Feed aggregator

Cyber Is a Boardroom Issue in 2018

Info Security - Tue, 10/30/2018 - 15:31

Based on studies and interviews with corporate board members and chief information security officers (CISOs), the Cyber Balance Sheet, published by Focal Point Data Risk and produced by the Cyentia Institute, found that boardrooms are engaging in more conversations about security.

While the talks about cyber risk are more commonplace, the C-suite and security leaders are still struggling to effectively translate security risks into an effective decision-making framework that enables the business to operate within its proper risk appetite.

Not surprisingly, the report found that many organizations lack a formal cyber-risk appetite. Years of data breach headlines increase awareness, but less than half of respondents could describe their organization’s cyber-risk appetite quantitatively. This gap revealed why leaders second-guess and struggle to effectively weigh risks of new technologies, supply chains and other change factors.

In addition, metrics reportedly muddy what matters when it comes to boardroom reporting. Security leaders continue to share statistics like “compliance status” and “security program maturity.” Despite the need for decision makers to act swiftly with regard to risks from third parties and supply chains, those topics are less frequently included in the stats shared with the board.

As a result, the report found that finding the balance of topic coverage that yields the necessary return on reporting remains a problem. To fix the metrics puzzle, boards are pressing CISOs to find new reporting metrics that spur the most strategic, valuable returns in resourcing and evolving cybersecurity.

“This year’s Cyber Balance Sheet Report dispels the ‘cyber is a boardroom issue’ cliché by showing that not only have board members already received the cyber risk message loud and clear, they are actively initiating more discussion about breaches and threats that could upend their organizations,” said Andrew Cannata, Focal Point’s CISO and national cybersecurity practice leader, in a press release.

“The more important issue uncovered by the research is that this surge of interest – while commendable – seldom resolves executives’ two most important questions: ‘What is our risk appetite?’ and ‘Are we operating in or out of this comfort zone?’ When these questions are buried or unanswered, it becomes a recipe for miscalculation and false assurances. Helpfully, security teams and business leaders can use the report’s anecdotes and data to revisit how they frame risk management with leadership.”

Categories: Cyber Risk News

States Average a C- in Election Security

Info Security - Tue, 10/30/2018 - 15:05

Results of the Election Cybersecurity Scorecard, published by the Center for Strategic & International Studies (CSIS), found that states average a C- in election security. In a live webcast from the CSIS headquarters today, panelists discussed the results of the scorecard and what it means for election security. The panel looked at the progress made since the 2016 election and the gaps that remain.

In evaluating election security, CSIS identified four categories: campaigns, voter registration and election management systems, voting systems and election night reporting. The scorecard ranked threats by four degrees ranging from moderate to extreme.

According to the scorecard, the greatest threats exist in the ongoing attacks that target campaigns. “In 2018, cyber attacks by Russian hackers have allegedly targeted multiple Congressional campaigns, including Senator Claire McCaskill,” the CSIS wrote. Of all four categories, campaigns had the highest risk, with a "severe" rating.

In part, the inconsistency of security is a contributing factor to the severe risk level. “Cybersecurity practices for political campaigns remain inconsistent, although efforts by Department of Homeland Security (DHS) and the FBI to provide cybersecurity training and support to campaigns have had some effect. Extremely tight budgets, mostly-volunteer staffs, poor cybersecurity awareness, and the use of distributed, ad-hoc systems by campaigns have made improving campaign security difficult in spite of significant publicity around attacks on campaigns and campaign officials, particularly for local and state elections,” the scorecard said.

In the remaining three categories, the risk is serious, though the CSIS found that security in voter registration and election management systems and voting systems is improving. However, the security of election night reporting was rated as "weak."

Overall, the CSIS found that while elections in the US are vulnerable to cyber-threats, “we are not investing in strong security.” Despite the lack of investment and the continued attempts to exploit vulnerabilities in campaigns and voting systems, progress is being made.

CSIS found that 44 states participated in a DHS exercise to practice incident response plans and information sharing. In addition, all 50 states are now members of Multi-State Information Sharing & Analysis Center (MS-ISAC), and 548 state and local election organizations are members of Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).

“The real risk here is around system vulnerabilities. The first step in protecting these critical systems is admitting that they are all vulnerable and looking for one tool or piece of software is not the answer," said Jon Check, senior director, cyber protection solutions, Raytheon. "While reports show that it would be extremely difficult for an adversary to change the outcome of a national election by hacking into voting machines and changing enough votes, past hacks have proven our election integrity is far from secure. 

"But it’s not all doom and gloom. The more data we mine and conversations we start around election security, the more we can help solve the awareness issue. We need to build back confidence in the security of our systems, which will involve industry and government partnerships to harden voting systems and build up better network resiliency. It will take a combination of these partnerships, good cyber-hygiene and proven tools to ensure secured elections and restore our citizens' faith in our electoral process.”

Categories: Cyber Risk News

UK Construction Firms Hemorrhage Log-Ins to Dark Web

Info Security - Tue, 10/30/2018 - 12:30

Over 600,000 breached corporate log-ins belonging to staff at the UK’s leading construction, architecture and property firms are available for sale on the dark web, according to RepKnight.

The cyber intelligence firm used its BreachAlert dark web monitoring tool to locate the credentials. Over 450,000 were from construction firms, 110,000 were from architecture practices and just over 47,000 were linked to property developer businesses.

A spokesperson confirmed to Infosecurity that most of these likely found their way onto the dark web via breaches of third-party sites employees had signed up to using their corporate email.

As RepKnight warned, these log-ins could be used by hackers to access a trove of sensitive corporate IP including tenders, proposals, plans and client data.

There’s also a risk that attackers could locate stores of customer data, representing a risk to GDPR compliance.

One strategy highlighted by RepKnight was for attackers to use the log-ins to covertly access the corporate email accounts of targeted individuals, selected perhaps after some LinkedIn-based research because of the role they have with the company.

They could then set up redirects to accounts under their control. The vendor claimed to have recently discovered a client who had over 5000 emails redirected to a malicious third party in just a five-day period.

“With the growth in digital information sharing across the construction project lifecycle, the possibility of a data breach occurring at some stage becomes ever more real,” argued RepKnight cybersecurity analyst, Patrick Martin.

“Because of this, these firms must ensure that they have ‘high visibility’ of their data at all times and have safety measures in place to protect it — especially because most of their sensitive data often lives outside the firewall. Monitoring for cyber-attacks or data breaches inside their corporate network is no longer enough, as it is possible that a breach can happen anywhere across the entire supply chain of your business.”

The findings call to mind separate research from the firm in January this year which revealed over one million corporate email addresses belonging to 500 of the UK’s top law firms, 80% of which had an associated password.

Alongside multi-factor authentication, use of password managers and strong authentication security policies, firms can consider dark web intelligence services to scan for compromised credentials.

Categories: Cyber Risk News

GDPR Alert as Average ICO Fines Double in a Year

Info Security - Tue, 10/30/2018 - 12:05

The value of fines issued by the Information Commissioner’s Office (ICO) has increased 24% in the year to September 30 versus the previous year, according to new data.

Law firm RPC calculated that the total cost of financial penalties issued by the UK’s data protection watchdog stood at £4.98m, up from £4m in the previous 12 months.

The average fine doubled, to £146,000, in another timely reminder for firms to ensure they pay attention to GDPR compliance.

The law firm believes the new EU-wide privacy law, introduced in May this year, will result in higher fines for large firms. However, SMEs should be spared, in the short-to-medium term at least, and the ICO will not deliberately single out firms to make an example of them.

RPC partner, Richard Breavington, described the hike in fines as a “wake-up call” to businesses.

“Given that there seems to be no slowdown in the number of cyber-attacks today, businesses need to see how they can mitigate the risks to their customers when there is an attack,” he added.

“For example, businesses should ensure that they take out cyber insurance policies so that they can bring in experts to contain the impact of an attack and limit the exfiltration of data.”

Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK & Ireland, argued that the ICO fine is just one aspect of data breach costs to consider.

“We must also consider the cost that a recovery, compensation claim, reputational damage or potential loss of customers can have,” she added.

“Changes in data protection legislation aim to give individuals more ownership and control over what’s happening to their personal data. The focus needs to be on the interests and rights of data subjects — employees, customers and all stakeholders: everyone you come into contact with. Their interests need to be the principal focus if companies are to avoid hefty fines.”

Categories: Cyber Risk News

US Bans Exports to Chinese DRAM-Maker

Info Security - Tue, 10/30/2018 - 10:00

The stand-off between the world’s two superpowers continued this week as the US banned exports to a Chinese tech manufacturer on national security grounds.

As of October 30, Fujian Jinhua Integrated Circuit Company will be added to the Entity List because it poses a “significant risk of becoming involved in activities that are contrary to the national security interests of the United States.”

The Fujian-based DRAM maker is nearing completion of a vast $5.7bn wafer-manufacturing plant, which will help drive the Made in China 2025 strategy of self-reliance. Chips are one key area where the country's leaders believe it is too reliant on US parts at the moment.

However, Fujian Jinhua is currently locked in a legal dispute with its main rival, US chip maker Micron Technology, over IP theft.

The Commerce Department appeared to side with Micron in its statement, claiming that the “likely U.S.-origin technology” to be produced at the new Fujian plant would threaten “the long term economic viability of U.S. suppliers of these essential components of U.S. military systems.”

“When a foreign company engages in activity contrary to our national security interests, we will take strong action to protect our national security,” said commerce secretary, Wilbur Ross. “Placing Jinhua on the Entity List will limit its ability to threaten the supply chain for essential components in our military systems.”

In many ways the issue represents a microcosm of the overall US-China dispute, in that the former is belatedly reacting to years of state-sponsored IP theft by the latter.

However, cutting off the supply chain is unlikely to change the long-term trend — if anything it will accelerate Xi Jinping’s push for China’s total self-reliance in technology.

The move calls to mind the ban on exports slapped on ZTE after it broke sanctions on sales to Iran and then lied about it. Although temporarily lifted, that imposition could have forced the telecoms firm out of business, it was claimed at the time.

Categories: Cyber Risk News

Budget 2018: UK private finance changes must not derail current projects

Outlaw.com - Mon, 10/29/2018 - 18:13
Changes to the way private sector investment is used for public infrastructure projects in the UK must not delay essential existing and planned projects, an expert has warned.
Categories: Cyber Risk News

IBM to Acquire Red Hat for $34bn

Info Security - Mon, 10/29/2018 - 17:14

In what it is calling the “most significant tech acquisition of 2018,” IBM announced today that it will acquire Red Hat, a global provider of open source cloud software.

The two companies have finalized an agreement subject to Red Hat shareholder and regulatory approvals, which is expected to close in late 2019. According to IBM, the “acquisition will be free cash flow and grow margin accretive within 12 months, accelerate revenue growth and support a solid and growing dividend.” The total value is approximately $34bn, with IBM paying out $190.00 in cash per share. The deal is reportedly IBM’s largest deal ever and the third-largest in the US tech industry, said CNBC.

In an interview with CNBC, IBM CEO Ginni Rometty said, “This is all about resetting the cloud landscape, and this is to create the number-one company that will be the number-one cloud provider.” As more organizations continue to transition their workloads to the cloud, cloud providers will need to be hybrid and able to handle multi-cloud environments.

As reported by IBM and confirmed by Red Hat, Red Hat will continue to operate as a distinct unit within IBM’s hybrid cloud team. Red Hat has always been and will continue to be open source, according to Jim Whitehurst, CEO of Red Hat, who will join IBM’s senior management team. In discussing the deal, Whitehurst said that Red Hat is a neutral sell that works across all platforms. For customers, the deal is not only about maintaining choice and running across all platforms but also about being able to build unique offerings.

"Open source is the default choice for modern IT solutions, and I'm incredibly proud of the role Red Hat has played in making that a reality in the enterprise," said Whitehurst in a press release. "Joining forces with IBM will provide us with a greater level of scale, resources and capabilities to accelerate the impact of open source as the basis for digital transformation and bring Red Hat to an even wider audience – all while preserving our unique culture and unwavering commitment to open source innovation."

“Linux is now the number-one platform not just on prem. It is the number-one destination in the cloud,” Rometty said. “So now we own the platform and the destination.”

Categories: Cyber Risk News

Hackers Target Fortnite with V-Buck Scams

Info Security - Mon, 10/29/2018 - 16:30

According to new research released by ZeroFOX, Fortnite has become a hotbed for scammers targeting the in-game currency of the popular online game. Between early September and early October, ZeroFOX generated more than 53,000 alerts related to Fortnite scams, of which 86% came from social media and 11% from web domains, according to today’s blog post.

Fortnite is free to play, which ZeroFOX said is a driving force for many gamers; however, players can make in-game purchases with the game’s V-Buck currency. Despite each individual transaction only costing a few dollars, Fortnite is reportedly making an estimated $300 million a month on in-game purchases, making this an increasingly attractive target for scammers, who are looking to trick users into getting their V-Bucks on the cheap or even for free. Of the game's estimated 43 million players, all of whom are required to be at least 12 years old, many are falling victim to the scams, according to the research.

While the V-Bucks are only available through Fortnite, scammers have reportedly crafted fraudulent coupon sites and “V-Buck generators” to trick players into sharing personal information that includes their game credentials, credit card information and home addresses, said ZeroFOX.

“Games with a microeconomy, especially Fortnite, are prime targets for attackers to leverage their security attacks, scams and spam against,” said Zack Allen, director of threat operations at ZeroFOX. “These economies are a great way to make money without attracting too much attention to yourself because of the lack of regulation and the nuances of the economy (try describing a 'V-Buck' to any local law enforcement officer, you most likely will get a blank stare).

“Due to the professionalism of these sites and the relative ease it takes to make a new website, players should be especially aware because a scam can turn into something malicious quickly. Surrendering your username and password in a phishing attack or downloading and executing malware are not out of reach in terms of probability for these websites.”

Categories: Cyber Risk News

EFF Says DMCA Expansion Doesn't Go Far Enough

Info Security - Mon, 10/29/2018 - 13:21

Security researchers can now examine more infrastructure and other complex systems without the fear of legal consequences, according to Zero Daily. A rule by the Library of Congress's Copyright Office has expanded the ability of security researchers to discover vulnerabilities that threaten digital security.

The Federal Register said that the rule went into effect October 28, 2018, and gives this summary of it: “The Librarian of Congress adopts exemptions to the provision of the Digital Millennium Copyright Act (DMCA) that prohibits circumvention of technological measures that control access to copyrighted works, codified in the United States Code. As required under the statute, the Acting Register of Copyrights, following a public proceeding, submitted a Recommendation concerning proposed exemptions to the Librarian of Congress. After careful consideration, the Librarian adopts final regulations based upon the Acting Register's Recommendation.”

However, the Electronic Frontier Foundation (EFF) said the ruling does not go far enough, stating that the exemptions are still too narrow and complex. Before the final ruling, EFF submitted a request for exemptions and explained: “We cited a broad range of examples where Section 1201 interfered with people’s use of their own digital devices. But the Office expanded the exemption only to 'smartphone[s],' 'home appliance[s],' and 'home system[s], such as a refrigerator, thermostat, HVAC or electrical system.'”

In requesting that the Copyright Office work toward improving exemptions, EFF legal director Corynne McSherry said, “It’s absurd that a law intended to protect copyrighted works is misused instead to prevent people from taking apart or modifying the things they own, inhibit scientists and researchers from investigating safety features or security enhancements and block artists and educators from using snippets of film in noncommercial ways. The exemption process is one highly flawed way of alleviating that burden."

While EFF supports the changes, the organization remains steadfast in its position that DMCA is an unconstitutional restriction on freedom of speech and added, “EFF represents entrepreneur Andrew 'bunnie' Huang and Professor Matthew Green in a lawsuit seeking to overturn Section 1201. Having finished this year’s rule-making, we look forward to continuing that case.”

Categories: Cyber Risk News

Girl Scouts Alerted to Possible Data Breach

Info Security - Mon, 10/29/2018 - 11:15

Thousands of members of the Girl Scouts in California may have had their personal information stolen after one of its official email accounts was accessed by an unauthorized third party last month.

Reports suggest that as many as 2800 Girl Scouts in Orange County may have been affected in an incident which lasted just a day.

Affected information could include names, email and home addresses, driver’s license details, insurance policy numbers and health history information.

Those hit by the breach were contacted last week.

They were told that the attack began on September 30 when an unauthorized third party gained access to an official Girl Scouts Orange County Travel email account, which was used to “send emails to others” — presumably phishing emails.

“Some of the emails stored in this account, which included emails with dates as far back as 2014 through October 1, 2018, contained information about our members,” the note explained. “Out of an abundance of caution, we are notifying everyone whose information was in this email account.”

The anonymous third party had access to the account for only one day from September 30 to October 1 this year.

Identity data belonging to children is particularly attractive to hackers as it can often be monetized more easily before the alarm is raised.

That’s because there are often limited financial records associated with the identities of minors, making it easier to open new fake accounts in their name.

In 2017, over a million US children were affected by identity fraud, resulting in losses of $2.6 billion and families forced to pay $540 million, according to research from Javelin Strategy & Research earlier this year.

The report claimed that 60% of child identity fraud victims know the fraudster, versus just 7% of adult victims.

Categories: Cyber Risk News

Canadian Crypto-Exchange Shutters After $6m ‘Hack’

Info Security - Mon, 10/29/2018 - 10:23

Customers of a little-known Canadian cryptocurrency exchange are set to lose all their coins after hackers allegedly made off with around $6m, although some suspect an exit scam.

MapleChange took to Twitter on Sunday morning to claim that it had “sustained a hack” and was investigating the issue.

“Due to a bug, some people have managed to withdraw all the funds from our exchange. We are in the process of a thorough investigation for this,” it continued in a separate tweet soon after. “We are extremely sorry that it has to come to end like this. Until the investigation is over, we cannot refund anything.”

The firm confirmed that it was unable to refund any Bitcoin or Litecoin funds, but that it was trying to do so for other currencies, asking customers to PM their details.

“We are sending all of the coin developers the wallets containing the coins we have left. So far, LMO and CCX have been handed over the funds,” it said.

Around 913 BTC ($5.8m) was apparently ‘stolen’ in the raid, with some reports suggesting that this might actually be an exit scam.

Although the firm still appears to be active on Twitter, its domain is now defunct.

“There is no incentive for using small exchanges. Use established exchanges that are regulated, & transparent,” tweeted cryptocurrency analyst, Joseph Young.

“Small exchanges also focus on maximizing profitability, not security or investor protection.”

Changpeng Zhao, CEO of the world’s biggest Bitcoin exchange, Binance, argued that customers should steer clear of exchanges which don’t store funds in cold wallets. These are typically more secure than hot wallets as they’re not connected to the internet.

“Avoid using exchanges that doesn't have anything in their cold wallets,” he tweeted.

It’s unclear how many customers MapleChange has, but its Twitter account has fewer than 2,000 followers, versus 236,000 for Binance’s Zhao.

Categories: Cyber Risk News

Facebook Removes Scores of Fake Iran-Linked Accounts

Info Security - Mon, 10/29/2018 - 09:43

Facebook revealed on Friday that it has removed 82 Pages, Groups and accounts linked to Iran which it said were spoofed to appear as if run by US and UK citizens.

In total, the social network took down 30 Pages, three Groups and 33 accounts on Facebook, as well as 16 accounts on Instagram — accusing them of “coordinated inauthentic behavior.”

“The Page administrators and account owners typically represented themselves as US citizens, or in a few cases UK citizens — and they posted about politically charged topics such as race relations, opposition to the President, and immigration,” explained head of cybersecurity policy, Nathaniel Gleicher.

“Despite attempts to hide their true identities, a manual review of these accounts linked their activity to Iran. We also identified some overlap with the Iranian accounts and Pages we removed in August.”

Facebook’s initial research seems to indicate limited exposure for the content: around one million accounts are said to have followed at least one of the Pages, around 25,000 accounts joined at least one of the Groups, and more than 28,000 accounts followed at least one of the Instagram accounts in question.

In addition, those behind the spoof accounts spent less than $100 in advertising, and of the seven events hosted, only 110 people expressed an interest in at least one event, it said.

However, separate reports claim slightly different findings: Facebook page I Need Justice Now had more than 13 million video views, the Digital Forensic Research Lab told the BBC.

The social network claimed it now has over 20,000 employees working specifically on safety and security, with AI tools also helping to detect fake accounts.

The revelations come just days before the crucial midterm elections in the US and during ongoing Brexit-related tensions in the UK.

Categories: Cyber Risk News

Election Security Is Risky at State and Local Levels

Info Security - Fri, 10/26/2018 - 14:26

As the 2018 midterm elections near, many remain concerned about the security of election infrastructure at the national level, though Steve Grobman, CTO at McAfee, said the realistic security risk lies in an attacker tampering with information and targeting individual counties and states.

“A realistic attack wouldn’t require mass voting manipulation or the hacking of physical machines. Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels,” Grobman wrote in an October 24 blog post.

Because attackers look for the easiest point of entry that will yield the most effective results, hackers are more likely to have success by targeting specific states or congressional districts by spoofing the domains, according to Grobman. McAfee found 20 key swing states that have non-government domains, each of which could easily be spoofed to spread misinformation.

“Government websites in general are popular targets of malicious campaigns because they make bad actors’ jobs easy,” said Mike Bittner, digital security and operations manager of The Media Trust. “They are too often poorly secured, third parties/contractors that support them, who often have even poorer security measures, and the people and organizations that use them enter a lot of sensitive information.

“The root cause of these sites' insecurity is increasingly strapped budgets that prevent government organizations from replacing legacy systems and machines with new ones or making needed updates. Given the extensive use of these sites and the sensitive information they receive, county governments should thoroughly vet their third parties, audit third parties' security measures, continuously scan their sites in real time and work closely with their third parties on identifying and foiling any unauthorized activities.”

States must also protect voter registration systems, poll books, vote tabulation, publishing systems and more, said RiskSense CEO Srinivas Mukkamala. Assessing devices, applications, databases and networks for vulnerabilities, missing patches and misconfigurations is often beyond their capabilities, which is why Mukkamala proposed AI-assisted penetration testing – a service that is already in use in some states – as a solution to the election security problem.

“While internet-connected systems used for online voter registration and election-night reporting have a significant attack surface, an end-to-end assessment of election systems is needed to understand which vulnerabilities truly matter,” said Mukkamala.

Amitai Ratzon, CEO of Pcysys, agreed but added, "Automated penetration testing is the simplest measure to help prevent election hacking. It can be implemented across networks seamlessly and with ease, is agent-less and operates 24/7."

Categories: Cyber Risk News

CISOs Challenged by Budget and Rise in Attacks

Info Security - Fri, 10/26/2018 - 14:00
CISOs Challenged by Budget and Rise in Attacks

Having a lack of influence in the boardroom is one reason why 84% of CISOs in North America believe there is no way to avoid a cybersecurity breach, according to a new report from Kaspersky Lab.

Results from the report What It Takes to Be a CISO: Success and Leadership in Corporate IT Security, an annual survey conducted by PAC on behalf of Kaspersky Lab, revealed that the job of the CISO is made increasingly difficult because cyber-threats continue to rise while organizations embark upon their digital transformation journeys. Of the 250 IT decision makers who participated in the survey, 57% said that the complexity of cloud and mobility infrastructures is their top challenge.

The second-greatest challenge was not far behind, with 54% citing managing personal data and sensitive information as a primary problem. The third-ranked top challenge reported by 50% of respondents was the continued rise in cyber-attacks.

When it comes to the threats themselves, financially motivated criminal gangs are viewed as the greatest IT security risk by 40% of respondents, while 29% are concerned about malicious insider threats, particularly as CISOs see these threats as extremely difficult to prevent.

Because they lack influence in the boardroom, CISOs reported that justifying the budgets needed to effectively protect the organization is difficult. Though the pressure to defend against cyber-threats continues to mount, CISOs are faced with significant budget challenges because they can’t guarantee a clear return on investment (ROI), the report said. As a result, 36% of CISOs are unable to secure the IT security budgets they need because they can’t promise that the spend will deliver 100% protection against cyber-attacks.

“Historically, cybersecurity budgets were perceived as a low-priority IT spend, but this is no longer the case,” said Maxim Frolov, vice president of global sales at Kaspersky Lab, in a press release.

“Today, cybersecurity risks are top of the agenda for CEOs, CFOs and risk officers. In fact, a cybersecurity budget is not just a way to prevent breaches and the disastrous risks associated with them – it’s a way to protect business continuity, as well as a company’s core profile investments.”

Categories: Cyber Risk News

Copy of Chinese Spy Chip Used in Security Training

Info Security - Fri, 10/26/2018 - 13:32
Copy of Chinese Spy Chip Used in Security Training

Following reports that Chinese spies infiltrated the supply chain of servers assembled by Supermicro Computers Inc., the New York–based CYBERGYM has launched a new infrastructure-security combat training program.

Driven by the belief that threats posed by these types of supply chain and infrastructure hacks are significant, CYBERGYM said it developed the training to help organizations prepare for such an attack. In an effort to make the training as realistic as possible, the engineers and white-hat hackers at CYBERGYM developed a virtual model of the surveillance chip identified in the Bloomberg report. The virtual model emulates the actual attack scenario, which will allow participants to respond to a real-life chain of events, CYBERGYM said.

Available in cyber-warfare arenas in the US, Europe, Asia and Australia, the training provides organizations with the strategies needed to defend against complex, hardware-based attacks, which require advanced forensic analysis.

As such, the training program entails multiple forensic layers, including memory, network, PLC and operating system, in order to bolster the organization’s anomaly detection skill set. The training is multi-leveled and augments the critical forensic data collection skill sets of trainees so that the organization is equipped with security personnel who can effectively analyze, mitigate and remediate hardware- or infrastructure-level attack damage.

"Our program is based on multilayered forensics and is designed to fundamentally enhance both human training and policy implementation," said Ofir Hason, CEO of CYBERGYM, in a press release.

"The story, while contested, has nevertheless brought into sharp focus the very real likelihood of organizations suffering infrastructure infiltration at the hands of hackers. To fight this type of core and complicated attack, organizations need to be able to quickly analyze the events, collect the relevant forensics and work collaboratively with their IT supply chain partners to mitigate and prevent escalation – processes that are benefited greatly by access to hands-on, real-world training scenarios. In this sense, time and performance are crucial.”

Categories: Cyber Risk News

One-Fifth of US Consumers Never Return to Breached Brands

Info Security - Fri, 10/26/2018 - 10:08
One-Fifth of US Consumers Never Return to Breached Brands

Over a fifth (21%) of US consumers will never return to a brand that has suffered a data breach, according to new research providing a timely reminder of the need for effective cybersecurity.

Contact center payments firm PCI Pal polled 2,000 US consumers to produce a State of Security report, which highlights the importance of trust and privacy to the average American.

As well as those who will never return to a business post-breach, a sizeable majority (83%) claimed they would stop spending for several months after a breach or serious incident.

In addition, 45% said they spend less with brands they perceive to have insecure data practices, and over a quarter (26%) will not give a company their business if they don’t trust it with their data.

Consumers are concerned not just about online security. Over a quarter (28%) questioned how their data is recorded over the phone and over two-fifths (42%) said they’re uncomfortable sharing sensitive data like credit card details over the phone.

The findings chime somewhat with RSA Security research from earlier this year which revealed that 69% of global consumers are prepared to boycott any company they believe does not take data protection seriously.

It also found the vast majority (62%) blame the company first in the event of a data breach, rather than the hacker.

The findings should be another reminder to organizations of the importance of a strong cybersecurity posture.

PCI Pal COO, James Barham, argued the findings reveal a change in how US consumers are prioritizing security and privacy.

“Consumer-facing brands should pay attention — not just adopting stronger security practices but incorporating them into their marketing and communications strategies if they want to keep customers loyal and spending with them,” he added.

It’s a change in consumer behavior being driven to a certain extent globally by the advent of the GDPR. Although it’s an EU law, it applies to any company processing EU citizens’ data, so the advent of the first major fine for a US company will be a significant moment in awareness raising.

Just this week, Apple CEO Tim Cook argued for a GDPR-style federal data privacy law.

Categories: Cyber Risk News

No Place for Security as Cryptocurrency Skills Demand Soars

Info Security - Fri, 10/26/2018 - 09:29
No Place for Security as Cryptocurrency Skills Demand Soars

Demand for cryptocurrency skills has rocketed by over 1000% over the past two years, but a disconnect between cybersecurity and the fast-emerging sector is exposing organizations to greater risk, according to Trend Micro.

The security vendor analyzed data from popular recruitment site ITJobsWatch, revealing UK demand for cryptocurrency skills has jumped by 1130% since 2016.

Yet cybersecurity is apparently nowhere to be seen on the list of the top 30 skills most commonly associated with cryptocurrency roles. That list is led by blockchain (73%), finance (50%), Java (46%), bitcoin (31%) and JavaScript (28%), according to the vendor.

Similarly, crypto skills do not seem to be a priority for cybersecurity professionals, failing to make the top 30 despite emerging areas like GDPR (8%) starting to make an impact.

This security/crypto skills gap is leaving cryptocurrency exchanges dangerously open to attack, according to Bharat Mistry, Trend Micro principal security strategist.

“If cybersecurity professionals were more aware of crypto and the risks the platform is open to then they could secure or reduce the attack surface for crypto exchanges,” he told Infosecurity.

These organizations are already being impacted by cyber-attacks: over recent months there’s been a $60m raid on Zaif, a $31m theft at Bithumb and an attack on Coincheck which netted hackers $500m.

What’s more, a report from Ernst & Young earlier this year revealed that 10% of all initial coin offering (ICO) funds are lost to hackers. Experts claimed that some crypto ventures aren’t resilient enough to DDoS, phishing attacks, or web exploits, and that the underlying code of smart contracts is often riddled with vulnerabilities.

More cybersecurity expertise in the industry would help mitigate some of these risks.

Trend Micro also warned of the growing cryptojacking threat, claiming that it recorded a 956% increase in detection of this malware between 1H 2017 and 1H 2018.

The global cybersecurity skills shortage is now almost three million, according to the latest data.

Categories: Cyber Risk News

BA Breach: An Extra 185K Customers Notified

Info Security - Fri, 10/26/2018 - 08:45
BA Breach: An Extra 185K Customers Notified

British Airways is notifying an additional 185,000 passengers that their card details may have been stolen in a recently revealed Magecart digital skimming attack on its website and app.

The airline revealed in a statement on Thursday that the website-related breach discovered in September actually affected an extra 77,000 customers — with name, billing address, email address and card details including number, expiry date and CVV potentially accessed. It also hit another 108,000 customers who had the same data taken except for their card CVV.

These customers made reward bookings between April 21 and July 28, 2018, widening the time frame in which hackers had access to card data. Originally it was thought that the malicious Magecart skimming code was inserted on August 21 and sat there exfiltrating passenger card details for 16 days.

The statement implies the same actors are behind this April-July breach.

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” BA continued. “Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.”

BA also revealed that its original estimate of 380,000 payment card details affected in the incident was too high, and that 244,000 were actually compromised. That means the total as it stands today is nearly half a million.

The airline reiterated its commitment to reimburse any customers who suffer financial losses as a result of the incident, and to offer credit monitoring to those who want it.

The firm also trumpeted the fact that there have so far been “no verified cases of fraud” as a result of the incident.

However, experts claimed that this statement should not reassure customers.

"Credit card details and supporting personal information may have already been sold on the dark web, but because this information has no clear tie to BA as the source it's impossible to track,” argued Simon Migliano, head of research at Top10VPN.com.

Jason Rebholz, senior director of strategic partnerships at Gigamon, added that until BA has completed its investigation, the full impact of the breach is unlikely to be known.

“Investigations into security incidents can take a lot of time,” he argued. “It is important that organizations have as complete information as possible when they go public, otherwise they will face a backlash when they have to continually modify their statements.”

Categories: Cyber Risk News

Facebook fined £500k for UK data protection law breaches

Outlaw.com - Thu, 10/25/2018 - 15:07
Facebook has been fined £500,000 by the UK's Information Commissioner's Office (ICO) after the watchdog found that the company was responsible for serious breaches of UK data protection laws.
Categories: Cyber Risk News
