Democratizing Cybersecurity Protects Us All

Cybersecurity is a sophisticated art. It can truly consume the time and resources of IT teams as they work to safeguard valuable data from the growing risk of cyberattacks and data breaches. The technical nature of it, along with the specific expertise it requires, has created a workforce gap that many fear is nearly impossible to bridge.

By Akshay Bhargava, Chief Product Officer at Malwarebytes

In fact, the cybersecurity workforce gap has been reported to be over four million globally, causing an alarming void of security experts who are fit to protect business and consumer data. This gap is particularly painful for small and midsize businesses (SMBs) where recruiting cybersecurity expertise may be particularly costly or challenging. Unfortunately, with the average cost of a breach weighing in at a hefty $3.92 million, cybersecurity is not something any business – no matter the size – can afford to get wrong. This is especially concerning for SMBs where estimates have found that as many as 60% are forced to shut their doors after a cyberattack.

But the damage caused by a successful attack can extend beyond the SMB itself.

Not only will the SMB suffer in the event of a cyberattack, but the larger enterprises it partners with are also put at risk. Take the 2019 Quest Diagnostics data breach as an example. Nearly 12 million patients were exposed after hackers took control of a payments page for one of Quest’s billing collection vendors, AMCA, exposing account data, social security numbers and health information. The same attack also impacted 7.7 million customers of LabCorp. AMCA has since filed bankruptcy.

It’s also been reported that it was an email attack on a vendor of Target Corp. that exposed the credit card and personal data of more than 110 million consumers in 2013. The Target breach has been traced back to network credentials stolen from an email malware attack on a heating, air conditioning and refrigeration firm used by Target.

In each instance, the exposure of a smaller organization put a much larger enterprise at risk. There is hope though, that if we can democratize cybersecurity, SMBs could realize the same protections enterprises require, and we’d all be much safer as a result.

So, what can be done? How can SMBs achieve a cybersecure environment like their enterprise competitors? The key lies in automation and empowering employees.

Automation Unlocks Cybersecurity Democratization

Adopting security automation is an effective way to achieve cyber resilience without adding staff or cost burden. It’s the core of cybersecurity democratization. In fact, companies that fully deploy security automation realize an average $1.55 million in incremental savings when handling a data breach. Not only will automation relieve the pressure from continued staff and skills resource constraints, it’s also dynamically scalable, always on, and enables a more proactive security approach that makes the business exponentially more secure. When applying automation, consider each of these three critical security process areas:

1. Threat detection and prevention. Technologies including advanced analytics, artificial intelligence and machine learning give SMBs the ability to apply adaptive threat detection and prevention capabilities so that they can stay one step ahead of cybercriminals without added staff. By automating threat detection, powered by strong threat intelligence, SMBs can detect new, emerging threats while also increasing the detection and prevention of known threats that may have previously slipped past corporate defenses. Furthermore, they can reduce the noise from incident alerts and false positives from detection systems, improving overall threat detection and prevention success rates.

2. Incident response. If a successful cyberattack does break through, it can move throughout an environment like wildfire. Incident response time is critical to mitigating the severity of the damage, and for those SMBs impacted by the security skills shortage, having the response team needed to react fast is likely a problem. By automating incident response, organizations can greatly improve their cyber resilience. Adopt solutions that will automatically isolate, remediate and recover from a cyberattack:

  • Isolate. By automating endpoint isolation, SMBs are able to rapidly contain an infection while also minimizing disruption to the user. Effective isolation includes automated containment at the network, device and process levels. Advanced solutions will also impede malware from “phoning home,” which will restrict further damage to the environment.
  • Remediate. Automating remediation will quickly and effectively restore systems without requiring staff resource time or expertise. It will also allow CISOs to remediate endpoints at scale to significantly reduce the company’s mean-time-to-response.
  • Recover. Finally, incident response should also provide automated restore capabilities to return endpoints to their pre-infected, trusted state. During this recovery process it’s also wise to enable automated detection and removal of artifacts that may have been left behind during the incident. This is essential to preventing malware from re-infecting the network.

3. Security task orchestration. To further relieve security staff while ensuring cyber resiliency, low-level tasks should be automated, including the orchestration between complex, distributed security ecosystems and services. This will ensure a more nimble and responsive environment in the event a cyberattack is successful. Cloud-based management of endpoints can help, specifically if it provides deep visibility with remediation maps […]

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

Coronavirus-themed Malware and Ransomware Ramp Up

Cybercriminals are known to leverage global events for personal gain, be it the elections or the Olympic Games, and COVID-19 is no different. Scammers are using the pandemic to capitalize on a public scare that is already dire.

By Pooja Tikekar, Feature Writer, CISO MAG

Hackers are using social engineering tools to formulate phishing emails in the name of the World Health Organization (WHO) and other regulatory bodies to target vulnerable victims. These phishing emails contain documents with embedded links that result in malware and ransomware attacks.

Here are some of the COVID-19-themed cyberthreats:

1. CovidLock

The security team at DomainTools discovered a domain (coronavirusapp[.]site), which claims to have a real-time Coronavirus Tracker. It poses as a download site for an Android app that maps the spread of the virus across the globe. However, the app has a hidden ransomware application named “CovidLock” that threatens to delete contacts, pictures and videos on the victims’ device if a ransom of $100 in Bitcoin is not paid within 48 hours.

Image source: DomainTools

2. Dharma (CrySIS)

Dharma belongs to the CrySIS malware family and was first discovered in 2016. The malware is distributed through malicious email attachments that deliver the payload. The payload is attached as an executable file named “1covid.exe,” which begins to encrypt files after it is downloaded. The encrypted files are given the extension “.ncov” (supposedly for Novel Coronavirus). It also drops a ransom note prompting users to write an email to “[email protected]” to restore their files.

Image: Dharma ransom note (source: Quick Heal)

3. Emotet

The Emotet malware spam (malspam) emails contain a warning note and a call to action to download a malicious Word document attachment, which is said to contain precautionary health measures and the latest updates related to Coronavirus. On opening the attachment and enabling macros in Office 365, an obfuscated VBA macro script begins to run in the background, which in turn installs a PowerShell script and downloads the Emotet malware. The Emotet script also downloads a few other malicious payloads to extract additional data from the targeted system.

4. Maze

Maze ransomware was discovered in 2019; however, amid the Coronavirus crisis, it is being used to target health care organizations. It threatens to publish patient records online, thereby putting the health care organizations at risk of immediate violation of the General Data Protection Regulation (GDPR). According to DataBreaches.net, the operators of Maze ransomware attacked the London-based clinical testing firm Hammersmith Medicines Research, as it has volunteered its services to the U.K.’s National Health Service (NHS) and local medical practices to help test medical frontline staff for COVID-19.

Image: Maze ransom note (source: Wikimedia Commons)

5. REvil

Also known as Sodinokibi, the REvil ransomware operators are targeting managed service providers (MSPs) and local governments amid the pandemic. The operators scan the internet for vulnerable machines to deploy the malware payload through a Virtual Private Network (VPN). The operators targeted and infected California-based biotechnology company 10x Genomics to steal sensitive information, as the firm is part of an international alliance sequencing cells from patients who have recovered from the Coronavirus.

6. NetWalker

A variant of Mailto, the NetWalker ransomware targets home and corporate computer networks to encrypt the files it finds. It reaches victims through phishing emails carrying an attachment that executes the ransomware payload. The file name “CORONAVIRUS_COVID-19.vbs” tricks users into executing it. Once the “vbscript” is executed, the ransomware is dropped in “C:\Users\<UserName>\AppData\Local\Temp\qeSw.exe.” The shadow copies are erased from the system, making safe file recovery difficult.

Image: NetWalker ransom note

7. Ginp

Kaspersky researchers have discovered the Ginp Banking Trojan that takes advantage of Android users to steal credit card credentials of potential victims… […]
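The artifacts this list names for Dharma and NetWalker (the lure file names, the “.ncov” extension, an executable dropped into the user's Temp folder by a script, erased shadow copies) can be combined into a small triage pass over endpoint telemetry. The Python below is an added example, not code from CISO MAG or from any vendor mentioned; the event fields, host names, sample events, rename threshold and the vssadmin/wmic command-line patterns are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

# Indicators quoted in the article (compared case-insensitively).
LURE_NAMES = {"1covid.exe", "coronavirus_covid-19.vbs"}
DHARMA_EXT = ".ncov"
# Drop location the article gives for NetWalker: an .exe directly in the user's Temp folder.
TEMP_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: the article only says shadow copies are erased; these are the
# command lines commonly logged when that happens.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.I)
MASS_RENAME_THRESHOLD = 3  # hypothetical tuning value


def proc(host, image, parent, cmdline):
    """Build a process-creation event (hypothetical schema)."""
    return {"host": host, "type": "process_create", "image": image,
            "parent": parent, "cmdline": cmdline}


def fcreate(host, path):
    """Build a file-creation event (hypothetical schema)."""
    return {"host": host, "type": "file_create", "path": path}


# Constructed sample telemetry: WS-01 follows the NetWalker description,
# WS-02 the Dharma description, WS-03 is benign look-alike activity.
SAMPLE_EVENTS = [
    fcreate("WS-01", r"C:\Users\alice\Downloads\CORONAVIRUS_COVID-19.vbs"),
    proc("WS-01", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
         r'wscript.exe "C:\Users\alice\Downloads\CORONAVIRUS_COVID-19.vbs"'),
    proc("WS-01", r"C:\Users\alice\AppData\Local\Temp\qeSw.exe",
         r"C:\Windows\System32\wscript.exe", r"C:\Users\alice\AppData\Local\Temp\qeSw.exe"),
    proc("WS-01", r"C:\Windows\System32\vssadmin.exe",
         r"C:\Users\alice\AppData\Local\Temp\qeSw.exe", "vssadmin.exe delete shadows /all /quiet"),
    proc("WS-02", r"C:\Users\bob\Downloads\1covid.exe", r"C:\Windows\explorer.exe",
         r"C:\Users\bob\Downloads\1covid.exe"),
    fcreate("WS-02", r"C:\Users\bob\Documents\report.docx.ncov"),
    fcreate("WS-02", r"C:\Users\bob\Documents\budget.xlsx.ncov"),
    fcreate("WS-02", r"C:\Users\bob\Pictures\photo.jpg.ncov"),
    proc("WS-03", r"C:\Users\carol\AppData\Local\Temp\setup.exe", r"C:\Windows\explorer.exe",
         "setup.exe /S"),
    proc("WS-03", r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe",
         "vssadmin list shadows"),
    fcreate("WS-03", r"C:\Users\carol\Documents\notes.ncov"),
]


def triage(events):
    """Return (host, rule, detail) findings for a list of telemetry events."""
    findings = []
    ncov_per_host = Counter()
    for ev in events:
        host = ev["host"]
        if ev["type"] == "file_create":
            name = basename(ev["path"]).lower()
            if name in LURE_NAMES:
                findings.append((host, "lure_filename", ev["path"]))
            if name.endswith(DHARMA_EXT):
                ncov_per_host[host] += 1  # judged in bulk below, not per file
        elif ev["type"] == "process_create":
            image, cmd = ev["image"], ev.get("cmdline", "")
            parent = basename(ev.get("parent", "")).lower()
            if basename(image).lower() in LURE_NAMES or any(n in cmd.lower() for n in LURE_NAMES):
                findings.append((host, "lure_executed", cmd or image))
            # A script host starting an .exe out of Temp is the dropper pattern described.
            if parent in SCRIPT_HOSTS and TEMP_EXE.match(image):
                findings.append((host, "script_host_spawned_temp_exe", image))
            if SHADOW_DELETE.search(cmd):
                findings.append((host, "shadow_copy_deletion", cmd))
    for host, count in ncov_per_host.items():
        if count >= MASS_RENAME_THRESHOLD:
            findings.append((host, "mass_ncov_rename", f"{count} files"))
    return findings


def rules_by_host(findings):
    """Group the distinct rule names that fired on each host."""
    grouped = {}
    for host, rule, _detail in findings:
        grouped.setdefault(host, set()).add(rule)
    return grouped


if __name__ == "__main__":
    for host, rules in sorted(rules_by_host(triage(SAMPLE_EVENTS)).items()):
        print(host, sorted(rules))
```

Matching on the behaviour (script host parent, Temp path, bulk extension change) rather than only on the literal names keeps the rules useful when a campaign renames its files.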

This article first appeared in CISO MAG.

Cloud Strategies Aren’t Just About Digital Transformation Anymore

Organizations have been transferring more data, workloads, and applications to the cloud to increase the pace of innovation and organizational agility. Up until recently, the digital transformation was accelerating. However, cloud adoption recently got a major shove as the result of the crisis, which can be seen in:

  • Dramatic remote work spikes
  • Capital expenditure (CapEx) reductions
  • Business model adaptations to maintain customer relationships

In fact, in a recent blog, Forrester reported robust 2020 first quarter growth of top three providers with AWS at 34%, Microsoft Azure (59%), and Google Cloud Platform (52%). The driver, according to Vice President and Principal Analyst John Rymer, is “Faced with sudden and urgent disruption, most enterprises are turning to the big public cloud providers for help.”

“We are seeing a huge increase in our clients wanting to digitize in-person processes and ensure they are accessible 24/7 and integrated with existing technologies through utilizing cloud services [such as] developing contactless ordering systems for physical retail locations, which both reduce the need for face-to-face interaction, but also sync with existing POS and stock management systems,” said Bethan Vincent, marketing director at UK digital transformation consultancy Netsells Group. “This requires both API integrations and a solid cloud strategy, which seeks to build resilience into these new services, protecting against downtime and the knock-on effect of one system affecting another.”

Jiten Vaidya, PlanetScale

Speaking of resiliency, there is a corresponding uptick in Docker and Kubernetes adoption. “We have seen an interest in databases for Kubernetes spike during the COVID-19 pandemic. Kubernetes had already emerged as the de facto operating system for computing resources either on-premise or in the cloud,” said Jiten Vaidya, co-founder and CEO of cloud-native database platform provider PlanetScale. “As the need for resiliency and scalability becomes top of the mind, having this uniform platform for database deployment is becoming increasingly important to enterprises.”

While business continuity isn’t the buzzy topic it was during the Y2K frenzy, many consulting firms and technology providers say it’s top of mind once again. However, it’s not just about uptime and SLAs, it’s also about the continuity of business processes and the people needed to support those business processes.

Greater remote work is the new normal

Chris Ciborowski, CEO and co-founder of cloud and DevOps consulting firm Nebulaworks, said many of his clients have increased their use of SaaS platforms such as Zoom and GitLab/GitHub source code management systems.

“While these are by no means new, there has been a surge in use as identified by the increased load on the platforms,” said Ciborowski. “These are being leveraged to keep teams connected and driving productivity for organizations that are not used to or built for distributed teams. [M]any companies [were] already doing this pre-pandemic, but the trend is pouring over to those companies that are less familiar with such practices.”

Chris Ciborowski, Nebulaworks

Dux Raymond Sy, CMO and Microsoft MVP + regional director at AvePoint, which develops data migration, management and protection products for Office 365 and SharePoint, has noticed a similar trend.

“Satya Nadella recently remarked [that] two years of digital transformation has happened in two months,” said Sy. “Organizations and users that were on the fence, have all adopted the cloud and new ways of working. They didn’t have a choice, but they are happy with it and won’t revert to the old ways.”

However, not all organizations have learned how to truly live in the cloud yet. For example, many have adopted non-enterprise, consumer communication and/or collaboration platforms, which have offered free licenses in response to COVID-19. However, fast access to tools can result in ad-hoc, unstructured and ungoverned processes.

“Adoption isn’t a problem anymore, but now productivity and security are. As we emerge from the post-pandemic world, organizations are going to need to clean up their shadow IT, overprivileged or external users that can access sensitive data they shouldn’t and sprawling collaboration environments,” said Sy. “The other mistake we are seeing organizations make is not continuously analyzing their content, finding their dark data, and reducing their attack profile. Organizations need to make a regular habit of scanning their environments for sensitive content and making sure it is where it is supposed to be or appropriately expire it if it can be deleted. Having sensitive content in your environment isn’t bad, but access to it needs to be controlled.”

Dux Raymond Sy, AvePoint

All the cybersecurity controls organizations have been exercising under normal conditions are being challenged as IT departments find themselves enabling the sudden explosion of remote workers. In fact, identity and access management company OneLogin recently surveyed 5,000 remote workers from the U.S. and parts of Europe to gauge the cybersecurity risks enterprises are facing. According to the report, 20% have shared their work device password with their spouse or child, which puts corporate data at risk, and 36% have not changed their home Wi-Fi password in more than a year, which puts corporate devices at risk. Yet, 63% believe their organizations will be in favor of continued remote work post-pandemic. One-third admitted downloading an app on their work device without approval.

“Organizations everywhere are facing unprecedented challenges as millions of people are working from home,” said Brad Brooks, CEO and president of trusted experience platform provider OneLogin in a press release. “Passwords pose an even greater risk in this WFH environment and — as our study supports — are the weakest link in exposing businesses’ customers and data to bad actors.”

CapEx loses more ground to OpEx

SaaS and cloud have forever changed enterprise IT financial models, although many organizations still have a mix of assets on-premises and in the cloud. In the wake of the 2008 financial crisis, businesses increased their use of SaaS and cloud. Digital transformation further fueled the trend. Now, CFOs are taking another hard look at CapEx as they fret about cashflow.

Suranjan Chatterjee, Tata Consultancy Services

“The pandemic has crystalized the fact that there are basically two types of companies today: those that are able to deliver digitally and connect to customers remotely, and those that are trying to get into this group,” said  Miles Ward, CTO at business and technology consulting services firm SADA. “Since the world turned on its head the past few months, we’ve seen companies in both groups jump on cloud-based tools that support secure connections, scaled communications, rapid development and system access from anywhere, anytime. Using these tools, companies can reduce their risk; nothing feels safer than going from three to five-year commitments on infrastructure to easy pay-as-you-go, and pay only for what you use, commitment-free systems.”

Business models have shifted to maintain customer relationships

Businesses negatively impacted by shelter in place and stay at home executive orders have reacted in one of two ways: adapt or shut down temporarily until the state or country reopens. The ones that have adapted have been relying more heavily on their digital presence to sell products or services online, with the former being supplemented with curbside pickup. The businesses that shut down completely tended to have a comparatively weak digital strategy to begin with. Those companies are the ones facing the biggest existential threat. […]

The ever changing role of a CSO with David Levine

With a wide and diverse variety of positions during his 23-year tenure with Ricoh, Vice President Corporate and Information Security and CSO David Levine shares his perspective on the role of the CISO, how he stays abreast of industry trends and, in the current COVID-19 era, what it means to have a remote team.

Q: How has the role of the CISO changed over your career?

A:  The CISO role has continued to grow in organizational and strategic importance within many businesses, including Ricoh. What was once a blended function in IT is now its own critical function with its leader (CISO/CSO) having a seat at the table and reporting, if applicable, to the board on a regular basis. That’s a significant transformation!

Q: What is the biggest challenge for a CISO today?

A: This ties into my answer above, the security budget and staffing has not necessarily kept pace with increasing demands and importance. As more and more of the organization as well as customers and partners realize they need to engage and include security the team gets spread thinner. This can put a real strain on the organization and its effectiveness. Prioritization and risk assessment become critical to help determine what needs to be focused on. You also cannot ignore the fundamental challenge of just keeping pace with operational fundamentals like vulnerability remediation, patching, alert response and trying to stay ahead of highly skilled adversaries. 

Q: How do you stay abreast of the trends and what your peers are doing?

A: I use a variety of approaches to track what’s going on relative to trends and my peers. Daily security email feeds are a great source to get a quick recap on the last 24 hours, leveraging one or more of the big research firms and being active in their councils is a great mix of access to analysts and peers. I am also active in the CISO community and participate in events run by great organizations like Apex. 

Q: What advice would you give an early stage CIO or CISO joining an enterprise organization?

A: Although I have been with Ricoh for many years, if I was moving to a new organization, I would take the time to ensure I understand:

  • the company’s objectives and priorities; 
  • what’s in place today and why;
  • what security’s role in the organization has been;
  • what’s working and what isn’t.

I’d also commit to completing initial benchmarking and make sure I spent time, upfront, to start to build solid relationships with key stakeholders.

Q: Have you been putting cloud migration first in your organization’s transformation strategies?

A: We adopted a cloud first mentality a few years ago. The cloud isn’t perfect for everything but in many cases it’s a great solution with a lot of tangible advantages.

Q: What are your Cloud Security Challenges?

A: For us, one of the biggest challenges is keeping pace with the business from a security and governance standpoint. We are currently working on putting in comprehensive policies and requirements, along with tools like a checklist, which will make it clear what’s needed and also enable the various teams to do some of the upfront work without needing to engage my team. That’s a win-win for everyone and reduces the likelihood of a bottleneck.

Q: What are your top data priorities: business growth, data security/privacy, legal/regulatory concerns, expense reduction?

A: YES! In all seriousness, those are all relevant priorities my team and I need to focus on. This further adds to the prior points around more work than hours and resources. 

Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?

A: Like most of my peers that I have talked to, we have put on hold most “net new” spending for now. The expectation is we will get back to those efforts a bit down the road. We are also taking a look to see what opportunities we have to streamline expenses.

Q: Has security been more of a challenge to manage while your teams have shifted to a Work From Home structure?

A: I am proud of my teams and the ecosystem we put in place. All in all, it’s been a pretty smooth transition. My team is geographically dispersed and a few key resources were already remote. However, that is not to say there aren’t any challenges – not being able to put hands on devices has made some investigations and project work more difficult but we’ve found safe ways to complete the tasks. Ensuring the teams stay connected and communicate is also important. 

Q: What were/are the most significant areas of change due to COVID-19?

A: We certainly had to make some exceptions to allow access and connectivity that we would not have done under normal circumstances, but it was the right thing to do for our business and our customers. We also had to shift some users to work from home who typically would not and as such, didn’t have the right resources. Both of these highlighted areas to focus on in the next revisions of our Business Continuity Plans which contemplated the need to shift work and locations but not necessarily everyone working from home. There is also a need to reemphasize security, policies, training when working from home.

How Video Analytics Help Security Drive Awareness and Insight

In diverse industries, video analytics help security to get a clearer view.

As a rule, there is a lot that video analytics can do to bolster security – whether that’s motion detection for perimeter security; facial recognition for access control; or artificial intelligence (AI) for object classification, to name a few of the possibilities.

As we consider the promise of video analytics in seven key sectors, a common theme emerges. Analytics don’t just enhance the security mission, acting as a force multiplier and driving new levels of awareness and insight. They also boost the position of the security professional, enabling security to leverage its investment in video as a means to drive new levels of efficiency across all levels of the operation.

K-12 Schools

In a K-12 school, where a security officer may need to watch over a large and complex facility, analytics and AI can expand that guard’s reach. “There is the security component from something simple: Was a child left on the playground when everyone returned from recess?” says Forrester Senior Analyst Nick Barber. “AI could be trained to tell the difference between a child and an adult, so that it isn’t falsely triggered if there is a teacher on the playground versus a student.”

“Or, is there an active shooter on campus and should 911 be contacted?” Barber says. AI, as applied to video, could be trained to recognize what a gun looks or sounds like and could automatically alert authorities, while simultaneously relaying the related video. Analytics could support simpler tasks as well, such as taking attendance as students enter the school or classroom.

Universities

The security challenge for universities and college campuses rests with sheer acreage. Universities may have a large security footprint, with their own police departments supported by cameras and a monitoring center. But they also have a lot of ground to cover. Analytics can provide a force multiplier.

Facial recognition, for instance, can offer a ‘be on the lookout’ mechanism to help security identify persons of interest. “If there’s a stalker, the analytics can pick up on those individuals,” says Scott Vogel, CEO of Incyte Security, a data analytics consultancy. Geofencing and other analytic tools can likewise help secure a sprawling perimeter. “You may have people hopping the fence at night to avoid the security gate, and analytics can provide a virtual barrier.”

Healthcare

In the healthcare environment, video is of greatest use in helping to secure entry and exit points, whether that is aimed at keeping unwanted individuals out of an emergency-care situation, or at keeping dementia patients in and on-premise at a senior care facility. “Analytics solutions can alert operators when people either enter or exit secure areas without proper identification procedures, such as swiping a badge, or they can utilize some facial recognition features to be sure that the person on camera who has earned entrance to a secure area is the person they are claiming to be,” says Danielle VanZandt, industry analyst for security, aerospace, defense and security at Frost & Sullivan.

Analytics can also be used to identify potential threats that might otherwise be overlooked by security personnel. Left objects or ‘loitering’ analytics will aid hospital security teams to identify either suspicious packages or behaviors, particularly if these alerts are generated in areas that should not have significant amounts of foot-traffic.

Cannabis

Video analytics can help cannabis growers to identify possible threats to the safety of their crop, says Ryan Douglas, founder of consulting firm Ryan Douglas Cultivation LLC. “High-tech greenhouses install mobile cameras that constantly run along tracks mounted to the ceiling. Analyzing this video can help with the early identification of pest or disease outbreaks, nutritional deficiencies and undesirable growth patterns before they negatively affect a crop,” Douglas says. It’s a way for security to leverage its video investment in support of enhanced operational efficiency.

Security could also utilize analytics to help ensure cannabis retailers comply with regulations, if, for instance, the system was programmed to monitor quantities of product changing hands at the point of sale. “It could ensure that during the purchase transaction, buyers don’t exceed the amount of product that they are legally allowed to purchase,” Barber says.

At grow sites, analytics can also be applied to remote video surveillance systems to help secure the perimeter.  Motion-detection capabilities and geofencing can likewise be leveraged to extend the eyes of the security force over the growing and production operations.

Property Management

For security on a commercial property, video alone can’t cover all the bases. Property management requires a combination of broad vision and deep insights. Beyond mere images, analytics can deliver the intelligence to help security professionals make best use of their time and cover ground more effectively.

“You might have teenagers climbing on the roof of the building. Beyond the general liability problem, they are damaging the roof,” Vogel says. “With analytics, you can identify the places where people go up on that roof and notify security. Within seconds you get notification and hopefully can deter that incident.”

Analytics can detect patterns of behavior, noting when a parking lot is filling up. This helps to ensure adequate security coverage when and where it is needed. Video analytic tools can help security to deter theft from commercial properties, by highlighting common traffic-flow patterns and sending out a notification to security officers when those patterns are disrupted. This helps security to see when products may potentially be walking out the back door and, with the help of automated notifications, to respond in real time.

Critical Infrastructure

Consider all the luminous dials in a hydroelectric plant or an oil refinery: Constant reminders that pressure and temperature are key determinants of safety. Security personnel can use analytics to monitor a vast array of analog sensors more effectively and in real time. Point a camera at an analog gauge, program the analytics to watch for threshold levels, “and an alert can get triggered if the pressure rises above a certain point as seen on the dial,” Barber says.

Video can also be used to understand how specific elements of the facility are operating and can signal when key components need replacement. Security thus pushes critical infrastructure closer to an IoT-enabled enterprise, Barber says.

Security personnel also are charged with tracking workers, vendors and others who  at critical infrastructure facilities. Video analytics capabilities, when paired with surveillance systems that provide facial recognition, will help critical infrastructure to improve access control, maintain security logs for entry and exits in specialized areas and better manage visitors or contractors, VanZandt says.

Manufacturing

Access control is a key issue in manufacturing, with security tasked to ensure that only the right people can get to certain places, especially sensitive production areas and inventory stores. […]

How the COVID-19 Pandemic Reinforced Hackers’ Revenue Models

The industrious and criminal-minded threat actors behind the majority of cyberattacks have reinvented their attack approaches during the ongoing COVID-19 pandemic. Since the advent of the outbreak, cybercriminals have been developing new phishing tools and hacking strategies and exploring different attack avenues to benefit from the crisis and eventually prove their cyber prowess.

By Rudra Srinivas, Feature Writer, CISO MAG

Several new cybersecurity scams and malicious activities have risen during the pandemic. According to a survey, the key cause for the emergence of these new threats is likely social distancing norms and malware authors being bored and stuck at home due to the lockdown.

COVID-19 has certainly reshaped the way darknet forums operate. CISO MAG learned four intriguing ways cybercriminals are trying to cash in on public fears.

1. Fake Products in Darknet Markets

Since the beginning of 2020, Coronavirus-related vaccines, virus testing kits, and other fake products have been peddled on the deep web and darknet markets. Hackers are taking advantage of panic as people look for safeguards against the disease. Several security experts warned that the products selling in these hacking forums are in no way real, and buyers are sure to be scammed. For instance, there are fake “vaccines” being sold on the darknet.

2. New Phishing Strategies

COVID-19-related phishing lures, scams, disinformation campaigns, weaponized websites, and malware infections have become widespread across the internet. Recently, a hacker group targeted the World Health Organization (WHO) via a sophisticated phishing attack, which involved an email hosted on a phishing domain that tried to trick the employees into entering their credentials. Researchers are noticing new types of phishing campaigns that pretend to be from authentic sources, trying to trick users into downloading malicious attachments or entering sensitive data in fake forms.

Recently, a security firm discovered that threat actors distributed malware disguised as “Coronavirus Map” to steal personal information that is stored in the user’s browser. Attackers designed multiple websites related to Coronavirus information to prompt users to click/download an application to keep themselves updated on the situation. The website displays a map (a lookalike of a genuine one) representing the COVID-19 spread. The map generates a malicious binary file and installs it on victims’ devices.

3. Demand for Ransom Soars

With organizations working remotely, the security of remote employees’ devices has become a major concern for companies across the globe. Several industry experts stated that remote work increased the risks of cyberthreats like never before. Ransomware attacks on remote workers have become an additional threat level to organizations, especially for health care providers and businesses in financial, federal, and state agencies that deal with sensitive data. The ransomware operators are forcing enterprises to pay high ransoms in order to get decryption keys. The average enterprise ransom payment increased 33% ($111,605) in Q1 of 2020 from Q4 of 2019, a survey revealed.

Information technology services provider Cognizant admitted that it is a recent victim of a ransomware attack. The IT giant stated that it was hit by Maze ransomware that caused service disruptions for some of its clients.

4. Income from Selling Credentials

Stolen user credentials and financial information have long been prevalent commodities on hacking forums. But with large swaths of remote workers depending on video conferencing apps and other virtual private networks, hackers are refocusing on these attack surfaces. As endpoint security at home is not as secure as it is in the office, attackers are trying to exploit loopholes.

Over 500,000 account credentials of video conference platform Zoom are being sold on the darknet. According to a recent investigation by IntSights’ researchers, hackers have shared a database containing more than 2,300 usernames and passwords to Zoom accounts on dark web forums. The exposed database contains usernames and passwords of personal Zoom accounts, including corporate accounts belonging to banks, consultancy companies, educational facilities, software vendors, and healthcare providers. Researchers also highlighted that they’ve found various posts and threads of dark web forum members discussing different approaches of targeting Zoom’s conferencing services.

This article first appeared in CISO MAG (www.cisomag.com).

Data Privacy and Data Security: Outsourcing to Third Parties and the Effect on Consumers, Companies, and the Cybersecurity Industry as a Whole

With the recent increase of global data privacy regulations and their ramifications on multinational organizations, it is crucial to examine the differences between data privacy and data security, why these nuances matter, and the impact they have on cybersecurity trends for not only organizations, but consumers.

Twenty years ago, data protection and information security were largely viewed as complementary activities. In today’s environment, data protection is rarely articulated without its privacy counterpart, and information security has transformed into “cybersecurity” to consider that data contains multiple threat factors.

Typically, cybersecurity is described as an intersection of three principles: confidentiality, integrity, and availability (CIA). If one of these core components fails or is otherwise wrongly configured, the resulting vulnerability could be a breach of information, commonly by means of unauthorized access, leakage, or wrongful deletion due to poor policy, risk management, or immature security practice.

Data privacy is often defined as the protection of sensitive data, typically referencing personally identifiable information (PII), such as a social security number, race, ethnicity, and age. Depending on the sector, regulation, or jurisdiction, the definition of which data is considered “sensitive” will vary and can expand beyond personal types of information to assets like trade secrets, intellectual property, or financial and operational data. The problem with this definition of data privacy is that the protection of this information is viewed more as a security attribute, lending to the longstanding proverb that you cannot have privacy without security.

If you reflect on the information trends since the turn of the last millennium, we experienced a shift to the cloud in the early 2000s, where organizations moved servers and other hardware assets to centralized vendors that maintain data center environments at scale. With this migration, the world’s first Software-as-a-Service (SaaS) companies came online at the height of the dot-com bubble.

The “as a service” business model placed a new dependence on service organizations when their customers outsourced critical elements of their supply chain for operational efficiencies or for the ability to scale quickly without having to gain expertise in an industry not core to their product. This reliance on third parties created increased security risks since more companies would now have access to the same information that was previously received, managed, and maintained all under the same roof.

The effect on consumers

Beginning in the 2010s, data breaches that affected consumers due to stolen credit card data, like those disclosed by Adobe, Target, and Home Depot, all occurring within the same year, made data security a hot topic for consumers for the first time, causing boards and regulators to inquire about the controls in place to mitigate these threats. However, it was not until recently that consumers shifted that mindset to include data privacy, after public breaches exposed health and personal information at Anthem, Uber, Adult Friend Finder, and Marriott. These data breaches made headlines, and consumers began to ask, ‘what data are you storing for me, how do you plan to use this data, and how long will it be retained?’

Lawmakers and regulators took notice of this shift to consumer protectionism and began to mandate public changes in normal business operations in lieu of federal privacy laws.

The effect on companies

With so many checkpoints to consider when engaging a new vendor, and the stakes for proper due diligence higher than ever, organizations began to turn to assessment firms for assurance around these security controls. Assistance is needed because companies are unable to audit every service provider that might interact with user or customer data. In the United States, an organization may request a System and Organization Controls (SOC) 2 report, an examination by a competent Certified Public Accountant (CPA) of their security controls based on set criteria. Or they may seek ISO 27001 certification, an accredited, point-in-time report on the conformity of their activities to requisite management processes and control objectives, establishing a baseline for what is considered a minimum state of security maturity.

Due to the shift in consumer focus on privacy considerations, globally recognized assurance programs have only recently been developed. In August 2019, the International Organization for Standardization (ISO) released the ISO 27701 standard – requirements and guidance for establishing a Privacy Information Management System (PIMS) for organizations that are controllers and/or processors of sensitive information like PII. While data privacy legislation had been around for several years through mechanisms like the EU-U.S. Privacy Shield and, more recently, the General Data Protection Regulation (GDPR), ISO 27701 is the first assurance program that organizations could certify demonstrating their commitment to privacy based on the legal context affecting their data subjects.

In the months following the release of ISO 27701, organizations such as Alibaba, Huawei, Microsoft, Accenture, Blackhawk Network, and OneTrust have certified to the new standard; however, these certified organizations plus a multitude of others looking to match the achievement have quickly realized that privacy hygiene requires different resources and in-house skill sets than were needed with their security program.

The challenges of incorporating data privacy

One of the top challenges security teams face when building a privacy program on top of their existing security management system is how to expand the enterprise risk assessment to include risks that threaten the protection of PII. They inherently gravitate towards thinking about this new taxonomy of risk in terms of the foundational CIA principles, but neglect to consider the rights of the data subject. As a result, they have been forced to merge security personnel with privacy personnel to complete this task, which now exposes a new problem – many organizations do not have privacy personnel.

Looking at some Fortune 500 organizations, job titles such as Chief Security Officer or Chief Information Security Officer (CISO) are far more commonplace than Chief Privacy Officer. Often, the privacy function of an organization is absorbed by General Counsel or outsourced to law firms kept on retainer. Early ISO 27701 certification plans at the largest processors of personal information in the world have been halted after discovering their security departments have little to no connection to their in-house privacy teams, if they exist at all. This results in a remediation only possible through a major shift in the organizational chart or hiring of competent personnel.

Cyber Work Podcast: Growing the number of women in cybersecurity with Olivia Rose

Introduction

Cybersecurity is a field on the cutting edge, yet when it comes to gender parity, there’s still much progress to be made. For women, breaking into a male-dominated field like cybersecurity comes with a unique set of challenges.

Data from the (ISC)² Cybersecurity Workforce Report reveals that the landscape of women in cybersecurity is complex and — at least in some ways — evolving:

  • Women make up 24% of the cybersecurity workforce — a major increase from 11% in 2017
  • Women earn more degrees and cybersecurity certifications on average
  • More women than men hold leadership roles like IT Director, CISO and CIO

Seeing these numbers on the rise is exciting and encouraging. However, not all of the statistics are positive:

  • Of women in cybersecurity, 56% will leave to pursue jobs in another field
  • 17% of women earn salaries between $50,000 and $99,999, compared to 29% of men
  • Women in security management roles earn an average of $5,000 less than men in the same roles

In Infosec’s podcast “Growing the Number of Women in Cybersecurity,” Olivia Rose, the director of global executive risk solutions at Kudelski Security, shares her experiences as a woman in the field and offers some valuable advice to women considering a career in the cybersecurity world.

What can companies do to encourage women and minorities to take cybersecurity jobs? And just as important, how can companies encourage them to stay?

Network to overcome isolation

For many women working in cybersecurity, it’s unfortunately easy to feel like a stranger in a strange land. It’s not uncommon to be the only woman on a team or in an entire department, and the feeling of being the “odd woman out” can be enough to drive women to look for jobs in fields with better minority representation.

This leads us to the million-dollar question: what can cybersecurity companies do to make women feel less isolated at work? In this case, the most obvious answer (hire more women) is only one part of the equation, since retention rates for women in cybersecurity are also quite low.

According to Rose, access to networking opportunities is vital. Encouraging women to participate in conferences and professional groups can help them meet other women in the field and foster the sense of community they’ve been missing at work. For women trying to get their foot in the door, Rose suggests volunteering at conferences because it waives the fee! RSA, SecureWorld and ISACA are just a few of the many conferences available to women in information security.

Close the confidence gap

Self-doubt and insecurity can loom over women’s cybersecurity careers like storm clouds on an otherwise sunny day. Many women experience Imposter Syndrome, which is the perception that they’re not as skilled or as smart as their colleagues or that they’re not good enough for the job.

Although men can also experience extreme self-doubt at work, women and minorities are much more susceptible to it. Why? It largely stems from feeling like an outsider. This feeling of being on the outside looking in has ramifications on women’s careers in cybersecurity.

Many women feel the need to prove their skills with certifications and degrees. On average, women in cybersecurity hold more certifications than their male colleagues. They’re also more likely to earn a postgraduate degree, according to the (ISC)² Cybersecurity Workforce Report. Rose has experienced this herself, saying, “You have to know your stuff. You may have to know your stuff more than the five other guys in the room.”

How can we help women feel more confident in cybersecurity jobs? Networking and mentorship are two powerful strategies. Since self-doubt is something that can’t be fought in isolation, connecting women with peers who understand what they’re going through can be immensely beneficial.

Recruit from non-traditional backgrounds

Despite the long-running debate on the value of a college degree in cybersecurity, many recruiters still prefer to hire people with degrees in STEM. That alone disqualifies a huge number of professionals, many of them women, who would make a big contribution to the field.

To hire more women in information security roles, recruiters will have to break the mold and look beyond traditional education requirements. Why? Because women don’t graduate from STEM programs at the same rate as men. In the 2015-2016 school year, women earned only 18.7% of bachelor’s degrees in computer and information sciences.

Here Come 5G IoT Devices: What Is “Reasonable Security”?

After years of waiting for 5G technology to transform industry and consumer devices, developments at this year’s Consumer Electronics Show suggest that 2020 may finally be the year when US companies make the leap.  Early signs show the healthcare and manufacturing sectors will lead the way this year in incorporating 5G and connected devices into their operations.

If the prognosticators are correct, our smart watches will soon talk to our refrigerators and order healthy groceries online.  And our doctors may receive real-time health updates from our workout equipment, pharmacies, and implanted medical devices.

The combination of 5G and the projected explosion in the number of IoT devices has industry excited and the government focused on data security. 5G will allow massive evolution of products and services, leading to autonomous vehicles, remote surgery, and greater connectivity, automation, and precision in industrial manufacturing. This coming integration and reliance on connected devices—the Internet of Things (IoT)—raises myriad new privacy and security concerns, and lawmakers and regulators are ready to take action.

The New Year brought new state laws in California and Oregon focusing specifically on security requirements for connected devices.  The laws are the first in the nation, and portend a coming wave of laws, lawsuits, and regulatory actions focused specifically on data security.  Lawmakers are wrestling with how to keep consumers safe in the face of rapid technological advancement, and are falling back on the concept of “reasonable security” to bridge the gap.  But reasonable security may not be an easy standard for engineers to implement.

The California and Oregon laws require manufacturers of connected devices to integrate reasonable security measures that are (1) appropriate to the nature and function of the device; (2) appropriate to the information the device may collect, contain, or transmit; and (3) designed to protect the device and its information from unauthorized access, destruction, use, modification, or disclosure.

This may seem like a simple threshold, but these laws’ definition of “connected devices” is expansive, potentially expanding the scope to include security cameras, household assistants, vehicles, and in the case of California, industrial manufacturing equipment.  Each different category of device is going to have a different level of sophistication, different uses, different interaction with data, and different manufacturing requirements.  What may be reasonable for a wifi-enabled juicer is not going to be reasonable for a connected vehicle.

The increasing inability of laws and policies to keep pace with advancements in technology means that efforts to address these issues are going to be crafted in an overly broad and flexible manner.  The California and Oregon laws, as well as similar efforts at the federal level, reflect a struggle to empower the government to address problems, the exact contours of which are not completely known or understood.  Rather than be behind the curve of a particular problem, these laws impose broad requirements that will evolve over time.

At the same time, laws run the risk of codifying standards that may be inapt or quickly become obsolete.  The California and Oregon laws provide that “reasonable security” can be satisfied by equipping a device with a unique preprogrammed password or a requirement that the user generate a new means of authentication before gaining access to the device for the first time.  This may be reasonable for some devices, but the law also covers devices where a compromise in security could result in significant physical harm, and where more stringent security requirements would be appropriate.

As security and encryption approaches continue to advance, the password requirements codified in the laws may actually be disincentives to the adoption of more effective—and reasonable—security practices. This leaves engineers asking the question: what is reasonable security?

Unfortunately, “it depends” is the answer right now. Until regulators offer guidance on how they are going to interpret the requirements, or develop those standards through various enforcement actions, it will be up to manufacturers to develop industry-wide standards for what constitutes “reasonable security.” This may be particularly challenging in light of the expansive scope of these laws. The California Attorney General, at least, has previously endorsed the Center for Internet Security’s Critical Security Controls as a baseline for reasonable security. And some industries, like the automotive industry, already have good track records and mechanisms to establish industry standards. Emerging industries and existing companies unfamiliar with IoT and 5G may not be in such an advantageous position.

Supercomputers Recruited to Work on COVID-19 Research

A consortium forms to crunch data that might help researchers get a better understanding of the virus faster.

A convergence of technology resources is being put to work to find answers in the fight against COVID-19. The White House Office of Science and Technology Policy and the U.S. Department of Energy reached out to the technology sector, bringing together IBM and other supercomputing powerhouses to support research into the virus.

The combination of private industry, academic resources, and government entities thus far has assembled 16 supercomputer systems that boast some 775,000 CPU cores and 34,000 GPUs. That computing power is tasked with running huge calculations for molecular modeling, epidemiology, and bioinformatics in order to hasten the research time spent on the virus.

Spearheaded by IBM, the key partners in the COVID-19 High Performance Computing Consortium include Amazon Web Services, Google Cloud, Microsoft, Massachusetts Institute of Technology, Rensselaer Polytechnic Institute, NASA, and others. The consortium is accepting research proposals online, then matching researchers with computing resources that might best accelerate their efforts.

John Kolb, vice president, information services and technology and chief information officer at Rensselaer Polytechnic Institute (RPI), says high-performance computing is an area of expertise for the university. “We’re on our third-generation supercomputer, an IBM DCS system, that we put in place in November,” he says. “It’s the most powerful supercomputer for a private university in the country.”

Kolb says the supercomputer’s architecture is meant to move data in and out of memory very quickly in large quantities. That lets users take on data-intensive problems. “It’s also very well-suited for some of the machine learning and AI things our researchers are involved with,” he says.

The effort to fight COVID-19, Kolb says, may include a lot of modeling of very large data sets once they become available. “You can start to look at issues around the spread of the virus and mitigation of the spread,” he says. “There could be some drug repurposing and perhaps development of new therapeutic candidates.”

There may be opportunities for new materials to filter out the virus, Kolb says, or to create items that are in short supply now.

RPI uses the Summit supercomputer architecture system, which is the same system as some of the Department of Energy labs, he says. “It will be interesting to see if we can have runs here that scale up on Summit or do we have runs on Summit that we could take over.” Kolb believes most of the problems the consortium will deal with may be multivariant. For example, that could mean taking into account the number of people, density, the effectiveness of social distancing, and the capacity of hospitals. “We’re clearly trying to explore some things that may have some great promise, but there’s some great computing and science that need to come into play here,” Kolb says.

The greater emphasis in recent years on technology and compute in the public, private, and academic sectors may mean there can be more hands on deck to support research into the virus. “COVID-19 is going to see a fair amount of data analytics and the use of AI and machine learning tools to think through what are the most promising possibilities going forward,” Kolb says. “Across the country and world, we’re developing much more expertise in this area.”

IBM got involved in this fight believing it could coalesce a team around bringing computational capability to bear on investigating the virus, says Dave Turek, vice president of technical computing at IBM Cognitive Systems. “It was prompted by experiences IBM’s had applying computational biology, molecular dynamics, and material science to a variety of scientific problems,” he says.

Bringing scientific perspective and computing expertise together, Turek says, could create a set of resources that can be used broadly. It also gives researchers access to supercomputing they might not otherwise have, he says. “It’s a massive, massive amount of computing,” he says.

The way the consortium is established, other interested organizations can make their resources available as well, Turek says. “This is really a clearinghouse,” he says. “We have scientists and computer scientists sitting on review committees on proposals that are coming in to ensure the science is dedicated to the most appropriate platform to the task at hand.”

The momentum and application of technology such as supercomputers that was already underway could help narrow the time research efforts may take. “Even inside IBM, we did modeling on the evolutionary pathways of H1N1,” Turek says. “Those skills and experiences have been scaled up and leveraged over time.”