For this week’s “In the News”, locate an article that discusses one of the following:
- new security threats
- changing security threats
- reduced security threats?
In regards to the threats that you have identified, how does the threat change the steps that the organization would take to mitigate, or lessen, the risk from that threat?
Oby Okereke says
Changing security threats – Business Email Compromise – BEC
_________________________________________________________________________________________________
https://www.darkreading.com/vulnerabilities---threats/business-email-compromise-thinking-beyond-wire-transfers/d/d-id/1335325
Though business email compromise has been an existing threat for a while, it seems to have earned its place as a growing cyber threat, gaining an eminent place going by the latest news on data breaches and compromise. The worst part of this threat is that it cannot be patched due to the fact that it relies on social engineering – people are always the weakest links.
To quote the cited article, “the number of reports describing BEC incidents has rapidly grown from a monthly average of nearly 500 in 2016 to more than 1,100 in 2018, the Financial Crime Enforcement Network (FinCEN) says in its July 2019 Financial Trend Analysis. The total value of attempted BEC threats climbed from an average of $110 million per month in 2016 to $301 million per month in 2018.”
As awareness of the scam grows, the methods used by the attackers have evolved and seem to be quick to mutate based on a specified target. On the other side of the divide, the security industry has also risen to the challenge to design tools that will help to combat this security threat. Some notable tools such as Writing Style DNA, which is used by Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™, help detect email impersonation tactics used in BEC and similar scams.
Some other steps that organizations need to take to lessen the risk from BEC include security awareness training geared towards understanding the need to verify approvals of funds or CEO or other authorized signatories to company funds and instructions. Since BEC is mostly conducted via email, implementing domain-based message authentication and reporting conformance (DMARC) will help mitigate its success.
DMARC is an email authentication, policy, and reporting protocol that builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.
Frederic D Rohrer says
Qualcomm chipset vulnerabilities highlight an increase in hardware vulnerabilities.
https://blog.firosolutions.com/exploits/qualcomm/
Many chip makers are now affected by vulnerabilities with cause in the hardware design of the chip, not a software mistake. Intel’s cores are vulnerable due to predictive queue processing and pipelining; meanwhile, Qualcomm chips are now found to be vulnerable against many injection methods involving data pointers. This affects GPS coordinate decoding functions, h265 encoding and others. It highlights that hardware design security is being exploited more and more.
Sheena L. Thomas says
Interesting read. You would think in 2019 chip developers would incorporate security into their development, design and implementation ?!!?!? At what point are industry folks going to realize that you cannot create something without considering the vulnerabilities that can be created.
Duy Nguyen says
https://www.securityweek.com/new-protection-scheme-makes-weak-passwords-virtually-uncrackable
New password scheme provides organizations better protection even with weaker password policies. According to researchers, passwords are stored in databases and are vulnerable to exploits. With PolyPasswordHasher, passwords are not stored on the database but only information used to encode the passwords is. With this schema, even if the database were to be exploited, hackers would only have encoding information and not the passwords themselves, essentially creating another level of password protection for the organization.
Dima Dabbas says
Duy,
This is an interesting article as the idea of not storing the passwords directly in the database may provide better protection of this data. This ensures that if organizations were attacked and the attackers were able to access the database, they won’t be able to retrieve passwords and use them for access but rather only be able to retrieve the encoding information for these passwords.
Elizabeth V Calise says
I know this is off topic but it is related to passwords. When it comes to US banking, typically it is a username and a password that you need to provide. When it comes to paying bills, loans – you will enter your banking information on the website to make payments. I recently learned how banking works with customers in other countries. For example, in some countries, it is more than just a password and username – the bank provides a token as well. For example, it may take a username, password and token. If you have a country device, you can do something like mobile bank ID where you type in your phone number and birthdate, then a verification pops up on the phone and you accept but then need to enter a PIN. Compared to the US – I think there are much better ways than only a username and password. I feel like the US is a bit behind in this way when it comes to its customers.
Sheena L. Thomas says
I think they should use Multi factor authentication. This would almost eliminate password compromises.
Scott Radaszkiewicz says
Is AI Fundamental to the future of cybersecurity?
https://www.csoonline.com/article/3402018/is-ai-fundamental-to-the-future-of-cybersecurity.html
I find the whole Artificial Intelligence (AI) or Machine Learning (ML) element intriguing. AI is being used to combat cyber attacks, as well as proliferate them. This is a pretty good article about how AI is instrumental in the world today.
What is the danger: an attacker will gain access to an organization’s system. Then, using AI, it will learn the interior and make intelligent decisions to help it pivot around and avoid security defenses. For instance, if the attack finds a certain antivirus system deployed on a workstation, it might alter its attack and use a different method of infiltration based on what it finds.
Conversely, AI is being used to combat attacks. Systems “learn” what is happening on a system and make decisions to allow or deny access to resources based on what the particular program is doing. This helps cyber security professionals protect systems based on behaviors of attacks, not just the exact pattern of an attack. As cyber security continues to evolve over the next few years, I believe AI will be a major part of the attacks, as well as the defense.
Brock Donnelly says
https://technical.ly/dc/2019/07/29/5-cybersecurity-threats-you-should-be-concerned-about-right-now/
Steven Freidkin, CEO of Ntiva, lists five threats you should be currently concerned with and their mitigations.
Trend 1: Attackers are targeting the small fish to land the big ones. We are seeing this phenomenon increase daily. A lot of these large breaches are coming from weak partner security. The Solution: Multifactor Authentication (MFA). I would like to add iron-clad SLAs and employee security awareness training.
Trend 2: Rise in phishing as the vehicle for attacks. Phishing is not new but their effectiveness for launching additional attacks is high. New forms of phishing are becoming known as Whaling and Spear. The Solution: Phishing Prevention Training.
Trend 3: Basic anti-virus is proving less and less effective against sophisticated attacks. With more sophisticated attacks and ransomware further solutions are needed for complete protection. The Solution: Advanced Endpoint Protection
Trend 4: Spam filters aren’t keeping up. Hackers are using spam and phishing as their initial attack to gain higher value data. There is no known program for human discretion which is the best prevention. The Solution: Phishing Prevention Training and Advanced Endpoint Protection
Trend 5: The nature of due diligence is changing. An investment in advanced measures is far less expensive than the cost resulting from a data breach. The DoD now requires that contractors not only have MFA but also full IDSs. The baseline for protection is shifting. The Solution: MFA, Phishing Prevention Training, Endpoint Protection, Intrusion Detection
Sheena L. Thomas says
Yes, Phishing attacks are not new but they are becoming more and more sophisticated. It’s becoming difficult to explain to an end user why a certain email is phishing because they look real.
Dima Dabbas says
7 mobile security threats you should take seriously in 2019
https://www.csoonline.com/article/3241727/7-mobile-security-threats-you-should-take-seriously-in-2019.html
This article discusses how mobile security is the top security concern in most organizations. Most employees these days can access their organization’s data from within mobile devices. Accessing the servers and data of an organization from within mobile devices makes the process of securing this data a very difficult process. The article identifies the area in which mobile devices can present risks. The first is data leakage as the mobile devices can fall in the wrong hands and cause unauthorized access to sensitive information. The next risk is social engineering which isn’t particularly specific to mobile devices but organizations need to focus on educating and training their employees to be more aware of the importance of security. Wi-fi interference is another risk that mobile devices introduce to organizations as mobile devices connect to various networks that transmit the data. The use of out of date devices is another risk to mobile devices as not all mobile devices may be updated on a regular basis which may mean that these devices contain bugs or vulnerabilities that have not been addressed.
From this article, we can see that organizations need to have strict security policies in place to ensure the employees comply with these policies and are aware of the risks and threats they may pose to the organization if they are not compliant.
Ahmed A. Alkaysi says
https://securityboulevard.com/2019/01/the-emergence-of-geopolitical-fueled-cyber-attacks/
I think geopolitical security threats are continuing to increase and become more elaborate, especially since we are coming close to the next election. The majority of nation sponsored attacks have been from Russia, China, North Korea, and Iran. 60% of the attacks included lateral movement within the network. These threats have only increased with the heightened tensions regarding Iran and North Korea specifically. The trade war with China has also not helped things, as Huawei has been under the microscope. I think this threat will only increase and continue to evolve. It’s important for not only organizations to have good defense against these types of attacks, but the general public should remain diligent in responding with sensitive information in social media such as LinkedIn, which has become a favorite for attackers.
Jonathan Duani says
I think this is a really interesting and really real threat to the aerospace industry. I think that we may be seeing this more and more, especially with a lot of the new car manufacturers installing over the air updates and technologies directly into the ECM of the vehicles. Since the technology is so new, who knows what vulnerabilities and vetting it has gone through, and it could be easy access for an experienced hacker. I think especially with this article, even though access at airports is already really restricted, I think the people who work at them need to be even more closely scrutinized because if the wrong person can get to a plane it could really be catastrophic.
Source: https://www.apnews.com/6219f26c3ea145b6b29b5e69115504a9
Elizabeth V Calise says
Jonathan,
This is a good read. This article reminded me of another hack that happened within the past three years. I don’t remember all the details but I believe some type of navy ship or something of the like was hacked. Nonetheless, I think this is a growing topic, especially for companies like Boeing who sell aircraft. Unfortunately, I think we will see more of this.
Elizabeth V Calise says
Cryptojacking in 2019 is not dead – it’s evolving!
Cryptojackers have shut down university networks and government websites. But there has been one case that attracted a lot of attention, and that is the use of Coinhive mining service focused on mining Monero.
With the closure of Coinhive it appeared that cryptojacking might be coming to an end. Coinhive was a cryptocurrency mining service that relied on a small chunk of computer code installed on websites.
However, although Coinhive was not an inherently malicious code, it became popular among hackers for cryptojacking. The more people visited a site, the more processing power was siphoned off to mine Monero.
The platform had seemed like a good idea until the software went on to form the foundation of the notorious cryptojacking malware that ended up affecting millions of user devices, spiking electricity bills, and draining batteries to secretly and illicitly mine cryptocurrency.
Coinhive announced that it would be shutting down operations on 8th March 2019, and many thought that would be the end of intensive cryptojacking activity.
Coinhive was far from the only cryptojacking malware on the market.
The threat can come from other forms of malware such as banking trojans, credential stealers and pieces of malware which sit on machines.
It may be good news that Coinhive has closed down, but we cannot be complacent and believe the threat of cryptojacking has gone away. As long as there is cryptocurrency for the taking, cryptojackers will be evolving their tactics for getting their hands on it, and we need to be more vigilant than ever.
https://hackernoon.com/cryptojacking-in-2019-is-not-dead-its-evolving-984b97346d16
Steve Pote says
Regulatory, specifically the idea of disposal and remanence, is a new and terrifying idea.
Beyond bad guys and natural disasters, the idea that somewhere in a basement closet there is a backup hard drive with ~who knows what from who knows when~ for which someone is somehow liable is actually fairly certain.
As awareness of our surrender of privacy increases the level of liability increases.
As much as GDPR has its own growing and enforcement pains and only applies if you want to do business in Europe, it still points to the best means to mitigate the risk of a shelved HDD or archived database…after you are done with it…get rid of it. Purge it.
https://www.schneier.com/essays/archives/2016/03/data_is_a_toxic_asse.html
Steve Pote says
I probably could have used this as a primary topic.
Lost privacy, honest mistakes and a fair mop-up (and very close to home).
I keep seeing the ~not storing it in the first place~ solution as best mitigation.
https://temple-news.com/personal-information-of-160-students-exposed-for-three-weeks-on-temple-website/
Sheena L. Thomas says
Reducing the threat of phishing attacks.
Phishing is gaining unauthorized access to resources, systems, data, etc. Phishing attacks have become increasingly sophisticated, making it difficult for the end user to determine if an email, text message, and/or phone call is legitimate. Users who fall victim to this attack can either cost the company thousands of dollars and/or lose their own money.
I think the following factors can reduce the threat of phishing attacks.
1. Multi factor authentication,
2. Anti spoofing protections,
3. Digital signatures,
4. Security awareness and training
More and more phishing attacks are conducted through spoofed emails and/or compromised accounts (stolen credentials). If you implement protections around email and stolen credentials (multi factor authentication) this can greatly reduce the amount of successful phishing attacks.
https://healthitsecurity.com/news/how-multi-factor-authentication-can-combat-phishing-cyberattacks