CyberSecurity Institute

Security News Curated from across the world


Posted on September 11, 2016 | December 30, 2021 by admini

[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]

* Threats on the Horizon for Tomorrow’s Global Security Landscape
* The Next Frontier of Malware – Hardware
* Swift warns banks of malware threat
* Survey: Retail IT Professionals Confidence in Cyber Security Capabilities Increase as Data Breaches Rise
* Verizon: Bad Guys Still Phishing for Data
* Email ‘most popular phishing tool’
* Investment grows as DDoS attacks become sophisticated
* MSSPs: The Pros and Cons of Outsourcing Network Security
* Multi-Factor Authentication Heads PCI’s List of Changes
* Jones Day, K&L Gates Bulk Up Cybersecurity Practices
* Be Prepared: How Proactivity Improves Cybersecurity Defense
* What did we learn from BT’s 2016 CIO Report?
* Top 10 web hacking techniques of 2015

Threats on the Horizon for Tomorrow’s Global Security Landscape
At the Information Security Forum, we recently released Threat Horizon 2018, the latest in our annual series of reports which provide businesses a forward-looking view of the increasing threats in today’s always-on, interconnected world.
In Threat Horizon 2018, we highlighted the top three emerging threat themes, as determined by our research, to information security over the next two years.
Over the next two years, technology will increasingly become an integral part of everyday life in modern society, both at a business and a personal level.
Organizations will seek to maximize efficiency and effectiveness through improved connectivity.
However, with these benefits will come associated threats in an expanded and more complex security threat landscape highlighted by the growth of the Internet of Things (IoT).
Dealing with cyber-attacks and avoiding data breaches is enough to keep most organizations busy, but this will become even more challenging as established methods of information risk management are eroded or compromised by a variety of (usually non-malicious) actors.
Governments around the world will take an even greater interest in scrutinizing both new and existing technology products and services used by their citizens.
They will begin to adopt a more intrusive approach in dealing with organizations that handle personal information, especially major technology companies.
These governments will justify their activities on the grounds of regulating disruptive business models and organized crime.
However, their efforts in combating international crime – where many think they should be concentrating their resources – will fall significantly short of the expectation of many organizations.
Information security professionals are facing increasingly complex threats, some new and others familiar but evolving.
Their primary challenge remains unchanged: to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ba11989fd2&e=20056c7556

The Next Frontier of Malware – Hardware
As recently as two years ago, there have been some rumoured issues related to malware and viruses that get into USB-based hardware devices and can possibly run from those devices, either to steal data or to become a launching pad, once connected to a device, to penetrate deeper into that system or the network that it is connected to.
The most dangerous part about this flavour of malware is that it likely cannot be detected.
It likely can’t be put there except through some physical means of implantation, and it would be equally difficult to remove from the device once it is infected – if it is even possible to remove at all.
The reality is that this exploit works exceedingly well and is nearly impossible to detect or thwart through our current set of tools.
Anti-malware products will need to re-think some of their approaches to detecting hardware embedded malware.
Payloads for these exploits could be adapted to much more damaging variants beyond just data siphoning.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4fff80c6a8&e=20056c7556

Swift warns banks of malware threat
Interbank payment network Swift is warning banks to beware of a new breed of malware that acts to hide fraudulent transactions on local client interface devices and may have been successfully exploited by the unknown hackers who recently stole $81 million from Bangladesh Bank.
Researchers at BAE Systems now claim that after gaining administrative rights at Bangladesh Bank, the hackers installed a piece of malware named evtdiag.exe which shielded the attackers by changing information on transfer requests made via Swift on the client interface used by the bank to track information about transfer requests.
While the malware appears to have compromised code on a Swift-supplied interface device, Swift maintains that banks must take all necessary precautions to lock down their own systems.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d4e9924424&e=20056c7556

Survey: Retail IT Professionals Confidence in Cyber Security Capabilities Increase as Data Breaches Rise
Tripwire, Inc., a leading global provider of end point protection, security and compliance solutions, today announced the results of its 2016 retail cyber security survey.
Conducted by Dimensional Research, the survey evaluated the attitudes of over 200 IT professionals in the retail sector and compared their responses to a similar survey Tripwire conducted in 2014.
“Unfortunately, these results indicate that we can expect retail breach activity to continue in the future,” said Tim Erlin, director of IT security and risk strategy. “The increase in confidence connected with speed of breach detection is particularly surprising, especially in combination with partial implementation of detection tools.
Together these results indicate while retail organizations might feel better about their cyber security capabilities, there’s still a long way to go to close the gap between initial compromise and detection.”
Seventy-five percent of the 2016 respondents believed they could detect a breach within 48 hours, compared with forty-two percent in 2014.
Retail data breaches involving personally identifiable information (PII) have more than doubled since 2014.
When asked if a data breach occurred at their organization where PII was stolen or accessed by intruders, one-third (thirty-three percent) of the respondents said, “yes,” compared with fourteen percent in 2014.
Implementation of breach detection technology has remained flat.
In both 2014 and 2016, fifty-nine percent of the respondents said their breach detection products were only partially or marginally implemented.
Companies with larger revenues monitor configuration parameters on critical payment assets less frequently.
Sixty-five percent of respondents working for organizations with revenues of less than $100 million check their compliance at least weekly, and only fifty-five percent of respondents with revenues of more than $100 million answered similarly.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=97884ae52b&e=20056c7556

Verizon: Bad Guys Still Phishing for Data
Marc Pitler, principal author of the 2016 DBIR, Verizon’s annual look at the global landscape of security threats, points to one stark statistic: More than 63% of all data breaches involved weak, lost or stolen credentials.
That’s one of the main reasons Verizon Communications Inc. (NYSE: VZ) continues to tout multi-factor authentication as a key to lowering security risks.
Pitler authored this year’s report with considerable humor — and you can check it out here — and refers to it as a “scouting report” for those attempting to thwart attacks.
He calls things such as phishing emails “the number one play in the bad guy’s playbook,” because they lead to significant data breaches.
The percentage of users clicking on the corrupted links in phishing emails actually rose slightly from 11% to 13% and while that is not a statistically significant increase, it is a reflection of why phishing remains a tried and true method of attacking networks.
Once an individual takes the bait, things happen quickly.
Infiltration of a network happens in minutes more than 80% of the time, but often discovery of the breach is measured in days, and that detection deficit is getting worse. “If — and some have called ‘if’ the biggest word in the language — there’s any good news, it’s that the number of breaches staying open months or more continues to decline slightly,” Pitler writes in the report.
This year’s numbers were influenced by one large attack, known as Dridex, which was a very large botnet targeting bank credentials, he notes.
It produced a treasure trove of information.
“With better network segmentation and stronger authentication through your internal network, we can limit damage,” Pitler says. “Now we can click in a response plan — who clicked, let’s quarantine that device, find out exactly what has been done, what communications inbound and outbound have happened, and really try to break the chain before the real impact occurs where significant data is exfiltrated from the organization.”
Pitler says mobile devices are not yet a major source of threats, but are still something being watched carefully.
And as the Internet of Things brings many low-level devices onto the network, those are also being scrutinized.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bf1f5d2158&e=20056c7556

Email ‘most popular phishing tool’
The online crime groups were shunning mobiles and newer technologies in favour of phishing campaigns, said the report from Verizon.
Almost 90% of the incidents involved attempts to steal cash, it said.
About 30% of phishing emails had been opened by people in targeted organisations in 2015, said the report, up from 23% in 2014.
And, of the scam emails opened, about 13% had been able to launch malware because staff had run the attachments they had carried.
Statistics gathered for the Verizon report suggest 84% of the organisations questioned took weeks to spot that criminals had won access to internal systems.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ec5d008fb3&e=20056c7556

Investment grows as DDoS attacks become sophisticated
A new report by real-time information services provider Neustar, entitled The Threatscape Widens: DDoS Aggression and the Evolution of IoT Risks, released this month, says it’s no longer the question ‘if’ or ‘when’ a company will be DDoSed – it’s how often and how long will it last.
According to the report, 73 per cent of companies were attacked in 2015, with 82 per cent of those attacked suffering multiple attacks.
Out of that number, 45 per cent said they were attacked six times, or more.
In EMEA, 47 per cent of companies were attacked at least five times.
It also suggests that DDoSing is not its own purpose – it’s a means to an end, in many cases.
More than half of companies (57 per cent) said a DDoS attack is usually followed by data theft, which can be customer data, financial or intellectual property.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a3a6f2a6c3&e=20056c7556

MSSPs: The Pros and Cons of Outsourcing Network Security
If you’re already outsourcing functions such as customer support, web design, or manufacturing, the advantages of outsourcing security might seem familiar to you.
These are some of the key benefits to having a managed provider take care of your cyber security needs:
– Cost Savings
– Security Expertise
– All-Encompassing Customer Support
MSSP Disadvantages Boil Down to Increased Risk
– Before diving into the risks associated with hiring an MSSP, it’s important to understand that MSSPs do not completely eliminate your security costs—for example, you’ll still need an in-house CISO for the MSSP to report to and coordinate with.
MSSPs offer security expertise; but they are meant to supplement your own security team, not replace it.
– One disadvantage that keeps companies from outsourcing their security functions is the risk of letting someone take care of their sensitive data.
– At least when security is in-house, you can take it on yourself to guarantee customer data protection, which leads to another risk-related MSSP disadvantage—a lack of control.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d972c43789&e=20056c7556

Multi-Factor Authentication Heads PCI’s List of Changes
The PCI Security Standards council will deliver its 3.2 data security standard version, effective April 28, strengthening rules for data access, providing criteria for ongoing compliance programs, and reminding merchants and network operators to continue to migrate to a more secure Web protocol, or Transport Layer Security.
The multi-factor requirement is the biggest change in the PCI DSS 3.2, said PCI chief technology officer Troy Leach.
PCI recommends that organizations review how they manage access to their cardholder data environment and review the current administrator roles to identify where the new requirement will require changes to authentication.
Version 3.2 also calls for new criteria titled Designated Entities Supplemental Validation, designed to help service providers maintain security programs through effective compliance oversight, proper scoping of an environment, and assuring effective alerts are in place in critical security controls.
An organization is required to undergo an assessment of these validation processes only if instructed to do so by an acquirer or payment brand.
Even if not mandatory, the PCI council suggests organizations study these security practices, especially new requirements for service providers.
Those requirements include a third party provider maintaining a documented description of the cryptographic architecture and reporting on failures of critical security control systems.
In addition, a new requirement calls for executive management to establish responsibility for protection of cardholder data and the PCI compliance program.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=41e264bb5c&e=20056c7556

Jones Day, K&L Gates Bulk Up Cybersecurity Practices
As cyberthreats and data protection settle into the forefront of general counsel minds, two leading Am Law 100 firms are bolstering their cybersecurity practices with a pair of recent hires.
On Monday, Jones Day announced its addition of former Hunton & Williams counsel Jörg Hladjk in Brussels, where he will lead his new firm’s cybersecurity, privacy and data protection practice.
Also switching shingles this month is Steven Caponi, the former head of Blank Rome’s cybersecurity and data privacy group, who has joined K&L Gates as a partner in Wilmington, Delaware.
Caponi, who advises executives and boards of directors on corporate governance issues related to cyberthreats, previously served as administrative partner for Blank Rome’s operations in Delaware.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cb9e22a18f&e=20056c7556

Be Prepared: How Proactivity Improves Cybersecurity Defense
When responding to an incident, there is always extreme pressure to gather and process digital evidence before it is no longer available or has been modified.
As illustrated in the KPMG 2015 Global CEO Outlook report, half of chief executive officers polled said their organizations are either not prepared or only partially prepared to deal with a major cyber-attack.
One reason these executives gave for this lack of preparedness was that too much attention is being spent on preventing attacks, and not enough on protection and response actions.
Here are five examples of how to shift from a reactive to proactive cyber preparedness model through the process of Digital Forensic Readiness.
– Maintain a business-centric focus
– Don’t reinvent the wheel
– Security intelligence goes beyond threats
– Keep tabs on external relationships
– Understand costs and benefits
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f23a31bf8e&e=20056c7556

What did we learn from BT’s 2016 CIO Report?
BT has recently released its 2016 CIO report, dissecting the challenges and opportunities available for enterprise organizations, and the CIO, following the mainstream adoption of disruptive digital technologies.
Here, we’ve detailed a few of the lessons learnt from the 2016 report:
– Security is now being dealt with
The report highlights 33% of respondents believe the transition through to cloud computing will act as a catalyst to improve security throughout the organization.
It would appear the implementation of cloud is forcing enterprise to deal with security – it is no longer a subject which can be put off for another day.
– Cloud is no longer a choice
65% of respondents stated their current infrastructures are struggling to deal with the rapid adoption of digital technologies.
There are still challenges to the adoption of a cloud model (security, legacy systems, time constraints and budget), though the CIOs in question realize cloud is no longer an option to become more successful, but a necessity to remain relevant.
– The CIO role has changed and there’s no going back
A successful CIO will be able to bridge the gap between IT and the rest of the business, becoming more of a businessman as opposed to a technologist.
The disruptive nature of digital technologies ensures CIOs now have to be driven by flexibility, adaptive to new ideas, understanding of agile models and more receptive to alternative trends.
This could be seen as quite a shift in what would be the current perception of a CIO.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=089aeefe1b&e=20056c7556

Top 10 web hacking techniques of 2015
After receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spaces:

* FREAK (Factoring Attack on RSA-Export Keys)
* LogJam
* Web Timing Attacks Made Practical
* Evading All* WAF XSS Filters
* Abusing CDN’s with SSRF Flash and DNS
* IllusoryTLS
* Exploiting XXE in File Parsing Functionality
* Abusing XSLT for Practical Attacks
* Magic Hashes
* Hunting Asynchronous Vulnerabilities
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d5adcea7e7&e=20056c7556
