Daily Archives: October 1, 2020

False Confidence is the Opposite of Cyber Resilience

Reading Time: ~ 4 min.

Have you ever met a person who thinks they know it all? Or maybe you’ve occasionally been that person in your own life? No shame and no shade intended – it’s great (and important) to be confident about your skills. And in cases where you know your stuff, we encourage you to keep using your knowledge to help enhance the lives and experiences of the people around you.

But there’s a big difference between being reasonably confident and having false confidence, as we saw in our recent global survey. Featured in the report COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, the survey data shows that, all over the world, people are pretty confident about their ability to keep themselves and their data safe online. Unfortunately, people are also still getting phished and social engineering tactics aimed at employees are still a major way that cybercriminals successfully breach businesses. These data points strongly suggest that we aren’t all being quite as cyber-safe as we think.

Overconfidence by the Numbers

Approximately 3 in 5 people (59%) worldwide think they know enough to stay safe online.

You may think 59% doesn’t sound high enough to earn the label of “false confidence”. But there were two outliers in our survey who dragged the average down significantly (France and Japan, with only 44% and 26% confidence, respectively). If you only take the average of the five other countries surveyed (the US, UK, Australia/New Zealand, Germany and Italy), it’s a full ten percentage points higher at 69%. UK respondents had the highest level of confidence out of all seven regions surveyed with 75%.

8 in 10 people say they take steps to determine if an email message is malicious.

Yet 3 in 4 open emails and click links from unknown senders.

When so many of us claim to know what to do to stay safe online (and even say we take steps to determine the potential sketchiness of our emails), why are we still getting phished? We asked Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and technology, for his take on the matter. He had two important points to make.

Individualism

According to Dr. Rajivan, it’s important to note that Japan had the lowest level of confidence about their cybersecurity know-how (only 26%), but the survey showed they also had the lowest rate of falling victim to phishing (16%). He pointed out that countries with more individualistic cultures seem to align with countries who ranked themselves highly on their ability to keep themselves and their data safe.

“When people adopt a less individualistic mindset and, instead, perceive themselves to have a greater responsibility to others, their average level of willingness to take risks decreases. This is especially important to note for businesses that want to have a cyber-aware culture.”

– Prashanth Rajivan, Ph.D.

The Dunning-Kruger Effect

Another factor Dr. Rajivan says may contribute to overconfidence in one’s ability to spot phishing attacks might be a psychological phenomenon called the “Dunning-Kruger Effect”. The Dunning-Kruger Effect refers to a cognitive bias in which people who are less skilled at a given task tend to be overconfident in their ability, i.e. we tend to overestimate our capabilities in areas where we are actually less capable.

How These Numbers Affect Businesses

Only 14% of workers feel that a company’s cyber resilience is a responsibility all employees share.

The correlations between overconfidence and individualism may also translate into a mentality that workers are not responsible for their own cybersecurity during work hours. While 63% of workers surveyed agree that a cyber resilience strategy that includes both security tools and employee education should be a top priority for any business, only 14% felt that cyber resilience was a shared responsibility for all employees.

How to Create a Cyber Aware Culture

The short answer: a strong combination of employee training and tools.

The long answer: when asked what would help them feel better prepared to avoid phishing and prevent cyberattacks, workers worldwide agreed that their employers need to invest more heavily in training and education, in addition to strong cybersecurity tools. Dr. Rajivan also agrees, stating that, if employers want to build cybersecurity awareness into their business culture, then they need to invest heavily in their people.

“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”

– Prashanth Rajivan, Ph.D.

Additionally, he tells us, “Human behavior is shaped by past experiences, consequences and reinforcement. To see a real change in human behavior related to phishing and online risk-taking habits in general, people need frequent and varied experiences PLUS appropriate feedback that incentivizes good behavior.”

Ultimately, the importance of training can’t be emphasized enough. According to real-world data from customers using Webroot® Security Awareness Training, which provides both training courses and easy-to-run, customizable phishing simulations, consistent training can reduce click rates on phishing scams by up to 86.5%.

It’s clear a little training can go a long way. If you want to increase cyber resilience, you have to minimize dangerous false confidence. And to do that, you need to empower your workforce with the tools and training they need to confidently (and correctly) make strong, secure decisions about what they do and don’t click online.

Learn more about Security Awareness Training programs.

The post False Confidence is the Opposite of Cyber Resilience appeared first on Webroot Blog.

Cyber Security Roundup for October 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.

COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of University and Colleges in September.  Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack their victims, and behind leaking online documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom payment was not paid. In a statement, the university said "it will take several weeks" to address the issues, and that many IT services will not be operating during this period", that statement is the hallmark of recovery from a mass ransomware infection.

Doppelpaymer Ransom notice

On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.  The NCSC's guidance for organisations on defending against ransomware attacks is available here.

Across the pond, healthcare giant Universal Heather Services (UHS), which operates nearly 400 hospitals and clinics, was said to be severely disrupted by the Ryuk ransomware. According to Bleeping Computer, a UHS employee said encrypted files had the telltale .ryk extension, while another employee described a ransom note fitted the Ryuk ransomware demand note. A Reddit thread claimed “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center. Ambulances are being rerouted to other hospitals, the information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment. Four people died tonight alone due to the waiting on results from the lab to see what was going on”. In response, UHS released a statement which said, “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods".

'Dark Overlord', the handle of a British hacker involved in the theft of information as part of "The Overlord" hacking group was jailed for five years in the United States and ordered to pay $1.5 million in restitution, after pleading guilty to conspiring to commit aggravated identity theft and computer fraud, in other words, orchestrating cyber exportation attacks against US firms.


ZeroLogon:  IT Support Staff must Patch Now!
A critical Microsoft Windows Server Domain Controller vulnerability (CVE-2020-1472) is now causing concern for IT staff, after the Microsoft, CISA, the UK NCSC, and other security bodies warned the vulnerability was being actively exploited in mid-September. Dubbed 'Zerologon', Microsoft issued a security fix for the bug, which scored a maximum criticality rate of 10.0, as part of their August 2020 'Patch Tuesday' release of monthly security updates. Since that public disclosure of the flaw, there have been multiple proofs-of-concept (PoC) exploits appearing on the internet, which threat actors are now adapting into their cyberattacks. There are no mitigation or workarounds for this vulnerability, so it is essential for the CVE-2020-1472 security update is installed on all Microsoft Windows Domain Controllers, and then ensure DC enforcement mode is enabled. 

Stay safe and secure.

BLOG

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

        McAfee Leapfrogs Competition with trio of awards at 2020 IT World Awards

        Network Products Guide, the industry’s leading technology research and advisory guide, recently named the winners in their 15th Annual 2020 Network PG’s IT World Awards. Judges from a broad spectrum of industry voices around the world participated and their average scores determined the 2020 award winners.  McAfee took center stage with three wins, including Gold for McAfee MVISION Endpoint Detection and Response (EDR) and Silver for McAfee MVISION Cloud for Containers and McAfee MVISION Unified Cloud Edge (UCE).

        The IT World Awards are industry and peer recognitions from Network Products Guide honoring achievements of world’s best in organizational performance, product and service innovations, hot technologies, executives and management teams, successful deployments, product management and engineering, customer satisfaction, and public relations in information technology and cyber security. These wins further validate McAfee’s position as a company poised to successfully help organizations solve for real-time security issues.

        McAfee was recognized in the following categories:

        • Zero Day | Attack & Exploit Detection & Prevention Category: McAfee MVISION EDR uses Artificial intelligence to guide analysts through the investigation process. It is a cloud-delivered solution that detects advanced and previously unknown device threats, provides deep investigation capabilities and the intel for users to respond in a timely manner.
        • Cloud Security Category: McAfee MVISION Cloud for Containers provides the industry’s first Unified Cloud Security Platform with container optimized strategies for securing dynamic container workloads and the infrastructure on which they depend upon.
        • New Product-Service of the Year: McAfee MVISION UCE includes three core technologies converged into a single solution: Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Data Loss Prevention (DLP). These technologies work together to protect data from device to cloud and prevent cloud-native threats that are invisible to the corporate network.

         

        For a complete list of McAfee’s accolades and industry recognition, visit: https://www.mcafee.com/enterprise/en-us/about/awards.html

        The post McAfee Leapfrogs Competition with trio of awards at 2020 IT World Awards appeared first on McAfee Blogs.

        96% of Organizations Use Open Source Libraries but Less Than 50% Manage Their Library Security Flaws

        Most modern codebases are dependent on open source libraries. In fact, a recent research report sponsored by Veracode and conducted by Enterprise Strategy Group (ESG) found that more than 96 percent of organizations use open source libraries in their codebase. But ??? shockingly ??? less than half of these organizations have invested in specific security controls to scan for open source vulnerabilities.

        Percentage of codebase pulled from open source

        Why is it important to scan open source libraries?

        For our State of Software Security: Open Source Edition report, we analyzed the security of open source libraries in 85,000 applications and found that 71 percent have a flaw. The most common open source flaws identified include Cross-Site Scripting, insecure deserialization, and broken access control. By not scanning open source libraries, these flaws remain vulnerable to a cyberattack. ツ?ツ?ツ?

        Equifax made headlines by not scanning its open source libraries. In 2017, Equifax suffered a massive data breach from Apache Struts which compromised the data ??? including social security numbers ??? of more than 143 million Americans. Following the breach, Equifax's stock fell over 13 percent. The unfortunate reality is that if Equifax performed AppSec scans on its open source libraries and patched the vulnerability, the breach could have been avoided. ツ?

        Why aren???t more organizations scanning open source libraries?

        If 96 percent of organizations use open source libraries and 71 percent of applications have a third-party vulnerability, why is it that less than 50 percent of organizations scan their open source libraries? The main reason is that when application developers add third-party libraries to their codebase, they expect that library developers have scanned the code for vulnerabilities. Unfortunately, you can???t rely on library developers to keep your application safe. Approximately 42 percent of the third-party code pulled directly by an application developer has a flaw on first scan. And even if the third-party code appears to be free of flaws, more than 47 percent of third-party code has a transitive flaw that???s pulled indirectly from another library in use.

        Transitive and direct open source vulnerabilities

        What are your options for managing library security flaws?

        First off, it???s important to note that most flaws in open source libraries are easy to fix. Close to 74 percent of the flaws can be fixed with an update like a revision or patch. Even high priority flaws are easy to fix ??? close to 91 percent can be fixed with an update.

        patching open source flaws

        So, when it comes to managing your library security flaws, the concentration should not just be, ???How am I going to fix the flaws???? but also ???How am I going to find the flaws???? That???s where tools like Veracode Software Composition Analysis (SCA) come in handy. Veracode SCA scans open source dependencies for known vulnerabilities and makes recommendations on version updating.

        Veracode SCA is fast and easy to use. You can integrate it into your pipeline through a simple command-line scan agent and delivers results in seconds. Or, you can use the same agent directly in your IDE to get feedback even earlier.

        By using a tool like SCA, you can uncover not only flaws introduced directly by the application developer, but also transitive flaws introduced indirectly by other libraries several layers deep. In addition, Veracode SCA can find more vulnerabilities than the National Vulnerability Database (NVD). How? Because not every developer reports flaws to the NVD. So Veracode is able to use data mining, natural language processing, and machine learning to significantly grow its SCA database and find new or unreported flaws.

        To learn more about application scanning statistics and trends, download the ESG report, Modern Application Development Security.

        Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam

        Companies victimized by ransomware and firms that facilitate negotiations with ransomware extortionists could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions, the Treasury Department warned today.

        Image: Shutterstock

        In its advisory (PDF), the Treasury’s Office of Foreign Assets Control (OFAC) said “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

        As financial losses from cybercrime activity and ransomware attacks in particular have skyrocketed in recent years, the Treasury Department has imposed economic sanctions on several cybercriminals and cybercrime groups, effectively freezing all property and interests of these persons (subject to U.S. jurisdiction) and making it a crime to transact with them.

        A number of those sanctioned have been closely tied with ransomware and malware attacks, including the North Korean Lazarus Group; two Iranians thought to be tied to the SamSam ransomware attacks; Evgeniy Bogachev, the developer of Cryptolocker; and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses.

        Those that run afoul of OFAC sanctions without a special dispensation or “license” from Treasury can face several legal repercussions, including fines of up to $20 million.

        The Federal Bureau of Investigation (FBI) and other law enforcement agencies have tried to discourage businesses hit by ransomware from paying their extortionists, noting that doing so only helps bankroll further attacks.

        But in practice, a fair number of victims find paying up is the fastest way to resume business as usual. In addition, insurance providers often help facilitate the payments because the amount demanded ends up being less than what the insurer might have to pay to cover the cost of the affected business being sidelined for days or weeks at a time.

        While it may seem unlikely that companies victimized by ransomware might somehow be able to know whether their extortionists are currently being sanctioned by the U.S. government, they still can be fined either way, said Ginger Faulk, a partner in the Washington, D.C. office of the law firm Eversheds Sutherland.

        Faulk said OFAC may impose civil penalties for sanctions violations based on “strict liability,” meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.

        “In other words, in order to be held liable as a civil (administrative) matter (as opposed to criminal), no mens rea or even ‘reason to know’ that the person is sanctioned is necessary under OFAC regulations,” Faulk said.

        But Fabian Wosar, chief technology officer at computer security firm Emsisoft, said Treasury’s policies here are nothing new, and that they mainly constitute a warning for individual victim firms who may not already be working with law enforcement and/or third-party security firms.

        Wosar said companies that help ransomware victims negotiate lower payments and facilitate the financial exchange are already aware of the legal risks from OFAC violations, and will generally refuse clients who get hit by certain ransomware strains.

        “In my experience, OFAC and cyber insurance with their contracted negotiators are in constant communication,” he said. “There are often even clearing processes in place to ascertain the risk of certain payments violating OFAC.”

        Along those lines, OFAC said the degree of a person/company’s awareness of the conduct at issue is a factor the agency may consider in assessing civil penalties. OFAC said it would consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

        ST23: Moderner Datenschutz für Microsoft Teams (German)

        Für viele ist das Arbeiten im Home Office zur Normalität geworden. Microsoft Teams stellt dabei den Ankerpunkt der effektiven Zusammenarbeit und dem Austausch von Inhalten in Microsoft 365 dar. Welche Auswirkung das jedoch auf die Sicherheit hat, diskutieren wir in diesem Podcast. Hierfür zusammengekommen sind Alexander Haug, unser Security Engineer mit Fokus auf Data Protection, sowie Chris Trynoga, unser Solution Architect und Experte für ganzheitliche Sicherheitsansätze.

        The post ST23: Moderner Datenschutz für Microsoft Teams (German) appeared first on McAfee Blogs.

        Hot off the Press: Veracode Named a 2020 Gartner Peer Insights Customers’ Choice for AST

        Veracode has been officially recognized by Gartner Peer Insights as a 2020 Customers??? Choice for Application Security Testing. The report includes Veracode???s aggregate score of 4.6 out of 5 stars out of 95 independent customer reviews (as of July 31, 2020), and of the reviewers, 92 percent said that they would recommend Veracode???s AST solutions.

        Veracode, the largest global provider of application security (AST) solutions. We received the Customers??? Choice distinction, just months after Veracode was named a Leader for the seventh consecutive time in the Gartner Inc. 2020 Magic Quadrant for Application Security Testing, is a true testament to our solutions.

        ???There is no greater endorsement than the voice and passion of our customers,??? said Sam King, CEO of Veracode. ???This Customers??? Choice distinction by Gartner Peer Insights reflects the impact of our best-in-class solutions and customer service. Veracode is committed to helping our customers navigate the ever-evolving application security landscape, with an impassioned focus on empowering developers to both find and fix code defects early in the development process. Thank you to all the Veracode customers worldwide that have made us their trusted partner in secure software delivery.???

        What are our customers saying in their reviews on Gartner Peer Insights? Many tout Veracode???s SaaS-based solution as a key benefit. ???They operate a ???service-based solution??? removing many of the obstacles typical of on-premises scan solutions,??? stated a May 22, 2020 review by the director of security and risk at a manufacturing company. Our customers also talk about how Veracode empowers developers to find and fix code defects early in the development process. A director of application development for the government sector remarked in a review on July 24, 2020 ???[Veracode] was incredibly easy to implement and we had a high rate of developer adoption. We saw phenomenal results in reducing our security risk within the first six months. We are now several years into product implementation and have grown our adoption with both product and automation.???

        To learn more about Gartner Peer Insights 2020 Customers??? Choice for AST and what our customers have to say about our leading application security testing solutions, download the Peer Insights Voice of the Customer report.

        Disclaimer: Gartner Peer Insights Customers??? Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

        Gartner Peer Insights ???Voice of the Customer???: Application Security Testing, Peer Contributors, 9ツ? October 2020

        NIST Awards More Than $4 Million to Small Businesses for Innovations in AI, Wildfire Forecasting and More

        GAITHERSBURG, Md. — The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded 19 small businesses in 12 states a total of more than $4.4 million in grants to support innovative technology development. The awardees will receive Phase I or Phase II funding through NIST’s Small Business Innovation Research (SBIR) program. The competitively selected proposals were submitted in response to a call for innovative products addressing specific technical needs. “The Small Business Innovation Research program supports scientific research and development leading

        NIST Crowdsourcing Challenge to De-Identify Public Safety Data Sets

        BOULDER, Colo. — The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has launched a crowdsourcing challenge to spur new methods to ensure that important public safety data sets can be de-identified to protect individual privacy. The Differential Privacy Temporal Map Challenge includes a series of contests that will award a total of up to $276,000 for differential privacy solutions for complex data sets that include information on both time and location. For critical applications such as emergency planning and epidemiology, public safety responders may need

        Beware: New Android Spyware Found Posing as Telegram and Threema Apps

        A hacking group known for its attacks in the Middle East, at least since 2017, has recently been found impersonating legitimate messaging apps such as Telegram and Threema to infect Android devices with a new, previously undocumented malware. "Compared to the versions documented in 2017, Android/SpyC23.A has extended spying functionality, including reading notifications from messaging apps, call

        Russian Who Hacked LinkedIn, Dropbox Sentenced to 7 Years in Prison

        A Russian hacker who was found guilty of hacking LinkedIn, Dropbox, and Formspring over eight years ago has finally been sentenced to 88 months in United States prison, that's more than seven years by a federal court in San Francisco this week. Yevgeniy Aleksandrovich Nikulin, 32, of Moscow hacked into servers belonging to three American social media firms, including LinkedIn, Dropbox, and

        Critical Flaws Discovered in Popular Industrial Remote Access Systems

        Cybersecurity researchers have found critical security flaws in two popular industrial remote access systems that can be exploited to ban access to industrial production floors, hack into company networks, tamper with data, and even steal sensitive business secrets. The flaws, discovered by Tel Aviv-based OTORIO, were identified in B&R Automation's SiteManager and GateManager, and MB Connect