
US Federal Contractors Lag in Cyber Best Practices

The US federal government relies on tens of thousands of contractors and subcontractors – sometimes referred to as the federal “supply chain” – to provide critical services, hold or maintain sensitive data, deliver technology and perform key functions. When it comes to their cyber-risk, BitSight has found that the cybersecurity posture of US federal contractors lags far behind that of federal agencies.

In an analysis of 1,200 federal government contractors, the mean BitSight Security Rating for federal agencies was at least 15 points higher than the mean of any contractor sector.

“To some this may be surprising: Some agencies have made public their large data breaches in recent years,” the report noted. “However, many agencies maintain a strong security posture overall and the aggregate performance of agencies has increased steadily. The mean rating for agencies as of January 2018 was 725. This is markedly higher than any of the other sectors of contractors for the US federal government observed in this study.”

The analysis reveals that 8% of healthcare/wellness contractors have disclosed a data breach since January 2016; aerospace/defense firms had the next highest breach disclosure rate at 5.6%. It also reveals that botnet infections are especially prevalent among the government contractor base, particularly for healthcare/wellness and manufacturing contractors.

The report uncovered an issue with best practices, as well: many contractors are simply not following them. On the network encryption and email security front, nearly 50% of contractors have a BitSight grade below C for the “protective technology” subcategory of the NIST Cybersecurity Framework.

Also, nearly one in five users at technology and aerospace/defense contractors have an outdated internet browser, making these employees and their organizations highly susceptible to new variants of malware.

“US government contractors, subcontractors and other third parties can be the cause of significant losses of government data,” the report notes. “Agency leadership must ensure that these organizations are protecting the sensitive government data with which they have been entrusted. Political, technology and civil service leaders within an agency all must be involved in addressing this risk.”

Source: Information Security Magazine

CISOs See Incidents Growing and Preparedness Waning

When it comes to cybersecurity and preparedness, a recent survey paints a grim picture: A full 66% of CISOs believe their organization will experience a data breach or cybersecurity exploit that will seriously diminish shareholder value in the future – even as security postures aren’t likely to improve.

A survey from Ponemon Institute and defense contractor Raytheon of 1,100 senior-level IT and IT security global practitioners found that 54% of CISOs believe that their cybersecurity posture will either stay the same (35% of respondents) or decline (19% of respondents) in the coming year. Just 46% believe their cybersecurity strategy will improve, down from 59% in 2015. Also, 60% expect their companies will have to spend more to achieve regulatory compliance and respond to lawsuits and litigation.

Worries are escalating nonetheless. With IoT devices now an unavoidable part of the enterprise, 82% of respondents predict that unsecured IoT devices will cause a data breach in their organizations, and 80% said such a breach could be catastrophic.

Further, 67% believe cyber-extortion, such as ransomware and data breaches, will increase in frequency and payout, and 60% predict nation-state attacks against government and commercial organizations will worsen and could potentially lead to a cyber-war.

The report postulated that this disconnect between the impending threat and organizations’ readiness is critical and will make 2018 even more breach-heavy than 2017.

“Our hope is that CISOs and senior leaders can use this report as a tool to start a deep dialogue about the critical need for cybersecurity within their organizations,” said Raytheon chairman and CEO Thomas Kennedy. “Every day the cyber-threat is growing more sophisticated and aggressive, posing a real threat to global businesses across all sectors. To reduce risks, leaders must urgently work with their IT teams to identify potential vulnerabilities, develop an action plan and make the investments needed to protect the value of their organization.”

The 2018 Study on Global Megatrends in Cybersecurity, however, also shows that despite growing threats, 64% of IT professionals believe cybersecurity is still not considered a strategic priority among senior leadership. Senior leadership is seen as disengaged from oversight of the organization’s cybersecurity strategy: 68% of CISO/IT executives surveyed said their boards are not briefed on measures taken to prevent or mitigate the consequences of a cyber-attack.

“Conversations around cybersecurity resiliency are happening among our nation’s top intelligence chiefs, yet business leaders still have not made cybersecurity a business priority,” said Larry Ponemon, chairman and founder of Ponemon Institute. “This important research reveals an urgent need for executives to appropriately address cyber-threats against their organizations.”

Source: Information Security Magazine

DDoS Costs Skyrocket for SMBs and Enterprises Alike

The financial impact of a distributed denial-of-service (DDoS) attack is continuing to rise globally – with significant cost spikes for both small to medium-sized businesses (SMBs) and enterprises per attack.

Kaspersky Lab’s IT Security Risks Survey 2017, which polled 5,200 business representatives from 29 countries, shows that, whether the result of a single incident or part of a multi-faceted cyberattack, the average cost to an SMB of reacting to a DDoS attack rose to $123,000 per incident in 2017, from $106,000 in 2016.

For enterprises, the cost has soared by more than half a million dollars, from $1.6 million in 2016 to $2.3 million in 2017 on average per attack. The rising financial costs of DDoS attacks, coupled with unquantifiable impacts such as reputational damage, are crippling for many organizations.

When asked about the specific consequences experienced as a result of a DDoS attack, most organizations (33%) claim that the cost incurred in fighting the attack and restoring services is the main burden, while a quarter (25%) cited money spent investing in an offline or back-up system while online services are unavailable. Additionally, 23% said that a loss of revenue and business opportunities occurred as a direct result of DDoS attacks, whereas 22% listed the loss of reputation among clients and partners as another direct consequence of a DDoS attack.

Previous Kaspersky Lab research also found that the attack rate is accelerating, with more than a third (33%) of organizations facing a DDoS attack in 2017, compared to just 17% in 2016. Even so, organizations are undereducated about taking steps to protect themselves. For instance, they often expect third parties to protect their businesses.

According to the research, 34% of organizations expect their ISP to protect them from DDoS attacks, and another 26% expect their data center or infrastructure partners to do so. Additionally, more than a quarter (28%) claim that it is unlikely they will be targeted by a DDoS attack at all.

“DDoS attacks, both standalone or as part of an attack arsenal, can cost an organization thousands, if not millions – that’s without counting reputational damage and lost clients and partners as a result,” said Kirill Ilganaev, head of Kaspersky DDoS protection, Kaspersky Lab. “It is therefore wise to be aware of these threats and invest in their own protective measures in advance. It is also important to choose reliable specialized security solutions that are based on cybersecurity expertise and tailored to fight the most sophisticated DDoS attacks organizations face today.”

Source: Information Security Magazine

Half of UK Firms Hit by Cyber-Related Fraud in Past Two Years

Nearly half of UK organizations (49%) have suffered from cyber-related fraud in the past two years, according to the latest research from PwC.

The global consulting firm polled over 7200 business decision makers to compile its Global Economic Crime & Fraud Survey.

The research is slightly unusual in treating cybercrime as a category of fraud. Counted that way, it ranks highest of the top five fraud types, ahead of asset misappropriation (32%), procurement fraud (23%), bribery and corruption (23%) and business misconduct (21%).

PwC forensics partner, Fran Marwood, confirmed to Infosecurity that: "the other categories are not cyber-related. They are what you might call traditional frauds."

“Much of the cybercrime in the UK comes from external overseas threats, and as the world’s fifth largest economy, it’s no surprise that the resources of UK organizations are seen as an attractive target by global fraudsters,” she added.

“Over half of respondents reported suffering phishing attacks, which are done on a large scale to play the odds. But ultimately cyber-defense relies on people understanding the threat, so training, awareness and escalation routes are just as important as defensive technology.”

UK organizations actually lag their international counterparts in implementing anti-fraud technology and do not appear to be using advanced tools as effectively as many of their peers.

Suspicious activity monitoring spotted just 10% of fraud, while data analytics detected only 1%, down from 8% two years ago, according to the report.

This doesn’t bode well for the future, with over two-fifths (42%) of UK respondents claiming that cybercrime would be the most disruptive ‘fraud’ type over the next two years.

More concerning still is the fact that a quarter of UK firms don’t have a cybersecurity program in place, although it does appear to be high on the agenda for most: 82% of CISOs report directly to the board, for example.

Source: Information Security Magazine

US Government in Epic Border Security Fail

The US government has been left red-faced after it emerged that its Customs and Border Protection (CBP) agency has for over a decade been unable to verify that passports are authentic, because it cannot cryptographically validate the data stored on their built-in smart chips.

Democratic Party senators Ron Wyden and Claire McCaskill sent a letter this week to the acting commissioner of the CBP, demanding that the anti-forgery and anti-tampering features of the e-passports actually be used.

The ‘smart’ passports, implemented in the US back in 2007, contain a chip storing the holder’s details together with cryptographic data (a digital signature from the issuing authority) that allows the chip contents to be verified. If that signature is checked, the chip data is virtually impossible to forge; if it is merely read and never verified, the chip offers no more assurance than the printed page.

Countries that want to retain visa waiver status must also support e-passports for their citizens.

However, the senators claimed that: “Despite these efforts, CBP lacks the technical capabilities to verify e-Passport chips.”

“CBP has been aware of this security lapse since at least 2010, when the Government Accountability Office (GAO) released a report highlighting the gap in technology,” the letter continued.

“Eight years after that publication, CBP still does not possess the technological capability to authenticate the machine-readable data in e-Passports.”

The senators argued that “it is past time” for the features to be utilized, and urged the agency to work with experts to calculate the costs before developing and implementing a plan to validate the digital signatures in smart passports.

The security fail comes amid a renewed attempt by the Trump administration to act tough on border control, with a controversial “extreme vetting” policy which requires those from certain countries to reveal detailed social media histories and other information or risk being turned away.

Source: Information Security Magazine

Cybersecurity Skills Gap Soars as Brexit Bites

The cybersecurity talent gap is greater than for any other digital skills, according to new research from Capgemini, as Brexit begins to take its toll.

The global consultancy polled over 1200 senior executives and front-line employees and analyzed social media sentiment of more than 8000 cybersecurity employees to compile its latest report, Cybersecurity Talent: The Big Gap in Cyber Protection.

It revealed that 68% of organizations reported high demand for cyber-skills in the workforce, versus 61% demanding innovation skills and 64% analytics skills. However, only 43% had “proficient skills already present in the organization”, a 25-percentage-point gap between supply and demand.

By comparison, the gap for analytics was just 13 points and for innovation 21 points.

“The cybersecurity skills gap has a very real effect on organizations in every sector,” said Mike Turner, COO of Capgemini’s Cybersecurity Global Service Line. “Spending months rather than weeks looking for suitable candidates is not only inefficient, it also leaves organizations dangerously exposed to rising incidents of cybercrime. Business leaders must urgently rethink how they recruit and retain talent, particularly if they wish to maximize the benefits from investment in digital transformation.”

What’s more, demand is set to grow, with 72% of respondents predicting high demand for cybersecurity skills in 2020.

Brexit is clearly having an impact on the UK’s attractiveness as a place to work for skilled EU workers, exacerbating talent shortages, according to experts speaking at the TEISS summit this week.

The figures come as new stats show a record drop in EU net migration to the UK. The number of EU citizens coming to the UK (220,000) decreased by 47,000 over the past year, falling to 2014 levels, while the number leaving the UK (130,000) is the highest recorded level since 2008.

Sophie Barrett-Brown, head of UK practice at immigration law firm Laura Devine Solicitors, argued that “skilled EU nationals choosing to pursue opportunities outside the UK is not a success story for the UK.

“A further fall in net migration may seem to be good news for those with concerns about immigration, but in reality it underlines a growing skills shortage impacting on businesses and public services. Behind every official statistic showing more workers leaving the UK and fewer arriving, the real story is vacancies unfilled and business potential unrealized,” she added.

“The biggest concern is the ongoing uncertainty employers face as the Brexit deadline of March 2019 approaches. With government now not due to publish proposals for the post-Brexit migration system until the end of 2018, employers are having to plan for any scenario and a number of businesses have already begun transferring some of their business functions overseas.”

Source: Information Security Magazine

McAfee: Global Cybercrime Costs Hit $600bn

Global cybercrime now costs nearly $600bn annually, with two-thirds of the world’s netizens having had their personal information stolen or compromised, according to a new McAfee report.

The Economic Impact of Cybercrime – No Slowing Down report was compiled in partnership with the non-profit Center for Strategic and International Studies (CSIS).

It focuses specifically on cybercrime that occurs when attackers illegally access computer networks to steal IP and personal data, commit fraud and financial crime, and disrupt services. The report estimated costs resulting from securing networks, purchasing cyber-insurance, recovering from incidents, damaged reputation and liability risks.

Although it’s significantly greater than the $445bn estimated in 2014, the $600bn figure could be much higher when other types of cybercrime are considered, and given the fact that under-reporting and inaccuracies are rife in some regions, according to McAfee.

The report also estimated that nearly three billion credentials and other PII have been stolen since 2014, equating to two-thirds of netizens who have had their details compromised.

With Yahoo suffering a breach of three billion records, and researchers finding 1.4 billion compromised credentials on the dark web, even this could be a conservative estimate.

It also claimed that nation states were the most “dangerous” source of cybercrime, led by Russia and North Korea, but with China pegged as the most active cyber-espionage player.

Ransomware was judged to be the fastest-growing type of cybercrime, fueled by the cybercrime-as-a-service phenomenon and the rise of crypto-currency to help perpetrators maintain anonymity online.

McAfee chief scientist, Raj Samani, warned that this trend is democratizing cybercrime to the massed ranks of less technically gifted attackers.

“Businesses often struggle to remain vigilant against threats because they have too many tools operating in silos at once — and failing to communicate with each other,” he added.

“By making sure that tools can work together and removing siloed security teams, organizations can find the right combination of people, process and technology to effectively protect data, detect threats and, when targeted, rapidly correct systems.”

The report also blamed the rise in cybercrime costs on the increasing sophistication of top-tier cyber-criminals.

Source: Information Security Magazine

Government Ramps Up ICO Fees for Large Organizations

The government has proposed increasing the maximum fees organizations must pay data protection watchdog the Information Commissioner’s Office (ICO) as the regulator looks to ramp up its activity to enforce the forthcoming GDPR.

Currently, data controllers are legally required to register with the ICO and pay either £35 or £500 annually, depending on their revenue and number of employees.

However, the government is proposing to shift this to a new three-tiered funding model which will take effect when the GDPR lands on May 25.

“The government, which has a statutory duty to ensure the ICO is adequately funded, has proposed the new funding structure based on the relative risk to the data that an organization processes,” the ICO explained. “The model is divided into three tiers and is based on a number of factors including size, turnover and whether an organization is a public authority or charity.”

Micro-organizations of fewer than 10 staff or maximum turnover of £632,000 will be charged £40 — or £35 if they pay by direct debit, making the costs unchanged from the current fees.

However, Tier 2 organizations — SMEs with maximum turnover of £36m or no more than 250 members of staff — will need to pay a £60 fee.

The biggest increase comes for Tier 3 data controllers, large organizations which must fork out £2900 — potentially a £2400 increase on what they currently pay.

“The fee is higher because these organizations are likely to hold and process the largest volumes of data, and therefore represent a greater level of risk,” the ICO claimed.

Charities will be designated as Tier 1 organizations regardless of size or turnover, whilst public authorities can classify according to staff numbers, not turnover, the ICO said in an accompanying guide.

The changes come as the ICO’s already stretched resources are expected to come under even greater pressure with the introduction of the new privacy regulation from Brussels. The government claimed its "income requirements" would increase from around £19m in 2016/17 to £33m in 2020/21.

Source: Information Security Magazine

Allentown Struggles with $1 Million Cyber-Attack

The city of Allentown, Pennsylvania, is struggling to remediate a malware attack that could cost nearly $1 million to mitigate.

According to local paper The Morning Call, the city’s critical systems have been hit by the malware known as Emotet, impacting both financial and public safety operations, Mayor Ed Pawlowski said. Allentown’s finance department can’t complete any external banking transactions, the city’s 185 surveillance cameras are impacted and the police department can’t access Pennsylvania State Police databases, Pawlowski said.

Emotet spread like wildfire around the city’s networks, self-propagating (its spreader modules brute-force credentials against network shares and harvest Outlook address books so that it can mail itself onward) and harvesting city employees’ credentials along the way. There’s an intimation that phishing was the initial infection vector: Pawlowski warned city residents not to open emails and attachments from city employees. In the past Emotet has been spread via weaponized Microsoft Word documents.

The virus impacted all city systems running Microsoft software, so the city has hired Microsoft engineers, for an initial $185,000, to handle the emergency response. Though the virus has now been contained, Pawlowski said it will cost $800,000 to $900,000 to fully remediate the damage.

Further details remain shadowy.

“I’m not trying to in any way shape or form hide anything from the public,” Pawlowski told the city council. “But we just don’t want to divulge how we’re aggressively attacking this because if it is a hacker, they can always modify their attack.”

“Shame on us for doing a disservice to our intelligence community,” said Allentown IT director Matthew Leibert, chastising the council for holding an open hearing on the incident, given that there’s an ongoing criminal investigation into where the virus came from.

Pawlowski also said the virus evaded the city’s “extensive” antivirus and firewall systems.

“This particular virus actually is unlike any other virus,” he said. “It has intelligence built in, so it keeps adapting to our systems, thus evading any firewalls that we have up.”

Emotet first emerged in 2014 as a Trojan designed to steal banking credentials from targets in Austria and Germany. It searches the targeted system for sensitive information that will be exfiltrated to the command-and-control (C2) servers under the attackers’ control. The attacker can then sell the information harvested or log into the account themselves to steal more information.

Starting late last year, the malware began spreading beyond financial targets into the US and other arenas, while adding new capabilities, including a new dropper, sandbox awareness and anti-analysis techniques.

Source: Information Security Magazine

Bad Actors Increase Focus on Cloud Services, Encryption

Malware sophistication is increasing as adversaries begin to weaponize cloud services and evade detection through encryption, which is being used as a tool to conceal command-and-control activity.

That’s according to the Cisco 2018 Annual Cybersecurity Report (ACR). It also found that while encryption is meant to enhance security, the expanded volume of encrypted web traffic (50% as of October 2017) – both legitimate and malicious – has created more challenges for defenders trying to identify and monitor potential threats. Cisco threat researchers observed more than a threefold increase in encrypted network communication used by inspected malware samples over a 12-month period.

“Last year’s evolution of malware demonstrates that our adversaries continue to learn,” said John Stewart, senior vice president and chief security and trust officer at Cisco. “We have to raise the bar now – top-down leadership, business-led technology investments and practice effective security – there is too much risk, and it is up to us to reduce it.”

The defense side isn’t sitting still, either. To reduce the time that adversaries have to operate, security professionals said they are increasingly leveraging and spending more on tools that use AI and machine learning. Applying machine learning can help enhance network security defenses and, over time, “learn” how to automatically detect unusual patterns in encrypted web traffic, cloud and IoT environments.

However, some of the 3,600 CISOs interviewed for the report said that, while they rely on and are eager to add tools like machine learning and AI, they are frustrated by the number of false positives such systems generate.

Security professionals also said that they see value in behavioral analytics tools in locating malicious actors in networks. A full 92% of security professionals said behavioral analytics tools work well. Two-thirds of the healthcare sector, followed by financial services, found behavior analytics to work extremely well to identify malicious actors.

The report noted that defenders are implementing a complex mix of products from a cross-section of vendors to protect against breaches. This complexity and growth in breaches has many downstream effects on an organization’s ability to defend against attacks, such as increased risk of losses. In 2017, 25% of security professionals said they used products from 11 to 20 vendors, compared with 18% of security professionals in 2016. Security professionals also said 32% of breaches affected more than half of their systems, compared with 15% in 2016.

Meanwhile, the financial cost of attacks is no longer a hypothetical number: More than half of all attacks resulted in financial damages of more than half a million dollars, including, but not limited to, lost revenue, customers, opportunities and out-of-pocket costs.

The use of cloud is growing too, and the report suggests that attackers are taking advantage of this. In this year’s study, 27% of security professionals said they are using off-premises private clouds, compared with 20% in 2016. Among them, 57% said they host networks in the cloud because of better data security, 48% because of scalability and 46% because of ease of use.

While respondents see cloud as offering better data security, attackers are taking advantage of the fact that security teams are having difficulty defending evolving and expanding cloud environments. The combination of best practices, advanced security technologies like machine learning and first-line-of-defense tools like cloud security platforms can help protect this environment.

Erik Westhovens, enterprise architect at Insight, believes the report’s findings reveal the importance of both detection technology and employee education to organizations looking to combat the ever-evolving cybersecurity threat.

"What’s clear from Cisco’s latest research is that the cybersecurity environment is moving at an unprecedented speed, with malignant actors and defenders engaged in an arms race that would make Cold War strategists blush,” he said. “The past few months has seen the focus shift once again, from ransomware to malware, resulting in new requirements for defending against cyber-attacks…[and] the inventiveness of cyber-attackers means that the threat is always evolving.”

He added that while AI and machine learning are key to detecting novel methods quickly and finding ways to contain and neutralize them, “people should remain the first line of any cyber-defense strategy. Consider the modern flexible employee – accessing company information on the move and working with sensitive data every day, regardless of job function. Because malware frequently takes advantage of employee's ignorance, organizations need to focus their security strategy both on detection technology and on educating their workforce on how to avoid becoming an easy route in."

Source: Information Security Magazine
