According to a media release from Onslow Water and Sewer Authority (ONWASA) issued on October 15, 2018, a critical water utility in North Carolina was targeted in a cyber-attack. Federal and state officials are now working with the water utility as part of the investigation into the attack on some of its computer systems.
“In the wake of the Hurricane Florence disaster...ONWASA’s internal computer system, including servers and personal computers, was subjected to what was characterized as 'a sophisticated ransomware attack,'” wrote Jeffrey Hudson, CEO, ONWASA.
Hudson also reported that no customer information was compromised. In addition to the FBI, the Department of Homeland Security and the state of North Carolina were also called in to assist.
According to Hudson, the utility was first hit by malware on October 4. Although the initial infection appeared to have been contained, the problem persisted, so external security experts were brought in to work alongside ONWASA’s IT staff. On October 13 a second, more sophisticated strain, the RYUK ransomware, was launched against the same systems.
In the aftermath of the attack, ONWASA received an email from the attackers, who are believed to be based in another country, according to Hudson. “The email is consistent with ransomware attacks of other governments and corporations...ONWASA will not negotiate with criminals nor bow to their demands. The FBI agrees that ransoms should not be paid,” he wrote.
As such, this ransomware attack will require that ONWASA rebuild several of its databases.
“As most ransomware is delivered through malicious email links, educating users on the danger of clicking on links from even trusted email sources can prevent many ransomware infections to begin with,” said Adam Laub, senior VP, product marketing, STEALTHbits Technologies Inc.
“Reducing end user access to file data, in particular, is also an effective mitigation technique because ransomware and other malware often relies on the access rights of the user who’s been compromised. If they don’t have access privileges, then neither does the malware. Finally, backing up data – at least the data you really care about – can make even a successful ransomware attack a nonissue, relatively speaking.”
In a new survey on cybersecurity culture, 90% of the nearly 5,000 technology professionals who participated identified a gap in their existing culture and the cybersecurity culture they would like to have, according to ISACA and CMMI Institute.
The Cybersecurity Culture Report revealed the results of more than 4,800 technology professionals surveyed about security awareness and behaviors in enterprises, particularly how awareness integrates into daily operations and leadership priorities.
"Cybersecurity management is critical for successfully securing a modern, digital organization," said Kai Roer, CEO of CLTRe. "Building and maintaining security culture is a process. It requires a number of steps, and when done correctly, it will both boost the security culture and provide documentation and stepping stones to close the gap between as-is and to-be states."
According to the survey, though, a mere 5% of respondents said their organization is well positioned to mitigate both internal and external threats. Only a third (34%) of respondents are aware of the role they play in creating a cyber-aware culture within their organizations, suggesting that many companies are not effectively getting the message out to all employees that they are a first line of defense when it comes to cyber-attacks.
“Enlisting the entire workforce to mitigate an enterprise’s cyber risk is an emerging practice,” Doug Grindstaff II, SVP of cybersecurity solutions at CMMI Institute, said in a press release. “We are hearing a lot of feedback about how organizations can move the needle on employee involvement. It’s challenging, but organizations are rightly concerned by the growing sophistication of cyberattacks.”
In fact, the survey found that in the small number of organizations that are satisfied with their cybersecurity culture, there is a strong correlation between widespread employee involvement and a security-minded culture. Within those organizations that have successfully created a cultural shift, 92% indicated that top executives embrace their cybersecurity awareness programs and demonstrate a deep understanding of the underlying issues.
Yet 42% of organizations have not developed a cybersecurity culture management plan or policy, which ISACA said is the first step in building cybersecurity culture. The survey found that a lack of funding is a significant hurdle. Those companies that don’t yet have the culture that they want are spending only 19% of their annual budgets on training and tools, whereas those who believe their efforts to create a cyber-secure culture have been successful are spending 43% of their annual budgets.
"Spending on security culture is a crucial part of a security program," said Roer. "However, not all organizations are the same, and not all industries require the same level of security. It is, therefore, our opinion that benchmarking annual spending is not giving an accurate image of the needs to build and maintain good security culture.
"Instead, we suggest that creating a good understanding of the organization's current security posture, including its risk profile and risk acceptance, is key to success. Combine that analysis with a security culture benchmark, and you get a very potent perspective on where you are, where you want to be, and in addition, all the ammunition you need to get the funding you need, be it 19% or 43% of your annual security spending."
Organizations globally are suffering a crippling cybersecurity workforce “gap” of 2.9 million employees today, putting the majority at greater risk of attack, according to the latest estimates from (ISC)².
The global certifications body has introduced a new gap analysis methodology, which explains why the figures are so much higher than the predicted 1.8 million industry shortfall by 2022, a spokesperson confirmed to Infosecurity.
While previous models subtracted supply from demand, the new calculation considers things like the percentage of organizations with open positions and estimated growth of companies of different sizes. It also polled IT staff in small businesses that may not be security professionals but spend 25% or more of their day on these tasks.
The new 2018 (ISC)² Cybersecurity Workforce Study is therefore a more holistic and realistic representation of the picture on the ground, (ISC)² claimed.
The fast-growing APAC region is suffering the biggest shortfall of 2.14 million, followed by North America (498,000), EMEA (142,000) and Latin America (136,000).
Nearly two-thirds (63%) of organizations worldwide said they have a cybersecurity skills shortage and over half (59%) claimed this is putting them at “moderate” or “extreme” risk of attack.
Although nearly half (48%) said they plan to increase staff numbers in the next 12 months, it’s difficult to know where these are going to come from given the scale of shortages.
However, one positive new trend appears to be a wider representation of women in the industry, who now comprise a quarter (24%) of the workforce, more than double previous estimates (11%).
“By broadening our view of the workforce to include those with collateral cybersecurity duties within IT and ICT teams, we discovered that professionals are still facing familiar challenges, but also found striking differences compared to previous research, including a younger workforce and greater representation of women,” argued (ISC)² CEO, David Shearer.
Key barriers to career progression mentioned by respondents were unclear career paths (34%), lack of organizational knowledge (32%) and the cost of education to prepare for a career (28%).
The UK’s National Cyber Security Centre (NCSC) has blocked more than 10 cyber-attacks per week in its first two years of operation, blaming nation states for the majority of incidents.
The government body was spun out of GCHQ in 2016 with a goal of making the UK one of the safest places to live and work online.
Since then, it has dealt with 1,100 attacks and helped central and local government become more resilient via its Active Cyber Defence (ACD) strategy.
The idea here is to employ simple-to-use, tried-and-tested online tools and techniques to mitigate the risk from high volume, commodity attacks like phishing.
The strategy has seen remarkable success over the past year.
Thanks to a Web Check service, public sector bodies have identified over 2,300 urgent vulnerabilities to fix, with all local authorities in England, Wales and Scotland signing up.
Meanwhile, a Protective DNS service blocks malicious sites from being accessed by government staff and notifies managers of any issues that need fixing. It has apparently now detected and blocked attempts to access over 30 million malicious websites.
A Takedown Service has also been successful, removing over 138,000 phishing sites hosted in the UK and a further 14,116 worldwide spoofing the government.
The NCSC claimed that thanks to these efforts the UK’s share of visible global phishing attacks has roughly halved, from 5.3% in June 2016 to 2.4% in July 2018.
Finally, a Mail Check service helps government bodies publish and monitor DMARC policies for the domains they send email from, so that receiving mail servers can check whether a message claiming to come from a government domain is genuine and reject or quarantine spoofed ones.
From a figure of just over 200 in September 2017, nearly 900 government domains now use DMARC.
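A receiver decides what to do with a spoofed message by reading the sender domain's published DMARC record, so the value of a Mail Check-style rollout depends on what the record actually says. The following is an added example, not code from NCSC or its Mail Check service: it parses DMARC TXT records and classifies them as monitor-only, partially enforcing or fully enforcing. The sample records and the domain names in them are constructed for illustration and are not real government records.

```python
"""Parse and classify DMARC TXT records (added example; constructed inputs)."""

from typing import Dict, Optional, Tuple

# Constructed sample records, written as they would appear in the TXT record
# published at _dmarc.<domain>. The domain names are hypothetical.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "enforcing.example": (
        "v=DMARC1; p=reject; sp=quarantine; pct=100; adkim=s; aspf=s; "
        "rua=mailto:reports@enforcing.example"
    ),
    "rolling-out.example": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@rolling-out.example",
    "broken.example": "p=reject; rua=mailto:x@broken.example",  # no v=DMARC1 tag
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC record into lower-cased tag/value pairs.

    Returns None when the record is not usable: RFC 7489 requires the v=DMARC1
    tag to come first and a p= tag with a known policy to be present. A
    receiver treats an unusable record as if no DMARC record existed.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1" or tags.get("p") not in VALID_POLICIES:
        return None
    return tags


def effective_policy(tags: Dict[str, str], is_subdomain: bool = False) -> Tuple[str, int]:
    """Return (policy, pct) that a receiver would apply.

    sp= overrides p= for mail from subdomains when it is present and valid.
    pct= limits the share of failing messages the policy is applied to; an
    absent or malformed value is treated here as 100 (a simplifying choice).
    """
    policy = tags["p"]
    if is_subdomain and tags.get("sp") in VALID_POLICIES:
        policy = tags["sp"]
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if not 0 <= pct <= 100:
        pct = 100
    return policy, pct


def assess(record: str) -> str:
    """Classify a record the way a 'does this domain protect its mail' check would."""
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy, pct = effective_policy(tags)
    if policy == "none":
        return "monitor-only"      # reports only; spoofed mail is still delivered
    if pct < 100:
        return f"partial-{policy}"  # policy applied to only pct% of failures
    return f"enforcing-{policy}"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:25s} {assess(record)}")
```

A domain at "monitor-only" has published a record but receivers will still deliver spoofed mail, which is why a DMARC rollout is usually counted as complete only once p=quarantine or p=reject applies to 100% of failing messages.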
“You don’t need to beat cybercrime — and it would be unrealistic to think we could,” argued NCSC technical director, Ian Levy. “But we do want to make it as hard as possible and that means making it as unprofitable and risky as we can for cyber-criminals to act in the UK.”
Elsewhere, NCSC CEO, Ciaran Martin, claimed most of the attacks it has had to tackle over the past two years have come from nation states. He has been vocal in the past at calling out Russian attempts to infiltrate critical national infrastructure and destabilize the geopolitical system.
“We are calling out unacceptable behavior by hostile states and giving our businesses the specific information they need to defend themselves. We are improving our critical systems. We are helping to make using the Internet automatically safer,” he said in a statement.
“As we move into our third year, a major focus of our work will be providing every citizen with the tools they need to keep them safe online. I’m confident that the NCSC will continue to provide the best line of defense in the world to help the UK thrive in the digital age.”
Talal Rajab, head of cyber and national security at techUK, welcomed the NCSC’s contribution over the past two years.
“This report documents a vast body of work that has been undertaken including incident response, active cyber-defense, skills and education, industry engagement and protecting CNI,” he added.
“The NCSC is a leader in all of these, working with partners across industry to deliver world-leading cyber-capabilities in the UK. TechUK has been delighted to support these initiatives and is looking forward to increased engagement with the NCSC over the next year.”
An estimated 35 million voter records from 19 states are up for sale on a dark web forum, in what may be an inside job ahead of the mid-terms.
Some 23 million records are up for sale for just three states, although no record counts were provided for the remaining 16 states. The sales price for each voter list ranges from $150 to $12,500 depending on the state.
A crowdfunding project is underway to pay the seller: a move which would offer the full lists for free to members of a particular hacking forum. Records for Kansas have apparently already been published, with Oregon next in line.
Although access to state voter registration lists is provided to political campaigns, journalists and academic researchers, there are rules forbidding their use for commercial purposes or republishing online.
If the seller is telling the truth, this haul could be useful for identity fraudsters and even those who want to interfere in the upcoming mid-terms.
“When these lists are combined with other breached data containing sensitive information, e.g., social security number and driver’s license, on underground forums it provides malicious actors with key data points for creating a target profile of the US electorate,” noted Anomali.
“This type of information can facilitate criminal actions such as identity fraud or allow for false submissions of changes online to voter registrations, making some legitimate voters ineligible to cast ballots. In a voter identity theft scenario, fraudsters can cause disruptions to the electoral process through physical address changes, deletion of voter registrations, or requests for absentee ballots on behalf of the legitimate voter.”
The seller claimed to receive weekly updates of the registration data from contacts within the state governments, which if true could highlight a major insider risk.
“Threat actors frequently recruit and fool insiders into helping them to pull off data theft and abuse schemes. This research seems to indicate that insiders either knowingly or unwittingly helped the nefarious party to obtain voter information,” said Dtex CEO Christy Wyatt.
“Government-sector research we conducted earlier this year revealed that 53% of agencies have been hit with an insider incident.”
The affected states are: Georgia, Idaho, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, New Mexico, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, West Virginia, Wisconsin and Wyoming.
A new vulnerability in Apple’s latest iOS release, 12.0.1, shipped last week, allows an attacker with physical access to an iPhone to reach the photos stored on it while the phone is still locked, according to Jose Rodriguez, a Spanish security researcher.
The passcode bypass, reported by The Hacker News, requires hands-on access to the device, but with that access an attacker can browse the photo albums and send selected pictures via Apple Messages without ever unlocking the phone.
Rodriguez reported the bug and provided a proof-of-concept video via YouTube in which he demonstrated various steps of the attack, which starts with an incoming call to the targeted iPhone.
After tapping the "message" option on the iOS call screen, Rodriguez selected the "custom" option, which then displayed the Messages user interface, at which point he entered random letters before calling on Siri to activate VoiceOver.
This latest bug comes only two weeks after Rodriguez discovered two similar VoiceOver vulnerabilities that gave unauthorized access to user contacts and photos, according to AppleInsider.
When the conditions of the bug are met, the iPhone displays a black screen. A left swipe on the black screen delivers an attacker to the photo library. As Rodriguez demonstrated in his proof of concept, a double tap then returns him to the Messages app where he is able to insert images into the Messages text box.
In total, the attack is a 10-step process that works on all current iPhone models running the latest version of the Apple mobile operating system, including the iPhone X and XS devices.
Though the bug is concerning, the attacker must have a “certain level of precision” to perform the process and achieve the desired outcome, said AppleInsider.
Executive-level security professionals fear their organizations are not well positioned to respond to a cyber-attack, according to the results of a new poll from Deloitte.
In a poll of more than 3,150 security professionals across all industries and sectors taken during a webcast on cyber preparedness and war-gaming, survey respondents indicated that in large part, cybersecurity remains siloed. As a result, many employees across the organizations are not well versed in how to respond to a cyber incident. In addition, participants reported that they were only somewhat confident in their organization’s ability to respond to and remediate a cyber incident despite the reality that their organizations had experienced a cybersecurity incident within the past 12 months.
While it's become commonplace to espouse that all employees play a role in cyber awareness, 30% of CEOs and executive-level respondents said their greatest challenge is that employees don’t understand the organization’s incident response plan. That lack of understanding seems to correlate with a lack of resources. For 20% of respondents, a lack of access to the funding, tools and skills needed to respond to cyber incidents is a handicap.
“We used to say it’s ‘not if, but when’ an organization will experience a cyber incident. That message has evolved well beyond a single incident to ‘how often’ or ‘how to respond to and withstand persistent attacks,’” said Andrew Morrison, principal, Deloitte Risk and Financial Advisory Cyber Risk Services, Deloitte & Touche LLP, in a press release.
“Improving internal processes and providing employees with the knowledge, practice and skills needed to succeed can help organizations mitigate risk through preparedness, as well as increase overall business resilience to future attacks.”
Yet nearly half of respondents (49%) said that their organizations do not conduct cyber war-gaming exercises so that all employees can better understand what to do in the event of a cyber incident. As a result, 34% of participants reported not knowing their own role within their organization’s cyber incident response plan.
“Cyber war games are an important way to raise awareness of the latest cyber risks and attack types, as well as cyber risk management and adaptive response capabilities an organization needs during, after and preparing for the next cyber incident,” said Daniel Soo, cyber war-gaming leader for Deloitte cyber risk services and Deloitte Risk and Financial Advisory principal.
“The most impactful war games are those that use live knowledge of an organization’s current threat environment to support the decision-making process across operations, finance, regulatory, marketing and beyond.”
Global exposure to and losses from tech support scams has dropped over the past two years as consumers become more savvy, although in the UK the number suffering financially increased slightly, according to Microsoft.
The computing giant polled over 16,000 internet users in 16 countries worldwide to better understand how trends are evolving.
The latest figures revealed that 63% of consumers experienced a tech support scam, down from 68% in 2016. Those who lost money fell from 6% to 3%.
However, alongside direct monetary loss, a further 8% of consumers spent time and money checking and ‘repairing’ their PCs. That’s not to mention the 76% who reported moderate to severe stress as the result of being hit by a scam.
The report claimed that fewer pop-up ads and windows have helped reduce consumer exposure to the scams. These typically masquerade as alerts from a reputable provider like Microsoft and trick the victim into believing that their machine has been infected.
Consumers are also becoming more skeptical about unsolicited contact from a tech support ‘operative.’
Over a third (38%) said that if they were contacted by ‘tech support’ they’d try to block the company the scammer claimed to come from and 33% would look up the issue online.
Interestingly, younger netizens are more likely to be tricked into handing over their money. This may be because a higher percentage are exposed to pop-ups because of visiting high-risk torrent sites and similar. Microsoft also warned that these more ‘tech savvy’ youngsters are more likely to be over-confident.
Although the overall figures for tech support scam victims appear to be coming down globally, the UK bucked the trend.
Here, 62% of respondents said they had experienced a scam, with 6% losing money as a result, an increase from just 2% in 2016.
Microsoft urged UK victims to contact Action Fraud.
Salaries for cybersecurity professionals have risen by 6% in one year, double the national average of 2.9%, according to Acumin Consulting’s latest annual Salary Survey.
The firm analyzed 56 key cybersecurity positions across its database of end users, system integrators, consultancies and public sector divisions to provide a holistic view of salaries across organization type and role seniority.
Acumin’s findings revealed that education and compliance roles saw the biggest increases (20%) in the last year, with security analysts also benefiting from an average salary rise of 13%. Those in the role of information security officer saw the lowest increase (1.5%), whilst application security specialists and product directors saw their wages rise by 2%.
“Our 2018 Salary Survey provides a snapshot of the issues that have been driving boardroom agendas this year, namely data protection regulation and user education,” said Simon Hember, group business development director at Acumin. “With the pressures brought down on organizations by the GDPR, professionals with skills in compliance and process are commanding record salaries.”
However, it appears the public sector is failing to meet the salaries being offered by private sector organizations.
“Opportunities for security professionals in the public sector should be booming, especially given the government’s commitment to the National Cyber Security Strategy and GCHQ’s recent drive to recruit 2,000 roles to deal with the threat of nation state actors,” Hember added. “However, it’s no surprise that the public sector is struggling to offer the salaries, and attractive packages that can be offered by private sector organizations or indeed well-funded security start-ups.”
The UK’s Ministry of Defence (MoD) appears to have exposed highly sensitive data and systems to the risk of compromise after reports revealed 37 breaches of security protocol last year.
The heavily redacted reports don’t indicate whether the security breaches led to sensitive military information falling into enemy hands, but their scale should be alarming.
The cybersecurity slip-ups include sending sensitive information unprotected over the internet — where it could potentially have been intercepted by cyber-spies.
Peripherals were connected to ministry networks without checking first for malware, and phones and laptops were taken overseas where they were apparently at risk of malware infection or interception of communications.
In some cases, devices, documents and even rooms were left unsecured, raising the prospect that unauthorized third parties could access them, according to Sky News.
A statement sent from the ministry argued that disclosing more info could increase the risk of a cyber-attack against it.
“The MoD takes the security of its personnel and establishments very seriously but we do not comment on specific security arrangements or procedures,” it added.
The UK’s MoD is not the only defense department to have been found wanting when it comes to cybersecurity recently.
Reports emerged over the weekend that as many as 30,000 Pentagon staff may have had their personal and financial data stolen via a third-party contractor.
Even more concerning, a Government Accountability Office (GAO) report recently found critical vulnerabilities in nearly all US weapons systems under development.
Eset cybersecurity expert, Jake Moore, argued that the number of security breaches recorded by the MoD is concerning.
“Human error still occurs and this report simply echoes that you can have endless computing power and other unmanned mitigation techniques in place, yet the human firewall can still easily be a target and let these attacks in,” he added. “Such prevention techniques as robust and effective staff training will no doubt reduce the number of reported attacks on the MoD.”
The UK government claims to be leading the way with a newly released Code of Practice (CoP) designed to drive security-by-design in the manufacture of IoT products.
Developed in partnership with the National Cyber Security Centre (NCSC), the ICO and others, the "world first" CoP aims to improve baseline security in the sector and ensure smart devices that process personal data are aligned with the GDPR.
It’s focused initially on the consumer space.
HP and Centrica Hive are the first two IoT-makers to sign up, and the government hopes its mapping document will make it easier for others to follow.
Regulation is also being developed to improve the security of consumer-grade IoT products, according to the government.
The move can be seen as a response to the risks posed to individuals and businesses from unsecured consumer IoT devices, as exploited most famously by the Mirai botnet attacks of 2016.
It also comes as the British Standards Institution (BSI) readies a new kitemark scheme for consumers and businesses to help them better identify products they can trust to be reliable and secure.
The CoP received a cautious welcome from security experts, but many argued it doesn’t go far enough.
“A code of practice is a step in the right direction, but more needs to be done. The industry should follow best practices and self-regulate, before regulators put a static, cumbersome device security framework in place,” argued John Sheehy, VP of strategy at IOActive.
“Security must be built in from the design phase of any new connected device. It cannot be an afterthought, which only makes it more costly to the manufacturer. Until the industry takes a long-term view on cybersecurity risk or faces material financial consequences, we are likely to see things get worse before they get better.”
Andy Kays, CTO at Redscan, added that global standards are needed to improve IoT security across the development lifecycle.
“Right now, cybersecurity is often last in a long list of some manufacturers’ priorities. New features and services are driving sales, not robustness. Manufacturers are selling prototypes as fully-fledged products to generate attention and get to market as quickly as possible,” he added.
“Retailers need to do their part in helping to protect consumers by ensuring that they choose to stock products that meet recognized security standards.”
Matt Walmsley, EMEA director at Vectra, was sceptical of the CoP’s impact.
“Voluntary codes of practices will likely only attract organizations who are already proactive and bought into addressing the issues the CoP seeks to address,” he argued.
“In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations.”
While it’s no surprise that organizations are being compromised, a new study released by Ponemon Institute found that the rate at which organizations are compromised is quite alarming.
The study, 2018 State of Endpoint Security Risk, found a 20% increase in the number of companies that have been compromised by attacks originating at their endpoints over the last 12 months.
The Barkly-sponsored survey included 660 IT and security professionals. All participants had identified zero-day and fileless attacks as the paramount concern when it comes to threats. Of all the participants, nearly two-thirds of organizations have been compromised in the past 12 months.
As a result, 70% of participants said they have replaced antivirus solutions in the past 12 months or have plans to replace them in the coming 12 months. Identifying the greatest challenges when it comes to security gaps, survey respondents cited the high volume of false positives, inadequate protections and high management complexity as their top frustrations.
Additionally, four out of five participants said they struggle to keep up with patching and reported an average delay of 102 days for patching endpoints. Despite the prevalence of zero-day attacks, the survey found that 43% of respondents said they are taking more time to test and roll out patches.
“This study confirms the biggest gap organizations need to address is proactively blocking zero-day and fileless attacks, which are responsible for the majority of today’s endpoint compromises,” said Mike Duffy, CEO of Barkly.
For those companies that have suffered an endpoint attack in the last 12 months, the cost of attacks has also increased. Companies that reported endpoint attacks that bypassed defenses reported a 42% cost increase year-over-year, bringing the average cost of an endpoint attack for an organization to $7,120,000 in 2018. That works out to $440 per endpoint, and the price tag is almost double that for small-to-midsized businesses, which shell out an average of $763 per endpoint.
Of the successful attacks, 76% leveraged unknown and polymorphic malware or zero-day attacks. These techniques increase the odds of success, making attackers using zero-day attack vectors four times more likely to compromise endpoints, compared to traditional attack techniques.
“This increase in successful attacks has exposed a gap in protection that existing solutions and processes are not addressing,” said Larry Ponemon, chairman and founder of Ponemon Institute, in a press release. “Antivirus products missed more attacks than they stopped in 2018 and organizations believe their current antivirus is effective at blocking only 43% of attacks. There is a clear need for more effective solutions to block zero-day and fileless attacks.”
Speaking at the Cyber Recoded conference in London, Steven Furnell, professor of cybersecurity at the University of Plymouth, discussed the quantity of certifications and the need to understand what is most suited for a person.
Pointing to industry reports around the shortage of skilled people in the industry, Furnell said that this “means organizations are employing and wages are increasing significantly,” while the National Cybersecurity Strategy shows that actions to tackle the skills shortage are in progress. However, Furnell admitted that there is “no single path” to a career, and there is a range of certifications you can gain and use.
Referring to the level of skills and focus, Furnell explained that there is a differing level of what certifications require and what they say about the person, and even with a vendor-issued certification, it “doesn’t necessarily mean skills in a particular product, but skills of some degree.”
He added that with different providers and certifications, not all are the same. He highlighted CompTIA’s Security+ as being “very much geared towards entry level practitioners” and not requiring prior experience; however, the salary expectations for someone holding a Security+ were very similar to those for a CISSP holder.
He said: “The industry is not aware of what a certification brings to the table, but does that mean it is the wrong thing to look at? Experience is the key, and not just getting the certification, but where you get them [employees] from and what they bring to the organization.”
He concluded by saying that security requires proper education and knowing how to fit in, but that professionalism cannot just be taught; you need the right attitude “and if you want to be a pen tester, it is the level of professionalism in which you do that role.”
An attack aimed at Central Asian diplomatic organizations, dubbed the Octopus Trojan, is able to disguise itself as a popular online messenger, according to researchers at Kaspersky Lab.
The Trojan, a malicious program for Windows, has possible links to DustSquad, a Russian-language cyber-espionage actor focused on Central Asian users that Kaspersky researchers have been monitoring for two years.
Attackers successfully leveraged the news that the widely used Telegram messenger may become banned in Kazakhstan. The Trojan was distributed in a package that appeared to be a legitimate version of the Telegram messenger for Kazakh opposition parties, researchers said. Once installed, Octopus gives attackers remote access to victims’ computers.
“The launcher was disguised with a recognizable symbol of one of the opposing political parties from the region, and the Trojan was hidden inside. Once activated, the Trojan gave the actors behind the malware opportunities to perform various operations with data on the infected computer, including (but not limited to) deletion, blocks, modifications, copying and downloading,” researchers wrote.
Via remote access, the attackers were able to spy on victims, steal sensitive data and gain backdoor access to the systems. “We have seen a lot of threat actors targeting diplomatic entities in Central Asia in 2018,” said Denis Legezo, security researcher, Kaspersky Lab, in a press release.
“DustSquad has been working in the region for several years and could be the group behind this new threat. Apparently, the interest in this region’s cyber affairs is growing steadily. We strongly advise users and organizations in the region to keep an eye on their systems and instruct employees to do the same.”
Kaspersky Lab recommends that organizations educate staff on digital hygiene to reduce risk, and notes that a robust endpoint security solution with application control functionality can strengthen defenses.
Apple has increasingly been the target of crypto-mining attacks, and according to Check Point, attacks on iPhones increased by nearly 400% over the last two weeks of September.
In its most recently published Global Threat Index, Check Point researchers said they are continuing to investigate the reasons behind this sharp increase but reported that crypto-miners continued to be the most common malware in September 2018. Coinhive continued to hold the number-one position, which it has occupied since December 2017.
While Coinhive currently impacts 19% of global organizations, researchers also reported that the information-stealing Trojan Dorkbot held onto second place with a 7% global impact. The report also noted a significant increase in Coinhive attacks against PCs. Attackers used the Coinhive mining malware to target iPhones, which aligned with a rise in attacks against users of the Safari browser, the default browser on Apple devices.
The mining malware that rivals Coinhive, known as Cryptoloot, ranked third place overall on the Threat Index, making it the second-most prevalent crypto-miner in the index. Differentiating itself from Coinhive, Cryptoloot requests a smaller revenue percentage from websites than its top competitor.
“Crypto-mining continues to be the dominant threat facing organizations globally,” Maya Horowitz, threat intelligence group manager at Check Point, said in a press release. “What is most interesting is the fourfold increase in attacks against iPhones and against devices using the Safari browser during the last two weeks of September. These attacks against Apple devices are not using new functionality, so we are continuing to investigate the possible reasons behind this development.”
“In the meantime, attacks such as these serve as a reminder that mobile devices are an often-overlooked element of an organization’s attack surface, so it’s critical that these devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defenses.”
Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269, a flaw in IIS 6.0) was the most exploited vulnerability for the seventh consecutive month, with a reported global impact of 48% of organizations.
Cyber-criminals eased into the year with a somewhat quiet first and second quarter, but according to a new report from Malwarebytes, attackers made some noise in Q3 2018. In the Cybercrime Tactics and Techniques: Q3 2018 report, researchers found that business detections were up 55% compared to 4% for consumers, indicating that cybercriminals are targeting victims who promise a greater return on their investment.
One notable shift in tactics was the use of traditionally consumer-leaning malware, which the report said is now being leveraged in business attacks. The number of Trojan detections for both businesses and consumers rose 86% from last quarter.
Ransomware, cryptojacking and adware also contributed to this increase in business attacks. In addition, older strains of banking Trojans experienced a comeback, and researchers discovered the emergence of new ones, making this form of malware the number-one detection for both businesses and consumers.
Information-stealing malware, like Emotet and LokiBot, grew in Q3. Researchers reported an overall increase of 5%, or 1.7 million more detections, in Q3 than in Q2. Emotet detections rose by 37%, ranking it in the top six malware families for business.
Exploit kits also had a busy quarter, with Underminer and Fallout standing out among exploit kit activity. Rather than being used as a stand-alone weapon, exploit kits were deployed as components of broader web-based attacks. Attackers notably targeted Asia and expanded from South Korea into Japan.
Ransomware attacks on businesses were up 88%. Although consumer detections decreased, researchers noted the development of 40 new ransomware variants, though not all were released into the wild. GandCrab evolved to become more lethal, and Magniber expanded into new regions.
In related news, Malwarebytes researchers noted that over the last few months, MikroTik (a Latvian company that makes routers and ISP wireless systems) has been dealing with a stream of attacks affecting its products’ operating system. The string of attacks began in late April when a critical flaw in RouterOS was identified.
Jérôme Segura, lead malware intelligence analyst at Malwarebytes, today wrote about a new attack that has emerged, with threat actors using social engineering to get users to install a fake update carrying a piece of malware that scans random IP ranges to identify vulnerable routers and exploit them. Once a router is compromised, it is made to inject a Coinhive script into the web traffic it carries, forcing the users behind it to mine cryptocurrency while they browse the internet.
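The Check Point figures above and the MikroTik injection described here both come down to the same artifact on the wire: a page arrives at the browser carrying a miner loader it did not originally contain. The following is an added example, not code from Malwarebytes, Check Point or Coinhive, that scans captured HTML bodies (for instance from a proxy or IDS) for Coinhive-style loaders and pulls out the attacker's site key so affected pages can be correlated. The indicator domain list and the two sample pages are assumptions constructed for the example; the `CoinHive.Anonymous(...)` constructor pattern is Coinhive's documented public API.

```python
"""Scan HTML response bodies for injected browser crypto-miner loaders.

Detects (1) external <script src=...> tags served from known miner hosts and
(2) inline scripts that instantiate a Coinhive miner, extracting the site key.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator list is an assumption for this example: maintain your own from
# current threat intel rather than treating this set as complete.
MINER_SCRIPT_HOSTS = {
    "coinhive.com", "coin-hive.com", "authedmine.com",   # Coinhive loaders
    "crypto-loot.com",                                    # Cryptoloot loaders
}

# Coinhive's documented API: new CoinHive.Anonymous('<site key>', {...})
# or new CoinHive.User('<site key>', '<user>', {...}).
MINER_CTOR_RE = re.compile(
    r"\b(CoinHive)\.(Anonymous|User)\(\s*['\"]([A-Za-z0-9]{16,64})['\"]")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.externals = []      # src attribute of each <script src=...>
        self.inline = []         # text of each <script>...</script> block
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.externals.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _host_matches(src):
    """Return the matching indicator domain for a script URL, or None.

    Handles absolute and scheme-relative URLs and any subdomain of an indicator;
    relative paths have no host and never match.
    """
    host = (urlsplit(src).hostname or "").lower()
    for indicator in MINER_SCRIPT_HOSTS:
        if host == indicator or host.endswith("." + indicator):
            return indicator
    return None


def find_miner_scripts(html):
    """Return a list of findings; each is a dict with kind/indicator/evidence/site_key."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.externals:
        indicator = _host_matches(src)
        if indicator:
            findings.append({"kind": "external_loader", "indicator": indicator,
                             "evidence": src, "site_key": None})
    for code in parser.inline:
        m = MINER_CTOR_RE.search(code)
        if m:
            findings.append({"kind": "inline_start", "indicator": m.group(1),
                             "evidence": m.group(0), "site_key": m.group(3)})
    return findings


# Constructed samples: a clean page, and the same page as a compromised router
# in the path might deliver it, with a loader and a start call spliced in.
CLEAN_PAGE = """<html><head><title>Weather</title>
<script src="/static/app.js"></script></head>
<body><p>Sunny.</p></body></html>"""

INJECTED_PAGE = """<html><head><title>Weather</title>
<script src="/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('AbCdEfGhIjKlMnOpQrStUvWxYz012345', {throttle: 0.3});
miner.start();
</script></head>
<body><p>Sunny.</p></body></html>"""


def main():
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        hits = find_miner_scripts(page)
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  {h['kind']:15s} {h['indicator']:12s} key={h['site_key']} :: {h['evidence']}")


if __name__ == "__main__":
    main()
```

Running it over a stream of captured responses and grouping by site key is what turns individual hits into an incident picture: in a router-injection campaign the same key appears across unrelated sites behind the same gateway, which distinguishes it from a single site that chose to run a miner itself.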
Build contacts, start or join a hacking society and follow security’s trends and news to get a good start in the industry.
Speaking at the Cyber Recoded conference in London, a panel of graduates in their first jobs took part in the 'Getting Past the Gatekeepers' session, describing how they gained the experience that employers look for.
The panelists, who came from a mixture of universities across the UK and from different academic backgrounds, talked of the need to gain contacts and get involved in local security groups in order to achieve mentoring and career advice opportunities.
Chloe Ungar, student at Leeds Beckett University and intern at Hedgehog Cyber Security, said that it is invaluable to have a network around you, such as a hacking society as it “takes away scary aspects [of security], gives you confidence and allows you to experience things” more than just doing a degree would. “Without the society, I would not have pushed myself to go to conferences where I met the company who would become my employer.”
Asked by moderator Daniel Nash if industry were interested in experience such as working with hacking societies, James Stevenson from BT said that “if you’re passionate about it, someone else will be passionate about it.”
In terms of finding work, Stevenson said he had been actively writing and producing podcasts before applying for jobs, and employers were more interested in that sort of work.
Ungar said she had identified the company she wanted to work for, emailed them, heard back within half an hour, at 4 am, and then met them in person. Brett Calderbank, who had worked in policy and governance before working in a SOC, said it was important to keep on top of what is happening in the industry, “as this is such an evolving industry.”
Nash concluded by saying that if there is no society then start your own, as while it is a lot of effort it will pay dividends for experience.
Infosecurity asked which of the panelists had picked the company they wanted to work for, and what qualities they were looking for in an employer? Ungar said she found her employer at a BSides London conference, and she was attracted to a smaller company “where every employee counts.”
Wilson explained he had started to look for a graduate scheme six months before graduating, and gathered enough information to determine what he liked and what they [potential employer] were looking for, while Stevenson said it was important to identify the company and even if they say no, take the feedback and improve yourself, and keep on applying.
The US Department of Defense has suffered a major breach of employees’ personal and financial information, according to reports.
An unnamed official told AP that the incident may have affected as many as 30,000 civilian and military personnel.
A statement seen by the newswire confirmed that the incident had been discovered at the beginning of October, although it’s not clear when the breach took place.
“The department is continuing to gather additional information about the incident, which involves the potential compromise of personally identifiable information (PII) of DoD personnel maintained by a single commercial vendor that provided travel management services to the department,” the statement noted. “This vendor was performing a small percentage of the overall travel management services of DoD.”
The vendor is not being disclosed for security reasons but the Pentagon is said to be taking steps to cancel its contract.
“The department is continuing to assess the risk of harm and will ensure notifications are made to affected personnel,” the statement continued.
The news comes just days after a damning Government Accountability Office (GAO) report found critical vulnerabilities in nearly all weapons systems under development.
It claimed the Pentagon is only “just beginning to grapple" with the challenges highlighted in the report.
“One test report indicated that the test team was able to guess an administrator password in nine seconds,” the GAO claimed. “Multiple weapon systems used commercial or open source software, but did not change the default password when the software was installed, which allowed test teams to look up the password on the internet and gain administrator privileges for that software.”
To add insult to injury, when confronted with the findings, weapons program officials are said to have dismissed some test results as “unrealistic.”
The infamous WannaCry ransomware campaign of 2017 caused losses in the region of £92m for the NHS, the government has revealed.
In a progress update titled Securing cyber resilience in health and care, the Department of Health and Social Care caveated the figures by saying they are only broad estimates.
Broken down further, around £19m was lost directly as a result of access to info and systems being unavailable, leading to cancelled appointments and similar.
Over 19,000 appointments and operations are said to have been cancelled as a result of WannaCry.
“It is anticipated that 1% of care was disrupted over a one week period, based upon an estimate of the average level of care provided by the NHS in a one week period,” the report explained. “It is estimated that there was approximately £19m of lost output. However demand for NHS services fluctuates, therefore this should only be considered an approximate estimate.”
A much larger £72m was lost in the aftermath with additional IT support drafted in to help restore data and systems.
“Assuming each of the 80 severely affected trusts would have required the equivalent of five days FTE additional resource of an IT specialist, the cost of IT support at the time of the attack would have been £0.5m,” the report explained.
“After the attack we have estimated an average level of resource required by organizations based upon their size and the severity of disruption. There were a few anecdotal reports of costs by individual organizations, but not enough data to make a robust estimate. Therefore the figures quoted below should be considered an approximate estimate.”
WannaCry is said to have disrupted services across one-third of hospital trusts and around 8% of GP practices.
Mollie MacDougall, threat intelligence manager at Cofense, argued that ransomware could have life-threatening consequences for patients.
“If there is one lesson healthcare organizations can learn from these trends, it is to have appropriate anti-phishing programs in place that build on existing security capabilities, to include augmenting incident response efforts with real-time human-intelligence,” she added.
“Phishing keeps proving itself to be a successful vehicle for delivering damaging malware like ransomware, and as threat actors continue to find ways to bypass automated defenses, so too must network users be educated and armed to be a successful last line of defense against them.”
A major breach announced by Facebook last month affected 20 million fewer customers than at first predicted, but for 14 million unlucky users hackers managed to access virtually all their profile info.
The social network’s VP of product management, Guy Rosen, explained in an update on Friday that of the 50 million people whose access tokens were thought to be affected, 30 million actually had the tokens stolen.
“For 15 million people, attackers accessed two sets of information — name and contact details (phone number, email, or both, depending on what people had on their profiles),” he said.
“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For one million people, the attackers did not access any information.”
So far, there’s no sign that the attackers accessed third-party apps, Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, or advertising/developer accounts.
There was also more info on exactly how the attackers managed to carry out the attack.
According to Rosen, they “already controlled” a set of accounts, and had developed an automated technique to move from one to another, stealing access tokens for the friends of those accounts, and the friends of these friends etc.
By doing this, they obtained access tokens for around 400,000 users. Then “the attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people,” said Rosen.
Customized messages will be sent to those affected over the next few days with advice on how to protect themselves from follow-on scams. Facebook has also published a page where users can check whether they were affected.