26% of remote workers have experienced a cyber attack personally, while 45% of employers have asked their employees to use their personal devices for work since the start of the pandemic, according to Microsoft research.
The study surveyed 500 employees and 200 business decision makers in September 2020 about remote working, digital security behaviours, and the worries they now face.
The accelerated transition to homeworking is placing pressure on organizations to support the unavoidable blending of personal and professional lives more than ever before.
However, this naturally creates new risks, including the increased risk of cyber attacks. This was reflected in the research which showed that only 17% of remote workers currently believe that the software and technology provided has done enough to protect their data.
This could be in some way due to the pace at which employers had to transition to remote working environments, with 36% of employers admitting they have spent the past few months putting in place the security, privacy, and workplace procedures required for today’s remote working world.
Remote workers’ information protection concerns
76% of workers were surprised with how well they had adapted to remote working. However, one in five employees feel their data is more vulnerable when working from home due to the absence of regular IT support.
The research points to some potentially dangerous cybersecurity issues amongst remote workers:
- Personal emails: 30% of workers still use personal email accounts to share confidential work materials.
- Poor password hygiene: One third of workers use the same password to log into work and personal devices.
- Unregulated access: 43% face no security restrictions when accessing work-related documents and materials remotely.
Employers’ security management concerns
One of the most concerning findings is that organizations are potentially side-stepping their own security procedures in the name of expediency:
- Reactive approach: One third of employers acknowledge they are exposed since they had to make remote-working decisions and transitions so quickly.
- Lack of devices: 45% of employers have had to ask their employees to use their personal devices for work purposes since the start of the pandemic.
- No remote BYOD policies: 42% of employers are yet to secure those remote employees’ personal devices.
Furthermore, 41% of employers acknowledge it has become increasingly difficult to remain GDPR compliant because of the pandemic.
The report identified an escalation in both the level and sophistication of attacks. For example:
- Over 13bn malicious and suspicious mails were blocked, out of which more than 1bn were URLs set up for the explicit purpose of phishing credential attacks in 2019.
- Ransomware is the most common reason behind Microsoft’s incident response engagements from October 2019 through July 2020.
- The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and VPN exploits.
- IoT threats are constantly expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019.
Des Ryan, Solutions Director for Microsoft Ireland, said: “Cyber hackers are opportunistic, skilled, and relentless. They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute or finding new ways to hide their work.
“While our physical work locations may have changed, our responsibilities in protecting organizational data and complying to data regulations have not. Now is the time to address this with an increased investment in cybersecurity, secure devices, tighter policies, increased support, and education for employees so they can play an important role in not only protecting themselves but also their organizations.”
Cloud-based services and hybrid working
When asked about the future, 58% believe they will have a hybrid workforce in future as more staff work from home more of the time and others are in the office.
57% felt more positive about using cloud-based services, including productivity tools.
Remote priorities: Training, support and investment
However, the research shows that Irish organizations understand there is a gap with 41% admitting they are behind the curve when it comes to having the right digital services and technologies in place to deal with new working realities.
As a result of the move to remote working, employers are focused on investment in digital security. The research found:
- 38% of organizations have already increased the level and detail of cybersecurity training for staff who are working from home.
- A further 52% will prioritise investing in training in 2021.
- 44% of workers would also welcome alternatives to passwords, with biometric verification (fingerprint or facial recognition) being the most popular options.
The AI in cybersecurity market is projected to generate a revenue of $101.8 billion in 2030, increasing from $8.6 billion in 2019, progressing at a 25.7% CAGR during 2020-2030, ResearchAndMarkets reveals.
The market is categorized into threat intelligence, fraud detection/anti-fraud, security and vulnerability management, data loss prevention (DLP), identity and access management, intrusion detection/prevention system, antivirus/antimalware, unified threat management, and risk & compliance management, on the basis of application. The DLP category is expected to advance at the fastest pace during the forecast period.
Malicious attacks and cyber frauds growing rapidly
The number of malicious attacks and cyber frauds has risen considerably across the globe, which can be attributed to the surging penetration of the internet and the increasing utilization of cloud solutions.
Cyber fraud, including payment and identity card theft, accounts for more than 55% of all cybercrime and leads to major losses for organizations if it is not mitigated. Owing to this, businesses these days are adopting advanced solutions for dealing with cybercrime in an efficient way.
This is further resulting in the growth of the global AI in cybersecurity market. AI-based solutions are capable of combating cyber frauds by reducing response time, identifying threats, and refining techniques for distinguishing attacks that need immediate attention.
The number of cyber-attacks has also been growing because of the surging adoption of the BYOD policy all over the world. It has been observed that the policy aids in increasing productivity and further enhances employee satisfaction.
That being said, it also makes important company information and data vulnerable to cyber-attacks. Employees’ devices have wide-ranging capabilities, and IT departments are often not able to fully qualify, evaluate, and approve each and every device, which can pose a high security threat to confidential data.
DLP systems utilized for enforcing data security policies
AI provides advanced protection via the machine learning technology, and hence offers complete endpoint security. The utilization of AI can efficiently aid in mitigating security threats and preventing attacks.
DLP plays a significant role in monitoring, identifying, and protecting the data in storage and in motion over the network. Certain specific data security policies are formulated in each organization and it is mandatory for the IT personnel to strictly follow them.
DLP systems are majorly utilized for enforcing data security policies in order to prevent unauthorized usage or access to confidential data. The fraud detection/anti-fraud category accounted for the major share of the market in 2019 and is predicted to dominate the market during the forecast period as well.
The AI in cybersecurity market by region
Geographically, the AI in cybersecurity market was led by North America in 2019, as stated in the publisher’s report. A large number of companies are deploying cybersecurity solutions in the region, owing to the surging number of cyber-attacks.
Moreover, the presence of established players and high digitization rate are also leading to the growth of regional domain. The Asia-Pacific region is expected to progress at the fastest pace during the forecast period.
In conclusion, the market is growing due to increasing cybercrime across the globe and rising adoption of the BYOD policy.
One Identity released a global survey that reveals attitudes of IT and security teams regarding their responses to COVID-19-driven work environment changes. The results shed insight into IT best practices that have emerged in recent months, and how organizations rushed to adopt them to maintain a secure and efficient virtual workplace.
Cloud computing has been a lifesaver
99% of IT security professionals said their organizations transitioned to remote work because of COVID-19, and only a third described that transition as “smooth.” 62% of respondents indicated that cloud infrastructure is more important now than 12 months ago.
Thirty-one percent attributed this shift directly to COVID-19. The cloud has become front and center to the new working reality, creating flexibility for employees.
These results demonstrate that the previous level of attention to cloud deployments, while notable, does not appear to have been nearly enough to accommodate the dramatic computing shift across organizations.
“This research makes it clearly evident that cloud computing has been a lifesaver for many enterprises as IT teams pivoted and supported the massive shift to working away from offices,” said Darrell Long, president and general manager at One Identity.
“While we knew the pandemic-driven changes were sudden, what was particularly notable was how strongly the results proved that organizations had to turn their focus on the immediate challenges presented by the aggressive move to cloud computing, chiefly finding solutions that streamlined administering and securing who has access to what and how.”
Higher priority on access request technologies
Shifts in priorities indicate organizations are turning their focus on tackling the security basics. When compared to 12 months ago, 50% of respondents are placing a higher priority on access request technologies, and 31% said this change in prioritization is because of COVID.
Identity/access lifecycle management, identity process and workflow, and role management all saw increased priority among at least half of those surveyed.
Perhaps shell shocked, only 45% of IT security professionals indicated they are prepared for the IT changes necessary when their employees move back to organizations’ offices, according to survey results. Yet, 66% expressed increased confidence in the effectiveness of their identity management programs post COVID-based changes.
“We now know the truth: the COVID pandemic did not change the need to be productive, nor did it change the regulatory compliance requirements companies face, but clearly IT and security teams scrambled to shift their systems to accommodate work from home in a secure and controlled way,” said Long.
“Companies and organizations were helped to an extent by cloud investments that prepared them pre-COVID. However, most of them are still dealing with new challenges as employees adapt, IT and security teams effectively respond to the challenge of providing effective processes for gaining access to the resources needed for the workforce to do their jobs and security challenges associated with this new working environment.”
Earlier this year, businesses across the globe transitioned to a remote work environment almost overnight at unprecedented scale and speed. Security teams worked around the clock to empower and protect their newly distributed teams.
Protect and support a remote workforce
Cisco’s report found the majority of organizations around the world were at best only somewhat prepared in supporting their remote workforce. But, it has accelerated the adoption of technologies that enable employees to work securely from anywhere and on any device – preparing businesses to be flexible for whatever comes next. The survey found that:
- 85% of organizations said that cybersecurity is extremely important or more important than before COVID-19
- Secure access is the top cybersecurity challenge faced by the largest proportion of organizations (62%) when supporting remote workers
- One in two respondents said endpoints, including corporate laptops and personal devices, are a challenge to protect in a remote environment
- 66% of respondents indicated that the COVID-19 situation will result in an increase in cybersecurity investments
“Security and privacy are among the most significant social and economic issues of our lifetime,” said Jeetu Patel, SVP and GM of Cisco’s Security & Applications business.
“Cybersecurity historically has been overly complex. With this new way of working here to stay and organizations looking to increase their investment in cybersecurity, there’s a unique opportunity to transform the way we approach security as an industry to better meet the needs of our customers and end-users.”
People worried about the privacy of their tools
People are worried about the privacy of remote work tools and are skeptical whether companies are doing what is needed to keep their data safe. Despite the pandemic, they want little or no change to privacy requirements, and they want to see companies be more transparent regarding how they use their customers’ data.
Organizations have the opportunity to build confidence and trust by embedding privacy into their products and communicating their practices clearly and simply to their customers. The survey found that:
- 60% of respondents were concerned about the privacy of remote collaboration tools
- 53% want little or no change to existing privacy laws
- 48% feel they are unable to effectively protect their data today, and the main reason is that they can’t figure out what companies are doing with their data
- 56% believe governments should play a primary role in protecting consumer data, and consumers are highly supportive of the privacy laws enacted in their country
“Privacy is much more than just a compliance obligation. It is a fundamental human right and business imperative that is critical to building and maintaining customer trust,” said Harvey Jang, VP, Chief Privacy Officer, Cisco. “The core privacy and ethical principles of transparency, fairness, and accountability will guide us in this new, digital-first world.”
78% of SMBs indicated that having a privileged access management (PAM) solution in place is important to a cybersecurity program – yet 76% of respondents said that they do not have one that is fully deployed, a Devolutions survey reveals.
While it’s a positive trend that the majority of SMBs recognize the importance of having a PAM solution, the fact that most of the respondents don’t have a PAM solution in place reflects that there is inertia when it comes to deployment.
SMBs are not immune, company size doesn’t protect from cyberattacks
Global cybercrime revenues have reached $1.5 trillion per year. And according to IBM, the average price tag of a data breach is now $3.86 million per incident. Despite these staggering figures, there remains a common (and inaccurate) belief among many SMBs that the greatest security vulnerabilities exist in large companies.
However, there is mounting evidence that SMBs are more vulnerable than enterprises to cyberthreats – and the complacency regarding this reality can have disastrous consequences.
“SMBs must not assume that their relative smaller size will protect them from cyberattacks. On the contrary, hackers, rogue employees and others are increasingly targeting SMBs because they typically have weaker – and, in some cases, virtually non-existent – defense systems.
“SMBs cannot afford to take a reactive wait-and-see approach to cybersecurity because they may not survive a cyberattack. And even if they do, it could take several years to recover costs, reclaim customers and repair reputation damage,” said Devolutions CEO David Hervieux.
Key findings from the survey
To dig deeper into the mindset of SMBs about cybersecurity, Devolutions conducted a survey of 182 SMBs from a variety of industries – including IT, healthcare, education, and finance. Some notable findings include:
- 62% of SMBs do not conduct a security audit at least once a year – and 14% never conduct an audit at all.
- 57% of SMBs indicated they have experienced a phishing attack in the last three years.
- 47% of SMBs allow end users to reuse passwords across personal and professional accounts.
These findings reinforce the need for better cybersecurity education for smaller companies.
“Conducting this survey reaffirmed to us that while progress is being made, there is still a lot of work to do for many SMBs to protect themselves from cybercrime. We plan to conduct a survey like this each year so that we can identify the most current trends and in turn help our customers address their most pressing needs,” added Hervieux.
Protect from cyberattacks: The role of MSPs
One way for SMBs to close the cybersecurity gap is to seek out a trusted managed service provider (MSP) for guidance and implementation of cybersecurity solutions, monitoring and training programs. Because SMBs do not typically have huge IT departments like their enterprise counterparts, they often look to outside resources.
MSPs have an opportunity to strengthen their relationship with existing customers and expand their client base by becoming cyber experts who can advise SMBs on various cybersecurity issues, trends and solutions – as well as offer the ability to promptly respond to any security incidents that may arise and take swift action.
“We expect more and more MSPs will be adding cybersecurity solutions and expertise to their portfolio of offerings to meet this demand,” Hervieux concluded.
Prevent privileged account abuse
Organizations must keep critical assets secure, control and monitor sensitive information and privileged access, and vault and manage business-user passwords – all while ensuring that employees are productive and efficient. This is not an easy task for SMBs without the right solution in place.
Many PAM and password management solutions on the market are prohibitively expensive or too complex for what SMBs need.
Amazon Web Services (AWS) has made available three new S3 (Simple Storage Service) security and access control features:
- Object Ownership
- Bucket Owner Condition
- Copy API via Access Points
Object Ownership is a permission that can be set when creating a new object within an S3 bucket, to enforce the transfer of new object ownership onto the bucket owner.
“With the proper permissions in place, S3 already allows multiple AWS accounts to upload objects to the same bucket, with each account retaining ownership and control over the objects. This many-to-one upload model can be handy when using a bucket as a data lake or another type of data repository. Internal teams or external partners can all contribute to the creation of large-scale centralized resources,” explained Jeff Barr, Chief Evangelist for AWS.
But with this setup, the bucket owner doesn’t have full control over the objects in the bucket and therefore cannot use bucket policies to share and manage objects. If the object uploader needs to retain access to it, bucket owners will need to grant additional permissions to the uploading account.
“Keep in mind that this feature does not change the ownership of existing objects. Also, note that you will now own more S3 objects than before, which may cause changes to the numbers you see in your reports and other metrics,” Barr added.
Bucket Owner Condition
Bucket Owner Condition allows bucket owners to confirm the ownership when they create a new object or perform other S3 operations.
AWS recommends using Bucket Owner Condition whenever users perform a supported S3 operation and know the account ID of the expected bucket owner.
The feature eliminates the risk of users accidentally interacting with buckets in the wrong AWS account. For example, it prevents situations like applications writing production data into a bucket in a test account.
Copy API via Access Points
S3 Access Points are “unique hostnames that customers create to enforce distinct permissions and network controls for any request made through the access point. Customers with shared data sets […] can easily scale access for hundreds of applications by creating individualized access points with names and permissions customized for each application.”
The feature can now be used together with the S3 CopyObject API, allowing customers to copy data to and from access points within an AWS Region.
Popular mobile messengers expose personal data via discovery services that allow users to find contacts based on phone numbers from their address book, according to researchers.
When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery.
A recent study by a team of researchers from the Secure Software Systems Group at the University of Würzburg and the Cryptography and Privacy Engineering Group at TU Darmstadt shows that currently deployed contact discovery services severely threaten the privacy of billions of users.
Utilizing very few resources, the researchers were able to perform practical crawling attacks on the popular messengers WhatsApp, Signal, and Telegram. The results of the experiments demonstrate that malicious users or hackers can collect sensitive data at a large scale and without noteworthy restrictions by querying contact discovery services for random phone numbers.
Attackers are enabled to build accurate behavior models
For the extensive study, the researchers queried 10% of all US mobile phone numbers for WhatsApp and 100% for Signal. Thereby, they were able to gather personal (meta) data commonly stored in the messengers’ user profiles, including profile pictures, nicknames, status texts and the “last online” time.
The analyzed data also reveals interesting statistics about user behavior. For example, very few users change the default privacy settings, which for most messengers are not privacy-friendly at all.
The researchers found that about 50% of WhatsApp users in the US have a public profile picture and 90% a public “About” text. Interestingly, 40% of Signal users, who can be assumed to be more privacy concerned in general, are also using WhatsApp, and every other one of those Signal users has a public profile picture on WhatsApp.
Tracking such data over time enables attackers to build accurate behavior models. When the data is matched across social networks and public data sources, third parties can also build detailed profiles, for example to scam users.
For Telegram, the researchers found that its contact discovery service exposes sensitive information even about owners of phone numbers who are not registered with the service.
Which information is revealed during contact discovery and can be collected via crawling attacks depends on the service provider and the privacy settings of the user. WhatsApp and Telegram, for example, transmit the user’s entire address book to their servers.
More privacy-concerned messengers like Signal transfer only short cryptographic hash values of phone numbers or rely on trusted hardware. However, the research team shows that with new and optimized attack strategies, the low entropy of phone numbers enables attackers to deduce corresponding phone numbers from cryptographic hashes within milliseconds.
Moreover, since there are no noteworthy restrictions for signing up with messaging services, any third party can create a large number of accounts to crawl the user database of a messenger for information by requesting data for random phone numbers.
“We strongly advise all users of messenger apps to revisit their privacy settings. This is currently the most effective protection against our investigated crawling attacks,” agree Prof. Alexandra Dmitrienko (University of Würzburg) and Prof. Thomas Schneider (TU Darmstadt).
Impact of research results: Service providers improve their security measures
The research team reported their findings to the respective service providers. As a result, WhatsApp has improved their protection mechanisms such that large-scale attacks can be detected, and Signal has reduced the number of possible queries to complicate crawling.
The researchers also proposed many other mitigation techniques, including a new contact discovery method that could be adopted to further reduce the efficiency of attacks without negatively impacting usability.
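The query-limiting idea described above can be sketched as follows. This is an added example, not code from the researchers or from any messenger: the class, its parameters and the phone numbers are constructed, and the assumption is that a server charges an account only for numbers it has not synced before, so re-uploading an existing address book stays free while bulk submission of fresh numbers is throttled and flagged.

```python
from dataclasses import dataclass, field


@dataclass
class AccountState:
    tokens: float                 # remaining budget for never-before-seen numbers
    last_sync_h: float            # time of the previous sync, in hours
    known: set = field(default_factory=set)   # numbers this account already synced
    denied: int = 0               # unseen numbers refused so far


class NewContactBudget:
    """Token bucket that charges only for numbers an account has not synced before.

    All parameter values are illustrative assumptions, not figures from the study.
    """

    def __init__(self, capacity=500, refill_per_hour=5.0, flag_after=1000):
        self.capacity = capacity
        self.refill_per_hour = refill_per_hour
        self.flag_after = flag_after          # denied-number count that flags an account
        self.accounts = {}

    def sync(self, account, now_h, numbers):
        st = self.accounts.setdefault(
            account, AccountState(float(self.capacity), now_h))
        # Refill for the time elapsed since the last sync, capped at capacity.
        elapsed = now_h - st.last_sync_h
        st.tokens = min(self.capacity, st.tokens + elapsed * self.refill_per_hour)
        st.last_sync_h = now_h

        unique = list(dict.fromkeys(numbers))            # de-duplicate, keep order
        repeat = [n for n in unique if n in st.known]    # free: already synced
        fresh = [n for n in unique if n not in st.known]
        allowed = fresh[: int(st.tokens)]                # one token per new number
        st.tokens -= len(allowed)
        st.known.update(allowed)
        refused = len(fresh) - len(allowed)
        st.denied += refused
        return {
            "answered": len(repeat) + len(allowed),
            "denied": refused,
            "flagged": st.denied >= self.flag_after,
        }


def simulate():
    """Run one ordinary user and one bulk-querying account (constructed data)."""
    limiter = NewContactBudget()

    # Ordinary user: 200 contacts, one new contact per day, daily re-sync for a week.
    book = [f"+1555900{n:04d}" for n in range(200)]
    user_denied = 0
    for day in range(7):
        book.append(f"+1555901{day:04d}")
        user_denied += limiter.sync("user-a", day * 24.0, book)["denied"]

    # Bulk account: 1,000 previously unseen numbers every hour for a day.
    offered = answered = 0
    flagged_at = None
    for hour in range(24):
        batch = [f"+1555{hour:03d}{n:04d}" for n in range(1000)]
        result = limiter.sync("acct-x", float(hour), batch)
        offered += len(batch)
        answered += result["answered"]
        if result["flagged"] and flagged_at is None:
            flagged_at = hour
    return {
        "user_denied": user_denied,
        "crawler_offered": offered,
        "crawler_answered": answered,
        "crawler_flagged_at_hour": flagged_at,
    }


if __name__ == "__main__":
    print(simulate())
```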
Compliance is probably one of the dullest topics in cybersecurity. Let’s be honest, there’s nothing to get excited about because most people view it as a tick-box exercise. It doesn’t matter which compliance regulation you talk about – they all get a collective groan from companies whenever you start talking about it.
The thing is, compliance requirements are often poorly written, vague and confusing. In my opinion, the confusion around compliance comes from the writing, so it’s no surprise companies are struggling, especially when they have to comply with multiple requirements simultaneously.
Poor writing is smothering compliance regulations
Take ISO 27001 as an example. Its goal is to improve a business’ information security management and its process has six parts, which include commands like “conduct a risk assessment”, “define a security policy” and “manage identified risks”. The requirements for each of these commands are extremely vague and needlessly subjective.
The Sarbanes-Oxley Act (SOX), which covers all businesses in the United States, is no better. Section 404 vaguely says that all publicly traded organizations have to demonstrate “due diligence” in the disclosure of financial information, but then it does not explain what “due diligence” means.
The Gramm-Leach-Bliley Act (GLBA) requires US financial institutions to explain information-sharing practices to their customers. It says financial organizations have to “develop a written information security plan”, but then doesn’t offer any advice on how to achieve that.
Even Lexcel (an accreditation indicating quality in relation to legal practice management standards) in the United Kingdom, which is written by lawyers for lawyers, is not clear: “Practices must have an information management policy with procedures for the protection and security of the information assets.”
For a profession that prides itself on being able to maintain absolute clarity, I’m surprised Lexcel allows this type of subjectivity in its compliance requirements.
It’s not easy to write for such a wide audience
Look, I understand. It’s a pretty tricky job to write compliance requirements. It needs to be applicable to all organizations within a particular field, each of which will have their differences in the way they conduct business and how they’ve set up their technological infrastructure.
Furthermore, writers are working against the clock with compliance requirements. IT regulations are changing at such a quick pace that the requirements they write today might be out of date tomorrow.
However, I think those who write requirements should take the Payment Card Industry Data Security Standard (PCI DSS) as an example. The PCI DSS applies to all organizations that store cardholder data and the requirements are clear, regularly updated, and you can find everything you need in one place.
The way PCI DSS compliance is structured (in terms of requirement, testing procedures and guidance) is a lot clearer than anything else I’ve seen. It contains very little room for subjectivity, and you know exactly where you stand with it.
The GDPR is also pretty well written and detailed. The many articles referring to data protection are specific, understandable and implementable.
For example, when it comes to data access, this sentence is perfectly clear: “Unauthorized access also includes accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data transmitted, stored or otherwise processed” (Articles 4, 5, 23 and 32).
It’s also very clear when it comes to auditing processes: “You need to maintain a record of data processing activities, including information on ‘recipients to whom the personal data have been or will be disclosed’, i.e. whom has access to data” (Articles 5, 28, 30, 39, 47).
So, while you’re faced with many compliance requirements, you need to have a good strategy in place. However, it can get complex when you’re trying to comply with multiple mandates. If I can give you one tip, it is to find the commonalities between all of them, before coming up with a solution.
You need to do the basics right
In my opinion, the confusing nature of compliance only spawns the relentless bombardment of marketing material from vendors on “how you can be compliant with X” or the “top five things you need to know about Y”.
You have to understand that at the core of any compliance mandate is the desire to keep protected data secure, only allowing access to those who need it for business reasons. This is why all you need to do with compliance is to start with the basics: data storage, file auditing and access management. Get those right, and you’re on your way to demonstrating your willingness to comply.
The survey, focused on changes in IT spending in the wake of the coronavirus pandemic, reveals that cybersecurity is IT leaders’ top focus for the rest of the year—and half of those surveyed are increasing their budgets to support their goals.
The pandemic has upended most businesses’ 2020 plans, with 70% of CIOs reporting their long-term priorities have shifted since the start of the year. Now, 89% said they’re focused on cybersecurity, while 82% are working on remote enablement.
Their goals reflect these new priorities: 86% said they’re aiming to improve security standards across their environment, while 80% are making their tech stack more flexible for remote and on-premise users. In addition, 75% said they were hoping to keep their IT infrastructure and tool stack up to date.
CIOs expect their budgets to increase in 2020
While budgets are tight for half the respondents, who don’t expect an increase in spending, the other half of CIOs expect their budgets to increase in 2020 to reflect shifts in IT. Some 33% anticipated a 5% increase, 13% foresaw a 5-10% increase, and 9% expected an increase greater than 10%.
To achieve their security and remote enablement goals, 43% of CIOs are investing in IAM, ahead of endpoint security (34%) and security awareness training (17%).
“Prioritizing IAM makes sense. CIOs have been waking up to the fact that most hackers don’t break down the gate—they just unlock it because they already have the keys,” said Kevin Nix, CEO at Hitachi ID.
“Bad actors have been focused on stolen credentials, phishing attacks, and social engineering, especially since the pandemic forced so many employees to work remotely. We’ve seen a new urgency among companies looking for IAM solutions. Last year, businesses might plan to adopt IAM over a year or two. Now they need it next quarter.”
- 67% of CIOs say they’re more willing to invest in emerging technologies
- 88% of respondents at companies with 500-1000 employees were planning to invest in emerging technology, the most of any size category. Just 45% of those at companies with 5,000 to 10,000 employees said the same, the lowest of any category.
- 87% would consider emerging security technology in 2020, while 71% would consider emerging AI and machine learning technology
Twilio has confirmed that, for 8 or so hours on July 19, a malicious version of their TaskRouter JS SDK was being served from one of their AWS S3 buckets.
“Due to a misconfiguration in the S3 bucket that was hosting the library, a bad actor was able to inject code that made the user’s browser load an extraneous URL that has been associated with the Magecart group of attacks,” the company shared.
Who’s behind the attack?
Twilio is a cloud communications platform as a service (CPaaS) company, which provides web service APIs developers can use to add messaging, voice, and video in their web and mobile applications.
“The TaskRouter JS SDK is a library that allows customers to easily interact with Twilio TaskRouter, which provides an attribute-based routing engine that routes tasks to agents or processes,” Twilio explained.
The misconfigured AWS S3 bucket, which is used to serve public content from the domain twiliocdn.com, hosts copies of other SDKs, but only the TaskRouter SDK had been modified.
The misconfiguration allowed anybody on the Internet to read and write to the S3 bucket, and the opportunity was seized by the attacker(s).
“We do not believe this was an attack targeted at Twilio or any of our customers,” the company opined.
Jordan Herman, Threat Researcher at RiskIQ, which detailed previous threat campaigns that used the same malicious traffic redirector, told Help Net Security that because of how easy misconfigured Amazon S3 buckets are to find and the level of access they grant attackers, they are seeing attacks like this happening at an alarming rate.
Om Moolchandani, co-founder and CTO at code to cloud security company Accurics, noted that there are many similarities between waterhole attacks and the Twilio incident.
“Taking over a cloud hosted SDK allows attackers to ‘cloud waterhole’ into the victim environments by landing directly into the operation space of victims,” he said.
Due to this incident, Twilio checked the permissions on all of their AWS S3 buckets and found others that were misconfigured, but they stored no production or customer data and haven’t been tampered with.
“During our incident review, we identified a number of systemic improvements that we can make to prevent similar issues from occurring in the future. Specifically, our teams will be engaging in efforts to restrict direct access to S3 buckets and deliver content only via our known CDNs, improve our monitoring of S3 bucket policy changes to quickly detect unsafe access policies, and determine the best way for us to provide integrity checking so customers can validate that they are using known good versions of our SDKs,” the company shared.
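A check of the kind described above, written as an added example (it is not Twilio's tooling): it flags anonymous read and write grants in an S3 bucket policy and in a bucket ACL, covering both because the page does not say which mechanism was misconfigured. The sample policy, ACL, bucket name and account ID are constructed placeholders.

```python
import fnmatch

# Actions that change bucket contents or its access controls, and read actions.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy")
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
# Predefined S3 ACL groups that extend a grant beyond named accounts.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for "Principal": "*" and for {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _covered(patterns, actions):
    """Concrete actions matched by the statement's patterns ("s3:*", "s3:Put*")."""
    return sorted(a for a in actions
                  if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns))


def audit_policy(policy):
    """Flag Allow statements that grant read or write to an anonymous principal.

    Simplification: Deny statements, NotPrincipal/NotAction and account-level
    Block Public Access are not evaluated; a Condition is reported, not judged.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action"))
        write = _covered(patterns, WRITE_ACTIONS)
        read = _covered(patterns, READ_ACTIONS)
        if write or read:
            findings.append({
                "source": "policy",
                "id": stmt.get("Sid", "(no Sid)"),
                "severity": "public-write" if write else "public-read",
                "actions": write + read,
                "conditional": bool(stmt.get("Condition")),
            })
    return findings


def audit_acl(acl):
    """Flag ACL grants made to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group:
            perm = grant.get("Permission")
            findings.append({
                "source": "acl",
                "id": group,
                "severity": "public-write" if perm in ACL_WRITE else "public-read",
                "actions": [perm],
                "conditional": False,
            })
    return findings


# Constructed sample input (not Twilio's configuration); names are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CdnRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
        {"Sid": "LegacyUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
        {"Sid": "Publisher", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/publisher"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-sdk-bucket/*"},
    ],
}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY) + audit_acl(SAMPLE_ACL):
        print(f"{f['severity']:12} {f['source']:6} {f['id']:18} {', '.join(f['actions'])}")
```

Run against every policy or ACL change, any `public-write` finding is the condition the incident turned on; `public-read` may be intended for a CDN origin but is worth confirming bucket by bucket.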
They say it’s difficult to gauge the impact of the attack on individual users, since the “links used in these attacks are deprecated and rotated and since the script itself doesn’t execute on all platforms.”
The company urges those who have downloaded a copy of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00) to re-download it, check its integrity and replace it.
“If your application loads v1.20 of the TaskRouter JS SDK dynamically from our CDN, that software has already been updated and you do not need to do anything,” they pointed out.
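One way a customer can do the integrity checking mentioned above is to pin a Subresource Integrity hash of a known-good copy and compare every later copy against it. The following is an added example, not Twilio's mechanism; the SDK bytes, the tampered copy and the URL are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Hash algorithms defined for Subresource Integrity, weakest to strongest.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_digest(content: bytes, alg: str = "sha384") -> str:
    """Return the integrity value "<alg>-<base64 digest>" for the exact bytes served."""
    if alg not in _STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str):
    """Split an integrity attribute into (alg, base64) pairs, dropping unknown algorithms."""
    entries = []
    for token in attr.split():
        alg, sep, value = token.partition("-")
        value = value.split("?", 1)[0]  # options after "?" are ignored
        if sep and alg in _STRENGTH and value:
            entries.append((alg, value))
    return entries


def verify(content: bytes, attr: str) -> bool:
    """Check content against the strongest algorithm listed, as a browser does.

    Unlike a browser, which loads the resource when no usable hash is listed,
    this fails closed, because it is meant for a build or deploy gate.
    """
    entries = parse_integrity(attr)
    if not entries:
        return False
    strongest = max((alg for alg, _ in entries), key=_STRENGTH.__getitem__)
    for alg, value in entries:
        if alg != strongest:
            continue
        expected = sri_digest(content, alg).split("-", 1)[1]
        if hmac.compare_digest(expected.encode(), value.encode()):
            return True
    return False


def script_tag(url: str, content: bytes) -> str:
    """Render a <script> element pinned to these exact bytes."""
    return (f'<script src="{url}" integrity="{sri_digest(content)}" '
            'crossorigin="anonymous"></script>')


# Constructed stand-ins for a vendor SDK build and a modified copy of it.
GOOD_SDK = (b"/* constructed stand-in for a vendor SDK build */\n"
            b"function route(task) { return task.queue; }\n")
TAMPERED_SDK = GOOD_SDK + b"/* constructed: line appended after publication */\n"

if __name__ == "__main__":
    pinned = sri_digest(GOOD_SDK)
    print(script_tag("https://cdn.example/sdk.min.js", GOOD_SDK))
    print("known-good copy verifies:", verify(GOOD_SDK, pinned))
    print("modified copy verifies:  ", verify(TAMPERED_SDK, pinned))
```

Pinning only works when the hash is taken from a copy obtained out of band or before the exposure window; a hash computed from the copy currently on the CDN proves nothing about that copy.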
70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos.
Organizations running multi-cloud environments are greater than 50% more likely to suffer a cloud security incident than those running a single cloud.
Europeans suffered the lowest percentage of security incidents in the cloud, an indicator that compliance with GDPR guidelines is helping to protect organizations from being compromised. India, on the other hand, fared the worst, with 93% of organizations being hit by an attack in the last year.
“Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public cloud. The most successful ransomware attacks include data in the public cloud, according to the State of Ransomware 2020 report, and attackers are shifting their methods to target cloud environments that cripple necessary infrastructure and increase the likelihood of payment,” said Chester Wisniewski, principal research scientist, Sophos.
“The recent increase in remote working provides extra motivation to disable cloud infrastructure that is being relied on more than ever, so it’s worrisome that many organizations still don’t understand their responsibility in securing cloud data and workloads. Cloud security is a shared responsibility, and organizations need to carefully manage and monitor cloud environments in order to stay one step ahead of determined attackers.”
The unintentional open door: How attackers break in
Accidental exposure continues to plague organizations, with misconfigurations exploited in 66% of reported attacks. Misconfigurations drive the majority of incidents and are all too common given cloud management complexities.
Additionally, 33% of organizations report that cybercriminals gained access through stolen cloud provider account credentials. Despite this, only a quarter of organizations say managing access to cloud accounts is a top area of concern.
Data further reveals that 91% of accounts have overprivileged identity and access management roles, and 98% have multi-factor authentication disabled on their cloud provider accounts.
Public cloud security incident: The silver lining
96% of respondents admit to concern about their current level of cloud security, an encouraging sign that it’s top of mind and important.
Appropriately, “data leaks” top the list of security concerns for nearly half of respondents (44%); identifying and responding to security incidents is a close second (41%). Notwithstanding this silver lining, only one in four respondents view lack of staff expertise as a top concern.
More and more companies, self-employed and private customers are using Boxcryptor to protect sensitive data – primarily in the cloud. Boxcryptor ensures that nobody but authorized persons have access to the data. Cloud providers and their staff, as well as potential hackers are reliably excluded. The audit verified whether this protection is guaranteed.
During the audit, Kudelski was given access to the source code of Boxcryptor for Windows and to the internal documentation.
“All these components were logically correct and did not show any significant weakness under scrutiny. It is important to note that the codebase we audited was not showing any signs of malicious intent.”
The goal of the audit
The goal of the audit was to give all interested parties an indirect insight into the software so that they can be sure that no backdoors or security holes are found in the code.
Robert Freudenreich, CTO of Boxcryptor, about the benefits of an audit: “For private users, Boxcryptor is a means of digital self-defense against curious third parties, for companies and organizations a way to achieve true GDPR compliance and complete control over business data. With software that is so security relevant, it is understandable that users want to be sure that the software is flawless.”
The audit process started at the beginning of May with short communication lines to the developers and managers in the Boxcryptor team. If Kudelski had found a serious security vulnerability, they would not have held it back until the final report, but would have reported the problem immediately.
A problem rated as “medium”
The problem rated as medium is a part of the code that affects the connection to cloud providers using the WebDAV protocol. Theoretically, the operators of such cloud storage providers could have tried to inject code into Boxcryptor for Windows.
In practice, however, this code was never used by Boxcryptor, so there was no danger for Boxcryptor users at any time. In response to the audit, this redundant part of the code was removed.
Two problems classified as “low” and further observations
One problem classified as low concerns the user password: to protect users with insecure passwords, it was suggested that passwords be hashed even more frequently and that the minimum password length be increased, which we implemented immediately.
The second problem classified as low was theoretical and concerned the reading of the Boxcryptor configuration.
IT and application development professionals tend to exhibit risky behaviors when organizations impose strict IT policies, according to SSH.
Polling 625 IT and application development professionals across the United States, United Kingdom, France, and Germany, the survey verified that hybrid IT is on the rise and shows no signs of slowing down.
Fifty-six percent of respondents described their IT environment as hybrid cloud, an increase from 41 percent a year ago. On average, companies are actively using two cloud service vendors at a time.
While hybrid cloud offers a range of strategic benefits related to cost, performance, security, and productivity, it also introduces the challenge of managing more cloud access.
Cloud access solutions slowing down work
The survey found that cloud access solutions, including privileged access management software, slow down daily work for 71 percent of respondents. The biggest speed bumps were cited as configuring access (34 percent), repeatedly logging in and out (30 percent), and granting access to other users (29 percent).
These hurdles often drive users to seek risky workarounds, with 52 percent of respondents claiming they would “definitely” or at least “consider” bypassing secure access controls if they were under pressure to meet a deadline.
85 percent of respondents also share account credentials with others out of convenience, even though 70 percent understand the risks of doing so. These risks are further exacerbated when considering that 60 percent of respondents use unsecure methods to store their credentials and passwords, including in email, in non-encrypted files or folders, and on paper.
“As businesses grow their cloud environments, secure access to the cloud will continue to be paramount. But when access controls lead to a productivity trade-off, as this research has shown, IT admins and developers are likely to bypass security entirely, opening the organization up to even greater cyber risk,” said Jussi Mononen, chief commercial officer at SSH.
“For privileged access management to be effective, it needs to be fast and convenient, without adding operational obstacles. It needs to be effortless.”
Orgs using public internet networks
In addition to exposing the risky behaviors of many IT and application development professionals when accessing the cloud, the survey also revealed some unwitting security gaps in organizations’ access management policies. For example, more than 40 percent of respondents use public internet networks – inherently less secure than private networks – to access internal IT resources.
Third-party access was also found to be a risk point, with 29 percent of respondents stating that outside contractors are given permanent access credentials to the business’ IT environment.
Permanent credentials are fundamentally risky as they provide widespread access beyond the task at hand, and can be forgotten, stolen, mismanaged, misconfigured, or lost.
Mononen continued, “When it comes to access management, simpler is safer. Methods like single sign-on can streamline the user experience significantly, by creating fewer logins and fewer entry points that reduce the forming of bad IT habits.
“There is also power in eliminating permanent access credentials entirely, using ephemeral certificates that unlock temporary ‘just-in-time’ access to IT resources, only for time needed before access automatically expires. Ultimately, reducing the capacity for human error comes down to designing security solutions that put the user first and cut out unnecessary complexity.”
IAM priorities differ by industry vertical, and a one-size-fits-all approach to IAM doesn’t work when every industry and business within that industry is unique, according to LastPass and Vanson Bourne.
Each industry vertical has unique business needs, and as a result has different areas of focus when it comes to their IAM program.
Finance focused on reducing risk, while integrating IAM infrastructure
Financial service organizations deal with higher stakes than most verticals, which inevitably impacts how they manage employee access and authentication.
35 percent of IT professionals in this industry say hackers have gained access to their organizations in the past, which is not surprising given financial institutions experience the highest cybercrime costs out of all verticals at an average of $18.3 million per year.
According to the report, 70 percent of IT professionals in the finance industry say that reducing risk is a top priority and 65 percent state that integrating security infrastructure is their biggest area for improvement.
IT focused on IAM security benefits and prioritizes MFA
As information technology businesses are close to IAM software and managing customers’ data, it’s clear their relationship with technology impacts their IAM strategy. 77 percent in this industry say securing data is their top priority, while improving identity and access management is less of a focus with 61 percent noting that as a priority.
28 percent of IT and security professionals in this industry said they are planning to invest in multi-factor authentication (MFA) solutions which will help address their security challenges because MFA helps ensure only the right employees are able to access sensitive data.
Media needs a secure, automated way to manage user access
Mass communication companies work with an array of external consultants to execute their programs, which leads to a wide array of users, both internal and external, accessing business resources, which complicates IAM.
34 percent of IT professionals in this industry say managing user access is important to their organization, compared to the overall average of all industries (9 percent). 44 percent say end users are demanding an easier to use solution and 49 percent say automating IAM processes is an area for improvement.
“Finance is focused on reducing risk and integrations, IT is prioritizing the security components of IAM, whereas media is focused on improving employee productivity,” said John Bennett, General Manager, Identity and Access Management Business Unit at LogMeIn.
“It’s clear that flexibility, breadth of functionality and ease of use are critical so businesses can customize their IAM strategy in alignment with their business objectives. Organizations need to evaluate what their business needs are and build their IAM strategy based on those requirements.”
Nearly 80% of the companies had experienced at least one cloud data breach in the past 18 months, and 43% reported 10 or more breaches, a new Ermetic survey reveals.
According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments.
Meanwhile, 80% reported they are unable to identify excessive access to sensitive data in IaaS/PaaS environments. Only hacking ranked higher than misconfiguration errors as a source of data breaches.
“Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments,” said Shai Morag, CEO of Ermetic.
“In fact, two thirds cited cloud native capabilities for authorization and permission management, and security configuration as either a high or an essential priority.”
Excessive access permissions may go unnoticed
Driven by the dynamic and on-demand nature of public cloud infrastructure deployments, users and applications often accumulate access permissions beyond what is necessary for their legitimate needs.
Excessive permissions may go unnoticed as they are often granted by default when a new resource or service is added to the cloud environment. These are a primary target for attackers as they can be used for malicious activities such as stealing sensitive data, delivering malware or causing damage such as disrupting critical processes and business operations.
As part of the study, IDC surveyed 300 senior IT decision makers in the US across the Banking (12%), Insurance (10%), Healthcare (11%), Government (8%), Utilities (9%), Manufacturing (10%), Retail (9%), Media (11%), Software (10%) and Pharmaceutical (10%) sectors. Organizations ranged in size from 1,500 to more than 20,000 employees.
Some of the report’s key findings include:
- 79% of companies experienced at least one cloud data breach in the past 18 months, and 43% said they had 10 or more
- Top three cloud security threats are security misconfiguration of production environments (67%), lack of visibility into access in production environments (64%) and improper IAM and permission configurations (61%)
- Top three cloud security priorities are compliance monitoring (78%), authorization and permission management (75%), and security configuration management (73%)
- Top cloud access security priorities are maintaining confidentiality of sensitive data (67%), regulatory compliance (61%) and providing the right level of access (53%)
- Top cloud access security challenges are insufficient personnel/expertise (66%), integrating disparate security solutions (52%) and lack of solutions that can meet their needs (39%)
Currently, organizations are struggling to adjust to the new normal amidst the COVID-19 pandemic, a Bitglass survey reveals. 41% have not taken any steps to expand secure access for the remote workforce, and 50% are citing proper equipment as the biggest impediment to doing so. Consequently, 65% of organizations now enable personal devices to access managed applications.
Remote work and secure access concerns
When asked what their organizations are primarily concerned with securing while employees …
The post 41% of organizations have not taken any steps to expand secure access for the remote workforce appeared first on Help Net Security.
Nearly a third (29%) of organizations in Europe and the Middle East still see usernames and passwords as one of the most effective means to protect access to their IT infrastructure, two years after the inventor of the complex static password admitted they don’t work, according to Thales.
In fact, 67% of respondents indicate that their organizations plan to expand their use of usernames and passwords in the future. This continued reliance on outdated security comes despite IT leaders revealing it is increasingly easier (48%) to sell the need for security to their boards compared to last year (29%).
Surveying 400 IT decision-makers across Europe and the Middle East, the research found that 57% of IT professionals revealed that unprotected infrastructure is one of the biggest targets for cyber-attacks. Therefore any organization utilizing it, as a result of business pressure driving it to adopt digital transformation technologies, is likely to be putting itself at a higher level of risk.
Solving the security vs. convenience conundrum
With the global pandemic causing many companies to work from home, IT departments are battling to provide employees with both security and convenience. In fact, over two-thirds (67%) of European IT leaders say their security teams feel under pressure to provide convenient access to applications and cloud services for users, but still maintain security – an indication they’re struggling to balance their digital transformation and security priorities.
To this end, 96% believe that strong authentication and access management solutions can facilitate secure cloud adoption. 76% also revealed employee authentication needs to be able to support secure access to a broad range of services including VPNs and cloud applications.
Making small improvements
While some organizations still rely on legacy authentication methods like usernames and passwords, growing awareness of the threats is prompting action with almost all (94%) organizations having changed their security policies around access management in the last 12 months.
Staff training on security and access management (47%), increasing spend on access management (43%), and access management becoming a board priority (37%), have all seen an increased focus.
This is set to pay off in compliance terms too, with nearly all (98%) European respondents admitting controlling who has access to their company’s data. This will help them meet data regulation requirements like GDPR.
“As more and more businesses move to adopt cloud-based services for CRM, email, employee collaboration and IT infrastructure as part of their digital transformation strategies, the struggle to extend old solutions, designed to protect internal resources, to the outside world becomes very problematic.
“Often, in an effort to adapt to the new working habits of users connecting from anywhere, which is increasingly pertinent right now and will become standard moving forward, businesses tend to revert back to old password-based logins for cloud services in despair. This is knowingly increasing their security exposure to credential stuffing and phishing attacks,” said Francois Lasnier, Vice President for Access Management solutions at Thales.
Usernames and passwords: Two steps forward, one step back
Looking ahead, some IT leaders are set to potentially use their influence at board level more wisely, with investment in the use of more secure methods such as biometric authentication (75%) and smart SSO (81%) set to increase in the next year.
However, two-thirds (67%) still plan to expand their use of usernames and passwords, which is a similar size to those intending to further utilize passwordless authentication methods (70%).
“For a long time, the biggest battle IT leaders have faced is increasing board awareness around taking the threat of security seriously,” Lasnier continued.
“Now that they have that buy in, the focus should be on highlighting the importance access management plays in implementing a zero trust security policy to their executive management. With this in place, risk management professionals will be able to put in place a ‘Protect Everywhere – Trust Nobody’ approach as they expand in the cloud.”
Google has made available BeyondCorp Remote Access, a cloud-based, zero trust service that allows employees, contractors and partners to securely access specific corporate resources from untrusted networks without having to use the company’s VPN.
The goal is to help companies with a suddenly massive remote workforce avoid overburdening their VPN infrastructure.
About BeyondCorp Remote Access
BeyondCorp Remote Access is a subscription-based service that is available through Google Cloud.
“This cloud solution — based on the zero trust approach we’ve used internally for almost a decade — lets your employees and extended workforce access internal web apps from virtually any device, anywhere, without a traditional remote-access VPN,” Google Cloud honchos Sunil Potti and Sampath Srinivas explained.
“Over time, we plan to offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”
Access to web apps and services is granted (or not) based on user identity, device identity, device security, location, and other metadata and signals collected through the browser or an endpoint agent that is installed on the user’s device (if the customer mandates it).
The web apps that can be accessed through the service can be hosted on Google Cloud, on other clouds, or on the customer’s premises. Enterprise admins can configure access policies for each app.
“For example, you can enforce a policy that says: ‘My contract HR recruiters working from home on their own laptops can access our web-based document management system (and nothing else), but only if they are using the latest version of the OS, and are using phishing-resistant authentication like security keys.’ Or: ‘My timecard application should be safely available to all hourly employees on any device, anywhere,’” the duo explained.
The company’s long term plan is to “offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”
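The two policies quoted above, expressed as a default-deny, per-app access check. This is an added illustration and not Google's API or configuration format; the `Request` and `Rule` types, group and app names, and the OS version table are all hypothetical.

```python
from dataclasses import dataclass

# Constructed values: the newest OS release the organisation accepts per platform.
LATEST_OS = {"macos": (10, 15, 4), "windows": (10, 0, 19041)}
# Authentication methods treated as phishing-resistant (hypothetical labels).
PHISHING_RESISTANT = {"security_key"}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    app: str
    platform: str
    os_version: str
    auth_method: str
    managed_device: bool


@dataclass(frozen=True)
class Rule:
    app: str
    group: str
    require_latest_os: bool = False
    require_phishing_resistant: bool = False
    require_managed_device: bool = False


def _version(text):
    """Parse "10.15.4" into (10, 15, 4); None if the device reported garbage."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def evaluate(request, rules):
    """Return (allowed, reason). A request that matches no rule is denied."""
    reasons = []
    for rule in rules:
        if rule.app != request.app or rule.group not in request.groups:
            continue
        failed = []
        if rule.require_managed_device and not request.managed_device:
            failed.append("device is not managed")
        if rule.require_latest_os:
            latest = LATEST_OS.get(request.platform)
            current = _version(request.os_version)
            if latest is None or current is None or current < latest:
                failed.append("OS is not at the latest version")
        if rule.require_phishing_resistant and request.auth_method not in PHISHING_RESISTANT:
            failed.append("authentication is not phishing-resistant")
        if not failed:
            return True, f"allowed: {rule.group} -> {rule.app}"
        reasons.extend(failed)
    if reasons:
        return False, "denied: " + "; ".join(reasons)
    return False, "denied: no rule grants this user access to this app"


# The two quoted policies. Recruiters get the document system "and nothing else"
# because no other rule names their group; the timecard rule sets no device conditions.
RULES = [
    Rule(app="docs", group="contract-hr-recruiters",
         require_latest_os=True, require_phishing_resistant=True),
    Rule(app="timecard", group="hourly-employees"),
]

if __name__ == "__main__":
    recruiter = Request("r.example", frozenset({"contract-hr-recruiters"}),
                        "docs", "macos", "10.15.4", "password", False)
    print(evaluate(recruiter, RULES))
```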
The report provides practical recommendations from information security executives based on their first-hand experiences. They share key recommendations for how organizations can securely adopt RPA while mitigating potential risks, including:
- Limiting access for reprogramming robots – Reduce the risk that comes with RPA permissions – like the ability to reprogram robots – by securely managing credentials to RPA tools and training RPA teams on secure software development practices.
- Automating credential management – Successful RPA deployments require automated credential management, including machine-generated passwords, automatic password rotation, identity verifications and just-in-time or time-limited credential access.
- Establishing robust processes for monitoring RPA activity – Rapidly detect and respond to unauthorized or anomalous robot behavior by assigning human managers, enforcing least privilege and making actions traceable.
Conceptual overview of an RPA tool
“From finance and HR to manufacturing, organizations are rapidly adopting RPA to drive new efficiencies for their business and deliver innovative services to customers,” said Marianne Budnik, CMO, CyberArk.
IT executives have rising SaaS security fears, and worry about cloud security, proprietary data encryption, as well as the loss of independent control due to access limitations, according to Archive360.
SaaS security fears
The research surveyed more than 100 enterprise IT executives worldwide, to identify the leading security challenges they face with their SaaS vendors.
Overall, those surveyed said they are troubled by the current level of security and accountability provided by their SaaS vendors. Nearly two-thirds are so concerned that they intend to retire applications that do not provide the level of security control they want.
Further, nearly all executives surveyed stressed the importance of maintaining ownership of their own encryption keys. Yet in third-party SaaS private cloud deployments, the SaaS vendor (not the enterprise) maintains access to and ownership over encryption keys. In fact, only 26 percent of those surveyed stated that they have control of their encryption keys, and 74 percent stated that control is maintained entirely by their SaaS vendors.
This risk is compounded by the fact that many vendors often use the same encryption keys for multiple customers. When companies unlock data for one customer using keys that also protect other customers’ archives, they are exposing other tenants’ data to potential risk.
As one Director of IT at a large U.S.-based manufacturing company commented, “I’ve seen too many strong companies go out of business, and have also audited our vendors and seen great vendors fall out of compliance. Having them in control is just one more additive risk.”
Encryption key ownership and access worries
When asked about their top worries when it comes to encryption key ownership and access, IT executives listed the following:
- Loss of independent control of data security.
- Concern of my privacy.
- Past history of compromises.
- Trust for data breach and confidentiality of data.
- Potential conflict with my company’s standards.
- Without internal controls, you do not know where the information goes.
“In light of the widespread threats of increasingly sophisticated malicious cyber groups, and corporate risk relating to global data privacy laws, IT teams are under immense pressure to plug any holes in their security practices and mitigate all vulnerabilities,” said Tibi Popp, CTO at Archive360.
“The positive news is that our survey shows that IT executives not only understand the importance of security as it relates to today’s SaaS applications, but that they are taking swift and necessary steps to protect their enterprises by retiring these applications as quickly as possible.”
- Nearly all executives surveyed (92 percent) believe they will require SaaS vendors to provide more tailored and flexible security options in the future.
- Only 19 percent of respondents said 75 percent or more of their SaaS vendors meet all of their security requirements.
- Seventy percent of companies said they have made at least one security exception for a SaaS vendor.
The majority of companies have experienced a five-fold increase in the number of workforce identities, which are being driven primarily by mobile and cloud technology. Encouragingly, one-hundred percent of IT security stakeholders report that a lack of strong IAM practices introduces security risk, an IDSA survey reveals.
Strong IAM practices
Security leadership also cares “much more” about IAM now than ever before, with importance anticipated to continue to increase over the next five years. Despite growth, and an apparent understanding of risk, only half of IT security professionals state that the security team has any level of ownership for workforce IAM. What’s more, less than one in four IT security professionals say their teams have “excellent” awareness of their company’s identity strategy.
“With the majority of today’s breaches tied to compromised credentials and the number of credentials skyrocketing, IAM is a critical and complex issue that spans many organizational teams, requiring a strategy around people, processes and technology,” said Julie Smith, executive director of the IDSA.
“The findings highlight that addressing identity security through integrated technologies is only one piece of the puzzle. Without collaboration amongst all stakeholders and a clear understanding of responsibilities and handoff points, identity incurs greater risk.”
“As businesses embrace new technologies and expand their workforce, the reality of managing identities is seemingly growing more complex by the day. Awareness of the impact IAM has on security posture has grown as well, as an increasing number of data breaches are tied to stolen identities,” said Den Jones, director of enterprise security for Adobe.
“However, as the data shows, IAM efforts face several organizational challenges as companies grapple with who should take the lead. With the number of identities growing, organizations of all sizes should examine how identity management fits into their security strategy, and eliminate any silos between teams that increase risk or slow the pace of the digital transformation of the business.”
Modern technologies are driving explosive growth of identities
- 52% say that identities have grown more than five-fold in the past 10 years
- The increase in identities is driven primarily by technology changes, such as mobile devices (76%)
- Other identity growth factors include a mix of more employees (57%), connected employees (66%), enterprise connected devices (60%), and cloud applications (59%)
Identities are increasingly important to corporate security
- 100% report a lack of strong IAM practices introduces security risk
- 92% say security leadership cares more about identity management now than in the past
- Security teams are worried about a range of potential identity-related security incidents, including phishing (83%), social engineering (70%), compromised privileged identities (64%), and more
Identity security efforts lack alignment
- While security is involved in IAM activities (99%), only 24% say their security team has “excellent” awareness of IAM
- A wide range of organizational issues prevent security from engaging with workforce IAM, including lack of alignment of goals (33%), reporting structure (30%), history of security not being involved (30%), and resistance from existing teams (24%)
- Budget ownership issues (40%) are cited as the top reason for not spending more on workforce IAM
Incomplete security ownership for identities has consequences
- Only half (53%) report that security has any level of ownership for workforce IAM
- When security teams have ownership of IAM they have better understanding of identities, are more likely to view IAM leadership as a career opportunity, and face fewer barriers to IAM involvement