Archive for February 2018

Cybersecurity Skills Gap Soars as Brexit Bites

The cybersecurity talent gap is greater than for any other digital skills, according to new research from Capgemini, as Brexit begins to take its toll.

The global consultancy polled over 1200 senior executives and front-line employees and analyzed social media sentiment of more than 8000 cybersecurity employees to compile its latest report, Cybersecurity Talent: The Big Gap in Cyber Protection.

It revealed that 68% of organizations reported high demand for cyber-skills in the workforce, versus 61% demanding innovation skills and 64% analytics skills. However, only 43% had “proficient skills already present in the organization” — a 25-percentage-point gap between supply and demand.

By comparison, the gap for analytics was just 13% and innovation was 21%.

“The cybersecurity skills gap has a very real effect on organizations in every sector,” said Mike Turner, COO of Capgemini’s Cybersecurity Global Service Line. “Spending months rather than weeks looking for suitable candidates is not only inefficient, it also leaves organizations dangerously exposed to rising incidents of cybercrime. Business leaders must urgently rethink how they recruit and retain talent, particularly if they wish to maximize the benefits from investment in digital transformation.”

What’s more, demand is set to grow, with 72% of respondents predicting high demand for cybersecurity in 2020.

Brexit is clearly having an impact on the UK’s attractiveness as a place to work for skilled EU workers, exacerbating talent shortages, according to experts speaking at the TEISS summit this week.

The figures come as new stats show a record drop in EU net migration to the UK. The number of EU citizens coming to the UK (220,000) decreased by 47,000 over the past year, falling to 2014 levels, while the number leaving the UK (130,000) is the highest recorded level since 2008.

Sophie Barrett-Brown, head of UK practice at immigration law firm Laura Devine Solicitors, argued that “skilled EU nationals choosing to pursue opportunities outside the UK is not a success story for the UK.

“A further fall in net migration may seem to be good news for those with concerns about immigration, but in reality it underlines a growing skills shortage impacting on businesses and public services. Behind every official statistic showing more workers leaving the UK and fewer arriving, the real story is vacancies unfilled and business potential unrealized,” she added.

“The biggest concern is the ongoing uncertainty employers face as the Brexit deadline of March 2019 approaches. With government now not due to publish proposals for the post-Brexit migration system until the end of 2018, employers are having to plan for any scenario and a number of businesses have already begun transferring some of their business functions overseas.”

Source: Information Security Magazine

McAfee: Global Cybercrime Costs Hit $600bn

Global cybercrime now costs nearly $600bn annually, with two-thirds of the world’s netizens having had their personal information stolen or compromised, according to a new McAfee report.

The Economic Impact of Cybercrime – No Slowing Down report was compiled in partnership with non-profit the Centre for Strategic and International Studies (CSIS).

It focuses specifically on cybercrime that occurs when attackers illegally access computer networks to steal IP and personal data, commit fraud and financial crime, and disrupt services. The report estimated costs resulting from securing networks, purchasing cyber-insurance, recovering from incidents, damaged reputation and liability risks.

Although it’s significantly greater than the $445bn estimated in 2014, the $600bn figure could be much higher when other types of cybercrime are considered, and given the fact that under-reporting and inaccuracies are rife in some regions, according to McAfee.

The report also estimated that nearly three billion credentials and other PII have been stolen since 2014, equating to two-thirds of netizens who have had their details compromised.

With Yahoo suffering a breach of three billion records, and researchers finding 1.4 billion compromised credentials on the dark web, even this could be a conservative estimate.

It also claimed that nation states were the most “dangerous” source of cybercrime, led by Russia and North Korea, but with China pegged as the most active cyber-espionage player.

Ransomware was judged to be the fastest-growing type of cybercrime, fueled by the cybercrime-as-a-service phenomenon and the rise of crypto-currency to help perpetrators maintain anonymity online.

McAfee chief scientist, Raj Samani, warned that this trend is democratizing cybercrime to the massed ranks of less technically gifted attackers.

“Businesses often struggle to remain vigilant against threats because they have too many tools operating in silo at once — and failing to communicate with each other,” he added.

“By making sure that tools can work together and removing siloed security teams, organizations can find the right combination of people, process and technology to effectively protect data, detect threats and, when targeted, rapidly correct systems.”

The report also blamed the rise in cybercrime costs on the increasing sophistication of top-tier cyber-criminals.

Source: Information Security Magazine

Government Ramps Up ICO Fees for Large Organizations

The government has proposed increasing the maximum fees organizations will have to pay data protection watchdog the Information Commissioner’s Office (ICO) as it looks to ramp up its activity to regulate the forthcoming GDPR.

Currently, data controllers are legally required to register with and pay the ICO either £35 or £500 annually depending on their revenue and number of employees.

However, the government is proposing to shift this to a new three-tiered funding model which will take effect when the GDPR lands on May 25.

“The government, which has a statutory duty to ensure the ICO is adequately funded, has proposed the new funding structure based on the relative risk to the data that an organization processes,” the ICO explained. “The model is divided into three tiers and is based on a number of factors including size, turnover and whether an organization is a public authority or charity.”

Micro-organizations of fewer than 10 staff or maximum turnover of £632,000 will be charged £40 — or £35 if they pay by direct debit, making the costs unchanged from the current fees.

However, Tier 2 organizations — SMEs with maximum turnover of £36m or no more than 250 members of staff — will need to pay a £60 fee.

The biggest increase comes for Tier 3 data controllers, large organizations which must fork out £2900 — potentially a £2400 increase on what they currently pay.

“The fee is higher because these organizations are likely to hold and process the largest volumes of data, and therefore represent a greater level of risk,” the ICO claimed.

Charities will be designated as Tier 1 organizations regardless of size or turnover, whilst public authorities can classify according to staff numbers, not turnover, the ICO said in an accompanying guide.

The changes come as the ICO’s already stretched resources are expected to come under even greater pressure with the introduction of the new privacy regulation from Brussels. The government claimed its "income requirements" would increase from around £19m in 2016/17 to £33m in 2020/21.

Source: Information Security Magazine

Allentown Struggles with $1 Million Cyber-Attack

The city of Allentown, Pennsylvania, is struggling to remediate a malware attack that could cost nearly $1 million to mitigate.

Local paper The Morning Call reports that the city’s critical systems have been hit by the malware known as Emotet, impacting both financial and public safety operations, according to Mayor Ed Pawlowski. Allentown’s finance department can’t complete any external banking transactions, the city’s 185 surveillance cameras are impacted and the police department can’t access Pennsylvania State Police databases, Pawlowski said.

Emotet spread like wildfire around the city’s networks, self-replicating (Emotet can spread itself to other systems by stealing an address book from a computer on the network) and harvesting city employees’ credentials along the way. There’s an intimation that phishing was the initial infection vector: Pawlowski warned city residents not to open emails and attachments from city employees. In the past Emotet has been spread via weaponized Microsoft Word documents.

The virus impacted all city systems that run Microsoft, so the city has hired Microsoft engineers to handle emergency response to the crisis for an initial $185,000. Though the virus has now been contained, Pawlowski said it will cost $800,000 to $900,000 to fully remediate the damage.

Further details remain shadowy.

“I’m not trying to in any way shape or form hide anything from the public,” Pawlowski told the city council. “But we just don’t want to divulge how we’re aggressively attacking this because if it is a hacker, they can always modify their attack.”

“Shame on us for doing a disservice to our intelligence community,” said Allentown IT director Matthew Leibert, chastising the council for holding an open hearing on the incident, given that there’s an ongoing criminal investigation into where the virus came from.

Pawlowski also said the virus evaded the city’s “extensive” antivirus and firewall systems.

“This particular virus actually is unlike any other virus,” he said. “It has intelligence built in, so it keeps adapting to our systems, thus evading any firewalls that we have up.”

Emotet first emerged in 2014 as a Trojan designed to steal banking credentials from targets in Austria and Germany. It searches the targeted system for sensitive information that will be exfiltrated to the command-and-control (C2) servers under the attackers’ control. The attacker can then sell the information harvested or log into the account themselves to steal more information.

Starting late last year, the malware began spreading beyond financial targets and into the US and other arenas, while adding new capabilities, including a new dropper, sandbox awareness and anti-analysis capabilities.

Source: Information Security Magazine

Bad Actors Increase Focus on Cloud Services, Encryption

Malware sophistication is increasing as adversaries begin to weaponize cloud services and evade detection through encryption, which is being used as a tool to conceal command-and-control activity.

That’s according to the Cisco 2018 Annual Cybersecurity Report (ACR). It also found that while encryption is meant to enhance security, the expanded volume of encrypted web traffic (50% as of October 2017) – both legitimate and malicious – has created more challenges for defenders trying to identify and monitor potential threats. Cisco threat researchers observed more than a threefold increase in encrypted network communication used by inspected malware samples over a 12-month period.

“Last year’s evolution of malware demonstrates that our adversaries continue to learn,” said John Stewart, senior vice president and chief security and trust officer at Cisco. “We have to raise the bar now – top-down leadership, business-led technology investments and practice effective security – there is too much risk, and it is up to us to reduce it.”

The defense side isn’t sitting still, either. To reduce the time that adversaries have to operate, security professionals said they are increasingly leveraging and spending more on tools that use AI and machine learning. Applying machine learning can help enhance network security defenses and, over time, “learn” how to automatically detect unusual patterns in encrypted web traffic, cloud and IoT environments.

However, some of the 3,600 CISOs interviewed for the report said they were reliant on, and eager to add, tools like machine learning and AI but were frustrated by the number of false positives such systems generate.

Security professionals also said that they see value in behavioral analytics tools in locating malicious actors in networks. A full 92% of security professionals said behavioral analytics tools work well. Two-thirds of the healthcare sector, followed by financial services, found behavior analytics to work extremely well to identify malicious actors.

The report noted that defenders are implementing a complex mix of products from a cross-section of vendors to protect against breaches. This complexity and growth in breaches has many downstream effects on an organization’s ability to defend against attacks, such as increased risk of losses. In 2017, 25% of security professionals said they used products from 11 to 20 vendors, compared with 18% of security professionals in 2016. Security professionals also said 32% of breaches affected more than half of their systems, compared with 15% in 2016.

Meanwhile, the financial cost of attacks is no longer a hypothetical number: More than half of all attacks resulted in financial damages of more than half a million dollars, including, but not limited to, lost revenue, customers, opportunities and out-of-pocket costs.

The use of cloud is growing too, and the report suggests that attackers are taking advantage of this. In this year’s study, 27% of security professionals said they are using off-premises private clouds, compared with 20% in 2016. Among them, 57% said they host networks in the cloud because of better data security, 48% because of scalability and 46% because of ease of use.

While cloud offers better data security, attackers are taking advantage of the fact that security teams are having difficulty defending evolving and expanding cloud environments. The combination of best practices, advanced security technologies like machine learning and first-line-of-defense tools like cloud security platforms can help protect this environment.

Erik Westhovens, enterprise architect at Insight, believes that its findings reveal the importance of both detection technology and employee education to organizations looking to combat the ever-evolving cybersecurity threat.

“What’s clear from Cisco’s latest research is that the cybersecurity environment is moving at an unprecedented speed, with malignant actors and defenders engaged in an arms race that would make Cold War strategists blush,” he said. “The past few months have seen the focus shift once again, from ransomware to malware, resulting in new requirements for defending against cyber-attacks…[and] the inventiveness of cyber-attackers means that the threat is always evolving.”

He added that while AI and machine learning are key to detecting novel methods quickly and finding ways to contain and neutralize them, “people should remain the first line of any cyber-defense strategy. Consider the modern flexible employee – accessing company information on the move and working with sensitive data every day, regardless of job function. Because malware frequently takes advantage of employees’ ignorance, organizations need to focus their security strategy both on detection technology and on educating their workforce on how to avoid becoming an easy route in.”

Source: Information Security Magazine

Risk and Compliance Management Moves Towards Collaboration

Managing the impact of a data breach is the top priority in risk management, yet respondents in a recent survey also reported that they lack the budget and resources to do that effectively.

Collectively, organizations today face an unprecedented volume and variety of information risks that have enterprise-wide impact, including increasingly sophisticated cybersecurity incidents, information leaks, aggressive regulatory sanctions and the proliferation of communication channels outside the control of IT or security.

According to a survey of 150 IT, compliance and security professionals conducted by communications compliance company Actiance and IDG Research, personnel are seeing more and more risks with corporate-wide impact, which has led to greater overlap in duties in fighting these threats. As a result, the majority of survey respondents highlighted the greater need for collaboration in the planning and execution of defense, monitoring and recovery strategies across IT, security and compliance. However, they require more resources across all functions. Interestingly, respondents ranked adding personnel low on the list as a solution: The addition of staff was mentioned the least as a strategy for managing risk moving forward.

On a positive note, collaboration between the three functions in the evaluation and selection of risk management solutions appears to be very high: 75% reported that their function collaborates with at least one or both of the other two departments in evaluating and selecting risk management solutions, whereas only 5% say their function alone is responsible for those tasks. Moreover, these functions want to stay on the same page moving forward – all ranked sharing common control processes as a high priority in collaborating with other departments to address information risk. Respondents across all functions overwhelmingly pointed toward clearly defined policies as an area that is working well today. Risk/compliance titles differed from others in highlighting monitoring and alerting process controls as an area that is also working well.

In terms of other priorities, managing the risk and impact of a data breach was ranked highest across all functions, with the only exception being risk/compliance titles, who ranked the loss of sensitive customer information slightly higher.

“Although the legacy technologies, buying processes, and functionally driven priorities of the last 15 to 20 years have left some organizations with redundant and ineffective risk management processes and solutions, many companies have successfully bridged the resulting informational and organizational silos,” said Robert Cruz, senior director of information governance at Actiance. “Firms are evolving toward a more holistic, collaborative model that incorporates the priorities of IT, security and compliance stakeholders.”

Source: Information Security Magazine

#TEISS18: Phishing Trends and their Impact on Future Risks

At The European Information Security Summit (TEISS) 2018 Lesley Marjoribanks, head of ethical phishing, Royal Bank of Scotland, reflected on the key phishing trends observed in the last year and their impact on phishing risks for the future.

The first notable phishing pattern of last year was impactful ransomware, Marjoribanks said, with attacks like WannaCry and NotPetya making mainstream media. “What we will see going into 2018 is attackers really going after the end-user to have the most impact, so you’re talking about hospitals, air traffic control” etc. The big news for ransomware is that it’s not going anywhere, she added; it’s going to get slicker and “we will see ransomware delivered by ‘smishing’ in the very near future.”

Another pattern is that of changing subject matter, she continued, explaining that successful phishing relies on current, timely subject matters to catch the target's attention. “For the last couple of years they [phishing subjects] were fairly innocuous (invoice attached, DHL delivery) but in the last quarter of last year we saw a real influx of more ‘grisly’ subject matters.”

Marjoribanks then referred to the trend of distraction and its emerging use in phishing techniques. “I guarantee that at some point this year there will be a large-scale ransomware attack on our bank that will act as a distraction” to the SOC, she said, with another attack coming in through the back door.

Next was what Marjoribanks called ‘long-term phishing’, which describes the time and effort fraudsters spend gathering as much information on a target as possible to maximize their attack. “Phishing is going to explode in this way,” she warned, “and we’ve already seen phishing cases that have had a lapse time of four months.”

LinkedIn is also something that is causing companies problems when it comes to phishing, Marjoribanks added, as “if there’s a rich stream of information out there – such as LinkedIn – you can bet that’s the first place fraudsters will go to mine information.”

Lastly is the growth of mobile malware in phishing attacks, something that Marjoribanks warned was likely to explode with more and more businesses offering mobile services to their customers. “It’s almost like a disaster waiting to happen, and fraudsters are clever, clever people; they always surprise us.”

To conclude, Marjoribanks said that for best phishing defense, a layered security approach is imperative and must include:

  • Awareness and education
  • Gateways
  • Secure internal processes: 2FA, patching and social media guidelines
  • Malware software

Source: Information Security Magazine

C-Level Prioritizes Breach Costs Over Customer Losses

Most UK C-level executives that have suffered a breach care about the associated costs more than losing customers, according to new research from Centrify.

The identity security vendor polled 800 CEOs, CFOs, CTOs, CIOs, and CISOs in US and UK organizations to compile its latest report, CEO Disconnect is Weakening Cybersecurity.

In the UK, 63% of respondents rated investigation, remediation and legal costs as the most important factor stemming from a breach, followed by disruption to operations (47%) and loss of intellectual property (32%).

On the one hand, the findings should mean that senior executives are ready to buy in to GDPR initiatives, given the huge new fines that could result from non-compliance.

However, it also indicates an overly narrow focus on the potential repercussions of a successful cyber-attack, resulting in security investments that continue to be piecemeal and reactive. Just 16% said loss of customers was the most important factor to consider post-breach, whilst 11% cited damage to the company’s reputation.

Yet both of these less immediately quantifiable factors can have a major long-term impact on a breached organization.

It’s claimed, for example, that TalkTalk lost over 100,000 customers after the breach in 2015.

Centrify also identified a damaging disconnect between CEOs in the UK and US and their technical C-level colleagues — with the former seeming to be heavily influenced by sensational headline-grabbing malware threats such as WannaCry.

Nearly two-thirds (65%) of CEOs claimed malware was the biggest threat to the company, compared to just 35% of CIOs, CTOs and CISOs. In fact, the technical C-level were more likely to point to identity compromise (42%) as the primary threat to their organization.

The findings are borne out by the fact that 68% of executives from companies that already experienced a breach with serious consequences said it could have been prevented by either privileged user identity and access management or user identity assurance. Just 8% said the same about anti-malware endpoint controls.

“Building a secure defense against the very real risk that data breaches pose requires investment and just like any other major cost to an organization the CEO needs to be convinced of the merits in doing so,” Centrify CTO, Barry Scott, told Infosecurity.

“This is more about educating CEOs in a language they understand about the need to invest in a comprehensive protection plan that guards against the primary threat to cybersecurity today, that is identity-related attacks, rather than reacting to the sensational headlines that malware generates.”

Source: Information Security Magazine

#TEISS18: Cybersecurity – Myths Versus Reality

Speaking at The European Information Security Summit (TEISS) 2018 in West London today Sumin Tchen, principal & founder, Belarc, explored some of the myths that surround information security and highlighted how they do not always reflect the realities of cyber-risks.

The first myth is the notion that you should prioritize securing high-value assets. The reality, Tchen explained, is that “the high-value asset is not the one that is attacked typically,” and often attackers target devices with no direct access to high-value data and then escalate privileges or find admin accounts to allow them access.

Second, he continued, is the myth that the latest endpoint protection will stop breaches, which is something that is yet to be proven, and third is the belief that IDS/IPS will halt most attacks. “There’s a lot of new technology going on with IDS, but a lot of it is still dependent on signatures, and signatures are always behind new technology. It’s not the wisest thing to be totally dependent on IDS.”

Next are the separate notions that you should focus on critical vulnerabilities and new vulnerabilities. The problem with the first, Tchen said, is that “the majority of attacks do not use critical value vulnerabilities” and regarding the second, “92% of vulnerabilities are greater than a year old. If a breach is still working, why stop a good thing? Attackers will keep using the same things that work.”

The last myth that Tchen discussed is that focusing on isolated systems is unproductive. He argued the reality is that most systems considered to be ‘isolated’ are “not quite as isolated as everyone thinks.”

To conclude, Tchen advised organizations to build cybersecurity around standards, pointing to the Center for Internet Security (CIS) Top 5 controls:

  • Identify authorized and unauthorized devices
  • Identify authorized and unauthorized software
  • Secure configuration for all devices
  • Continuous vulnerability assessment & remediation
  • Controlled use of admin privileges

Source: Information Security Magazine

Bot-Driven Credential Stuffing Hits New Heights

More than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks, according to the latest report from Akamai.

The cloud delivery provider’s latest State of the Internet/Security report for Q4 2017 comprised analysis from over 7.3 trillion bot requests per month.

It claimed that such requests account for over 30% of all web traffic across its platform per day, excluding video streaming. However, malicious activity has seen a sharp increase, as cyber-criminals look to switch botnets from DDoS attacks to using stolen credentials to try to access online accounts.

Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse. The figure rose to a staggering 82% for the hospitality industry.

The stats chime with similar data from fraud prevention specialist ThreatMetrix, which claimed in its latest Cybercrime report for Q4 2017 that there were 34 million bot attacks during the peak festive shopping period, rising to 800 million for the quarter.

It said that for some businesses bot activity can make up as much as 90% of their daily traffic.

Akamai claimed that credential stuffing can cost businesses up to $2.7m annually.

“Increased automation and data mining have caused a massive flood of bot traffic to impact websites and internet services. Although most of that traffic is useful for internet businesses, cyber-criminals are looking to manipulate the powerful volume of bots for nefarious gains,” said Akamai senior security advocate, Martin McKeay.

“Enterprises need to watch who is accessing their sites to differentiate actual humans from both legitimate and malicious bots. Not all web traffic and not all bots are created equal.”

Elsewhere in the report, the firm revealed a major increase in the volume of DDoS attacks on financial services firms: 37 organizations experienced 298 attacks during the quarter.

The UK is now the third most targeted country for web app attacks, up one place from the previous quarter, and the ninth biggest attack source.

Source: Information Security Magazine