ARCHIVE FOR THE ‘cyber-security’ CATEGORY
Nov 21, 2019 • Management • News • Cyber Security
Atos highlights significant new threats and innovative cyber security solutions that have recently gathered momentum in its new paper Digital Vision for Cyber Security 2.
Aug 28, 2019 • News • future of field service • Cyber Security • Security • F-secure
F-Secure discovers security flaw with the potential to turn hundreds of thousands of load balancers into beachheads for cyber attacks.
Cyber security provider F-Secure is advising organizations using F5 Networks’ BIG-IP load balancer, which is popular amongst governments, banks, and other large corporations, to address security issues in some common configurations of the product. Adversaries can exploit these insecurely configured load balancers to penetrate networks and perform a wide variety of attacks against organizations, or individuals using web services managed by a compromised device.
The security issue is present in the Tcl programming language that BIG-IP’s iRules (the feature that BIG-IP uses to direct incoming web traffic) are written in. Certain coding practices allow attackers to inject arbitrary Tcl commands which could be executed in the security context of the target Tcl script.
Adversaries that successfully exploit such insecurely configured iRules can use the compromised BIG-IP device as a beachhead to launch further attacks, resulting in a potentially severe breach for an organization. They could also intercept and manipulate web traffic, leading to the exposure of sensitive information, including authentication credentials and application secrets, as well as allowing the users of an organization’s web services to be targeted and attacked.
In some cases, exploiting a vulnerable system can be as simple as submitting a command or piece of code as part of a web request, which the technology will then execute for the attacker. To make matters worse, there are cases where the compromised device will not record the adversaries’ actions, meaning there would be no evidence that an attack took place. In other cases, an attacker could delete logs that contain evidence of their post-exploit activities – severely hindering any incident investigations.
“This configuration issue is really quite severe because it’s stealthy enough for an attacker to get in, achieve a wide variety of objectives, and then cover their tracks. Plus, many organizations aren’t prepared to find or fix issues that are buried deep in software supply chains, which adds up to a potentially big security problem,” explains F-Secure Senior Security Consultant Christoffer Jerkeby. “Unless you know what to look for, it’s tough to foresee this problem occurring, and even harder to deal with in an actual attack.”
Jerkeby discovered over 300,000 active BIG-IP implementations on the internet during the course of his research, but due to methodological limitations, suspects the real number could be higher. Approximately 60 percent of the BIG-IP instances he found were in the United States.
The coding flaw and class of vulnerability is not novel and has been known, along with other command injection vulnerabilities in other popular languages, for some time. Not everyone using BIG-IP will be affected, but the load balancer’s popularity amongst banks, governments, and other entities that provide online services to large numbers of people, combined with the relative obscurity of the underlying security issues with Tcl, means any organization using BIG-IP needs to investigate and assess their exposure.
“Unless an organization has done an in-depth investigation of this technology, there’s a strong chance they’ve got this problem,” continues Jerkeby. “Even someone incredibly knowledgeable about security that works at a well-resourced company can make this mistake. So, spreading awareness about the issue is really important if we want to help organizations better protect themselves from a potential breach scenario.”
Aug 15, 2019 • Management • News • cyber crime • research report • Cyber Security • report • F-secure
F-Secure’s research highlights the broad range of threats facing the global finance industry.
Jun 03, 2019 • News • future of field service • IIOT • Blockchain • Cyber Security • Software and Apps • IoT Security
SigmaDots blockchain-based solution enables protection for IoT and IIoT systems.
SigmaDots, a cyber-security startup and subsidiary of Essence Group, has partnered with Telit, a global enabler of the Internet of Things (IoT), to expand IoT security and strengthen business continuity leveraging SigmaDots technology. Essence Group is a market leader in developing LTE-based connected devices and IoT platforms.
SigmaDots has developed the first embedded, blockchain-based cybersecurity solution for IoT and IIoT systems. Telit, recognizing the need for enhanced solutions, is working closely with SigmaDots to improve resilience to cyberattacks. The companies are collaborating on the use of blockchain technology for routers, control panels, IoT gateways, and a host of IoT devices, drastically reducing device vulnerability to cyberthreats.
“The ubiquity of IoT devices makes them attractive targets for cyber mischief,” said Alon Segal, SVP of Software & Services, Telit. “Our collaboration with SigmaDots adds another layer of security and communications resiliency using distributed technologies to offer advanced, secure infrastructure solutions for our customers.”
SigmaDots software-based solutions harness the power of serverless architecture, bringing blockchain-based cybersecurity to the IoT ecosystem. With a scalable, interoperable, and secure platform uniquely adapted to the limited resources of IoT, SigmaDots empowers connected ecosystems to accelerate the machine-to-machine economy.
“IoT is finally delivering on its promises of complete connectivity – wearables, mobile apps, home safety, smart meters and in industry – generally anywhere,” said Itsik Harpaz, General Manager of SigmaDots. “However, this connectivity brings significant threats – an attack on a single device can spread throughout the entire network.”
IoT devices without strong cyber protection can easily become part of a botnet to carry out distributed denial of service (DDoS) attacks or fall prey to IoT-focused attacks like man-in-the-middle, data and identity theft, and device hijacking.
“SigmaDots technology was developed out of the need to strengthen the security of our IoT devices,” said Dr. Haim Amir, CEO and founder of Essence Group. “We’ve been creating innovative connected device solutions for more than 25 years, so we fully understand the challenges and the necessity of creating airtight cyber protection.”
May 29, 2019 • News • management • Cyber Security • insurance
In November last year, Mactavish published a report entitled ‘Cyber Risk & Insurance Report’, which identified eight common flaws in cyber insurance policies. This includes, for example, cover being limited to events triggered by attacks or unauthorised activity and excluding cover for issues caused by accidental errors or omissions.
Another flaw is only providing systems interruption cover for the brief period of actual network interruption, as opposed to the more significant knock-on revenue impact during the period after IT systems are restored but the business is still disrupted. In the last two weeks alone Mactavish has reviewed cyber insurance policies for a large British business and a medium sized business. Both of these policies had three or more of the flaws. Mactavish warns that despite insurance industry denials, the eight flaws are widespread.
Bruce Hepburn, Chief Executive Officer, Mactavish, commented: “Many in the industry have challenged our findings but we continue to find these issues affecting the actual policies we review that are being offered to UK businesses, and we will be publishing a second paper on the sector next month providing more details on our findings.
“However, in the meantime, we are calling on brokers to challenge insurers more on the quality of the cyber cover they provide and push for improvements. If they can’t achieve this, they need to warn their clients of the omissions in their policies to give them a better understanding of what they are buying.”
Mactavish has issued a challenge to insurers and brokers to guarantee that the eight common flaws it has identified in policies will never be used as reasons to refuse pay-outs on cyber insurance claims unless they can show that a client has been informed but decided not to buy the additional cover. The eight flaws outlined in the Mactavish Cyber Risk & Insurance Report are:
1. Cover can be limited to events triggered by attacks or unauthorised activity – excluding cover for issues caused by accidental errors or omissions;
2. Data breach costs can be limited – e.g. covering only costs that the business is strictly legally required to incur (as opposed to much greater costs which would be incurred in practice);
3. Systems interruption cover can be limited to only the brief period of actual network interruption, providing no cover for the more significant knock-on revenue impact in the period after IT systems are restored but the business is still disrupted;
4. Cover for systems delivered by outsourced service providers (many businesses’ most significant exposure) varies significantly and is often limited or excluded;
5. Exclusions for software in development or systems being rolled out are common and can be unclear or in the worst cases exclude events relating to any recently updated systems;
6. Where contractors cause issues (e.g. a data breach) but the business is legally responsible, policies will sometimes not respond;
7. Notification requirements are often complex and onerous;
8. Businesses are forced to choose IT, legal or PR specialists appointed by their insurer.
Apr 18, 2019 • News • future of field service • Cyber Security
As the threat landscape continues to evolve, so too must organizations’ approaches to defending against the business impact of cyber attacks. In light of this trend, cyber security provider F-Secure is calling for greater emphasis on both preparedness for a breach and fast, effective containment that covers the correct balance of people, process and technology.
“Cyber breaches are now a fact of life for many companies. It’s no longer a matter of ‘if’ a company will be breached, the question is ‘when’. And that calls for a shift in how organizations handle many aspects of security,” said F-Secure Countercept Managing Director Tim Orchard.
Research highlights one current area of weakness as the lack of investment in effective incident response strategies. 44 percent of respondents to a recent MWR InfoSecurity (acquired by F-Secure in 2018) survey said they invested less in their response capabilities than in threat prediction, prevention, or detection. Only 12 percent said response was prioritized over their other security capabilities.
Continuous response, the art and science of having the right people in the right place at the right time armed with the information they need to take control of the situation, is an emerging concept in cyber security that’s central to boosting response capabilities. The aim is to combine elements of collaboration, context, and control into a fluid process. In practice, this could mean a single team of threat hunters, first responders, administrators and other personnel working together to actively identify and remediate potential threats before they escalate.
“Having the tools and techniques in place to quickly detect, contain and frustrate attacks as they unfold buys you time, and gives you an opportunity to understand the full picture about how attackers are exploiting your weaknesses and moving through your network. And they need to be sophisticated enough to avoid tipping off an attacker that you’re onto them, and prepared to evict them in one concerted push,” explained Orchard. “And it’s important to put these tools and techniques into the hands of the right team if you want them to work.”
According to Gartner’s Answers to Questions About 3 Emerging Security Technologies for Midsize Enterprises report, “MDR is about ‘renting trained eyes’ you can’t find or afford to detect incidents that go undiscovered... It’s about finding the 10% of incidents that bypass traditional firewall and endpoint protection security.”
MDR solutions typically offer 24/7 threat monitoring, detection, and response services that leverage advanced analytics and threat intelligence to help protect organizations. Generally, MDR vendors deploy sensors (such as an endpoint agent or a network probe) to gather data from a client’s systems. The data is then analyzed for evidence of compromise and the client is notified when a potential incident is detected.
After detection, clients either respond on their own or bring in external IR teams and approaches, which can include local or remote investigations and forensics, as well as advice on a possible orchestrated technical response. But at best, response activities stop at isolating hosts using EDR agents or firewalling.
But effective solutions can potentially do much more. Treating response as a continuous activity means team members will be in constant communication and collaboration with one another, able to discuss suspicious events happening anywhere within their infrastructure. MDR solutions can facilitate this process, giving defenders the edge they need to stop, contain, and ultimately, eject an adversary.
“Finding a balanced MDR solution, regardless of whether it’s an in-house solution or outsourced, is key. I think our approach to preparing our clients to assume the breaches have already happened, and then help them hunt down those threats, is the essence of continuous response,” said Orchard. “Getting this right lets defenders evict attackers quickly on their first try, and prevent those adversaries from repeating their attack.”
Mar 28, 2019 • News • Cyber Security • field service management • Survey
A survey from Frost & Sullivan, in association with CA Technology, has revealed that 27% of business leaders think integrating digital security measures will have no effect on the company's bottom line. However, there is a general acceptance that higher digital trust equates to higher revenue.
The report said companies intending to grow must "enhance their digital trust credentials".
Digital trust is the measurement of consumer, partner and employee confidence in an organisation's ability to protect and secure data and the privacy of individuals.
The study showed 70% of consumers surveyed trusted organisations to take the correct precautions to protect their data, whereas organisations perceived 95% of their customers to be satisfied with the levels of data protection offered.
You can download the report here.
Mar 26, 2019 • Management • News • Cyber Security • Security
Research by cyber-security provider F-Secure has shown that cyber attacks in 2018 increased by 32% compared to the previous year.
The survey, which consulted 3350 IT decision-makers, influencers and managers from 12 countries, also highlighted a lack of awareness in detecting incidents, suggesting firms' preventative measures such as firewalls were insufficient.
Findings also revealed that the Finance and ICT sectors were most commonly targeted by attackers while healthcare and manufacturing received the fewest attacks, with the majority of attacks affecting US-based IP addresses.
Leszek Tasiemski said today's cyber-attacks had evolved significantly and questioned whether or not companies were even aware of the issue. "Today's threats are completely different from ten or even five years ago," he said. "Preventative measures and strategies won't stop everything anymore, so I've no doubt that many of the companies surveyed don't have a full picture of what's going on with their security."
You can read the full report here.
Mar 14, 2019 • News • Artificial intelligence • Future of Field Service • GDPR • Cyber Security • Security
Cyber security revenues in 2018 were $160.2 billion and will jump $11.2 billion during 2019, as the focus moves to GDPR compliance. Growth will slow to around $9.8 billion per annum, spiking once again in 2023/4 as AI-based cybersecurity escalates, reaching $223.7 billion, says the report from Rethink Technology Research.
The European Union’s GDPR (General Data Protection Regulation) has set the agenda for legislation over data privacy and protection worldwide and that is generating a spike in spending on security measures that ensure compliance. This will continue to ripple around the world between 2019 and 2021.
North America is expected to continue to spend the most on security (27%), but both Europe (22%) and China (20%) are rapidly accelerating their spend, with the rest of Asia following closely behind on 16%. North America is expected to lead on almost every market with the exceptions of Industrial and Automotive, where China leads, by a small margin.
You can read the full report here.