Speaking at the Gartner Security and Risk Management Summit in London, Gartner director analyst Sam Olyaei said that the topic of “questions on security and risk that you must be prepared to answer at your board meetings” was one of the most popular subjects.
He said that the company was getting around 100 enquiries a year on this subject seven years ago, and that number is now over 700 a year. Pointing to Gartner research from 2016, which said that by 2020 “100% of large enterprises will be asked to report to their boards of directors on cybersecurity at least annually,” he said that we’re getting close to that number, as 2018 research showed that 91% of billion-dollar companies had briefed the board on their cybersecurity program at least once in the last year.
Olyaei said that this shows the “cultural disconnect between security and the business” and that the business has “expectations for security and risk that we cannot manage.” Olyaei added that it is not enough to say that we are creating an impact, but security practitioners have to show evidence, data and examples of what they are doing.
Olyaei argued that most security leaders feel that the board is monitoring risk, and feel that the board understands the risks and monitors them on a regular basis, “but we find most board members are not that confident in their security leaders to manage risks on their behalf.”
He said: “We feel that in a couple of years, your performance as security and risk leaders will be on demonstrating value at enterprise risk level.” This is because the board care about three things:
- Revenue/mission and operating income
- Future cost avoidance and immediate decrease in operating expenses
- Risk, including regulatory and compliance, especially brand and reputation
“Most board questions are based on the maturity of the organization,” he said, explaining that a new board will be unfamiliar with compliance requirements and will ask “trade-off questions” that security practitioners “would call stupid questions.” The questions are as follows:
The trade-off – Questions like “are we secure?” and “can we prevent this from happening?”
The risk – Questions like “what is an appropriate risk?” account for 80% of questions, Olyaei said. Boards also want to know what keeps security practitioners up at night.
The performance – Boards want to know about return on investment and see benchmarks, and want to know what other companies are doing, what they are spending and how many staff they have.
The threat landscape – “A lot of board members listen to webcasts and sit on other boards, and ask about an incident at company X, or an increase in ransomware attacks, and a lot of the time the board wants to ask legitimate questions as they are concerned about threats,” he said.
The incident – Olyaei said that security has moved to a phase of “if, rather than when,” and security practitioners should be prepared to talk and answer at board level about issues around security incidents. “When an incident happens, the first action of a board member is to panic,” he said. “Provide details on impact and keep at a point where you don’t dwell on the past.”
Olyaei concluded by saying that there will likely be more questions in the future, and encouraged delegates to know the make-up of the board and any security leaders involved. He said that the typical “wave” of questions is as follows:
- Why is security so expensive?
- Are we secure and compliant?
- Why can’t security move faster?
- Why can’t we have competitive advantage from security?
- Why can’t we be a digital company?
Organizations are failing to adequately support secure remote working practices, according to new research from digital services provider Capita.
Despite the undoubted productivity benefits stemming from more flexible working practices, only half (52%) of the 2000 UK knowledge workers Capita surveyed said BYOD was an option for them. Even fewer, just 14%, said they were encouraged to use their own device.
The vast majority of employees (92%) said they believe it’s the organization’s job to secure remote working, yet over two-fifths (42%) claimed current security policies make it difficult to do their job.
Capita IT & Networks’ head of workspace and collaboration, Ian Hart, told Infosecurity that there continues to be a conflict between user expectations and the reality of what employers provide for remote working.
“While the technology to meet these cultural working expectations is available and has been used to deliver flexible services to consumers for a number of years, a lot of organizations are still struggling to modernize their own internal IT services,” he argued.
“For many, partial adoption of cloud services while maintaining existing older IT platforms has created more problems for both end users and those managing the service.”
By failing to completely modernize their IT systems and give staff access to their preferred technologies, enterprises aren’t able to become user centric, Hart explained.
“Naturally, CIOs cannot allow unfettered access to corporate systems, but they also must ensure they are not acting as a blocker to employees’ productivity,” he added.
“By providing employees with a single robust user identity, organizations can protect all the services that sit behind it and remove the reliance on a specific trusted device or connection to access corporate services. In addition, by replacing traditional desktops and applications with a more user-centric and modern IT environment, organizations can have better control over the sensitive material they need to protect, while allowing employees to work more flexibly and safely from any location.”
Microsoft patched 79 unique CVEs in this month’s security update round, including two zero-days and three vulnerabilities in Windows which had been publicly disclosed.
Microsoft also fixed a quartet of critical bugs in its Remote Desktop Client: CVE-2019-0787, CVE-2019-0788, CVE-2019-1290, and CVE-2019-1291. According to Qualys senior director Jimmy Graham, “to exploit these vulnerabilities an attacker would need to get a user to connect to a malicious or compromised RDP server.”
Recorded Future intelligence analyst Allan Liska flagged CVE-2019-1257 for immediate attention. This remote code execution vulnerability affects SharePoint Server 2019, SharePoint Enterprise Server 2016 and SharePoint Foundation 2010 and 2013.
He warned that attackers are often quick to exploit SharePoint bugs.
“SharePoint is a common target for attackers not only because of the sensitivity of the information often contained on SharePoint servers, but because they tend to provide full access to victim networks,” Liska added. “The vulnerability stems from the fact that certain versions of SharePoint do not properly check the source markup of an application package. An attacker can create a specially crafted application package and upload it to the SharePoint server and use the package to execute arbitrary code.”
It was a pretty light patch load for Adobe this month: the firm fixed just two critical vulnerabilities in its Flash Player, which should nevertheless be prioritized on workstations, experts warned.
Ivanti’s director of security solutions, Chris Goettl, explained that Microsoft released servicing stack updates for all operating systems yesterday, as part of ongoing adjustments to the software update process.
Although servicing stack updates are rated critical, they don’t actually resolve any immediate software flaws, he said.
“They are also not part of the cumulative update chain. Servicing stack updates are a separate update that needs to be installed outside of the normal cumulative or security-only bundle,” Goettl continued.
“This is a critical update to Microsoft’s update system within the OS. This means some changes are coming down the line and there will be a point where you cannot apply the Windows updates on the system if the servicing stack update is not applied.”
He urged system admins to start testing these as soon as possible and have them in place before November.
An international law enforcement operation has led to the arrest of 281 individuals on charges linked to Business Email Compromise (BEC) and the seizure of nearly $3.7m.
The “Operation reWired” initiative was coordinated by the US Department of Justice (DoJ), Department of Homeland Security, US Treasury, the Postal Inspection Service and the Department of State along with law enforcers in nine other countries.
The vast majority of arrests came in Nigeria (167), although 74 individuals were placed behind bars in the US, 18 in Turkey and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia and the UK.
Prosecutors claimed to have made arrests in connection with both corporate BEC scams and attempts to part individuals with their cash, especially the elderly.
Operation reWired began in May this year with arrests, money mule warning letters and asset seizures and repatriations.
Among the cases listed by the DoJ was that of Kenneth Ninalowo, 40, of Chicago, Illinois, who is alleged to have laundered over $1.5m of proceeds from BEC scams whose victims included a community college and an energy company, which were tricked into sending $5m to fraudulent bank accounts.
Also arrested were Nigerian nationals, Emmanuel Igomu, 35, of Atlanta, Georgia, and Jude Balogun, 29, of San Francisco, who are alleged to have received funds connected to a $3.5m BEC scam that defrauded a Georgia-based health care provider.
In addition, Cyril Ashu, 34, of Austell, Georgia; Ifeanyi Eke, 32, of Sandy Springs, Georgia; Joshua Ikejimba, 24, of Houston, Texas and Chinedu Ironuah, 32, of Houston, Texas were charged in connection with a $10m BEC operation that impacted hundreds of victims in the US.
It’s unclear whether any of the arrests made impacted the notorious London Blue gang, whose prodigious exploits have been tracked and revealed by security firm Agari over the past year.
The era of having staff at McDonald's restaurants ask if you want fries with that is set to end, as the burger giant invests in AI voice-assistant technology.
McDonald's has entered into an agreement to buy voice-based tech start-up Apprente as part of a plan to improve customer service. The Silicon Valley AI company was founded in 2017 specifically to develop a voice-based AI system for fast-food ordering in a gamble that can now be said to have definitely paid off.
In contrast to speech-to-text systems, Apprente describes its technology as "sound-to-meaning," because instead of transcribing what a customer says and then determining meaning from the transcript, Apprente's tech goes directly from speech signals to result.
The burger corporation is hoping that the new technology will make the ordering process simpler and more accurate and allow customers to get their mitts on the restaurant's famous fast food even faster. It will certainly eliminate any slowdowns that stem from misunderstood accents.
The purchase is being made with the primary intention of introducing voice-assistant technology at McDonald's drive-thrus, but use of the voice-based tech may be extended.
In a statement released today, a McDonald's spokesperson said: "We believe that the broader voice-based technology also has the potential to reach customers when, where, and how they want through incorporation into mobile ordering or kiosks."
Apprente's staff, which includes employees trained in machine learning and computational linguistics, will form a new internal team called McD Tech Labs, which will be integrated into the McDonald's Corporation. The team will work at McDonald's newly renovated Innovation Center near Chicago.
McDonald's statement continued: "This latest investment in advanced technology capabilities and talent builds on several key initiatives the company has introduced over the last three years to improve both the restaurant employee and customer experience, from the acquisition of Dynamic Yield, to the expansion of McDelivery, as well as the development of McDonald’s Global Mobile App, Mobile Order and Pay, indoor and outdoor digital menu boards, and self-order kiosks.
"With this move, we’re investing in the talent and technology that will ultimately make our customer and restaurant employee experience better."
An investigation by Trend Micro into the dark dealings of the cyber underground has found a rapid increase in the monetization of IoT attacks.
In a report released today, the global security software company revealed that forums across Russian, Portuguese, English, Arabic, and Spanish language-based markets are all brimming with chatter of how to compromise devices and then exploit them for profit. Routers and IP cameras were the most prominently discussed devices.
Financially driven attacks were found to be most prominent in the Russian and Portuguese markets, which are also the most criminally sophisticated. In these forums, cybercriminal activity is focused on selling access to compromised devices—mainly routers, webcams, and printers—so they can be leveraged for attacks.
The greatest threat is posed to consumer IoT devices, but businesses are also at risk as hackers are increasingly wising up to the possibility of compromising connected industrial machinery to launch digital extortion attacks.
In light of their findings, researchers at Trend Micro have made four sagacious predictions that reach varying levels of doom. The first is that the move from 4G to 5G will work very much in the hackers' favor, opening up more avenues for exploitation than they've ever had before.
The second is that attacks on VR devices and cryptocurrency mining kits are going to take off big time, with more advanced threats like low-level rootkits and firmware infections on the horizon as well.
A third prophetic warning is that digital extortion attacks are going to rise as programmable logic controllers (PLCs) and HMIs are increasingly found online. Manufacturers should be cognizant that their machinery is at risk of being hijacked and their production lines halted by hackers chasing big-dollar ransoms.
Finally, the company's team of security experts reckon that attacks on routers are going to evolve entirely as ISPs become better acquainted with tactics that take advantage of DNS settings.
“We’ve lifted the lid on the IoT threat landscape to find that cybercriminals are well on their way to creating a thriving marketplace for certain IoT-based attacks and services,” said Steve Quane, executive vice president of network defense and hybrid cloud security for Trend Micro.
“Criminals follow the money—always," said Quane. "Enterprises must be ready to protect their Industry 4.0 environments.”
A $1.5 million cybersecurity training and operations center is to open in Louisiana's capital city, Baton Rouge.
The center's long-term objective is to respond to cyber-attacks inflicted on government institutions, schools, and private companies in the Pelican State. However, its immediate purpose will be to support cyber-related missions at major military installations in Louisiana, including Barksdale Air Force Base’s Global Strike Command.
The Louisiana Cyber Coordination Center will be housed in the Water Campus in the city's downtown area. Confirmed tenants so far are the Louisiana National Guard (LANG), Louisiana State University's nonprofit affiliate research company Stephenson Technologies Corp. (STC), and defense contractor Radiance Technologies.
LANG will lease 11,000 square feet of space in the new center, which 40 members will use periodically for training and as a base for cybersecurity operations.
STC and Radiance will sublease 3,000 square feet each from LANG. Each company is expected to hire at least ten new staff members from the local Louisiana talent pool of cybersecurity professionals.
“When I created the Louisiana Cybersecurity Commission in 2017, we established a goal of making Louisiana a leader in this fast-growing field," said Louisiana governor John Bel Edwards. "Our top mission is ensuring the safety of sensitive information for Louisiana’s families, our military, our schools, our health-care facilities, and our private-sector employers. We want everyone’s data and privacy to be safe and secure. So, it’s incumbent upon us to invest in cybersecurity measures that protect our citizens from damaging attacks. Establishing this facility will provide one of the greatest tools for that safety, and it will continue our mission of becoming a global cybersecurity leader.”
“This cyber center is exactly what the Louisiana National Guard and the State of Louisiana needed to facilitate the fulfillment of its cybersecurity mission," said Maj. Gen. Glenn Curtis of the Louisiana National Guard. “Over time, for those who are authorized to use this facility, this cyber center will act as the central civilian interface for coordinating cybersecurity information sharing, performing cybersecurity threat analysis, and promoting shared and real-time situational awareness between and among the public and private sectors.”
To secure the project, the State of Louisiana has agreed to provide $1.5 million through Louisiana Economic Development to build out the existing 11,000 square feet to meet strict government standards and a further $500,000 to support lease payments for up to five years. Other project partners, including the Water Campus, are investing $250,000 for facility operations.
Speaking at the Gartner Security & Risk Management Summit 2019 in London, Tina Nunno, distinguished VP analyst at Gartner, explored the difficulties security and risk managers can face in dealing with ‘political’ discussions in the workplace, and outlined strategies for navigating difficult conversations across a business.
Within an organization, politics and difficult conversations are “where the rubber hits the road,” Nunno said. “It’s in the face-to-face interactions where we are having some type of a conflict or we need to communicate something that’s quite difficult, and we need to survive it.”
Nunno explained that the desired outcome of any political or difficult conversation is to resolve issues constructively, establish a positive outcome for all involved and optimize the long-term relationship between the players.
To do that, Nunno outlined three paths that can be taken to navigate challenging workplace conversations, all of which build upon one another. These are de-escalation, synchronization and neutralization.
De-escalation requires you to strive to control the pace and tone of the discussion. “Creating calm and appeasement are two different things; with the first both win, and with the second both lose.”
She advised a four-step approach for mastering de-escalation in a difficult discussion, which includes Avoid, Ask, Engage and Calm.
- Avoid: to prevent escalation, do not use language triggers such as “you’re wrong,” judgement terms or the past tense, and use “we” instead of “I” in conversations
- Ask: uncover agendas, both hidden and stated. “Questions are a really powerful tool” and most people are loath to not answer a direct question
- Engage: decide where the discussion will take place
- Calm: manage yourself and the other person’s state of mind so you are open to one another’s point of view
The next path that can then be taken to navigate challenging conversations is synchronization, Nunno said, again using four steps: Empathize, Agree, Redirect and Align. “In synchronization, we are attempting to agree and come to a positive place.”
- Empathize: acknowledging the feelings of the other person will accelerate the shift to thinking
- Agree: find common ground
- Redirect: put the other person in a more constructive direction
- Align: success is when both parties feel good about cooperating
The third and final step that Nunno outlined is neutralization. “This is when you can use something other than reason – power – to stop the situation and move to a better place,” she said. Once more, Nunno put forward four steps to adhere to: Message, Obstruct, Agitate and Restore.
- Message: decide which message you want to send and to whom
- Obstruct: this requires power and a willingness to use it
- Agitate: determine the criticality of the message and the number of people that need to hear it
- Restore: “restoration is not simply explaining why you were right and they were wrong, restoration is accountability, dignity and moving forward together”
To conclude, Nunno shared three key pieces of advice for being an effective verbal diplomat that can resolve conflicts through conversations:
- Select and practice a short set of discussion techniques and have them ready to deploy
- Combine discussion techniques in a formulaic way that makes sense to you
- Manage political discussions to optimize both your relationships and outcomes
At the Gartner Security & Risk Management Summit 2019 in London, Andy Powell, CISO at Maersk, outlined the key lessons learned from the NotPetya malware attack the company, along with many others, suffered in 2017.
“Maersk was not alone [in being hit by NotPetya] and anybody that thinks that Maersk was the single biggest example, is wrong. There were a lot of companies bigger than Maersk suffering even worse, but they were not as transparent as Maersk,” Powell said.
Therefore, the first key lesson learned from NotPetya is that “transparency is everything,” Powell explained. “Our clients at Maersk loved us for the fact that we told them, from day one, what was going on, and we included them throughout in what we were doing.”
Another lesson learned was that “the world has changed,” Powell continued. “From a company perspective, NotPetya told us that, unless you are a government organization or a very, very highly invested-in bank, you are not going to stop a state-sponsored weapon [such as NotPetya] if it is targeted at you. We were the collateral victim of a state-sponsored attack and look what it did, so if you are trying to build a company to stop 100% of state-sponsored weapons, forget it. If you adopt a strategy around that, you will fail.”
What organizations must do is adopt a two-part strategy. “First and foremost, you need a balance of proactive and reactive [capabilities]. You need to retain the ability to manage an incident because you will assume that it will occur.” In an era when a lot of state-sponsored weapons are going to be used in cyber-attacks, you need to implement a balance of reactive and proactive capabilities.
Powell said that organizations also need to learn and understand “the way in which our businesses are changing. The attack surface is massively changing. The old fortified front door, ‘let’s stop them there’ approach, must go. We are all digitizing and creating one-to-one relationships with our customers, which we need to protect.”
There’s also the fact that companies like Maersk rely heavily on operational technology (OT) which, if disrupted, can cost organizations millions of dollars, Powell added. So it’s about “how we protect OT – not just conventional enterprise IT – as a network that can be compromised.”
Finally, lessons must be learned about crisis management, he said. “There is no such thing as a divide between technology and business in any company anymore, particularly when it comes to cyber. You have got to operate as one.”
Speaking in the opening keynote session of day two at the Gartner Security & Risk Management Summit 2019 in London, Adam Banks, chief technology and information officer at Maersk, reflected on the company’s response and recovery following the NotPetya attack in 2017.
Banks said that when Maersk was hit by NotPetya, the company was “not unusually weak,” and this is really important, because too often organizations feel immune to cyber-attacks because they do not consider themselves to have obvious security flaws.
However, Maersk was (and is) a company that is extremely data-centric. “Whilst we have a global flow of cargo, we equally have a global flow of information,” but because of the import/export work Maersk does, it cannot “lock up” data or create a centralized data pool and “put every form of defense around it.” The value of the data is in its distribution.
When NotPetya first hit, Maersk was unable to determine exactly what was occurring, Banks explained. It took several hours to establish the cause of the attack and its widespread impact. IT services, end-user devices and applications/servers were dramatically affected. As many as 49,000 laptops were destroyed and 1200 applications were inaccessible.
“I didn’t go home for 70 days,” Banks said, as he worked tirelessly with the rest of the business to respond and recover.
“The first thing we did was to make some fairly big decisions about how to manage this. Maersk is an asset-centric business with an asset-centric crisis management approach,” but that was not going to be effective in dealing with the global fallout of NotPetya, Banks explained. “I abandoned corporate crisis management and implemented a financial services crisis management model, because financial services normally only ever have global crises.”
In the first one to three days of the outbreak of NotPetya, Maersk:
- Worked with Deloitte in cyber-forensics
- Decided to be as open as possible about the incident, both internally and externally
- Designed a new Windows build
- Strengthened as far as possible
- Retrieved an undamaged copy of the Active Directory
In the first four to nine days of the outbreak of NotPetya, Maersk:
- Built 2000 laptops
- Rebuilt the Active Directory
- Spoke to the individual responsible for creating the NotPetya malware
From nine days onwards following the outbreak of NotPetya, Maersk:
- Continued to work through the ever-growing list of affected applications: in two weeks all global applications were restored and in four weeks all laptops were rebuilt
Over 99% of cyber-threats require human interaction to work, highlighting the importance of user awareness programs and layered defenses, according to Proofpoint.
The security vendor’s 2019 Human Factor report is based on an 18-month analysis of data the firm collected across its global customer base.
It adds some concrete findings to the general trend observed by many in the industry over the past few years that attackers are increasingly targeting the “weak link” in the cybersecurity chain: corporate employees.
Specific staff members, dubbed "Very Attacked People" (VAPs), are targeted most often — perhaps because they have access to corporate funds or sensitive data, or even because they are easily discoverable by outsiders.
Some 36% of VAPs identified in the report could be found online via corporate websites, social media, publications, and other methods.
To stand the best chance of success, attackers targeting humans typically mimic legitimate email patterns: fewer than 5% are sent at weekends and the biggest number (30%+) come on Mondays.
Education, finance, and advertising/marketing were the most targeted industries, with education having one of the highest average numbers of VAPs of any vertical, Proofpoint claimed.
In 2018, the sector accounted for the largest number of imposter attacks, along with the engineering and automotive verticals.
Microsoft products and services accounted for nearly one in four phishing attacks in 2018, with messages focused on harvesting user credentials for lateral movement, future attacks and internal phishing.
“Cyber-criminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure,” said Kevin Epstein, vice president of threat operations for Proofpoint.
“To significantly reduce risk, organizations need a holistic people-centric cybersecurity approach that includes effective security awareness training and layered defenses that provide visibility into their most attacked users.”
Phishing training, automated security scanning and micro-segmentation have been replaced by container security, incident response and business email compromise technology in the top ten security projects for the year.
According to Gartner distinguished VP analyst Neil MacDonald, these projects can help users “reduce risk and improve posture” but too often, “the fear of imperfection holds us back.” Speaking at the Gartner Security and Risk Management Summit in London, he said that of the top ten projects from 2018, five remain the same while five change. The remaining five were:
Privileged Access Management – MacDonald recommended tying this into “trouble ticket systems,” adding multi-factor authentication for all admins, and putting privileged access management in place wherever there is administrator access.
CARTA-Inspired Vulnerability Management – MacDonald said that there is an admission that you will never be completely patched, so users need to patch the critical vulnerabilities that are of most risk. “I believe patching is broken and should be a priority project for this year,” he said.
Detection and Response – MacDonald recommended the use of endpoint detection and response (EDR) technologies to provide a fuller detection capability, and advised investing in EDR and incident response processes. Alternatively, he said to consider using premium support and outsourcing.
Cloud Security Posture Management (CSPM) – MacDonald said that “business units are making mistakes in configuration of AWS and Azure.” For a single cloud provider, he recommended looking for native capabilities or cloud access security broker (CASB) technology. For multi-cloud use, prioritize remediation, sign 1-2 year contracts and reassess often.
CASB – The final project of the top five is CASB, which MacDonald said is “becoming a mainstream technology.” He recommended starting with cloud application discovery, favoring a multi-mode CASB (using proxy and APIs).
For the new five projects, these were:
Business Email Compromise – MacDonald said that this has been switched from anti-phishing “as it is not enough” and that BEC is not an anti-malware problem, but a “poorly-designed access problem.” He advised combining technical controls as a solution.
Dark Data Discovery – He said that this is technology to crawl data sources, understand what is sensitive and not and what should be archived. He advised implementing a “defensible deletion” or other data management strategy.
Security Incident Response – MacDonald said that services are needed to create an incident response plan, and be able to “engage it before it happens.” He advised looking for an incident response provider who understands your operations and processes.
Container Security – MacDonald said that this will happen with or without security because of developers, “and it is our job to secure them, and the good news is there are vendors doing this.” He advised integrating or automating this technology natively into your development process, and scanning for known vulnerabilities.
Security Ratings Services – The final new project involves creating a web of interconnectivity in which a vendor gives a score of security posture. He said that this will allow visibility of the supply chain, and he advised making security ratings services part of a comprehensive program.
In conclusion, he recommended picking at least two projects: an intelligent, CARTA-inspired approach to vulnerability management, and MFA for admins.
The five that were removed were:
- Active Anti-Phishing Project
- Application Control on Server Workloads
- Automated Security Scanning
- Micro-Segmentation and Flow Visibility
- Software-Defined Perimeter
Asked why only five of the ten were changed, MacDonald acknowledged that delegates have “resource, staff and budget constraints and you cannot do all ten, so look at the list and see which affect you.”
Mozilla has announced plans to start rolling out DNS-over-HTTPS (DoH) by default to US users from the end of September, in a bid to improve cybersecurity across the web.
The Firefox browser-maker’s senior director of engineering, Selena Deckelmann, explained in a blog post that only a small percentage of users would see the new feature at first, while the changes are monitored.
DoH should in theory make the web safer and improve user privacy by encrypting DNS query traffic so that third parties cannot eavesdrop on a user’s connection and/or redirect them to phishing/malware sites via man-in-the-middle attacks.
However, because the connection becomes encrypted, concerns have been raised that it prevents ISPs from applying content filters requested by parents to protect their children’s browsing. Similarly, enterprise admins may find it interferes with their own network configurations.
To take account of this, Deckelmann said Mozilla plans to disable DoH if it detects opt-in parental controls, and to respect enterprise configuration unless DoH is explicitly enabled.
“Firefox already detects that parental controls are enabled in the operating system, and if they are in effect, Firefox will disable DoH,” she explained. “Similarly, Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. If an enterprise policy explicitly enables DoH, which we think would be awesome, we will also respect that.”
Kevin Bocek, VP of security strategy & threat intelligence at Venafi, broadly welcomed the move as improving online security, adding that many privacy-conscious users already employ widely available DNS encryption services.
However, he argued that criticism of DoH for weakening ISPs’ ability to filter harmful material misses a potentially more concerning issue.
“Proposals to encrypt DNS as standard would mean all traffic on browsers that use it will bypass locally held DNS nameservers, and go straight to a central server under the control of Mozilla, Google or one of its peers,” Bocek explained.
“In effect, this gives these companies control over our search information and internet activity, which in turn gives them a greater level of control over the internet itself. So while these changes are a boost for online privacy advocates, the prospect of a small number of for-profit firms having such influence is worrying.”
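What the DoH client described above actually sends inside its HTTPS session, as an added example that is not Mozilla's or Firefox's code: an ordinary RFC 1035 DNS message, carried per RFC 8484 as a base64url `dns=` parameter (the same bytes that a classic resolver sees in the clear on UDP port 53). It runs offline; the resolver URL and the reply bytes are constructed placeholders, not captured traffic.

```python
# Added example (not Mozilla's or Firefox's code): what the DoH client described
# above sends inside its HTTPS session, per RFC 8484. Runs offline; RESOLVER_URL
# and the reply bytes are constructed placeholders, not captured traffic.
import base64
import struct

RESOLVER_URL = "https://doh.example.net/dns-query"  # placeholder resolver

def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """RFC 1035 query: header (ID 0 as RFC 8484 suggests, RD set) + question."""
    return (struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def doh_get_url(name: str, qtype: int = 1) -> str:
    """GET form: base64url query with '=' padding removed in the 'dns' parameter.
    The POST form sends the same bytes as an application/dns-message body."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{RESOLVER_URL}?dns={b64.decode()}"

def read_name(msg: bytes, off: int) -> tuple:
    """Decode a name, following compression pointers; return (name, next_off)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg: bytes) -> list:
    """IPv4 addresses in the answer section of a response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, addrs = 12, []
    for _ in range(qd):                           # skip the echoed question
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def constructed_reply(name: str, ip: str) -> bytes:
    """Constructed resolver reply whose answer name points back at the question."""
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1) + rr)
```

Because the encoded query travels only inside TLS to the resolver, an on-path observer sees an HTTPS connection to that host and nothing about which names were looked up; that is both the privacy gain and the reason ISP-side filtering no longer sees the query.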
A leading Japanese car parts manufacturer has become the latest corporate victim of Business Email Compromise (BEC), after revealing losses of four billion yen ($37.3m).
Toyota Boshoku Corporation, a subsidiary of the Toyota Group, sells seats, textile components, interior lights and other parts.
However, on August 14 its European subsidiary was duped into making a large fund transfer outside of the company, it revealed in a news release.
“Recognizing the high possibility of criminal activity, we promptly established a team comprising legal professionals, then reported the loss to local investigating authorities,” it explained. “While cooperating in all aspects of the investigation, we are devoting our utmost efforts to procedures for securing/recovering the leaked funds.”
Few other details have been released at present while the investigation is ongoing, but the company said it may need to amend its March 2020 earnings forecast if it has not been able to recover any of the funds.
Javvad Malik, security awareness advocate at KnowBe4, argued that BEC is fundamentally predicated on socially engineering the victim into making the money transfer.
“The first step should be raising awareness amongst staff of these attacks, particularly those who work in finance or have the ability to set up new payments or amend existing ones,” he added.
“Secondly, and perhaps more importantly, procedures need to be in place which prevent one user from being able to authorize or create a new payment. Rather, segregation of duties should be put in place whereby more than one user approval is needed to initiate payment, as well as having established and trusted mechanisms through which any requests can be queried.”
According to FBI figures, BEC scammers made around $1.3bn in 2018, around half of the total reported losses ascribed to cybercrime during the year.
A separate report from the US Treasury earlier this year claimed attacks on US victims alone made cyber-criminals $300m each month in 2018.
Biometric boarding is being offered to passengers flying in and out of New York's John F. Kennedy Airport on Lufthansa.
Germany's largest airline collaborated with U.S. Customs and Border Protection (CBP) and partners at the international airport in Queens, New York, to introduce the new facial recognition technology at JFK's Terminal 1.
One-step biometric boarding, which aims to be faster and more efficient than other methods, works by matching live images captured at the airport with data supplied by the CBP.
As passengers approach self-boarding gates, their images are captured by sophisticated facial recognition cameras. These images are then securely sent to a CBP database to be matched in real-time to existing images of the passengers from previously submitted passport photos, visas, or other travel documents.
Verification of a match is virtually instantaneous, allowing passengers to board in a matter of seconds without having to show a paper or electronic boarding pass at the gate. The success rate of the matching technology is over 99 percent.
Lufthansa first launched one-step biometric boarding at Los Angeles' LAX airport in March 2018, where the company created a stir by managing to board 350 passengers onto an A380 in roughly 20 minutes. Later in the year, the airline extended biometric boarding to MCO in Orlando, and the system was rolled out to Miami International Airport in February 2019.
They aren't done yet. Bjoern Becker, senior director, product management ground and digital services for Lufthansa, said: "We anticipate for this technology to continue growing and to introduce it to more gateways throughout the United States.”
Last fall the International Air Transport Association forecast that the number of air passengers will reach 8.2 billion globally in 2037. Should this prediction ring true, it’s likely that speedy biometric boarding will eventually become compulsory around the world. However, right now Lufthansa passengers still have a choice over how they board.
A statement released by Lufthansa said: "Those who are wary of the scanners will still have the option to board traditionally with an agent. Lufthansa ensures passenger privacy by only transmitting travelers’ photos and avoids storing them in any Lufthansa database."
Researchers at ESET have found an undocumented backdoor linked to malware used by the Stealth Falcon Group to attack individuals in the Middle East.
The infamous threat group has been launching spyware attacks against journalists, political activists, and dissidents since 2012. Individuals targeted by the group are sent an email containing a weaponized document, which delivers a PowerShell-based backdoor.
By probing into the activities of Stealth Falcon, ESET researchers discovered a previously unreported executable backdoor they have named Win32/StealthFalcon. The backdoor appears to have been created in 2015 and can be used to carry out data collection and exfiltration and to employ further malicious tools.
Compared to traditional communication, Win32/StealthFalcon talks with its command and control (C&C) server in an unusual but smart way. Instead of communicating via API functions, this particular backdoor uses the standard Windows component Background Intelligent Transfer Service (BITS).
Choosing BITS was a savvy move by the threat group for two reasons. First, the BITS mechanism is exposed through a Component Object Model (COM) interface, which makes it harder for a security product to detect.
Second, BITS was designed to transfer large amounts of data without consuming a lot of network bandwidth. It's commonly used by updaters, messengers, and other applications designed to operate in the background, meaning that it's likely to be permitted by most firewalls. That's a pretty useful design feature when you're going for stealth.
Another feature of Win32/StealthFalcon is that it is extremely reliable. The transfer resumes automatically after being interrupted by a network outage, the user logging out, or a system reboot.
The ESET investigation also uncovered a small number of attacks carried out with this malware in the United Arab Emirates, Saudi Arabia, and Thailand. An attack was also perpetrated in the Netherlands, where the target was a diplomatic mission of a Middle Eastern country.
Researchers found similarities between the newly discovered executable backdoor and the PowerShell script with backdoor capabilities previously attributed to the Stealth Falcon group. The evidence suggests that both backdoors are the work of the same group.
Stealth Falcon has been linked by Amnesty International’s senior technologist Claudio Guarnieri to another threat group, Project Raven, which allegedly employs former NSA operatives to attack similar targets in the Middle East.
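Because the BITS channel described above is normally permitted by firewalls and its jobs survive reboots in the local queue, the practical place to look is the queue itself. The following is an added example, not ESET's code: it triages constructed BITS job records shaped like what an inventory of the queue (for instance the BitsTransfer PowerShell module's `Get-BitsTransfer -AllUsers`) reports, flagging jobs that do not look like updater traffic. The allow-list, domains and paths are placeholders to be replaced with an organisation's own.

```python
# Added example (not ESET's code): hunting for BITS jobs that look unlike
# updater traffic, since the firewall-permitted BITS channel described above
# cannot be judged at the network edge alone. The job records are constructed
# samples shaped like an inventory of the BITS queue; replace TRUSTED_DOMAINS
# with your own list of known updaters.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Example allow-list of domains BITS is expected to reach (sub-domains match).
TRUSTED_DOMAINS = ("windowsupdate.com", "update.microsoft.com", "updates.corp.example")
USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

@dataclass
class BitsJob:
    job_id: str
    display_name: str
    transfer_type: str      # "Download" or "Upload"
    owner_account: str
    remote_names: list = field(default_factory=list)   # URLs the job talks to
    local_names: list = field(default_factory=list)    # files it reads/writes

def host_trusted(url: str) -> bool:
    """True when the URL's host is an allow-listed domain or one of its sub-domains."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def assess(job: BitsJob) -> list:
    """Reasons a job deserves analyst attention; an empty list means it looks benign."""
    reasons = []
    untrusted = [u for u in job.remote_names if not host_trusted(u)]
    if untrusted:
        reasons.append("remote host not in updater allow-list: " + ", ".join(untrusted))
    if job.transfer_type.lower() == "upload":
        reasons.append("upload job (data leaves the host over BITS)")
    if any(u.lower().startswith("http://") for u in job.remote_names):
        reasons.append("cleartext HTTP transfer")
    if any(any(d in p.lower() for d in USER_WRITABLE_DIRS) for p in job.local_names):
        reasons.append("local file under a user-writable directory")
    if not job.display_name.strip():
        reasons.append("empty job name")
    return reasons

def triage(jobs: list) -> dict:
    """Map job id -> reasons for every flagged job, most reasons first."""
    hits = {j.job_id: assess(j) for j in jobs}
    return dict(sorted(((k, v) for k, v in hits.items() if v), key=lambda kv: -len(kv[1])))

# Constructed sample queue: one ordinary update job and two jobs worth a look.
SAMPLE_JOBS = [
    BitsJob("{job-1}", "Windows Update", "Download", "NT AUTHORITY\\SYSTEM",
            ["https://download.windowsupdate.com/constructed/patch.cab"],
            ["C:\\Windows\\SoftwareDistribution\\Download\\patch.cab"]),
    BitsJob("{job-2}", "", "Download", "CORP\\alice",
            ["https://cdn.example.invalid/constructed/update.dat"],
            ["C:\\Users\\alice\\AppData\\Local\\Temp\\update.dat"]),
    BitsJob("{job-3}", "sync", "Upload", "CORP\\alice",
            ["http://cdn.example.invalid/constructed/upload"],
            ["C:\\ProgramData\\sync\\archive.bin"]),
]

if __name__ == "__main__":
    for job_id, reasons in triage(SAMPLE_JOBS).items():
        print(job_id, "->", "; ".join(reasons))
```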
The majority of organizations do not have a workforce strategy in place, and are not forward-thinking in their recruitment and retaining strategies.
Speaking at the Gartner Security and Risk Management Summit in London, Gartner director analyst Sam Olyaei said that the majority of companies are “stuck” when it comes to hiring, and have no time to look into the future of emerging technologies.
Citing sources that claim a shortage of between three and six million skilled people and security staff, Olyaei said that many organizations are “playing catch up,” as most have no strategy or career paths lined up for people. A lack of mentorship programs was also off-putting to a number of people, with Women in Cybersecurity research finding that 78% of young women rule out a career in cybersecurity because of this.
“Most organizations look for a perfect candidate and that almost never exists,” he said, adding that there should be more opportunities for “digitally business oriented folks.”
Of those who are succeeding, Olyaei said that the insurance, banking and consumer product verticals were most successful in hiring, as well as those companies that have roles established, offer travel and conference opportunities, and training and education for certifications.
“The roles that are in demand don’t really change,” he pointed out, but he often sees roles that were unfilled six to 12 months ago and focus on traditional information security rather than future roles. He cited the examples of:
- Digital risk officer
- Data security scientist
- Security champion
- Digital ecosystem manager
- Chief of staff
Looking at job descriptions, Olyaei argued that while there is demand for certifications and these are “important for career progression,” if you change the wording on a job description you can capture a wide variety of people.
“It is easier to teach technical things” than more business-related issues, he said, saying that he is seeing more of a shift to descriptions talking about skills to create a strategy, and to be able to present to business leaders.
He explained that this requires a shift in the mindset of hiring, as business moves “at a faster speed; it's more agile, and about ecosystem too” and new people will want to come in and break down silos. “Don’t hire on requirements for experience, and place less emphasis on the ability of a person using Nessus on Lexus (for example), and you can attract digital folks who have competencies,” he said.
He concluded by highlighting the digital skills to look for as:
- Business acumen
- Digital dexterity
- Outcome driven
“Develop one strategy for security and align it to the organization,” Olyaei said, adding that the “more you invest in training, the longer the staff stay.”
Cyber-thieves targeting a pension fund for law enforcement officers employed by the state of Oklahoma have made off with $4.2 million.
The money was stolen from a fund of more than $1 billion set aside to pay pensions and benefits to around 1,500 retired highway troopers, park rangers, state agents, and other law enforcement officers.
The theft occurred on August 26, 2019, when the perpetrators managed to hack into the email account of an investment manager working on behalf of the Oklahoma Law Enforcement Retirement System (OLERS) agency. A separate pension fund managed by the Oklahoma Police Pension and Retirement System (OPPRS) was not affected.
In a statement posted to their website ten days after the theft occurred, OLERS declared that "no pension benefits to members or beneficiaries have been impacted or put at risk," and that "all benefits will continue to be paid in a timely fashion as always."
An investigation into the crime has been launched by the FBI, and attempts are being made to recover the stolen money. OLERS is extremely confident regarding the outcome of such efforts, stating on their website, "We are certain the stolen funds will be recovered."
OLERS executive director Duane Michael told The Oklahoman newspaper on Thursday that $477,000 has been retrieved so far.
Retired state trooper and president of OLERS Roy Rogers added that the agency’s insurance will cover the loss if the funds cannot be recovered in full.
In a bid to prevent the re-occurrence of such a crime, employees at the agency are receiving cybersecurity training.
The individual whose email account was compromised by hackers will remain in their position, with the agency taking the view that such incidents are now an unfortunate part of daily life.
Rogers said of cybercrime, "It happens every day. It can happen to an individual. It can happen to a state. It can happen to a company . . . this kind of crime has just got rampant."
A similar crime took place in 2016, when hackers stole $100,000 from a Pennsylvania borough's police pension fund. And in Iowa in 2017, hackers stole the identities of more than 100 retired public employees to illegally claim their pension payments.
Trends and 'mega trends' for 2019 and the future include cloud delivery, business strategy and communication and the continued battle with passwords as a form of authentication.
Speaking at the Gartner Security and Risk Management Summit in London, Peter Firstbrook, VP analyst at Gartner, said that the “controls of security are shifting, and the focus needs to shift to new forms of controls.”
Firstbrook said the mega trends of the next 10 years will be:
- The skills gap is real and growing, as the reality is, it is hard to find qualified security professionals
- Regulations and privacy concerns are not going away
- Cloud application scale and complexity will continue to grow, as organizations move to the cloud and complexity increases with more use of containers, APIs and virtualization
- Attackers are showing no signs of letting up, and their “creativity” continues to increase
Firstbrook said that all of these mega trends are external, “and beyond your control,” and all have to be accommodated. The internal mega trends, he said, include realizing that “perfect is not possible” and adapting to that concept when planning to detect and respond; accepting that cloud delivery is here for security services; and recognizing that communication is key, especially speaking the language of the business and helping it understand the choices for resolving risks.
For the overall 2019 trends, Firstbrook identified seven major trends:
Fusion of products and services: He said that some MSSPs are now “OEM’ing” other security products, and he encouraged anyone using managed services to determine how easy those products are to use.
Cloud center of excellence: He recommended establishing a chief cloud architect to take responsibility of cloud, and invest in new tools like Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP) and Cloud Access Security Broker (CASB) “and this is key going forward, and you need to invest in them now.”
Data security governance framework: To better manage data controls, Firstbrook said that organizations invested in tools like data loss prevention and tokenization, but did not get the best value from them and didn’t start with the business environment in mind.
Dawn of passwordless authentication: Firstbrook said that organizations are now getting rid of passwords, and the Microsoft CTO has recently pledged to get rid of them. With 35% of smartphones now having some sort of biometric authentication on them, and options like tokens from Duo and Yubico, there is an alternative.
SOCs and Correlated alerts: Firstbrook said that businesses are not getting value from SOCs, and he could see EDR “become the SIEM of record.” He also said that he sees companies like Microsoft, Cisco, Fortinet and Palo Alto Networks all invest in incident response tools for their own products. “In the new SOC, think of new ways to implement,” he said.
CARTA (Continuous Adaptive Risk and Trust Assessment) Proliferates: Launched a couple of years ago by Gartner, Firstbrook said that this is accepting that you do not have perfect authentication and defenses, and acknowledging that you will get infected by an authenticated person “who are not who they say they are.” He said that this is proliferating into tools and into network intrusion software.
Risk appetite statements emerge: The final trend was for business stakeholders to create a mission statement that allows them to establish a view of risk, getting everyone to understand and agree with the team on what it is, and having a conversation with executives on which risks they are and are not willing to take.
As the digital society evolves, security and risk management can keep up if they have a suitable vision.
Speaking at the Gartner Security and Risk Management Summit in London, Tom Scholtz, distinguished VP analyst at Gartner, said that while “digital society is evolving” it is “adding complexity to challenges.” Scholtz added that those organizations that differentiate will be those that innovate.
While he admitted that “no one has all of the answers” on how to deal with the challenging digital environment, good practices have evolved and the implications are now around: pervasive connectivity, critical context, variable trust and reputable identity in the digital era.
Scholtz said that those companies who are succeeding are those “who have a view of where they are going” and have both adaptive governance and infrastructure.
He argued that the most important part of effective governance in the digital world is to establish the path of accountability, and to determine who is responsible for protecting resources. “It doesn’t rest with the CISO,” he said, “but it may rest with the CIO and most organizations will have a shared infrastructure and information, and if you cannot identify the business owner, the CIO becomes the proxy owner of the business.”
In order to establish governance, Scholtz said that this comes down to deciding your acceptable risk, enabling risk control and assuring control effectiveness to define your risk appetite. “This is about owning accountability,” he said. “In the digital world, focus less on policies and more on principles to guide controls and to be more effective.”
He recommended anticipating the disruptors of:
- AI and machine learning
- Hybrid delivery models
- Skills shortage
- IoT and OT
- Quantum computing
- Robotic process automation
“Adopt the drivers that are right for your organization, and [know] the main threats and vulnerabilities to your infrastructure,” he said. He added that if you know what your business is doing and what the CIO is doing, this will influence your vision and enable you to identify your current state.
“At a minimum, do a vulnerability assessment and maturity assessment, and prioritize the gaps and analyze and execute on it,” he concluded.