December 2019 Patch Tuesday forecast: Make sure to deploy year-end updates

Can you believe another year has passed and we’re approaching the last Patch Tuesday of the year? While I get ready to make another online gift purchase with my credit card, I can’t help but reflect on the security activity over the past twelve months. Some of these hit close to home.

The most broadcast news of the year was the exposure of personal information in over 500 million Facebook accounts. This security incident was the result of servers not properly configured, allowing open public access. This was reported in April and additional accounts were exposed in September. Proper security configuration is definitely a challenge across thousands of servers, but it is THE fundamental security requirement before dealing with software vulnerabilities.

Next up in public view was the compromise of Epic Games’ servers that hosted the wildly popular Fortnite game. This security incident back in January was the result of several software vulnerabilities being exploited, resulting in another situation where personal account information was stolen. It is estimated that the security compromise impacted over 200 million gamers worldwide.

Breaches and data loss were not limited to these two social or consumer sites. Reported breaches included Capital One and First American from the financial industry, LabCorp and Quest Diagnostics from the medical field, and the Federal Emergency Management Agency (FEMA) from the government sector. From the report estimates I’ve seen, there will be an unprecedented 5+ billion records stolen this year.

Getting back to the Patch Tuesday forecast, the big news (maybe the elephant in the room, to use an old phrase) is that next month, January Patch Tuesday, will bring the last free update for Windows 7 and Server 2008/2008 R2. Windows 7 remains a popular operating system; it was only overtaken by Windows 10 in January 2019.

Even with end-of-life approaching, Windows 7 dropped only slowly, from 36% to 28%, in worldwide Microsoft operating system market share over the course of the year. After that final update, a lot of consumer desktops and laptops will go unpatched until they finally stop working and are replaced. Many will be compromised, resulting in stolen personal data, but worse, they will be used to launch further attacks against our corporate systems.

It will be interesting to see how this possible threat plays out in 2020. In the meantime, be aware that Microsoft has released additional guidance on preparing your Windows 7 machines for extended security updates if you continue to subscribe.

This looks like a busy Patch Tuesday coming up, so I am going to trust all of you to configure and update your systems. It’s time to buy those last presents online. Now where did I put that credit card again?

December 2019 Patch Tuesday Forecast

  • Microsoft will provide the usual round of updates, including the monthly rollups and security-only patches for all the operating systems, along with Office, SharePoint Server, and Internet Explorer. Based on their current track record, expect another round of servicing stack updates as well. We may also see a .NET update this month.
  • An update is coming for Acrobat and Reader; Adobe issued a pre-notification that it will release APSB19-55 next week. The most recent Flash security release was on September Patch Tuesday, so we may see a final one to close out the year, but no promises.
  • Chrome 79 is scheduled for release from Google.
  • We may see an ‘Apple Patch Tuesday,’ although they don’t always release on Tuesday, with security updates for macOS, iTunes and/or iCloud for Windows. Keep an eye on these because I suspect Apple wants to wrap up the year with up-to-date, secure software.
  • Mozilla released security updates for Firefox 71, Thunderbird 68.3 and Firefox ESR 68.3 on Monday this week. Anything released next week would be minor bugfixes, but definitely make sure you install these security fixes.

The hidden risks of cryptojacking attacks

For any business, privacy and security are a constant concern. The variety and velocity of attacks seeking to infiltrate corporate systems and steal vital business and customer information seem never-ending. Given the very public repercussions of certain types of breaches, it can be easy for executives and IT professionals to focus attention on only the most notable attacks. However, numerous industry studies have found that a quiet threat, known as cryptojacking, is rising faster than any other type of cyber incident.

Cryptojacking is a breach where malware is installed on a device connected to the internet (anything from a phone, to a gaming console, to an organization’s servers). Once installed, the malware uses the hijacked computing power to “mine” cryptocurrency without the user’s knowledge.

Unlike phishing or ransomware attacks, cryptojacking runs nearly silently in the background of the victim’s device, and as a result the increase in cryptojacking attacks has flown mainly under the radar. Yet, new studies suggest that attacks of this type have more than tripled since 2017, generating concern as these undetected breaches siphon energy, slow down performance of systems and expose victims to additional risk.

The rise of cryptojacking has followed the same upward trajectory as the value of cryptocurrency. Suddenly, digital “cash” is worth actual money and hackers, who usually have to take several steps to generate income from stolen data, have a direct path to cashing in on their exploits. But if all the malware does is sit quietly in the background generating cryptocurrency, is it really much of a danger? In short, yes – for two reasons.

In fundamental terms, cryptojacking attacks are about stealing… in this case energy and system resources. The energy might be minimal (more about that in a moment) but using resources slows the performance of the overall system and actually increases wear and tear on the hardware, reducing its lifespan, resulting in frustration, inefficiency and increased costs.

Much more importantly however, a cryptojacking-compromised system is a flashing warning sign that a vulnerability exists. Often, infiltrating a system to cryptojack involves opening access points that can be easily leveraged to steal other types of data. Cryptojacking not only appropriates valuable computer and energy resources, but also exposes victims to much more blatant and damaging data attacks.

Who is at risk?

Any connected device can be used to mine cryptocurrency. However, the goal of most cryptojacking operations is to hijack enough devices that their processing power can be pooled, creating a much more effective network with which to generate income. This strategy relies on taking small amounts of power from many different machines, which also lessens the chance that a victim will realize they have been hacked, because the power stolen from each machine is minuscule enough to be ignored.

Once the devices are compromised, the attacker networks them together into large cryptojacking networks. These attacks are therefore often focused on large corporations or businesses, where access to many devices is easy and convenient.

Identifying victims

Identifying and flagging cryptojacked devices can be difficult, requiring dedicated time and energy. In many cases, the malware might reside in compromised versions of legitimate software. As a result, security scans are less likely to flag the downloaded application as a threat.

The first clue that something may be amiss at the organization is the sudden slowing of devices or a rise in cross-company complaints about computer performance. If widespread, administrators should look to potential cryptojacking as the possible culprit.
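The symptom described above, machines that are persistently slow across the organization, can be turned into a simple fleet-wide check. The following Python is an added example, not code from the article: it compares each host's recent CPU utilisation with that host's own baseline, flags hosts that are pegged near 100% for almost the entire window (a short legitimate spike such as a compile job is not flagged), and raises a fleet-level alert when the flagged share of hosts is large enough to explain "cross-company complaints". The host names, baseline figures, telemetry samples and thresholds are all constructed for the illustration.

```python
"""Flag hosts whose CPU load is persistently far above their own baseline.

Added illustration with constructed data; the thresholds are assumptions a
defender would tune against real monitoring history.
"""
from collections import Counter, defaultdict
from statistics import mean

# Constructed baseline: each host's typical busy-hour CPU average (percent),
# as learned from a few weeks of normal monitoring data.
BASELINE_CPU = {"ws-01": 12.0, "ws-02": 15.0, "ws-03": 40.0, "srv-01": 35.0}

# Constructed telemetry: (host, minute_index, cpu_pct, top_process).
# ws-01 and ws-02 are pegged by a miner hiding behind an innocuous process
# name; ws-03 has a short legitimate spike (a compile job); srv-01 is normal.
SAMPLES = [
    ("ws-01", 0, 96, "svchost.exe"), ("ws-01", 1, 97, "svchost.exe"),
    ("ws-01", 2, 95, "svchost.exe"), ("ws-01", 3, 98, "svchost.exe"),
    ("ws-01", 4, 96, "svchost.exe"), ("ws-01", 5, 97, "svchost.exe"),
    ("ws-02", 0, 90, "chrome.exe"), ("ws-02", 1, 92, "chrome.exe"),
    ("ws-02", 2, 88, "chrome.exe"), ("ws-02", 3, 91, "chrome.exe"),
    ("ws-02", 4, 93, "chrome.exe"), ("ws-02", 5, 89, "chrome.exe"),
    ("ws-03", 0, 10, "explorer.exe"), ("ws-03", 1, 95, "cl.exe"),
    ("ws-03", 2, 97, "cl.exe"), ("ws-03", 3, 12, "explorer.exe"),
    ("ws-03", 4, 8, "explorer.exe"), ("ws-03", 5, 9, "explorer.exe"),
    ("srv-01", 0, 30, "sqlservr.exe"), ("srv-01", 1, 40, "sqlservr.exe"),
    ("srv-01", 2, 35, "sqlservr.exe"), ("srv-01", 3, 38, "sqlservr.exe"),
    ("srv-01", 4, 33, "sqlservr.exe"), ("srv-01", 5, 36, "sqlservr.exe"),
]


def analyse_host(records, baseline_cpu, high_pct=85.0,
                 min_high_fraction=0.9, baseline_multiple=3.0):
    """Summarise one host's window and decide whether it looks pegged.

    A host is suspicious only if it is near saturation for almost every
    sample AND its average is several times its own historical baseline,
    so a brief legitimate burst on a normally busy host does not trip it.
    """
    cpu = [r[2] for r in records]
    high_fraction = sum(1 for c in cpu if c >= high_pct) / len(cpu)
    avg = mean(cpu)
    top_process, _ = Counter(r[3] for r in records).most_common(1)[0]
    suspicious = (high_fraction >= min_high_fraction
                  and avg >= baseline_multiple * baseline_cpu)
    return {
        "avg_cpu": avg,
        "high_fraction": high_fraction,
        "baseline_multiple": avg / baseline_cpu,
        "top_process": top_process,   # what to inspect first on that host
        "suspicious": suspicious,
    }


def find_suspect_hosts(samples, baselines, **thresholds):
    """Group telemetry by host and analyse each one."""
    by_host = defaultdict(list)
    for rec in samples:
        by_host[rec[0]].append(rec)
    return {host: analyse_host(recs, baselines[host], **thresholds)
            for host, recs in by_host.items()}


def fleet_alert(results, min_fraction=0.25):
    """Escalate when enough hosts are flagged to explain widespread complaints."""
    flagged = sorted(h for h, r in results.items() if r["suspicious"])
    fraction = len(flagged) / len(results) if results else 0.0
    return {"flagged_hosts": flagged, "fraction": fraction,
            "widespread": fraction >= min_fraction}


if __name__ == "__main__":
    results = find_suspect_hosts(SAMPLES, BASELINE_CPU)
    for host, r in sorted(results.items()):
        print(f"{host}: avg={r['avg_cpu']:.1f}% high={r['high_fraction']:.2f} "
              f"x{r['baseline_multiple']:.1f} baseline, top={r['top_process']}, "
              f"suspicious={r['suspicious']}")
    print(fleet_alert(results))
```

The per-host baseline is what keeps this useful: a build server or database host runs hot legitimately, so an absolute CPU threshold alone would drown the signal in false positives. The flagged host's dominant process name is reported only as a starting point for investigation; as the article notes, miners often hide inside copies of legitimate software, so the name alone proves nothing and the binary itself needs to be examined.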

Protecting the pack

Organizations and individuals looking to protect themselves need to ensure their overall privacy and security posture is high and that they are taking every step to defend themselves against all types of cyber incidents. Cryptojacking is often a warning shot, sending up a red flag that the system may not be as protected as it should be.

Relying on the basics is the first place to start – everyone on the network should be using multi-factor authentication and unique passwords. There should be continuous monitoring for unexpected activity on the network, as well as safeguards in place to make sure any software installed on a device comes from a reputable source and is fully patched. Finally, there needs to be a team dedicated to constantly monitoring, remediating and updating privacy and security safeguards.

While cryptojacking attacks are worrisome and can lead to further breaches, most can be avoided or remedied before a larger incident occurs with proper monitoring and early detection. The rise in cryptojacking should be taken as a good reminder for administrators to ensure their security and privacy measures adhere to the current standards.

After all, if there weren’t a lot of vulnerable systems out there this type of attack wouldn’t be growing at a rapid pace. As always, staying vigilant, up-to-date and following security best practices is the only way to stay shielded against cryptojacking cybercriminals.

Review: Cyber Smart


Do you believe you’re not interesting or important enough to be targeted by a cybercriminal? Do you think your personal data doesn’t hold any value? Bart R. McDonough proves why those beliefs are wrong in his book Cyber Smart: Five Habits to Protect Your Family, Money, and Identity from Cyber Criminals.

McDonough, CEO and Founder of Agio, is a cybersecurity expert, speaker and author with more than 20 years of experience in the field, and this is his debut book.


He starts by debunking the most common cybersecurity myths, like the one mentioned above. Whether you like it or not, you are important, and your data is important. Also, everything has a price.

McDonough explains all the possible risks and threats you could encounter in a connected world, who are the bad actors, what their goals are and, most importantly, their attack methods.

The author presents five golden rules – or, as he calls them, “Brilliance in the Basics” habits – you should be complying with to maintain a good cybersecurity hygiene: update your devices, enable two-factor authentication, use a password manager, install and update antivirus software, and back up your data.

The second half of the book gives you detailed and specific recommendations on how to protect your:

  • Identity
  • Children
  • Money
  • Email
  • Files
  • Social media
  • Website access and passwords
  • Computer
  • Mobile devices
  • Home Wi-Fi
  • IoT devices
  • Information when traveling

McDonough doesn’t use scare tactics that could possibly make you want to forego all technology and go live in the woods. On the contrary, he wants you to embrace it and understand that even if the online world poses so many threats, there’s a lot you can do to protect yourself.

Who is this book for?

You don’t need to be a cybersecurity professional to understand this book. Its language is simple and it offers many comprehensible everyday examples and detailed tips. It’s a book you should definitely have in your home library, also for future reference.

The author has a very clear message: don’t just sit back and hope bad actors will pass you over. Be proactive and take all the possible and necessary steps to secure your data and your devices.

Nearly half of consumers worry about being tricked by fraudsters this holiday season

There has been a 29% increase in suspected online retail fraud during the start of the 2019 holiday shopping season compared to the same period in 2018, and a 60% increase in suspected e-commerce fraud during the same period from 2017 to 2019, according to iovation.


The findings are based on the online retail transactions analyzed for its e-commerce customers between Thanksgiving and Cyber Monday over the last three years.

“Among the conclusions from TransUnion’s 2019 Holiday Retail Fraud Survey: nearly half of all consumers, 46%, are concerned with being victimized by fraudsters this holiday season with baby boomers being the most concerned of any generation at 54%,” said TransUnion Senior VP of Business Planning and Development, Greg Pierson.

Additional findings: Online retail fraud increase

Suspected fraudulent e-commerce transactions as a percentage of all transactions, during the start of the holiday shopping season and for the entire year, over the past three years:

  • 15% from Nov. 28 to Dec. 2, 2019. 10% so far in 2019.
  • 13% from Nov. 22 to Nov. 26, 2018. 11% all of 2018.
  • 11% from Nov. 23 to Nov. 27, 2017. 7% all of 2017.

The top days during the start of the 2019 holiday shopping season for legitimate and for suspected fraudulent online retail transactions:

  • Thanksgiving, Nov. 28: 16% of legitimate holiday weekend transactions (#5). 17% of suspected fraudulent holiday weekend transactions (#4-tie).
  • Black Friday, Nov. 29: 26% of legitimate holiday weekend transactions (#1). 25% of suspected fraudulent holiday weekend transactions (#1).
  • Saturday, Nov. 30: 19% of legitimate holiday weekend transactions (#3). 19% of suspected fraudulent holiday weekend transactions (#3).
  • Sunday, Dec. 1: 17% of legitimate holiday weekend transactions (#4). 17% of suspected fraudulent holiday weekend transactions (#4-tie).
  • Cyber Monday, Dec. 2: 22% of legitimate holiday weekend transactions (#2). 21% of suspected fraudulent holiday weekend transactions (#2).

The countries and U.S. cities from which the highest percentage of suspected fraudulent e-commerce transactions originated during the start of the 2019 holiday shopping season:

Country

  • China: 57%
  • Central African Republic: 57%
  • Lebanon: 45%

U.S. city

  • Boardman, Oregon: 70%
  • Pineville, Louisiana: 42%
  • Alexandria, Louisiana: 38%


Mobile transaction and fraud trends

The survey also found that consumers used a mobile phone or tablet for 63% of their online retail transactions during the start of the 2019 holiday shopping season. That is up from 58% for the same period in 2018 and 56% for the same period in 2017.

For the holiday shopping weekend, retail transactions from a mobile phone compared to all e-commerce transactions were:

  • 64% on Thanksgiving, Nov. 28
  • 63% on Black Friday, Nov. 29
  • 67% on Saturday, Nov. 30
  • 66% on Sunday, Dec. 1
  • 57% on Cyber Monday, Dec. 2

“Year after year it becomes clear that when not at work, consumers increasingly prefer using their mobile devices to make retail purchases due to their convenience,” said iovation’s Senior Director of Customer Success, Melissa Gaddis. “Once at work when they’re at their desk, consumers turn to their desktop and laptop computers to make purchases.”

Because fraudsters always try to emulate the purchasing patterns of trusted consumers, mobile is also the preferred channel for fraudulent online retail transactions. A mobile phone or tablet appeared to be used for 63% of all suspected fraudulent e-commerce transactions during the long holiday shopping weekend, compared to 59% for the same period in 2018 and 51% for the same period in 2017.

Top compliance and risk management challenges for financial organizations

Notable regulatory compliance and risk challenges remain high in a number of key areas for U.S. banks and credit unions, according to the results of a Wolters Kluwer survey.


Rising risk challenges for financial organizations

This year’s survey generated a Main Indicator Score of 95, a 10-point increase from the 2018 score, which was influenced by concerns about the impact of Home Mortgage Disclosure Act (HMDA) rules; cybersecurity, credit and compliance risks; and an increased level of regulatory agency fines.

The calculation of the Main Indicator Score is based on several factors, including the number of new federal regulations, number of enforcement actions, and the total dollar amount of fines imposed on banks and credit unions over the past 12 months, together with additional information provided by survey respondents.

“Respondents indicated more confidence in their ability to maintain compliance, keep track of changing regulations, and demonstrate compliance to regulators, reaching the highest confidence levels in the survey’s seven years,” said Timothy R. Burniston, Senior Advisor for Regulatory Strategy with Wolters Kluwer’s Compliance Solutions business.

“These findings suggest a strengthening of lenders’ compliance program management practices. That said, relatively high levels of concern across a range of areas remain, reinforcing the reality that regulatory compliance and risk management issues continue to significantly challenge financial institutions.”

Among top obstacles cited in implementing effective compliance programs, 47 percent of respondents ranked manual compliance processes as a seven or higher concern on a scale of 10, and 45 percent cited inadequate staffing, both slight increases over 2018 levels.

Concerns about managing increased HMDA analysis and reporting obligations jumped significantly among reporters, particularly in their ability to analyze newly collected HMDA data—moving from 21 percent in 2018 to 35 percent in 2019—and in reporting those expanded data to regulators, moving from 15 percent last year to 40 percent in 2019.

Regulatory compliance challenges

Over the next 12 months, respondents’ most pressing regulatory compliance challenges include: managing and implementing residential mortgage regulations; keeping current with changing regulations; complying with the forthcoming Current Expected Credit Loss (CECL) accounting standards; deposit account regulations; and compliance program management.

Respondents also expressed a high level of concern about their ability to comply with BSA/AML requirements, fair lending laws and regulations, UDAAP standards, new URLA forms and, to a slightly lesser degree, state regulatory requirements.

From a risk management perspective, cybersecurity continued to rank as the top risk with 78 percent of respondents anticipating escalated priority over the next 12 months, followed by compliance risk at 47 percent and credit risk at 45 percent of respondents ranking them as a seven or higher. It’s clear that risk challenges are rising on the agenda for financial organizations.


Looking forward

When asked about enhancing elements of their compliance management systems, 48 percent of respondents anticipate higher future investments in strengthening their risk assessment capabilities, followed by updating compliance policies and procedures (47 percent), and expanding compliance control testing processes (43 percent).

Looking forward, economic factors the institutions are monitoring as potential concerns include interest rate fluctuations (87 percent), data privacy issues (85 percent), and recession fears (76 percent).

Only 22 percent of respondents view regulatory relief over the next two years as either very likely (three percent) or somewhat likely (19 percent), a drop from 48 percent who viewed regulatory relief as very likely (15 percent) or somewhat likely (23 percent) in the 2018 survey.

Avoiding the next breach: Four tips for securing your apps

As security incidents continue to be an ongoing threat to businesses on a daily basis, keeping security procedures up-to-date and avoiding the next breach have become paramount.


In the first six months of 2019 alone, more than 4 billion customer records were exposed in data breaches. Every year we see the same troubling story play out: companies that fail to address vulnerabilities in their infrastructure and customer-facing mobile and web apps eventually fall victim to malicious actors.

When it comes to data breaches, it’s easy to stay out of the spotlight – until the worst case scenario happens. With this in mind, it’s critical that companies be proactive in their cybersecurity efforts and ensure their security teams are equipped to address vulnerabilities in real-time. Let’s take a look at four key tips to keeping tabs on business apps and improving security efforts.

Developers and security teams – unite!

Simply put, security, operations and developer teams need to have ongoing collaboration. While security teams may be responsible for strategizing around new investments in defensive technology, they are not part of the building process.

It is crucial to include application developers – the ones who are actually adopting the new platforms and methods that alter your risk profile – in the security conversation. Developers need visibility and feedback as well as automated security checks throughout the development process – a method that secures applications while simultaneously achieving business objectives.

Prioritize the needles in the haystack

Prioritization is a major problem in the world of application security. There is a constant overabundance of bugs that need fixing, so a pile-on of both expected and unexpected issues can occur at an unmanageable rate. Given this, it’s no surprise that security professionals can end up feeling paralyzed by the overwhelming volume of threat alerts on their plate.

This issue explains why legacy web application firewalls are often bought for compliance – just to check off a box – and then taken out of blocking mode and merely monitored. Security teams need a modern solution that pulls the needles out of the haystack, identifying anomalies and the most important attacks in real time. Solutions like these allow any team member to access security data and quickly diagnose, triage and solve the problem within their applications.

When security teams are enabled to view attack traffic like this and understand the impact on their apps, they become more informed about the probability of bug exploitation and, therefore, are better equipped to address issues.

Know the unknowns, but accept that you can’t know them all

Facing unknowns is a challenge, and this reality couldn’t be more true for security professionals. These teams are often concerned with their lack of understanding of threats, attack vectors and methods specific to cloud-native applications. It’s a valid fear – one rooted in the idea that they can’t stop or prevent threats they can’t see.

The common issue is that companies are often operating blindly when trying to secure cloud-native applications due to a lack of information on why or how an activity was allowed or blocked. This is because some security vendors operate as a black box and do not provide customers the means to drill down or understand why activity was allowed or blocked.

As a result, teams can become complacent on security activity and are prevented from investigating and learning from attacks on their applications. Security teams can’t effectively secure their apps with a black box mentality. To operate successfully and make sure they are avoiding the next breach, they need to choose a solution and develop practices that provide them with visibility into the unknowns – as many as possible.

Avoiding the next breach by keeping tabs on your budget

Two words: spend wisely. The allocation of a security budget needs to align with the overall technology strategy, so companies need to ensure they are allocating their security budget strategically. A good starting point is to consider investments in building cloud services and web applications, as well as corresponding defensive technologies.

Earlier this year, analyst firm IDC published research that forecasted worldwide spending on security-related hardware, software, and services to reach $103 billion in 2019, which puts it at nearly a 10 percent increase over 2018. Where is all this money going? Companies need to spend smarter on solutions that will offer long-term improvements to their security practices from the ground up.

The rise of continuous crowdsourced security testing for compliance

A large percentage of organizations and institutions are moving toward a rigorous, continuous testing model to ensure compliance, a Synack report reveals.


As part of this shift toward continuous testing, organizations are utilizing crowdsourced security testing to achieve regulatory compliance and real security, with adoption expected to increase four-fold in 2020.

With new compliance frameworks such as GDPR and CCPA drastically increasing the cost of a breach, organizations are racing to protect their data. In an increasingly connected, highly regulated and digital world, business leaders and decision makers are turning to outside vendors that can ramp up quickly in a cost effective manner.

As a result, the crowdsourced security testing space – which has already gained credibility for its significantly better ROI than more traditional, less frequent, and less secure methods – has surpassed all estimates and will continue to do so in 2020 and beyond.

“The rapid embrace of crowdsourced security testing has happened because it is proven to work better than traditional security testing methods and addresses the ever growing talent gap within organizations,” said Synack CTO Mark Kuhr.

What is boosting continuous crowdsourced security testing?

The growth in crowdsourced security testing can be attributed to two major trends. The first: rapid development cycles. “Today’s security teams have shorter development cycles and dynamic environments that require rapid deployment and a continuous approach to security testing,” explains Kuhr. This explains the shift towards continuous, crowdsourced security testing for compliance purposes.

“Although we are seeing a move toward a 24/7, 365 security culture at organizations in a wide variety of industries and geographies, there is still ample room for improvement,” said Aisling MacRunnels, Synack’s CMO.

“Our survey found that on average, most security tests are lasting just 20 hours. As the number of cyber incidents continues to increase, it will be imperative for decision makers to implement security testing solutions on a continuous basis with 1500-2000 hours of testing a year.”

Secondly, organizations are turning to crowdsourced security because of tremendous pressure from boards and regulators to remain compliant and secure. Regulatory frameworks and best practices mentioned in the report, including GDPR and HIPAA, increasingly require or recommend an annual or more frequent audit that includes penetration testing.

The advent of trusted and structured crowdsourced penetration testing solutions builds on that trend by combining the very best of human intelligence with artificial intelligence on a continuous cadence.

“This shift toward continuous crowdsourced security testing will allow organizations and institutions to have the best of both worlds by procuring technology that offers efficient and effective results while fulfilling best practice standards such as NIST 800-53 to meet compliance objectives,” said Kuhr.

In addition to helping identify a set of security and compliance best practices for a diverse set of industries, the report found security testing is becoming part of an organization’s normal routine rather than a once-a-year check of the box focused only on compliance.

44% of organizations and institutions surveyed are performing security tests on a monthly or weekly basis, which suggests they are moving toward the more effective continuous model that crowdsourced solutions enable.

Other key findings

  • 63% of organizations agree that the most common use case for external vendors is to identify and reduce vulnerabilities, which is encouraged by different compliance frameworks and best practice standards
  • 52% of organizations experience unwanted cost and complexity due to overlap in functionality from using multiple security vendors, which is caused by poor budget allocation and overlap in vendor capabilities
  • 32% of compliance testing processes are expensive and difficult to scale, yet crowdsourced security testing solutions provide 147% higher ROI than a typical pen test and may decrease the burden of testing on organizations by reducing signal-noise ratio

2020 predictions: Rising complexity of managing digital risk

Digital risk management experts at RSA Security have released their predictions for 2020, detailing key cyber trends for the year ahead. With contributions from President Rohit Ghai and CTO Dr. Zulfikar Ramzan, the predictions offer companies a steer on emerging threats and highlight that cybersecurity issues remain the number one digital risk for organizations undergoing digital transformation.


“In 2019, across all verticals, cyber attack risk ranks as one of the top digital risk management priorities,” commented Rohit Ghai, President at RSA Security. “Don’t expect anything to change in the New Year. In fact, across both public and private sectors, organizations will continue to embrace digital transformation initiatives. On the risk register, cyber-attack risk will remain the leading business risk and inevitably, organizations will continue to struggle to gain visibility across a growing number of endpoints and a more dynamic workforce. Both will create gaps for potential exploitation.”

Some of the key trends that businesses need to be aware of include:

Cybersecurity: A matter of safety

“There will be a shift in mindset from cybersecurity to ‘cyber safety’ in 2020. Global events like the Summer Olympics in Japan or World Expo in Dubai are blending physical infrastructure with connected systems to deliver better user experiences,” comments Alaa Abdulnabi, Regional Vice President of META. “However, these events underscore a new reality: cyber is much more than just a data security issue. It will become a component of physical security, too.”

Expect to see a cyber incident at the edge next year

“The continued proliferation of IoT devices will make edge computing an essential component of enterprise IT infrastructure in 2020,” comments Rohit Ghai, President. “To power these systems, 5G will become a bedrock for organizations looking to speed up their IT operations. With this innovation and speed will come greater digital risk. A security incident in the New Year will serve as the wake-up call for organizations leaning into edge computing. It will remind them that threat visibility across is essential as their attack surface expands and the number of edge endpoints in their network multiplies.”

Breach accountability

“A high-profile case where an organization is breached due to an API integration will create confusion over who is responsible for paying the GDPR fine,” comments Angel Grant, Director of Digital Risk Solutions. “This will spark conversations about regulatory accountability in a growing third-party ecosystem.”

The rise of cyber attacks in the crypto-sphere

“The security of cryptocurrencies rests on safeguarding users’ private keys, leaving the ‘keys to the kingdom’ accessible to anyone who fails to adequately protect them,” comments Dr. Zulfikar Ramzan, CTO. “Cybercriminals usually follow the money, so expect that cryptocurrencies will be at or near the top of attackers’ wish lists in 2020.”

The API house of cards will start to tumble

“Many organizations have stitched together a fragile network of legacy systems via API connections to help better serve customers and improve efficiency,” comments Steve Schlarman, Director & Portfolio Strategist. “A security incident in the New Year will disrupt the patchwork of connections and it will lead to major outages. The event will serve as a call-to-action for security and risk teams to evaluate how their IT teams are patching systems together.”

The identity crisis will worsen

“Businesses are coming to realize that mismanaged credentials and passwords are often the weakest link in a security chain and identity compromise continues to be at the root of most cyber incidents,” comments Rohit Ghai, President. “Next year, we will see identity risk management become front and centre in cyber security programs as organizations adopt more and more cloud solutions; as workforces become more dynamic with gig workers and remote employees and as the number of identities associated with things or autonomous actors continues to dwarf the number of human actors on the network.”

CPoC: New data security standard for contactless payments

The PCI Security Standards Council (PCI SSC) published a new data security standard for solutions that enable merchants to accept contactless payments using a commercial off-the-shelf (COTS) mobile device with near-field communication (NFC).


PCI CPoC Standard

Using the PCI Contactless Payments on COTS (CPoC) Standard and supporting validation program, vendors can provide merchants with contactless acceptance solutions that have been developed and lab-tested to protect payment data.

“The PCI CPoC Standard is the second standard released by the Council to address mobile contactless acceptance. Specifically, the PCI CPoC Standard provides security and test requirements for solutions that enable contactless payment acceptance on a merchant COTS device using an embedded NFC reader,” said PCI SSC Standards Officer Emma Sutcliffe.

“Contactless, or tap and go, payment adoption is on the rise globally, and merchants want affordable, flexible and safe options for contactless payment acceptance that allow them to best serve their customers. In addition to PCI Software-based PIN Entry on COTS (SPoC) Solutions that enable contactless payment acceptance with a dongle attached to the mobile COTS device, the PCI CPoC Standard and Program now provide merchants the option to use validated solutions that require no additional hardware to accept contactless transactions,” said PCI SSC Senior VP Troy Leach.


Standard security requirements

The PCI CPoC Standard includes security requirements for vendors on how to protect payment data in CPoC Solutions and test requirements for laboratories (labs) to evaluate these solutions through the supporting validation program.


The central elements

The primary elements of a CPoC Solution include: a COTS device with an embedded NFC interface to read the payment card or payment device; a validated payment acceptance software application that runs on the merchant COTS device initiating a contactless transaction; and back-end systems that are independent from the COTS device and support monitoring, integrity checks and payment processing. Software-based PIN entry is not permitted in a CPoC Solution.

Through a combination of the security controls built into the merchant application and ongoing monitoring and integrity checks performed by the back-end systems, merchants and consumers can have confidence in the security of the CPoC Solution and the contactless transaction.

How do SMBs plan to improve their security posture in 2020?

With cybersecurity concerns already mounting ahead of the 2020 presidential election, SMB executives are turning their attention to how these threats could impact their own business.


The threat of foreign adversaries

According to a new Zix-AppRiver survey, 93 percent of SMB executives believe that as foreign adversaries attempt to breach national security or wage cyberwar, they will use small businesses such as their own as entry points. Among them, two-thirds expect this threat to become even more severe.

“In 2019, we saw cyberattacks on our government trickle down from large agencies to smaller local municipalities and schools,” said Dave Wagner, CEO, Zix.

“That follows the pattern we’ve seen in business, where attacks have expanded from big corporations to small- and medium-sized businesses. While these attacks can originate from anywhere, the survey data shows that SMBs believe foreign actors and even nation-states may be targeting them as a first step toward access to larger companies or government agencies.”

SMBs want a better security posture in 2020, and they’re ready to pay for it

This, among other cybersecurity concerns, could be one driver behind SMBs’ plans to shore up their security investment and defenses in 2020. Sixty-two percent of all SMBs plan to increase their cybersecurity budgets in 2020.

Among the list of cybersecurity upgrades they’d like to make, their highest priorities include employing more cybersecurity technology (58 percent), creating better security awareness training for their employees (57 percent) and conducting more regular reviews of their security defenses (50 percent).

These findings are in line with other key results from the survey, which indicate that only 43 percent of all SMBs currently feel in-control and confident in their own cyber preparedness.

Concerns about foreign powers

SMBs within the government and technology sectors are among those most concerned about their security posture and nation-state cyberattacks on their business in 2020. Executives within these industries also have the highest propensity to increase their cybersecurity budgets next year, with 77 percent of technology SMBs and 76 percent of government SMBs planning to increase their budgets in the coming year.

“It seems unusual that small and midsize companies are concerned about foreign powers, but with elections coming up in 2020, they have legitimate reasons to worry about becoming vulnerable entry points for outside entities,” said Troy Gill, senior cybersecurity analyst at AppRiver.

“The silver lining is that they are actively planning to improve their security with new technology and better training for employees, which together, are a powerful combination.”

How DNS filtering works and why businesses need it

The Domain Name System (DNS) is a cornerstone of the internet. DNS servers map the human-readable domain names in URLs to the numeric Internet Protocol (IP) addresses that web browsers and other clients actually connect to. Without DNS, we’d all be typing long, seemingly random strings of numbers in order to get anywhere online! However, this dependency opens up the possibility for misuse. From domain hijacking and cache poisoning to Denial of Service attacks, DNS is no stranger to being attacked or, even scarier, being used as an attack vector!


It’s not difficult to see why attackers would use DNS as an attack vector. Although the majority of internet traffic is web content, every application that uses the internet relies on DNS, including email, peer-to-peer sharing, RDP, SSH and so on. Fortunately, this crucial component of the internet can be used defensively as well. DNS filtering can prevent users from downloading malware without also blocking legitimate files by accident. Let’s explore how this process works and why it’s a useful tool for IT and security teams.

Methods for filtering malware

Malware is one of the major plagues of modern computing and many security providers spend ample time trying to prevent users from accessing malicious files on the internet. One of the easiest ways to keep users from downloading malware is to simply block access to servers hosting malicious files. There are companies whose entire purpose is to sell services that identify malicious actors. This is typically referred to as “Threat Intelligence.” Once you know which servers and sites are bad, the next step is to prevent users from connecting to them. There are multiple ways to do this, and they each have advantages and drawbacks.

It would be easy to simply block malicious sites based on IP address, but this usually isn’t practical. Unfortunately, modern server configurations allow a single IP address to host many different services. Also, many different domain names can map to the same IP address, which generally makes blocking bad sites by IP address too broad. In practice, this means IT ends up blocking legitimate websites and services along with the malicious ones, which frustrates users and makes it harder for them to accomplish their work.

On the other hand, filtering based on full URLs achieves greater fidelity against individual files served by web servers. This approach avoids the problem of blocking too many legitimate sites, but requires a lot of extra work from IT. Since URLs are application protocol-specific, this level of protection ends up requiring a unique filtering implementation per application protocol (HTTP vs FTP). Many businesses don’t have the resources to implement this successfully.

Not too broad, not too granular

DNS sits smack dab in the middle of the two methods described above. Filtering by DNS is more precise than IP address filtering, but not as work-intensive as URL filtering. For example, if malicious files are served up by only one domain name out of four that map to an individual IP address, blocking by domain name will not interrupt the other three domains (whereas blocking by IP address would interrupt all four domains). The level of precision that DNS filtering offers keeps organizations safe from malware without making IT departments seem “heavy-handed” and frustrating employees by unnecessarily blocking important sites and services.

DNS is also application protocol agnostic, so blocking by domain name will block connections to malicious links no matter which application initiates the connection. There are very few applications today that don’t connect to the Internet, and they all resolve human-readable names into IP addresses. For example, regardless of whether you read your email using a thick client like Outlook or use a web UI like Gmail, clicking on a malicious link will result in the same resolution of the same name. The same goes for documents.

Clicking on a malicious link in Acrobat Reader or Microsoft Word results in the same resolution of the same name regardless of document type or application. That means DNS-level filtering will block malicious links in all of these scenarios without needing to be customized to the specific application or protocol in use. With workers accessing corporate data from multiple devices, checking email on their phones and using applications that IT might not even know about, the flexibility provided by DNS filtering is extremely useful.

DNS filtering considerations

In security, it’s important to remember that no single solution is foolproof, and DNS filtering is no exception. Servers that use custom application protocols on unusual ports for malicious activity such as botnet traffic usually require IP address blocking, since a client contacting a hard-coded address never performs a name lookup for a DNS filter to see. Malicious activity over non-web protocols like SMTP requires full domain name blocking.

Lastly, malicious content hosted on a file sharing or content delivery network requires full URL blocking because most of the content on the CDN is legitimate. No one level of network blocking is foolproof either. As every seasoned security professional knows, the best security is layered security. Therefore, the best network blocking solutions will allow filtering at all three network levels: IP, Domain and URL.

One of the other advantages of DNS filtering is that many solutions available on the market integrate seamlessly into your current infrastructure. Instead of pointing your internal DNS server at your ISP’s upstream DNS server, you point it at the DNS servers of the filtering solution, which apply the protection.
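As an added example (not code from the original article or from any filtering product it describes), here is a small Go filter that applies the three layers discussed above, URL, domain and IP, in order of precision, and reports which layer made the decision. The zone data, hostnames, addresses and blocklist entries are all constructed for the demonstration: four names share one IP address and only one of them serves malware, a CDN hosts one bad path among legitimate content, and a command-and-control address is contacted over a non-DNS protocol. The `constructedZone` map stands in for real DNS resolution.

```go
package main

import (
	"net"
	"net/url"
	"sort"
	"strings"
)

// Decision records whether a connection is allowed and which layer decided:
// "url", "domain", "ip", or "none" when no blocklist matched.
type Decision struct {
	Allowed bool
	Layer   string
}

// Filter holds the three blocklists the article describes: IP, domain and URL.
type Filter struct {
	BlockedIPs     map[string]bool
	BlockedDomains map[string]bool // a listed domain also covers its subdomains
	BlockedURLs    map[string]bool // scheme://host/path, for CDN and file-share cases
}

// constructedZone is constructed sample DNS data standing in for real
// resolution: four names share one IP, only one of which serves malware,
// plus a CDN whose content is mostly legitimate.
var constructedZone = map[string]string{
	"shop.example":    "203.0.113.10",
	"blog.example":    "203.0.113.10",
	"mail.example":    "203.0.113.10",
	"malware.example": "203.0.113.10",
	"cdn.example":     "198.51.100.7",
}

// NewSampleFilter wires constructed blocklists for the demonstration.
func NewSampleFilter() *Filter {
	return &Filter{
		BlockedIPs:     map[string]bool{"203.0.113.50": true}, // constructed C2 on a custom protocol
		BlockedDomains: map[string]bool{"malware.example": true},
		BlockedURLs:    map[string]bool{"https://cdn.example/files/dropper.bin": true},
	}
}

// domainBlocked walks up the label hierarchy so that listing "malware.example"
// also covers "dl.malware.example".
func (f *Filter) domainBlocked(host string) bool {
	labels := strings.Split(strings.TrimSuffix(host, "."), ".")
	for i := range labels {
		if f.BlockedDomains[strings.Join(labels[i:], ".")] {
			return true
		}
	}
	return false
}

// Evaluate applies the layers from most to least specific: URL, then domain,
// then the IP the name resolves to (or the literal IP for non-DNS traffic).
func (f *Filter) Evaluate(rawURL string) Decision {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return Decision{false, "url"} // refuse what cannot be classified
	}
	host := strings.ToLower(u.Hostname())
	// URL layer: exact match on scheme://host/path, ignoring port and query.
	if f.BlockedURLs[strings.ToLower(u.Scheme)+"://"+host+u.Path] {
		return Decision{false, "url"}
	}
	// Literal IP targets never touch DNS, so only the IP layer can see them.
	if ip := net.ParseIP(host); ip != nil {
		if f.BlockedIPs[ip.String()] {
			return Decision{false, "ip"}
		}
		return Decision{true, "none"}
	}
	// Domain layer: the check a DNS filter performs at resolution time.
	if f.domainBlocked(host) {
		return Decision{false, "domain"}
	}
	// IP layer after resolution: catches names that point at a listed address.
	if ip, known := constructedZone[host]; known && f.BlockedIPs[ip] {
		return Decision{false, "ip"}
	}
	return Decision{true, "none"}
}

// CollateralDomains lists every known name that blocking the given IP would
// also cut off: the over-blocking problem of IP-level filtering.
func CollateralDomains(ip string) []string {
	var names []string
	for host, addr := range constructedZone {
		if addr == ip {
			names = append(names, host)
		}
	}
	sort.Strings(names)
	return names
}
```

With this filter, `https://dl.malware.example/update.exe` is refused at the domain layer because its parent domain is listed, while `https://shop.example/checkout`, which resolves to the same address, is allowed; `CollateralDomains("203.0.113.10")` shows that blocking the shared IP instead would also cut off the three legitimate names. The `tcp://203.0.113.50:6667` target never reaches the domain layer at all, which is why that class of traffic needs an IP-level rule, and only the one listed CDN path is blocked while the rest of the CDN stays reachable.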

Putting it all together

DNS is incredibly important to everything we do on the internet in our daily lives. The old method of blocking by IP address is inadequate, as many individual servers can serve up many different, mostly legitimate services. And even though we do just about everything in our web browser, blocking by URLs can be too narrow. The gap left over can be filled by blocking by domain names.

Remember, because of our heavy reliance on the internet, DNS-based filtering is essential for businesses today since it removes an avenue of attack that you couldn’t close down otherwise.

Despite potential fines, GDPR compliance rate remains low

58% of surveyed businesses worldwide failed to address requests made from individuals seeking to obtain a copy of their personal data as required by GDPR within the one-month time limit set out in the regulation, reveals updated research from Talend.


GDPR compliance rate: 2018 and now

In September 2018, Talend released the results of its first GDPR research benchmark, which aimed to assess the ability of organizations to achieve right-to-access and portability compliance with the European regulation. At that time, 70% of the companies surveyed reported they had failed to provide an individual’s data within one month.

One year later, Talend surveyed a new population of companies, as well as the companies which reported a failure to comply in the first benchmark, in order to map improvement. Although the overall percentage of companies who reported compliance increased to 42%, the rate remains low 18 months after the regulation came into force.

“These new results show clearly that Data Subject Access Rights is still the Achilles’ heel of most organizations,” said Jean-Michel Franco, Senior Director of Data Governance Products at Talend. “To fully comply with GDPR it is necessary to understand where the data is, how it is processed and by whom, as well as ensure that the data is trusted.”

Organizations are struggling to meet requests

The research revealed that only 29% of the public sector organizations surveyed could provide the data within the one-month limit. With the public sector making increasing use of data and new technologies – facial recognition, artificial intelligence – to improve the citizen experience, more integrated data governance is a must-have for 2020 and beyond.

The same observation applies to companies in the media and telecommunications industries. Only 32% of these organizations reported that they could provide the correct data on time.

Many firms barely reach an average success rate

Compared to last year, retail companies improved their success rate with 46% of such companies reporting they provided correct responses within the one-month limit. A greater proportion of companies in this industry started to take a customer-centric approach to both improve the experience and internal processes.

The same situation occurs with organizations in finance as well as in the travel, transport and hospitality industries. The latter are considered the best performers, as companies in that industry represent 38% of all the organizations that provided data in less than 16 days.

The lack of automation remains a barrier to success

One take-away from this new benchmark is the lack of automation in processing requests. One of the main reasons companies failed to comply was the lack of a consolidated view of data and of clear internal ownership over pieces of data. In the financial services industry, for example, clients may have multiple contracts with a company that are not all held in one place, making it difficult to retrieve all the necessary information.

Processing the requests thus remains very manual and often involves the business users, e.g. the insurance representatives in the case of an insurance company. In addition, processing Subject Right Requests can be very costly; according to a recent Gartner survey, companies “spend, on average, more than $1,400 to answer a single SRR.”


ID proof and requesting process should be improved

The research also highlights the lack of an identity check on the individual making the data request. Overall, only 20% of the organizations surveyed asked for proof of identification. Moreover, of the companies that reported asking for proof of identification, very few use a secure online channel for sharing ID documents; most of the time, copies of identification were sent by email. The requesting process also remains cumbersome, with reported difficulties including finding the right email address to send the request to, and follow-up emails because the data is incomplete or because the files can’t be opened.

What do cybercriminals have in store for 2020?

As we look to 2020 and a new decade, cybersecurity will continue to be a top priority for businesses and consumers alike. To help organizations prepare for the next year and beyond, Experian released its forecast, which predicts the top five threats businesses and consumers should be aware of in order to keep their information safe.


“Hackers are continuing to become more sophisticated with the tools at their disposal to gain control of personal devices and business operating systems,” said Michael Bruemmer, Vice President at Experian Data Breach Resolution.

“There has never been a more important time for organizations to be equipped with the knowledge and resources needed to try to prevent and respond to a data breach.”

2020: Top five threats

Cybercriminals will leverage text-based smishing identity theft techniques to target consumers participating in online communities. As more Americans continue to join like-minded groups on social media to provide financial support to social causes or political candidates, cybercriminals can solicit unsuspecting consumers with fraudulent messages via SMS text to seek bank account details or other sensitive information.

Hackers will take to the skies to steal consumer data from devices connected to unsecure networks. As cities install more free public Wi-Fi systems, the more than one million drone devices operating in the U.S. today may be armed with affordable mobile hacking devices to steal sensitive data from consumers and businesses on the streets below.

Cybercriminals will use deepfake technology to disrupt the operations of large commercial enterprises and create geo-political confusion. Artificial intelligence technology can manipulate C-suite executives and government leaders’ appearance and voice to blur the lines of what is real and what isn’t.

Burgeoning industries, such as cannabis retailers and cryptocurrency entities will be targeted for cyberattacks as a result of online activism or “hacktivism.” As a form of protest, hackers may seek to gain access to controversial companies’ sensitive data due to their prevalence in society and increased cash flow.

Cybercriminals will execute a major hack of the mobile point-of-sale platforms used to process transactions. The proliferation of mobile payment options would allow cybercriminals to access payment data over unsecured networks and target large venues such as concerts or major sporting events.

Cybersecurity regulation is not one-size-fits-all

Differences in cultural values have led some countries to tackle the spectre of cyberattacks with increased internet regulation, whilst others have taken a ‘hands-off’ approach to online security – a study shows.


Internet users gravitate towards one of two ‘poles’ of social values. Risk-taking users are found in ‘competitive’ national cultures prompting heavy regulation, whilst web users in ‘co-operative’ nations exhibit less risky behavior requiring lighter regulation.

Researchers at the University of Birmingham used cultural value measurements from 74 countries to predict the Global Cybersecurity Index (GCI), which measures state commitments of countries to cybersecurity regulation.

Cybersecurity regulation differences

Dr. Alex Kharlamov, from Birmingham Law School, and Professor Ganna Pogrebna, from Birmingham Business School, demonstrated that differences in cybersecurity regulation, measured by GCI, stem from cross-cultural differences in human values between countries. They also showed how cultural values mapped onto national commitments to regulate and govern cybersecurity.

In China, where people are more risk-taking than American and British web users across five categories of risk behaviors, regulation is far stricter than in the USA, which in turn is tighter than the UK.

Dr. Kharlamov and Professor Pogrebna showed that this corresponded to the countries’ relative positions on the cultural value scale, with China closer to ‘competitive’ than the USA, which in turn is closer to this ‘pole’ than the UK.

Dr. Kharlamov commented: “We spend most of our lives in the digital domain and cyberattacks not only lead to significant financial damage, but also cause prolonged psychological harm – using social engineering techniques to trick people into doing something they otherwise would not want to do.

“Irresponsible use of digital technologies, such as the Cambridge Analytica case, causes harm to many citizens and tells us that Internet regulation is imminent. It is vital to understand the origins of human behavior online, as well as values and behavioral patterns.”

Risky online behavior

The five categories of risk behavior – cybersecurity, personal data, privacy, cybercrime and negligence – each consisted of six behavioral examples such as:

  • Not using anti-virus or antimalware protection (cybersecurity)
  • Providing private information, such as your email address, to obtain free WiFi in public places such as coffee shops, airports and train stations (personal data)
  • Linking multiple social media accounts such as Twitter, Facebook and Instagram (privacy)
  • Using insecure connections or free WiFi (cybercrime)
  • Letting web browsers remember passwords (negligence)

Professor Ganna Pogrebna said: “Culture shapes the way we govern cyber spaces. Human values lie at the core of the human risk-taking behavior in the digital space, which, in turn has a direct impact on the way in which digital domain is regulated.

“We talk about establishing overarching international online regulation, such as a new International Convention of Human Digital Rights. Yet, it seems the main reason why the international community fails to agree on such regulation has deep cultural underpinning.”

How are enterprises coping with the security challenges brought on by digital transformation initiatives?

451 Research has polled IT decision makers at 400 larger companies about the current state of cybersecurity in their organizations, the security initiatives they have planned, the challenges they face, and how they are accommodating emerging technologies and digital transformation initiatives.

The survey, performed on behalf of eSentire, revealed several interesting things, including some unexpected contradictions.

For example: 97 percent of the respondents believe their sensitive information is well-protected and 92 percent believe their organization has the tools and expertise to protect an increasingly diverse and disparate infrastructure, despite 56 percent saying their organizations had experienced a significant security incident, cyberattack, or data breach in the past 12 months.


“SMEs are reporting higher levels of confidence compared to that of their larger peers that often have more resources, staff, tools and specialized expertise. This high level of confidence, or overconfidence, is not backed by risk assessment data and seems to stem from comparison to the organizations’ abilities and cybersecurity posture of the past and not in light of the present or future,” infosec analyst Aaron Sherrill pointed out.

“Considering the increasing volume and sophistication of malicious attacks, the increase in regulatory requirements, the rapid adoption of new technologies and the ever-increasing complexity of a rapidly expanding hybrid IT ecosystem organizations should remain skeptical about their cybersecurity posture.”

Companies are opting for hybrid IT environments

Previous 451 Research surveys revealed that, nowadays, most organizations have dedicated security budgets and that 87 percent of organizations are increasing security budgets by an average of 22 percent for the coming year.

Personnel costs amount to over one-third of those budgets, and that share continues to expand. Money allocated for the purchase of security tools amounts to 43 percent of security budgets, but that percentage is trending down as there is an increasing shift toward managed services and personnel costs.

Most companies (57%) are also shifting their primary workload environments from on-premises resources and infrastructure to a hybrid IT environment that leverages both on-premises systems and off-premises cloud/hosted resources in an integrated fashion. 19% are shifting to a completely off-premises public cloud environment composed of IaaS, PaaS and/or SaaS.

Skills shortage

The overwhelming majority of organizations have at least five dedicated security professionals on staff, and most employ more.

But while the majority (87%) say that they have enough information security personnel on staff to support their organization, most are also looking to add specialized security experts to their teams, as they are facing an expertise or skills gap in several key areas (network security, IoT security, risk analysis, threat detection and hunting, etc.).

“The greatest skills gap for many security teams is around public cloud security expertise. This gap is increasing the probability that workloads will be improperly deployed and secured, especially as cloud platforms continue to introduce new capabilities and features at record speed,” Sherrill noted.

He also pointed out that while data security, governance and privacy are the top pains for most organizations, hybrid or multi-cloud security and securing emerging technologies are quickly becoming the most pressing challenges for many organizations.

“Digital transformation and the distribution of the workforce not only scatters resources and assets, but continues to drive a divide between corporate confidence and actual ability to protect their interests in a transformed workplace and economy,” says Mark Sangster, Vice President and Industry Security Strategist at eSentire.

“An example drill-down exposes that having satisfactory staffing levels does not ensure that the firm is equipped with critical expertise and competencies to detect threats across a perimeterless environment, nor is prepared to manage those threats once discovered. Cyber adversaries are as prepared to embrace digital transformation, and exploit the lag between the time organizations adopt emerging technology, and then retrofit security programs and staff to properly protect their assets in this new, self-inflicted risk paradigm.”

Supply chain examination: Planning for vulnerabilities you can’t control

There are numerous cases in which customers’ personally identifiable information, held by an organization’s third-party provider, has been exposed by malicious actors. Threats take on many different shapes and sizes, and they are not someone else’s problem or responsibility to control or mitigate.


Data breaches are not only caused by elusive thugs outside of the firewalled perimeter, but also by well-intentioned professionals inside the system. These individuals may not be security specialists, but they are a key part of the supply chain attack: a breach caused in a single moment that ripples through the rest of the supply chain unintentionally.

The supply chain starts with a request for service and ends with a fulfillment that includes all the moments of data-at-rest, data-in-transit and intersystem communication vital for service fulfillment. Every person and every asset has a responsibility to secure these multiple stages of the supply chain.

On an international scale, a larger conversation is taking place about how to secure data at all levels within the organization. Securing the supply chain is a pivotal process in understanding the complete threat landscape. Here are some common-sense steps for evaluating the varying degrees of supply chain security.

Supply chain examination

When partners provide services to your organization, it’s valuable to reach an understanding about what each of them is doing. Some cybersecurity circles call this “technological roll-down”: whatever standard the primary company holds itself to, its partner companies should also adhere to. There are legal and liability reasons to come to an agreement with your partners about how they treat your company’s applications and data when they are not hosted internally, or even when they are hosted internally but administered by a vendor.

In one case study illustrating how important it is to vet the vendor, an actor gained access to internally vulnerable systems through a non-mission-critical ingress. Companies outsource things like telephone network administration, air conditioning monitoring or printer maintenance. You have probably seen these situations and can think of examples where a trusted, industry-recognized partner did not perform the same kind of hardening your company demands, leaving an ingress open to attack.

The first way you can combat this kind of vulnerability is to simply ask, in writing, how they plan to handle any concerns your organization has. The government supply chain, for example, includes an inquiry and design review process that must be followed regardless of whether it is a prime or subprime supplier. From a liability standpoint, this places the risk more on the partner than the consuming organization of the service but doesn’t absolve the customer of all risk.

Own all your data

Another strong way of eliminating risk in your enterprise is to own control of all your data. This can take many forms and does not necessarily mean that your organization needs to go back to the data center to build, administer and maintain infrastructure. It could mean building a hardened platform with built in controls that consider the big questions, including the following:

  • What happens if someone breaks into the cloud provider and steals your logical volumes from the host OS?
  • What happens if the cloud provider has a misconfiguration and an actor comes in through the defined ingress point to attempt to access your data?
  • What happens when a true disaster happens?

Each question can be answered relatively easily if you take these issues into consideration when building a platform, application or enterprise. A quality three-tier PKI solution and a hardened identity and access management (IAM) platform are two ways to help regain control of your data, even in the cloud. Hardened ingress points, combined with a quality IAM solution that includes a two-factor authorization option, can eliminate unwanted egress of data by restricting where the data can flow to, or even where it can be requested from. A methodical process of encrypting valuable data at rest, in transit and at the application layer helps ensure confidentiality.

Even in the unlikely event that your environment is compromised, the data is useless without the proper encryption keys. The last part of this equation is to ensure that whatever you do to protect your data can be quantified, measured and audited on a regular basis, so that both customer data and intellectual property are safeguarded from unwanted access.

Proper encryption

The overall goal of encryption is to protect data. The first step in the encryption process is knowing the types of data that must be protected. While there are regulatory and compliance requirements mandating what type of encryption should be used, it is always good practice to protect any type of personally identifiable data, system inventory and any payment card, health care or government-related data. By understanding the types of data a company needs to protect, security professionals can better identify the regulatory requirements that will be placed on the data in scope for encryption.

An effective approach to encryption is to apply it wherever sensitive data is being processed, stored or viewed. For example, a cloud user must reach the service over the internet. It is the responsibility of the service provider to give the end user a secure platform to access data. Here, good encryption practice means encrypting the initial connection, the session itself and any post-session activity. By applying encryption at every level of the supply chain, an organization reduces its attack surface.

While it is the service provider’s job to provide the platform, it is the end user’s responsibility to understand how their data is being kept and accessed. The encryption dos and don’ts are simple: apply the principle of least privilege and restrict access to the encryption keys to specific individuals or to specialized hardware such as a Hardware Security Module (HSM). By not properly securing the master encryption keys, an organization inadvertently opens the door to human error and a larger risk surface. This can easily be reinforced by instituting a centralized key management service and keeping your keys in a separate environment from your data. By separating the keys from the data, an organization can better guarantee the security of the environment.

Yet encryption is only as strong as the policies and procedures in place to support it. Working with operations teams to enforce encryption standards and key management is a two-sided struggle. Take the time to educate your employees and conduct good end-user training to ensure that users know and understand their role in the data security process.

These steps help secure an organization’s data and provide a level of assurance that the provider is doing everything in its power to keep up with industry trends and security. This builds trust between the provider and its users in a way that helps drive business goals while meeting industry standards.

A supply chain that’s secure

By securing the supply chain and educating end users, security organizations can increase security while also driving operational efficiency. By vetting the supply chain, organizations gain a competitive edge by knowing how their data is processed, stored and used. This drives efficiency by giving organizations a way to demonstrate their ability to merge security and operations while providing a viable, secure solution that fulfills the company’s goals and requirements.

Contributing author: Thomas Smith, Senior Security Consultant in Vulnerability Management, Atos North America.

Prevent credential stuffing and account takeover attacks with these expert tips

Account takeover and credential stuffing attacks are two security threats that often go hand in hand. Both have become alarmingly prominent: a recent report found that one-fifth of account openings so far in 2019 have been fraudulent.

Credential stuffing is when criminals get access to customer login details, typically by purchasing a list based on a data breach on the dark web. They then use automated login requests to attempt to access various accounts. Since many people use the same passwords for multiple accounts, something will usually work. In an account takeover (ATO) scenario, attackers use bots to test out thousands of stolen credentials. Once they succeed at breaking into an account, they take it over and use it to perform illicit activities like theft, fraud, and data exfiltration.

These types of attacks have significant consequences for companies. Trust and security are essential components of customer retention, so ATO and credential stuffing attacks can lead to customer loss. For example, 80% of US customers will stop spending money at a business for several months if the brand suffers from a data breach. Companies that are hit by these types of attacks also often incur substantial financial damages, with data breaches costing businesses $3.92 million on average.

While all industries should be worried about ATO and credential stuffing, websites that store valuable personal information are generally the hardest hit. Gaming companies, like Epic Games, are frequently targeted because attackers can make a profit by stealing and reselling the virtual goods within gamers’ accounts. Retail companies, financial services, and healthcare organizations also often fall victim to these types of attacks.

How can you avoid being the next Dunkin’ Donuts or TurboTax, which made headlines for suffering from credential stuffing and ATO attacks? Follow these tips:

Use multi-factor authentication

Passwords are unreliable. According to Have I Been Pwned, a database that tracks account breaches, 555,278,657 passwords have been exposed in known data breaches to date. Almost every successful credential stuffing and ATO attack relies on stolen passwords, so one of the best ways to mitigate risk is by requiring users to provide more than a single piece of information to log into their account.

Additional factors for multi-factor authentication could include text or email security codes, a physical security token, biometrics, or security questions.

Rate limit authentication requests

When hackers attempt to compromise accounts via credential stuffing, they often use bots or other similar automated approaches to input thousands of credentials in quick succession. To limit attackers’ ability to do this, IT teams can set a cap on the number of login attempts any single IP address can make within a given period.

Organizations should also establish security policies that lock accounts after a user (or attacker) reaches that threshold — this prevents attackers from attempting to log in many times, even if they spread out their attempts. However, keep in mind that attackers will often use botnets to get around rate limit restrictions. This means authentication requests can come from many sources, so your team needs to pair this strategy with others.

Flag unrecognized devices

An ATO attack will most often come from a new, unrecognized device, so your team can help prevent attacks by keeping an eye on the devices attempting to access your accounts. You should always check IP addresses to ascertain whether the device the request originates from is one your team has seen before. Organizations can use cookies to save approved logins and validate the device in the future. Then, if the login is coming from an unrecognized location, additional steps should be taken to verify the user.
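As an added example (not part of the original article), the following Python monitor combines the three controls described above: a sliding-window cap on attempts per source IP, an account lockout counted per account so that guesses spread across a botnet still trip it, and a new-device flag keyed on the device cookie that should trigger step-up verification and a customer alert. The Attempt fields, thresholds and sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque, namedtuple
WINDOW_SECONDS = 60      # sliding window for the per-IP attempt cap
IP_MAX_ATTEMPTS = 10     # attempts allowed per source IP per window
LOCK_AFTER_FAILURES = 5  # failed attempts before an account is locked

# One login attempt: epoch seconds, source IP, account, device cookie id, password ok?
Attempt = namedtuple("Attempt", "ts ip user device success")
class LoginMonitor:
    def __init__(self):
        self.ip_hits = defaultdict(deque)      # ip -> attempt timestamps in window
        self.failures = defaultdict(int)       # user -> consecutive failed attempts
        self.known_devices = defaultdict(set)  # user -> device ids already approved
        self.locked = set()
    def evaluate(self, a):  # returns the policy flags raised by one attempt
        flags = []
        # 1. Per-IP rate limit: expire timestamps outside the window, then cap.
        q = self.ip_hits[a.ip]
        while q and a.ts - q[0] >= WINDOW_SECONDS:
            q.popleft()
        q.append(a.ts)
        if len(q) > IP_MAX_ATTEMPTS:
            flags.append("RATE_LIMIT")
        # 2. Lockout counts failures per account, not per IP, so guesses spread
        #    across a botnet still trip it; a correct password is refused too.
        if a.user in self.locked:
            return flags + ["LOCKED"]
        if not a.success:
            self.failures[a.user] += 1
            if self.failures[a.user] >= LOCK_AFTER_FAILURES:
                self.locked.add(a.user)
                flags.append("LOCKED")
            return flags
        self.failures[a.user] = 0
        # 3. Success from a device this account never used: step up and alert.
        if a.device not in self.known_devices[a.user]:
            flags.append("NEW_DEVICE")
        self.known_devices[a.user].add(a.device)
        return flags

def scan(attempts):  # run attempts through one monitor; {index: flags} for hits
    mon = LoginMonitor()
    return {i: f for i, a in enumerate(attempts) if (f := mon.evaluate(a))}
# Constructed sample (not real logs): one-IP burst, distributed guesses at "bob", legit "carol".
SAMPLE = (
    [Attempt(1000 + i, "203.0.113.7", f"user{i}", "bot", False) for i in range(12)]
    + [Attempt(2000 + 30 * i, f"198.51.100.{i}", "bob", "bot", False) for i in range(5)]
    + [Attempt(2200, "198.51.100.9", "bob", "bot", True),
       Attempt(3000, "192.0.2.10", "carol", "dev-c1", True),
       Attempt(3100, "192.0.2.10", "carol", "dev-c1", True),
       Attempt(3200, "192.0.2.11", "carol", "dev-c2", True)])
```

Running scan(SAMPLE) flags only the 11th and 12th burst attempts, the fifth and sixth attempts against "bob" (the sixth despite a correct password), and carol's two first-time devices; her repeat login from a known device raises nothing.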

Alert customers about new logins

Your customers can be a great first line of defense for flagging unauthorized login attempts. Alert a user when someone tries to log into their account, either via email or text message. This policy will allow your users to discover illicit activity and take corrective action if necessary.

ATO attacks and credential stuffing can be devastating to a business. Every company can and should try to prevent credential stuffing and ATO attacks by creating strong authentication policies, monitoring where login attempts originate from and preventing attackers and bad bots from attempting too many logins. By taking these steps, IT teams will go a long way towards ensuring every login attempt is legitimate, and only real customers and users can access accounts.

European cybersecurity market to exceed $65 billion by 2025

The European cybersecurity market is set to exceed $65 billion by 2025, according to Graphical Research. This growth is attributed to strong government initiatives to promote data safety and hefty investments in cybersecurity solutions.

Industry sectors and cybersecurity

The increasing cases of data breaches and cyber attacks on critical business infrastructure have driven several business enterprises toward partnering with government agencies for enhanced cybersecurity. For instance, in July 2016, the EU Commission announced a Public-Private … More

The post European cybersecurity market to exceed $65 billion by 2025 appeared first on Help Net Security.

Cybersecurity company benefits should reduce stress but don’t

From start-ups to Silicon Valley giants, tech company employees work in some of the most luxurious offices in the world, especially as the best of businesses battle to attract top talent. For those of us in high-anxiety fields, some attempts have been made to alleviate stress by offering more unique perks. While the goal is admirable, many of these cybersecurity company benefits miss the mark.

Cybersecurity company benefits

There is an abundance of company-sponsored privileges … More

Insight into NIS Directive sectoral incident response capabilities

An analysis of the current operational incident response (IR) set-up within the NIS Directive sectors has been released by ENISA.

The NIS Directive and incident response

The EU’s NIS Directive (Directive on security of network and information systems) was the first piece of EU-wide cybersecurity legislation. It aims to achieve a high common level of network and information system security across the EU’s critical infrastructure by bolstering capacities, cooperation and risk management practices across the Member … More

2019 experienced massive spate of crypto crimes, $4.4 billion to date

With only seven months left for nations to pass laws and virtual asset service providers (VASPs) to comply with the guidelines, the majority of cryptocurrency exchanges are not equipped to handle basic KYC, let alone comply with the stringent new funds Travel Rule included in the updated Financial Action Task Force (FATF) guidance, according to CipherTrace.

Inadequate KYC

The research results revealed that the lion’s share — more than two-thirds — of exchanges do not … More