[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* Threats on the Horizon for Tomorrow’s Global Security Landscape
* The Next Frontier of Malware – Hardware
* Swift warns banks of malware threat
* Survey: Retail IT Professionals’ Confidence in Cyber Security Capabilities Increases as Data Breaches Rise
* Verizon: Bad Guys Still Phishing for Data
* Email ‘most popular phishing tool’
* Investment grows as DDoS attacks become sophisticated
* MSSPs: The Pros and Cons of Outsourcing Network Security
* Multi-Factor Authentication Heads PCI’s List of Changes
* Jones Day, K&L Gates Bulk Up Cybersecurity Practices
* Be Prepared: How Proactivity Improves Cybersecurity Defense
* What did we learn from BT’s 2016 CIO Report?
* Top 10 web hacking techniques of 2015
Threats on the Horizon for Tomorrow’s Global Security Landscape
At the Information Security Forum, we recently released Threat Horizon 2018, the latest in our annual series of reports which provide businesses a forward-looking view of the increasing threats in today’s always-on, interconnected world.
In Threat Horizon 2018, we highlighted the top three emerging threat themes, as determined by our research, to information security over the next two years.
Over the next two years, technology will increasingly become an integral part of everyday life in modern society, both at a business and a personal level.
Organizations will seek to maximize efficiency and effectiveness through improved connectivity.
However, with these benefits will come associated threats in an expanded and more complex security threat landscape highlighted by the growth of the Internet of Things (IoT).
Dealing with cyber-attacks and avoiding data breaches is enough to keep most organizations busy, but this will become even more challenging as established methods of information risk management are eroded or compromised by a variety of (usually non-malicious) actors.
Governments around the world will take an even greater interest in scrutinizing both new and existing technology products and services used by their citizens.
They will begin to adopt a more intrusive approach in dealing with organizations that handle personal information, especially major technology companies.
These governments will justify their activities on the grounds of regulating disruptive business models and organized crime.
However, their efforts in combating international crime – where many think they should be concentrating their resources – will fall significantly short of the expectation of many organizations.
Information security professionals are facing increasingly complex threats, some new and others familiar but evolving.
Their primary challenge remains unchanged: to help their organizations navigate mazes of uncertainty where, at any moment, they could turn a corner and encounter information security threats that inflict severe business impact.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ba11989fd2&e=20056c7556
The Next Frontier of Malware – Hardware
As recently as two years ago, there were rumoured issues with malware and viruses that get into USB-based hardware devices and can run from those devices, either to steal data or to serve as a launching pad that, once the device is connected to a host, penetrates deeper into that system or the network it is connected to.
The most dangerous part of this flavour of malware is that it likely cannot be detected.
It likely cannot be put there except through some physical means of implantation, and it would be equally difficult to remove from the device once infected – if removal is even possible at all.
The reality is that this exploit works exceedingly well and is nearly impossible to detect or thwart with our current set of tools.
Anti-malware products will need to re-think some of their approaches to detecting hardware embedded malware.
Payloads for these exploits could be adapted to much more damaging variants beyond just data siphoning.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4fff80c6a8&e=20056c7556
Swift warns banks of malware threat
Interbank payment network Swift is warning banks to beware of a new breed of malware that acts to hide fraudulent transactions on local client interface devices and may have been successfully exploited by the unknown hackers who recently stole $81 million from Bangladesh Bank.
Researchers at BAE Systems now claim that after gaining administrative rights at Bangladesh Bank, the hackers installed a piece of malware named evtdiag.exe, which shielded the attackers by altering the transfer-request records shown on the Swift client interface the bank used to track transfer requests.
While the malware appears to have compromised code on a Swift-supplied interface device, Swift maintains that banks must take all necessary precautions to lock down their own systems.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d4e9924424&e=20056c7556
Survey: Retail IT Professionals’ Confidence in Cyber Security Capabilities Increases as Data Breaches Rise
Tripwire, Inc., a leading global provider of endpoint protection, security and compliance solutions, today announced the results of its 2016 retail cyber security survey.
Conducted by Dimensional Research, the survey evaluated the attitudes of over 200 IT professionals in the retail sector and compared their responses to a similar survey Tripwire conducted in 2014.
“Unfortunately, these results indicate that we can expect retail breach activity to continue in the future,” said Tim Erlin, director of IT security and risk strategy. “The increase in confidence connected with speed of breach detection is particularly surprising, especially in combination with partial implementation of detection tools.
Together these results indicate while retail organizations might feel better about their cyber security capabilities, there’s still a long way to go to close the gap between initial compromise and detection.”
Seventy-five percent of the 2016 respondents believed they could detect a breach within 48 hours, compared with forty-two percent in 2014.
Retail data breaches involving personally identifiable information (PII) have more than doubled since 2014.
When asked if a data breach occurred at their organization where PII was stolen or accessed by intruders, one-third (thirty-three percent) of the respondents said, “yes,” compared with fourteen percent in 2014.
Implementation of breach detection technology has remained flat.
In both 2014 and 2016, fifty-nine percent of the respondents said their breach detection products were only partially or marginally implemented.
Companies with larger revenues monitor configuration parameters on critical payment assets less frequently.
Sixty-five percent of respondents working for organizations with revenues of less than $100 million check their compliance at least weekly, while only fifty-five percent of respondents at organizations with revenues of more than $100 million answered similarly.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=97884ae52b&e=20056c7556
Verizon: Bad Guys Still Phishing for Data
Marc Spitler, principal author of the 2016 DBIR, Verizon’s annual look at the global landscape of security threats, points to one stark statistic: more than 63% of all data breaches involved weak, lost or stolen credentials.
That’s one of the main reasons Verizon Communications Inc. (NYSE: VZ) continues to tout multi-factor authentication as a key to lowering security risks.
Spitler authored this year’s report with considerable humor — and you can check it out here — and refers to it as a “scouting report” for those attempting to thwart attacks.
He calls things such as phishing emails “the number one play in the bad guy’s playbook,” because they lead to significant data breaches.
The percentage of users clicking on the corrupted links in phishing emails actually rose slightly, from 11% to 13%; while that is not a statistically significant increase, it reflects why phishing remains a tried and true method of attacking networks.
Once an individual takes the bait, things happen quickly.
Infiltration of a network happens in minutes more than 80% of the time, but discovery of the breach is often measured in days, and that detection deficit is getting worse. “If — and some have called ‘if’ the biggest word in the language — there’s any good news, it’s that the number of breaches staying open months or more continues to decline slightly,” Spitler writes in the report.
This year’s numbers were influenced by one large attack, known as Dridex, a very large botnet targeting bank credentials, he notes.
It produced a treasure trove of information.
“With better network segmentation and stronger authentication through your internal network, we can limit damage,” Spitler says. “Now we can click in a response plan — who clicked, let’s quarantine that device, find out exactly what has been done, what communications inbound and outbound have happened, and really try to break the chain before the real impact occurs where significant data is exfiltrated from the organization.”
Spitler says mobile devices are not yet a major source of threats, but are still something being watched carefully.
And as the Internet of Things brings many low-level devices onto the network, those are also being scrutinized.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bf1f5d2158&e=20056c7556
Email ‘most popular phishing tool’
Online crime groups were shunning mobiles and newer technologies in favour of phishing campaigns, said the report from Verizon.
Almost 90% of the incidents involved attempts to steal cash, it said.
About 30% of phishing emails had been opened by people in targeted organisations in 2015, said the report, up from 23% in 2014.
And, of the scam emails opened, about 13% had been able to launch malware because staff had run the attachments they had carried.
Statistics gathered for the Verizon report suggest 84% of the organisations questioned took weeks to spot that criminals had won access to internal systems.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ec5d008fb3&e=20056c7556
Investment grows as DDoS attacks become sophisticated
A new report by real-time information services provider Neustar, entitled The Threatscape Widens: DDoS Aggression and the Evolution of IoT Risks, released this month, says the question is no longer ‘if’ or ‘when’ a company will be DDoSed – it’s how often, and how long each attack will last.
According to the report, 73 per cent of companies were attacked in 2015, with 82 per cent of those attacked suffering multiple attacks.
Of that number, 45 per cent said they were attacked six times or more.
In EMEA, 47 per cent of companies were attacked at least five times.
It also suggests that DDoSing is not an end in itself – in many cases it is a means to an end.
More than half of companies (57 per cent) said a DDoS attack is usually followed by data theft, which can be customer data, financial or intellectual property.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a3a6f2a6c3&e=20056c7556
MSSPs: The Pros and Cons of Outsourcing Network Security
If you’re already outsourcing functions such as customer support, web design, or manufacturing, the advantages of outsourcing security might seem familiar to you.
These are some of the key benefits to having a managed provider take care of your cyber security needs:
– Cost Savings
– Security Expertise
– All-Encompassing Customer Support
MSSP Disadvantages Boil Down to Increased Risk
– Before diving into the risks associated with hiring an MSSP, it’s important to understand that MSSPs do not completely eliminate your security costs—for example, you’ll still need an in-house CISO for the MSSP to report to and coordinate with.
MSSPs offer security expertise, but they are meant to supplement your own security team, not replace it.
– One disadvantage that keeps companies from outsourcing their security functions is the risk of letting someone take care of their sensitive data.
– At least when security is in-house, you can take it on yourself to guarantee customer data protection, which leads to another risk-related MSSP disadvantage—a lack of control.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d972c43789&e=20056c7556
Multi-Factor Authentication Heads PCI’s List of Changes
The PCI Security Standards Council will deliver version 3.2 of its Data Security Standard, effective April 28, strengthening rules for data access, providing criteria for ongoing compliance programs, and reminding merchants and network operators to continue migrating to a more secure Web protocol, Transport Layer Security.
The multi-factor requirement is the biggest change in the PCI DSS 3.2, said PCI chief technology officer Troy Leach.
PCI recommends that organizations review how they manage access to their cardholder data environment and review the current administrator roles to identify where the new requirement will require changes to authentication.
Version 3.2 also calls for new criteria titled Designated Entities Supplemental Validation, designed to help service providers maintain security programs through effective compliance oversight, proper scoping of an environment, and ensuring effective alerting is in place for critical security controls.
An organization is required to undergo an assessment of these validation processes only if instructed to do so by an acquirer or payment brand.
Even if not mandatory, the PCI council suggests organizations study these security practices, especially new requirements for service providers.
Those requirements include a third-party provider maintaining a documented description of its cryptographic architecture and reporting on failures of critical security control systems.
In addition, a new requirement calls for executive management to establish responsibility for protection of cardholder data and the PCI compliance program.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=41e264bb5c&e=20056c7556
Jones Day, K&L Gates Bulk Up Cybersecurity Practices
As cyberthreats and data protection settle into the forefront of general counsels’ minds, two leading Am Law 100 firms are bolstering their cybersecurity practices with a pair of recent hires.
On Monday, Jones Day announced its addition of former Hunton & Williams counsel Jörg Hladjk in Brussels, where he will lead his new firm’s cybersecurity, privacy and data protection practice.
Also switching shingles this month is Steven Caponi, the former head of Blank Rome’s cybersecurity and data privacy group, who has joined K&L Gates as a partner in Wilmington, Delaware.
Caponi, who advises executives and boards of directors on corporate governance issues related to cyberthreats, previously served as administrative partner for Blank Rome’s operations in Delaware.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cb9e22a18f&e=20056c7556
Be Prepared: How Proactivity Improves Cybersecurity Defense
When responding to an incident, there is always extreme pressure to gather and process digital evidence before it is no longer available or has been modified.
As illustrated in the KPMG 2015 Global CEO Outlook report, half of chief executive officers polled said their organizations are either not prepared or only partially prepared to deal with a major cyber-attack.
One reason these executives gave for this lack of preparedness was that too much attention is being spent on preventing attacks, and not enough on protection and response actions.
Here are five examples of how to shift from a reactive to proactive cyber preparedness model through the process of Digital Forensic Readiness.
-Maintain a business-centric focus
-Don’t reinvent the wheel
-Security intelligence goes beyond threats
-Keep tabs on external relationships
-Understand costs and benefits
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f23a31bf8e&e=20056c7556
What did we learn from BT’s 2016 CIO Report?
BT has recently released its 2016 CIO report, dissecting the challenges and opportunities available to enterprise organizations, and to the CIO, following the mainstream adoption of disruptive digital technologies.
Here, we’ve detailed a few of the lessons learnt from the 2016 report:
– Security is now being dealt with
The report highlights that 33% of respondents believe the transition to cloud computing will act as a catalyst to improve security throughout the organization.
It would appear the implementation of cloud is forcing enterprises to deal with security – it is no longer a subject which can be put off for another day.
– Cloud is no longer a choice
65% of respondents stated their current infrastructures are struggling to deal with the rapid adoption of digital technologies.
There are still challenges to the adoption of a cloud model (security, legacy systems, time constraints and budget), though the CIOs in question realize cloud is no longer an option for becoming more successful, but a necessity for remaining relevant.
– The CIO role has changed and there’s no going back
A successful CIO will be able to bridge the gap between IT and the rest of the business, becoming more of a businessperson than a technologist.
The disruptive nature of digital technologies ensures CIOs now have to be driven by flexibility, adaptive to new ideas, conversant with agile models and more receptive to alternative trends.
This could be seen as quite a shift from the current perception of a CIO.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=089aeefe1b&e=20056c7556
Top 10 web hacking techniques of 2015
After receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spots:
FREAK (Factoring Attack on RSA-Export Keys)
LogJam
Web Timing Attacks Made Practical
Evading All* WAF XSS Filters
Abusing CDNs with SSRF, Flash and DNS
IllusoryTLS
Exploiting XXE in File Parsing Functionality
Abusing XSLT for Practical Attacks
Magic Hashes
Hunting Asynchronous Vulnerabilities
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d5adcea7e7&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)