True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

The State Of Cloud Confusion: Who's Your Cloud Built For?

Today’s question: How does a business get into the cloud? 

It’s not a trick question. It’s actually a freighted question with any number of nuanced answers -- and, appearances aside, not every business is already cloud-aware or cloud-bound.

Let’s assume you’re a small or midsize business poised to make the move and that you’re working with a clean slate, even at this late date. Do you dial up a managed service provider that’s moonlighting? Track down an IT consultant linked to Microsoft Azure or Amazon Web Services? Go directly into the big provider maw? Keep it boutique? 

There’s no immediate wrong answer here, which can be both reassuring and vexing. With the cloud’s ubiquity, identifying your path has become harder, not easier, with the passage of time.  I’ve seen this tale told by consultants, full of static and noise, and frequently not signifying anything definitive. Given that the temptation is to do what’s convenient, not what’s smart, perhaps that opening question should be rephrased as: What’s the state of confusion today?

That’s an important query because confusion and uncertainty tend to favor “safe” choices, and increasingly, today’s default choice is likely to be a big gun, a commodity provider. By way of analogy, consider Dell computers. When Dell broke through in the PC business in the 1980s, the company helped usher in the term “mass customization,” which only seemed like an oxymoron. With apologies to Burger King, Dell shoppers pretty much could have it their way. And whatever the veracity of the pitch, it worked. A market leader was born.

The premise behind Dell’s approach to mass customization, as in Ford’s and Nike’s and so many other industrial producers over the last several decades, is that offering (and, from the consumer’s point of view, acquiring) a commodity is a good thing. “Commodities with benefits” would appear to work out for all concerned, delivering a tailored mix of predictability and affordability. 

Cloud computing isn’t exempt from this phenomenon; indeed, it’s enjoying something of a heyday. The big, publicly traded cloud providers now dominate the market. But is the commodity model truly working for the business rank-and-file? How well, and for whom, is that model actually functioning?

From my experience, the premise under which commodity cloud players operate is that all clouds are equal. They maintain that the value-add that anyone else offers is negligible -- it’s clearly in their interest to make that claim -- and a growing clutch of providers now subscribe to an “if you can’t beat ‘em, join ‘em” mentality.

I believe that’s a potentially profound loss to the user community, since product/service differentiation absolutely does exist and must continue to exist. Under this new scenario, providers win either way, but as in any quasi-monopoly environment, the elimination of choice slams users. A homogenized industry primarily serves itself, not the customers who nurtured the industry in the first place.

But back to the questions. Today’s savvy business owner needs to ask: Is your cloud provider trying to solve a business problem or sell the cloud? Is your cloud built for you -- or is it built for everyone else?

Here’s how to determine the answer: Find a vendor who has thought through your business problems and solved them for you before you even show up. In four crucial areas, I believe there are ways to separate the opportunists from those who regard a relationship with your organization as valuable and potentially enduring:

• Onboarding: Will you be paying a service or other third party to get things rolling, or is onboarding included as part of the provider’s suite of services? Strapping in isn’t a trivial matter; it entails moving applications, transferring data, helping users log in, etc. Are you left to your own devices or does someone have your back?

• Security: Have you had a conversation with the provider about what it will take to make your system secure? Did that conversation address firewalls, security policies and procedures, multifactor authentication, intrusion detection and prevention software, and the like?  

• Backups: In the cloud, backing up is like breathing; everyone needs it. Is backup baked in, or does your vendor suggest you shop around? 

• Support: To what degree is technical support part of the package? Is support truly end-to-end on all applications -- which is what virtually every business needs -- or is the support blanket porous?

The common denominator in each of these use cases is DIY. I believe that a provider who expects you, as the customer, to do the heavy lifting is a provider who doesn’t deserve your business. Commodity providers may look to the customer to reinvent the wheel -- to configure, source and pay for any number of critical tasks -- and it’s an untenable multiplication of effort nearly a decade into the cloud computing era.

Not having to start from scratch is avoidable, but only if the customer has the wherewithal to understand on day one that not all clouds are created equal.

Resource: https://www.forbes.com/sites/forbestechcouncil/2019/08/23/the-state-of-cloud-confusion-whos-your-cloud-built-for/#13a29bbf5baf

We aren't prepared for the next wave of cybersecurity risks

The traditional way regulators motivate the financial industry is by seeking consensus among the constituents on best practices, but that is too backward looking. The cyber risk threats of today pale in comparison to the cyber risks to come.

Immediate investment is needed even though the payoff is perhaps a decade or more into the future. The collective action problem that always rears its head in the competitive financial industry must stand aside to protect our national treasure — our global financial system — from cyber attacks. Our government must lead the way.

Financial industry cyber threats have become a real concern to all financial institutions. The World Economic Forum’s Global Risks Perception Survey (GRPS) lists data fraud or theft and cyber attacks among the top five most likely risk events, after environmental risks. Data fraud and disruptive cyber attacks are manmade and technology driven.

Technology continues to play a profound role in shaping the financial risk landscape. In 2018, there were massive data breaches, new hardware weaknesses exposed and research that pointed to the potential uses of artificial intelligence to engineer more devastating cyber attacks.

A large majority of respondents in the World Economic survey expected increased risk in 2019 of cyber attacks leading to theft of money and data (82 percent) and disruption of operations (80 percent).

5G mobile network technology is currently being rolled out. Once adopted, far more devices will be connected to the internet. This will lead to a massive increase in data collection by businesses, causing cybersecurity risks to multiply.

Add to this the concerns of cyber risks from the advent of quantum computing, a game-changing computer technology that will have an immense impact on current methods of cryptography that underlie all cybersecurity.

Data on cyber risk is notoriously scarce since there is no common standard to record it, and firms have no incentive to report risks. For example, in the U.K., only 49 cyber attacks were reported in 2017 to U.K. financial authorities, pointing to significant under-reporting of successful cyber attacks in the financial sector. 

In the U.S., in 2018 the Securities and Exchange Commission clarified disclosure of cyber risk for listed firms. Among the 4,000 annual reports published in 2017, only 7 percent included a reference to cyber risk, mainly in the finance and services sectors.

Overall, financial institutions in more than 50 countries have been victims of cyber attacks. Banks account for the bulk of the attacks (91 percent), followed by insurance companies (7 percent). Among banks, retail banking activities (39 percent) and credit cards services (25 percent) were the main business lines targeted.

The World Economic Forum’s Global Risks Perception Survey cites further evidence that cyber attacks pose risks to critical infrastructure. This, the report states, prompted countries to strengthen their screening of cross-border partnerships on national security grounds.

For example, China’s cybersecurity law presents a significant challenge for other countries. It requires them to store sensitive data in China and to favor Chinese network equipment over foreign ones.

As a result, U.S. firms operating in China, whether American technology firms or banks, have to keep their networks’ data in China and in many cases have to source servers, routers and other equipment and products from Chinese suppliers. Companies found in violation could have their business permits and licenses revoked.

Now a new threat looms. Born out of the quantum physics world, quantum computers possess traits and abilities that both defy logic and inspire the imagination. It appears that quantum computers will eventually be able to solve some of the mathematical problems previously thought to be unsolvable, including crypto code breaking.

The advent of the quantum computer poses a serious threat since most encryption in practice today is dependent on unsolvable mathematical problems based on today’s computers’ computational capacities.

Today, computer-driven encryption is thought to be so secure that a classical computer is estimated to take 6 quadrillion years to break current key encryption codes. However, some researchers estimate a large quantum computer could break the code in minutes.

Cybersecurity threats from quantum computers are undeniably an obvious danger. The National Institute of Standards and Technology (NIST), as part of its standardization mandate within the U.S. Department of Commerce, is now looking ahead to the security threat from quantum computing.

With quantum computing will come the capability to defeat the data encryption that protects information transmitted over credit card, e-commerce and other secure networks.

In 2012, NIST launched a Post Quantum Cryptography (PQC) standards project to promote development of encryption systems that will work with current, classic machines, while also being resistant to the capacity of quantum machines.

The Institute for Quantum Computing, University of Waterloo (Canada), has said that there is a one-in-seven chance that public key cryptography will be broken by quantum computing by 2026. 

Other initiatives are underway. The Financial Services Information Sharing and Analysis Center (FS-ISAC) was established by the financial services sector in response to 1998's presidential directive — later updated by the 2003 Homeland Security Presidential Directive, which mandates that the public and private sectors share information about physical and cybersecurity threats and vulnerabilities to help protect the U.S. critical infrastructure.

The World Economic Forum asks the question: “Is the world sleepwalking into a crisis? Global risks are intensifying but the collective will to tackle them appears to be lacking.”

Inevitably, when standards bodies and governments do sign off on quantum-secure encryption, the U.S. financial industry may find itself unprepared to deploy it quickly.

It may lack the investment and forward thinking necessary to keep its networks secure and, thus, concede leadership to others. Our government must lead the way.

Allan D. Grody is president of Financial InterGroup Advisors, a strategy, research and acquisition consultancy.

Resource: https://thehill.com/opinion/cybersecurity/437739-we-arent-prepared-for-the-next-wave-of-cybersecurity-risks

VMware buys Carbon Black and Pivotal, valued together at $4.8 billion

Software company VMware on Thursday said it’s acquiring Carbon Black at an enterprise value of $2.1 billion and Pivotal at an enterprise value of $2.7 billion. The deals are expected to close by the end of January 2020. Shares of Pivotal were up as much as 7% after the announcement, while VMware shares fell as much as 4%.

These are VMware’s largest acquisitions yet. The deals build on VMware’s strength helping companies run their software in their own data centers. They could help VMware compete better in the security market and hybrid-cloud infrastructure operations.

VMware isn’t talking about cost synergies that could come out of buying two other enterprise-focused companies. However, CEO Pat Gelsinger told CNBC the companies will be operating profitably under VMware next year.

Gelsinger said that by year two, Carbon Black and Pivotal will have contributed more than $1 billion in revenue incrementally, which will mean VMware will have more than $3 billion in hybrid cloud and software-as-a-service revenue.

Also on Thursday VMware announced earnings for the second quarter of its 2020 fiscal year. The company reported $1.60 in earnings per share, excluding certain items, on $2.44 billion in revenue. Analysts polled by Refinitiv had been expecting $1.55 in earnings per share, excluding certain items, on $2.43 billion in revenue for the quarter.

Carbon Black vaults VMware into endpoint protection

Carbon Black was founded in 2002 and debuted on the Nasdaq under the symbol “CBLK” in May 2018. The company provides anti-malware and endpoint protection products that can see into many of a company’s devices and tell if they have been hacked.

In the most recent quarter, Carbon Black reported a loss of 13 cents per share, excluding certain items, on $60.9 million in revenue, with 19% annualized revenue growth. Carbon Black shares are up 2% in the past year.

Carbon Black shareholders will get $26 per share in cash from VMware for a total of $1.9 billion in cash. The price per share is 14% higher than the stock’s $22.75 closing price on Wednesday.

The endpoint security marketplace is crowded, and Carbon Black competes heavily with rivals such as Crowdstrike, Cylance, Fortinet and Symantec. The space has been ripe for consolidation in recent years, particularly from traditional hardware companies. Blackberry acquired Cylance in 2018 in an effort to beef up its new business proposition as a cybersecurity company, and Broadcom said that it would acquire Symantec’s enterprise business earlier this month.

Though crowded, the endpoint protection marketplace is also poised for growth. While more diverse devices go online — including more corporate-owned devices — further enabled by 5G technology, that means more and different endpoints that can serve as an entryway for criminals.

Carbon Black touted its relationships with VMware as well as IBM when it filed to go public last year. CTFN reported earlier this month that Carbon Black hired Morgan Stanley to explore opportunities to sell itself. CTFN also reported that Cisco and IBM had expressed interest, according to Bloomberg.

Gelsinger did not confirm that Carbon Black talked with Cisco or IBM but said public companies do perform “customary market checks” to ensure a deal is beneficial.

Carbon Black’s CEO, Patrick Morley, will run a security business unit that VMware is forming, and VMware will move some existing assets into it, Gelsinger said.

He said VMware has been developing a thesis that infrastructure and applications should be secure by default and shouldn’t need extra treatment by a security team. Breaches are happening to VMware’s customers even after they have deployed security products, Gelsinger said. “It ain’t working,” he said.

Based in Waltham, Massachusetts, Carbon Black had 1,138 employees at the end of 2018, and customers include Belk, DA Davidson, Evernote and Netflix, according to the company’s website.

Pivotal has a long history with VMware

Pivotal and VMware go way back: The company was created from assets spun out of VMware and Dell (VMware’s controlling owner) in 2013. Its products help companies build and deploy their software across different server infrastructure, including public clouds. Competitors include IBM, Oracle and SAP, among others, as well as cloud providers such as Amazon and Microsoft. Pivotal’s customers include Boeing, Citi, Ford and Home Depot, according to its website.

Pivotal shares have fallen 47% in the past year.

VMware said it’s buying Pivotal for a blended price per share of $11.71, including $15 per share in cash to holders of Pivotal’s Class A stock, and an exchange of VMware’s Class B common stock for Pivotal Class B shares owned by Dell. The ratio is 0.0550 shares of VMware’s Class B stock for every share of Pivotal’s Class B stock.

The news of the Pivotal purchase is not a complete surprise, as VMware said last week it was proceeding with an agreement to buy all outstanding Class A shares of Pivotal. Dell is the majority stockholder of both Pivotal and VMware, and both VMware and Dell EMC contributed assets to Pivotal when it was formed in 2013.

VMware is paying $800 million in cash for Pivotal, and Dell will now own 81.09% of VMware as a result of the deal. However, Gelsinger said the Pivotal deal isn’t part of some plan to make VMware a wholly owned subsidiary of Dell.

“Dell is extraordinarily supportive of an independent VMware,” Gelsinger told CNBC.

“Customers were starting to say, ‘I’m relying on PCF [the Pivotal Cloud Foundry product] and the PaaS [platform as a service] of Pivotal. I’m relying on VMware. I don’t see you guys being as integrated in that full solution as I want you to if I’m going to commit my next-gen application development,’” Gelsinger said. ”‘I need to have higher integration, higher velocity of these pieces working there.’ They encouraged us to take this step.”

Gelsinger said the Pivotal deal follows the acquisition of Heptio, which was founded by two of the creators of Kubernetes open-source project for managing software in the form of containers — an alternative to the virtual machine technology that VMware popularized. Cloud infrastructure providers offer services for managing containers at scale across servers, so developers don’t need to worry about the complexity, and Heptio helped some companies use Kubernetes.

Pivotal also offers products for working with Kubernetes — a product called Pivotal Container Service that VMware and Google worked on in collaboration with Pivotal.

“Heptio was very much, ‘Oh, what are you guys doing?’” Gelsinger said. When he asked the VMware board for hundreds of millions of dollars to do the Heptio deal, they asked him what he was going to do with it, he said.

Pivotal had 2,949 employees as of Feb. 1. In the most recent quarter Pivotal reported a loss of 3 cents per share, excluding certain items, on $185.7 million in revenue and lower-than-expected guidance, sending shares lower.

Resource: https://www.cnbc.com/2019/08/22/vmware-earnings-q2-2020-acquires-carbon-black-pivotal.html

MSP Responsible for 22 Texas Cities Ransomware

The threat actor that hit multiple Texas local governments with file-encrypting malware last week may have done it by compromising a managed service provider. The attacker demanded a collective ransom of $2.5 million, the mayor of a municipality says.

New details from the Department of Information Resources (DIR) put the number of victims at 22, with evidence pointing to a single party responsible for the attacks.

Steady recovery

Things appear to be on the right track, as some entities have already resumed normal activity, DIR informs in an update on the situation. More than 25% of the victims have moved from the response and assessment stage to remediation and recovery.

The names of all the municipalities impacted by the attack remain undisclosed, but two of them announced the hit publicly.

The City of Borger issued a statement saying that the incident impacted its financial operations and services. The city cannot accept utility or other payments and Vital Statistics services (birth and death certificates) are offline.

Keene is another city affected by this ransomware attack. This administration, too, cannot process card payments or utility disconnections.

Keene Mayor Gary Heinrich said that the threat actor demanded $2.5 million in exchange for the key that decrypts the locked files.

MSP is the common denominator

Heinrich told NPR that the threat actor deployed the ransomware through the software from the managed service provider (MSP) used by the administration for technical support.

MSPs are a convenient solution for entities that cannot manage the IT infrastructure themselves. This would not be unusual with smaller local governments that may lack qualified staff for this type of task.

An external company providing this service typically uses software that allows remote access to a client's network. This way, the MSP can monitor the activity and fix problems, as well as install system updates or applications.

According to Heinrich, the City of Keene uses the same external company that provides IT support services to many of the other impacted municipalities.

MSPs have started to be a frequent target for ransomware operators as a successful compromise offers access to multiple clients.

Resource: https://www.bleepingcomputer.com/news/security/hackers-want-25-million-ransom-for-texas-ransomware-attacks/

Cybersecurity Is About To Explode. Here’s Why!

Just about every American knows that the threat of cybercrime looms on a daily basis. Every time we use a computer that’s connected to the internet, there is at least a small chance of becoming the victim of a cyber-attack, such as a virus, ransomware, or phishing. In 2017 alone, an estimated 15 million Americans were victims of identity theft.

Corporations are even more likely to be targeted for data theft and other cyber-attacks. We’re becoming used to exciting headlines about data breaches and the concern that our personal data may have been compromised through an attack on a corporation or government agency. Unlike individuals, however, organizations have more resources to fight back and the cybersecurity is on the cusp of explosive growth.

Now that we use the internet in just about every facet of our lives, the issue of cyber-attacks is coming to the forefront of discussions about the economy, our security, and our privacy. It’s become big enough that thought leaders, lawyers, and even academics are weighing in. Let’s take a look at where this fast-growing industry is headed—and how ambitious people can find opportunities to succeed.

Up, up and Away: Cybersecurity Goes Big

Hackers have grown alongside the internet, ever since it reached consumer use. Simple systems were simpler to hack, and today’s cybercriminals are much more sophisticated than they were twenty years ago. The challenge for cybersecurity experts isn’t to stop cybercriminals for good—that simply isn’t possible or realistic—but to adapt and evolve on a continuous basis, staying several steps ahead of hackers.

Large corporations are starting to hire large security teams and are even employing the services of ethical hackers to identify their networks’ vulnerabilities through the eyes of potential cybercriminals. Innovations in the field include the use of new security technology like the blockchain and using psychology to trick, mislead, and confuse hackers before they ever reach sensitive data. Companies in a variety of industries are pouring resources into cybersecurity to protect their data and to protect themselves from the consequences of a data breach.

The Growing Demand for CyberSecurity Experts Among Government Agencies

With the increased cybersecurity workload across industries, the demand for cybersecurity experts is growing rapidly. From August 2017 to September 2018, there were around 313,735 job openings in the cybersecurity field in the private and public sectors. At that time, there were more than 700,000 people already working in the industry across the country.

Governments are especially desperate to hire security professionals since even local governments are responsible for important public and private data that can be sold by cybercriminals to other countries or individuals with bad intentions. Some cybercriminals target government agencies and hold their data hostage, demanding a ransom for its safe return.

Like major corporations, the United States government is pouring billions of dollars into security, allocating most of their resources to departments like Defense and the Department of Homeland Security, which are at high risk for cyber-attacks. These agencies, which protect the country and prepare for disasters, must be heavily protected from global hackers, which is boosting demand from the government for trained security experts.

There’s a Future in a Career in Cybersecurity

Because both the public and private sector now recognize the importance of cybersecurity, opportunities to work in this field are growing rapidly. Qualified professionals have the upper hand in their job hunt and often have a lot of choices when it comes to where they work and may need to decide between computer science vs cyber security. It’s a great time to break into the industry since the need for security experts isn’t likely to drop anytime soon.

Like many fields in the technology industry, cybersecurity jobs are growing much more quickly than across all industries. Information Security Analyst opportunities, for example, are growing 28% faster than average and offer salaries averaging $98,350 per year. There are many other careers within the field with similar high salaries and fast growth. You can take your pick of which industry you want to work in because just about every company needs to be concerned about the safety and security of their networks.

Get Started Now

If you want to work in the field of cybersecurity, don’t wait. Employers need qualified individuals to protect their assets, and it may take some time to get the skills and certifications you need to succeed. Take advantage of the massive growth coming in cybersecurity and launch your new career!

Resource: http://thetechnews.com/2019/08/17/cybersecurity-is-about-to-explode-heres-why/

20 TEXAS CITIES HIT BY COORDINATED RANSOMWARE ATTACK, STATE'S IT DEPARTMENT SAYS

Twenty local government entities across Texas have been hit by a coordinated ransomware attack, the state's Department of Information Resources (DIR) announced on Friday.

"Currently, DIR, the Texas Military Department, and the Texas A&M University System's Cyberresponse and Security Operations Center teams are deploying resources to the most critically impacted jurisdictions," the department, which is leading the state's response, said in a press release. "Further resources will be deployed as they are requested."

Ransomware attacks have been gaining currency among hackers in recent years as a preferred method of extortion, especially among municipal entities. Digital intruders will plant malicious code inside the networks of an agency's information systems—often exploiting the relatively unsophisticated or out-of-date cyber defenses of ill-prepared cities—and shut down access to computers or specific databases.

Users are then extorted for cash in order to regain access to their systems, and they are nearly always asked to pay in Bitcoin, a blockchain currency that is virtually untraceable, allowing hackers to pull off these complex operations from a single room halfway around the world.

It is unknown how much the hackers were demanding from Texas officials, which systems are currently offline and whether the impacted cities are expected to pay the ransom.

Baltimore was the victim of the most high-profile ransomware attack in 2019 when unknown hackers crippled government operations for over a month. As was the case in this instance, it is often cheaper to comply with the ransom-takers than to attempt to recover files forensically. But the city ultimately decided to spend around $18 million to recover its own files and manage costs associated with the fallout; the hacker was only demanding $76,000 in Bitcoin, but the FBI advised against paying the ransom.

Payoffs do have another, less-pronounced benefit, especially for corporations. News of digital intrusions can damage public reputations, so compliance with a hacker's demands allows agencies and businesses to move on from the attack discreetly, without harming confidence in their ability to protect user data.

A report from Cybersecurity Ventures estimated that damages from ransomware attacks cost as much as $8 billion globally in 2018.

In the fall, then-Homeland Security Secretary Kirstjen Nielsen held a cybersecurity summit in New York, calling the dangers of digital attacks graver than other, traditional threats.

"Cyberattacks now exceed the danger of physical attacks," she said. "This has forced us to rethink homeland security."

Resource: https://www.newsweek.com/texas-ransomware-bitcoin-hackers-1454865


Patch time! Microsoft warns of new worm-ready RDP bugs


Microsoft’s Patch Tuesday brought some very bad news yesterday: more wormable RDP vulnerabilities, this time affecting Windows 10 users.

CVE-2019-1181 and -1182 are critical vulnerabilities in Remote Desktop Services (formerly Windows Terminal) that are wormable – similar to the BlueKeep vulnerability that people have already created exploits for. Wormable means that the exploit could, in theory, be used not only to break into one computer but also to spread itself onwards from there.

These new vulnerabilities, which Microsoft found while it was hardening RDS, can be exploited without user interaction by sending a specially-crafted remote desktop protocol (RDP) message to RDS. Once in, an attacker could install programs, change or delete data, create new accounts with full user rights, and more. CVE-2019-1222 and -1226 also address these flaws.

Unlike BlueKeep, these new RDP vulnerabilities affect Windows 10, including server versions, as well as Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

Microsoft said that these vulnerabilities haven’t yet been exploited in the wild, but urged customers to get ahead of the game by patching quickly:

It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide.

Computers with network level authentication (NLA) are partly protected, because crooks would need to authenticate before making a request, meaning that an attack couldn’t spread without human interaction on NLA-enabled systems.
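The NLA mitigation described above, as an added PowerShell audit that is not part of the Sophos article or any Microsoft tool: it reads the standard Terminal Server registry values for whether Remote Desktop is enabled and whether Network Level Authentication is required, reports the most recent hotfix on the box, and can turn NLA on with its own `-Remediate` switch (an assumption of this script, run from an elevated shell).

```powershell
# Added example (not from the Sophos article or from Microsoft): report whether
# this Windows host exposes an RDP listener that accepts connections before
# authentication, which is the condition that lets a wormable RDS bug spread
# with no human interaction. The registry locations are the standard Terminal
# Server settings; the -Remediate switch is this script's own option.
[CmdletBinding()]
param(
    [switch]$Remediate   # when set, turn NLA on if RDP is enabled without it
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null rather than throwing when the value is absent
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-RdpExposure {
    # fDenyTSConnections: 1 = Remote Desktop disabled, 0 = enabled
    $deny = Get-RegistryDword -Path $tsKey -Name 'fDenyTSConnections'
    # UserAuthentication: 1 = NLA required before a session is created, 0 = not required
    $nla  = Get-RegistryDword -Path $rdpTcp -Name 'UserAuthentication'
    # Listening port; a non-default port hides nothing from a scanner, but it is useful context
    $port = Get-RegistryDword -Path $rdpTcp -Name 'PortNumber'

    $rdpEnabled = ($deny -eq 0)
    $nlaOn      = ($nla -eq 1)

    # Classification follows the article: NLA reduces but does not remove the
    # risk, so a patched system is still the goal in every branch.
    $risk = if (-not $rdpEnabled) { 'Low: Remote Desktop is disabled' }
            elseif ($nlaOn)       { 'Reduced: NLA required; patch still needed' }
            else                  { 'High: RDP reachable without authentication' }

    # Most recent update on the box, so an admin can compare against Patch Tuesday
    $lastFix = Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $_.InstalledOn } |
               Sort-Object InstalledOn -Descending |
               Select-Object -First 1
    $latest = if ($lastFix) {
        "$($lastFix.HotFixID) ($($lastFix.InstalledOn.ToShortDateString()))"
    } else { 'unknown' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaOn
        RdpPort      = $port
        LatestHotFix = $latest
        Risk         = $risk
    }
}

function Enable-RdpNla {
    # Same setting as the GUI option "Allow connections only from computers running
    # Remote Desktop with Network Level Authentication"; needs an elevated shell.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

$state = Get-RdpExposure
$state | Format-List

if ($Remediate -and $state.RdpEnabled -and -not $state.NlaRequired) {
    Enable-RdpNla
    Write-Host 'NLA enabled; re-checking:'
    Get-RdpExposure | Format-List
}
```

Run it as-is for a read-only report; `-Remediate` only changes the one NLA value and only when RDP is enabled without it.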

Microsoft also fixed several other critical bugs in this Patch Tuesday, including a remote code execution (RCE) vulnerability in Internet Explorer’s scripting engine (CVE-2019-1133 and -1194). Attackers can exploit the bug via a specially crafted website or by sending a malicious ActiveX control marked “Safe for initialization” to any MS Office program that uses the Internet Explorer rendering engine.

Edge users didn’t get away scot-free either. There’s a similar bug (CVE-2019-1131, -1139 to -1141, and CVE-2019-1195 to -1197) in that product’s Chakra Scripting Engine. It allows for remote code execution in the current user context, and it’s exploitable via malicious websites.

Microsoft fixed a critical RCE bug in its Hyper-V hypervisor (CVE-2019-0720), which stems from poor input validation in the Hyper-V Network Switch and could be exploited by a malicious application running in the guest OS. There are also some related denial-of-service (DoS) bugs patched in Hyper-V.

CVE-2019-0736, -0965, and -1213 are RCE bugs in the Windows DHCP server that an attacker can exploit by sending malicious DHCP responses to a client, while CVE-2019-1188 is a flaw in the way that Windows processes files with a .LNK extension. LNK files point to executable files, but improper processing enables remote code execution. Attackers could exploit this bug via removable drives or remote shares.

Flaws in the way that Windows processes fonts (CVE-2019-1145 and -1149 to -1152) allow an attacker who embeds maliciously crafted fonts in a website or file to execute code remotely on the system.

There were also some bugs in Microsoft Office. A flaw (CVE-2019-1199 and -1200) in the way that Outlook handles objects in memory means that an attacker could execute code remotely using a malicious file delivered via email or a website. Outlook’s preview pane is an attack vector there, as it is for a bug in Microsoft Word (CVE-2019-1201 and -1205) that allows for remote code execution from maliciously-crafted Word documents.

The final critical bug in the bunch was CVE-2019-1183, which is a flaw in the Windows VBScript Engine that allows malicious websites or ActiveX objects to trigger remote code execution on the target system. However, Microsoft is in the process of getting rid of browser-based VBScript and has now turned it off by default in Internet Explorer 11 in this round of updates.

Resource: https://nakedsecurity.sophos.com/2019/08/14/microsoft-warns-of-new-worm-ready-rdp-bugs/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=3f87769cd7-Naked+Security+-+Aug+2019+-+ad+B+%28G2and+G4%29&utm_medium=email&utm_term=0_31623bb782-3f87769cd7-455372845


How to protect your router and home security cameras from hackers


When it comes to digital security, lack of knowledge and complacency can result in serious consequences, including identity theft, financial fraud and a massive loss of privacy.

You try to be vigilant with your computers because they contain so much personal information, but chances are you don’t have the same level of diligence when it comes to your router and home security camera. Hackers are counting on this.

 

Router security must be taken seriously

 

A router is essential to your home wireless network, but most people are clueless about router security. They don’t do the two things that can prevent a hack attack: Change the default password credentials and update the firmware (the router’s internal software).

“Most people buy a router, plug it in, they connect everything they need to connect and they don’t think about it again,” said Lawrence Abrams, founder of the website Bleeping Computer.

Remember, your router is a singular point of vulnerability — the one pathway for all your home’s wireless devices that connect to the internet via your home Wi-Fi.

“If an attacker gets access to that router, they have access to your entire internet life,” said Charles Henderson, head of IBM’s X-Force Red security hacking team. “Most people aren’t going to fix something unless it’s readily apparent that it’s broken, and router vulnerabilities often hide in plain sight. If internet access works, most people assume there’s nothing to fix.”

 

Router manufacturers don't always promote security

 

Most internet service providers now offer a single device that contains both a modem (it connects you to the internet) and a router (it enables all the wireless devices in your home or office to use that internet connection).

Some people purchase their own modem and router to eliminate the monthly rental charge. Others buy a router to improve the wireless coverage they get.

Consumer Reports recently released the results of its router testing and found that “many wireless routers lack basic security protections.” CR’s new Digital Lab rated the routers on security and privacy, as well as performance. Only a few models did well in all three categories.

Among the key findings:

  • While some of the 29 routers tested had important security safeguards built in, such as automatically updating the firmware with the latest security improvements, other models tested were missing some basic protections.
  • Eleven routers “accept very weak passwords that many websites and workplace accounts would reject,” the editors said. For example, they’ll accept passwords with fewer than eight characters or no complexity, such as “aaaaaaaaa,” or “12345678.”
  • “One router didn’t require the owner to change the default login credentials from 'admin' and 'password.'”

“Setting up a good password system is not a difficult thing anymore,” said Bobby Richter, head of privacy and security testing at Consumer Reports. “It’s time to implement modern password systems on as many devices as we can, and I think routers are a perfectly good place to start.”

 

How to protect yourself

 

There are things you can do to reduce the risk of a hack attack. Consumer Reports suggests:

  • Update the firmware: Criminals are constantly creating new malware and hacking techniques. Hardware makers respond by pushing out firmware updates. If your router supports “automatic updates,” turn it on. If that’s not an option on your router, you’ll need to go to the manufacturer’s website every few months to check for new software. If the company has stopped releasing firmware, it’s time to get a new router.
  • Turn off router features you don’t use that could pose a security risk: This would include remote access (often called Remote Administration or Remote Management) and Universal Plug and Play (UPnP). Many routers now have UPnP turned on by default. Unless you have a device or software that specifically asks for UPnP, turn it off, Consumer Reports advises, because “UPnP has a history of serious security vulnerabilities."
  • Change default password: You want something long and complex, that’s not obvious to anyone. If you need a little assist, use a password generator.
  • Security settings: Some new routers support WPA3 encryption. Make sure it’s turned on. If not, choose WPA2. Don’t use WEP, an outdated security protocol. Consumer Reports found that some new models still make WEP encryption an option. If your current router only has WEP or WPA encryption, get rid of it.
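Two of the steps above (choose WPA3 or WPA2, never WEP; replace the default password with something long and complex), as an added PowerShell example that is not part of the NBC News or Consumer Reports material: the first function parses the output of `netsh wlan show interfaces` on Windows and maps the negotiated Wi-Fi security onto that guidance; the second tests a candidate router password against the weaknesses Consumer Reports found routers accepting. The netsh lines and the factory-default password list are constructed samples.

```powershell
# Added example (not from the NBC News article or Consumer Reports): two checks a
# Windows user can run against the advice above. The netsh lines below are a
# constructed sample; the factory-default password list is a short constructed one.

function Get-WifiSecurityVerdict {
    param([string[]]$NetshOutput)   # lines from: netsh wlan show interfaces
    $auth = 'Unknown'; $cipher = 'Unknown'
    foreach ($line in $NetshOutput) {
        # netsh prints "    Authentication         : WPA2-Personal" and a similar Cipher line
        if     ($line -match '^\s*Authentication\s*:\s*(.+)$') { $auth   = $Matches[1].Trim() }
        elseif ($line -match '^\s*Cipher\s*:\s*(.+)$')         { $cipher = $Matches[1].Trim() }
    }
    # Map the negotiated security onto the article's guidance: WPA3 > WPA2 > replace the router
    $verdict = switch -Regex ($auth) {
        '^WPA3'  { 'OK: WPA3 in use'; break }
        '^WPA2'  { 'Acceptable: WPA2; switch to WPA3 if the router offers it'; break }
        '^WPA\b' { 'Replace: original WPA is outdated'; break }
        '^Open'  { if ($cipher -eq 'WEP') { 'Replace: WEP offers no real protection' }
                   else { 'Replace: open network, traffic is unencrypted' }; break }
        default  { "Review: unrecognised authentication value '$auth'" }
    }
    if ($cipher -eq 'TKIP') { $verdict += '; TKIP cipher is weak, prefer CCMP (AES)' }
    [pscustomobject]@{ Authentication = $auth; Cipher = $cipher; Verdict = $verdict }
}

function Test-RouterPassword {
    param([string]$Password, [string]$UserName = 'admin')
    $problems = @()
    if ($Password.Length -lt 8)        { $problems += 'fewer than 8 characters' }
    if ($Password -cmatch '^(.)\1*$')  { $problems += 'a single repeated character (like aaaaaaaaa)' }
    if ($Password -match '^\d+$')      { $problems += 'digits only (like 12345678)' }
    # Count character classes; -cmatch keeps the upper/lower distinction
    $classes = 0
    foreach ($pattern in '[a-z]', '[A-Z]', '\d', '[^A-Za-z0-9]') {
        if ($Password -cmatch $pattern) { $classes++ }
    }
    if ($classes -lt 3) { $problems += "only $classes of 4 character classes used" }
    # Constructed list of factory defaults; the article notes one router never forced
    # the owner to change 'admin' / 'password'
    $factoryDefaults = 'password', 'admin', '1234', '12345678', 'changeme'
    if ($factoryDefaults -contains $Password.ToLower()) { $problems += 'factory-default password' }
    if ($Password.ToLower() -eq $UserName.ToLower())   { $problems += 'password equals the user name' }
    [pscustomobject]@{
        Candidate  = '*' * $Password.Length     # never echo the real value
        Acceptable = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Constructed sample of `netsh wlan show interfaces` output
$sampleNetsh = @(
    '    Name                   : Wi-Fi',
    '    SSID                   : HomeNet',
    '    Authentication         : WPA2-Personal',
    '    Cipher                 : CCMP'
)
Get-WifiSecurityVerdict -NetshOutput $sampleNetsh
# Live check on the connected network:
# Get-WifiSecurityVerdict -NetshOutput (netsh wlan show interfaces)

foreach ($candidate in 'aaaaaaaaa', '12345678', 'password', 'Xq7!mv2#Lp9$wZ') {
    Test-RouterPassword -Password $candidate
}
```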

 

Home security cameras

 

Wireless home security cameras are reasonably priced and easy to install. Unfortunately, they can also be easy to hack, giving a criminal real-time surveillance footage of your home.

“If you're dealing with a professional thief, there's tons of intel they could gather,” said James Banta, a former police detective and home security and safety expert at SecurityNerd. “They can case the place without even being there. They’ll know what’s inside, when somebody is home and when the house is empty.”

If that camera is part of a smart home system, it can provide a way for criminals to access and control the entire system. For example, they might be able to turn off the burglar alarm or unlock the doors.

One of the cool features of an internet-enabled security camera is the ability to watch the video in real time. With an app-based doorbell camera, such as Ring and Nest, the risk of a hack attack is pretty low, security experts tell NBC News BETTER. But setting up security cameras on your own and connecting them to your Wi-Fi network is problematic.

“Don’t do that,” Abrams of Bleeping Computer cautioned. “If you can do it, anyone else can do it. By allowing these DIY cameras to be accessible online, you’re just opening yourself up to being hacked.”

 

How to protect yourself

 

Reduce your chances of having your home security camera hacked by following this advice from Consumer Reports:

  • Keep firmware up to date: If your camera doesn’t automatically download and install these updates, you’ll need to check. Look for an update button under the settings menu in your camera's app.
  • Change default password: As with all your passwords, it needs to be strong and unique and not used for any other account.
  • Set up two-factor authentication, if available: Enable this security feature and you’ll get a one-time-use passcode via text, email, call or authentication app that must be entered (along with username and password) to log into your account. This can foil a hacker who cracks your password. Without that code, their access is blocked.

Consumer Reports found three cameras that were highly rated for data privacy and security, and offer two-factor authentication: Amazon Cloud Cam (named a CR Best Buy), Nest Cam Indoor NC1102ES and Nest Cam IQ Indoor NC3100US.

“All of these methods can improve your chances of avoiding a hack, but know that they're not foolproof,” CR’s Richter said. “None of these methods will work perfectly on their own, but right now, these measures are our best tools. Use them all!”

Resource: https://www.nbcnews.com/better/lifestyle/how-protect-your-router-home-security-cameras-hackers-ncna1041806 


Cyberattacks on Construction Companies: Tips & Tricks


When we imagine cyberattacks, we often picture hackers breaking into websites and stealing credit card or social security information. We think of companies full of financial or personal information falling victim to these attacks. What we don’t often think of is a construction company’s information being held hostage, its checks for services being redirected to unknown accounts, or construction equipment being hijacked. Unfortunately, the fact that we aren’t expecting these attacks is exactly why construction companies are exposed.

Hackers are learning that the construction industry is a vulnerable target. These companies constantly manage complex projects while handling data exchanges among many parties including partners, subcontractors, regulators, and suppliers.  Daily communications between these parties occur over e-mail, providing hackers a perfect opportunity to strike.

Typically, hackers will use a fake e-mail account or even mirror a familiar account in order to ask the company to send funds to a “new” or “different” bank account.  Since the communication appears to come from a person that the company deals with on a routine basis, the company assumes that the new bank account is legitimate.  Yet, theft of funds is not the only type of cyberattack construction companies may face; hackers also use information to lock data or destroy or control hardware and equipment.

Construction Companies: 5 Steps to Improved Security

Given the sophistication of today’s cybercriminals, construction companies must recognize their risk as targets and begin implementing protective measures.  The most important steps for companies to take include:

  1. conducting security assessments or routine vulnerability scanning;
  2. updating software, including advanced e-mail filtering;
  3. enforcing password policies;
  4. restricting approval rights and administration privileges; and
  5. obtaining cyber liability insurance policies.

However, general liability policies typically do not cover harm suffered in a cyberattack. About a decade ago, companies were unsuccessfully fighting with policyholders about whether general liability policies covered losses resulting from a data breach. Today, commercial general liability policies generally explicitly exclude electronic data from their definition of “property damage.”

Cyber Insurance Explained

Given the need for a policy that would cover the loss of data resulting from a cyberattack, insurance companies began offering separate cyber liability insurance policies. First-party cyber liability insurance typically covers the cost of network business interruptions, forensic investigation and restoration, legal fees, credit monitoring, and cyber threat extortion expenses. Third-party cyber liability insurance typically covers wrongful disclosure, content liability risks, and security or privacy breach regulatory proceedings.

Companies must be well educated and represented when obtaining cyber liability insurance. Unfortunately, many companies that offer these policies seek to limit their liability and, in turn, except many incidents. For example, one policy in 2017 attempted to except costs associated with a fraudulent funds transfer that occurred when employees initiated the transfer after receiving a forged e-mail from a hacker. In 2018, another policy attempted to limit its coverage by arguing that the losses incurred by a company were not directly caused by computer fraud, but rather were incidental. Now, policies are attempting to invoke an “act of war” exception, where insurers argue that large attacks from foreign hackers are in fact “acts of war” and therefore not covered by the policy.

Although it is recommended that companies obtain cyber liability insurance policies in an effort to combat the enormous expense that follows a cybersecurity breach, cyber liability insurance policies are not a simple catch-all and are certainly not an alternative to staying current on training employees, frequently updating software, and conducting regular security assessments.

While construction companies may not appear to be the most profitable targets for hackers, they are the perfect combination of numerous moving parts, people, and complex projects. Add to this their lax cybersecurity measures, and hackers have found an opportune target.

Cyber Education Tips

In order to combat the recent uptick in hackers attacking construction companies, we recommend that companies:

  1. train employees about cybersecurity;
  2. frequently update software;
  3. conduct regular security assessments; and
  4. look into obtaining cyber liability insurance.

A cyberattack could cost millions of dollars and your reputation.  In a world where three out of four construction companies have reported a breach in the last year, cybersecurity is not to be taken lightly.

Resource: https://www.channele2e.com/business/vertical-markets/cyberattacks-on-construction-companies-insurance-tips/

 


Comcast Pledges Affordable Internet for the Welfare Eligible


The Internet Essentials program, meant for low-income households with school-age children, initially faced criticism for being overly restrictive. The changes clear the way for an estimated 3 million homes nationwide.

(TNS) — Comcast on Tuesday announced the largest expansion of its discounted Internet services for low-income families since the program started in 2011 and estimates that an additional three million households could be eligible nationwide.

The company now says it’s opening the Internet Essentials door to anyone who qualifies for a welfare program, substantially taking the service beyond its initial mission of helping low-income families with school-age children.

The changes address criticism that Comcast made the program so restrictive in its initial years that it didn’t go far enough in closing the digital divide, or the gap between low-income people who can’t afford the Internet and those who can.

Among those groups targeted are low-income college students, like Iona Livingston, who began using the service after Peirce College in Philadelphia launched a pilot program with Comcast in 2017. Livingston, 53, who is studying for a certificate in medical coding, used to do her class assignments at the Center City insurance company where she works.

“It helps a whole lot,” she said. “I don’t have to worry about leaving here late. I’m able to run home, eat, get myself comfortable, go to my laptop, and sign in. It makes it so much easier.”

Comcast launched Internet Essentials eight years ago, offering families whose children qualified for free lunches access to the Internet for $9.95 a month, about one-fifth the regular cost. (Internet currently costs about $53 a month for regular paying customers in Philadelphia, including modem rental.)

Two million households and eight million people have been connected to the service in cities and towns covered by Comcast — two million of them in the last year, the company said. In Philadelphia, 72,000 households representing an estimated 288,000 people have signed on since 2011. That’s the third-highest number, behind Chicago and Houston, Comcast officials said.

Comcast does not disclose figures on how many of those who signed up over the years remain users. Company officials said their role is to make the connection, and it’s impossible to know why people quit. Some may move out of Comcast territory or opt for higher speeds as their finances improve.

The company also does not disclose how much it has spent on the program but notes that over the last eight years it has invested $650 million in digital literacy training for 9.5 million people.

Since the program started, Comcast has expanded criteria for the offering a dozen times, to families whose children qualify for reduced lunches, to Head Start, to those in public housing, to senior citizens in pilot areas, and last year to veterans.

But this week’s announcement, said David L. Cohen, senior executive vice president of Comcast, is the largest expansion and may be the last one.

“I don’t know who else we expand to,” he said. “With this expansion, we have extended the benefit of the program to the entire target population we want to reach, low-income Americans living within our footprint.”

There are seven new eligibility criteria including anyone on Medicaid. The others are: SNAP: Supplemental Nutrition Assistance Program; TANF: Temporary Assistance for Needy Families; SSI: Supplemental Security Income; LIHEAP: Low Income Home Energy Assistance Program; WIC: Women, Infants, and Children; and Tribal Assistance: including Tribal Temporary Assistance for Needy Families and Food Distribution Program on Indian Reservations.

In addition to low-income college students, Comcast officials expect the expansion will reach more low-income people with disabilities, who may not live in public housing or have children in school, and seniors who hadn’t previously been in pilot programs.

Expanding the criteria alone won’t increase the number of users, he acknowledged.

“As we go on, these people are harder and harder to reach and harder and harder to connect," Cohen said. "There are real barriers to adoption.”

Cohen cited fear of the Internet, lack of computer equipment and cost. To combat those barriers, as part of the program, the company has sold more than 100,000 discounted computers and conducted the digital literacy programs.

As with other expansions, Comcast will look to partner with companies and institutions that can get the word out about the service, Cohen said. Company officials are about to embark on a tour to several cities, starting in Miami, to tout the expansion.

Locally, the impact has been significant, Cohen said. In Philadelphia, from 2013 to 2017, the broadband adoption rate grew from 65 percent to 72 percent, he said. He attributed half of that growth to Internet Essentials.

Not all the company’s efforts to broaden access have worked, Cohen said. Comcast’s pilots with community colleges didn’t gain much traction, he said, perhaps because college students have access to computer labs and libraries.

The pilot program with Peirce, however, went well, he said, noting that more than 50 students have signed on.

“It is an added value for those students who perhaps never had access outside of their work and would like it at home,” said Peirce president Mary Ellen Caro.

Peirce serves a nontraditional student body. The average age of students is 35 and 60 percent qualify for Pell grants targeted at low-income students.

With the new expansion of eligibility, Comcast officials said they won’t need more pilot programs with colleges because low-income students will be covered.

Cohen said that since the program started he has heard from many users who say having Internet at home has made a difference. He cited a woman in Chicago whose son stopped skipping school and started thinking about college after he got a computer to do his homework. Another, he said, saw her children’s grades improve and went back to school for her GED, with the goal of becoming a schoolteacher.

It made a difference for Livingston, the Peirce student, too.

Livingston said she had to give up cable and Internet when she went from two jobs to one. She learned about the Comcast program at Peirce.

“I feel like I get a lot more done with my assignments,” she said.

Resource: https://www.govtech.com/network/Comcast-Pledges-Affordable-Internet-for-the-Welfare-Eligible.html


Ransomware Attacks on Businesses Are Skyrocketing


The ransomware attacks are also largely targeting machines in the US, which accounted for 53 percent of Malwarebytes's ransomware detections. The good news is that ransomware attacks on consumers have gone down.

There's good news and bad news on the ransomware front: Attacks on consumers are down, but assaults on businesses have been skyrocketing, according to antivirus firm Malwarebytes.

In the second quarter, the company noticed a 363 percent year-over-year increase on ransomware attacks targeting clients running its business software. "Cybercriminals are searching for higher returns on their investment, and they can reap serious benefits from ransoming organizations over individuals," the antivirus firm said in a Thursday report.

Indeed, ransomware incidents have been grabbing headlines for shutting down IT systems at schools and city governments by encrypting data inside a computer and holding it hostage unless victims pay up.

Ransomware that targets consumers will usually only be able to encrypt a single machine. Hit the IT systems of an organization, however, and the malware can lock whole fleets of computers. Recently, two Florida cities hit with ransomware decided to pay off the attackers about $500,000 and $600,000, respectively, rather than risk losing municipal data.

"Encrypting business-critical files on any number of (computer) endpoints can supply huge benefits to cybercriminals, including much larger ransom demands and an exponentially higher chance of getting paid," the antivirus firm said.

Ransomware attacks against Malwarebytes' consumer software dropped 12 percent year-over-year in Q2. A year ago, consumer machines made up the bulk of all ransomware targets, but attacks are now going after consumers and businesses almost equally.

The ransomware attacks are largely targeting machines in the US, which accounted for 53 percent of Malwarebytes's ransomware detections. Canada came in second at 10 percent.

Coveware, a separate security firm, has also noticed that hackers behind the attacks have been demanding higher ransom amounts. "In Q2 of 2019, the average ransom payment increased by 184 percent to $36,295, as compared to $12,762 in Q1 of 2019," the company said in a report last month.

According to Coveware, many of the attacks targeting businesses involve delivering the ransomware by exploiting unprotected Windows systems with the Remote Desktop Protocol (RDP) activated. The hackers also like to use phishing emails that try to trick the victim into installing the ransomware.

The FBI and cybersecurity experts generally advise against victims paying the ransom. Doing so incentivizes the hackers to strike again, and there's no guarantee the encrypted data will be restored. Victims should also check whether free decryption software can release their data from the particular ransomware strain that hit their computer.

Resource: https://www.pcmag.com/news/370073/ransomware-attacks-on-businesses-are-skyrocketing

 

 

 

4 Questions CISOs Need to Ask About Enterprise Cybersecurity


Effective internal cybersecurity depends on chief information security officers (CISOs) and other security leaders knowing exactly what’s happening on their network and how it impacts overall protection. The problem is that when things are running smoothly, it’s tempting to go with the flow and avoid asking questions that might come with tough answers.

Here are four questions CISOs need to ask if they’re going to improve enterprise cybersecurity.

1. What’s Our Biggest Weakness?

The goal of cybersecurity is to mitigate vulnerabilities by identifying key weaknesses. Unfortunately, these IT issues aren’t always easy to spot in the CISO role given the amount of non-tech responsibility now owned by these executives. As Security Roundtable noted, the past few years have seen the CISO role evolve from one of risk manager to business enabler, in turn forcing a shift of both perspective and process.

As a result, CISOs must be willing to ask IT teams tough questions about where enterprise cybersecurity is effective and where potential weaknesses exist. Some of the most common include:

  • Cross-site scripting (XSS) — This attack vector remains one of the most successful and lucrative for malicious actors. Almost 28 percent of all bug bounties in 2018 were paid to white-hat hackers who discovered DOM-based, reflected, stored and generic XSS vulnerabilities, according to HackerOne. What does this mean for CISOs? Even if they haven’t been a problem yet, XSS flaws almost certainly exist on the corporate network. Better to find them ahead of attackers.
  • Multifactor authentication (MFA) — While introducing two or more factors for authentication significantly increases overall security with minimal disruption to user login processes, many organizations remain hesitant to implement this process. Employee pushback is often a primary challenge, but while CISOs don’t want to fight an uphill battle for better cybersecurity, MFA is worth the work.
  • Insider threats — The majority of organizations now consider internal threats on the same level as outsider attacks. This aligns with HackerOne findings that information disclosure remains a top-three security weakness: Despite their best efforts, employees often represent the biggest weakness in enterprise cybersecurity. Improved education plays a role in reducing this risk, but CISOs must also take steps to limit privileged access and monitor user activity across corporate networks.

2. How Many Apps Are Really Running on the Network?

Shadow IT. It’s not any CISO’s favorite phrase, but remains a common problem for enterprises. Thankfully, IT teams often have a better handle on — or can find out — exactly what applications and services are really running on corporate clouds. The number is often higher than expected: CSO pointed out that the proliferation of privately managed application programming interfaces (APIs) is quickly becoming “the new shadow IT” as developers and users deploy these APIs without security controls or oversight.

Armed with this knowledge, CISOs must create a plan to deal with shadow IT by determining how much risk benefits the business and how much is too much. Here, three broad strategies apply to turn shadow risk into business benefit:

  1. Ban everything — The most time- and resource-intensive option, some CISOs choose to aggressively pursue and eliminate shadow IT. This requires a top-tier monitoring solution to detect and identify unapproved apps. In addition, CISOs must draft clear guidelines and consequences for staff failure to comply.
  2. Incorporate where possible — This middle ground requires a review of all applications currently in use with the intent to green-light secure software solutions. Here, soliciting user feedback is often the fastest path to discovery — so long as it’s made clear that staff won’t face reprimands for coming forward with shadow application details.
  3. Design better solutions — Last but not least: Using in-house and open-source APIs to build applications that deliver key functions provided by shadow IT apps. The reasoning here is that shadow apps exist because employees can’t find the functions or ease-of-use they need from internal applications. By building out in-house alternatives, CISOs gain both security and critical network insight.

3. What’s the Cost of Improved Enterprise Cybersecurity?

Budgets matter, but so do outcomes. Here, CISOs must prepare themselves to hear the “bad news” of what it actually costs to improve cybersecurity.

In many cases, more personnel isn’t the answer. Not only are full-time employees expensive, but the growing cybersecurity skills gap makes it difficult to find best-fit candidates. Instead, CISOs are often better served by emerging technologies such as artificial intelligence (AI), identity and access management (IAM) and automation.

AI can help identify potentially malicious behavior, IAM solutions help limit the chance of an insider breach and automation significantly reduces the chance of human error. What makes this challenging for many CISOs is that solution, service and implementation costs vary across providers and industries, making it difficult to pin down exact cybersecurity spend.

As noted by Bank Info Security, however, it’s often more useful to look at the overall benefit of enterprise cybersecurity than the cost. While current predictions suggest that costs will outweigh direct infosec benefits sometime this year, the long-term benefits to IT security will continue to outpace spending. CISOs must also account for the cost benefits of what doesn’t happen to their organization.

According to Accenture’s “Ninth Annual Cost of Cybercrime Study,” 79 percent of businesses say new technologies introduce vulnerabilities faster than they can be secured. Meanwhile, IBM Security’s “2019 Cost of a Data Breach Report” found that data breaches now cost companies $3.92 million on average.

The bottom line is that costs avoided by securing networks and applications against potential breaches are more than enough to tip the scales in favor of intelligent cybersecurity spend.

4. How Do I Explain This to the Board?

The C-suite wants answers and actionable results. In turn, requests for bigger cybersecurity budgets often look like line items rather than line-of-business benefits.

Here, CISOs need to work with IT teams to create a narrative that frames IT security as a critical part of business success. It’s not always easy: Security Boulevard noted that just 38 percent of companies bring CISOs in on the ground floor of business discussions, meaning they’re often given limited time to make their pitch for enterprise cybersecurity needs.

According to Forrester, CISOs must help boards shift from “a culture of awareness to a culture of trust and understanding.” In practice, this means speaking to the business impact, rather than the IT impact, of potential security risks. Malware attacks don’t just limit network uptime; they could result in reputation loss and regulatory fines. Improved infosec integration doesn’t just streamline IT operations; it saves money every time an attack is identified at the perimeter or an unauthorized access request is refused by an application.

Knowledge Is Power

While discovering new weaknesses, shining a light on shadow IT, analyzing infosec costs and decoding the new language of C-suites isn’t always easy, tackling these top questions can help CISOs enhance enterprise cybersecurity and cement their role as essential business enablers.

Resource: https://securityintelligence.com/articles/4-questions-cisos-need-to-ask-about-enterprise-cybersecurity/

 


Scams use false alerts to target Office 365 users, admins


Malicious actors have recently been targeting Microsoft Office 365 users in two separate scams – one that distributes the TrickBot information-stealing trojan via a fake website and a phishing campaign that sends fake alerts with the intent to take over the accounts of email domain administrators.

The scams are respectively detailed in a pair of reports from Bleeping Computer. The first report credits MalwareHunterTeam with uncovering a fake Office 365 site that displays a fake alert to site visitors, falsely stating that their browsers need an update.

Clicking on the update button downloads a malicious executable that installs TrickBot on victims’ computers, at which point the malware begins communicating with a command-and-control server to execute various modules capable of exfiltrating user machine details, installed program information, Windows services information, login credentials, browsing history, form autofill information, and more.

The second report warns that phishers are sending emails disguised as Office 365 admin alerts that purportedly address time-sensitive issues such as expired licenses or an unauthorized access incident.

But clicking on the email’s links takes victims to a phishing landing page that asks users to enter their Microsoft login credentials. To make it look authentic, the cybercriminals use a windows.net domain on Azure, plus a certificate from Microsoft.

“As you can imagine, if an admin falls for this scam and enters their credentials in the page they will be stolen by the attackers. Unless that account has some sort of two-factor authentication enabled on it, the attacker would be able to gain access to the Office 365 admin portal,” wrote report author Lawrence Abrams, creator and owner of Bleeping Computer.
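The detail that makes this campaign effective is the hosting: a landing page under a Microsoft-owned domain with a Microsoft-issued certificate looks right to a hurried admin, yet anyone with an Azure subscription can put content under those tenant-hosted names. The triage function below is an added example, not code from Bleeping Computer or the original article. It classifies links pulled from an "admin alert" email by separating the few hosts where a genuine Microsoft sign-in prompt lives from tenant-controlled Azure suffixes where a credential prompt should never appear. The allowlist, the suffix list and the sample links are assumptions for illustration.

```python
"""Triage links from Office 365 "admin alert" emails.

Added example, not code from the original article. The legitimate sign-in
hosts and the tenant-hosted Azure suffixes below are assumptions; extend
them for your tenant. The sample links are constructed.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist of hosts where a real Microsoft credential prompt lives.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

# Assumed set of suffixes any Azure customer (or attacker) can host content
# under. A valid Microsoft certificate on these proves nothing about the owner.
TENANT_HOSTED_SUFFIXES = (
    ".blob.core.windows.net",
    ".web.core.windows.net",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
)

# Words in a path or query that suggest a credential prompt or account pressure.
LURE_WORDS = re.compile(
    r"(login|signin|sign-in|password|verify|expire|licen[cs]e|unauthori[sz]ed)", re.I)


def classify_link(url):
    """Return ("allow" | "block" | "review", reason) for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "review", "unparseable URL"
    if host in LEGIT_LOGIN_HOSTS:
        return "allow", "known Microsoft sign-in host"
    lure = bool(LURE_WORDS.search(parts.path + "?" + parts.query))
    if host.endswith(TENANT_HOSTED_SUFFIXES):
        if lure:
            return "block", f"credential lure on tenant-hosted domain {host}"
        return "review", f"tenant-hosted domain {host}"
    if any(tok in host for tok in ("microsoft", "office365", "o365")):
        return "block", f"Microsoft lookalike host {host}"
    return "review", "unknown host"


def triage_links(urls):
    """Classify a batch; returns {verdict: [url, ...]} preserving input order."""
    out = {"allow": [], "block": [], "review": []}
    for url in urls:
        verdict, _ = classify_link(url)
        out[verdict].append(url)
    return out


# Constructed sample links as they might be extracted from an alert email.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
    "https://contoso-alerts.blob.core.windows.net/admin/login.html?license=expired",
    "https://secure-office365-portal.com/verify",
    "https://docs.example.org/release-notes",
    "https://reports.web.core.windows.net/q2/summary.html",
]

if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        verdict, reason = classify_link(url)
        print(f"{verdict:6} {reason:50} {url}")
```

Note what this does not do: it never consults the certificate, because in this campaign the certificate is genuine and tells you nothing. The same logic can be dropped into a mail gateway rule or a SOAR playbook. Pair it with the other half of Abrams' advice and make MFA mandatory on every Global Administrator account, so that a stolen password alone does not open the admin portal.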

Resource: https://www.scmagazine.com/home/security-news/cybercrime/scams-use-false-alerts-to-target-office-365-users-admins/?utm_source=newsletter&utm_medium=email&utm_campaign=SCUS_Newswire_20190723&hmSubId=iYNy2lBVqX41&email_hash=5d5f08ba87aae9b9ab6055f3032d5bb7&mpweb=1325-9325-175786


What we can learn from the most damaging cyberattack in history


Lorina Nash rushed her mother to the emergency room at Lister Hospital in Stevenage, England. The doctors said they needed tests to diagnose the problem. They gave Nash’s mother a blood test, but then the computers crashed and they could not complete the analysis. The doctors put the sample in the hands of a courier and sent him on a three-hour trip to a clinic whose computers were still working. Lorina and her mom waited in what became a largely empty ER, as most patients were sent away.

Ambulances racing to Essex Hospital were redirected elsewhere, as the Accident and Emergency department there had also stopped accepting patients. At North Hampshire Hospital, the CT and X-ray machines froze. Colchester Hospital canceled twenty-five operations. At Chesterfield Royal Hospital the problem was the reverse: without functioning computers, patients could not be released and had to spend another night in the hospital. It was May 12, 2017, and the British National Health Service had been hit by a ransomware cyberattack that was shutting down businesses all over Europe and North America, locking down computers and demanding payment in Bitcoin to unlock them.

The attack tool used became known as WannaCry, and seven months later the Australian, British, and American governments identified the culprit as one of the North Korean government’s hacking groups, sometimes called the Lazarus Group by Western analysts. While WannaCry captured the media’s attention in the United States and many other countries, the events in May were only a prelude to a much more devastating attack a month later by another state actor. Indeed, what was to come was the most devastating single cyberattack in history, so far costing companies more than $20 billion and, more importantly, shutting down key infrastructure.

While WannaCry got the public’s attention, corporate and government IT security professionals had already been aware of the growing risk of ransomware. A year earlier, a virus known as Petya (named after a Soviet weapon in a James Bond movie) had demonstrated significant success in attacking Windows-based systems and then spreading encryption throughout the infected network. Analysis of Petya by U.S. cybersecurity firms later revealed that it employed an attack technique based on the National Security Agency’s EternalBlue weapon.

Then in late June 2017, malware resembling Petya spread with unprecedented speed around the world, attacking Microsoft servers and then jumping to all connected devices on the affected corporate networks. In major companies seemingly selected at random, and at their facilities in scores of nations, computer screens froze and flashed messages demanding payment. It looked like ransomware again. It wasn’t.

Once analysts realized it was not the Petya attack again, they creatively labeled the new attack NotPetya. What cybersecurity experts quickly surmised was that the demand for ransom was fake, a diversion. The attacking software was actually what was known as a wiper, which erased all software on the infected devices. Any device connected on an infected network would be wiped: desktops, laptops, data storage servers, routers, IP phones, mobile phones, tablets, printers.

Operations at major global corporations suddenly ground to a halt. At the pharmaceutical firm Merck, which made more than $40 billion in revenue in 2017 and employed more than sixty thousand workers, production lines froze. Distribution of vaccinations, oncology drugs, and hundreds of other pharmaceuticals stopped. Later, the company would claim the damages cost them almost $900 million.

Maersk, a container ship and port giant, suddenly could not operate the cranes that move millions of shipping containers at its megaports around the world, including New York and New Jersey, Los Angeles, and Rotterdam. Moreover, it had no idea where any given container was, what was in any container, or where any container was supposed to go. Later, the company would publicly own up to $300 million in damages, but a company insider told us that when opportunity costs were accounted for, the true loss was triple that number.

Hundreds of corporations, some in almost every sector, were frozen, including the logistics firm TNT Express (a subsidiary of FedEx), Mondelēz, the snack company, and the DLA Piper law firm. If there had been any doubt that a cyberattack could be global in an instant, that it could disable physical systems, or that it could affect the machinery that keeps the global economy moving, that doubt evaporated on June 27, 2017. Was it cyberwar?

Whether NotPetya was an act of cyber war depends, of course, on your definition. Upon examination, NotPetya was an operation run by a military unit, specifically the Main Directorate of the General Staff of the Russian Federation’s military, often called the GRU or Russian military intelligence. (In the funny-name-game world of cyber wonks, the GRU’s hacking team is also known as Fancy Bear.)

The Russian military did not, we suspect, intend to indiscriminately attack global corporations. What it had intended was a crippling attack on Ukraine on the eve of its national holiday, Constitution Day. The GRU had figured out a truly creative attack vector, a channel that could be used to spread an attack.

What the GRU had noticed was that almost every company and government ministry in Ukraine used the same accounting software. Think of the prevalence of QuickBooks in the United States and you will get the picture. Only in Ukraine, the equivalent software was known as M.E.Doc, from the Ukrainian software company the Linkos Group. Like every other similar application, the M.E.Doc program was periodically updated. Updates were pushed out to licensed users from a server at Linkos. The updates were digitally signed by Linkos and recognized by users’ firewalls, thus allowing the M.E.Doc updates to pass freely into corporate networks.

So the GRU hacked into Linkos and planted a little something extra in the next update to M.E.Doc: an attack package that exploited a known vulnerability in Microsoft server software, combined with a password-hacking tool and instructions to spread to any connected device on the network, wiping them of all software.

The GRU attack worked almost flawlessly, destroying about 10 percent of all devices in Ukraine, including some in every government ministry, more than twenty financial institutions, and at least four hospitals.

Almost flawlessly. What the GRU had apparently not recognized (or maybe they did) was that global companies operating in Ukraine would also be hit, and from their Ukrainian offices the attack would spread over virtual private networks (VPNs) and rented corporate fiber connections back to corporate headquarters in England, Denmark, the United States, and elsewhere.
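The lesson in that last paragraph is a network-design one: a worm that spreads over SMB goes wherever TCP/445 is allowed, and a site-to-site VPN that forwards SMB turns a branch-office infection into a headquarters infection. The model below is an added example, not from the original book excerpt; it treats network segments as nodes, firewall and VPN rules as edges labelled with the ports they permit, and computes how far something that needs port 445 on every hop can travel. The topology and rule set are constructed; the exercise is to run it against your own rule export.

```python
"""Blast radius of a worm spreading over SMB (TCP/445) across segments.

Added example, not from the original excerpt. The segments and rules
below are a constructed, simplified model of a branch office linked to
headquarters by a site-to-site VPN.
"""
from collections import deque

SMB = 445

# Constructed rule set: (src_segment, dst_segment, allowed TCP ports).
# Rules are directional; a permissive VPN is written as two rules.
RULES_PERMISSIVE = [
    ("kyiv-office", "vpn-hub", {445, 3389, 443}),
    ("vpn-hub", "kyiv-office", {445, 3389, 443}),
    ("vpn-hub", "hq-users", {445, 3389, 443}),
    ("hq-users", "vpn-hub", {445, 3389, 443}),
    ("hq-users", "hq-servers", {445, 443, 1433}),
    ("hq-servers", "hq-users", {445}),
    ("hq-users", "internet", {443, 80}),
]

# Same topology with SMB removed from every rule that crosses the VPN hub.
RULES_SEGMENTED = [
    (src, dst, {p for p in ports if not (p == SMB and "vpn-hub" in (src, dst))})
    for src, dst, ports in RULES_PERMISSIVE
]


def reachable_over_port(rules, start, port):
    """Segments reachable from `start` when every hop must permit `port`."""
    adj = {}
    for src, dst, ports in rules:
        if port in ports:
            adj.setdefault(src, set()).add(dst)
    seen = {start}
    queue = deque([start])
    while queue:  # plain breadth-first search over permitted edges
        cur = queue.popleft()
        for nxt in adj.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(rules, start, port=SMB):
    """Reachable segments other than the starting one, sorted for display."""
    return sorted(reachable_over_port(rules, start, port) - {start})


if __name__ == "__main__":
    print("permissive VPN :", blast_radius(RULES_PERMISSIVE, "kyiv-office"))
    print("SMB blocked    :", blast_radius(RULES_SEGMENTED, "kyiv-office"))
```

With the permissive rules, an infected host in the branch reaches the VPN hub, the headquarters user segment and the server segment in three hops; with SMB stripped from the VPN rules the branch infection stays in the branch, even though RDP and HTTPS still flow. The model ignores credential reuse (NotPetya also harvested passwords to move over legitimate admin channels), so treat the output as a lower bound on exposure, not an upper one.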

This kind of mistaken collateral damage is not unique to NotPetya or to the GRU. The software used in the so-called Stuxnet attack on the Iranian nuclear enrichment plant reportedly carried out by the United States in 2010 somehow got out into the world, even though the Natanz plant was not connected to the internet or any other network. Stuxnet quickly spread around the globe, was captured by cybersecurity teams in many countries, and was decompiled, with parts of it later reused in new attack tools.

Stuxnet, however, did not damage anything outside of Natanz, because it was written in a way that the only thing it could hurt was the Iranian nuclear enrichment processor. Nonetheless, the fact that the software spread way beyond its target was reportedly one of the motivations for President Obama’s subsequent directive, Presidential Policy Directive 20, which allegedly restricted further offensive use of cyber tools without his personal approval. (President Trump is reported to have removed those restrictions in 2018.)

Stuxnet revealed to the world, or at least to anyone who cared enough to bother to grab a copy, one of the most sophisticated attack tools ever, containing more than fifty thousand lines of computer code including numerous tricks never used before (so-called zero-day exploits). NotPetya revealed not a thing about Russian GRU attack tools. It exposed nothing of theirs because it was not their tool. It was America’s.

An obscure, important, and contentious debate among cybersecurity experts concerns whether it’s the responsibility of the U.S. government to tell software developers (say, Microsoft) when NSA hackers find a mistake in the company’s code that would permit someone to do something new and malicious, such as hack in and copy customer data, steal money, or wipe out all the software on a network. In the parlance of U.S. government cyber-policy makers, this debate is called the “equities issue” because it involves balancing the interests of intelligence agencies trying to attack with the concerns of government departments such as Treasury and Homeland Security that have an interest in more secure corporate networks.

If the government tells the software developer, then the company issues a “patch” that can fix the problem. If the government does not tell them, then it can hack into interesting foreign networks using the vulnerability in order to learn things to protect the country. (The government creates an “exploit,” a hacking tool that takes advantage of the poorly written computer code.)

After Edward Snowden stole sensitive NSA information and gave it to WikiLeaks (and the Russians), President Obama appointed a five-man group to investigate and make recommendations. Dick Clarke was one of the group that became known as the Five Guys, after the Washington hamburger chain.

Five Guys’ recommendations were all made public, every single word of them, by the Obama White House. One of those recommendations was that when the NSA finds a hole in widely used software, it should tell the manufacturer, with rare exceptions. Those exceptions would be approved at a high level in the government and should be valid for only a finite period. The Obama administration accepted that recommendation.

Microsoft has charged that the NSA knew about a big problem with Microsoft’s server software for five years and did not tell them. Instead, the NSA developed an attack tool, or zero-day exploit, and called it EternalBlue. Presumably, the NSA used EternalBlue to get into foreign networks. Only in March 2017 did Microsoft, having just been informed of its software’s deficiencies by the U.S. government, issue a patch for the problem.

As is always the case when a software company issues a patch, not every one of its users gets the message or believes the warning that it is a critical patch that has to be installed right away. So, despite the patch, the North Korean authors of WannaCry were successful in using the vulnerability two months later, in May 2017, and the Russian GRU used it again, in combination with other tricks, in creating the June 2017 NotPetya disaster.

Those devastating attacks would almost certainly have been avoided if the U.S. government had told Microsoft years earlier. At least, that is what Microsoft said publicly after it figured out what happened.

Why did the government finally tell Microsoft? Our guess, and it is just that, is that by March 2016 the government had figured out that Russia had stolen the U.S. attack kit, knew about the zero day, and was using it or was about to use it.

All of this might not constitute war according to the traditional definition, but it is fairly clear by now that the United States and its allies have been regularly attacked by the Russian military using cyber weapons. The Russian military has not only used cyber weapons to collect intelligence, but it has also deployed cyberweapons to damage, disrupt, and destroy physical objects in the real world, beyond the realm of 1s and 0s. And the Russians are not the only ones. To quote the British Foreign Office, the Russians are simply the most “reckless and indiscriminate.”

Russia’s GRU successfully penetrated the Pentagon’s classified intranet, as well as the State Department and White House systems. According to the United Kingdom’s National Cybersecurity Center in October 2018, the GRU has engaged in a sustained campaign of low-level cyber war for several years, going back at least to its 2007 attack on Estonia and its 2008 attack on the nation of Georgia.

Famously, the Russian GRU penetrated the Democratic National Committee (which admittedly required little skill) as one part of a multifaceted campaign to affect the outcome of the U.S. presidential election. And of course, there was the most damaging cyberattack in history to date, NotPetya, about which the White House issued a rare public statement of attribution regarding a cyberattack.

Whether or not you call all of that activity cyber war, it is objectively a lot of damage being done by a military organization. Most significant hacking used to be done by non-state actors, individuals, or clubs. Now, major attacks are usually the work of some nation’s military.

Nations are regularly using their militaries not only to steal secrets, but to damage, disrupt, and destroy sensitive systems inside potential enemy nations. Such operations could easily lead to escalation into broader war, intentionally or unintentionally. The U.S. military, for example, has said that it reserves the right to respond to cyberattacks with any weapon in its arsenal. To be clear, the recent and current levels, pace, and scope of disruptive activity in cyberspace by the military units of several nations is unprecedented, dangerous, and unsustainable in “peacetime.” It cannot continue like this. Either we control and deescalate tensions, or conditions will cease to have any resemblance to peacetime.

If we do not take concerted steps to reduce the risk of cyber war, if we do not engage in a multifaceted program to bring us closer to cyber peace, we risk highly destructive cyberattacks that could cripple modern societies and escalate into the kind of Great Power conflict we have not seen in more than seventy-five years. Thus, we need to make it a major national priority to find ways of defeating nation-state hackers. 

Resource: https://www.linkedin.com/pulse/what-we-can-learn-from-most-damaging-cyberattack-history-clarke/ 


Ransomware attackers demand $1.8m from US college


Credit where credit’s due: Monroe College, frozen by a ransomware attack since 6:45 a.m. Wednesday 10 July 2019, has seen a silver lining: it’s gone back to ye good old analog, friendlier, more-in-person ways of yore to keep working.

From a statement sent by Marc Jerome, president of Monroe College, a for-profit institution based in the Bronx borough of New York City, to Inside Higher Ed:

Our team is working feverishly to bring everything back online, and we are working with the appropriate authorities to resolve the situation as quickly as possible.

In the meantime, Monroe continues to operate. We’re simply doing it the way colleges did before email and the internet, which results in more personal interactions. As we have done throughout our 86-year history, we are coming together to assure that our students, faculty and staff are well served.

As of yesterday, the college was still relying on what it says is a microsite that it put up last week in response to the outage.

It also sent workaround instructions to students in its latest Tweet, sent last Friday.

Nearly 8,000 students affected

The NY Daily News reports that the attack paralyzed systems at all of Monroe’s campuses in Manhattan, New Rochelle and St. Lucia, where a total of nearly 8,000 students are enrolled.

The attackers told the school that it could get back up and running once it paid 170 Bitcoin. The going price as of Monday for one Bitcoin was US $10,522, putting the total ransom at US $1,788,740.

Will Monroe pay? Or will the college tell the attackers to take a long walk off a short pier, which the US Conference of Mayors last month resolved would be the go-to response for all the government entities that keep getting hit in ransomware attacks?

Jackie Ruegger, executive director of public affairs at the college, said on Friday that Monroe didn’t know who was behind the attack. She didn’t comment on whether the school would be paying the ransom. Ruegger said that the college is working with local law enforcement officials and the FBI.

Attacks keep piling up

As we reported last week, there have been at least three new ransomware attacks against state and local governments since late April, and in Florida alone, we’ve seen three cities get hit over the past few months, including Riviera Beach, which agreed to pay attackers, and Lake City, which was hit by Ryuk ransomware, apparently delivered via Emotet. Lake City officials agreed to pay a ransom of about $490,000 in Bitcoin.

But being in good company is no consolation when you’re scrambling to rebuild your network after an attack like this. Monroe, we wish your staff godspeed in recovering.

Unfortunately, we’re reporting on these attacks on a near-weekly basis. They’re likely underreported, at that, given that there’s no centralized government agency to report them to and no legal requirement to report them.

What to do?

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.

The bottom line is: if all else fails, you’ll wish you had comprehensive backups, and that they aren’t accessible to attackers who’ve compromised your network. Modern ransomware attacks don’t just encrypt data, they encrypt parts of the computer’s operating system too, so your backup plan needs to account for how you will restore entire machines, not just data.
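"Comprehensive backups that attackers can't reach" is only half of a backup plan; the other half is being able to prove, before you rebuild, that what you are about to restore is the data you backed up and not something the ransomware touched. The script below is an added example, not from the original article. It writes a manifest (path, size, SHA-256) at backup time, on the assumption that the manifest is stored somewhere production systems cannot write to, and later verifies a read-back of the backup against it, flagging missing files, added files and altered files, and noting when altered content has the near-random byte distribution of ciphertext. The files are constructed in memory so it runs offline.

```python
"""Verify a backup set against a manifest kept out of band.

Added example; not from the original article. Assumes the manifest is
written at backup time and stored where the production network cannot
modify it (offline media, an object-locked bucket, a separate account).
All sample files are constructed in memory.
"""
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files):
    """files: {path: bytes} -> {path: (size, sha256)}, produced at backup time."""
    return {p: (len(b), sha256_hex(b)) for p, b in files.items()}


def verify_backup(files, manifest, entropy_threshold=7.5):
    """Compare a read-back of the backup against the out-of-band manifest.

    Returns {path: finding} where finding is one of "ok", "missing",
    "extra", "hash-mismatch" or "hash-mismatch,high-entropy" (the changed
    content looks encrypted rather than merely edited).
    """
    findings = {}
    for path, (size, digest) in manifest.items():
        if path not in files:
            findings[path] = "missing"
            continue
        data = files[path]
        if len(data) == size and sha256_hex(data) == digest:
            findings[path] = "ok"
        else:
            tag = "hash-mismatch"
            if shannon_entropy(data) >= entropy_threshold:
                tag += ",high-entropy"
            findings[path] = tag
    for path in files:
        if path not in manifest:
            findings[path] = "extra"
    return findings


def is_restorable(findings):
    """Restore only if every manifest entry verified clean; extras are ignored."""
    return all(v == "ok" for v in findings.values() if v != "extra")


# Constructed sample: what was backed up ...
ORIGINAL = {
    "finance/ledger.csv": b"date,account,amount\n" * 200,
    "hr/roster.txt": b"alice\nbob\ncarol\n" * 50,
    "registrar/grades.db": bytes(range(256)) * 4,  # binary, high entropy but legitimate
}
MANIFEST = build_manifest(ORIGINAL)

# ... and what the share looks like after ransomware encrypted one file,
# deleted another and dropped a note. Deterministic SHA-256 output stands in
# for ciphertext so the example has no randomness.
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(125))
AFTER_ATTACK = {
    "finance/ledger.csv": FAKE_CIPHERTEXT,
    "registrar/grades.db": ORIGINAL["registrar/grades.db"],
    "README_TO_DECRYPT.txt": b"your files are encrypted",
}

if __name__ == "__main__":
    for path, finding in sorted(verify_backup(AFTER_ATTACK, MANIFEST).items()):
        print(f"{finding:28} {path}")
    print("restorable:", is_restorable(verify_backup(AFTER_ATTACK, MANIFEST)))
```

Two design points. The manifest, not the entropy score, is the authority: the grades database has maximal entropy yet verifies clean, while the ledger fails on its hash first and only then gets the high-entropy tag as a hint about what happened to it. And the check covers only file data; since modern ransomware also damages the operating system, the same manifest discipline needs to extend to whole-machine images, which is the restore-entire-machines point the article makes.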


Cybersecurity: Malware lingers in SMBs for an average of 800 days before discovery

Small and medium-sized businesses lack the IT staff needed to run comprehensive security detection and response, according to Infocyte.

Despite the adoption of advanced cybersecurity tools, SMBs remain particularly vulnerable to long-lasting breaches compared to enterprise companies, due to a lack of the IT staff needed to detect and respond to threats, according to Infocyte's Mid-market Threat and Incident Response Report, released Thursday.

Infocyte measured threats over the 90-day span from April to June 2019, reviewing more than 550,000 forensic inspections on systems across hundreds of customer networks in the mid-enterprise business sector. Unsurprisingly, SMBs are more vulnerable to various types of threats, the report found: 22% of SMBs said their networks have encountered a ransomware attack that bypassed preventative security controls, while fileless malware attacks are also on the rise.

Average attack dwell time—the time between an attack penetrating a network's defenses and being discovered—ranged from 43 to 895 days for SMBs, the report found. The average dwell time for confirmed, persistent malware was 798 days. Dwell time for riskware—including unwanted applications, web trackers, and adware—averaged 869 days.

Dwell time for attacks including ransomware was much lower, averaging 43 days between the infection of the initial Trojan (often Trickbot or Emotet) and remediation, due to how the ransomware informs its victims, the report noted. 

Some 72% of inspected SMB networks found riskware and unwanted applications in their environment that took longer than 90 days to remove, Infocyte found. While riskware is generally a lower risk than other attacks, networks that fail to control riskware also tend to be less ready to respond to high-priority threats once they are uncovered, according to the report. 

"Infocyte's findings should be a wake-up call for SMBs that are overly confident in their organization's cybersecurity posture. The reality is that many lack the resources, technology, expertise, and visibility to protect their organizations, let alone their customers' and partners' data. The long dwell times reported by Infocyte indicate SMBs are at a higher risk of compromise than their larger enterprise counterparts," Aaron Sherrill, senior analyst at 451 Research, said in a press release. "While modern cybersecurity threats that evade legacy preventative and detection tools are a growing security gap for SMBs, many are unable to remediate the threats they do know about in a reasonable timeframe."

Resource: https://www.techrepublic.com/article/cybersecurity-malware-lingers-in-smbs-for-an-average-of-800-days-before-discovery/

 


Five emerging cybersecurity threats you should take very seriously in 2019

The cyberthreat landscape continues to evolve, with new threats emerging almost daily. The ability to track and prepare to face these threats can help security and risk management leaders improve their organization's resilience and better support business goals.

The number of high-profile breaches and attacks making headlines has led business leaders to finally take cybersecurity seriously, said Sam Olyaei, senior principal and analyst at Gartner.

"Today, not only are business leaders and the business community understanding cybersecurity, they know it's important to their business outcomes and objectives," Olyaei said. "The problem is, there is still a lack of understanding as to why it's important."

Firms must work to bridge the gap between communicating the technical aspects of cybersecurity and the business outcomes, such as customer satisfaction, financial health, and reputation, Olyaei said.

Keeping track of new threats and not just established ones like ransomware is key for a strong security posture, said Josh Zelonis, senior analyst at Forrester.  

"Whenever we develop our strategies for how we're going to protect our organizations, it's really easy to look at things that you're familiar with, or that you have a good understanding of," Zelonis said. "But if you're not looking ahead, you're building for the problems that already exist, and not setting yourself up for long-term success. And that is really the number one reason why you need to be looking ahead -- to understand how attack techniques are evolving."

Here are five emerging cybersecurity threats that business, technology, and security leaders need to take seriously this year.

1. Cryptojacking

Ransomware has been one of the biggest threats impacting businesses in the past two years, exploiting basic vulnerabilities including lack of network segmentation and backups, Gartner's Olyaei said.

Today, threat actors are employing the same variants of ransomware previously used to encrypt data to ransom an organization's resources or systems to mine for cryptocurrency -- a practice known as cryptojacking or cryptomining.

"These are strains of malware that are very similar to strains that different types of ransomware, like Petya and NotPetya, had in place, but instead it's kind of running in the background silently mining for cryptocurrency," Olyaei said.

The rise of cryptojacking means the argument that many SMB leaders used in the past -- that their business was too small to be attacked -- goes out the window, Olyaei said. "You still have computers, you still have resources, you still have applications," he added. "And these application systems, computers, and resources can be used to mine for cryptocurrency. That's one of the biggest threats that we see from that standpoint."

2. Internet of Things (IoT) device threats

Companies are adding more and more devices to their infrastructures, said Forrester's Zelonis. "Organizations are going and adding solutions like security cameras and smart container ships, and a lot of these devices don't have how you're going to manage them factored into the design of the products."

Maintenance is often the last consideration when it comes to IoT, Zelonis said. Organizations that want to stay safe should require that all IoT devices be manageable and implement a process for updating them.  

3. Geopolitical risks

More organizations are starting to consider where their products are based or implemented and where their data is stored, in terms of cybersecurity risks and regulations, Olyaei said.

"When you have regulations like GDPR and threat actors that emerge from nation states like Russia, China, North Korea, and Iran, more and more organizations are beginning to evaluate the intricacies of the security controls of their vendors and their suppliers," Olyaei said. "They're looking at geopolitical risk as a cyber risk, whereas in the past geopolitical was sort of a separate risk function, belonging in enterprise risk."

If organizations do not consider location and geopolitical risk, those that store data in a third party or a nation state that is very sensitive will run the risk of threat actors or nation state resources being used against them, Olyaei said. "If you do that then you also impact the business outcome."

4. Cross-site scripting

Organizations struggle to avoid cross-site scripting (XSS) attacks in the development cycle, Zelonis said. More than 21 percent of vulnerabilities identified by bug bounty programs are XSS issues, making them the leading vulnerability type, Forrester research found.

XSS attacks allow adversaries to use business websites to execute untrusted code in a victim's browser, making it easy for a criminal to interact with a user and steal their cookie information used for authentication to hijack the site without any credentials, Forrester said.

Security teams often discount the severity of this attack, Zelonis said. But bug bounty programs can help identify XSS attacks and other weaknesses in your systems, he added.
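The cookie theft Forrester describes, as an added example that is not part of the article: a page that reflects a search query unescaped, the same page with output encoding, and an HttpOnly session cookie so that script running in the page cannot read the token. Function names and the probe string are constructed for illustration.

```javascript
// Added example, not from the article or Forrester. Names such as
// renderSearchPage and sessionCookieHeader are hypothetical.

// Vulnerable: the query is concatenated straight into the HTML, so a crafted
// query becomes script that runs in the browser of anyone who opens the link.
function renderSearchPageUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Fix 1: encode the characters that let text break out of an HTML text node
// or quoted attribute before interpolating untrusted input.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchPage(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Fix 2 (defence in depth): mark the session cookie HttpOnly so that even if
// script does run in the page, document.cookie will not expose the token the
// article says attackers use to hijack the session. Secure and SameSite limit
// where the browser will send it.
function sessionCookieHeader(token, { maxAgeSeconds = 3600 } = {}) {
  // Reject anything that could smuggle extra attributes into the header.
  if (!/^[A-Za-z0-9_-]+$/.test(token)) {
    throw new Error('session token must be URL-safe');
  }
  return [
    `session=${token}`,
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Self-check used below: does the rendered page contain an executable tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input modelled on a reflected XSS probe; harmless here
// because nothing in this file renders it in a browser.
const probe = '<script>alert(document.cookie)</script>';

console.log('unsafe page executes script:', containsScriptTag(renderSearchPageUnsafe(probe))); // true
console.log('escaped page executes script:', containsScriptTag(renderSearchPage(probe)));      // false
console.log('Set-Cookie:', sessionCookieHeader('abc123'));
```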

5. Mobile malware

Mobile devices are increasingly a top attack target -- a trend rooted in poor vulnerability management, according to Forrester. But the analyst firm said many organizations that try to deploy mobile device management (MDM) solutions find that privacy concerns limit adoption.

The biggest pain point in this space is the Android installed base, Zelonis said. "The Google developer site shows that the vast majority of Android devices in the world are running pretty old versions of Android," he said. "And when you look at the motivations of a lot of IoT device manufacturers, it's challenging to get them to continue to support devices and get timely patches, because then you're getting back to mobile issues."

Organizations should ensure employee access to an anti-malware solution, Forrester recommended. Even if it's not managed by the organization, this will alleviate some security concerns.


British Airways Fined £183 Million Under GDPR Over 2018 Data Breach


Britain's Information Commissioner's Office (ICO) today hit British Airways with a record fine of £183 million for failing to protect the personal information of around half a million of its customers during last year's security breach.

British Airways, which describes itself as "The World's Favorite Airline," disclosed a breach last year that exposed personal details and credit-card numbers of up to 380,000 customers and lasted for more than two weeks. At the time, the company confirmed that customers who booked flights on its official website (ba.com) and British Airways mobile app between August 21 and September 5 had had their details stolen by attackers.

The cyberattack was later attributed to the infamous Magecart threat actor, one of the most notorious hacking groups specialized in stealing credit card details from poorly secured websites, especially online eCommerce platforms. Magecart hackers have been known for using digital credit card skimmers, wherein they secretly insert a few lines of malicious code into the checkout page of a compromised website; the code captures customers' payment details and then sends them to a remote server.

Besides British Airways, Magecart groups have also been responsible for card breaches on sites belonging to high-profile companies like Ticketmaster and Newegg, as well as sites belonging to other small online merchants. In a statement released today, ICO said its extensive investigation found that a variety of information related to British Airways' customers was compromised by "poor security arrangements" at the company, including their names and addresses, log-ins, payment card data, and travel booking details.

"People's personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience," Information Commissioner Elizabeth Denham said.

 

"That's why the law is clear – when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

However, ICO also said that British Airways has cooperated with its investigation and has made improvements to its security arrangements since last year's data breach came to light. Since the data breach happened after the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the fine of £183.39 million has been imposed on British Airways under GDPR; it is the equivalent of 1.5% of the company's worldwide turnover for its 2017 financial year, but is still less than the possible maximum of 4%.

In response to the ICO announcement, British Airways, owned by IAG, said the company was "surprised and disappointed" by the ICO penalty.

"British Airways responded quickly to a criminal act to steal customers' data," said British Airways chairman and chief executive Alex Cruz.

 

"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused."

The company has 28 days to appeal the penalty. Until now, the most significant penalty by the UK's data protection watchdog was £500,000, which was imposed on Facebook last year for allowing political consultancy firm Cambridge Analytica to improperly gather and misuse the data of 87 million users. The same penalty of £500,000 was also imposed on credit reporting agency Equifax last year for its massive 2017 data breach, which exposed the personal and financial information of hundreds of millions of its customers. Since both the Facebook and Equifax incidents occurred before GDPR took effect, £500,000 was the maximum penalty ICO could impose under the UK's old Data Protection Act.

Resource: https://thehackernews.com/2019/07/british-airways-breach-gdpr-fine.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&_m=3n.009a.2023.rg0ao0cg4y.197q&m=1#email-outer


US Cyber Command issues alert about hackers exploiting Outlook vulnerability

US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks.

The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday.

The Outlook bug, discovered and detailed by security researchers from SensePost, allows a threat actor to escape from the Outlook sandbox and run malicious code on the underlying operating system.

OUTLOOK VULNERABILITY PREVIOUSLY USED BY IRANIAN HACKERS

The bug was privately reported by SensePost researchers in the fall of 2017, but by 2018, it had been weaponized by an Iranian state-sponsored hacking group known as APT33 (or Elfin), primarily known for developing the Shamoon disk-wiping malware.

At the time, in late December 2018, APT33 hackers were deploying backdoors on web servers, which they later used to push the CVE-2017-11774 exploit to users' inboxes so they could infect their systems with malware.

"Once the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver [CVE-2017-11774] exploits through Exchange's legitimate features," FireEye's report on the APT33 campaign said.

The attacks leveraging the CVE-2017-11774 vulnerability came at the same time that reports surfaced about new sightings of the infamous Shamoon disk-wiping malware -- another hacking tool developed by the APT33 group.

No connection was ever proved at the time about links between FireEye's APT33 report and Shamoon deployments.

However, Chronicle Security researcher Brandon Levene has told ZDNet in an email today that the malware samples uploaded by US Cyber Command appear to be related to Shamoon activity, which took place around January of 2017.

Three of the five malware samples are tools used for the manipulation of exploited web servers, Levene said, while the other two are downloaders which utilized PowerShell to load the PUPY RAT -- most likely on infected systems.

Levene told ZDNet that if the observation of CVE-2017-11774 together with these malware samples holds true, this sheds some light on how the APT33/Shamoon attackers were able to compromise their targets.

When Shamoon attacks happened in the past, Levene said that it had been highly speculated that spear-phishing was involved, but not a lot of information around the initial infection vectors was published other than the FireEye report, which speculated on the infection vectors, rather than provide indisputable evidence.

INCREASED IRANIAN HACKING ACTIVITY

US Cyber Command's Twitter account doesn't issue alerts about financially-motivated hacker crews targeting the US, and is focused on nation-state adversaries only. All in all, the malware samples shared by US Cyber Command today link the new attacks the agency is seeing to old APT33 malware samples -- most likely deployed in new attacks against US entities.

While US Cyber Command has not named APT33, Levene has, as have Palo Alto Networks (on Twitter) and FireEye (on Twitter and in private conversations with ZDNet).

The US Cyber Command tweet also comes after Symantec warned about increased activity from APT33 back in March.

Furthermore, two weeks ago, CISA, the Department of Homeland Security's cyber-security agency, also issued a similar warning about increased activity from Iranian threat actors, and especially about the usage of disk-wiping malware such as Shamoon, APT33's primary cyber-weapon.

Besides analyzing malware that hits the US government network, the US Cyber Command is also in charge of offensive cyber operations. Two weeks ago, the DOD agency launched a cyber-attack aimed at Iran's rocket and missile system after the Iranian military shot down an expensive US surveillance drone. With Iranian hackers targeting government networks and the US hitting back, you could say the two countries are in the midst of a very silent and very unofficial cyberwar.

And as a side note, Levene has also pointed out that this is the first time that US Cyber Command has shared non-Russian malware via its Twitter account. The agency started publishing malware samples on VirusTotal and issuing Twitter alerts last fall, deeming it a faster way of spreading security alerts about ongoing cyber-attacks and putting the US private sector on notice.

Resource: https://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/


Get Ready For A Ransomware Tsunami

OK, maybe you can’t say the two cities in Florida hit with ransomware a few weeks ago dodged a bullet, but at least they dodged the digital equivalent of a cruise missile … right?

Riviera Beach and Lake City both paid the ransom. For Lake City, which lost access to its phone and email systems for a couple of weeks, it was 42 bitcoin, worth $573,000 according to one report and $460,000 according to another. Riviera Beach paid 65 bitcoin, worth $897,650, after three weeks of no access to its computer systems.

Yes, that’s a lot of money. Yes, they took a bullet. But hey, it’s not even close to the estimated $17 million Atlanta is spending to recover from a ransomware attack in March 2018. Or the something north of $18 million it will cost Baltimore to do the same after an attack this past May.

Those Florida city officials can declare, accurately, that they’ve saved their taxpayers a bundle, even if it did mean rolling over for common criminals who likely will never be caught, prosecuted or even identified.

But that gain may be short-lived. They may be setting themselves and other municipalities up for a ransomware tsunami. As any economist will tell you, people respond to incentives. In this case, a thief or band of thieves raked in a payday from one digital holdup that’s enough to put at least one of them into the 1 percent income bracket without even breaking a sweat.

And, of course, the value of those ransom payments wasn’t eroded by any deductions—taxes, Medicare, Social Security. The gross was the net.

That’s the kind of thing other common criminals notice. Hit a local government with ransomware and your chances are pretty good that they’ll fork over $500,000 or more so they can get back in business as quickly as possible.

Graham Cluley, independent blogger and cohost of the Smashing Security podcast, made that point in a recent post carried on Tripwire. “Every time an organization gives in to a ransomware demand, and cybercriminals learn that it is easy to earn such lucrative profits, hackers invest more effort into future attacks,” he wrote.

Indeed, about a week after word of the Lake City and Riviera Beach payments, a third Florida city, Key Biscayne, reported it had been hit as well, by malware called Ryuk, the same one used to attack Lake City. Ryuk is the third piece of the so-called “Triple Threat” attack. The other two are called Emotet and Trickbot.

And this week, officials with the Georgia courts acknowledged that a portion of its digital information systems had been taken down by ransomware. At the time, there was no information on how much the attackers demanded.

Only option still a bad one

Obviously, those officials thought they were doing what was in the best interest of their constituents. And law enforcement officials and security experts acknowledge that there are times when the only option is to pay the ransom.

As Bob Maley, CSO at NormShield and former CISO for the state of Pennsylvania, put it, if a victim organization has no recovery plan or any idea of what the impact of losing everything that has been encrypted would be, “then the decision becomes one of desperation.”

And the cost to cities like Baltimore and Atlanta for refusing to pay can make that desperation much greater.

“We have seen municipalities across the country attempt to hold off paying ransoms only to suffer incredibly, ultimately end up paying after serious disruption of services, or pay an exorbitant amount of money to avoid paying,” said Kiersten Todt, managing director of the Cyber Readiness Institute.

“That's especially true if human life is at risk from impaired emergency response,” added Phil Reitinger, president and CEO of the Global Cyber Alliance (GCA). “I will throw no stones at a city CISO or mayor who finds that paying thousands in ransom is acceptable rather than suffering millions in recovery expenses, especially given the other significant nonmonetary costs from a paralyzed city.”

But all that still doesn’t make it a good option—for the victim or other potential victims.

For starters, those same attackers could hit the same cities again. Tim Mackey, technical evangelist at Synopsys, noted that ransomware victims are dealing with people they don’t know and will probably never see.

“Payment of a ransom is a trust issue,” he said. “Do you effectively trust that the data will be recoverable following payment? While it’s in the best interests of the attacker to release encrypted files following payment, receipt of encryption keys isn’t the end of it.

“For example, can you ensure the data weren’t corrupted or tampered with? Are you confident the attackers didn’t make copies? Have you taken steps to ensure the attacker doesn’t simply attack you again and demand further payment? In reality, the actual ransom payment may be the least of the incident response costs,” he said.

Change the incentives

A vastly better—and what would seem to be obvious—option would be to make those attacks much more difficult. Create negative incentives. Make it hard for cyber criminals. Yes, doing that will cost money and time, but vastly less than what it costs to pay a ransom or recover from an attack.

As Morgan Wright, a former senior advisor in the U.S. State Department Antiterrorism Assistance Program, sardonically put it in a post on The Hill after the Atlanta attack (http://thehill.com/opinion/cybersecurity/381594-a-ransomware-attack-brought-atlanta-to-its-knees-and-no-one-seems-to), “There’s never enough time and money to do it right. But when government screws up, there’s always time and taxpayer money to do it over, usually at a much higher cost.”

So, how to avoid screwing up? There is no way to be perfect, but there are multiple ways to get much closer.

The most obvious is to do regular backups that are not connected to the network. A backup that is accessible through a breach is, obviously, worthless. But if it’s held separately and survives, an organization can rebuild its system quickly at minimal expense, without paying the ransom.

Then there is making sure your employees are an asset, not a risk factor. The attacks on all three Florida cities were enabled by an employee clicking on an attachment in a phishing email. Which sends a clear message—employees need effective security awareness training.

Most employees, except for a rogue here and there, want to protect the organization’s assets. They just need to be taught how to spot suspicious communications—to develop a healthy paranoia. There are multiple organizations that offer credible programs in that.

“Approximately 91% of all attacks on enterprises are caused by phishing,” Todt said. “There are online phishing training courses that municipalities could offer, which could be a reasonably low-cost way to help inform municipal employees of the cyber risks to which they are exposed.”

Besides training, Mackey said another personnel basic is to apply the “principle of least privilege” to employees throughout an organization. That means “limiting the level of trust a given employee has at any point in time to only the level of access required to perform specific tasks.”

Be prepared

Beyond training and policy, organizations should harden the security of their assets.

One fundamental is to keep strict track of the software components running applications, systems and networks, and keep them up to date. Failing to install an available patch for a known vulnerability is like leaving the door to a vault wide open.

Maley said organizations should “know the cyber hygiene of their IT ecosystems in the same way the attackers do, then fix the issues before the attacks happen.”

Other ways to be prepared for a ransomware attack, Mackey said, include “having properly patched virtual machine templates, which can be used to restore entire systems using VDI (virtual desktop infrastructure)-style solutions or other remote-access solutions to ensure that sensitive data isn’t accessible from machines easily infected through phishing attacks or drive-by web ads.”

Reitinger said better security hygiene should include “powerful techniques like using a protective DNS (domain name system) service like Quad9. They make a successful attack far less likely, so there is a significant return on investment.”

Of course, while those measures are excellent investments, municipalities do need money to make them, and few have it, according to Todt. “There is not a municipality in the United States that is fully funded to defend its IT networks against cyberattacks,” she said, adding that she believes the feds should provide some of that funding.

“While we have become dependent on the internet for many government services, we have not provided our state and local governments with the capabilities to make these services resilient in the face of persistent cyberattacks,” she said.

“The federal government needs to establish an active coordination and remediation program that is supported by the Department of Homeland Security (DHS) and the National Security Agency (NSA) for municipalities.”

That money, she said, could help local and state governments “in the most important first steps toward cyber resiliency: map the networks they own, understand what is on them and provide assistance to better secure them.”

Yes, of course it could. But that money, while wished for, is not yet a reality. Nor is it likely to become a reality anytime soon. So, as Todt and other experts say, municipalities should set priorities and make trade-offs to get the most important things done.

Those priorities, she said, are raising awareness of the threat and building security and resiliency into the systems.

Because the ransomware threat is not going away. It is increasing.
