Brokers leak.
The results found that whilst the majority (69%) of respondents had a high awareness of both WannaCry and NotPetya threats, only 28% (WannaCry) and 29% (NotPetya) felt they would be able to prevent those attacks. What’s more, 44% of the respondents who were aware of the WannaCry patch failed to implement it, with that figure 55% for the NotPetya patch.
Speaking to Infosecurity, Tim Brown, VP of security, said that the key to prevention is applying the appropriate patches, but too many businesses are failing to make that connection.
“That shows a lack of knowledge on what the action plan associated with a vulnerability should be,” he added. “People often don’t think of basic security hygiene as one of the most important things they need to do, but it really is – although it’s really not easy. Doing the basics well is not ‘sexy’ or ‘cool’, it’s a lot of hard work that needs to get done, but no technology is going to really save you from that hard work.”
Another significant finding from the report was that more than half of execs felt they did not have sufficient budget to prevent, detect and contain significant cybersecurity threats.
“Budget is always an issue, and basically your security budget always first goes towards meeting your regulatory requirements. How you move the needle towards more security is always a challenge. You have to be able to explain in more business terms the ‘what if’ scenarios.”
To conclude, Larry Ponemon, founder of the Ponemon Institute, said the lack of knowledge among senior-level security execs highlighted in the report is worrying.
“They know that attacks are on the increase, but many don’t know what they are and seem unable to effectively prevent them,” he added. “Better use needs to be made of the resources available, such as US CERT alerts, and the service providers that most businesses are using to outsource protection. Those providers also need to step up and provide education on where most attacks are coming from and how they can be prevented.”
Twitter yesterday started banning all crypto-currency advertising in a bid to head off rising levels of fraud permeating the burgeoning industry.
A statement from the micro-blogging giant read as follows:
"We have added a new policy for Twitter Ads relating to a cryptocurrency. Under this new policy, the advertisement of Initial Coin Offerings (ICOs) and token sales will be prohibited globally."
According to reports, the ban will also stretch to ads from crypto-currency exchanges and wallet services, unless they come from publicly listed companies.
The decision by Twitter follows similar moves by Facebook and Google and follows rising levels of fraud and cyber-risk as investors rush to cash in on the crypto-currency digital gold rush.
One industry expert welcomed the news. Alexey Burdyko, CEO of blockchain company Play2Live, claimed the long-term impact should benefit the nascent crypto-currency industry by protecting its user base.
“One of the goals of dropping the ads is to protect investors from fraudulent, scam projects looking to take advantage of investors. These scammers are damaging trust in new token sales – so should this goal be achieved, trust will be rebuilt over time, and future crypto-launches will reap the rewards,” he told Infosecurity.
“The presence of scams in this space is beyond any doubt – they are out there, and they are finding ways of parting people from their money.”
An Ernst & Young report from January claimed that 10% of all ICO funds are stolen by hackers or fraudsters, amounting to almost $400m in losses thus far.
Phishing is particularly popular, with attackers scooping up to $1.5m per month by either tricking the recipient into making a fund transfer or handing over the private keys to their digital wallets.
Burdyko added that investors and ambitious start-ups will find a way around the social ads ban.
“The impact of the ban on crypto ads across social media may affect the level of engagement that new token-sale campaigns are receiving, as large-scale awareness will be harder to achieve,” he said.
“However, there are alternative means of promoting such projects, and those potential investors that are serious about backing new crypto-currencies will research and seek out the best new campaigns regardless of social media advertising.”
More than half (57%) of global IT leaders believe their mobile workers have been hacked over the past 12 months, with public Wi-Fi hotspots the prime location, according to iPass.
The connectivity solutions provider polled CIO and IT decision makers from the UK, US, Germany and France to compile its iPass Mobile Security Report 2018.
Almost all respondents (94%) believe BYOD has introduced greater security risk to the organization, with 81% noting Wi-Fi security incidents over the past year – in locations like cafes (64%), airports (60%) and hotels (52%).
These unsecured hotspots represent a goldmine for hackers to launch covert man-in-the-middle and other attacks designed to spread malware and harvest user log-ins.
Many of these security holes will be plugged by the forthcoming WPA3 standard, which will support individual data encryption tunnels, but there are caveats, according to Raghu Konka, iPass VP of engineering.
“As with any new standard, it will take some time before WPA3 becomes mainstream,” he told Infosecurity.
“For starters, the onus will be on every hotspot owner to make sure access points are WPA3 compatible. Even now there is no guarantee that every hotspot is using the latest level of encryption and that is unlikely to change even with WPA3.”
VPNs are the only sure-fire way to stay secure whilst on public Wi-Fi, he claimed.
However, UK IT leaders were least confident (38%) that their mobile workers are using a VPN every time they go online.
Despite this, almost half (42%) of them claimed to have no plans to ban the use of free Wi-Fi hotspots by employees – much higher than their counterparts in the US (9%), Germany (10%) and France (12%).
“UK organizations seemingly have no problem embracing mobile working, but when it comes to implementing a corporate policy around it they seem to be more laissez-faire. With heightened mobile security risks, they need to do a better job of enforcing secure mobile working policies,” continued Konka.
“Employees remain one of the biggest mobile security threats, so it is imperative organizations continually educate their mobile workforce about the dangers of free Wi-Fi, and encourage them to use measures such as corporate VPNs as second nature.”
There have been calls for an immediate independent review after a new Privacy International investigation revealed that police are secretly extracting large volumes of highly sensitive data from UK users’ phones – even those not suspected of any crime.
The Digital Stop and Search report builds on previous research from the Bristol Cable in January last year detailing how law enforcers were investing hundreds of thousands in intrusive UFEDs (Universal Forensic Extraction Devices) from the likes of notorious Israeli vendor Cellebrite.
Privacy International received FOI responses from 47 police forces and 26 of them (55%) admitted using the technology, with a further 17% trialing or planning to trial it. The data extraction has been going on in some form for over six years.
Such tools can find data even the user may not know they have on their device, including: emails, messages, GPS locations, call data, photos, contacts, calendar info, web browsing, social media accounts, online banking, health and fitness data, cloud storage and much more.
It is extracted from self-service kiosks at the police station, from frontline support service ‘hubs’ serving several forces, or via portable mobile phone extraction kits when out and about, the report revealed.
Privacy International’s concern is that data is often extracted without the user’s knowledge, stored insecurely and for an indefinite time, and taken not just from suspects but also victims and witnesses – even for investigations of low-level crimes.
There’s confusion among the police over the legal basis for this activity, stemming from a lack of national and local guidance, PI claimed.
This can lead to serious procedural failings. A 2015 report from the Police and Crime Commissioner (PCC) for North Yorkshire Police claimed that poor training led to practices which undermined prosecution of murder and sexual assault cases. It also found serious breaches of data security practices, including failure to encrypt citizens’ data and the loss of files.
Tottenham MP, David Lammy, claimed the lack of transparency around police use of these tools is a serious cause for concern.
“My review of our criminal justice system found that individuals from ethnic minority backgrounds still face bias in parts of our justice system, and it is only because we have transparency and data collection for everything from stop and search incidents to crown court sentencing decisions that these disparities are revealed and we are able to hold those in power to account,” he argued.
“Given the sensitive nature and wealth of information stored on our mobile phones there is significant risk of abuse and for conscious or unconscious bias to become a factor without independent scrutiny and in the absence of effective legal safeguards.”
PI solicitor, Millie Graham Wood, added that it’s highly disturbing the police have the power to take such sensitive information in secret from a user without even needing a warrant.
“The police are continually failing to be transparent with the thousands of people whose phones they are secretly downloading data from,” she argued.
“An immediate independent review into this practice should be initiated by the Home Office and College of Policing, with widespread consultation with the public, to find the right balance of powers for the police and protections for the public. Let’s be clear: at the moment, the police have all the power and the public have no protections.”
While adoption of cloud computing continues to surge, security concerns are showing no signs of abating. After several years of a downward trend, 90% of cybersecurity professionals confirm they are concerned about cloud security, up 11 percentage points from last year’s cloud security survey. The top cloud security challenges are protecting against data loss and leakage (67%), threats to data privacy (61%) and breaches of confidentiality (53%).
The 2018 Cloud Security Report from Crowd Research Partners, based on an online survey of cybersecurity professionals in the 400,000-member Information Security Community on LinkedIn, shows that a lack of qualified security staff and outdated security tools are significant obstacles to enabling a secure cloud posture at many enterprises. Only 16% of organizations report that the capabilities of traditional security tools are sufficient to manage security across the cloud, which is a 6% drop from 2017. A full 84% say traditional security solutions either don’t work at all in cloud environments or have only limited functionality.
Cybersecurity professionals are also struggling with visibility into cloud infrastructure security (43%), compliance (38%) and consistent security policies across cloud and on-premises environments (35%).
“While workloads continue to move into the cloud, the study reveals that cloud security concerns are on the rise again, reversing a multi-year trend,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the Information Security Community. “With half of organizations predicting a rise in cloud security budgets, protecting today’s cloud environments requires more and better trained security professionals and innovative, cloud-native security solutions to address the concerns of unauthorized access, data and privacy loss, and compliance in the cloud.”
When it comes to the biggest perceived threats to cloud security, misconfiguration of cloud platforms jumped to the No. 1 spot in this year’s survey as the single biggest threat. This is followed by unauthorized access through misuse of employee credentials and improper access controls (55%), and insecure interfaces or APIs (50%).
On the defense side, for the second year in a row, training and certification of current IT staff (56%) ranks as the most popular path to meet evolving security needs. Fifty percent of respondents use their cloud provider’s security tools, and 35% deploy third-party security software to ensure the proper cloud security controls are implemented.
Meanwhile, encryption of data at rest (64%) and data in motion (54%) top the list of the most effective cloud security technologies, followed by security information and event management (SIEM) platforms (52%).
And finally, 49% of organizations expect cloud security budgets to increase, with a median increase of 22%.
Bad bots are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, data theft, spam, digital ad fraud and downtime. In 2017, bad bots accounted for 21.8% of all website traffic, a 9.5% increase over the previous year. Good bots increased by 8.7% to make up 20.4% of all website traffic.
According to Distil Networks’ fifth annual Bad Bot Report, which details the analysis of hundreds of billions of bad bot requests at the application layer, gambling companies and airlines suffer from higher proportions of bad bot traffic than other industries, with 53.1% and 43.9% of traffic coming from bad bots, respectively. E-commerce, healthcare and ticketing websites meanwhile suffer from highly sophisticated bots, which are difficult to detect.
A full 83.2% of bad bots report their user agent as web browsers Chrome, Firefox, Safari or Internet Explorer; 10.4% claim to come from mobile browsers such as Safari Mobile, Android or Opera.
Additionally, 82.7% of bad bot traffic emanated from data centers in 2017, compared to 60.1% in 2016. The availability and low cost of cloud computing explains the dominance of data center use.
“This year bots took over public conversation, as the FBI continues its investigation into Russia’s involvement in the 2016 US presidential election and new legislation made way for stricter regulations,” said Tiffany Olson Jones, CEO of Distil Networks. “Yet as awareness grows, bot traffic and sophistication continue to escalate at an alarming rate. Despite bad bot awareness being at an all-time high, this year’s Bad Bot Report illustrates that no industry is immune to automated threats and constant vigilance is required in order to thwart attacks of this kind.”
For the first time, Russia became the most blocked country, with one in five companies (20.7%) implementing country-specific IP block requests. Last year's leader, China, dropped down to sixth place with 8.3%.
In terms of tactics, the analysis found that account takeover attacks occur two to three times per month on the average website, but immediately following a breach, they are three times more frequent, as bot operators know that people reuse the same credentials across multiple websites.
About 74% of bad bot traffic is made up of moderate or sophisticated bots, which evade detection by distributing their attacks over multiple IP addresses or simulating human behavior such as mouse movements and mobile swipes.
Also, bots can be distributed on multiple hosts to perform automated distributed denial of service (DDoS) but can also be "low and slow," use browser automation or other evasion techniques to bypass existing web application security controls, such as IP blacklisting and rate limiting.
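Two of the signals described in the report, a user agent that claims to be a mainstream browser while the request originates from hosting space, and a burst of login attempts against one account from many addresses, can be checked against ordinary web logs. The following is an added example, not code from the report or from Distil Networks; the log records, the "data center" address ranges and the thresholds are all constructed placeholders.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of access-log records (not real traffic):
# (timestamp, client IP, account targeted by a login attempt or "-", user agent)
SAMPLE_LOG = [
    ("2017-11-01T10:00:00", "203.0.113.10", "alice", "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"),
    ("2017-11-01T10:01:00", "203.0.113.11", "alice", "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"),
    ("2017-11-01T10:02:00", "198.51.100.7", "alice", "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"),
    ("2017-11-01T10:03:00", "192.0.2.20", "alice", "Mozilla/5.0 (Macintosh) Safari/604.1"),
    ("2017-11-01T10:05:00", "192.0.2.5", "bob", "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"),
    ("2017-11-01T10:06:00", "192.0.2.5", "bob", "Mozilla/5.0 (X11; Linux x86_64) Firefox/56.0"),
    ("2017-11-01T09:00:00", "192.0.2.30", "carol", "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"),
    ("2017-11-01T11:30:00", "192.0.2.31", "carol", "Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"),
    ("2017-11-01T10:07:00", "203.0.113.50", "-", "python-requests/2.18.4"),
]

# Placeholder ranges standing in for hosting/data-center address space.
# A real deployment would load a maintained list of provider prefixes here.
DATACENTER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Tokens a desktop-browser user agent is expected to carry.
BROWSER_TOKENS = ("Chrome", "Firefox", "Safari", "MSIE", "Trident")


def claims_browser(user_agent):
    """True if the user agent string presents itself as a mainstream browser."""
    return any(token in user_agent for token in BROWSER_TOKENS)


def from_datacenter(ip):
    """True if the address falls inside one of the configured hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def datacenter_browser_clients(records):
    """Client IPs that claim a browser UA yet originate from data-center space.

    Returned sorted so the result is stable for reporting and testing.
    """
    return sorted({ip for _, ip, _, ua in records
                   if claims_browser(ua) and from_datacenter(ip)})


def account_takeover_candidates(records, window=timedelta(minutes=10), min_ips=3):
    """Accounts hit by login attempts from >= min_ips distinct addresses
    inside any single time window; maps account -> max distinct IPs seen."""
    attempts = defaultdict(list)
    for ts, ip, account, _ in records:
        if account != "-":
            attempts[account].append((datetime.fromisoformat(ts), ip))

    flagged = {}
    for account, rows in attempts.items():
        rows.sort()
        best = 0
        for i, (start, _) in enumerate(rows):
            # Distinct source addresses within [start, start + window].
            ips = {ip for ts, ip in rows[i:] if ts - start <= window}
            best = max(best, len(ips))
        if best >= min_ips:
            flagged[account] = best
    return flagged


if __name__ == "__main__":
    print("browser UA from hosting space:", datacenter_browser_clients(SAMPLE_LOG))
    print("account takeover candidates:", account_takeover_candidates(SAMPLE_LOG))
```

On the constructed sample, three addresses present a browser user agent from the placeholder hosting ranges, and only the "alice" account sees enough distinct sources in one window to be flagged; the `python-requests` client is not counted by the first check because it makes no browser claim, which is why both signals are worth keeping. The window and threshold are starting points to tune against a site's own baseline rather than fixed rules.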
In the second half of 2017, nearly 40% of all analyzed industrial control systems (ICS) in energy organizations were attacked by malware at least once – closely followed by 35% of engineering and ICS integration networks.
The cybersecurity of industrial facilities remains an issue that can lead to very serious consequences affecting industrial processes, as well as business losses. While analyzing the threat landscape in different industries, Kaspersky Lab ICS CERT recorded that nearly all industries regularly experience cyber-attacks on their ICS computers. However, energy and engineering were attacked more than others.
The report found that for all other industries (manufacturing, transportation, utilities, food and healthcare) the proportion of ICS computers attacked ranged from 26% to 30% on average. The vast majority of detected attacks were accidental hits.
The sector that demonstrated the most noticeable growth of ICS computers attacked during the second half of 2017 (compared to the first half of 2017) was construction, with 31% attacked. The relatively high percentage of attacked ICS computers in the construction industry compared to the first half of 2017 could indicate that these organizations are not necessarily mature enough to pay the required attention to the protection of industrial computers. Their computerized automation systems might be relatively new, and an industrial cybersecurity culture is still being developed in these organizations, Kaspersky noted.
“The results of our research into attacked ICS computers in various industries have surprised us,” said Evgeny Goncharov, head of Kaspersky Lab ICS CERT. “For example, the high percentage of ICS computers attacked in power and energy companies demonstrated that the enterprises’ effort to ensure cybersecurity of their automation systems after some serious incidents in the industry is not enough, and there are multiple loopholes still there that cybercriminals can use.”
Meanwhile, the lowest percentage of ICS attacks – 15% – has been found in enterprises specializing in developing ICS software, meaning that their ICS research/development laboratories, testing platforms, demo stands and training environments are also being attacked by malicious software, although not as often as the ICS computers of industrial enterprises. Kaspersky Lab ICS CERT experts point to the significance of ICS vendors’ security, because the consequences of an attack spreading over the vendor’s partner ecosystem and customer base could be very dramatic.
Among the new trends of 2017, Kaspersky Lab ICS CERT researchers discovered a rise in mining attacks on ICS. This growth trend began in September 2017, along with an increase in the cryptocurrency market and miners in general.
“But in the case of industrial enterprises, this type of attack can pose a greater threat by creating a significant load on computers, and as a result, negatively affecting the operation of the enterprise’s ICS components and threatening their stability,” the firm noted.
Overall, from February 2017 to January 2018, cryptocurrency mining programs attacked 3% of industrial automation system computers, in most cases accidentally.
The number of vacancies for Data Protection Officers (DPOs) has surged by 709% since the rules of the General Data Protection Regulation (GDPR) were ratified nearly two years ago, according to Indeed.
The jobs site claimed in new figures that the nationwide recruitment drive has attracted the attention of job-seekers, with the number of candidates looking for such roles soaring 297% in the same period.
Appointing a Data Protection Officer is a key requirement of the new EU privacy laws, and failing to do so could result in a fine of up to 2% of global annual turnover or €10m, whichever is higher.
You will be required to appoint a DPO if you are a public authority, your core activities require “large scale, regular and systematic monitoring of individuals” or your core activities include “large scale processing of special categories of data or data relating to criminal convictions and offences.”
DPOs are essential to such organizations, responsible for monitoring internal compliance, advising on impact assessments and data protection obligations, and acting as a contact point for data subjects and the supervisory authority.
As highly skilled independent experts in data protection, they command a significant salary, currently standing at an average of £47,483 – nearly double the average UK wage of £27,600, according to Indeed.
With the GDPR compliance deadline of May 25 fast-approaching, one company has launched a virtual DPO service designed to help organizations get in line before the cut-off date.
An outsourced team of cybersecurity and risk mitigation lawyers work alongside ThinkMarble’s in-house security analysts and incident responders to offer bespoke GDPR compliance services to firms.
Research from 2017 found that a fifth (22%) of organizations still hadn’t hired a DPO, and that more than half (52%) of these firms weren’t planning to until the second half of 2018 or beyond.
Information commissioner, Elizabeth Denham, claimed last year: “it’s scaremongering to suggest that we’ll be making early examples of organizations for minor infringements or that maximum fines will become the norm.”
However, the regulator is likely to take a dim view of organizations which haven’t taken the basic step of appointing a DPO before the May deadline.
Iran has hit back at US sanctions levied in response to alleged attacks on hundreds of global universities and a media company for financial gain.
The Mabna Institute is said to have stolen 31TB of IP and other valuable data from over 300 educational institutions in the US, UK, Germany, Japan, Israel and elsewhere.
The US government claimed on Friday that the Iranian military effectively outsourced the hacking work to the Institute in order to help domestic universities and research organizations gain access to non-Iranian scientific resources.
“Iran is engaged in an ongoing campaign of malicious cyber activity against the United States and our allies. The IRGC outsourced cyber intrusions to The Mabna Institute, a hacker network that infiltrated hundreds of universities to steal sensitive data,” said US Treasury under secretary Sigal Mandelker.
The two founders of the Institute were among the 10 people indicted, meaning they could face extradition to the US if they travel outside of Iran and their assets are subject to seizure by the US authorities. The Institute itself was also placed under sanctions.
Tehran’s foreign ministry spokesperson, Bahram Quassemi, condemned the sanctions as provocative and illegal, according to the BBC.
“The US will definitely not benefit from the sanctions gimmick, aimed at stopping or preventing the scientific growth of the Iranian people,” he said in a statement.
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, claimed the naming and shaming of the individuals continues a trend of state-sponsored attack attribution.
“By applying sanctions quickly against the Iranian hacker network involved in this incident, the United States is signalling that any cyber-attack against the country will have consequences,” he added.
“It is another recent example of the US both calling out malicious state-sponsored cyber behavior and taking action against it. However, the sanctions applied by the US Treasury Department will have very limited effect on people without US-based assets or bank accounts.”
The UK government is aiming to capitalize on the rise in online threats to sell the nation’s cybersecurity expertise worldwide, despite heavy criticism in the past for its own security failings.
Published on Monday, the Cyber Security Export Strategy aims to support the ongoing work of the 2016-21 National Cyber Security Strategy, which committed £1.9bn of public spending to the sector.
The Department for International Trade (DIT) document sets out a plan to support UK companies bidding for contracts with overseas governments and critical national infrastructure (CNI) providers.
It also says the DIT will “curate bespoke offers for the top buyers” in six sectors highlighted as those set to receive the biggest security investment over the coming years, and that it will run trade missions and pitch UK companies to address identified capability gaps.
The third pillar of the DIT’s approach is to help improve global branding and marketing for UK cybersecurity companies, alongside new content on the great.gov.uk site.
The new strategy appears to be aimed primarily at supporting SMEs, which could otherwise struggle to make an impact on the global stage. It notes that UK Export Finance is available for those in need of financial support to export goods and services.
The new strategy could be seen as a response to Brexit, which experts have argued will have a hugely negative impact on the UK’s cybersecurity industry.
It’s already claimed that hiring of European practitioners is getting harder for UK firms, and there are question marks over information sharing and other region-wide agreements currently benefiting UK businesses, not to mention the tariff-free trade of the single market.
However, the sight of the government touting its cyber expertise around the globe is somewhat ironic given the parlous state of NHS cybersecurity. The health service was crippled by WannaCry ransomware last year, and in February a committee reported that all 200 Trusts had failed basic security tests.
In February 2017, parliament slammed the government’s cybersecurity efforts as uncoordinated, inconsistent and failing the wider public sector outside Whitehall.
However, most experts cautiously welcomed the new DIT strategy.
“It’s great to see the government acknowledge the strength of the UK cybersecurity sector. Against a backdrop of ever-evolving threats, growing digital transformation and regulatory pressures, there has never been such global demand for effective cybersecurity products and services,” said RedScan CTO, Andy Kays.
Thales eSecurity EMEA VP, Peter Carlisle, added that the strategy demonstrates a clear government commitment to collaboration with the private sector.
“By not only honing our skills here in the UK, but by exporting our expertise overseas too, this will ensure that we ward off attacks from foreign actors whilst simultaneously strengthening our own capabilities,” he claimed.
Others were more sceptical.
“The Cyber Security Export Strategy sends out a message in no uncertain terms that security is and will remain top of the agenda. With heightening tensions between foreign nations and an increasing risk of threat actors sabotaging businesses, governments, hospitals and schools, the UK has an opportunity to lead by example and grow an already burgeoning sector,” said Smoothwall corporate security specialist, Rob Wilkinson.
“But it smacks, too, of a country trying to rebuild its reputation following major breaches including WannaCry in the NHS, Petya and businesses like Wonga. A lot of work has to be done to keep organizations safe in this country as well as countries abroad.”
The criminal operation is reported to have hit banks in more than 40 countries and to have cost around €1 billion since it first appeared in late 2013. It began with the Anunak malware, which targeted financial transfers and the ATM networks of financial institutions; this was later updated to Carbanak, which was used until 2016.
“In all these attacks, a similar modus operandi was used,” the report said. “The criminals would send out to bank employees spearphishing emails with a malicious attachment impersonating legitimate companies. Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.”
International police cooperation, coordinated by Europol and the Joint Cybercrime Action Taskforce, was central to bringing the perpetrators to justice, with the group’s leader, coders, mule networks, money launderers and victims all located in different parts of the world.
Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said: "This global operation is a significant success for international police cooperation against a top level cyber-criminal organization.
“The arrest of the key figure in this crime group illustrates that cyber-criminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cyber-criminality.”
Craig Young, computer security researcher at Tripwire, said: “These attacks were among the most sophisticated publicly reported bank robberies. The attackers used their malware to embed themselves into financial institutions where they would study processes and mannerisms for months before making a move to steal money. This allowed the attackers to simulate legitimate behavior so that they could siphon millions of dollars from a single institution without immediately raising alarms.”
Ross Rustici, senior director of intelligence services at Cybereason, called this “positive news for cybersecurity across the globe” as the manner in which this individual was caught continues to demonstrate the importance of public-private partnerships and the global nature of cybercrime.
“The inclusion of police agencies in at least five different countries demonstrates how difficult it can be to track a single actor through all of their online activity and the jurisdictional challenges law enforcement faces while pursuing these criminals,” he said.
Lucas claimed that Trustico “is suffering significantly as a result of the misrepresentation of the position” and is considering its legal position with respect to these and other issues in an effort to set the record straight, “as it considers itself to have been unfairly and wrongly maligned.”
He claimed that Trustico was fully permitted under the terms of the Symantec subscriber agreement to take action to revoke certificates on customers’ behalf. After DigiCert refused to revoke, stating that it would do so only after either verifying control over the domain or receiving the private keys associated with the certificates, Trustico expressed to DigiCert its “significant discomfort with handing over the private keys to the certificates”, since the private keys are held by Trustico in trust and are therefore, it says, secure.
Given its concerns, Trustico, acting in what it considered to be the best interests of its customers, chose to disclose the private keys so that DigiCert would perform a revocation, as it was refusing to do so otherwise.
In an eight-point clarification, Lucas said that DigiCert knew that Trustico held (in trust) private keys of certain customers as a private key generating tool “has been a popular product offering for customers” and was developed in partnership with Symantec.
He added: “Trustico never deliberately exposed private keys. The revocation request was made in accordance with the Baseline Requirements and private keys were only provided under protest following DigiCert’s request for authentication purposes. Trustico intentionally provided private keys in a format which did not create risk to its customers.”
Lucas also said that customers were notified about the certificate revocations, but that some notices ended up in junk folders or were rejected by mail hosts, and that all affected customers had received a number of previous communications regarding the distrust issue.
“As the only party other than Trustico with access to the serial numbers for each certificate, only DigiCert was able to undertake a match of the keys provided to issued certificates (by reference to serial numbers),” Lucas said.
“Trustico believes there were no security concerns for customers in what it did. Providing the private key and serial number would have been a security concern; the provision of one but not the other did not present a risk.”
In the original story, the certificates issued by Trustico, acting as an SSL certificate authority (CA) reseller for Symantec, were revoked earlier this year after DigiCert chief product officer Jeremy Rowley said that Trustico “shared with us that they held the private keys and the certificates were compromised, trying to trigger the Baseline Requirement's 24-hour revocation requirement.”
At the time, Rowley said that Trustico had not provided any information about how the certificates had been compromised, or how it had acquired the private keys. “As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys.” He clarified that certificates were only revoked where the private keys were received.
In clarification, Trustico said that “private keys were only generated at our customers request through the private key generating tool; this service was optional” and that all data was stored “in accordance with its obligations under data protection law and company policy.”
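One check a practitioner will want on the serial-number point above: a certificate carries its own public key, so a private key can be matched to its certificate by comparing public keys, with no reference to the serial number, and certificates themselves are public (every publicly trusted one is logged to Certificate Transparency). The script below is an added example, not code from Trustico or DigiCert. It assumes PowerShell 7 (.NET Core 3.0 or later, for ExportSubjectPublicKeyInfo); the keys and certificates are generated in memory as test fixtures, and the function and variable names are this example's own.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example (not Trustico's or DigiCert's code): match a private key to
# its certificate by public key alone. Serial numbers are never consulted.
# Assumes PowerShell 7 / .NET Core 3.0+. All key material below is a
# constructed fixture, generated in memory.

function Get-SpkiFingerprint {
    # SHA-256 over the DER-encoded SubjectPublicKeyInfo. The same value is
    # obtained from a private key object and from the certificate's public
    # key, which is what makes the match possible without any other identifier.
    param([Parameter(Mandatory)][RSA]$Rsa)
    $spki = $Rsa.ExportSubjectPublicKeyInfo()
    $hash = [SHA256]::Create().ComputeHash($spki)
    return ([BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
}

function New-TestCertificate {
    # Self-signed test certificate. CreateSelfSigned picks a random serial
    # number, so nothing in this script ever knows it in advance.
    param([Parameter(Mandatory)][string]$Subject)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Subject", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $now  = [DateTimeOffset]::UtcNow
    $cert = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
    return [pscustomobject]@{ Subject = $Subject; PrivateKey = $rsa; Certificate = $cert }
}

function Find-CertificateForKey {
    # Return the certificate in $Certificates whose public key matches
    # $PrivateKey, or $null if none does.
    param(
        [Parameter(Mandatory)][RSA]$PrivateKey,
        [Parameter(Mandatory)][X509Certificate2[]]$Certificates
    )
    $want = Get-SpkiFingerprint -Rsa $PrivateKey
    foreach ($cert in $Certificates) {
        # GetRSAPublicKey is an extension method, hence the static call form.
        $pub = [RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($null -ne $pub -and (Get-SpkiFingerprint -Rsa $pub) -eq $want) {
            return $cert
        }
    }
    return $null
}

# Demo: three unrelated certificates and one leaked key. The matcher is handed
# only the certificates, as anyone could pull them from CT logs.
$fixtures = 'shop.example', 'mail.example', 'vpn.example' |
    ForEach-Object { New-TestCertificate -Subject $_ }
$pool   = [X509Certificate2[]]($fixtures | ForEach-Object { $_.Certificate })
$leaked = $fixtures[1].PrivateKey

$hit = Find-CertificateForKey -PrivateKey $leaked -Certificates $pool
if ($null -eq $hit) { throw 'no match found' }
"Key matched $($hit.Subject); serial $($hit.SerialNumber) was never needed"
"SPKI SHA-256 of the leaked key: $(Get-SpkiFingerprint -Rsa $leaked)"
```

To run the same match against real files on .NET 5 or later, load the key with `$rsa = [RSA]::Create(); $rsa.ImportFromPem((Get-Content key.pem -Raw))` and the certificates with `[X509Certificate2]::new('cert.pem')`, then call Find-CertificateForKey as above.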
Microsoft is getting tougher on clients that do not update their software, as its latest advisory outlines. The company has released further CredSSP updates for the security vulnerability CVE-2018-0886, which was originally patched on March 13 2018.
CVE-2018-0886 is a remote code execution vulnerability in CredSSP. An attacker who successfully exploited it could relay user credentials and use them to execute code on the target system. Microsoft’s patch addresses the vulnerability by correcting how CredSSP validates requests during the authentication process.
According to Microsoft’s latest advisory, from April 17 2018 the RDP update will improve the error message presented when an updated client fails to connect to a server that has not been updated. Microsoft recommends that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible.
The vulnerability was originally reported to Microsoft in August 2017 by Preempt. The company wrote that the flaw affected all Windows versions to date, and noted that the issue was far-reaching given that “RDP is the most popular application to perform remote logins.” Preempt cited its own research showing that almost all of its enterprise customers used RDP and were therefore at risk.
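The policy Microsoft refers to is the “Encryption Oracle Remediation” setting under Computer Configuration > Administrative Templates > System > Credentials Delegation, which Group Policy stores as a DWORD in the registry. The script below is an added example, not Microsoft’s code, for reading and setting that value on a machine directly; it assumes the registry path and value name (AllowEncryptionOracle, 0/1/2) follow Microsoft’s published guidance for CVE-2018-0886, and that it is run in an elevated Windows PowerShell session. The function names are this example’s own.

```powershell
# Added example, not Microsoft's code: inspect and set the CredSSP
# "Encryption Oracle Remediation" policy for CVE-2018-0886 via the registry
# value Group Policy writes for it. Assumption: value name and meanings as in
# Microsoft's guidance for this CVE. Run elevated on Windows.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

# 0 = Force updated clients: patched clients refuse unpatched servers, and
#     patched services refuse unpatched clients (the strict setting).
# 1 = Mitigated: patched clients refuse unpatched servers, but services
#     still accept unpatched clients.
# 2 = Vulnerable: pre-patch fallback behaviour; re-exposes CVE-2018-0886.
$Modes = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }

function Get-CredSspOracleState {
    # Report the configured mode, or say so if the value has never been set.
    $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'Not configured (effective behaviour depends on which CredSSP updates are installed)'
    }
    $raw  = [int]$item.$ValueName
    $name = ($Modes.GetEnumerator() | Where-Object Value -eq $raw | Select-Object -First 1).Key
    if (-not $name) { $name = 'Unknown' }
    return "$name ($ValueName=$raw)"
}

function Set-CredSspOracleState {
    # Write the mode as a DWORD, creating the key if Group Policy never has.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$Mode
    )
    if ($Mode -eq 'Vulnerable') {
        Write-Warning 'Vulnerable re-exposes CVE-2018-0886; use only as a short-lived compatibility measure.'
    }
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name $ValueName -Value $Modes[$Mode] `
        -PropertyType DWord -Force | Out-Null
    Get-CredSspOracleState
}

# Usage: inspect, then enforce. Patch the servers before forcing clients,
# otherwise updated clients will refuse to connect to the unpatched servers.
Get-CredSspOracleState
Set-CredSspOracleState -Mode Mitigated
```

Where the setting is managed centrally, prefer the Group Policy object to a local registry write, since the next policy refresh will overwrite a local value; the script is useful for auditing a fleet (for example wrapped in `Invoke-Command`) and for standalone machines.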
The Internet Engineering Task Force (IETF) has approved version 1.3 of the Transport Layer Security (TLS) protocol. The protocol allows client/server applications to communicate over the internet in a way designed to prevent eavesdropping, tampering and message forgery.
The IETF is a body of engineers from all over the world who collaborate on standards like this – and its approval of TLS 1.3 has been long in coming – over four years and 28 drafts.
According to the draft document published on March 20, TLS 1.3 has several major differences from its predecessor: legacy algorithms have been removed; a 0-RTT mode has been added; all public-key-based key exchange mechanisms now provide forward secrecy; all handshake messages after the ServerHello are now encrypted; and the key derivation functions have been redesigned, allowing easier analysis by cryptographers thanks to improved key separation properties.
There may be concerns about 0-RTT data, as its security properties are weaker than those of other kinds of TLS data. Specifically, the document states: “This data is not forward secret, as it is encrypted solely under keys derived using the offered PSK.
“There are no guarantees of non-replay between connections. Protection against replay for ordinary TLS 1.3 1-RTT data is provided via the server's Random value, but 0-RTT data does not depend on the ServerHello and therefore has weaker guarantees. This is especially relevant if the data is authenticated either with TLS client authentication or inside the application protocol.”
The document goes on to say that 0-RTT data cannot be duplicated within a connection (i.e. the server will not process the same data twice for the same connection) and that an attacker will not be able to make 0-RTT data appear to be 1-RTT data, because it is protected with different keys.
One week after the Cambridge Analytica data breach went public, Facebook continues to lose its users’ trust as many move to delete their accounts. For many users the surprises keep coming: they were shocked to find that Facebook had been collecting call and SMS logs.
According to Ars Technica, a user from New Zealand, Dylan McKay was looking through data Facebook had collected, which he had downloaded from the social network site. While scanning through information the tech giant had about his contacts, McKay discovered that Facebook had about two years’ worth of phone call metadata from his Android phone, including names, phone numbers and the length of each call made or received.
Since McKay’s original post, many other users have shared similar findings from their own Facebook data archives.
Following the report by Ars Technica, Facebook posted a blog on March 25 2018, which said: “You may have seen some recent reports that Facebook has been logging people’s call and SMS (text) history without their permission. This is not the case.
“Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about and provides you with a better experience on Facebook. People have to expressly agree to use this feature. If at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.
“We introduced this feature for Android users a couple of years ago. Contact importers are fairly common among social apps and services as a way to more easily find the people you want to connect with. This was first introduced in Messenger in 2015, and later offered as an option in Facebook Lite, a lightweight version of Facebook for Android.”
The blog goes onto say that Facebook never sells the data, and the feature does not collect the content of users’ text messages or calls.
A panel of industry experts gathered at Cloud Security Expo 2018 this week to discuss the threat of ransomware, strategies for defending against it and what the future might hold for a malware type that has notoriously caused so much damage to so many victims.
Moderator: Adrian Davis, managing director EMEA, (ISC)2
Paul Edmunds, head of technology, National Cyber Crime Unit
Paul Holland, information security leader, Hiscox
Kiran Bhagotra, CEO/founder, ProtectBox
Opening the discussion, Davis asked the panel whether they thought ransomware was the biggest threat to data security, and why.
Kiran Bhagotra: “My answer would be no, and the reason for that is you need a holistic approach to cybersecurity – you need people, you need process, and then the technology. Ransomware is a malware, but there are various malware delivery methods, so the actual cause of the problem is the thing that delivers it.”
Paul Edmunds: “The thing about 'threat' is that it’s different from risk. In the wild, ransomware probably is the biggest threat.”
Paul Holland: “I’m going to say no – I’ve not seen it as the biggest threat the whole time. For me the biggest threat has always been the insider, for various different reasons. Ransomware is obviously a very big threat though and when it hits, it hits you really badly.”
Davis then asked the panel if headlines about ransomware can make it seem a greater threat than it realistically is.
Paul Holland: “We saw that with WannaCry and NotPetya last year – the fact it got so much press and publicity means everybody knows about it, whereas a lot of the other threats people aren’t particularly aware of.”
Kiran Bhagotra: “I think the thing that publicity has done is help people understand what malware is, and because they know what it is but they then can’t tackle it, that’s where this whole ‘voodoo’ thing comes about that ransomware is the biggest threat.”
Moving the discussion on, Davis asked what tools are available to best defend against ransomware.
Paul Holland: “It certainly comes down to patching your systems. If your systems are up-to-date then the ransomware isn’t really going to be able to get hold of them in the first place. It’s also about the awareness of your insiders and training your own staff to make them understand what’s going on and stop them clicking on links.”
Paul Edmunds: “There is this thing about defense in depth, and that perimeter security is not good enough. You have to have strategies in place to at least contain the effect and impact of ransomware.”
To conclude, Davis asked the panel what the next-generation of threats will be, and if cyber-criminals are evolving quicker than defenses are.
Paul Edmunds: “There are a lot of problems now around the connected network, and the fact that mobile malware is being seen now and becoming more prominent. There’s just a growth in vulnerabilities and different attack vectors.”
Kiran Bhagotra: “I don’t think cyber-criminals are moving faster than us, but they just know how we all function. They’re very good at knowing where the weak spot is and they’re very organized about the manner they go about things. I don’t think we’re quite as coordinated as they are.”