The 2019 Security Awareness Report published by SANS Security Awareness, a division of SANS Institute, found that across many organizations, there is an increased emphasis on the need for awareness and training programs.
According to the report, more than 75% of those who are currently responsible for security awareness and training are spending less than half of their time on employee education programs.
“The implication is that awareness is simply mounted on to their other job requirements. This is the largest single factor limiting the growth and maturity of programs,” the report said.
Though awareness professionals often bring dynamic skills to their technical roles, the lack of candidates who possess the much-needed soft skills of communication and marketing hinders an organization’s ability to build a program that truly engages employees.
Among the nearly 1,600 respondents who participated in the study, those who reported having programs that are effectively changing employee behavior have at least two full-time employees dedicated to awareness and training.
“While there is a general tendency to isolate individual employees as the cause of security related issues, the data within the report demonstrates that addressing an organization’s human cyber risk is best handled by making consistent systemic training investments. This report examines the most effective steps to address them, enabling you to benchmark your awareness program against your peers and other organizations,” the report said.
The report did find that the number of organizations with no program at all has decreased over the last two years, falling from 7.6% to 4.3% and indicating a slow but steady shift toward success.
“I’m absolutely thrilled about the release of the 2019 Security Awareness Report,” says SANS security awareness director Lance Spitzner. “Every year we are able to gain a better understanding of the most common challenges awareness professionals face and how to best address them, and after five years we are beginning to identify key trends.”
Two reports published independently of each other found that the majority of organizations are moderately to extremely concerned about the state of cloud security.
In Guardians of the Cloud, the 2019 cloud report published annually by Bitglass, researchers found that 93% of organizations are at least moderately concerned about their ability to use the cloud securely. The same number of respondents in the 2019 Cloud Security Report from Synopsys said that they were either moderately or extremely concerned about cloud security.
According to Guardians of the Cloud, 75% of organizations leverage multiple cloud solutions, while a mere 20% actually have visibility over cross-app anomalous behavior. Additionally, only 20% of participating organizations said that they use cloud data loss prevention (DLP), despite storing highly sensitive information in the cloud, including customer and employee data and intellectual property. Not surprisingly, malware is the most concerning data leakage vector.
The majority (67%) of companies said they believe cloud apps are either as secure as or more secure than on-premises apps. Two of the most popular cloud security capabilities among respondents are access control (52%) and anti-malware (46%).
“Data is now being stored in more cloud apps and accessed by more devices than ever before,” said Rich Campagna, chief marketing officer of Bitglass, in today’s press release. “This report found that...the adoption rates of basic cloud security tools and practices are still far too low. Many organizations need to rethink their approach to protecting data, as traditional tools for safeguarding data on premises are not capable of protecting data in the cloud.”
Synopsys’ latest cloud security report likewise found that organizations have a wide range of cloud security concerns. Most notably, organizations are worried about data loss and leakage (64%) and data privacy and confidentiality (62%).
For 43% of organizations, monitoring new vulnerabilities in cloud services is one of the most challenging aspects of cloud compliance.
“As workloads continue to move to the cloud, cybersecurity professionals are realizing the complications of protecting these workloads. The top two security headaches SOCs are struggling with are compliance (34%) and lack of visibility into infrastructure security (33%). Setting consistent security policies across cloud and on-premises environments (31%) and the continuing lack of qualified security staff (31%) are tied for third place,” the report said.
Researchers at AT&T Alien Labs have said with high confidence that the publicly reported adversary dubbed StrongPity has been engaged in a previously unreported and ongoing malware campaign.
The threat actors are using new malware and infrastructure to control compromised machines and are deploying malicious versions of the WinBox router management software, WinRAR and other trusted software to compromise their targets, researchers said.
“StrongPity was first publicly reported on in October 2016 with details on attacks against users in Belgium and Italy in mid-2016. In this campaign, StrongPity used watering holes to deliver malicious versions of WinRAR and TrueCrypt file encryption software,” researchers wrote in a blog post.
StrongPity was reported on again in 2017 and 2018. New samples that strongly resembled the work of StrongPity were again identified in early July 2019.
These most recent samples of the malware are as yet unreported, but they mirror those created and deployed to targets following a toolset rebuild that came after public reporting of the malware during the fourth quarter of 2018, researchers said.
“The malicious version of the software installs StrongPity malware without any obvious signs to the victim, and then operates as if it were a standard unaltered version of the trusted software.”
While researchers were unable to identify specific details about how the malicious installers are delivered, they noted, “It is likely that methods previously documented by the previous reports of StrongPity, such as regional download redirecting from ISPs, is still occurring. Based on the type of software used as the installer (WinRAR, WinBox, IDM, etc.), the type of targets may continue to be technically-oriented, again similar to past reports.”
A lack of CEO awareness and engagement with cybersecurity could be placing their organizations at unnecessary risk of attack, according to new findings from RedSeal.
The security vendor polled over 500 IT professionals in the UK to better understand the cyber-risks posed by business leaders.
Over half (54%) said they don’t believe their CEO follows correct security procedure and in so doing is potentially exposing their organization to compromise. Over a third (38%) weren’t sure what technology their CEO used at home, with the majority (95%) claiming to be concerned that home smart devices could be hacked.
Over one in 10 (11%) respondents claimed that CEO or senior managers’ actions had put corporate security at risk, and three-quarters (75%) argued that their CEOs should pay more attention to cybersecurity in the future.
However, poor security policies and processes also seem to be to blame: 14% of UK CEOs still haven’t had any security training, while only 29% of respondents said they provide a daily cyber-report to their boss. A quarter (26%) said they only report major breaches to the CEO, perpetuating disengagement from cyber-related issues at the highest level.
In reality, cyber matters to CEOs as breaches could have a major impact on the bottom line and corporate reputation. Following a major incident, a third of respondents said they lost customers, 34% said it damaged reputation and over a fifth (23%) lost revenue.
“CEOs have wide access to their organization’s network resources, the authority to look into most areas, and frequently see themselves as exempt from the inconvenient rules applied to others. This makes them ideal targets,” argued RedSeal CTO, Mike Lloyd.
“The internet is a dangerous place where new security threats can evolve and rapidly mutate. Perfect defense is illusory; in a complex and interdependent world, some attacks are bound to succeed. Organizations must look to a strategy of resilience. They’ll survive only by planning in advance for how the inevitable successful attacks will be handled.”
UK government workers have lost over 500 mobile devices and laptops over the past year, with just a small percentage ever recovered, according to new research from MobileIron.
The security vendor issued Freedom of Information (FOI) requests to nine government departments, all but one of which replied.
It found that public sector employees managed to lose 508 mobiles and laptops between January 2018 and April 2019.
It’s unclear whether these devices were password-protected, whether the data on them was encrypted, or whether they had remote wipe functionality to protect sensitive information. Without proper security controls in place, however, attackers could theoretically gain access to sensitive accounts if a device gets into the wrong hands.
“As the amount of business data that flows across devices, apps, networks, and cloud services continues to increase, it is essential that organizations have the right security protocols in place to minimize risk and prevent unauthorized access to sensitive data if a device is lost or stolen. Even one lost or stolen device provides a goldmine of readily accessible and highly critical data to potential fraudsters and hackers,” argued MobileIron UK and Ireland regional director, David Critchley.
The answer is to implement a zero-trust model, whereby users are forced to authenticate at all times, he said.
“This approach validates the device, establishes user context, checks app authorization, verifies the network, and detects and remediates threats before granting secure access to a device or user,” he added. “The zero-trust model allows organisations, including government departments, to significantly reduce risk by giving them complete control over their business data – even on lost or stolen devices.”
It’s not just the government that has been found wanting regarding the loss of devices. Last year, an FOI request revealed that the BBC had reported over 170 lost or stolen devices over the previous two years.
UK’s NCSC Hails Another Successful Year of Cyber Defense
The UK’s National Cyber Security Centre (NCSC) has dismantled tens of thousands of phishing campaigns and fraudulent websites over the past year as its Active Cyber Defence (ACD) program continues to lead by example globally.
In an update on Tuesday, the GCHQ off-shoot revealed a successful second year for the initiative.
It dismantled over 22,000 phishing campaigns hosted in UK IP space, linked to over 142,000 attacks, and removed more than 14,000 phishing sites, as part of an overall takedown of over 192,000 fraudulent sites – most (64%) of which were offline within 24 hours.
The NCSC also pointed to a 100-fold increase in the number of web checks run, with a total of 111,853 advisories issued to public sector users. This comes on top of a Protective DNS service which now prevents 1.4m public sector employees from visiting malicious sites, DMARC to prevent email attacks, and other initiatives designed to bolster the security of the UK’s internet space and set an example for other governments.
“By taking down phishing and malware attacks when we see them in UK IP space, regardless of the brand abused, we intend to make the UK a more difficult place to host these attacks. While in and of itself this doesn’t affect the global attacks against the UK, we hope to lead by example,” the report claimed.
“If we can show that a relatively simple set of actions can make a delegated IP space a harder place to host badness, we can get on our high horse and try to get other responsible countries and entities to do similar things. Coordinated action would make hosting badness globally much harder and therefore increase the cost of launching these attacks in the first place and reduce the return on investment.”
The NCSC is not stopping there: it’s working with Action Fraud to produce a new automated fraud reporting system for the public; developing an Internet Weather Centre to provide insight into the digital landscape of the UK; and producing a vulnerability scanning tool for CNI and public sector providers.
Photo Shared via iPhone Leads to JetBlue Evacuation
Passengers heading to Tampa, Florida, experienced an unusual delay on Tuesday. Those on board a JetBlue flight out of Newark, New Jersey, were evacuated after a person used the AirDrop feature on an Apple iPhone to send an image of a suicide vest to multiple iOS devices on the plane, according to the Daily News.
Several passengers on the flight unexpectedly received the image through Apple’s AirDrop feature, which allows users to share content with nearby devices over Bluetooth. Given that the person sending the photo had to be within Bluetooth range, it was presumably a passenger, as the plane had already left the gate and was on the runway waiting for takeoff, the report suggested.
There’s no real way to trace a Bluetooth MAC address to an individual or their device unless all devices were confiscated from the passengers on the flight, according to Dr. Richard Gold, head of security engineering at Digital Shadows. “Even then, it’s unlikely you’d be able to figure the originating MAC address without forensically examining the devices which received the pictures.”
The issue is just the latest concern with Bluetooth. Since the AirDrop feature, which uses Bluetooth technology, was introduced in 2011, there have been a number of reports of people abusing it to send unwanted photos of various natures to unsuspecting recipients on iOS devices, Gold said.
In addition to being difficult to trace, people typically leave the Bluetooth function on, said Chris Morales, head of security analytics at Vectra. “I used to admittedly walk around with my laptop scanning for exposed Bluetooth listening devices and could send commands to the owner. It is very easy. The easiest way to not receive things over Bluetooth is to require a pin for connectivity or to just turn it off.”
The issues surrounding shadow IT that have long plagued security because of unmonitored and unsupported cloud applications and devices are increasingly coming under proper control, according to the 2019 Duo Trusted Access Report.
The report found that threats from applications and devices that have traditionally been lurking in IT environments are being mitigated through the implementation of a zero-trust model. Enterprises appear to be catching up with cloud expansion and addressing concerns about shadow IT: the report found that the average number of organizations protecting cloud apps surged 189% year-over-year.
The report assessed the security of thousands of the world’s largest and fastest-growing organizations and examined 24 million devices used for work. Research showed that the use of out-of-date devices has dropped precipitously, which could be a function of the ever-growing remote workforce. According to today’s press release, a third of all work is done on a mobile device, a 10% increase year-over-year. In turn, organizations are hardening mobile defenses against malware.
In addition, biometric verification has seen a double-digit jump to more than 77% of business devices, and organizations are outright rejecting authentication based on policies for location-rooted devices, device locks not enabled or a lack of disk encryption.
“Without proper protections, such as strong user authentication and device hygiene checks, accessing business applications from mobile devices can increase exposure to threats that exploit user identities,” the press release said.
As organizations continue to experience shifts in digital transformation, they are enforcing security controls that establish user and device trust through a zero-trust security model.
“For years, security teams have had little visibility into the cloud applications users were accessing and the personal devices they were using,” said Wendy Nather, head of advisory CISOs at Duo. “The findings in this report make clear that security leaders are taking back control of these apps and devices thanks to a zero-trust approach to security. This approach, in many cases, even allows organizations to adapt quickly to pending threats.”
The US Coast Guard recommended that ships update their cybersecurity strategies after a malware attack “significantly” degraded the computer systems of a deep draft vessel in February, according to a press release.
In the marine safety alert, the Coast Guard wrote that the vessel involved in the February cyber incident was inbound to the Port of New York and New Jersey during an international trip when it reported that its onboard network was being impacted by a cyber incident.
The Coast Guard responded, and after an analysis conducted alongside an “interagency team of cyber experts” it concluded that while the functionality of the boat’s computer system was impacted, control systems were not. The computer system was used for managing cargo data and communicating with the Coast Guard and shore-side facilities.
“Prior to the incident, the security risk presented by the shipboard network was well known among the crew. Although most crew members didn’t use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business – to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard,” the alert said.
Targeting governmental and military assets will continue to be valuable for those seeking to disrupt our society, said Tim Mackey, principal security strategist for the Cybersecurity Research Center at Synopsys.
“This incident highlights lessons for everyone to take – whether you’re in government or in a corporate setting – vigilance starts with preparedness. All systems contain weaknesses, and software systems are no different. An up-to-date inventory of all software assets, including versions, origins and update procedures, is a bare minimum operational requirement for deployed software,” said Mackey.
“This asset inventory should also include a detailed accounting for all known weaknesses, and procedures should be in place to ensure newly disclosed weaknesses or vulnerabilities are amended to the inventory. The goal of this process is to ensure that systems are both patched and that the potential attack surface for the asset can be quantified. Armed with this information, threat models can be created which then guide mitigation efforts.”
NCSC in DNS Warning as Hijackers Focus on Home Routers
The UK’s National Cyber Security Centre (NCSC) has issued a warning about DNS hijacking threats, as reports emerge of widespread attacks in Brazil affecting 180,000 users.
The NCSC posted the advisory on Friday as a follow-up to one issued in January. DNS hijacking attackers typically take control of an authoritative DNS server and change the entries stored there, covertly redirecting users to servers under their control in a man-in-the-middle attack.
However, DNS hijackers are also targeting consumers with a slightly different modus operandi, Avast revealed in a recent blog post.
These attacks look to modify the settings on home routers, potentially via cross-site request forgery (CSRF) web-based attacks, so that they use rogue DNS servers. Once again, the end goal is to secretly redirect the user to a phishing page or one capable of installing malware on their machine.
Avast claims to have blocked over 4.6m CSRF attacks during February and March alone in Brazil, adding that 180,000 users have had their DNS hijacked in the first half of 2019.
The initial CSRF attack often happens via malvertising when a user visits a compromised website.
“When visiting a compromised site, the victim is unknowingly redirected to a router exploit kit landing page, which is usually opened in a new window or tab, initiating the attack on the router automatically, without user interaction,” it said.
“In general, the exploit kit attempts to find the router IP on a network, and subsequently attempts to guess the password using various login credentials. Once the hacker successfully logs into the router, the exploit kit attempts to alter the router’s DNS settings using various CSRF requests.”
GhostDNS, Navidade and SonarDNS are the three exploit kits being used in these attacks. Once a rogue DNS server is installed, the attackers look to monetize their efforts via phishing to steal Netflix and banking credentials from consumers; replacing good ads with malicious ones to steal traffic for profit; and installing browser-based crypto-jacking scripts.
Avast urged consumers to stay on the latest router firmware version; to use strong and unique logins for online banking and routers; and to check that their banking sites have a valid certificate.
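The rogue-resolver outcome described above can be checked from an endpoint by comparing the resolvers the router handed out against an expected set, and by comparing answers for sensitive domains with those from a trusted resolver. This is an added illustrative script, not code from Avast or the NCSC; the resolv.conf text, resolver addresses and DNS answers are all constructed, and a live check would obtain the answers from real queries.

```python
"""Endpoint-side check for DNS hijacking (added example, constructed data)."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed resolv.conf as a hijacked router's DHCP lease might push it.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.77
search home.lan
"""

# Resolvers the operator expects on this network (constructed addresses:
# 192.168.1.1 is the home router, 198.51.100.53 the ISP resolver).
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "198.51.100.53"}

# Constructed A-record answers: what the configured resolver returned versus
# what a trusted, independently reached resolver returned for the same names.
CONFIGURED_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.10"},   # points at a phishing host
    "mail.example": {"198.51.100.20"},
    "video.example": {"198.51.100.30"},
}
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "bank.example": {"198.51.100.10"},
    "mail.example": {"198.51.100.20"},
    "video.example": {"198.51.100.30"},
}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver entries, skipping comments and malformed lines."""
    servers = []
    for line in resolv_conf.splitlines():
        m = re.match(r"^\s*nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # not a valid IP literal; ignore it
    return servers


def unexpected_resolvers(servers: List[str], expected: Set[str]) -> List[str]:
    """Resolvers that are not on the operator's allowlist."""
    return [s for s in servers if s not in expected]


def answer_mismatches(configured: Dict[str, Set[str]],
                      trusted: Dict[str, Set[str]]) -> List[str]:
    """Domains where the configured resolver disagrees with the trusted one."""
    return sorted(d for d in trusted if configured.get(d, set()) != trusted[d])


def assess(resolv_conf: str, expected: Set[str],
           configured: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> dict:
    """Combine both signals; either one is enough to flag the host."""
    rogue = unexpected_resolvers(parse_nameservers(resolv_conf), expected)
    mismatched = answer_mismatches(configured, trusted)
    return {"rogue_resolvers": rogue, "mismatched_domains": mismatched,
            "suspicious": bool(rogue or mismatched)}


if __name__ == "__main__":
    print(assess(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS,
                 CONFIGURED_ANSWERS, TRUSTED_ANSWERS))
```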