Author Archives: David Bisson

More Than Half of Organizations Have Unfilled Cybersecurity Positions

More than half of organizations have unfilled cybersecurity positions, according to a new workforce development survey.

Fifty-nine percent of IT professionals surveyed in the Information Systems Audit and Control Association (ISACA)’s “State of Cybersecurity Report 2018” said their organizations have open positions in information security. Approximately the same proportion (54 percent) of practitioners admitted that it takes their employer three months on average to fill security-related roles, and another 3 percent confessed that their firms can’t fill those jobs.

Companies Struggle to Fill Cybersecurity Positions

For the report, ISACA surveyed 2,366 professionals who work in information security or hold ISACA’s Certified Information Security Manager (CISM) and/or Cybersecurity Nexus Practitioner (CSXP) designations. Their responses illustrated the challenges presented by the ongoing cybersecurity skills gap.

The survey found that employees lack confidence in the qualifications of their organization’s workforce. Three in 10 participants said that less than a quarter of employees were qualified. Slightly more (31 percent) reported that 25 to 50 percent of their co-workers possess the necessary skills, while just 12 percent of respondents indicated that 75 to 100 percent of their colleagues are sufficiently qualified.

At the organizational level, 39 percent of respondents said most of their open positions were for “individual contributor, technical security.” This is consistent with the view, held by 77 percent of survey participants, that hiring demand for that particular role is increasing. Respondents also reported rising demand for “individual contributor, nontechnical security” and “security manager” roles, at 46 percent and 39 percent, respectively.

Investing in Training and Retention

The ISACA survey revealed that dwindling budgets aren’t to blame for the persistent skills gap. In fact, 64 percent of respondents reported an increase in their organization’s security budget.

Matt Loeb, CEO of ISACA, said this finding supports the notion that cybersecurity staffing issues aren’t financial in nature.

“Even though enterprises have more budget than ever to hire, the available workforce lacks the skills organizations critically need,” Loeb explained, as quoted in a press release. “More of those dollars will need to be invested in technical cybersecurity training, along with effective retention programs.”

To further minimize the skills gap, the authors of the report advised organizations to invest in security automation tools and make improvements to their hiring processes.

The post More Than Half of Organizations Have Unfilled Cybersecurity Positions appeared first on Security Intelligence.

94 Percent of Web Applications Suffer From High-Severity Vulnerabilities

Ninety-four percent of all web applications suffer from high-severity software vulnerabilities, a new report revealed.

According to “Automated Code Analysis: Web Application Vulnerabilities in 2017,” every web app tested by security firm Positive Technologies contained vulnerabilities of varying severity. In addition to the 94 percent of applications that contained a high-severity flaw, 85 percent carried an exploitable vulnerability.

A Tempting Target for Cybercriminals

For the report, Positive Technologies conducted vulnerability assessments against 33 applications. Some of the applications tested were publicly available at the time of analysis, while others served internal business functions only. All were affected by code and/or configuration weaknesses; other classes of flaw, such as missing software updates, were out of scope and not counted in the report.

Of all the vulnerabilities identified, cross-site scripting (XSS) bugs were the most prevalent at 82 percent of applications, followed by HTTP response splitting and arbitrary file reading at 58 percent and 52 percent, respectively.

Aside from enabling attacks against users, the vulnerabilities discovered in 70 percent of applications laid the foundation for denial-of-service (DoS) conditions. This medium-level threat was more common than four others of high severity, including arbitrary file reading (61 percent), operating system (OS) commanding (55 percent), unauthorized database access (45 percent), and deletion or modification of server files (42 percent).

Web applications in some industries fared worse than others. Positive Technologies found critical vulnerabilities in 100 percent of financial institutions’ web apps, while 83 percent of government apps and 75 percent of e-commerce applications suffered from high-severity flaws.

Proactive Security Measures Key to Protecting Web Applications

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said the report indicates that web applications are obvious targets for attackers.

“A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network,” Galloway explained, as quoted in a press release. “Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”

The report noted, however, that detecting vulnerabilities in application source code isn’t enough. It advised organizations to also embrace proactive security measures, such as web application firewalls (WAFs).

The post 94 Percent of Web Applications Suffer From High-Severity Vulnerabilities appeared first on Security Intelligence.

Teen Faces 10 Years in Prison for Downloading 7K Freedom of Information Releases

A teenager faces upwards of 10 years in prison for downloading 7,000 freedom of information releases that contained people’s sensitive personal information. On 11 April, police in Nova Scotia raided the home of a yet-unnamed 19-year-old. As many as 15 officers seized computer equipment from the teen, who lives with his parents and siblings and is […]

The post Teen Faces 10 Years in Prison for Downloading 7K Freedom of Information Releases appeared first on The State of Security.

Nearly 4 in 10 IT Professionals Struggle to Detect and Respond to Cloud Security Incidents

Nearly 4 in 10 IT and cybersecurity professionals who responded to a recent survey cited cloud security as a major challenge.

According to the “Oracle and KPMG Cloud Threat Report, 2018,” 38 percent of security practitioners said they struggle to detect and respond to security incidents in the cloud. It was the biggest challenge cited in the survey, beating out lack of visibility across endpoints and the attack surface (27 percent), lack of collaboration between security and IT operations teams (26 percent), and lack of unified policies across different environments (26 percent).

Cloud Security Remains an Ongoing Concern

For the report, Oracle and KPMG commissioned Enterprise Strategy Group (ESG) to survey 450 IT and cybersecurity professionals working at public- and private-sector organizations based in North America, Western Europe and Asia. Their responses highlighted the widespread concern about security gaps at every step of the cloud migration process.

The report suggested that confusion was partly responsible for those gaps. Just 43 percent of survey respondents were able to correctly identify the most widely used infrastructure-as-a-service (IaaS) shared responsibility model. In other words, fewer than half of security professionals could say where their own responsibility for securing cloud workloads begins and the provider’s ends.

Respondents also indicated that employees might be exacerbating those security holes. More than four-fifths (82 percent) of security leaders said they are worried that employees don’t follow corporate cloud security policies. The report cited a variety of factors contributing to this prevalence of shadow IT, including personal preferences, external collaboration and speed requirements.

Bolstering Defenses in the Cloud

Tony Buffomante, U.S. leader of KPMG’s Cyber Security Services, said organizations need to do more to protect themselves against security gaps when migrating to the cloud.

“As many organizations migrate to cloud services,” Buffomante said, “it is critical that their business and security objectives align, and that they establish rigorous controls of their own, versus solely relying on the cybersecurity measures provided by the cloud vendor.”

The survey revealed that more companies could be turning to technology to better protect themselves. Forty-seven percent of respondents said their organization uses machine learning for security purposes, while 35 percent said they planned to invest in solutions equipped with security automation. Investing in both of these technologies, along with adopting security best practices, could help close cloud security gaps.

The post Nearly 4 in 10 IT Professionals Struggle to Detect and Respond to Cloud Security Incidents appeared first on Security Intelligence.

Patch Plugs More Than a Dozen Vulnerabilities Affecting Industrial Secure Router Series

A newly issued patch plugs more than a dozen vulnerabilities that affect certain versions of an industrial multiport secure router series. On 13 April, Cisco Talos published a report revealing the security weaknesses as part of a coordinated disclosure strategy with Moxa, an automation solutions provider for companies seeking to get the most out of […]

The post Patch Plugs More Than a Dozen Vulnerabilities Affecting Industrial Secure Router Series appeared first on The State of Security.

Inside Job Behind Theft of $3M from Bitcoin Exchange, Says CEO

The chief executive officer of a Bitcoin exchange believes the theft of more than $3 million from the platform was an inside job. On 12 April, the team behind Coinsecure replaced the Indian exchange’s website with a statement. The notice reveals that someone exposed users’ Bitcoin funds and then stole them out of a wallet […]

The post Inside Job Behind Theft of $3M from Bitcoin Exchange, Says CEO appeared first on The State of Security.

Navigating the Tech Industry’s ‘Great Shakeout’: Expert’s Advice for Securely Migrating to the Cloud

All indications suggest organizations’ adoption of the cloud is going to ramp up considerably in the next few years. According to Cisco’s Global Cloud Index: Forecast and Methodology (2016–2021) white paper, cloud data centers will process 94 percent of workloads and compute instances by 2021. Close to three-quarters of those resources will be Software-as-a-Service (SaaS) […]

The post Navigating the Tech Industry’s ‘Great Shakeout’: Expert’s Advice for Securely Migrating to the Cloud appeared first on The State of Security.

Ransomware Was the Most Prevalent Form of Malware in 2017

A recent data breach investigations study revealed that ransomware was the most prevalent variety of malware in 2017.

According to Verizon’s “2018 Data Breach Investigations Report (DBIR),” ransomware appeared in 39 percent of the security incidents in which malware was identified as an attack variety. That made it more prevalent than spyware, banking Trojans and every other category of malicious software over the course of the year.

Ransomware in Review

For the report, Verizon analyzed over 53,000 security incidents, including 2,216 data breaches, submitted from contributors in more than five dozen countries. The goal of the study was to identify trends in those events and inform organizations about the threats they’re up against as they plan their defense strategies.

The researchers ranked ransomware as the fifth-most prevalent action variety with 787 incidents, and noted that malware was utilized as a tactic in 30 percent of security events.

Gabe Bassett, senior information security data scientist at Verizon and co-author of the report, said he tracked ransomware’s growth since it first appeared in the 2013 edition of the DBIR. During that span of time, he witnessed ransomware activity double year over year on at least two separate occasions.

“The reason we’re seeing this incredible prevalence is ransomware is a great value proposition for the attacker,” Bassett told TechRepublic. “They don’t have to do a lot of the complex work. They just drop a piece of malware and then let it run.”

Ransomware activity also grew because of its flexibility, allowing cybercriminals to launch campaigns against targets that are more lucrative than users’ personal devices. In fact, Verizon noted a rise in ransomware operations targeting enterprises’ file systems and databases.

An Industry Perspective

Ransomware was more prevalent in some industries than others. Healthcare came in at the top, with ransomware accounting for 85 percent of the malware identified in the sector’s incidents over the course of the year. The May 2017 outbreak of WannaCry, which claimed 34 percent of the U.K.’s National Health Service (NHS) hospital trusts as victims, according to the U.K. Department of Health and Social Care, likely helped drive up this figure.

But Bassett and his fellow researchers cautioned that the number might misrepresent the realities of data protection in the healthcare sector. The Verizon report noted that U.S. medical organizations are bound by federal regulation (the HIPAA breach-notification rules) to report ransomware incidents as data breaches rather than as data merely put at risk. It is therefore impossible to tell from the figures whether hospitals and other healthcare centers are more susceptible to ransomware than organizations in other industries or whether stricter reporting requirements account for the difference.

The report’s authors advised organizations to take certain steps to protect themselves against data breaches, including implementing two-factor authentication (2FA), patching software vulnerabilities and conducting ongoing security awareness training with employees.

The post Ransomware Was the Most Prevalent Form of Malware in 2017 appeared first on Security Intelligence.

U.S. Appeals Court Says Barnes & Noble Data Breach Victims Can Seek Damages

A U.S. federal appeals court has ruled that victims of a payment card data breach at Barnes & Noble can seek damages against the national bookseller. According to Reuters, the decision came on 11 April when the 7th U.S. Circuit Court of Appeals in Chicago said that Heather Dieffenbach of California and Susan Winstead of […]

The post U.S. Appeals Court Says Barnes & Noble Data Breach Victims Can Seek Damages appeared first on The State of Security.

Great Western Rail Resets All Customer Passwords after Detecting Password Reuse Attacks

Great Western Rail has taken the precaution of resetting the passwords for all its customers after detecting a limited campaign of password reuse attacks. As reported by The Register, the British train operating company detected password reuse attacks against some of its customers’ GWR.com accounts. In total, it found that bad actors had targeted 1,000 […]

The post Great Western Rail Resets All Customer Passwords after Detecting Password Reuse Attacks appeared first on The State of Security.

Survey: Nearly Half of Organizations Have a Consistent Enterprise Encryption Strategy

Nearly half of organizations have an enterprise encryption strategy that is applied consistently across the entire organization, a new encryption survey revealed. Forty-three percent of respondents to Thales’ “2018 Global Encryption Trends Study” said their employer had an enterprisewide encryption plan in place for 2017. That’s up from 41 percent in 2016 and 37 percent in 2015.

Enterprise Encryption Strategy Adoption on the Upswing

Thales began tracking the evolution of encryption back in 2005. In the 13 years that followed, the firm observed a steady increase in organizations adopting an encryption strategy. The company reported a decline in companies with no such strategy or plan over the same period: Just 13 percent of respondents said they lacked a comprehensive encryption policy in 2017, down from 15 percent two years prior.

Not all survey participants reported having a consistent plan across the entire organization, but the percentage of professionals with a limited enterprise encryption strategy didn’t change from 2016. Forty-four percent of respondents said their organization had a limited approach in both 2016 and 2017, which is up from just a quarter of individuals in 2015.

IT Security Spending on the Rise

For the study, Thales commissioned the Ponemon Institute to survey 5,252 individuals across industry sectors in the U.S., U.K. and 10 other countries. Their responses provided the company with insight into how enterprises’ use of encryption has evolved.

Their answers also illuminated how much budget employers are allocating to encryption and to IT security overall. The share of the IT security budget devoted to encryption declined slightly, from 14 percent in 2016 to 12 percent in 2017. At the same time, security accounted for roughly 10 percent of overall IT spending, a record high in a 13-year upward trend.

The report indicated some areas where both encryption and security spending could grow. One of them was cloud, with 21 percent of professionals expecting their organization to transfer sensitive or confidential data to the cloud within the next year or so. That’s in addition to the 61 percent of respondents who already do so.

Human Error an Ongoing Risk to Data

The Thales survey revealed that employee mistakes weighed heavily on respondents’ minds. Forty-seven percent of professionals cited human error as the most salient threat to sensitive or confidential data, followed by system or process malfunction and cybercriminals at 31 percent and 30 percent, respectively.

To protect against employee mistakes, organizations should balance technical controls with training that helps employees take responsibility for their actions.

The post Survey: Nearly Half of Organizations Have a Consistent Enterprise Encryption Strategy appeared first on Security Intelligence.

Ransomware Named Most Prevalent Malware in Verizon’s 2018 DBIR

Verizon Enterprise has named ransomware the most prevalent variety of malware in its 2018 Data Breach Investigations Report (DBIR). For the 11th edition of its report, Verizon Enterprise analyzed 53,308 incidents with 2,216 confirmed data breaches. Researchers with the American multinational telecommunications conglomerate found that three in 10 incidents included malware. Of those that did, […]

The post Ransomware Named Most Prevalent Malware in Verizon’s 2018 DBIR appeared first on The State of Security.

New Scam Targeting Corporations’ Chip Cards, Warns Secret Service

The United States Secret Service is warning of a new scam in which thieves are targeting the chip-based debit cards issued to corporations. As reported by Brian Krebs, the scam involves criminals intercepting a newly issued debit card along its way to a corporation, tampering with the chip and waiting until it’s activated so that […]

The post New Scam Targeting Corporations’ Chip Cards, Warns Secret Service appeared first on The State of Security.

Nearly Half of Organizations Targeted Again Within a Year of Suffering a ‘Significant’ Cyberattack, Report Reveals

Nearly half of organizations that suffered a “significant” digital attack fell victim to bad actors again within a year’s time, a new security trends report revealed.

According to Mandiant’s “M-Trends 2018” report, 49 percent of managed detection and response customers that remediated a large-scale attack suffered an incident from the same or a similarly motivated threat group within one year. The initial assaults consisted of data theft, credential harvesting and spear phishing, among other techniques.

Unpacking Repeat Cyberattack Trends

Mandiant admitted to not having looked at recompromise figures since it released its “M-Trends 2013” study five years ago. That report found that 38 percent of clients had suffered another attack after successful remediation.

Counted without the one-year window, the share of repeat victims in 2017 was somewhat higher: 56 percent of customers weathered at least one further significant attack from the same threat group or a similarly motivated one. At the same time, the vast majority (86 percent) of organizations that remediated more than one significant attack had more than one distinct threat actor active in their IT environment.

Some regional differences were apparent over the course of the year. Fewer than half of customers in the Americas and in Europe, the Middle East and Africa (EMEA) experienced another attack of consequence and/or multiple threat actors. By contrast, 91 percent of Asia-Pacific (APAC) clients dealt with a subsequent campaign, while 82 percent of organizations from that region suffered significant attacks from multiple groups.

The Good News and Bad News About Dwell Time

Dwell time, the median number of days attackers were present in a victim’s network before being detected, increased across several regions in 2017, according to the report. The APAC median nearly tripled, from 172 days to 489 days. The EMEA increase was more modest at roughly 65 percent, from 106 days to 175 days.

Stuart McKenzie, vice president of Mandiant at FireEye, expressed disappointment in the growth of the median EMEA dwell time but noted that it’s not all bad news.

“On the positive side, we’ve seen a growing number of historic threats uncovered this year that have been active for several hundred days,” McKenzie said, as quoted by Infosecurity Magazine. “Detecting these long-lasting attacks is obviously a positive development, but it increases the dwell time statistic.”

Over the same period, the median dwell time for the Americas decreased from 99 days to 75.5 days. The global median rose slightly, from 99 days to 101 days.

Looking Ahead

In the report, Mandiant shared its prediction that foreign digital espionage groups will continue to prey upon U.S. companies and service providers in 2018. It also predicted that bad actors will increasingly target the software supply chain, compromising developers and software-makers in order to reach their customers over the course of the year.

The post Nearly Half of Organizations Targeted Again Within a Year of Suffering a ‘Significant’ Cyberattack, Report Reveals appeared first on Security Intelligence.

Shopper’s Lawsuit Seeks $5M in Damages for Data Breach at Saks Fifth Avenue, Lord & Taylor

A shopper has filed a class-action lawsuit seeking at least $5 million in damages for a data breach that affected Saks Fifth Avenue and Lord & Taylor. According to Women’s Wear Daily, shopper Antranik Mekerdijian filed a class action lawsuit against Hudson’s Bay Company, owner of the two luxury department stores, in a California federal […]

The post Shopper’s Lawsuit Seeks $5M in Damages for Data Breach at Saks Fifth Avenue, Lord & Taylor appeared first on The State of Security.

Cloud vs. On-Premises: Understanding the Security Differences

More and more organizations are now entrusting their IT resources and processing to the cloud. This trend is likely to grow in the coming years. To illustrate, Gartner predicts that cloud data centers will process 92 percent of workloads by 2020. Cloud workloads are expected to increase 3.2 times in that same span of time, […]

The post Cloud vs. On-Premises: Understanding the Security Differences appeared first on The State of Security.

Mark Zuckerberg Doesn’t Plan to Extend GDPR to All Facebook Users

Mark Zuckerberg doesn’t plan on extending the European Union’s General Data Protection Regulation (GDPR) to all Facebook users. On 3 April, Facebook’s chief executive told Reuters in a phone interview that the social networking platform was working on applying a version of the Regulation to users worldwide. When asked what parts of the framework would […]

The post Mark Zuckerberg Doesn’t Plan to Extend GDPR to All Facebook Users appeared first on The State of Security.

Less Than 30 Percent of IT Security Executives Can Prevent Ransomware Attacks, Survey Reveals

Less than 30 percent of IT security executives who responded to a recent survey reported that they would be able to prevent large-scale ransomware attacks.

Despite this, SolarWinds MSP’s new report, “The 2017 Cyberattack Storm Aftermath,” found that IT security executives have a high level of knowledge of crypto-malware. More than two-thirds (69 percent) of respondents said they were deeply familiar with ransomware attacks such as WannaCry, which infected hundreds of thousands of endpoints within 48 hours in May 2017, and Petya, which affected systems in dozens of countries in June 2017.

This familiarity led approximately three-quarters of survey participants to rate the risk of both WannaCry and Petya as very high, but it didn’t translate to better protection against this type of incident. While most respondents indicated that they would be able to detect WannaCry (72 percent) and Petya (67 percent), only 28 percent and 29 percent, respectively, said they would be able to prevent these attacks.

Organizations Struggle to Curb Ransomware Attacks

For the survey, SolarWinds MSP commissioned the Ponemon Institute to poll 202 senior-level IT security executives in the U.S. and U.K. about some of the most high-profile threats that emerged in 2017. Their responses revealed that enterprises could be doing more to protect against these widespread attacks.

For example, just one-quarter of respondents said their organization employs specialists who possess the necessary expertise to defend against ransomware and other threats. Meanwhile, one-third admitted that their employer doesn’t have any specialized personnel on the payroll and doesn’t consult with external experts.

Many of these problems can be attributed to lack of resources. Less than half of survey participants reported having sufficient technology to prevent, detect and contain significant threats, and 48 percent said their organization’s IT security budget was inadequate.

Patching and Basic Security Hygiene

Tim Brown, vice president of security architecture at SolarWinds, said the best way for organizations to close these gaps and protect themselves against ransomware is to apply software patches.

“People often don’t think of basic security hygiene as one of the most important things they need to do, but it really is — although it’s really not easy,” Brown told Infosecurity Magazine. “Doing the basics well is not ‘sexy’ or ‘cool,’ it’s a lot of hard work that needs to get done, but no technology is going to really save you from that hard work.”

For companies that lack the necessary resources to fulfill those security basics, Brown suggested contracting security functions to a managed services provider (MSP).

The post Less Than 30 Percent of IT Security Executives Can Prevent Ransomware Attacks, Survey Reveals appeared first on Security Intelligence.

Global IoT Security Spending to Reach $1.5 Billion in 2018, Report Reveals

Enterprises could spend as much as $1.5 billion to secure their IoT devices in 2018, a new report revealed.

As part of its report titled “Forecast: IoT Security, Worldwide, 2018,” Gartner estimated that organizations’ IoT security spending will grow 28 percent this year, increasing from the $1.2 billion spent in 2017.

IoT Spending on the Rise

Professional services will account for $946 million of that total, Gartner predicted. Endpoint security and gateway security will follow at $373 million and $186 million, respectively.

As the demand for penetration testing, asset discovery and other solutions grows, organizations will commit even more funding to IoT security, according to the report. In addition, spending will more than double from $1.5 billion in 2018 to $3.1 billion in 2021.

Limiting Factors

Although global spending on IoT security is increasing, Gartner noted some limiting factors. For example, failure to prioritize and implement security best practices and tools could restrain spending by as much as 80 percent in the coming years.

Ruggero Contu, research director at Gartner, said that companies are also failing to organize their disparate security projects into a cohesive whole. He noted that most IoT security measures are planned, deployed and operated by business units in collaboration with IT.

“However,” he explained, “coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider’s alliances with partners or the core system that the devices are enhancing or replacing.”

A Bright Future for IoT Security

The lack of standard IoT security practices might be a problem now, but Gartner indicated that it won’t be an issue for long.

Regulatory compliance will help push security-by-design for the IoT, especially in heavily regulated industries. If those guidelines are widely adopted, Gartner predicted, IT security standards bodies will create formal frameworks for securing connected devices in the workplace.

The post Global IoT Security Spending to Reach $1.5 Billion in 2018, Report Reveals appeared first on Security Intelligence.

U.S. Pipeline Network Disables Transactions System After Digital Attack

A major U.S. pipeline network temporarily disabled a system that digitally processes customer transactions following a digital attack. Energy Transfer Partners (ETP), a Fortune 500 oil and natural gas company, disclosed the incident on 2 April in a notice sent to shippers. According to Dallas News, the announcement reveals that digital attackers targeted the electronic […]

The post U.S. Pipeline Network Disables Transactions System After Digital Attack appeared first on The State of Security.

‘Tiger’ Named the Most Common Password Related to a Sports Team

Security researchers recently claimed that “Tiger” is the most common password relating to sports teams and mascots.

To coincide with the annual NCAA Division I men’s basketball tournament, Keeper Security published a bracket of some of the most commonly used sports-related passwords. Among them, “Tiger” and its variations, such as “T1ger” and “T1g3r,” came out on top.

What’s the Most Common Password Related to Sports?

According to a press release, “Tiger” was 850 percent more common than “Bluejay,” the password that appeared least frequently. It was also 187 percent more common than “Eagle,” the runner-up for first place.

Some of the other credentials that appeared in Keeper Security’s bracket were “Bulldog,” “Gator,” “Cardinal,” “Wildcat” and “Hurricane.”

Keeper Security's bracket for sports-themed passwords that are commonly leaked
Source: Keeper Security

To create this bracket, Keeper Security used a file of compromised credentials uncovered by security firm 4iQ that included 1.4 billion passwords, according to a 4iQ blog post. All of these credentials were stored in cleartext rather than as hashes, meaning that anyone with a copy of the file could read them directly, with no cracking required.

A Call for Better Account Security

Darren Guccione, CEO and co-founder of Keeper Security, said his company’s bracket reflects the fact that users continue to opt for convenience over security when choosing a password.

“People often choose their passwords based on something they can easily remember,” explained Guccione. “But those are the easiest passwords for hackers to crack. Since most people reuse the same password more than 80 percent of the time, this can compromise consumers’ banking, retail and social media accounts.”

Attackers don’t even need to steal those credentials from improperly secured databases or buy them from underground marketplaces. Because the same base words and the same predictable substitutions turn up again and again, they can run dictionary or password-spraying attacks against login endpoints with a wordlist built from exactly these common choices and a handful of mangling rules.

While Keeper’s password bracket is all in good fun, it also illustrated the need for users to embrace better account security practices. They can do so by adopting authentication solutions such as biometrics and by following the recommendations of enterprise security teams. Most will advise users to avoid simple keystroke combinations, stay away from common dictionary words and create unique passwords for each account.
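The attack and the defense described above, as an added example that is not part of the original post nor Keeper Security’s or 4iQ’s code. The attacker side expands a base word such as “tiger” with the mangling rules a cracker applies (case changes, leetspeak, common suffixes) and tries the result against a small set of hashes constructed here for illustration; the defender side undoes the same transformations before comparing a proposed password against a blocklist, so that “T1g3r2018!” is judged as “tiger.” The blocklist, the leet tables, the suffix list and the “leaked” hashes are all assumptions chosen for the example, and unsalted SHA-256 stands in for the weak hashing such leaks often use.

```python
"""Why leetspeak variants of a common word do not help, and how a blocklist
check can reject them.  Added example; the blocklist, mangling rules and
"leaked" hashes are constructed for illustration, not real data."""
import hashlib
import itertools
import re

# Constructed blocklist: the base words from the bracket in the article.
BLOCKLIST = {"tiger", "eagle", "bulldog", "gator", "cardinal",
             "wildcat", "hurricane", "bluejay"}

# Character substitutions that crackers routinely apply (and that a
# defender must undo). Both tables are assumptions for this example.
LEET_TO_PLAIN = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                 "7": "t", "@": "a", "$": "s", "!": "i"}
PLAIN_TO_LEET = {"o": "0", "i": "1", "e": "3", "a": "4", "s": "5", "t": "7"}
SUFFIXES = ["", "1", "123", "!", "2017", "2018"]  # typical year/digit padding


def sha256_hex(text):
    """Unsalted SHA-256, standing in for the weak hashing of a typical leak."""
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word):
    """Attacker side: expand one base word with case, leet and suffix rules,
    the way a cracker's rule file would."""
    cases = {word.lower(), word.capitalize(), word.upper()}
    leeted = set()
    for w in cases:
        # Apply every subset of the possible leet substitutions.
        positions = [i for i, c in enumerate(w) if c.lower() in PLAIN_TO_LEET]
        for r in range(len(positions) + 1):
            for chosen in itertools.combinations(positions, r):
                chars = list(w)
                for i in chosen:
                    chars[i] = PLAIN_TO_LEET[chars[i].lower()]
                leeted.add("".join(chars))
    return {w + s for w in leeted for s in SUFFIXES}


def dictionary_attack(hashes, wordlist):
    """Hash every mangled candidate and report which captured hashes match.
    Returns {hash: recovered_password}."""
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in hashes:
                found[digest] = candidate
    return found


def normalize_candidates(password):
    """Defender side: the forms a blocklist check should compare, so that
    'T1g3r2018!' and '3agle' are both seen as their base word."""
    lower = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)  # strip digit/symbol padding
    undo = lambda s: "".join(LEET_TO_PLAIN.get(c, c) for c in s)
    return {lower, core, undo(lower), undo(core)}


def check_password(password, blocklist=BLOCKLIST, min_len=12):
    """Return (accepted, reason): length first, then the blocklist."""
    if len(password) < min_len:
        return False, "shorter than %d characters" % min_len
    hit = normalize_candidates(password) & blocklist
    if hit:
        return False, "variant of blocklisted word '%s'" % hit.pop()
    return True, "ok"


if __name__ == "__main__":
    # Constructed "leak": hashes of three weak choices from the bracket.
    leaked = {sha256_hex(p) for p in ("T1g3r", "Eagle2018", "bulldog!")}
    print(dictionary_attack(leaked, ["tiger", "eagle", "bulldog"]))
    for p in ("T1g3r", "Hurricane2018!!", "correct-horse-battery-staple"):
        print(p, check_password(p))
```

The defender check deliberately tests length before the blocklist, yet “Hurricane2018!!” still fails: it clears the 12-character minimum but normalizes to a blocklisted word, which is the point the bracket makes about padding and substitutions. A production blocklist would be far larger than this one and would be consulted alongside breach-corpus lookups and a second factor, not instead of them.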

The post ‘Tiger’ Named the Most Common Password Related to a Sports Team appeared first on Security Intelligence.

Saks Fifth Avenue, Lord & Taylor Suffer Payment Card Data Breach

Saks Fifth Avenue and Lord & Taylor have both suffered a data breach involving customers’ debit and credit card information. The data breach became apparent on 28 March when Joker’s Stash, a seller of stolen payment card details on underground markets, announced its “BIGBADABOOM-2” sale of five million cards. Working with financial organizations, Gemini Advisory […]

The post Saks Fifth Avenue, Lord & Taylor Suffer Payment Card Data Breach appeared first on The State of Security.

Under Armour Notifies 150M MyFitnessPal Users of Data Breach

Under Armour has taken steps to notify 150 million MyFitnessPal users of a data breach that might have affected their account information. On 29 March, Under Armour published a statement announcing that it was working to notify approximately 150 million users of MyFitnessPal, a food and nutrition app and website for the American clothing manufacturer, […]

The post Under Armour Notifies 150M MyFitnessPal Users of Data Breach appeared first on The State of Security.

Government Leaders Rank Cybersecurity Threats as Top Trend Affecting Communications, Survey Reveals

Cybersecurity threats constitute the top trend affecting government communications, a recent survey of local councils and leaders revealed.

In Vision’s 2018 research brief titled “What’s Next in Digital Communications for Local Government,” more than one-quarter (27 percent) ranked cybersecurity threats as the top factor influencing how their government communicates and operates. Citizen engagement ranked slightly lower among survey participants at 24 percent, followed by social media at 13 percent.

Cybersecurity Is Top of Mind for Government Leaders

These concerns help explain why security is at the top of respondents’ minds for 2018: 41 percent of surveyed parties told Vision, a service that builds, develops and hosts websites for local governments, that minimizing cybersecurity risk is among their top priorities for the year, behind only expanding citizen engagement (66 percent) and improving web accessibility and adherence to Web Content Accessibility Guidelines (WCAG) 2.0 (53 percent).

David Nachman, general manager of content management solutions for Vision, said these considerations among local government leaders reflect the concerns of their constituents.

“It’s clear that local agencies are well aware of the rising expectations of their increasingly digital and mobile citizens who now demand the same level of accessibility, security and efficiency they enjoy in the private sector,” Nachman wrote in an article on GCN.

Cybersecurity Threats: A Persistent Problem

The Vision report underscored persistent cybersecurity challenges confronting governments. According to Netwrix’s “2017 IT Risks Report,” 65 percent of governments said they suffered a breach in 2016. Only 26 percent said they felt prepared to defend their data against cyberthreats.

At the same time, nearly half of government employees that responded to a recent Dtex survey said they take no responsibility for cybersecurity. Even worse, one-third of participants said they believe they are more likely to be struck by lightning than to suffer a data breach.

To address these ongoing issues, Dtex advised governments to adopt a layered approach to cyberdefense that consists of building a positive security culture in the workplace and using intelligent, automated data protection tools.

The post Government Leaders Rank Cybersecurity Threats as Top Trend Affecting Communications, Survey Reveals appeared first on Security Intelligence.

Facebook to Include Data Misuse Issues in Bug Bounty Program

Facebook has announced its plans to expand its bug bounty program to include issues of app developers misusing users’ data. On 26 March, Facebook’s director of product partnerships Ime Archibong made public the social network’s intention to reward researchers for spotting instances of data misuse by app developers. The change is expected to take effect […]

The post Facebook to Include Data Misuse Issues in Bug Bounty Program appeared first on The State of Security.

The FBI’s 10 Most-Wanted Black-Hat Hackers – #9 and #8

Recently, we renewed our countdown of the FBI’s 10 most wanted black-hat hackers. First up was Behzad Mesri at number 10. He is accused of having compromised Home Box Office (HBO) employees’ emails and abused that access to steal data, extort the company for ransom, and leak the information online when he didn’t get his […]

The post The FBI’s 10 Most-Wanted Black-Hat Hackers – #9 and #8 appeared first on The State of Security.

“Limited Breach” Detected on System Supporting Baltimore’s 911 Emergency Services

City officials have confirmed they detected what they’re calling a “limited breach” on a system that supports Baltimore’s 911 emergency services. According to The Baltimore Sun, city personnel detected the intrusion at 08:30 local time on 25 March. They quickly determined that unknown attackers had hacked into the municipality’s computer-aided dispatch (CAD) system. This type […]

The post “Limited Breach” Detected on System Supporting Baltimore’s 911 Emergency Services appeared first on The State of Security.

Atlanta Struggling to Recover from Ransomware Infection Days After Attack

The city of Atlanta is struggling to recover from a ransomware infection days after the initial attack targeted its computer network. As of 26 March, the municipality was still struggling to collect customers’ online payments for bills and fees. Such disruption continues to plague the State of Georgia’s capital city at a time when Atlanta […]

The post Atlanta Struggling to Recover from Ransomware Infection Days After Attack appeared first on The State of Security.

Two-Thirds of Organizations Struggle to Find Professionals With Necessary Cybersecurity Skills, Survey Reveals

The cybersecurity skills gap remains a major obstacle for most organizations, a recent survey revealed.

According to “Cybrary Declassified: Unraveling the Cyber Skills Gap and Talent Shortage,” two-thirds of IT, security and other nontechnical employees said it’s difficult for their organization to find qualified cybersecurity professionals.

As a result, 68 percent of respondents said they doubt their employer’s ability to defend against advanced threats. Furthermore, one-third of IT personnel revealed that their organization has already suffered at least one security breach.

Closing the Cybersecurity Skills Gap Through Training

Participants in the survey were candid about their own cybersecurity skills: 4 out of 5 professionals admitted that they don’t feel qualified to protect their organizations.

To help overcome this skills gap, many employees have turned to training programs. The majority of respondents (80 percent) said they enrolled in online programs as opposed to physical classrooms (17 percent) and conferences (3 percent). As for preferred training format, 65 percent sought out practical exercises, while one-quarter used video training programs, followed by exams and collaboration at 7 percent and 6 percent, respectively.

Finding the time and budget for training was a personal endeavor for most of the employees surveyed. Eighty-seven percent of respondents told Cybrary that they dedicated at least some of their personal time to training. Slightly less than that (85 percent) committed part of their funds to training.

The cost of training varied widely: 40 percent of respondents revealed that their skills-building programs cost up to $1,000, while about 1 in 10 said their efforts cost more than $5,000.

Integrating Cybersecurity Training Into the Work Culture

Kathy Miley, chief operating officer (COO) of Cybrary, said she isn’t against employees using some of their money to pay for training, but she does feel that organizations have a responsibility to integrate training into the work culture. Doing so can help more clearly define the company’s mission, vision and values for employees, she said.

“Leaders must prioritize creating a dynamic learning environment where experience is not only rewarded, but less-experienced employees receive the support they need to improve their skills,” Miley explained in the report. “The future of modern business is dependent on human intelligence.”

Cybrary advised organizations to collect employee feedback on training types, conduct annual performance reviews of educational programs and provide incentives for employees to participate in such initiatives.

The post Two-Thirds of Organizations Struggle to Find Professionals With Necessary Cybersecurity Skills, Survey Reveals appeared first on Security Intelligence.

Cobalt/Carbanak Malware Group Leader Arrested in Spain

The Spanish National Police has arrested the leader of a criminal group responsible for developing sophisticated banking malware including Cobalt and Carbanak. On 26 March, EUROPOL announced the arrest of the yet-unnamed computer criminal mastermind in Alicante, Spain. That individual is responsible for helping to attack 100 financial institutions worldwide and cause more than 1 […]

The post Cobalt/Carbanak Malware Group Leader Arrested in Spain appeared first on The State of Security.

19% of Ohio State University Students Clicked on Links in Phishing Simulation

Nearly one in five students at Ohio State University clicked on unverified links in emails sent to them as part of a phishing simulation. On 31 January, the IT risk management office at Ohio State University (OSU) initiated a phishing exercise against the university’s student population. Its intention was to determine how many students would […]

The post 19% of Ohio State University Students Clicked on Links in Phishing Simulation appeared first on The State of Security.

Forty Percent of Email Fraud Attacks Against US Businesses Resulted in an Employee’s Termination, Survey Reveals

Companies in the U.S. fired an employee after 40 percent of email fraud attacks that occurred over the past two years, a new survey revealed.

According to Proofpoint’s “Understanding Email Fraud” report, U.S. organizations fired responsible personnel following a business email compromise (BEC) attack more often than companies in all other countries. Australian firms terminated someone in response to slightly more than 25 percent of strikes, while companies in the U.K. and Germany did so even less frequently. Organizations in France fired employees in roughly 15 percent of fraud cases, the lowest total of the countries included in the study. Overall, businesses around the world terminated employees after nearly 1 in 4 attacks.

A Pervasive Threat

For the survey, Proofpoint commissioned Censuswide to speak to people at companies with 200 or more employees across various industries about their experiences with email fraud attacks. The firm queried 2,250 individuals in the U.S., U.K., Germany, France and Australia to determine how businesses are affected by BEC, who is most at risk and how organizations are protecting themselves, if at all.

The responses revealed that email fraud attacks are pervasive around the world. Respondents from three-quarters of organizations surveyed told Censuswide that their employer suffered an attack in the last two years, while 41 percent reported that their company was hit more than once.

Firing responsible personnel was just one consequence of email fraud addressed in the study. In 55.7 percent of cases, organizations suffered downtime or other business disruptions. Meanwhile, companies lost sensitive data in roughly half of BEC instances and lost funds to cybercriminals in about one-third of such attacks.

Driving Awareness Around Email Fraud

Robert Holmes, vice president of email security products for Proofpoint, said he believes that BEC scams are so prolific because of their simplicity. These campaigns involve small distribution operations rather than malicious attachments or links, partly because the attackers attempt to impersonate people in positions of authority within those organizations.

This makes email fraud “extremely difficult to detect and stop with traditional security tools,” according to Holmes, as quoted by Infosecurity Magazine. “Our research underscores that organizations and board rooms have a duty to equip the entire workforce with the necessary solutions and training to protect everyone against this growing threat,” he continued.

The Proofpoint survey noted that most organizations can do more to protect against BEC attacks by implementing phishing awareness programs and creating business controls to stop fraudulent wire transfers. It also highlighted the importance of implementing security measures such as end-to-end encryption, access controls and email authentication.

The post Forty Percent of Email Fraud Attacks Against US Businesses Resulted in an Employee’s Termination, Survey Reveals appeared first on Security Intelligence.

Researchers Can Earn up to $15K in Netflix’s New Public Bug Bounty Program

Netflix has launched a public bug bounty program through which security researchers can receive rewards of up to $15,000. Announced on 21 March, the streaming service’s new responsible vulnerability disclosure framework will award researchers upwards of thousands of dollars for reporting weaknesses discovered in Netflix’s primary targets. In-scope applications include the American entertainment company’s API, […]

The post Researchers Can Earn up to $15K in Netflix’s New Public Bug Bounty Program appeared first on The State of Security.

Cybercrime Profits Total Nearly $200 Billion Each Year, Study Reveals

Illegal cybercrime profits total as much as $200 billion each year, according to an academic study into cybercriminals’ money laundering schemes.

Virtualization-based security firm Bromium announced some of the findings from its nine-month “Into the Web of Profit” study into how cybercriminals launder money online. The report revealed that cybercrime funds make up between 8 and 10 percent of illegal profits laundered across the world. Those figures place global ill-gotten proceeds at $80 billion to $200 billion annually.

Digital Currencies Driving Cybercrime Profits

Virtual currencies have become the primary tools threat actors use to launder money. They could play an even bigger role in future illicit transactions. According to the study, cybercriminals are increasingly using digital money to purchase real estate, with cryptocurrencies expected to account for 25 percent of total property sales in the next few years.

Even so, law enforcement is more intent on monitoring bitcoin, which is driving cybercriminals to look for alternatives, the study found. Some bad actors could turn to Litecoin, the second-most popular cryptocurrency on the Dark Web. Others are expected to embrace in-game currency and goods from “Grand Theft Auto V,” “Minecraft” and other computer games.

The Cybercrime Economy

Dr. Mike McGuire, senior lecturer in criminology at Surrey University in England, conducted the study under Bromium’s sponsorship. His research revealed that cybercrime is more than just a business.

“It’s like an economy which mirrors the legitimate economy,” said McGuire, as quoted by Dark Reading. “The problem here is the cyber economy and the legitimate economy is so intertwined that some laundering is going on in cyber, then back to the real world, then back to cyber.”

McGuire will present further findings from “Into the Web of Profit” during his speaker slot at the RSA Conference 2018 in San Francisco on April 20.

The post Cybercrime Profits Total Nearly $200 Billion Each Year, Study Reveals appeared first on Security Intelligence.

Frost Bank Detects Unauthorized Access that Could Have Exposed Check Images

Texas-chartered Frost Bank has detected an instance of unauthorized access that might have exposed the images of some electronically stored checks. Frost, which is one of the largest banks in Texas at 139 branches across the state, detected the security incident in March 2018. According to a statement published on its website, the event involved […]

The post Frost Bank Detects Unauthorized Access that Could Have Exposed Check Images appeared first on The State of Security.

How to Use NIST’s Cybersecurity Framework to Protect against Integrity-Themed Threats

When it comes to the CIA triad, confidentiality generally commands most of the attention. Organizations are worried about the unauthorized disclosure of their data, so they concentrate on reducing the risks of that type of incident. In so doing, however, enterprises commonly overlook the other two triadic elements, integrity in particular. Ron Ross, a […]

The post How to Use NIST’s Cybersecurity Framework to Protect against Integrity-Themed Threats appeared first on The State of Security.

Report: UK Health Device Regulations Don’t Fully Consider How Poor Digital Security Affects Patient Safety

Current U.K. regulations do not fully consider how poor device security could potentially affect patient privacy and safety in the healthcare sector, according to a new report.

Vulnerabilities and Increased Integration Put Patients at Risk

In a study titled “Cyber Safety and Resilience: Strengthening the Digital Systems That Support the Modern Economy,” researchers from the Royal Academy of Engineering argued that the U.K.’s health device regulations fail to adequately account for digital security as the technology landscape evolves.

“The regulation of health devices and systems has focused on patient safety, albeit not perfectly, but has not fully considered the possible impacts of poor cybersecurity,” the researchers wrote in the report. “As new technologies and systems are created, and the threat environment evolves, vulnerabilities in connected health devices need to be addressed.”

According to the study, both implantable and nonimplantable health devices are prone to vulnerabilities. These weaknesses affect low-power, low-footprint sensors as well as large-scale legacy medical equipment.

At the same time, the researchers observed that healthcare providers’ enterprise systems are integrating more with clinical suppliers and systems. This makes them preferred targets of ransomware and other digital threats.

Improving Health Device Regulations in the UK

Researchers advised U.K. regulators to address these risks by linking data protection standards with digital security best practices. In addition, security frameworks should use clear language to help device manufacturers and other parties easily navigate the regulations.

The report also outlined the following recommendations for securing health devices to ensure patients’ safety:

  • Governance — When applicable, clarify the roles and responsibilities for national and local entities in the U.K.’s National Health Service (NHS).
  • Procurement — Look to other industries to understand supply chain risks. Organizations can use that knowledge to build more trustworthy products and provide customers with information about the security of those items.
  • Design — Seek input from healthcare professionals when creating new systems. Developers need such contributions to learn how health organizations implement their systems.
  • Defense — Explore patch management strategies that account for patient safety and the security of medical devices.
  • Education — Train clinical professionals on digital security and data literacy.

The report’s lead author, Nick Jennings, underscored these recommendations with a plea to build better security into systems from the outset. “We cannot totally avoid failures or attacks,” he said, “but we can design systems that are highly resilient and will recover quickly.”

Many of the recommendations for healthcare also apply to other critical sectors. The researchers noted that it’s important for private organizations to work with the U.K. government to develop relevant sector-specific guidelines.

The post Report: UK Health Device Regulations Don’t Fully Consider How Poor Digital Security Affects Patient Safety appeared first on Security Intelligence.

Microsoft Launches Limited-Time Bug Bounty Program for Bugs Like Spectre and Meltdown

Microsoft has launched a limited-time bug bounty program to help discover and address vulnerabilities similar to Spectre and Meltdown. On 14 March, the Redmond-based tech giant announced a framework for speculative execution side channel vulnerabilities. The program encourages researchers to submit their discoveries of hardware design weaknesses on par with Spectre and Meltdown, two vulnerabilities […]

The post Microsoft Launches Limited-Time Bug Bounty Program for Bugs Like Spectre and Meltdown appeared first on The State of Security.

For the First Time, DHS and FBI Accuse Russia of Hacking U.S. Energy Organizations

For the first time on record, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) publicly blamed Russia for attempting to hack U.S. energy infrastructure. On 15 March, DHS and FBI published a joint Technical Alert (TA) via the United States Computer Emergency Readiness Team (US-CERT). In it, officials say Russian […]

The post For the First Time, DHS and FBI Accuse Russia of Hacking U.S. Energy Organizations appeared first on The State of Security.

Unique Data Exfiltration Method Makes PinkKite POS Malware Stand Out

A new family of point-of-sale malware called “PinkKite” uses a unique method to exfiltrate consumers’ stolen payment card information. Kroll Inc. researchers Matt Bromiley and Courtney Dayter presented on the threat during Kaspersky’s Security Analyst Summit 2018 on 9 March. In their talk entitled “It’s a Small World After All: The Evolution of Small POS […]

The post Unique Data Exfiltration Method Makes PinkKite POS Malware Stand Out appeared first on The State of Security.

The FBI’s 10 Most Wanted Black-Hat Hackers – #10

Hackers all have different intentions. Some work to make computer networks more secure, while others develop malware and exploit software vulnerabilities. Of the latter group, there is a special subclass of criminals: those who make the FBI’s Cyber’s Most Wanted list. These individuals give a whole new meaning to black-hat hacking. The nature of their […]

The post The FBI’s 10 Most Wanted Black-Hat Hackers – #10 appeared first on The State of Security.