Category Archives: coronavirus

Trends in IT-Security and IAM in 2021, the “New Normal” and beyond

Article by Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH

Yes, there is hope for 2021, but the challenges of the “New Normal” are here to stay. CISOs have to prepare and start acting now, because cybersecurity and the IT infrastructure will have to face threats that have only just started.

The year 2020 was the year working from home lost its oddity status and became normality. Big names like Google and Twitter are planning long-term and hold out the prospect of working from home on a permanent basis. More than 60 percent of companies are trying the same and implemented home office policies in 2020. But with great flexibility comes great responsibility: everyone responsible for cybersecurity and a secure IT infrastructure is now dealing with new challenges in closing the last gaps and weak points when it comes to allowing access to company resources. Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH, the specialist for secure identity access management (IAM), authentication and authorization, shows the top 3 issues CISOs have to look out for:

1. The Problem with Insider Threats will only get Worse
With more and more people working from home, the use of personal devices and private networks only increases and further fuels the risk of insider threats. This does not come as a surprise. As early as 2018, Verizon's Data Breach Investigations Report already recorded an increase in threats from "internal actors," meaning employees who knowingly or unknowingly illegally disseminated data and other company information. According to the 2020 report, insiders were responsible for a data breach in a striking 30% of cases.

The case of Twitter in the summer of 2020 vividly illustrates the damage an insider threat can create. Hackers used social engineering to exploit the insecurity of IT employees and thus gain access to internal systems. Of course, it is quite unlikely that any of Twitter’s employees acted with malicious intent; still, they became the tool for an attack. The result: although the account takeovers (ATOs) were used for fairly obvious scam posts, the attackers captured well over $100,000.

No company is immune to such attacks, and even strict cybersecurity policies have little effect because they are very difficult to enforce or monitor when people are working from home. Therefore, it can be assumed that the number of insider threats will increase by more than 20% in 2021.

2. Ransomware and Shadow IT are bound to become the CISO's nightmare
Working from home came suddenly for most companies, pretty much overnight, and even now most corporations are not sufficiently prepared for the challenges that lie ahead. Unlike in the office, where the IT department can control the distribution of software on employee PCs reasonably reliably, the use of home networks and private devices opens up new attack vectors for hackers.

Employees often use third-party services, download free software, or use private cloud services as a workaround when corporate services are not available. The storage of documents and access to data or other sensitive information on private devices will also continue to increase without CISOs being able to control it. Since private devices and networks are usually inadequately protected, they serve as a gateway for ransomware, which then attacks corporate networks, encrypts data and extorts high ransoms. Gartner analysts had already predicted a 700% increase in 2017; the growth from the New Normal will dwarf those numbers and give CISOs many sleepless nights. Due to system and network vulnerabilities, misconfigurations, phishing, and the increase in credential attacks, we will likely see an exponential increase in ransomware attacks in 2021.

3. Mobile Devices Become a Favourite Target for Hackers
Developments such as multi-factor authentication (MFA) are improving the security of access to corporate services. On the flip side, they have put mobile devices in the crosshairs of hackers. As smartphones are now used for almost all online activities, the number of attack vectors has grown steadily along with them. In addition to malware, which can be easily installed via third-party apps, especially on Android, and data manipulation or the exploitation of recovery vulnerabilities (such as the interception of magic links or PIN text messages), social engineering is a particularly popular field here.

In addition to the widespread phishing e-mail, vishing (manipulation of employees by fictitious calls from IT staff) and smishing (which works similarly to phishing but uses SMS instead of e-mail) will increase sharply. Hackers will come up with new tricks to compromise mobile devices, and that can only make digital fraud worse.

2021: The Year We Abolish Trust
In a year in which we will have to learn a lot of things anew, CISOs are well-advised to not build anything on trust – neither their network infrastructure nor their IAM. Zero-trust architectures that question all access to corporate resources must become the standard in the age of the New Normal. Restricting resource access to a physical address or IP address, or to VPN access, is counterproductive and difficult to manage if employees are to work from remote locations. Digital identity will shift from user identity to the combined identity of the device and the user. Only this will enable modern and secure identity & access management.
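The access decision described above, bound to the combined identity of user and device rather than to an IP address or VPN session, as an added illustration (example code, not IDEE's product or the author's own); all users, devices, resources and tiers are constructed for the example:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# All identities and resources here are constructed for this example.


@dataclass(frozen=True)
class User:
    username: str
    mfa_verified: bool          # strong authentication completed in this session


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool              # present in the company device inventory
    attested: bool              # integrity/health check passed (patched, not rooted)
    bound_user: str             # the user the device was enrolled to


@dataclass(frozen=True)
class AccessRequest:
    user: User
    device: Optional[Device]    # None when the client presents no device identity
    resource: str
    source_ip: str              # carried for logging only; never grants trust
    via_vpn: bool               # likewise ignored by the decision


# Sensitivity tier of each resource; the tier decides how much device evidence is needed.
RESOURCE_TIER = {"wiki": "low", "hr-records": "high", "source-code": "high"}


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every request is judged on user + device identity,
    regardless of where it comes from (office LAN, VPN or a home network)."""
    if req.resource not in RESOURCE_TIER:
        return False, "unknown resource"
    if not req.user.mfa_verified:
        return False, "user not strongly authenticated"
    dev = req.device
    if dev is None or not dev.enrolled:
        return False, "device not enrolled"
    if dev.bound_user != req.user.username:
        return False, "device is not bound to this user"
    if RESOURCE_TIER[req.resource] == "high" and not dev.attested:
        return False, "high-tier resource requires an attested device"
    return True, "user and device identity verified"


# Constructed scenarios. The decision is the same whether the request arrives
# from the office LAN, over the VPN or from a home network.
ALICE = User("alice", mfa_verified=True)
ALICE_LAPTOP = Device("lap-01", enrolled=True, attested=True, bound_user="alice")
ALICE_OLD_PHONE = Device("ph-07", enrolled=True, attested=False, bound_user="alice")
BOBS_LAPTOP = Device("lap-02", enrolled=True, attested=True, bound_user="bob")


def demo():
    cases = {
        "home, managed laptop": AccessRequest(ALICE, ALICE_LAPTOP, "hr-records", "198.51.100.7", False),
        "office LAN, no device identity": AccessRequest(ALICE, None, "wiki", "10.0.0.5", False),
        "vpn, unattested phone, high tier": AccessRequest(ALICE, ALICE_OLD_PHONE, "source-code", "10.8.0.2", True),
        "vpn, unattested phone, low tier": AccessRequest(ALICE, ALICE_OLD_PHONE, "wiki", "10.8.0.2", True),
        "borrowed colleague's laptop": AccessRequest(ALICE, BOBS_LAPTOP, "wiki", "10.0.0.9", False),
    }
    return {name: evaluate(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}: {why}")
```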

Six Trends Shaping the 2021 Cybersecurity Outlook

Article by Tom Kellermann, Head of Cybersecurity Strategy, Rick McElroy, Head of Security Strategy, and Greg Foss, Senior Cybersecurity Strategist, VMware Carbon Black

Everything is different, and yet the same. As we look ahead to the cybersecurity landscape in the next 12 months, it is from a position no one predicted this time last year. Business operations have changed beyond recognition with most employees working from home in a transition that happened almost overnight. Stretched security teams have been challenged to rapidly deploy robust remote working facilities to maintain productivity. Most were writing the ‘pandemic playbook’ as they went along.

Ironically, one of the few certainties of the situation was that cybercriminals would take advantage of disruption to escalate campaigns. In that sense, nothing changed, except that the opportunity was suddenly much greater. As a result, nine in ten security professionals surveyed by our Threat Analysis Unit said they were facing increased attack volumes, which they attributed to the newly distributed working environment.

The effects of COVID-19 will continue to impact the cybersecurity sector for some time, but they are not the only considerations. This year we’ve seen cybercrime and cybercriminal groups continue along a path of technical and industry innovation that will see new strategies and tactics gain traction in 2021. We have also seen cyber defences tested like never before and, for the most part, they have held firm; there is reason for cybersecurity professionals to be optimistic.

With this in mind, the following are six trends we expect to see, and key areas cybersecurity professionals should keep their eyes on in 2021.

1. Remote-Working Focuses Attacker Attention on Mobile Compromise
As business becomes more mobile than ever and remote working persists, mobile devices and operating systems will be increasingly targeted. As employees use personal devices to review and share sensitive corporate information, these become an excellent point of ingress for attackers. If hackers can get into your Android or iPhone, they will then be able to island-hop into the corporate networks you access, whether by deactivating VPNs or breaking down firewalls.

We will also see hackers using malware such as Shlayer to access iOS, ultimately turning Siri into their personal listening device to eavesdrop on sensitive business communications.

Combating these risks requires a combination of new mobile device policies and infrastructure designed to facilitate continued remote working, as well as raising employee awareness of the persistent risks and the importance of digital distancing.

2. Continuing Direct Impacts on Healthcare
In terms of the direct impact of COVID-19, the healthcare sector, at the heart of crisis response, will see the adaptations it made to try to maintain patient services become a vulnerability. With growing reliance on telemedicine for routine medical appointments, lucrative personally identifiable information (PII) is being accessed from remote locations and as a result is more easily intercepted by hackers. At the same time, vaccine-related data pertaining to trials and formulae is some of the most sought-after intellectual property right now, and the drive to get hold of it for financial or political gain is putting healthcare and biotech organisations under intense pressure from external threats and insider risk.

That said, the strain on healthcare cybersecurity is not going unheeded; we will see increased IT and security budgets in the sector to combat the growth in external threats.

3. Emerging Tactical Trends: Cloud-Jacking and Destructive ICS Attacks
As the new year dawns, we will see tried and tested tactics evolving to become more sophisticated and take advantage of changes in network architecture. Cloud-jacking through public clouds will become the island-hopping strategy of choice for cybercriminals as opportunity proliferates due to the overreliance on public clouds by the newly distributed workforce.

It won’t be only the virtual environment under threat. Increasing cyber-physical integration will tempt nation state-sponsored groups into bolder, more destructive attacks against industrial control system (ICS) environments. Critical National Infrastructure, energy and manufacturing companies will be in the crosshairs as OT threats ramp up. Our analysts are seeing new ICS-specific malware changing hands on the dark web and we are likely to see it in action in the coming year.

4. The Ransomware Economy Pivots to Extortion and Collaboration
Another familiar tactic taking on a new twist is ransomware. Ransomware groups have evolved their approach to neutralise the defensive effect of back-ups and disaster recovery by making sure they’ve exfiltrated all the data they need before the victim knows they’re under attack. Once the systems are locked attackers use the data in their possession to extort victims to pay to prevent the breach becoming public. And if that fails, they can sell the data anyway, meaning the victim is doubly damaged.

Ransomware is such big business that the leading groups are collaborating, sharing resources and infrastructure to develop more sophisticated and lucrative campaigns. Not all collaborations will be successful, however, and we’ll see groups disagreeing on the ethics of targeting vulnerable sectors such as healthcare.

5. AI Utilised for Defensive and Offensive Purposes
Technology innovation is as relevant to attackers as it is to defenders and, while artificial intelligence and machine learning have significant benefits in cybersecurity, we can expect to see adversaries continue to advance in the way AI/ML principles are used for post-exploitation activities. They’ll leverage collected information to pivot to other systems, move laterally and spread efficiently – all through automation.

The silver lining is that in 2021 defenders will begin to see significant AI/ML advancements and integrations into the security stack. Security automation will be simplified and integrated into the arsenal of more organisations – not just those with mature SOCs. As awareness of how attackers are using automation increases, we can expect defenders to fix the issue, maximising automation to spot malicious activity faster than ever before.

6. Defender Confidence is Justifiably on the Rise
To finish on a resoundingly positive note, this year we saw cyber defences placed under inconceivable strain and they flexed in response. Yes, there were vulnerabilities due to the rapidity of the switch to fully remote working, but on the whole security tools and processes are working. Defender technology is doing the job it is designed to do, and that is no small feat.

The mission-critical nature of cybersecurity has never been more apparent than in 2020 as teams have risen to the challenge of uniquely difficult circumstances. In recognition of this we will see board-level support and a much healthier relationship between IT and security teams as they collaborate to simultaneously empower and safeguard users. 2020 has been the catalyst for change for which we were more than ready.

Predicted Data Classification Trends for 2021

Article by Adam Strange, Data Classification Specialist, HelpSystems

In the digitally accelerated COVID-19 environment of 2021 what are the top data security trends that organisations are facing? Here is HelpSystems Data Classification Specialist, Adam Strange’s take on the outlook and trends for 2021.

Ongoing Growth in Remote Working will Create Data Security Threats
  • The far-reaching impact of COVID-19 includes the intensified threat of malicious cyber attacks as well as an escalating number of damaging data breaches across almost every sector of business. The rapid shift to remote working during the pandemic left many employers exposed to hackers and highlighted multiple examples of serious network and data vulnerabilities.
  • For example, in a recent article, Infosecurity Magazine quotes research finding that attacks on the biotech and pharmaceutical industry alone rose by 50% in 2020 compared to 2019. And in the defence sector, The Pentagon is seeing a huge rise in cyber attacks through the pandemic, where unprecedented numbers of employees are forced to communicate through their own devices. 
  • As more companies move to facilitate a semi-permanent remote workforce, data security ecosystems will evolve to become more complex and advanced data management and classification solutions will be a critical technology investment.
  • ‘Insider threat’ will be categorised as the most prominent tier 1 data security risk in 2021, necessitating stricter corporate guidelines and protocols in data classification, as well as comprehensive employee education programmes around data security. 
  • HelpSystems’ recent research interviewed 250 CISOs and CIOs in financial institutions about the cybersecurity challenges they face and found that insider threat - whether intentional or accidental - was cited by more than a third (35%) of survey respondents as one of the threats with the potential to cause the most damage in the next 12 months. 
  • Further, the latest Information Commissioner’s Office (ICO) report confirmed that misdirected email remains one of the UK’s most prominent causes of security incidents, demonstrating the need for all organisations to control the dissemination of their classified data. 
  • HelpSystems’ technologies in data security and classification are enabling businesses to regain control of sensitive data, identify sensitive data by scanning and analysing data at rest and classify and protect personal data by detecting PII at creation. 
A Security Culture needs to be Embedded into Organisations, especially as Insider Breach Risk continues to Grow
  • In 2021 data governance will take centre stage in data security and privacy strategies. Companies will create Centres of Excellence (COE) to embed a solid data security culture across teams and corporate divisions and to formalise in-house data management processes, rolling out divisional best practice and placing data classification at the foundation of their data security strategy.
  • Employees play a vital role in ensuring the organisation maintains a strong data privacy posture. For this to be effective, organisations need to provide regular security awareness training to protect sensitive information, which means investing in user training and education programmes.
  • The security culture of the firm must be inclusive towards all employees, making sure they are continually trained so that their approach to security becomes part of their everyday working practice, irrespective of their location, and security becomes embedded into all their actions and the ethos of the business. 
  • Data classification solutions will allow businesses to protect data by putting appropriate security labels in place. HelpSystems data classification uses both visual and metadata labels to classify both emails and documents according to their sensitivity. Once labelled, data is controlled to ensure that emails, documents and files are only sent to those that should be receiving them, protecting sensitive information from accidental loss, through misdirected emails and the inadvertent sharing of restricted documents and files. 
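The control described in the last bullet, a label that travels with an email and a gateway check that stops the message reaching recipients outside the label's audience, as an added illustration (example code, not HelpSystems' product). The header name X-Classification, the subject marker syntax, the domains and the sample messages are all constructed for the example:

```python
import email
import re
from email import policy
from email.utils import getaddresses
from typing import List, Optional, Tuple

# Constructed conventions for this example, not a vendor's format.
LABEL_HEADER = "X-Classification"            # metadata label carried in the header
SUBJECT_MARK = re.compile(r"^\s*\[(\w+)\]")  # visual label, e.g. "[Confidential] Q3 plan"
COMPANY_DOMAINS = {"example.com"}
PARTNER_DOMAINS = {"partner.example"}

# Recipient domains each label may be sent to (None = unrestricted).
POLICY = {
    "Public": None,
    "Internal": COMPANY_DOMAINS,
    "Confidential": COMPANY_DOMAINS | PARTNER_DOMAINS,
}
DEFAULT_LABEL = "Internal"   # unlabelled mail is treated as internal (fail closed)
_CANONICAL = {k.lower(): k for k in POLICY}


def effective_label(msg) -> Tuple[Optional[str], Optional[str]]:
    """Return (label, error). The metadata header and the visual subject marker must
    agree; a disagreement is treated as mislabelling or tampering and blocks the mail."""
    header = (msg.get(LABEL_HEADER) or "").strip() or None
    m = SUBJECT_MARK.match(str(msg.get("Subject", "")))
    visual = m.group(1) if m else None
    if header and visual and header.lower() != visual.lower():
        return None, f"label mismatch: header={header!r} subject={visual!r}"
    raw = header or visual or DEFAULT_LABEL
    label = _CANONICAL.get(raw.lower())
    if label is None:
        return None, f"unknown label {raw!r}"
    return label, None


def check_outbound(raw_message: str) -> Tuple[bool, str, List[str]]:
    """Decide whether a raw RFC 5322 message may leave the organisation.
    Returns (allowed, label_or_error, recipients_outside_the_label_audience)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    label, err = effective_label(msg)
    if err:
        return False, err, []
    allowed = POLICY[label]
    fields = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    blocked = []
    for _name, addr in getaddresses(fields):
        domain = addr.rpartition("@")[2].lower()
        if allowed is not None and domain not in allowed:
            blocked.append(addr)
    return (not blocked), label, blocked


# Constructed sample messages.
INTERNAL_OK = ("From: alice@example.com\r\nTo: bob@example.com\r\n"
               "Subject: [Internal] shift roster\r\nX-Classification: Internal\r\n\r\nbody\r\n")
MISDIRECTED = ("From: alice@example.com\r\nTo: bob@example.com, carol@webmail.example\r\n"
               "Subject: [Confidential] Q3 plan\r\nX-Classification: Confidential\r\n\r\nbody\r\n")
PARTNER_OK = ("From: alice@example.com\r\nTo: dan@partner.example\r\n"
              "Subject: [Confidential] contract draft\r\nX-Classification: Confidential\r\n\r\nbody\r\n")
MISMATCH = ("From: alice@example.com\r\nTo: bob@example.com\r\n"
            "Subject: [Public] press kit\r\nX-Classification: Confidential\r\n\r\nbody\r\n")
UNLABELLED = ("From: alice@example.com\r\nTo: eve@other.example\r\n"
              "Subject: notes\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for name in ("INTERNAL_OK", "MISDIRECTED", "PARTNER_OK", "MISMATCH", "UNLABELLED"):
        print(name, check_outbound(globals()[name]))
```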
Supply Chain Ecosystem Risk will get Bigger
  • Accenture reports that 94% of Fortune 100 companies experienced supply chain disruptions from COVID-19, and that as much as 40% of cyber threats are now occurring indirectly through the supply chain.
  • 2020 has been the year where businesses realised more than ever that data security across the supply chain was only as strong as its weakest link, where exposing a business’s network and sensitive data to its suppliers had the potential to carry significant additional risk. 
  • HelpSystems’ recent report interviewed 250 CISOs and CIOs from financial institutions about the cybersecurity challenges they face and nearly half (46%) said that cybersecurity weaknesses in the supply chain had the biggest potential to cause the most damage in the next 12 months. 
  • But sharing information with suppliers is essential for the supply chain to function. Most organisations go to great lengths to secure intellectual property (IP), personally identifiable information (PII) and other sensitive data internally, yet when this information is shared across the supply chain, it doesn’t get the same robust attention. 
  • The demand for greater resilience across supply chain operations in 2021 will require businesses to move quickly to overhaul existing tech investments and prioritise data governance. Organisations must ensure basic controls are implemented around their suppliers’ IT infrastructure and that they have robust security measures in place. 
  • Advanced data classification capabilities will deliver assurance and control to numerous industries including finance, defence and government. HelpSystems advises organisations to ensure their suppliers have a robust approach to security and information risk with security frameworks such as ISO 27001 and Cyber Essentials in place. 
  • Organisations should implement a data classification scheme and embed data risk management into the procurement lifecycle processes from start to finish. By effectively embedding data risk management, categorisation and classification into procurement and vendor management processes, businesses will prevent their suppliers’ vulnerabilities becoming their own and more effectively secure data in the supply chain. 
Data Privacy Regulations set to Increase
  • An increased focus on data privacy and protection of personal data and the continuing shift in privacy law, as reflected in the EU’s landmark GDPR in 2018 and, this year, the US’s CCPA, and the CPRA set to take effect in 2023, has changed the data regulatory landscape. We can expect to see similar US compliance rulings come into force beyond California through 2021.
  • In addition to individual state privacy rulings, we can expect to see federal US-wide regulation come into force. 
  • This new phase in privacy regulation will be complex and enforcement will demand changes in people, process and technology - proper corporate data governance programmes, employee training and solid data management systems in every organisation to counter reputational risk and hefty fines. 
  • Data automation will also be a priority as companies struggle to deliver relevant data protection strategies for every level of business and its users, across all platforms and infrastructures to conform with individual state and international laws. 
  • HelpSystems’ unified security, compliance and data classification solutions simplify compliance reporting, enabling businesses to easily generate the documentation necessary to identify security issues, give auditors the information they need and prove compliance.

Cyber Security Roundup for December 2020

A roundup of UK-focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, November 2020.

Manchester United FC remains impacted by a seemingly major cyber-attack, which I covered in a blog post titled The Multi-Million Pound Manchester United Hack. At this point, United have provided few details about their cyber-attack, which has been impacting the club's IT systems for well over a week. However, the UK media are widely reporting that United's leaky IT defences were unable to prevent a ransomware attack and data theft. London's Hackney Borough Council have also been tight-lipped about what they describe as "a serious cyber-attack" which has impacted its service delivery to Londoners. Like United, this attack has all the hallmarks of a mass ransomware outbreak. Both Manchester United and Hackney Council said they are working with the UK's National Cyber Security Centre (NCSC).

Man.Utd hit by ransomware, who's next?

Street Fighter games maker Capcom was also reported to be compromised by a ransomware attack, with up to 350,000 people said to be affected, along with some of Capcom's financial information stolen. The Ragnar Locker hacker group was said to be behind the attack, although indications are that Capcom hasn't given in to their ransom demands, after an ominous message appeared on the Ragnar group's website saying Capcom didn't "make a right decision and save data from leakage".

Ransomware attacks will be going from bad to worse in 2021 according to Sophos. In its annual threat report, Sophos anticipates ransomware tactics, techniques and procedures will become more evasive, with criminal threat actors operating more like nation-state attackers. Sophos also expects an increase in the number of entry-level, apprentice-type attackers looking for menu-driven ransomware-for-rent, meaning the technical barrier preventing general nefarious folk from orchestrating ransomware attacks is getting lower.

It's likely COVID-19 has saved Ticketmaster from a more substantial DPA/GDPR fine after the Information Commissioner's Office (ICO) announced it had fined the gig ticket selling company a mere £1.25 million for failing to keep 9 million of its customers' personal data and payment cards secure. The ICO investigation concluded a vulnerability in a third-party chatbot installed on Ticketmaster's online payments page was exploited and used to access its customers' card payment details. Following the breach, 60,000 Barclays bank customers were victims of fraud, while online bank Monzo had to replace 6,000 payment cards due to fraud. Ticketmaster said it would appeal against the ICO ruling.

An interesting new UK law is in the offing which proposes fines of 10% of turnover or more than £100,000 a day for telecoms operators that use Huawei network equipment within their 5G networks. The bill gives the UK government new powers to force Huawei equipment out of the UK telecoms giants' networks; the threatened sum of £100,000 a day would only be used in the case of "continuing contravention", according to Number 10.

Consumer group Which? warned that security flaws in popular smart doorbells are placing UK consumers at risk. The watchdog tested 11 smart doorbell (IoT) devices purchased from popular online marketplaces like Amazon; the dodgy products were said to have been made by Qihoo, Ctronics and Victure. The most common security flaws found by Which? were weak password policies and a lack of data encryption. Two of the devices could be manipulated to steal the network WiFi password, providing the opportunity for an attacker to then hack other smart devices within the home.

The NCSC released its annual review, confirming what we already know about the commonality of ransomware attacks on UK organisations. The NCSC also accused Russia of trying to steal vaccine-related information through cyber-espionage, advising of an "ongoing threat" of nation-states targeting the UK vaccine research-and-delivery programmes. The NCSC were not alone in pointing the finger at nation-state threat actors going after COVID-19 vaccines: Microsoft also reported state-backed hackers from Russia and North Korea were targeting organisations working on a coronavirus vaccine. The Russian group "Fancy Bear" and North Korean groups "Zinc" and "Cerium" were fingered by Microsoft as the culprits behind a spate of recent cyber-attacks. Microsoft said Fancy Bear were brute-forcing accounts with millions of different password combinations, while the North Korean groups sent spear-phishing emails posing as World Health Organisation officials, in an attempt to trick researchers into handing over their login credentials and research data.

Stay safe and secure.


    MPs criticise privacy watchdog over NHS test-and-trace data

    UK information commissioner ‘must ensure government uses public’s data safely and legally’

    A cross-party group of more than 20 MPs has accused the UK’s privacy watchdog of failing to hold the government to account for its failures in the NHS coronavirus test-and-trace programme.

    The MPs have urged Elizabeth Denham, the information commissioner, to demand that the government change the programme after it admitted failing to conduct a legally required impact assessment of its privacy implications.


    CEO of exam monitoring software Proctorio apologises for posting student’s chat logs on Reddit

    Australian students who have raised privacy concerns describe the incident involving a Canadian student as ‘freakishly disrespectful’

    The chief executive of an exam monitoring software firm that has raised privacy concerns in Australia has apologised for publicly posting a student’s chat logs during an argument on the website Reddit.

    Mike Olsen, who is the CEO of the US-based Proctorio, has since deleted the posts and apologised, saying that he and Proctorio “take privacy very seriously”.


    Early access to superannuation paused as police freeze $120,000 in allegedly stolen funds

    ‘Sophisticated’ identity theft attack leads to Australian Tax Office stopping early super withdrawals until Monday

    Allegations of identity theft involving 150 Australians have forced the government to pause the early release of superannuation, after police froze $120,000 believed to have been ripped off from retirement savings.

    On Friday the assistant treasurer, Michael Sukkar, announced the Australian Tax Office would pause requests for early access of superannuation until Monday “out of an abundance of caution” to consider further anti-fraud protection.


    The Guardian view on an NHS coronavirus app: it must do no harm | Editorial

    Smartphones can be used to digitally trace Covid-19. But not if the public don’t download an app over privacy fears – or find it won’t work on their device

    The idea of the NHS tracing app is to enable smartphones to track users and tell them whether they interacted with someone who had Covid-19. Yet this will work only if large proportions of the population download the app. No matter how smart a solution may appear, mass consent is required. That will not be easy. Ministers and officials have failed to address the trade-offs between health and privacy by being ambiguous about the app’s safeguards.

    Instead of offering cast-iron guarantees about the length of time for which data would be held; who can access it; and the level of anonymity afforded, we have had opacity and obfuscation. It is true that we are dealing with uncertainties. But without absolute clarity about privacy the public is unlikely to take up the app with the appropriate gusto.
