Info Security


#Infosec19: Shake Up Cybersecurity Training to Keep Ahead of Hackers

Tue, 06/04/2019 - 12:37

Cybersecurity training needs to evolve to allow organizations to keep up with today’s sophisticated threat actors, according to Max Vetter, CCO at Immersive Labs.

Vetter was talking at the Infosecurity Europe 2019 event at Kensington Olympia, London today (June 4). During the session, Vetter highlighted the need for innovation in order to match the tools and techniques used by cyber-criminals.

“Attackers’ ability to innovate means they have first mover advantage. If the criminals didn’t innovate, we would have already won,” he told the audience at the conference’s Strategy Talks theatre.

This creates a need to cultivate the right skills, according to Vetter: “How can we teach people to make sure they can keep ahead of the hackers, legally, while being able to innovate as well?”

Vetter thinks the only way to cultivate the level of talent needed to keep up with cyber-criminals is a shake-up of the way cybersecurity training is done. He points out that current methods often fail because they are “out of date, expensive and trainer dependent” with a “rigid learning style”.

“Certifications are the only way we can do it at the moment, but this method is not great,” Vetter said.

According to Vetter, businesses often make the error of focusing on Red Teams to test systems’ resilience. However, Blue Teams to defend an organization are just as important, he told the audience.

By shaking up the way security professionals are trained, using the industry-standard MITRE ATT&CK framework, Vetter thinks organizations can ensure they are one step ahead of attackers.

Specifically, Vetter advocates intelligence-led training to give young hackers the skills to do their job. He advocates being “hands-on, flexible and outcome focused” and to “measure skills and success”.

“We are losing,” says Vetter. “We need to do better at developing people with these skills rather than sending them to jail.”

Categories: Cyber Risk News

#Infosec19: Physical Intrusions Too Often Go Unchallenged

Tue, 06/04/2019 - 12:06

Security awareness techniques rarely work, as too few employees spot or report intrusions.

Speaking at the opening of the Geek Street stage at Infosecurity Europe 2019, Holly Grace, technical director at Secarma, said that too much security awareness training is taught from a negative approach, and this doesn’t work.

Pointing to the common “tailgating” tactic used by intruders, Grace said that when doing a physical security test she had rarely been challenged as a tailgater; in one instance she was able to get through a door that had been propped open with a bunch of car keys. From there, she was able to reach an empty security desk and see the security guard’s open email and camera screens.

On physical security barriers, Grace said that the alarm on these is often so quiet that no one would notice it sounding. Another way to bypass barriers is to wait for a scheduled fire alarm, as the whole workplace leaves together and barriers are either bypassed or opened.

Turning to the “bystander effect,” Grace cited academic research on how people react in emergency and non-emergency situations. “In a group, 10% will do something about it; if they are on their own they are more likely to do something,” she said. “A stranger is less likely to react if they are surrounded by other people.”

Grace added that staff will not challenge strangers, and strangers “infrequently get challenged.” She said that in a test she will often go with another tester, and when she is challenged, the other person acts as a “plan B.”

“Also, you are less likely to be challenged with two people,” she said. “If staff do not have the courage to challenge them for ID, is there a way to report it? This is a problem with bystander effect.”

In closing, Grace also mentioned problems with phishing emails and bad password practice. For the former, she said that all too often people are caught out by phishing emails with simple spelling mistakes, and there is no way for employees to flag and report malicious attachments.

For passwords, Grace recommended using multi-factor authentication or password managers, but asked how many businesses actually provide a password manager for staff to use.

Concluding, Grace said that there is a disconnect between what pen testers and cyber-criminals can do, and what staff can report, and “diffused responsibility lowers the chance of a challenge.”

Categories: Cyber Risk News

LORCA Announces Additions to Cybersecurity Program

Mon, 06/03/2019 - 18:38

The London Office for Rapid Cybersecurity Advancement (LORCA) announced its third round of cybersecurity companies that will be joining its program to address the market need of industry today. The 15 "scaleups" responded to an open call and were invited to pitch their solutions to address the focus areas identified by the association: security by design, basics and beyond. 

According to LORCA, this round of companies is the most "international yet," with companies from Italy, Spain and South Korea entering the program. Margot James, Minister for Digital, said, “Ahead of London Tech Week, it’s great to see that LORCA is now welcoming international companies to the capital, making this a truly global effort to ensure we have a Britain that’s fit for the future.”

The 15 companies will take part in a bespoke program designed around each of their needs, which will be delivered by Plexal's innovation team, the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast, and Deloitte’s cyber team.

Saj Huq, program director of LORCA, commented on the announcement: “We’re delighted with the caliber of the new additions to our program, with the latest cohort representing a host of new and exciting cyber solutions which we’ll be able to scale and help bring to market.

"We’re particularly pleased with the international flavor which the latest group of scaleups brings to LORCA, fortifying our position as a global cyber hub and the UK’s foremost destination for the most advanced technological solutions.”

Companies selected for the program are: 

  1. CounterCraft: Its Cyber Deception Platform detects, investigates and controls targeted attacks to help enterprises understand why cyber-attackers are targeting them and defend their most business-critical assets.
  2. CTO Technologies: The company’s CyberCentral platform enables the public and private sectors to better manage their security risks by automating manual processes – and alleviating the strain on IT teams.
  3. D-RisQ: The company develops and uses automatic, high-integrity software verification tools that are focused on embedded systems and cybersecurity. The tools have been used in a range of sectors, including autonomous vehicles, aerospace and maritime.
  4. Elemendar: Its AI analyst for cyber-threat intelligence (CTI) tells cyber-defense tools what threats to defend against.
  5. Hack The Box: The online platform provides labs and challenges for cybersecurity training, allowing members to exchange ideas and methodologies. 
  6. HumanFirewall: The company gamifies learning through training and phishing simulations, builds individual risk-profiles, rewards real-time reporting and remediates incidents instantly.
  7. Messagenius: The company's enterprise messaging tool for secure, smart and integrated communications among colleagues looks and works just like the company’s everyday messenger while protecting sensitive information.
  8. Panaseer: Its controls monitoring platform gives CISOs visibility of all assets and the confidence that security controls are working effectively.
  9. Quant Network: Its Overledger, the world’s first blockchain operating system, is considered to be leading the way for innovation and blockchain adoption.
  10. SaltDNA: Its product provides secure voice, messaging, conference calling, broadcasting and image or file transfers for busy executives.
  11. Security Alliance: Its cyber-threat intelligence platform, ThreatMatch, helps security analysts, operations teams and security managers focus on cyber-threats that will have the biggest impact on the organization.
  12. Storage Made Easy: Its multi-cloud software product, Enterprise File Fabric, provides a security and governance blanket for siloed company data.
  13. swIDch: Its patented algorithm enables payments companies to generate Dynamic PANs in a networkless environment without the need for any additional infrastructure.
  14. Threat Status: Its Trillion service collects, analyses and provides alerts on the billions of breached credentials from the deep web, closed forums, paste sites and the dark web, looking for the ones that belong to its clients.
  15. Uleska: This scalable platform provides continuous software security testing within DevOps software or IT projects, automating business-risk reporting and communicating the value of the security strategy without the need for more personnel.

Louise Cushnahan, head of innovation at CSIT, said: “Having 15 companies join this cohort highlights the breadth of innovative and emerging cybersecurity focused activity within the UK ecosystem.”

Categories: Cyber Risk News

AI Is "Fundamental" to Future of SME Cybersecurity

Mon, 06/03/2019 - 18:16

Research shows that small and medium enterprises (SMEs), while confident that artificial intelligence (AI) will be vital to the future of cybersecurity, do not feel certain about whether their investment in cybersecurity is worth the cost.

The report by AI cybersecurity company Senseon, The State of Cybersecurity, found that 81% of SMEs believe that AI will be able to improve the security posture of their organizations. A further 76% believe the technology will improve their day-to-day working lives.

Even though SMEs believe AI will positively affect their business, uptake of AI solutions within SMEs has been slow, with a 4% adoption rate. According to the report, aside from the cost (52%), results show that marketing hype is a barrier to adoption of AI (24%) and a lack of knowledge of AI (36%).

The report also looked at other barriers to implementing cybersecurity, finding that over half (53%) of SMEs feel an increased budget would help them deal with their cybersecurity workload. Further, security professionals are uncertain whether they will see a return on investment on their current solutions; 49% believe the business will see an overall net loss due to cybersecurity investment.

David Atkinson, CEO and founder of Senseon, commented, “Issues within SMEs surrounding security are centered around stringent budgets, and frantic adoption of more and more tools is likely resulting in needless costs for the businesses." 

"No matter what the maturity of a business or indeed the maturity of its security stack, it is vital that C-suite, IT and security teams rationalize their existing technologies and look to prove a strong return on investment, as well as protecting the business," he continued. "Ultimately, the cost of AI solutions is countered by its ability to automate the detection of threats and to augment the role of security analysts, which saves security teams valuable time by separating the signal from the noise and flagging the genuinely malicious threats.”

The report also shows that 69% of SMEs are looking to implement AI security solutions in the next five years and 44% are planning to invest in AI or machine learning defense in the immediate future. 

Categories: Cyber Risk News

Sophos Acquires Rook Security to Bolster MDR Services

Mon, 06/03/2019 - 17:48

British cybersecurity company Sophos has acquired Rook Security, a provider of managed detection and response (MDR) services. The privately owned Rook provides a team of cyber-threat hunters and incident response experts who "monitor, hunt for, analyze and respond to security incidents" for businesses. 

Combining Rook's services with its recently acquired DarkBytes technology platform, Sophos is planning to create re-sellable MDR services for approximately 47,000 channel partners worldwide. In addition, Rook's team of security investigators will be able to use Sophos' security technology and products for the company's customers.

“Cyber-criminals are relentlessly trying to exploit organizations with techniques ranging from tried-and-true phishing emails to the more recent trend of ‘hacker pen-testing’ to find weaknesses in their surface area. As a result, businesses need 24-hour, seven-days-a-week monitoring and management of what is happening on their network, yet many of them do not have the expertise, can’t keep up or don’t have the security teams in house to optimally configure and manage security around the clock,” says Joe Levy, chief technology officer at Sophos. “With MDR, Sophos’ channel partners will be able to provide businesses of all sizes with expert services that continuously detect, hunt for and respond to security incidents.”

J.J. Thompson, founder and CEO of Rook Security, says that the company is excited by the acquisition: "Together, we can implement faster and more effective threat detection and response capabilities to better protect businesses." 

According to a press release, Sophos is releasing no further details at this time.

Sophos has been splashing the cash in 2019 with the additional acquisition of Avid Secure earlier on in the year. The purchases were for MDR services and cloud infrastructure, bolstering the company's offering. 

Categories: Cyber Risk News

Over Half of UK Firms Failing on Privacy Compliance

Mon, 06/03/2019 - 10:30

UK firms are struggling with a complex patchwork of privacy regulations, with more than half now believing they’re failing with compliance efforts, according to new research from Thomson Reuters.

The news wire surveyed data privacy professionals at global organizations with an average of 16,000 employees before and after the GDPR came into force, to compile its latest report.

It found that UK businesses either have greater insight into their capabilities, or are genuinely falling behind their global counterparts when it comes to compliance.

Some 57% said they believe their business is failing to meet global compliance requirements, up from 44% in 2017. This compares with a global average of 48%, which falls further to 42% for US firms and just 31% in France.

UK companies are spending on average £840,000 annually to comply with global regulations, including the GDPR.

The new powers granted to regulators of monetary fines up to €20m or 4% of global annual turnover will be at the forefront of directors’ minds, according to Jim Leason, customer proposition lead for Legal Professionals Europe at Thomson Reuters.

“Many businesses are getting less comfortable over their GDPR compliance. More businesses now than a year ago believe they are failing to comply with all of their global data privacy-related obligations. Obviously, the comfort level businesses have with compliance is heading in the wrong direction,” he argued.

“What also seems to be coming through from our research is a sense that businesses feel legislators and regulators didn’t anticipate the major workload that GDPR entails.”

UK regulator the Information Commissioner’s Office (ICO) said it has received over 14,000 breach reports since the GDPR came into force, four times more than in the previous 12-month period.

Although it has consistently argued that GDPR compliance is an ongoing journey, and that it prefers to educate rather than penalize, major fines could be announced soon as the results of several investigations are published.

Categories: Cyber Risk News

Confusion Reigns as C-Suite Bemoans Lack of Security Resources

Mon, 06/03/2019 - 09:05

Most C-level executives believe their organization is more exposed to potential security breaches because it lacks crucial technical, financial or human resources, according to new research from Nominet.

The .uk registry, which also offers DNS security services, polled 400 C-level executives in the UK and US to reveal boardroom attitudes to security risk.

Although most (76%) now understand that a breach is inevitable, 90% believe they’re missing something that would help mitigate cyber threats. These include advanced technology (59%), budget (44%) and staff (41%).

Another challenge highlighted by respondents was senior management being reluctant to accept advice (46%).

In fact, knowledge and responsibility gaps at the top could be severely hampering organizations’ ability to respond to such threats. There’s confusion over who is responsible for breach response, with over a third of respondents (35%) claiming it’s the CEO, while 32% pointed to the CISO. The vast majority of respondents (71%) also admitted to having gaps in their knowledge, especially about malware (78%).

There’s also confusion over breach reporting. Although 70% said incidents are initially reported to the security team, 61% do so to the executive team and 40% to the board. A third of CEOs even claim they would fire any employee responsible for a breach, despite the admission that such incidents are inevitable.

Only half of CISOs feel valued by the board in terms of brand and revenue protection, with 18% believing the board thinks they’re an inconvenience. However, over half (52%) of directors said their CISO is a “must have.”

This confusion could be responsible for the moderate to high stress levels that most (91%) CISOs experience, damaging the mental health of over a quarter (27%), according to separate findings from the same research released by Nominet in February.

“This research is very much a case of ‘the good, the bad, and the ugly.’ It’s good to see that business leaders are aligned on the fact that cyber-attacks are pretty much an inevitable part of working life. Acceptance is the first step to protection. There’s also a dedication to keeping customer and client data safe,” argued Nominet CEO, Russell Haworth.

“But the bad comes with the power struggle at the top, with confusion over who should actually take responsibility in case of a data breach or cyber-attack, which is detrimental to the safety and security of the business. And the ugly is how CISOs feel within their organization.”

Categories: Cyber Risk News

IEEE Lifts Restriction on Huawei Employees

Mon, 06/03/2019 - 08:36

The Institute of Electrical and Electronics Engineers (IEEE) has lifted a restriction on Huawei, meaning the firm’s employees can participate once again in reviewing and editing research papers.

The international technical organization had instituted the ban after the US Department of Commerce placed the Chinese giant and its affiliates on an Entity List.

This led to a furious response from the Middle Kingdom, where the China Computer Federation (CCF) said it would suspend all its interactions with the IEEE.

However, after seeking clarification from Washington, the crisis appears to have been averted, for now.

“Our initial, more restrictive approach was motivated solely by our desire to protect our volunteers and our members from legal risk. With the clarification received, this risk has been addressed,” the IEEE said in a statement.

“We appreciate the many questions and comments from our members and volunteers around the world and thank them for their patience as we worked through a legally complex situation. IEEE recognizes that science and technology are a global activity. We are proud of the work our members do around the world and we are dedicated to advancing technological excellence for the benefit of humanity.”

However, it’s not clear whether the lifting of the restriction will only last the duration of the 90-day temporary license recently issued to Huawei, which will allow US firms to continue to sell to the telecoms giant.

Widely reported as a climb-down by Washington, the 90-day license could be viewed more accurately as a provision to give US firms more buffer time to adjust to the shock of losing one of their biggest tech clients.

The shutting out of Huawei employees from international associations like IEEE is a portent of things to come if the world’s two superpowers can’t find a way around the current stand-off.

Categories: Cyber Risk News

Chinese Dating Apps Leak US User Data

Fri, 05/31/2019 - 18:20

An unsecured Elastic database associated with dating apps has been discovered by a security researcher, exposing easily identifiable data. Jeremiah Fowler, who has been working in the security software industry for over 10 years, found the database that held information about US dating app customers, including their sexual preferences, lifestyle choices, and whether they were unfaithful to their partners. Fowler wrote on Security Discovery, "it is easy for anyone to identify a large number of users with relative accuracy based on their 'User ID.'"

According to Fowler, the IP address for the database was located on a US server, with the majority of users appearing to be Americans. Even though the data was hosted by "multiple dating applications," upon further investigation he found them to be developed by separate companies or individuals.

He was able to identify the users' real identities online, as the dating applications logged and stored the user’s IP address, age, location, and user names. "Like most people, your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint," wrote Fowler. 

He attempted to contact the email addresses associated with the applications and identify the address and phone number using the Whois domain registration. "The address that was listed there was Line 1, Lanzhou and when trying to validate the address I discovered that Line 1 is a Metro station and is a subway line in Lanzhou," he explained on his blog. "The phone number is basically all 9’s and when I called there was a message that the phone was powered off.

"I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions. Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else."

Terry Ray, senior vice president and Imperva Fellow, told Infosecurity that he agrees with Fowler's sentiments: "There are several strange things about this leaky database, especially the fact that the applications appear to target English speakers yet have, at least in one app, a business location in China, as well as having all owner or admin contact falsified or unavailable. It makes you wonder who is storing this data from these particular dating apps and what the underlying purpose is.

"Furthermore, why are multiple dating apps storing their data in the same place, yet little or no connection between the apps, their product names or their business contacts?"

At the time of writing his blog, Fowler disclosed that the database was still "publicly accessible" and despite a large number of users, there was no personally identifiable information. He had not received responses to his emails. "What concerns me most is that the virtually anonymous app developers could have full access to user’s phones, data, and other potentially sensitive information," he wrote. "It is up to users to educate themselves about sharing their data and understand who they are giving that data to. This is another wake-up call for anyone who shares their private information in exchange for some kind of service."

According to Verizon, 22% of data breaches in 2017 involved the use of stolen credentials, with 36% of compromised data being personal information such as name, birthday and gender.

"Although the article notes that this database wasn’t storing personally identifiable information, the writer was, in fact, able to ‘identify’ some of the ‘persons’ with the credentials found. This highlights the importance that if you are storing user data, you are responsible for ensuring that data is protected," Ray told Infosecurity. "Further, if you’re an app user and want to remain anonymous, make sure you use different usernames and passwords as much as possible."

Categories: Cyber Risk News

Checkers and Rally's Victims of Data Breach

Fri, 05/31/2019 - 17:43

On Wednesday, Checkers Drive-In Restaurants alerted customers that it had been dealing with a data security issue involving "malware at certain locations."

On its website, the restaurant group announced that after discovering the issue, it "engaged leading data security experts to conduct an extensive investigation." Federal law enforcement authorities have also been informed in order to address the matter, with all parties working to contain and remove the malware.

"After becoming aware of a potential issue, we retained data security experts to understand its nature and scope," Checkers wrote on its website. "Based on the investigation, we determined that malware was installed on certain point-of-sale systems at some Checkers and Rally’s locations, which appears to have enabled an unauthorized party to obtain the payment card data of some guests." According to the website, not all locations were affected by this issue.

The malware was reportedly designed to "collect information stored on the magnetic stripe of payment cards." This included cardholder name, payment card number, card verification code and expiration date. Checkers has launched an investigation and is working with payment card companies to protect cardholders. 

The restaurant group has recommended that card users "remain vigilant" and review account statements. "If you believe there is an unauthorized charge on your card, please contact your financial institution or card issuer immediately," the website states. 

Other recommendations include ordering a credit report: "When you receive your credit report, review it carefully," the website continues. "Look for accounts you did not open, for names of creditors from whom you haven’t requested credit." 

The law firm of Federman & Sherwood has initiated an investigation into the data breach.

Categories: Cyber Risk News

TA505 Suspected in Chilean Financial Institutions Malware Attacks

Fri, 05/31/2019 - 17:23

Investigators from CyberInt Research have identified further activities by the suspected Russian-speaking cyber-gang TA505, targeting financial institutions in Chile. The cyber-gang is continuing its "unauthorized and nefarious use of the same TTPs of legit software, this time leveraging MSI Installer to deploy the AMADAY malware family," according to the company.

The AMADAY implant allows cyber-criminals to steal financial institutions’ and retailers’ clients’ email correspondence and sensitive information. This further enables them to steal contact lists, allowing them to target additional organizations by sending seemingly legitimate malicious emails that appear to come from trusted sources.

TA505 has been active since 2014, with high-volume malicious email campaigns distributing the Dridex and Shifu banking Trojans, as well as the Neutrino botnet/exploit kit and Locky ransomware. The group appeared again as the source of recent attacks against the global financial and retail industry from December 2018 to the present, with attacks worldwide, including in India, Italy, Malawi, Pakistan, South Korea and the United States.

“TA505 is highly motivated, very clever, and persistent,” says Adi Peretz, head of research at CyberInt. “It’s critical to monitor their activities to anticipate further attacks. Once the pattern of attacks in Chile was identified, other financial institutions can beef up their security, so they don’t end up being breached."

“Social engineering works because it recruits the weakest link in any cybersecurity operation – we humans,” continues Peretz. “The more prepared companies are, the better they can train their people to maintain security.”

In April 2019, Infosecurity Magazine reported that TA505 was using a TektonIT remote administration tool to target financial and retail institutions. CyberInt found that the tool was "virtually undetectable" by threat protection systems due to it being "legitimate software." 

"Tried and tested attack patterns appear to be consistent across these recently observed campaigns and commence with the delivery of phishing emails that have lure document attachments," according to a CyberInt report. "Utilising legitimate logos, language and terminology consistent with common business interactions or the target organization, the email encourages the potential victim to open the lure document attachment which in turn instructs them to disable security controls within Microsoft Office to allow a nefarious macro to be executed."

Categories: Cyber Risk News

Cybersecurity Jobs Added to Government's Shortage Occupation List

Fri, 05/31/2019 - 13:00

Cybersecurity engineers and analysts have been identified as being on the Shortage Occupation List (SOL), in the first full review of officially recognized careers where the shortages “are most severe and where the consequences of those shortages are most serious” since February 2013.

According to the UK Government’s Migration Advisory Committee (MAC), “job shortages in roles such as cybersecurity analysts/engineers and IT network engineers” are now recognized, while the “occupation as a whole ranked highly in our shortage indicators and had an above average vacancy rate.”

In the previous partial update, published in 2015, the job “cybersecurity specialist” was added under the section “information technology and communications professionals not elsewhere classified.” Then, the shortage related to “a person with a minimum of five years’ relevant experience and demonstrable experience of having led a team.”

Since the 2015 partial update, while the need for more skilled cybersecurity professionals remains in this list, it now states “there will be no minimum experience requirement as applying an experience caveat could hinder the development of cybersecurity at all levels.”

This change in requirement follows criticism of hiring practices, where a demand for five to 10 years’ experience is common and cited as a deterrent to new applicants.

In an email to Infosecurity, Ed Williams, director EMEA of SpiderLabs at Trustwave, said: “The security industry is to blame to some degree, there is very much a gatekeeper philosophy, which is starting to be broken down, but not nearly quick enough from my perspective. This industry is so fast paced and exciting, we should be pulling in the brightest and best - these don’t have to come from Computer Science backgrounds.”

The MAC described the impact of the skills shortage on cybersecurity development, saying that there have been reported delays to “software improvements and features as they do not have the labor or expertise to fulfil demand” and this has led to “an increasing reliance on workers from outside the UK and there is a growing concern surrounding the future skills base for roles within new technical areas.”

The MAC cited “several sources amongst Government and the private sector” who agreed that there is a shortage of digital skills within the UK, evidenced by consistent vacancies in digital occupations, growth in demand for digital skills, and documented deficiencies across the population in terms of digital skill. The MAC also acknowledged that “there is not enough domestic supply of sufficiently skilled labor to fill this demand.”

According to Deloitte’s Digital Disruption Index for 2019, only 18% of respondents believe that UK school leavers and graduates have the right digital skills, while only 25% of digital leaders in the UK believe their workforce has sufficient knowledge and expertise to execute their digital strategy.

In the section 'Digital and IT Occupations,' careers as IT specialist managers, IT project and programme managers, IT business analysts, architects and systems designers, programmers and software development professionals, web design and development professionals and information technology and telecommunications professionals were listed as being in shortage. Cybersecurity careers appeared under section SOC 2139 - information technology and telecommunications professionals. 

The MAC said that “short-term mitigations have helped to fill shortages to some extent, but this has had limited impact as the skills required simply are not available.”

As well as short-term mitigations, the MAC said that long-term strategies also have their limitations; as up-skilling staff “is constrained by the lack of expertise in newer areas such as cybersecurity and secondly, these strategies are yet to mature, and so the scale of their impacts cannot truly be assessed until the future.”

As part of the UK’s Digital Strategy, it stated that “there will be even greater demand for people with specialist digital skills” as the digital economy grows. 

“As we leave the European Union, it will be even more important to ensure that we continue to develop our home-grown talent, up-skill our workforce and develop the specialist digital skills needed to maintain our world leading digital sector,” then Secretary of State for Culture, Media and Sport Karen Bradley MP stated.

She acknowledged then that “a strong pipeline of specialist skills - from coding to cyber” was needed, and initiatives such as the NCSC’s CyberFirst programme have since been building that pipeline. However, a more immediate solution is needed until the next generation begins work.

To be placed on the SOL, a job must meet three requirements:

  • Skilled (are the jobs skilled to the required level?)
  • Shortage (is the job in shortage?)
  • Sensible (is it sensible to try to fill those shortages through migration?)

According to the Migration Advisory Committee, being on the SOL conveys certain advantages:

  • Not having to conduct a Resident Labour Market Test (RLMT)
  • Exemption from the £35,000 minimum income threshold for settlement
  • Priority in the event that the cap binds

The latest Cybersecurity Workforce Study from (ISC)2 put the global workforce “gap” at 2.9 million, with the APAC region suffering the biggest shortfall (2.14 million), followed by North America (498,000), EMEA (142,000) and Latin America (136,000).

Categories: Cyber Risk News

Drone Use on the Rise, Public Safety at Risk

Fri, 05/31/2019 - 11:40
Drone Use on the Rise, Public Safety at Risk

Cybersecurity research firm IOActive has issued a stark warning about the potential, unseen risks surrounding the commercialization of drones – calling for manufacturers to take action.

In July 2018, analysts at Technavio predicted that the commercial drone market would grow by 36% (generating $11.61bn) between 2018 and 2022, but with that growth, IOActive has raised concerns about a range of new risks that could follow.

IOActive claimed that if the commercial market for drones is left unchecked, then we could start to see drones being weaponized, presenting potential hazards and threatening the safety of the public.

As drones become more commercially accessible and their functionality improves, they will also become more affordable; what so often fails to keep pace when new technology grows in popularity is the built-in security that protects it from malicious interference.

IOActive pointed to some key drone security risks that could arise as a result, including how malicious actors could program drones to fly to specific GPS coordinates to launch cyber-attacks on Wi-Fi networks (or other types of wireless networks), or even perform man-in-the-middle attacks and disseminate malware.

What’s more, there is also the real risk of disruption – seen recently in the chaos caused by drone sightings at Gatwick airport – and of injury, with the potential for hacked drones to be used to ‘dive-bomb’ pedestrians or to disrupt traffic intersections, IOActive explained. Then there are the privacy issues, IOActive added, highlighting that drones can take photos and record audio and video in otherwise unreachable areas.

“With enough determination anything can be hacked, but the commercialization of the drone market is making it all too easy – and many of the consequences for security, safety and privacy have simply not been thought through,” said Cesar Cerrudo, CTO at IOActive.

“The range of drones is of particular concern as it opens up new areas of vulnerability that many will not have considered.”

Cerrudo urged manufacturers to shoulder their share of the responsibility for the products they are bringing to market to ensure they are as secure as possible.

“The relative speed at which these devices are taking to the sky raises several issues. While the use of drones within the military has been common for many years, those drones have been rigorously tested and built with security in mind – commercial manufacturers do not have the same concerns, they are more focused on getting their product to market than ensuring cybersecurity. This attitude needs to change.”

Categories: Cyber Risk News

UK Universities Facing Daily State-Sponsored Attacks

Fri, 05/31/2019 - 09:30
UK Universities Facing Daily State-Sponsored Attacks

UK universities are facing increased attacks from state-sponsored hackers, who are targeting their research programs.

According to a survey of 75 senior IT leaders across 68 UK universities by VMware and Dell EMC, a quarter of respondents said their institution is targeted on a daily basis, while one in 10 strongly agreed that a successful attack on their research could have a harmful impact on the lives of UK citizens.

The research also found that 24% of UK universities believed their security and defense research may have already been infiltrated, while over half (53%) said a cyber-attack on their institution has led to research ending up in foreign hands.

John Chapman, CISO, UK Public Sector at Dell EMC, said: “In conducting research that may shape the future of the nation and its citizens, universities are under the microscope of some of the world’s most well-resourced and potent cyber-attackers. We hope this study will encourage them to look critically at their cybersecurity readiness. Universities must do more to protect themselves, and the sensitive information they hold, against the ever-expanding range of increasingly sophisticated threats.”

Specifically, attackers target scientific (54%), medical (50%), economic (37%) and defense research (33%). The research also found that 49% of university IT leaders recognize a lack of IT investment as one of the factors driving the need for more robust cybersecurity practices.

In a statement sent to Infosecurity, Universities UK said: "Data security is an absolute priority for higher education providers and students alike. Universities UK is working with university leaders and the National Cyber Security Centre to help improve and strengthen security practices to better protect the sector from cyber threats. This includes the development of robust guidance on cybersecurity which we will release later this year.”

Categories: Cyber Risk News

Insight Venture Partners to Acquire Recorded Future

Thu, 05/30/2019 - 18:30
Insight Venture Partners to Acquire Recorded Future

Insight Venture Partners has agreed to acquire a controlling interest in Recorded Future, a threat intelligence company, in addition to the minority stake it already owns. The all-cash transaction puts the value of Recorded Future at more than $780 million. 

According to its press release, Recorded Future is the largest privately held threat intelligence software company in the world, with more than 400 clients. Its solution is powered by its patented machine learning, alerting companies to unknown threats before they affect the business, helping teams respond to alerts 10 times faster. The solution pulls information from technical, open web and dark web sources and aggregates it with customer data. 

Insight Venture Partners is a global venture capital and private equity firm investing in high-growth technology and software companies. Founded in 1995, it has over $20 billion of assets under management and has cumulatively invested in over 300 companies worldwide.

According to Recorded Future's co-founder and CEO, Christopher Ahlberg, the investment will help the company "tap into the full potential of its technical roadmap" and solve some of "the most difficult and unique intelligence challenges" today.  

“My leadership team and I have had the privilege to work with Mike Triplett and the Insight team for a number of years, benefiting from their sage advice, industry knowledge and relationships," he commented. "This transaction is the logical next step for Recorded Future given the opportunities in front of us, as we fully realize the potential and vision of our strategy.”

Triplett, managing director at Insight, said: “Insight’s renewed investment is a testament to the vision and direction laid out by Recorded Future’s leadership team. They envision a world where everyone applies intelligence at speed and scale to reduce risk, remaining hyper-focused on providing clients with the threat intelligence necessary to understand their environments, manage risk, and combat malicious actors through contemporary awareness gained from the implementation of a threat intelligence-led security strategy." 

Pursuant to the terms of this investment, Triplett and Thomas Krane, VP at Insight, will join Recorded Future’s board of directors.

Recorded Future customers have included Bank of America, Nasdaq, Abbott and T-Mobile. 

Categories: Cyber Risk News

Companies and Experts Call on GCHQ to Abandon "Ghost User" Proposal

Thu, 05/30/2019 - 17:35
Companies and Experts Call on GCHQ to Abandon "Ghost User" Proposal

Technology companies, trade associations, civil society organizations and 17 individual experts in digital security and policy have signed an open letter to the UK's Government Communications Headquarters (GCHQ), outlining concerns about the agency's proposal for law enforcement access to end-to-end encrypted communications. The letter was shared with GCHQ on May 22, 2019, and made public on May 29, 2019.

GCHQ set forth its proposal for “silently adding a law enforcement participant to a group chat or call” in a Lawfare article in November 2018. This would "add a ghost user into encrypted chats" and would "require providers to suppress normal notifications to users." According to the letter, this would leave users "unaware that a law enforcement participant had been added and could see the plain text of the encrypted conversation."

Written by Sharon Bradford Franklin and Andi Wilson Thompson, the letter to GCHQ explains how the ghost proposal would work, the ways in which technology companies would need to change their systems and the dangers that it would present. Specifically, the consortium outlined that if implemented, such access would “undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused.” 
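To make the client-side change concrete, here is a constructed model, added to this page and not code from GCHQ, the letter's authors or any messaging provider, of a group-chat client that keeps its own hash-chained membership roster and encrypts each message once per member. The roster class, the stand-in envelope function and the member names are assumptions for illustration. The model shows why a "ghost" cannot be added by the server alone: a client that seals only to keys in its verified roster rejects the extra recipient and surfaces it, so the proposal needs the client software itself to stop checking, which is the authentication-undermining change the letter describes.

```python
"""Toy model of end-to-end encrypted group fan-out and the 'ghost user' change.

Constructed example: not code from GCHQ, the open letter's authors or any
messaging provider. Real messengers derive per-recipient keys with a key
agreement (X3DH / Double Ratchet, sender keys); stand_in_seal() below is a
placeholder so the model runs offline, and the member names are made up.
"""
import hashlib
import os

CHAIN_ROOT = b"\x00" * 32


def fingerprint(pubkey: bytes) -> str:
    """Safety-number-style fingerprint that users compare out of band."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


class Roster:
    """Group membership kept by the client as a hash chain: every add or
    remove is an event shown to the user and folded into the chain head,
    so membership cannot change without a visible event."""

    def __init__(self):
        self.members = {}          # member_id -> pubkey
        self.head = CHAIN_ROOT
        self.events = []           # user-visible audit trail

    def _apply(self, event: str, member_id: str, pubkey: bytes = b"") -> None:
        self.head = hashlib.sha256(
            self.head + event.encode() + member_id.encode() + pubkey).digest()
        self.events.append((event, member_id, self.head.hex()[:12]))

    def add(self, member_id: str, pubkey: bytes) -> None:
        self.members[member_id] = pubkey
        self._apply("add", member_id, pubkey)

    def remove(self, member_id: str) -> None:
        self.members.pop(member_id)
        self._apply("remove", member_id)


def stand_in_seal(pubkey: bytes, plaintext: bytes) -> bytes:
    """Placeholder per-recipient envelope: XOR with a SHAKE keystream bound to
    the recipient key. Symmetric, so sealing twice restores the plaintext.
    NOT real public-key encryption; it only marks 'a copy readable by the
    holder of this key'."""
    keystream = hashlib.shake_256(b"envelope|" + pubkey).digest(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def fan_out(plaintext: bytes, roster: Roster, server_recipients: dict,
            verify_roster: bool = True):
    """Encrypt one copy of plaintext per recipient.

    server_recipients: {member_id: pubkey} as the provider's server supplies it.
    verify_roster=True  -> seal only to keys that match the client's own roster;
                           an unknown member, or a swapped key for a known
                           member, aborts the send and is surfaced to the user.
    verify_roster=False -> the client the ghost proposal would require: it
                           trusts the server's list and seals to every key in it.
    Returns (envelopes, hidden), where hidden lists recipients that are not in
    the roster as the client knows it.
    """
    hidden = sorted(m for m, k in server_recipients.items()
                    if roster.members.get(m) != k)
    if verify_roster and hidden:
        raise ValueError("recipients outside the verified roster: %s" % hidden)
    envelopes = {m: stand_in_seal(k, plaintext)
                 for m, k in server_recipients.items()}
    return envelopes, hidden


def demo():
    """Server appends a third recipient without any membership event."""
    alice, bob, ghost = os.urandom(32), os.urandom(32), os.urandom(32)
    roster = Roster()
    roster.add("alice", alice)
    roster.add("bob", bob)
    ghosted = {"alice": alice, "bob": bob, "ghost": ghost}
    msg = b"meet at nine"
    try:
        fan_out(msg, roster, ghosted, verify_roster=True)
        detected = False
    except ValueError:
        detected = True                       # honest client refuses to send
    envs, hidden = fan_out(msg, roster, ghosted, verify_roster=False)
    # The ghost-capable client produced a copy for the extra key while the
    # roster the user sees still records only two members and two events.
    return detected, hidden, len(envs), len(roster.events)


if __name__ == "__main__":
    print(demo())   # (True, ['ghost'], 3, 2)
```

The same roster comparison also catches the key-substitution variant of the idea, where the server keeps the member list unchanged but swaps a known member's key for one it controls; that is why the letter treats the proposal as an attack on authentication rather than on the cipher.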

Jake Moore, security specialist at ESET, told Infosecurity that the proposal by GCHQ "makes a mockery of the fundamental basics of encryption."

"Not only is it going against what privacy is all about, but if you create a back door for the good guys, the bad guys won’t be far behind. Encryption is there for multiple reasons and shouldn’t be messed with. GCHQ has always had an issue with breaking serious encryption but to now demand access to private chats has far-reaching implications. 

"Cyber-criminals are not just using WhatsApp and, if a law one day passes to read this application, it will just push them to use another app – if they aren’t already. There are many apps which already promise ultimate privacy and are heavily used and relied upon.”

The open letter from the group asks GCHQ "to abandon the ghost proposal and any other approach that would pose similar risks to digital security and human rights." They also request an open dialogue with the intelligence organizations to address law enforcement access to encrypted chats and messages. 

This news comes after Germany proposed giving access to security authorities to apps such as WhatsApp and Telegram. 

Categories: Cyber Risk News

93% of Companies Are Overconfident of Their Ability to Stop Data Breaches

Thu, 05/30/2019 - 17:27
93% of Companies Are Overconfident of Their Ability to Stop Data Breaches

Organizations are not equipping themselves against the abuse of privileged access, according to a report by Centrify and Techvangelism. Nearly 80% of organizations were found not to have a mature privileged access management (PAM) approach, yet 93% of the organizations surveyed believe they are at least somewhat prepared for threats that involve privileged credentials. 

“This survey indicates that there is still a long way to go for most organizations to protect their critical infrastructure and data with mature privileged access management approaches based on zero trust,” says Tim Steinkopf, CEO of Centrify. “We know that 74% of data breaches involve privileged access abuse, so the overconfidence these organizations exhibit in their ability to stop them from happening is concerning."

The report found that companies do not take "the simplest" of measures, with 52% stating they do not use a password vault. In fact, out of the 1,300 organizations across 11 industry verticals in the U.S. and Canada, 43% were identified as having a "nonexistent" PAM approach. 

The survey also revealed that over half of companies surveyed have some questionable privileged access control; for example, 52% use shared accounts for controlling privileged access; 58% of organizations do not use multifactor authentication (MFA) for privileged administrative access to servers, and 51% of organizations do not control access to transformational technologies with privileged access, including modern attack surfaces, such as cloud workloads, big data projects and containers.

Looking at industry-specific trends, 39% of technology organizations have a nonexistent approach to PAM, as do healthcare (45%) and government (42%), which are both highly regulated and handle sensitive data. The financial sector scored highest in the "mature" category, followed by energy and utilities (26%). 

Cathy Hall, PAM practice lead at Sila Solutions Group, wrote about the best practice for PAM for Infosecurity Magazine in April 2019: "The best way to handle ... PAM ... isn’t to simply check a box to satisfy a mandate, it’s to view it as a mission. A mission-based approach ensures that you improve security across your whole enterprise over time, rather than only satisfying a limited, one-time mandate." 

Categories: Cyber Risk News

Report: 50% Increase in Exposed Data in One Year

Thu, 05/30/2019 - 12:05
Report: 50% Increase in Exposed Data in One Year

New research released by digital risk protection specialists Digital Shadows has revealed a 50% increase in exposed data in the last year.

In its report Too Much Information: The Sequel from its Photon Research Team, Digital Shadows discovered that misconfiguration of commonly used file storage technologies was largely to blame for the exposure of 2.3 billion online files in one year. That is a jump of more than 750 million files since the same study was carried out by Digital Shadows in 2018.

Almost half of the files were exposed via the Server Message Block (SMB) protocol, while other technologies such as FTP services (20%), rsync (16%), Amazon S3 buckets (8%) and network-attached storage devices (3%) were also cited by Digital Shadows as sources of exposure.

Speaking to Infosecurity, Harrison Van Riper, Photon Research analyst at Digital Shadows, said: “It is surprising to see such a large increase in such a short amount of time, indicating that the issue of inadvertent data exposure is not one to be taken lightly.”

However, it is not just the sheer amount of data exposed in the last 12 months or even the means by which it was that causes concern, as the sensitivity of the exposed data is also a significant issue. Digital Shadows warned that with exposed data including passport details, bank records, medical and business information, organizations and individual consumers are at greater risk of GDPR punishments, targeted business compromise, identity theft and ransomware attacks.

“Every day, there are new files being exposed that are potentially sensitive personal or private information for businesses and consumers alike,” Van Riper added. “Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year. Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”
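A check a practitioner can run against the S3 case above, added here as an example and not Digital Shadows' own tooling: it evaluates a bucket policy and ACL of the shape the AWS API returns and flags grants to anonymous or any-authenticated-AWS-user principals that allow listing the bucket or reading objects. The sample policy and ACL are constructed; the bucket name, account ID and IP range are placeholders.

```python
"""Flag S3 bucket configurations that are readable by anyone.

Added example, not Digital Shadows' tooling. It works offline on the two
documents the AWS API hands back for a bucket (GetBucketPolicy returns the
policy JSON; GetBucketAcl returns the ACL dict). Samples below are constructed.
"""
import json
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_TARGETS = ("s3:getobject", "s3:listbucket")   # 'exposed files' means these


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """'*' or {"AWS": "*"} means every principal, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _read_actions(actions) -> list:
    """Actions (IAM wildcards allowed) that cover GetObject or ListBucket."""
    return sorted(a for a in _as_list(actions)
                  if any(fnmatchcase(t, a.lower()) for t in READ_TARGETS))


def audit_policy(policy_json: str) -> list:
    """One finding per Allow statement that grants read to the world. A
    statement with a Condition is still reported, marked conditional, because
    conditions such as aws:SourceIp are easy to get wrong and need review.
    NotPrincipal/NotAction statements are reported for manual review."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append({"source": "policy", "sid": stmt.get("Sid", ""),
                             "manual_review": True})
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        reads = _read_actions(stmt.get("Action", []))
        if reads:
            findings.append({"source": "policy", "sid": stmt.get("Sid", ""),
                             "actions": reads,
                             "resources": _as_list(stmt.get("Resource", [])),
                             "conditional": "Condition" in stmt})
    return findings


def audit_acl(acl: dict) -> list:
    """Grants to the AllUsers / AuthenticatedUsers groups that allow reading.
    READ on a bucket ACL lets the grantee list the bucket's objects."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTH_USERS)
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            findings.append({"source": "acl", "grantee": uri.rsplit("/", 1)[-1],
                             "permission": grant["Permission"]})
    return findings


def is_public(policy_json: str, acl: dict) -> bool:
    return bool(audit_policy(policy_json) or audit_acl(acl))


# Constructed samples (placeholder bucket, account ID and TEST-NET-3 range).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "ListFromOffice", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:List*", "Resource": "arn:aws:s3:::example-backups",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})
SAMPLE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"}]}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY) + audit_acl(SAMPLE_ACL):
        print(finding)
```

Feed it the `Policy` string from `aws s3api get-bucket-policy` and the output of `aws s3api get-bucket-acl`; any finding is a bucket to review. Account- or bucket-level S3 Block Public Access overrides these grants, so a finding means exposure only where that guard is off, and the same audit discipline applies to the SMB, FTP and rsync services that made up most of the exposed files.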

Categories: Cyber Risk News

Fines Increase & Enforcements Fall in First Year of GDPR

Thu, 05/30/2019 - 09:09
Fines Increase & Enforcements Fall in First Year of GDPR

Data protection monetary penalties have increased by £2m in the past year, while the number of enforcements issued fell by more than 20 from the number issued in 2017.

According to PwC’s 2018 Privacy & Security Enforcement Tracker, monetary penalties issued to UK organizations for breaching data protection laws in calendar year 2018 totaled more than £6.5m, over £2m more than the previous year.

The data also showed that while the total sum of fines has increased, the number of enforcements issued fell to 67 in 2018, from 91 in 2017.

A year on from the GDPR compliance deadline, the data also showed that private sector companies accounted for 86% of enforcements, although scrutiny remains on the public sector given the sensitive nature of the data it handles. A quarter (25%) of enforcement actions related to personal data security breaches.

Stewart Room, lead partner for GDPR and data protection at PwC, said that the trend of enforcement remained constant in comparison with previous years, with marketing and security infringements dominating the regulatory agenda.

“The absence of any GDPR fines in 2018 was not surprising, as it takes many months for cases to work through the system, but we know that they are on their way,” he said. “As well as looking at how to improve their levels of legal compliance, I would encourage organizations to focus on how good approaches to the handling of personal data can help them to deliver on their business purpose, to help and sustain the creation of long term value and trust.”

In an email to Infosecurity, Emma Loveday-Hill, senior associate and data protection specialist at Prettys, said that although the monetary penalty notices issued in the last year fell under the old legislation (the Data Protection Act 1998), where the maximum fine was £500,000, there were still numerous high-level fines because of the number of serious breaches.

“In terms of the reduction in enforcement notices, this is likely to be due to the fact that the ICO has been busy dealing with the backlog of complaints and issues brought to their attention since the introduction of the GDPR and DPA 2018,” she said.

“Investigations by their very nature take time to carry out, and given the likely number of the complaints and issues raised with the ICO, this has no doubt had an impact on how quickly enforcement notices are handed down.
 
“Our message is still very much ‘watch this space’ as the ICO are just getting started in terms of what they are doing under the GDPR and Data Protection Act 2018, and going forward we are likely to see a higher number of enforcement notices and fines coming through over the coming months as the ICO makes its goal for 2019 a clear one: breaches of data protection law will be taken seriously and financial penalties will be issued as a result of noncompliance.”

Data protection officer Steve Wright said that the drop in enforcements is in contrast to the “sheer quantity of notifications,” which has gone up tenfold since May last year. “The ICO are possibly struggling to cope with the sheer weight of notifications, as each one requires trained individuals to examine the notification and the evidence provided (so heavily dependent upon manual inspection),” he said.

“When I was the DPO for a major retailer, the number of Subject Access Requests, complaints and new ‘Rights’ requests had gone from 250 per year to 1800 within six months (in 2018). That presented us with a huge challenge and cost; the amount of planning, process improvement, recruitment and training was nothing short of a huge military style exercise, and fortunately we were prepared for the drop date.

“I’m told this number has now stabilized and is expected to hover around 1500 unique requests per year, but that is still a six-fold increase, and therefore a new cost of doing business with consumer data has hit the consumer-facing businesses particularly hard.”

Wright also said that the ICO “has been on a massive learning curve” as the level of understanding about what it deems to be ‘notifiable’, and the ability to sort out the real issues (based on impact to the individual) from the noise, has taken time to learn.

“It stands to reason that just like any business, keeping up with demand is difficult to predict and manage. It also raises the prospects of less enforcement actions, but more interesting and prevalent cases that we can (as an industry) learn from.” 

Categories: Cyber Risk News
