Recent research shows high-risk vulnerabilities at 84% of companies across finance, manufacturing, IT, retail, government, telecoms and advertising. One or more hosts with a high-risk vulnerability for which a public exploit exists are present at 58% of companies. Publicly available exploits exist for 10% of the vulnerabilities found, which means attackers can exploit them even without professional programming skills or experience in reverse engineering. To select a suitable security assessment solution for …
73% of security and IT executives are concerned about new vulnerabilities and risks introduced by the distributed workforce, Skybox Security reveals.
The report also uncovered an alarming disconnect between confidence in security posture and increased cyberattacks during the global pandemic.
Digital transformation creating the perfect storm
To protect employees from COVID-19, enterprises rapidly shifted to make work from home possible and maintain business productivity. Forced to accelerate digital transformation initiatives, this created the perfect storm.
2020 will be a record-breaking year for new vulnerabilities with a 34% increase year-over-year – a leading indicator for the growth of future attacks.
As a result, security teams now have more to protect than ever before. Surveying 295 global executives, the report found that organizations are overconfident in their security posture, and new strategies are needed to secure a long-term distributed workforce.
- Deprioritized security tasks increase risk: Over 30% of security executives said software updates and BYOD policies were deprioritized. Further, 42% noted reporting was deprioritized since the onset of the pandemic.
- Enterprises can’t keep up with the pace: 32% had difficulties validating if network and security configurations undermined security posture. 55% admitted that it was at least moderately difficult for them to validate network and security configurations did not increase risk.
- Security teams are overconfident in security posture: Only 11% confirmed they could confidently maintain a holistic view of their organizations’ attack surfaces. Shockingly, 93% of security executives were still confident that changes were correctly validated.
- The distributed workforce is here to stay: 70% of respondents projected that at least one-third of their employees will remain remote 18 months from now.
“Traditional detect-and-respond approaches are no longer enough. A radical new approach is needed – one that is rooted in the development of preventative and prescriptive vulnerability and threat management practices,” said Gidi Cohen, CEO, Skybox Security.
“To advance change, it is integral that everything, including data and talent, is working towards enriching the security program as a whole.”
Businesses around the globe are facing challenges as they try to protect data stored in complex hybrid multi-cloud environments from the growing threat of ransomware, according to a Veritas Technologies survey.
Only 36% of respondents said their security has kept pace with their IT complexity, underscoring the need for greater use of data protection solutions that can protect against ransomware across the entirety of increasingly heterogeneous environments.
Need to pay ransoms
Typically, if businesses fall victim to ransomware and are not able to restore their data from a backup copy of their files, they may look to pay the hackers responsible for the attack to return their information.
The research showed companies with greater complexity in their multi-cloud infrastructure were more likely to make these payments. The mean number of clouds deployed by those organizations who paid a ransom in full was 14.06. This dropped to 12.61 for those who paid only part of the ransom and went as low as 7.22 for businesses who didn’t pay at all.
In fact, only 20% of businesses with fewer than five clouds paid a ransom in full, compared with 44% of those with more than 20. Conversely, 57% of the under-fives paid nothing to their hackers, against just 17% of the over-20s.
Slow recovery times
Complexity in cloud architectures was also shown to have a significant impact on a business’s ability to recover following a ransomware attack. While 43% of those businesses with fewer than five cloud providers in their infrastructure saw their business operations disrupted by less than one day, only 18% of those with more than 20 were as fast to return to normal.
Moreover, 39% of the over-20s took 5-10 days to get back on track, with just 16% of the under-fives having to wait so long.
Inability to restore data
Furthermore, the research found that greater complexity in an organization’s cloud infrastructure also made it slightly less likely that the organization would ever be able to restore its data in the event of a ransomware attack.
While 44% of businesses with fewer than five cloud providers were able to restore 90% or more of their data, just 40% of enterprises building their infrastructure on more than 20 cloud services were able to say the same.
John Abel, SVP and CIO at Veritas said: “The benefits of hybrid multi-cloud are increasingly being recognised in businesses around the world. In order to drive the best experience, at the best price, organizations are choosing best-of-breed cloud solutions in their production environments, and the average company today is now using nearly 12 different cloud providers to drive their digital transformation.
“However, our research shows many businesses’ data protection strategies aren’t keeping pace with the levels of complexity they’re introducing and, as a result, they’re feeling the impact of ransomware more acutely.
“In order to insulate themselves from the financial and reputational damage of ransomware, organizations need to look to data protection solutions that can span their increasingly heterogeneous infrastructures, no matter how complex they may be.”
Businesses recognize the challenge
The research revealed that many businesses are aware of the challenge they face, with just 36% of respondents believing their security had kept pace with the complexity in their infrastructure.
The top concern as a result of this complexity, as stated by businesses, was the increased risk of external attack, cited by 37% of all participants in the research.
Abel continued: “We’ve heard from our customers that, as part of their response to COVID, they rapidly accelerated their journey to the cloud. Many organizations needed to empower homeworking across a wider portfolio of applications than ever before and, with limited access to their on-premise IT infrastructure, turned to cloud deployments to meet their needs.
“We’re seeing a lag between the high-velocity expansion of the threat surface that comes with increased multi-cloud adoption, and the deployment of data protection solutions needed to secure them. Our research shows some businesses are investing to close that resiliency gap – but unless this is done at greater speed, companies will remain vulnerable.”
Need for investment
46% of businesses said they had increased their budgets for security since the advent of the COVID-19 pandemic. There was a correlation between this elevated level of investment and the ability to restore data in the wake of an attack: 47% of those spending more since the Coronavirus outbreak were able to restore 90% or more of their data, compared with just 36% of those spending less.
The results suggest there is more to be done though, with the average business being able to restore only 80% of its data.
Back to basics
While the research indicates organizations need to more comprehensively protect data in their complex cloud infrastructures, the survey also highlighted the need to get the basics of data protection right too.
Only 55% of respondents could claim they have offline backups in place, even though those who do are more likely to be able to restore more than 90% of their data. Those with multiple copies of data were also better able to restore the lion’s share of their data.
Forty-nine percent of those with three or more copies of their files were able to restore 90% or more of their information, compared with just 37% of those with only two.
The three most common data protection tools to have been deployed amongst respondents who had avoided paying ransoms were: anti-virus, backup and security monitoring, in that order.
The safest countries to be in to avoid ransomware attacks, the research revealed, were Poland and Hungary. Just 24% of businesses in Poland had been on the receiving end of a ransomware attack, and the average company in Hungary had only experienced 0.52 attacks ever.
The highest incidence of attack was in India, where 77% of businesses had succumbed to ransomware, and the average organization had been hit by 5.27 attacks.
As COVID-19 lockdown measures were implemented in March-April 2020, consumer and business behavioral changes transformed the internet’s shape and how people use it virtually overnight. Many networks experienced a year’s worth of traffic growth (30-50%) in just a few weeks, Nokia reveals.
By September, traffic had stabilized at 20-30% above pre-pandemic levels, with further seasonal growth to come. From February to September, there was a 30% increase in video subscribers, a 23% increase in VPN end-points in the U.S., and a 40-50% increase in DDoS traffic.
Ready for COVID-19
In the decade prior to the pandemic, the internet had already seen massive and transformative changes – both in service provider networks and in the evolved internet architectures for cloud content delivery. Investment during this time meant the networks were in good shape and mostly ready for COVID-19 when it arrived.
Manish Gulyani, General Manager and Head of Nokia Deepfield, said: “Never has so much demand been put on the networks so suddenly, or so unpredictably. With networks providing the underlying connectivity fabric for business and society to function as we shelter-in-place, there is a greater need than ever for holistic, multi-dimensional insights across networks, services, applications and end users.”
The networks were made for this
While the networks held up during the biggest demand peaks, data from September 2020 indicates that traffic levels remain elevated even as lockdowns are eased, meaning service providers will need to continue to engineer headroom into the networks for future eventualities.
Content delivery chains are evolving
Demand for streaming video, low-latency cloud gaming and video conferencing, and fast access to cloud applications and services, all placed unprecedented pressure on the internet service delivery chain.
Just as Content Delivery Networks (CDNs) grew in the past decade, it’s expected the same will happen with edge/far edge cloud in the next decade – bringing content and compute closer to end users.
Residential broadband networks have become critical infrastructure
With increased needs (upstream traffic was up more than 30%), accelerating rollout of new technologies – such as 5G and next-gen FTTH – will go a long way towards improving access and connectivity in rural, remote and underserved areas.
Better analytical insights enable service providers to keep innovating and delivering flawless service and loyalty-building customer experiences.
Deep insight into network traffic is essential
While the COVID-19 era may prove exceptional in many ways, the likelihood is that it has only accelerated trends in content consumption, production and delivery that were already underway.
Service providers must be able to have real-time, detailed network insights at their disposal – fully correlated with internet traffic insights – to get a holistic perspective on their network, services and consumption.
Security has never been more important
During the pandemic, DDoS traffic increased by 40-50%. As broadband connectivity is now largely an essential service, protecting network infrastructure and services becomes critical.
Agile and cost-effective DDoS detection and automated mitigation are becoming paramount mechanisms to protect service provider infrastructures and services.
Ransomware still remains the most common cyber threat to SMBs, with 60% of MSPs reporting that their SMB clients have been hit as of Q3 2020, Datto reveals.
More than 1,000 MSPs weighed in on the impact COVID-19 has had on the security posture of SMBs, along with other notable trends driving ransomware breaches.
The impact of such attacks keeps growing: the average cost of downtime is now 94% greater than in 2019, and nearly six times higher than it was in 2018, rising from $46,800 to $274,200 over the past two years, according to Datto’s research. Phishing, poor user practices, and lack of end user security training continue to be the main causes of successful ransomware attacks.
The survey also revealed the following:
- MSPs a target: 95% of MSPs state their own businesses are more at risk. Likely due to increasing sophistication and complexity of ransomware attacks, almost half (46%) of MSPs now partner with specialized Managed Security Service Providers (MSSPs) for IT security assistance – to protect both their clients and their own businesses.
- SMBs spend more on security: 50% of MSPs said their clients had increased their budgets for IT security in 2020, perhaps indicating awareness of the ransomware threat is growing.
- Average cost of downtime continues to overshadow actual ransom amount: Downtime costs related to ransomware are now nearly 50X greater than the ransom requested.
- Business continuity and disaster recovery (BCDR) remains the number one solution for combating ransomware, with 91% of MSPs reporting that clients with BCDR solutions in place are less likely to experience significant downtime during an attack. Employee training and endpoint detection and response platforms ranked second and third in tackling ransomware.
The impact of COVID-19 on ransomware and the cost of security disruptions
During the pandemic, the move to remote working and the accelerated adoption of cloud applications have increased security risks for businesses. More than half (59%) of MSPs said remote work due to COVID-19 resulted in increased ransomware attacks, and 52% of MSPs reported that shifting client workloads to the cloud increased security vulnerabilities.
As a result, SMBs need to take precautions to avoid the costly disruptions that occur in the aftermath of an attack. The survey also determined that healthcare was the most vulnerable industry during the pandemic (59%).
“Now more than ever organizations need to be vigilant in their approach to cybersecurity, especially in the healthcare industry as it’s managing and handling the most sensitive (and for criminals the most valuable) private data,” said Travis Lass, President of XLCON.
“The majority of our clients are small healthcare clinics, with no in-house IT. As ransomware attacks continue to increase, it’s critical we do everything we can to support them by arming them with best-in-class technology that will fend off malicious attackers looking to take advantage of the already fragile state of the healthcare industry.”
Top three ways ransomware is attacking entities
- Phishing emails. 54% of MSPs report these as the most successful ransomware attack vector. The social engineering tactics used to deceive victims have become very sophisticated, making it vital for SMBs to offer extensive and consistent end user security education that goes beyond the basics of identifying phishing attacks.
- Software-as-a-Service (SaaS) applications. Nearly one in four MSPs reported ransomware attacks on clients’ SaaS applications, with Microsoft being hit the hardest at 64%. These attacks mean that SMBs must consider the vulnerability of their cloud applications when planning their IT security measures and budgets.
- Windows endpoint systems applications. These are the most targeted by hackers, with 91% of ransomware attacks targeting Windows PCs this year.
“Reducing the risk of cyberattacks requires a multi-layered approach rather than a single product – awareness, education, expertise, and purpose-built solutions all play a key role.
“The survey highlights how MSPs are taking the extra step to partner with MSSPs that can offer more security-focused experience, along with a more widespread use of security measures like SSO and 2FA – these are critical strategies businesses and municipalities need to adopt to protect themselves from cyber threats now and in the future.”
Cisco has patched two vulnerabilities in its Cisco Security Manager solution, both of which could allow unauthenticated, remote attackers to gain access to sensitive information on an affected system.
Those are part of a batch of twelve vulnerabilities flagged in July 2020 by Florian Hauser, a security researcher and red teamer at Code White.
About the Cisco Security Manager vulnerabilities
Cisco Security Manager is a security management application that provides insight into and control of Cisco security and network devices deployed by enterprises – security appliances, intrusion prevention systems, firewalls, routers, switches, etc.
Cisco has fixed two vulnerabilities affecting Cisco Security Manager v4.21 and earlier, by pushing out v4.22:
- CVE-2020-27130, a critical path traversal vulnerability that could be exploited by sending a crafted request to the affected device and could result in the attacker downloading arbitrary files from it
- CVE-2020-27125, which could allow an attacker to view static credentials in the solution’s source code
Cisco has also simultaneously announced that it will fix multiple Java deserialization vulnerabilities (collectively designated as CVE-2020-27131) in the upcoming v4.23 of the Cisco Security Manager solution. Those could allow unauthenticated, remote attackers to execute arbitrary commands on an affected instance and could be triggered by sending a malicious serialized Java object to a specific listener on an affected system.
The company’s Product Security Incident Response Team (PSIRT) has noted that public announcements about all these vulnerabilities are available, but that they are “not aware” of instances of actual malicious use in the wild.
The public announcements they are referring to are a post on Gist, a pastebin service operated by GitHub, through which Hauser shared PoCs for the flaws he discovered and flagged.
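Path traversal of the kind described for CVE-2020-27130 comes down to a download handler that joins a request path onto a document root without checking where the result lands. The following is an added example, not Cisco's code and not the researcher's PoC: it shows the unchecked pattern next to a hardened resolver that decodes, normalises, resolves symlinks and then verifies the result still sits under the root. The document root and request strings are constructed for illustration.

```python
"""Added example (not Cisco's code and not the researcher's PoC): the check a
file-download handler needs so that a crafted request path cannot escape the
directory it is meant to serve from. The document root and request strings used
here are constructed for illustration."""
import os
import posixpath
from urllib.parse import unquote


class PathTraversalError(Exception):
    """Raised when a requested path would resolve outside the document root."""


def naive_download_path(document_root: str, requested: str) -> str:
    """The unchecked pattern behind classic path-traversal bugs: decode, join, serve."""
    return os.path.realpath(os.path.join(document_root, unquote(requested)))


def naive_escapes_root(document_root: str, requested: str) -> bool:
    """True if the naive handler would serve a file outside document_root."""
    root = os.path.realpath(document_root)
    served = naive_download_path(document_root, requested)
    return os.path.commonpath([root, served]) != root


def resolve_download_path(document_root: str, requested: str) -> str:
    """Return the on-disk path for `requested`, or raise PathTraversalError.

    1. percent-decode twice ("%252e" -> "%2e" -> "."), since decoding only once
       is a common gap;
    2. treat backslashes as separators, so "..\\" cannot slip past a "/"-only check;
    3. normalise lexically and refuse anything absolute or starting with "..";
    4. resolve symlinks on both sides and require the result to stay under root.
    """
    root = os.path.realpath(document_root)
    decoded = unquote(unquote(requested)).replace("\\", "/")
    normalised = posixpath.normpath(decoded)
    if posixpath.isabs(normalised) or normalised == ".." or normalised.startswith("../"):
        raise PathTraversalError(f"refusing {requested!r}: escapes document root")
    candidate = os.path.realpath(os.path.join(root, normalised))
    # realpath follows symlinks, so a link inside root that points outside is caught here;
    # serving the root directory itself is refused as well.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"refusing {requested!r}: resolves to {candidate}")
    return candidate


def is_safe_request(document_root: str, requested: str) -> bool:
    """Convenience wrapper: True if the request stays inside the document root."""
    try:
        resolve_download_path(document_root, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    root = "/tmp/www"  # constructed document root; it need not exist for the checks
    for req in ("reports/q3.pdf", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r}: naive escapes={naive_escapes_root(root, req)} "
              f"hardened allows={is_safe_request(root, req)}")
```

The hardened resolver rejects rather than silently rewrites a traversal attempt, so the refusal can be logged and counted as a detection signal; the realpath comparison is what catches the symlink case that lexical normalisation alone misses.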
Today malware evolves very fast. Loaders, stealers, and different types of ransomware change so quickly that it has become a real challenge to keep up with them, and analyzing them becomes harder and more time-consuming. But cybersecurity specialists can’t afford to waste time: waiting can cause serious damage. So, how do you avoid all of that and speed up malware analysis? Let’s find out.
The goal of malware analysis is to research a malicious sample: its functions, origin, and possible effects on the infected system. This data allows analysts to detect malware, react to the attack effectively, and enhance security.
Generally, there are two ways to perform malware analysis:
- Static analysis: get information about a malicious program without running it, just by inspecting it. With this approach, you can investigate content data, patterns, attributes, and artifacts. However, it’s very hard to work with any advanced malware using only static analysis.
- Dynamic analysis: examine malware while executing it on hardware or, more frequently, in a sandbox, and then try to figure out its functionality. The great advantage here is that the virtual machine allows you to research malicious files without putting your own system at risk.
The main part of the dynamic analysis is to use a sandbox. It is a tool for executing suspicious programs from untrusted sources in a safe environment for the host machine. There are different approaches to the analysis in sandboxes. They can be automated or interactive.
Online automated sandboxes allow you to upload a sample and get a report about its behavior. This is a good solution, especially compared to assembling and configuring a separate machine for these needs. Unfortunately, modern malicious programs can tell whether they are running on a virtual machine or a real computer, and some require user activity during execution before they do anything. Otherwise you need to deploy your own virtual environment, install operating systems, and set up the software needed for dynamic analysis to intercept traffic, monitor file changes, etc.
Moreover, changing settings for every file takes a lot of time, and you still can’t influence the run directly. We should keep in mind that analysis doesn’t always go as planned, and things may not work out for this very sample. Finally, automated sandboxes lack the speed we need, as we have to wait up to half an hour for the whole cycle of analysis to finish. All of these drawbacks may harm security if an unusual sample remains undetected. Thankfully, now we have interactive sandboxes.
With ANY.RUN, you can detect, analyze, and monitor threats. One of its main advantages is that malware can be tricked into executing as if it were launched on a real machine. A user can influence the simulation and interact with the virtual environment: click a mouse, input data, reboot the system, open files, etc. You receive initial results straight after a task is run. One or two minutes are usually enough to complete the research after the end of a task. You may also collect Indicators of Compromise (IOCs), information that helps to detect a threat in the network. Cybersecurity specialists can use IOCs to identify which malicious program has got into the system, or analyze samples and collect data to protect organizations from possible attacks.
Fast analysis with ANY.RUN
ANY.RUN users can make their tasks public, so those submissions are available for your own research. It’s a huge database of fresh malware samples and completed reports: more than 8000 uploads are performed there daily. You can also use them to speed up your analysis. The simplest way is to search by hash sum, since the sample may already have been investigated.
Let’s analyze one of the submissions to see the fast analysis in action.
By looking at the process tree we can see the EXCEL.EXE process running and just after a couple of seconds the EQNEDT32.EXE starts execution. It means that exploitation of the Microsoft equation editor vulnerability (CVE-2017-11882) was used, which shows us that the sample is malicious. After the exploitation, the EQNEDT32.EXE process is downloading and starting the executable file from the Command & Control server. Thanks to the easy-to-understand GUI, we can tell that the analyzed sample is malicious just 3 seconds after the task is started, so we can complete the analysis within minutes.
And as we can notice from the picture below, 14 seconds are more than enough to get the malware family detected by the network’s Suricata rules. Note that this sample is also detected by local signatures after it creates files and writes into the registry. The real-time analysis starts a few seconds after the task is launched. Once the Excel file is opened, the infection process starts. In the virtual machine, we have an opportunity to react to it and maybe trigger the possible malware to act.
The RegAsm.exe system process is injected, then it steals personal data, drops applications, and changes the autorun value in the registry. Moreover, Lokibot is detected. We also know from “HTTP Requests” that EQNEDT32.EXE downloads the main payload from the following URL: http://126.96.36.199. In the “Connections” field we can find out that RegAsm.exe connects to microdots.in.
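The process-tree reasoning in the walkthrough (an Office application spawning EQNEDT32.EXE, the Equation Editor then fetching a payload, and an injected host process calling out) can be written down as detection rules and run over a sandbox's process and network log. Here is an added example of that, not ANY.RUN's code and not its report format: the event records and their field layout are constructed to mirror the task described above, and the rule set and the list of injection-host process names are assumptions of this example.

```python
"""Added example, not ANY.RUN's code: a small detector that walks a sandbox process
tree and its network log, flags the Equation Editor chain described in the
walkthrough (Office application -> EQNEDT32.EXE -> downloaded executable ->
injected host process), and collects the network IOCs. The event records and
their field layout are constructed for this example; they do not follow any
sandbox's real report schema."""

OFFICE_APPS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
EQUATION_EDITOR = "EQNEDT32.EXE"
# Signed .NET utilities commonly used as injection hosts (assumption for this example).
INJECTION_HOSTS = {"REGASM.EXE", "REGSVCS.EXE", "MSBUILD.EXE"}

# Constructed process-start events: (seconds since task start, pid, parent pid, image)
PROCESSES = [
    (0.0, 100, 1, "EXCEL.EXE"),
    (3.0, 200, 100, "EQNEDT32.EXE"),
    (9.0, 300, 200, "stage2.exe"),   # constructed name for the downloaded executable
    (11.0, 400, 300, "RegAsm.exe"),
]

# Constructed network events: (seconds since task start, pid, kind, value)
NETWORK = [
    (7.0, 200, "http", "http://126.96.36.199"),
    (14.0, 400, "connection", "microdots.in"),
]


def analyze(processes, network):
    """Return (alerts, iocs).

    alerts: sorted list of (time, rule, message) with rules
      R1  an Office application spawns EQNEDT32.EXE (the CVE-2017-11882 pattern)
      R2  EQNEDT32.EXE fetches something over HTTP or spawns a child process
      R3  a known injection-host process opens an outbound connection
    iocs: {"urls": [...], "hosts": [...]} pulled from the network events
    """
    by_pid = {pid: (t, ppid, image) for t, pid, ppid, image in processes}
    alerts = []
    iocs = {"urls": [], "hosts": []}

    for t, pid, ppid, image in processes:
        parent = by_pid.get(ppid)
        parent_image = parent[2].upper() if parent else ""
        if image.upper() == EQUATION_EDITOR and parent_image in OFFICE_APPS:
            alerts.append((t, "R1", f"{parent[2]} (pid {ppid}) spawned {image} (pid {pid})"))
        if parent_image == EQUATION_EDITOR:
            alerts.append((t, "R2", f"{parent[2]} (pid {ppid}) spawned {image} (pid {pid})"))

    for t, pid, kind, value in network:
        proc = by_pid.get(pid)
        image = proc[2] if proc else "unknown"
        if image.upper() == EQUATION_EDITOR and kind == "http":
            alerts.append((t, "R2", f"{image} (pid {pid}) requested {value}"))
        if image.upper() in INJECTION_HOSTS and kind == "connection":
            alerts.append((t, "R3", f"{image} (pid {pid}) connected to {value}"))
        if kind == "http":
            iocs["urls"].append(value)
            host = value.split("//", 1)[-1].split("/", 1)[0]   # host part of the URL
        else:
            host = value
        if host not in iocs["hosts"]:
            iocs["hosts"].append(host)

    alerts.sort()
    return alerts, iocs


def first_alert_time(alerts):
    """Seconds after task start at which the first rule fired, or None."""
    return alerts[0][0] if alerts else None


def verdict(alerts):
    """Map the set of fired rules to a triage verdict."""
    rules = {rule for _, rule, _ in alerts}
    if {"R1", "R2"} <= rules:
        return "malicious"
    if rules:
        return "suspicious"
    return "no detection"


if __name__ == "__main__":
    found, indicators = analyze(PROCESSES, NETWORK)
    for t, rule, msg in found:
        print(f"t={t:5.1f}s {rule}: {msg}")
    print("verdict:", verdict(found), "first alert at", first_alert_time(found), "s")
    print("IOCs:", indicators)
```

Run on the constructed events, the first rule fires at the 3-second mark when EXCEL.EXE spawns EQNEDT32.EXE, which is the same point at which the walkthrough calls the sample malicious; the IOC list is what you would hand to network monitoring once the task is done.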
Our task is still running and we’ve already collected a lot of data. But if something seems a little off, the executed file or maldoc may not have worked out. You can relaunch the task with new configurations: pick a different system’s locale, run it with Tor, or choose another OS. And you may get a completely new outcome within a couple of minutes.
After that, you can spend more time performing a more comprehensive analysis with the help of the MITRE ATT&CK matrix and the process graph. You can work on one sample jointly, and save or share your task with colleagues using various types of reports.
Sometimes you don’t need to wait until local or network signatures detect the malware family – you can determine it by yourself in no time! For example, in the task below Wshrat requests its payload by the POST method and names itself in the process 21 seconds after the task is started.
Here’s another situation: your sample doesn’t run in the chosen environment. For example, the malware checks the locale and doesn’t start execution if the language doesn’t meet its criteria. In the task below a malicious document checks the language of the operating system and of Microsoft Office. The malware runs only if the locale’s Italian (en-US / it-IT).
In a virtual machine, you need to perform many manual steps to add additional language both in the OS and Office. But with ANY.RUN you just restart your task with a different locale – pretty time saving: a couple of seconds instead of minutes and hours!
This isn’t the only example — malware can check the environment, work in 64-bit systems, be geofenced, etc. And all you need to do is to expand your analysis in a couple of mouse clicks and don’t waste hours on creating new virtual environments, making snapshots, downloading software, and reading manuals. Save your time!
Cybersecurity professionals need to evaluate threats fast and respond efficiently, before damage occurs. Since all basic functionality of ANY.RUN is free, you can try it out and see how it can save your time and speed up malware analysis.
For many employees, the COVID-19 pandemic brought about something they dreamed of for years: the possibility to eschew long commutes, business attire and (finally!) work from their home.
Companies were forced to embrace the work-from-home switch and many are now starting to like the cost savings and the possibility to hire employees from a wider, non-localized pool of applicants.
But for IT security teams, the switch meant even more work and a struggle to find new ways to keep their organization and their employees secure from cyber threats growing in both number and frequency.
The pressure to deliver security is on
A recent LogMeIn report has also revealed that the transition to remote work for the majority of businesses has impacted the day-to-day work of IT professionals.
Aside from the expected technical tasks and an increased number of web meetings, over half of them have been forced to spend more time managing IT security threats and developing new security protocols. In fact, the percentage of IT professionals who are now spending 5 to 8 hours per day on IT security rose from 35% in 2019 to 47% in 2020.
“In terms of defensive tactics, the first two months of the pandemic shifted the previous network-centric thinking to endpoint and remote access. Many firms lacking endpoint detection and response or endpoint protection (next-gen AV) sought to roll out these services across their distributed organization. They also focused on IAM and VPN or SDP services,” Mark Sangster, VP and Industry Security Strategist at eSentire, told Help Net Security.
“The other shift moved thinking from BYOD to BYOH: Bring Your Office Home. Firms were faced with the challenge of securing connections from home offices made through consumer-grade networking gear provided by employee ISPs. These systems are not as hardened as commercial-grade internet devices and were often misconfigured or left in factory settings with default administrative credentials and wide-open Wi-Fi services. This effort required IT teams to help non-technical employees harden their home routers, better understand password security and embrace the necessity for multi-factor authentication and VPNs.”
Solving the security puzzle
Companies’ tech priorities have shifted as well, with many increasing spending for security.
But the need to implement new technology, the widening attack surface, and the onslaught of ransomware-wielding gangs have forced some companies to accept the limits of what they can do with in-house IT security staff and technology, and to seek additional assistance from outside detection and response experts.
The threat of ransomware is insidious and can be particularly destructive, delivering a potentially fatal blow to some (often smaller) organizations.
“Firms need to understand the risks and prepare with proactive defenses (threat hunting), hot-swappable back-ups and fail-over colocation systems. The real trick is catching unauthorized activity quickly, before criminal groups are able to plant ransomware throughout the organization, steal data and then launch a synchronized attack to cripple the organization. This means being able to monitor VPN traffic (connections) and remote administrative activities to detect unauthorized movement,” Sangster explained.
“Criminal groups steal credentials to then access the business using remote tools. This MO is detectable, but it requires proactive hunting and constant monitoring of these services. We have stopped multiple attacks of this nature. In those cases, the ransom attack was either isolated to a single device (and quickly recovered in less than an hour), or it required coordinated defenses to block remote attacks through remote admin tools like Microsoft RDP or PowerShell. In these cases, machine learning flagged suspicious activity for further investigation by security analysts. This quick response meant dwell time was only minutes and prevented the criminal gang ransomware from metastasizing throughout the organization.”
A rise in consumer digital traffic has corresponded with a rise in fraud attacks, Arkose Labs reveals. As the year progresses and more people than ever are online, historically ‘normal’ online behavioral patterns are no longer applicable and holiday levels of digital traffic continue to occur on a near daily basis.
Fraudsters are exploiting old fraud modeling frameworks that fail to take today’s realities into account, attempting to blend in with trusted traffic and carry out attacks undetected.
“As the world becomes increasingly digital as a result of COVID-19, fraudsters are deploying an alarming volume of attacks, and continually devising new and more sophisticated ways of carrying out their attacks,” said Vanita Pandey, VP of Marketing and Strategy at Arkose Labs.
“The high fraud levels that accompany high traffic volumes are likely here to stay, even after the pandemic ends. It’s crucial that businesses are aware of the top attack trends so that they can be more vigilant than ever to successfully identify and stop fraud over the long-term.”
Bot attacks and credential stuffing skyrocket
Q3 of 2020 saw the highest ever levels of bot attacks. 1.3 billion attacks were detected in total, with 64% occurring on logins and 85% emanating from desktop computers.
Due to the widespread availability of usernames, email addresses and passwords from years of data breaches, as well as easy access to automated tools to carry out attacks at scale, credential stuffing emerged as a main driver of attack traffic. 770 million automated credential stuffing attacks were detected and stopped by Arkose Labs in Q3.
For ecommerce, every day is Black Friday
The rise in digital traffic for most of 2020 means businesses have been dealing with holiday season levels of traffic since March. With every day now resembling Black Friday, some retailers are better equipped to handle the onslaught of holiday season traffic and fraud.
However, it remains to be seen if a holiday sales bump will occur this year, given already record high traffic levels for many ecommerce businesses.
While much of 2019 saw a marked shift from automated attacks to human sweatshop-driven attacks, automated attacks dominated much of 2020, with Q3 seeing a particularly high spike. This trend is likely to revert to more targeted attacks in Q4, as during the holiday shopping season fraudsters typically employ low-cost human attackers to commit attacks that require human nuance and intelligence.
Europe emerges as the top attacking region
Nearly half of all attacks in Q3 of 2020 originated from Europe, with over 10 million sweatshop attacks coming from Russia and 7 million coming from the United Kingdom.
Many European countries, such as the United Kingdom, France, Italy and Germany, are among those whose GDP has shrunk the most since the global pandemic began. A surge in attacks from nations suffering the biggest dips in economic output highlights the economic drivers that spur fraud.
Pandey said, “COVID-19 has sent the world into turmoil, upending digital traffic patterns and introducing long-lasting consequences. Habits formed during 2020 – namely conducting commerce, school, work and even socializing entirely online – will be difficult to let go of, so fraud teams must be capable of quickly cutting through digital traffic noise and spotting even the most subtle signs of attacks. In particular, using targeted friction to deter malicious activity will be key in the months and years ahead.”
A majority of audit and risk professionals believe the risk environment will continue to be dynamic and unpredictable in 2021, rather than returning to more stable pre-pandemic conditions, an AuditBoard survey finds.
The top risk they cited for the coming year was of “economic conditions impacting growth,” followed closely by “cybersecurity threats.”
The responses also illustrate the long-term changes audit and risk professionals will experience in their roles as a result of the pandemic, and how crucial those individuals will be in helping organizations overcome risk challenges despite gaps in enterprise risk management (ERM) programs.
A permanent shift to remote work
One of the biggest challenges the COVID-19 pandemic has created for audit, risk, and compliance professionals is the sudden shift to remote work. Performing audit and risk management tasks in a remote environment is a significant challenge without the aid of modern, collaborative technology.
Recent Institute of Internal Auditors (IIA) polls suggest roughly three-quarters of audit teams are without a modern audit technology solution today. However, when asked by AuditBoard about the future of work, 59% of respondents said they expect their team will work remotely for all or part of the workweek once quarantines lift.
7.5% said they expect their team will work 100% remote on a permanent basis. This shift to remote work presents a major operational challenge for audit, risk, and compliance teams.
“Conditions this year have changed drastically due to the pandemic, and audit, risk, and compliance organizations have had to act quickly to adapt to the dynamic risk environment while maintaining operational continuity,” said John Reese, SVP of Marketing, AuditBoard.
“AuditBoard survey responses overwhelmingly showcase how quickly the workplace mindset is shifting, and how important modern audit, risk, and compliance technology has become to support a more remote and connected future.”
Businesses face dynamic risk environment
Respondents were asked questions about the risks their businesses face as a result of the pandemic and looking forward. Responses reveal an evolving risk landscape with a variety of different business priorities.
- 81% of respondents said “risk will continue to be dynamic and unpredictable” in 2021 and beyond.
- When asked what they see as the most pressing risk facing their businesses in 2021, 27.6% of respondents said, “economic conditions impacting growth,” more than one-quarter (27%) said, “cybersecurity threats,” and 12.8% said “business continuity and crisis response.”
“Audit and risk professionals expect the 2021 business risk environment to be unpredictable,” continued Reese.
“Specifically, they are most concerned with the potential risk of economic conditions, cybersecurity threats, and business continuity as their organizations are faced with a fast-changing external environment. Technology like AuditBoard will be a crucial enabler as organizations strive to understand and manage these risks at scale, and stay a step ahead.”
Amid changing strategies, risk management programs often lacking
The pandemic has shifted risk management strategies for most organizations, but many organizations still lack a mature ERM program.
- 79.5% have either made moderate changes (43.1%), redirected strategy in certain areas (29.3%), or made significant broad-ranging changes (7.1%) to their risk management program since the start of the pandemic.
- Despite these measures for managing the changing risk landscape, just 16.1% reported having a “robust ERM program” that impacts daily decision making and internal audit planning.
Audit teams becoming a core part of business response to risk
Responses from survey questions directed specifically at audit attendees show how auditors are becoming an increasingly relied-upon asset for organizations as they navigate these risks.
- 55% replied that they agree or strongly agree that internal audit teams are involved with discussions of risk and potential responses to the crisis.
- The same sample of respondents was also asked how COVID-19 will change communications between audit teams and the rest of the organization. 44% said that communications with audit committees will increase moving forward.
- In a separate conference session, 84.3% of respondents replied that they are somewhat or very likely to expand risk assessment to new areas or processes and add new controls to mitigate additional risks as a result of the pandemic.
Seventy-three percent of health system, hospital and physician organizations report their infrastructures are unprepared to respond to attacks. The survey results estimated 1500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a 300 percent increase over this year.
Black Book Market Research surveyed 2,464 security professionals from 705 provider organizations to identify the gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians as proverbial sitting ducks for data breaches and cyberattacks.
Ninety-six percent of IT professionals agreed with the sentiments that data attackers are outpacing their medical enterprises, holding providers at a disadvantage in responding to vulnerabilities.
The healthcare industry is estimated to spend $134 billion on cybersecurity from 2021 to 2026: $18 billion in 2021, increasing 20% each year to nearly $37 billion in 2026. Even so, 82% of CIOs and CISOs in health systems surveyed in Q3 2020 agree that the dollars currently spent were not allocated effectively (much of the allocation predating their tenure), are often only spent after breaches, and are spent without a full gap assessment of capabilities led by senior management outside of IT.
Talent shortage for cybersecurity pros continues
Additionally, 291 healthcare industry human resources executives were surveyed to determine the organizational supply and demand of experienced cybersecurity candidates. On average, cybersecurity roles in health systems take 70% longer to fill than other IT jobs.
Health systems are struggling to fill roles that require cybersecurity-related skills: vacancy durations reported by survey HR respondents average about 118 days, nearly three times the national average for other industries.
“The talent shortage for cybersecurity experts with healthcare expertise is nearing a very perilous position,” said Brian Locastro, lead researcher on the 2020 State of the Healthcare Cybersecurity Industry study by Black Book Research.
Seventy-five percent of the sixty-six health system CISOs responding agreed that experienced cybersecurity professionals are unlikely to choose a healthcare industry career path for one main reason.
More than in other industries, healthcare CISOs are ultimately held responsible for a data breach and the financial and reputation impacts to the provider organization despite having extremely limited decision-making technology or policy making authority.
COVID-19 has greatly increased risk of data breaches
Healthcare cybersecurity has become more complicated as providers are forced to deal with the COVID-19 pandemic. Understaffed and underfunded IT security departments are scrambling to accommodate the surge in demand of remote services from patients and physicians while simultaneously responding to the surge in security risks.
The survey found that 90% of health system and hospital employees who shifted to working at home due to the pandemic did not receive any updated guidelines or training on the increased risk of accessing sensitive patient data from compromised systems.
“Despite the rising threat, the vast majority of hospitals and physicians are unprepared to handle cybersecurity threats, even though they pose a major public health problem,” said Locastro.
Still in 2020, forty percent of all clinical hospital employees receive little or no cybersecurity awareness training beyond initial education on login access.
Fifty-nine percent of health system CIOs surveyed are shifting security strategies to address user authentication and access, as compromised credentials and access have become the 2020 attacker’s go-to entry point for health systems.
Stolen and compromised credentials were ongoing issues for 53% of health systems surveyed as hackers are increasingly using cloud misconfigurations to breach networks.
Cybersecurity consulting and advisory services are in high demand
Sixty-nine percent of 219 C-Suite respondents state their health system’s budget for cybersecurity consulting is increasing in 2021 to assess gaps, secure network operations, and user security on-premises and in the cloud.
“In today’s highly competitive cybersecurity market there isn’t enough talent to staff hospitals and health systems,” said Locastro.
“As provider organizations struggle to recruit, hire and retain in-house staff, the plausible choice is retaining an experienced advisory firm that is capable of identifying and remediating hidden security vulnerabilities, which appeals to the strategic and economic sense of boards and CEOs.”
Healthcare cybersecurity challenges find resolutions from outsourced services
“The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data,” said Locastro. “Cybersecurity is a newer line item for hospitals and physician enterprises and budgets have not evolved to cover the true scope of human capital and technology requirements yet.”
That shortage of healthcare cybersecurity professionals, together with a lack of appropriate technology solutions in place, is forcing a rush to acquire services and outsourcing at five times the pace of acquisitions of cybersecurity products and software solutions.
Cybersecurity companies are responding to the labor crunch by offering healthcare providers and hospitals a growing portfolio of managed services.
“The key place to start when choosing a cybersecurity services vendor is to understand your threat landscape, understanding the type of services vendors offer and comparing that to your organization’s risk framework to select your best-suited vendor,” said Locastro.
“Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively.”
Fifty-one percent of in-house IT management respondents with purchasing authority report their group is not aware of the full variety of cybersecurity solution sets that exist, particularly for mobile security environments, intrusion detection, attack prevention, forensics and testing in various healthcare settings.
Cybersecurity in healthcare provider organizations remains underfunded
The dollars actually spent on healthcare industry cybersecurity products and services are increasing, averaging 21% year over year since 2017. Extended estimates suggest nearly $140 billion will be spent by health systems and health insurers by 2026.
However, 82% of hospital CIOs in inpatient facilities under 150 staffed beds and 90% of practice administrators collectively state they are not even close to spending an adequate amount on protecting patient records from a data breach.
“Outdated IT systems, fewer cybersecurity protocols, untrained IT staff on evolving security skills, and data-rich patient files are making healthcare the current target of hacker attacks,” said Locastro. “And the willingness of hospitals and physician practices to pay high ransoms to regain their data quickly motivates hackers to focus on patient records.”
“Threats are now four times more likely to be centered on healthcare than any other industry, and ransomware attacks are increasing in popularity because of the amount of privileged information the hacker can obtain,” said Locastro.
“Providers at the point-of-care haven’t kept pace with the cybersecurity progress and tools that manufacturers, IT software vendors, and the FDA have made either.”
Healthcare consumers willing to change providers if patient privacy is compromised
Eighty percent of healthcare organizations have not held a cybersecurity drill with an incident response process, despite the skyrocketing number of data breaches in the healthcare industry in 2020.
Only 14 percent of hospitals and six percent of physician organizations believe that a 2021 assessment of their cybersecurity will show improvement from 2020. Twenty-six percent of provider organizations believe their cybersecurity position has worsened, as compared to three percent in other industries, year-to-year.
“Medical and financial leaders have wielded more influence over organizational budgets and made it difficult for IT management to implement needed cybersecurity practices despite the existing environment, but now consumers are beginning to react negatively to the provider’s lack of protection solutions.”
A poll of 3,500 healthcare consumers who used medical or hospital services in the last eighteen months revealed that 93% would leave their provider if their patient privacy was compromised in an attack that could have been prevented.
Researchers at the University of Birmingham have managed to break Intel SGX, a set of security functions used by Intel processors, by creating a $30 device to control CPU voltage.
Break Intel SGX
The work follows a 2019 project, in which an international team of researchers demonstrated how to break Intel’s security guarantees using software undervolting. This attack, called Plundervolt, used undervolting to induce faults and recover secrets from Intel’s secure enclaves.
Intel fixed this vulnerability in late 2019 by removing the ability to undervolt from software with microcode and BIOS updates.
Taking advantage of a separate voltage regulator chip
But now, a team in the University’s School of Computer Science has created a $30 device, called VoltPillager, to control the CPU’s voltage – thus side-stepping Intel’s fix. The attack requires physical access to the computer hardware – which is a relevant threat for SGX enclaves that are often assumed to protect against a malicious cloud operator.
The bill of materials for building VoltPillager is:
- Teensy 4.0 Development Board: $22
- Bus Driver/ Buffer * 2: $1
- SOT IC Adapter * 2: $13 for 6
How to build the VoltPillager board
This research takes advantage of the fact that there is a separate voltage regulator chip controlling the CPU voltage. VoltPillager connects to this unprotected interface and precisely controls the voltage. The research shows that this hardware undervolting can achieve the same (and more) as Plundervolt.
Zitai Chen, a PhD student in Computer Security at the University of Birmingham, says: “This weakness allows an attacker, if they have control of the hardware, to breach SGX security. Perhaps it might now be time to rethink the threat model of SGX. Can it really protect against malicious insiders or cloud providers?”
While COVID-19 has created new concerns and deepened traditional challenges for IT, organizations with complete insight and governance of their technology ecosystem are better positioned to achieve their priorities, a Snow Software survey of 1,000 IT leaders and 3,000 workers in the United States, United Kingdom, Germany and Australia reveals.
The challenge of managing risk
In fact, mature technology intelligence – defined as the ability to understand and manage all technology resources – correlated to resilience and growth. Of the IT leaders classified as having mature technology intelligence, 79% were confident in their organization’s ability to weather current events and 100% indicated that innovation continues to be a strategic focus for their organization.
“The complexities, risks and budget concerns IT departments traditionally face have been exacerbated, and a rapid acceleration of digital transformation and cloud adoption has brought new issues to the forefront. Now more than ever, IT leaders need to be in a position to quickly adapt to these macro trends as they define their top technology priorities in 2021.”
Technology management has become increasingly difficult
Many IT leaders indicated increases in technology spend across the board – on software, hardware, SaaS and cloud – over the past 12 months. Faced with more complex ecosystems, it is no surprise that 63% also reported technology management had become more difficult.
As anticipated budget restrictions go into effect for 2021, IT leaders will need to demonstrate the value of their investments and ensure proper governance over their entire technology stack.
Improved employee perception of IT
Employee perception of IT has improved, but differing perceptions on technology management and procurement hint at potential issues. While 41% of workers believe that access to technology has improved, there remains a 22-point gap between IT leaders and employees on how easy it is to purchase software, applications or cloud services.
This is not the only area where IT leaders and workers have varying views. Though they agree that security is the number one issue caused by unmanaged and unaccounted for technology, awareness of additional issues drops dramatically after that, with 16% of workers believing it causes no business issues whatsoever.
The data suggests continued challenges ahead for organizations as they try to reduce risk across the board.
Vendor audits a looming but potentially underestimated risk in 2021
87% of IT leaders said they had been audited by a software vendor over the last 12 months.
The vendors that audited the most were Microsoft, IBM, Oracle, Adobe and SAP. Yet only 51% said they were concerned about audits over the next 12 months, an answer that varied wildly based on geography – 81% of US leaders said they were concerned compared to just 30% in Germany and 42% in the UK.
Based on 2020 trends as well as vendor behavior following the 2008 recession, it appears European IT leaders are significantly underestimating this risk.
Organizations’ top IT priorities
Organizations’ top IT priorities are inherently at odds with each other and often align with the IT department’s biggest challenges. IT leaders reported that their organization’s top priorities in 2020 were adopting new technologies (38%), reducing security risks (38%) and reducing IT spend (38%).
They paralleled the biggest challenges IT leaders faced over the past 12 months with managing cybersecurity threats (43%), implementing new technologies (40%) and supporting remote work (39%). Juggling these conflicting and difficult priorities became even more complicated in light of COVID-19.
Few meeting the bar for mature technology intelligence
Strong technology intelligence enabled IT leaders to more effectively tackle their top priorities and challenges. Just 14% of IT leaders met the bar for mature technology intelligence. This elite group outpaced other respondents in their ability to support digital transformation, reduce risk, enable employees and control spend.
“As we collectively look ahead to 2021, it’s more important than ever that CIOs and IT leaders strike the right balance between managing risk and remaining agile in the face of continued unpredictability,” said Pooley.
“It is clear from the data that a comprehensive understanding of technology resources and the ability to manage them is a key differentiator. IT leaders can use the insights to endure challenging periods like the pandemic, as well as embrace innovation to drive future growth and resilience.”
Although only 33% of organizations are currently using a dedicated digital experience monitoring solution today, nearly half of IT leaders are now likely to invest in these solutions as a result of the events of 2020, a NetMotion survey reveals.
Digital experience monitoring
In addition, the research revealed that tech leaders tend to overestimate the positive experience of remote workers – with IT estimating the quality of the remote working experience to be 21% higher than actual remote workers rated it.
“The past eight months have revealed fundamental blind spots in the way many IT teams have traditionally monitored the digital experiences of remote workers,” said Christopher Kenessey, CEO of NetMotion.
“Digital experience monitoring is emerging as the next crucial addition to IT’s toolbox in today’s remote working world, where IT no longer owns the networks that employees are using. Simply put, our research confirms that IT teams can’t fix what they can’t see.”
Remote work causing more technology issues, IT is hard-pressed to solve them
Since the beginning of COVID-19, nearly 75% of organizations have seen an increase in support tickets from remote workers, with 46% reporting a moderate increase and 29% reporting a large increase in workload, according to the survey. This extra burden is straining already stretched IT teams.
Further, from an IT, tools and technology perspective, 48% of workers prefer the experience of working in the office. That may be because IT has a harder time diagnosing employee tools and technology challenges outside of controlled office settings.
According to the survey, over 25% of IT teams admit struggling to diagnose the root cause of remote worker issues; and ensuring reliable network performance was cited as the top challenge for IT leaders surveyed, with 46% reporting the problem.
Joining these issues, IT leaders listed the following challenges encountered this year:
- Software and application issues (43%)
- Remote worker cybersecurity (43%)
- Hardware performance and configuration (38%)
Strained IT-employee relationship
The survey also revealed that the new remote work dynamic may be straining the IT-employee relationship, with remote workers not fully trusting IT to provide the help they need.
While 45% of remote workers say their IT department values employee feedback, 26% of employees said they didn’t feel that their feedback would change anything, and 29% were undecided.
Furthermore, while 66% of remote workers reported encountering an IT issue while working remotely, many are not sharing their issues with IT. In fact, 58% of remote workers said that they had encountered IT issues while working remotely but did not share them with their IT team, and of the issues they reported to IT, only 46% were actually resolved.
“As everyone has gravitated towards a ‘work from anywhere’ status, IT teams have struggled to support employees. Workers are accessing a wider variety of resources from countless unknown networks, reducing visibility and making it exponentially more difficult for IT to diagnose the root cause of technology failures,” Kenessey said.
“Sadly, our research showed that nearly a quarter of remote workers would rather suffer in silence than engage tech teams. Without dedicated tools to monitor the experience of remote and mobile workers, IT teams are at a disadvantage when diagnosing and resolving technology challenges, and that’s putting greater strain on the IT-business relationship.”
Healthcare is a growing field where the importance of security and privacy cannot be overstated. Many security professionals have gravitated toward this dynamic field, enhancing their skills and knowledge by earning the (ISC)² HealthCare Information Security and Privacy Practitioner (HCISPP) credential.
Globally recognized and respected, the vendor-neutral HCISPP creates significant advantages for security professionals and the healthcare organizations that employ them. In the new (ISC)² eBook, HCISPPs around the world share how becoming certified has helped advance their careers – and keep healthcare IT healthy.
Read the eBook and find out how HCISPP certification can benefit YOU.
HCISPP at a glance
- Proves you’re at the forefront of protecting patient health information and navigating a complex regulatory environment
- Stands out as the only certification that combines cybersecurity skills with privacy best practices and techniques
- Demonstrates you have the knowledge and ability to implement, manage and assess security and privacy controls to protect healthcare organizations using best practices and procedures.
Businesses increasingly embrace the moving of multiple applications to the cloud using containers and utilize Kubernetes for orchestration, according to Zettaset.
However, findings also confirm that organizations are inadequately securing the data stored in these new cloud-native environments and continue to leverage existing legacy security technology as a solution.
Businesses are faced with significant IT-related challenges as they strive to keep up with the demands of digital transformation. Now more than ever to maintain a competitive edge, companies are rapidly developing and deploying new applications.
Companies must invest in high performance data protection
The adoption of containers, microservices and Kubernetes for orchestration play a significant role in these digital acceleration efforts. And yet, while many companies are eager to adopt these new cloud-native technologies, research shows that companies are not accurately weighing the benefits of enterprise IT innovation with inherent security risks.
“Our goal with this research was to determine whether enterprise organizations who are actively transitioning from DevOps to DevSecOps are investing in proper security and data protection technology. And while findings confirm that companies are in fact making the strategic decision to shift towards cloud-native environments, they are currently ill-equipped to secure their company’s most critical asset: data.
“Companies must invest in high performance data protection so as to secure critical information in real-time across any architecture.”
- Organizations are embracing the cloud and cloud-native technologies: 39% of respondents have multiple production applications deployed on Kubernetes. But, companies are still struggling with the complexities associated with these environments and how to secure deployments.
- Cloud providers have considerable influence over Kubernetes distribution: A little over half of those surveyed are using open source Kubernetes available through the Cloud Native Computing Foundation (CNCF). And 34.7% of respondents are using a Kubernetes offering managed by an existing cloud provider such as AWS, Google, Azure, and IBM.
- Kubernetes security best practices have yet to be identified: 60.1% of respondents believe there is a lack of proper education and awareness of the proper ways to mitigate risk associated with storing data in cloud-native environments. And 43.2% are confident that multiple vulnerable attack surfaces are created with the introduction of Kubernetes.
- Companies have yet to evolve their existing security strategies: Almost half of respondents (46.5%) are using traditional data encryption tools to protect their data stored in Kubernetes clusters. Over 20% are finding that these traditional tools are not performing as desired.
“The results of our research substantiate the notion that enterprise organizations are moving forward with cloud-native technologies such as containers and Kubernetes. What we were most interested in discovering was how these companies are approaching security,” said Charles Kolodgy, security strategist and author of the report.
“Companies overall are concerned about the wide range of potential attack surfaces. They are applying legacy solutions but those are not designed to handle today’s ever-evolving threat landscape, especially as data is being moved off-premise to cloud-based environments.
“To stay ahead of what’s to come, companies must look to solutions purposely built to operate in a Kubernetes environment.”
As the Internet of Things becomes more and more part of our lives, the security of these devices is imperative, especially because attackers have wasted no time and are continuously targeting them.
Chen Ku-Chieh, an IoT cyber security analyst with the Panasonic Cyber Security Lab, is set to talk about the company’s physical honeypot and about the types of malware they managed to discover through it at HITB CyberWeek on Wednesday (October 18).
In the meantime, we had some questions for him:
Global organizations are increasingly experiencing IoT-focused cyberattacks. What is the realistic worst-case scenario when it comes to such attacks?
The use of IoT is increasingly widespread, from home IoT, office IoT to factory IoT, and the use of automation equipment is increasing. Therefore, the most realistic and worst case for IoT is to affect critical infrastructure equipment, such as industrial control systems (ICS), by attacking IIoT devices.
Hackers can affect the operation of ICSes by attacking IIoT, resulting in large-scale damage. Furthermore, protecting medical IoT devices is also important. Hacked pacemakers, insulin pumps, etc. can affect human lives directly.
What are the main challenges when it comes to vulnerability research of IoT devices?
Expanding from IoT devices to IoT systems. The main challenge is that IoT systems consist of various components. Most components have different software/firmware, hardware, etc. The discovery of vulnerabilities in IoT devices requires expertise in many fields – researchers need to know a lot about chips, applications, communication protocols, network protocols, operating systems, cloud services, and so on.
What advice would you give to an enterprise CISO that wants to make sure the connected devices in use in the organization are as secure as possible?
To start, CISOs should check whether the vendors of the products they plan to use care about product security. How do they deal with vulnerabilities? Do they have a PSIRT? Do they have a point of contact for vulnerability reports? And so on.
Once they settle on a product to use, they should make sure that best practices – e.g., safely configuring the device, applying security updates in a timely manner – are part of the internal processes. They should also check the security of the services the devices use, e.g., network services used by an IP camera. Finally, network defenses should be structured to effectively control the access rights of the various networked devices in the environment.
How do you expect the security of IoT devices to evolve in the near future?
As we move forward, governments will attempt to create security baselines with regulations and certifications (labelling schemes). New security standards for various sectors (automotive, aviation – to name a few) will also be created.
As IoT products use similar network security protocols or hardware components, IoT security will no longer be a unilateral effort by the manufacturers. In the future, manufacturers, suppliers of parts, security organizations and governments will cooperate more closely, and even achieve mutual defense alliances to ensure effective and immediate protection.
Nuspire released a report, outlining new cybercriminal activity and tactics, techniques and procedures (TTPs) throughout Q3 2020, with additional insight from Recorded Future.
Threat actors becoming even more ruthless
The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.
“We continue to see attackers use newsjacking and typosquatting techniques to attack organizations with ransomware, especially this quarter with the Presidential election and schools moving to a virtual learning model,” said John Ayers, Nuspire Chief Strategy Product Officer.
“It’s important for organizations to understand the latest threat landscape is changing so they can better prepare for current themes and better understand their risk.”
Increase in malware activity
There has been a significant increase in malware activity over the course of Q3 2020; the 128% increase from Q2 represents more than 43,000 malware variants detected a day.
As Emotet made a significant appearance, new features in Emotet modules were discovered, implying the group will likely continue operating through the next quarter to gauge the viability of these new features.
“Keeping a vigilant eye on how threats evolve, grow and adapt over time helps us understand how threat actors have been retooling their tactics. It’s more important than ever to consistently have visibility into the threat landscape.”
- The ZeroAccess botnet made another big appearance in Q3. It resurged in Q2, ranking second among the most-used botnets, went quiet towards the end of Q2, and returned in Q3.
- Office document phishing skyrocketed during the second half of Q3, which could be due to the upcoming election, or because attackers have just finished retooling.
- Ransomware attacks on the automotive industry are on the rise. At the end of Q3 2020, references had already surpassed the 2019 total, reaching 18,307, an increase of 79.15% with Q4 still remaining.
- H-Worm Botnet, also known as Houdini, Dunihi, njRAT, NJw0rm, Wshrat, and Kognito, surged to the top of observed botnet traffic in Q3, as the actors behind it deployed instances of Remote Access Trojans (RATs) using COVID-19 phishing lures and executable names.
Academics at UCL and other institutions have collaborated to develop a machine learning tool that identifies new domains created to promote false information so that they can be stopped before fake news can be spread through social media and online channels.
To counter the proliferation of false information it is important to move fast, before the creators of the information begin to post and broadcast false information across multiple channels.
How does it work?
Anil R. Doshi, Assistant Professor for the UCL School of Management, and his fellow academics set out to develop an early detection system to highlight domains that were most likely to be bad actors. Details contained in the registration information, for example, whether the registering party is kept private, are used to identify the sites.
Doshi commented: “Many models that predict false information use the content of articles or behaviours on social media channels to make their predictions. By the time that data is available, it may be too late. These producers are nimble and we need a way to identify them early.
“By using domain registration data, we can provide an early warning system using data that is arguably difficult for the actors to manipulate. Actors who produce false information tend to prefer remaining hidden and we use that in our model.”
By applying a machine-learning model to domain registration data, the tool was able to correctly identify 92 percent of the false information domains and 96.2 percent of the non-false information domains set up in relation to the 2016 US election before they started operations.
Why should it be used?
The researchers propose that their tool should be used to help regulators, platforms, and policy makers escalate: increase monitoring of flagged domains, send warnings or impose sanctions, and ultimately decide whether they should be shut down.
The academics behind the research also call for social media companies to invest more effort and money into addressing this problem, which is largely facilitated by their platforms.
Doshi continued: “Fake news which is promoted by social media is common in elections and it continues to proliferate in spite of the somewhat limited efforts of social media companies and governments to stem the tide and defend against it. Our concern is that this is just the start of the journey.
“We need to recognise that it is only a matter of time before these tools are redeployed on a more widespread basis to target companies, indeed there is evidence of this already happening.
“Social media companies and regulators need to be more engaged in dealing with this very real issue and corporates need to have a plan in place to quickly identify when they become the target of this type of campaign.”
The research is ongoing in recognition that the environment is constantly evolving and while the tool works well now, the bad actors will respond to it. This underscores the need for constant and ongoing innovation and research in this area.
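The article describes the approach only in outline: features drawn from domain registration data (for instance whether the registrant is hidden behind a privacy service) feed a classifier that flags likely false-information domains before they start publishing, and the result is reported as separate accuracy figures for the two classes. The following Python is an added illustration of that pipeline, not the UCL model or its code. The registration records are constructed, and the feature set (privacy service, registration within an assumed 180-day window of the 2016 election, news-style naming tokens) and the toy logistic regression are assumptions chosen to show the shape of the method, including how the two per-class accuracy figures are computed.

```python
import math
from datetime import date

# Event the toy model is anchored to: the article's 2016 US election domains.
ELECTION_DAY = date(2016, 11, 8)
# Assumed feature parameters (not from the UCL research): what counts as "recently
# registered" and which name tokens suggest a site is branding itself as news.
RECENT_DAYS = 180
NEWS_TOKENS = ("news", "daily", "times", "report", "tribune")

# Constructed registration records, invented for this example:
# (domain, creation date, registrant hidden by a privacy service, label)
# label 1 = false-information site, 0 = legitimate site.
RECORDS = [
    ("dailypatriotnews.example",     date(2016, 9, 29),  True,  1),
    ("truth-report-247.example",     date(2016, 8, 10),  True,  1),
    ("liberty-times.example",        date(2016, 10, 19), True,  1),
    ("realvoterfacts.example",       date(2016, 6, 11),  True,  1),
    ("citytribune.example",          date(2008, 5, 1),   False, 0),
    ("countyelectionoffice.example", date(2011, 3, 15),  False, 0),
    ("localbakery.example",          date(2015, 9, 1),   True,  0),
    ("statenewsdaily.example",       date(2012, 7, 4),   False, 0),
    ("countyvoterguide.example",     date(2016, 9, 9),   False, 0),
]


def features(domain, created, private):
    """Turn one registration record into a numeric feature vector.

    Only registration-time data is used, so the score exists before the site
    publishes anything. `created` may be a date or an ISO string."""
    if isinstance(created, str):
        created = date.fromisoformat(created)
    name = domain.split(".")[0].lower()
    return [
        1.0 if private else 0.0,                                            # privacy-protected registrant
        1.0 if (ELECTION_DAY - created).days <= RECENT_DAYS else 0.0,       # registered close to the event
        1.0 if any(tok in name for tok in NEWS_TOKENS) else 0.0,            # news-style branding in the name
    ]


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_model(records, lr=0.5, epochs=4000):
    """Toy logistic regression trained by batch gradient descent (assumed stand-in for the real model)."""
    X = [features(d, c, p) for d, c, p, _ in records]
    y = [label for *_, label in records]
    n = len(X[0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for xi, yi in zip(X, y):
            err = _sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            for j in range(n):
                gw[j] += err * xi[j]
            gb += err
        m = len(X)
        w = [wj - lr * gj / m for wj, gj in zip(w, gw)]
        b -= lr * gb / m
    return w, b


def score(model, feats):
    """Probability that the domain is a false-information site."""
    w, b = model
    return _sigmoid(sum(wj * xj for wj, xj in zip(w, feats)) + b)


def predict(model, feats, threshold=0.5):
    return score(model, feats) >= threshold


def evaluate(model, records):
    """Per-class accuracy, the way the article reports it:
    (share of false-info domains flagged, share of legitimate domains left alone)."""
    tp = fn = tn = fp = 0
    for domain, created, private, label in records:
        flagged = predict(model, features(domain, created, private))
        if label == 1:
            tp, fn = (tp + 1, fn) if flagged else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if flagged else (fp, tn + 1)
    return tp / (tp + fn), tn / (tn + fp)


if __name__ == "__main__":
    model = train_model(RECORDS)
    tpr, tnr = evaluate(model, RECORDS)
    print(f"false-info domains caught: {tpr:.1%}, legitimate domains passed: {tnr:.1%}")
    print("new registration:", score(model, features("votetruthdaily.example", "2016-10-01", True)))
```

In the constructed set the two signals that matter are a hidden registrant plus registration close to the event; a legitimate local business behind a privacy service, or an official site registered shortly before the election without one, should not be flagged, which is why the toy data includes both. Evaluating on the training records, as the last block does, only shows the model fitted them; a real deployment holds out a labelled set, as the research did when reporting 92 and 96.2 percent.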
Multi-factor authentication (MFA) that depends on one of the authentication factors being delivered via SMS and voice calls should be avoided, Alex Weinert, Director of Identity Security at Microsoft, opined.
That’s not to say that MFA should be avoided, though, just that there are safer and more reliable ways to get additional authentication factors.
Why SMS- and voice-based MFA is the least secure option
Last year, Weinert noted that using any form of MFA is better than relying just on a password for security, as it “significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.”
But the delivery of authentication factors via publicly switched telephone networks (PSTN) is the least secure of the MFA methods available, he thinks, because:
- The SMS and voice formats aren’t adaptable to user experience expectations, technical advances, and attacker behavior in real time
- PSTN systems are not 100% reliable, meaning the message or call may not come when needed
- Changing regulations may get in the way of SMS delivery and phone calls
- SMSes and phone calls were designed without encryption and can be intercepted (e.g., via software-defined radios, femtocells, SS7 intercept services, mobile malware, phishing tools)
- Support agents at companies operating publicly switched telephone networks can be tricked, bribed or coerced by attackers into providing access to the victims’ SMS or voice channel (e.g., via SIM swapping)
MFA is a must
The value of multi-factor authentication is not in question, but as more and more users adopt it, attackers will try to come up with new ways to grab the needed OTP authentication codes.
Weinert advised users to switch, if possible, from SMS- and voice-based MFA to app-based authentication. Naturally, he endorsed the Microsoft Authenticator app, but other apps serve the same function (such as Google Authenticator or Cisco’s Duo Mobile) and offer the same protections (encrypted communication, more control, etc.).
There are other MFA options available, and some offer an even greater degree of safety against remote attacks, such as smart cards or security keys – physical devices that attackers would need to get their hands on in order to gain access to secured accounts.
ESET researchers have discovered ModPipe, a modular backdoor that gives its operators access to sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS (point-of-sale) – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide.
The majority of the identified targets were from the United States.
Containing a custom algorithm
What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.
This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet “louder” approach, such as keylogging.
Exfiltrated credentials give ModPipe’s operators access to database contents, including various definitions and configuration data, status tables and information about POS transactions.
“However, based on the documentation of RES 3700 POS, the attackers should not be able to access some of the most sensitive information – such as credit card numbers and expiration dates – which is protected by encryption. The only customer data stored in the clear and thus available to the attackers should be cardholder names,” cautions ESET researcher Martin Smolár, who discovered ModPipe.
“Probably the most intriguing parts of ModPipe are its downloadable modules. We’ve been aware of their existence since the end of 2019, when we first found and analyzed its basic components,” explains Smolár.
- GetMicInfo targets data related to the MICROS POS, including passwords tied to two database usernames predefined by the manufacturer. This module can intercept and decrypt these database passwords, using a specifically designed algorithm.
- ModScan 2.20 collects additional information about the installed MICROS POS environment on the machines by scanning selected IP addresses.
- ProcList, whose main purpose is to collect information about currently running processes on the machine.
“ModPipe’s architecture, modules and their capabilities also indicate that its writers have extensive knowledge of the targeted RES 3700 POS software. The proficiency of the operators could stem from multiple scenarios, including stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market,” adds Smolár.
What can you do?
To keep the operators behind ModPipe at bay, potential victims in the hospitality sector as well as any other businesses using the RES 3700 POS are advised to:
- Use the latest version of the software.
- Use it on devices that run an updated operating system and up-to-date software.
- Use reliable multilayered security software that can detect ModPipe and similar threats.