Tag Archives: cybersecurity

Building Cybersecurity KPIs for Business Leaders and Stakeholders

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/08/05/building-cybersecurity-kpis-for-business-leaders-and-stakeholders/

Building Cybersecurity KPIs for Business Leaders and Stakeholders

In the final part of our “Hackers ‘re Gonna Hack” series, we’re discussing how to bring together parts one and two of operationalising cybersecurity together into an overall strategy for your organisation, measured by key performance indicators (KPIs).

In part one, we spoke about the problem, which is the increasing cost (and risk) of cybersecurity, and proposed some solutions for making your budget go further.

In part two, we spoke about the foundational components of a target operating model and what that could look like for your business. In the third installment of our webinar series, we summarise the foundational elements required to keep pace with the changing threat landscape. In this talk, Jason Hart, Rapid7’s Chief Technology Officer for EMEA, discussed how to facilitate a move to a targeted operational model from your current operating model, one that is understood by all and leveraging KPIs the entire business will understand.

First, determine your current operating model

With senior stakeholders looking to you to help them understand risk and exposure, now is the time to highlight what you’re trying to achieve through your cybersecurity efforts. However, the reality is that most organisations have no granular visibility of their current operating model or even their approach to cybersecurity. A significant amount of money is likely being spent on deployment of technology across the organisation, which in turn garners a large amount of complex data. Yet, for the most part, security leaders find it hard to translate that data into something meaningful for their business leaders to understand.

In creating cyber KPIs, it’s important they are formed as part of a continual assessment of cyber maturity within your organisation. That means determining what business functions would have the most significant impact if they were compromised. Once you have discovered these functions, you can identify your essential data and locations, creating and attaching KPIs to the core six foundations we spoke of in part two. This will allow you to assess your level of maturity to determine your current operating model and begin setting KPIs to understand where you need to go to reach your target operating model.

Focus on 3 priority foundations

However, we all know cybersecurity is a wide-ranging discipline, making it a complex challenge that requires a holistic approach. It’s not possible to simply focus on one aspect and expect to be successful. We advise that, to begin with, security leaders consider three priority foundations: culture, measurement, and accountability.

For cybersecurity to have a positive and successful impact, we need to change our stakeholders’ mindsets to make it part of organisational culture. Everyone needs to understand its importance and why it’s necessary. We can’t simply assume everyone knows what is essential and that they’ll act. Instead, we need to measure our progress towards improving cybersecurity and hold people accountable for their efforts.

Translate cybersecurity problems into business problems

Cybersecurity problems are fundamentally business problems. That’s why it’s essential to translate them into business terms by creating KPIs for measuring the effectiveness of your cyber initiatives.

These KPIs can help you and your stakeholders understand where your organisation needs improvements, so you can develop a plan everyone understands. The core components that drive the effectiveness of a KPI, begin with defining the target, the owner, and accountability. The target is the business function or system that needs improvement. The owner is responsible for implementing the programme or meeting the KPI. Accountability is defined as who will review the data regularly to ensure progress towards achieving desired results.

40% of our webinar’s audience said they don’t currently use cybersecurity KPIs.

Additionally, when developing KPIs, it’s crucial to think about what information you’ll need to collect for them to be effective in helping you achieve your goals. KPIs are great, but to be successful, they need data. And once data is being fed into the KPIs, as security leaders, we need to translate the “technical stuff” – that is, talk about it in a way the business understands.

Remember, it’s about people, processes, and technology. Technology provides the data; processes are the glue that brings it together and makes cybersecurity part of the business process. And the people element is about taking the organisation on a journey. We need to present our KPIs in a way the organisation will understand to stakeholders who are both technical and non-technical.

Share and build the journey

As a security leader, you need to drive your company’s cybersecurity strategy and deploy it across all levels of your organisation, from the boardroom to the front lines of customer experience. However, we know that the approach we’re taking today isn’t working, as highlighted by the significant amounts of money we’re trying to throw at the problem.

So we need to take a different approach, going from a current to a target operating model, underpinned by KPIs that are further underpinned by data to take you in the direction you need to go. Not only will it reduce your organisational risk, but it will reduce your operational costs, too. But more importantly, it will translate what’s a very technical industry into a way everyone in your organisation will understand. It’s about a journey.

To find out what tools, processes, methodologies, and KPIs are needed to articulate key cybersecurity goals and objectives while illustrating ROI and keeping stakeholders accountable, watch part three of “Cybersecurity Series: Hackers ‘re Gonna Hack.”

Additional reading:


Get the latest stories, expertise, and news about security today.

Securing Open-Source Software

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/07/securing-open-source-software.html

Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such:

Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualities of a public good and is as indispensable as national highways. Given open source’s value as a public asset, an institutional structure must be built that sustains and secures it.

This is not a novel idea. Open-source code has been called the “roads and bridges” of the current digital infrastructure that warrants the same “focus and funding.” Eric Brewer of Google explicitly called open-source software “critical infrastructure” in a recent keynote at the Open Source Summit in Austin, Texas. Several nations have adopted regulations that recognize open-source projects as significant public assets and central to their most important systems and services. Germany wants to treat open-source software as a public good and launched a sovereign tech fund to support open-source projects “just as much as bridges and roads,” and not just when a bridge collapses. The European Union adopted a formal open-source strategy that encourages it to “explore opportunities for dedicated support services for open source solutions [it] considers critical.”

Designing an institutional framework that would secure open source requires addressing adverse incentives, ensuring efficient resource allocation, and imposing minimum standards. But not all open-source projects are made equal. The first step is to identify which projects warrant this heightened level of scrutiny—projects that are critical to society. CISA defines critical infrastructure as industry sectors “so vital to the United States that [its] incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Efforts should target the open-source projects that share those features.

Apple’s Lockdown Mode

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/07/apples-lockdown-mode-2.html

I haven’t written about Apple’s Lockdown Mode yet, mostly because I haven’t delved into the details. This is how Apple describes it:

Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware. Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.

At launch, Lockdown Mode includes the following protections:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

What Apple has done here is really interesting. It’s common to trade security off for usability, and the results of that are all over Apple’s operating systems—and everywhere else on the Internet. What they’re doing with Lockdown Mode is the reverse: they’re trading usability for security. The result is a user experience with fewer features, but a much smaller attack surface. And they aren’t just removing random features; they’re removing features that are common attack vectors.

There aren’t a lot of people who need Lockdown Mode, but it’s an excellent option for those who do.

News article.

EDITED TO ADD (7/31): An analysis of the effect of Lockdown Mode on Safari.

Eligible customers can now order a free MFA security key

Post Syndicated from CJ Moses original https://aws.amazon.com/blogs/security/eligible-customers-can-now-order-a-free-mfa-security-key/

One of the best ways for individuals and businesses to protect themselves online is through multi-factor authentication (MFA). MFA offers an additional layer of protection to help prevent unauthorized individuals from gaining access to systems or data.

In fall 2021, Amazon Web Services (AWS) Security began offering a free MFA security key to AWS account owners in the United States. I’m happy to announce that eligible customers can now order the free security key through the ordering portal in the AWS Management Console. In response to customer demand, we’ve streamlined the ordering process, especially for linked accounts. At this time, only U.S.-based AWS account root users who have spent more than $100 each month over the past 3 months are eligible to place an order.

To order your free security key

  1. Confirm your eligibility at the ordering portal. You will be prompted to sign in if you haven’t already.
  2. Choose your free security key from the available options.
  3. Provide your email address for order confirmation and your shipping address.
  4. Place your order.

You can connect the security key to AWS, as well as other security key–enabled applications, such as Dropbox, GitHub, and Gmail. If your organization is still early in adopting MFA, the free security key is another way to help protect your AWS account credentials, as well as to jump start your MFA journey by showing how convenient modern security keys are to use. As you expand your AWS usage, all your users should obtain and enable MFA. This can be done at the AWS Identity and Access Management (IAM) user level in the AWS identity system or upstream in your federated identity provider, since using federated identities is a best practice.

We encourage everyone to use MFA to help protect themselves online. Although some applications do not yet support security keys, nearly all provide an MFA option, such as time-based password codes or mobile push notifications. So, whether you’re signing in to your AWS account, your favorite social networks, or your bank account, MFA can help level-up your security posture.

If you’re not eligible for a free security key but would still like a security key, check out our MFA recommendations, which are available for purchase from many sellers, including Amazon. For more information about the MFA program, see our Free MFA Security Key page.

If you have feedback about this post, submit comments in the Comments section below.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

CJ Moses

CJ Moses

CJ is the Chief Information Security Officer (CISO) at AWS, where he leads product design and security engineering. His mission is to deliver the economic and security benefits of cloud computing to business and government customers. Previously, CJ led the technical analysis of computer and network intrusion efforts at the U.S. Federal Bureau of Investigation Cyber Division. He also served as a Special Agent with the U.S. Air Force Office of Special Investigations (AFOSI). CJ led several computer intrusion investigations seen as foundational to the information security industry today.

How to Build and Enable a Cyber Target Operating Model

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/07/08/how-to-build-and-enable-a-cyber-target-operating-model/

How to Build and Enable a Cyber Target Operating Model

Cybersecurity is complex and ever-changing. Organisations should be able to evaluate their capabilities and identify areas where improvement is needed.

In the webinar “Foundational Components to Enable a Cyber Target Operating Model,” – part two of our Cybersecurity Series – Jason Hart, Chief Technology Officer, EMEA, explained the journey to a targeted operating cybersecurity model. To build a cybersecurity program is to understand your business context. Hart explains how organisations can use this information to map out their cyber risk profile and identify areas for improvement.

Organisations require an integrated approach to manage all aspects of their cyber risk holistically and efficiently. They need to be able to manage their information security program as part of their overall risk management strategy to address both internal and external cyber threats effectively.

Identifying priority areas to begin the cyber target operating model journey

You should first determine what data is most important to protect, where it resides, and who has access to it. Once you’ve pinned down these areas, you can identify each responsible business function to create a list of priorities. We suggest mapping out:

  • All the types of data within your organisation
  • All locations where the data resides, including cloud, database, virtual machine, desktops, and servers
  • All the people that have access to the data and its locations
  • The business function associated with each area

Once you have identified the most recurring business functions, you can list your priority areas. Only 12% of our webinar audience said they were confident in understanding their organisation’s type of data.

Foundations to identify risk, protection, detection, response, and recovery

To start operationalising cybersecurity within a targeted area, we first set the maturity of each foundation. A strong foundation will help ensure all systems are protected from attacks and emerging threats. People play a critical role in providing protection and cyber resilience. They should be aware of potential risks so they can take appropriate actions to protect themselves and their business function.

1. Culture

A set of values shared by everyone in an organisation determines how people think and approach cybersecurity. Your culture should emphasise, reinforce, and drive behaviour to create a resilient workforce.

Every security awareness program should, at minimum, communicate security policy requirements to staff. Tracking employee policy acknowledgements will ensure your workforce is aware of the policy and helps you meet compliance requirements.

A quick response can reduce damages from an attack. Security awareness training should teach your workforce how to self-report incidents, malicious files, or phishing emails. This metric will prove you have safeguards in place. Tailor security awareness training to employees’ roles and functions to measure the effectiveness of each department.

2. Measurement

Measuring the ability to identify, protect, detect, respond, and recover from cybersecurity risks and threats enables a robust operating model. The best approach requires an understanding of what your most significant risks are. Consider analysing the following:

  • Phishing rate: A reduction in the phishing rate over time provides increased awareness of security threats and the effectiveness of awareness training. Leverage a phishing simulation to document the open rates per business function to track phishing risks.
  • The number of security breaches: Track and record the number of new incidents and breaches every month. Measure a monthly percentage increase or decrease.
  • Mean time to detect (MTTD): Calculate how long it takes your team to become aware of indicators of compromise and other security threats. To calculate MTTD, take the sum of the hours spent detecting, acknowledging, and resolving an alert, and divide it by the number of incidents.
  • Patching cadence: Determine how long it takes to implement application security patches or mitigate high-risk CVE-listed vulnerabilities.
  • Mean time to recovery (MTTR): Take the sum of downtime for a given period and divide it by the number of incidents. For example, if you had 20 minutes of downtime caused by two different events over two days, your MTTR is 20 divided by two, equalling 10 minutes.

3. Accountability

A security goal generates the requirement for actions of an entity to be traced uniquely to support non-repudiation, deterrence, fault isolation, intrusion detection, prevention, after-action recovery, and legal action.

The quality of your incident response plan will determine how much time passes between assigning tasks to different business functions. Calculate the mean time between business functions aware of a cyber attack and their response. Additionally, calculate the mean time to resolve a cyber attack once they have become aware by measuring how much time passes between assigning tasks to different business functions.

Also, consider recording how internal stakeholders perform with awareness or other security program efforts to track the effectiveness of training.

4. Process

Processes are critical to implementing an effective strategy and help maintain and support operationalising cybersecurity.

To determine your increase in the number of risks, link the percent differences in the number of risks identified across the business monthly. Identify accepted risks by stakeholders and vendors monthly, and hold regular information security forums between business functions to review levels of progress. It’s also wise to document meeting notes and actions for compliance and internal reference.

5. Resources

Ownership of cybersecurity across the business creates knowledge to manage, maintain and operate cybersecurity.

When determining the effectiveness of resources, analyse what levels of training you give different levels of stakeholders. For example, administration training will differ from targeted executives.

Calculate the engagement levels of input and feedback from previous awareness training and record positive and negative feedback from all stakeholders. Ensure that different parts of the business have the required skill level and knowledge within the business function’s scope. Use a skills matrix aligned to security domains to uncover stakeholders’ hidden knowledge or skill gaps.

6. Automation

The automation of security tasks includes administrative duties, incident detection, response, and identification risk.

Consider implementing automation in vulnerability management processes internally and externally to the business. Additionally, detect intrusion attempts and malicious actions that try to breach your networks. And finally, automate patch management actions on all assets within scope by assessing the number of patches deployed per month based on the environment, i.e. cloud.

A journey that delivers outcomes

A cyber-targeted operating model is a unique approach that provides defensibility, detectability, and accountability. The model is based on the idea that you can’t protect what you don’t know and aims to provide a holistic view of your organisation’s security posture. By identifying the most critical business functions and defining a process for each foundation, you can develop your cyber maturity over time.

To get the maximum benefit from Cybersecurity Series: Hackers ‘re Gonna Hack, watch Part One: Operationalising Cybersecurity to benchmark your existing maturity against the six foundational components. Watch Part 2: Foundational Components to Enable a Cyber Target Operating Model on-demand, or pre-register for Part Three: Cybersecurity KPIs to Track and Share with Your Board to begin mapping against your priority areas. Attendees will receive a complete list of Cybersecurity KPIs that align with the maturity level of your organisation.

Additional reading:


Get the latest stories, expertise, and news about security today.

When Security Locks You Out of Everything

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/06/__trashed-2.html

Thought experiment story of someone who lost everything in a house fire, and now can’t log into anything:

But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in—you guessed it—my Password Manager.

I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.

It’s a one-in-a-million story, and one that’s hard to take into account in system design.

This is where we reach the limits of the “Code Is Law” movement.

In the boring analogue world—I am pretty sure that I’d be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is possible.

But when things are secured by an unassailable algorithm—I am out of luck. No amount of pleading will let me without the correct credentials. The company which provides my password manager simply doesn’t have access to my passwords. There is no-one to convince. Code is law.

Of course, if I can wangle my way past security, an evil-doer could also do so.

So which is the bigger risk?

  • An impersonator who convinces a service provider that they are me?
  • A malicious insider who works for a service provider?
  • Me permanently losing access to all of my identifiers?

I don’t know the answer to that.

Those risks are in the order of most common to least common, but that doesn’t necessarily mean that they are in risk order. They probably are, but then we’re left with no good way to handle someone who has lost all their digital credentials—computer, phone, backup, hardware token, wallet with ID cards—in a catastrophic house fire.

I want to remind readers that this isn’t a true story. It didn’t actually happen. It’s a thought experiment.

4 Strategies to Help Your Cybersecurity Budget Work Harder

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/06/17/4-strategies-to-help-your-cybersecurity-budget-work-harder/

4 Strategies to Help Your Cybersecurity Budget Work Harder

The digital economy is being disrupted by data. An estimated 79 zettabytes of data was created and consumed in 2021— a staggering amount that is reshaping how we do business. But as the volume and value of data increases, so does the motivation for hackers to steal it. As such, cybersecurity is a growing concern for organisations across all industries, and budget requests are increasing as a result.

But if we’re spending more, why are organisations still getting hacked at an increasing rate?

In the first webinar of Cybersecurity Series: Hackers ‘re Gonna Hack, Jason Hart, Chief Technology Officer, EMEA, Rapid7, shared his experience on why executives need to reconsider their current operating model and ensure their cybersecurity budgets are working as hard as possible.

84% of our webinar audience agreed that doubling their cybersecurity budget would not halve the risk or impact for their business.

Cybersecurity departments are finding it extremely challenging to justify increases to their budget when they are not seen as directly contributing to revenue. There was also a time when cyber insurance was regarded as a safeguard and magic wand to protect us from risks. But now, these providers are placing more onus on organisations to ensure preventative measures are in place, including risk assessment, controls, and cybersecurity operations.

In an ever-evolving landscape, it is essential to take a step back and consider how you can improve your approach. The key question remains, “How do you do more with less?” You can’t protect everything – you need to understand what matters most and be able to manage, mitigate, and transfer risks by working with a range of stakeholders throughout your organisation. Here are four strategies that can help.

1. Embrace the evolution of profit and loss for cybersecurity

A profit-and-loss framework for cybersecurity enables organisations to identify their current level of risk, prioritise their efforts based on those risks, and then set benchmarks for improvements over time. The goal is to create an environment where you can proactively manage your cybersecurity risks rather than reactively mitigate them after they’ve occurred.

61% of our audience agreed they need to approach cybersecurity from a profit-and-loss perspective.

2. Become situation-aware

Awareness is the ability to look at all the information available, recognise what’s important, and act accordingly. It’s a skill that can be learned, practised, and improved over time.

You can’t fix what you don’t know, so it’s essential to have a clear understanding of the risks in your organisation and those that might arise in the future. We believe there are three levels of awareness:

  • Situation awareness: When an organisation understands the critical (people, data and process) and operational elements for executing information security strategy.
  • Situation ignorance: When organisations assume everything is OK without considering the impact of people, data, and processes. They may be implementing security control and awareness training, but there is no straightforward process. The strategy does not align to risk reduction and mitigation, and budgets continue to increase.
  • Situation arrogance: Organisations that continue to spend huge amounts of budget, while still getting compromised and breached. They might consider people, data, and process, but they fail to act.

57% of our audience believed they were situation-aware. 31% percent said they were situation-ignorant, and 11% felt their organisations were situation-arrogant.

Try to identify your organisation’s cyber maturity to make improvements. To test impact and likelihood, ask your peers – in the event of a breach, what data would you be most concerned about if hackers applied ransomware to it? To test risk versus control effectiveness, consider where that data is located. When understanding impact and level of risk, find out what business functions would be affected.

3. Adapt or become irrelevant

Cybersecurity operations should be tailored to your organisation’s unique needs; there’s no one-size-fits-all approach. The move away from traditional operation models to a more targeted one requires a strong foundation for transformation and change. This includes:

  • Culture
  • Process
  • Measurement
  • Resources
  • Accountability
  • Automation

Only 27% of our audience believed they have the foundations for a targeted operations model to carry over to cybersecurity.

4. Implement protection-level agreements

To eradicate and remove a critical vulnerability, you might need to reboot, consider patch management, or bring systems down. This can be hard to assign a value, but it will inevitably increase your budget.

For example, to reduce a critical vulnerability, the average annual cost for the business is £1 million per year. But what if we set up a protection-level agreement (PLA) so that any critical vulnerabilities are eradicated and managed within 30 days? That would reduce operational costs to approximately £250,000 per year.

But what if you are hacked on day 25? That isn’t not a control failure – it results from a business decision that has been agreed upon. PLAs enable you to track and monitor threat activity so the business and leadership team can understand why you were breached. The approach also highlights gaps in your foundation, enabling you to address them before they become serious problems. For example, it might highlight potential challenges in handoff, process, or accountability. Additionally, a PLA is a language your stakeholders understand.

Everyone is on the same journey

Each stakeholder in your organisation is at a different stage of their journey. They have different expectations about how cybersecurity will impact them or their department. They also have different levels of technical knowledge. When planning communications, consider these differences to get them on board with your vision, working with them to ensure everyone’s expectations can be met.

Register for Part 2 Cybersecurity: Hackers ‘re Gonna Hack to find out more about getting your executive team on board. Jason Hart, Chief Technology Officer, EMEA, Rapid7, will show you how to implement new ideas to build your target operating model to drive effectiveness and change.

Additional reading:


Get the latest stories, expertise, and news about security today.

Complimentary GartnerⓇ Report “How to Respond to the 2022 Cyberthreat Landscape”: Ransomware Edition

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2022/06/15/complimentary-gartner-report-how-to-respond-to-the-2022-cyberthreat-landscape-ransomware-edition/

Complimentary GartnerⓇ Report

First things first — if you’re a member of a cybersecurity team bouncing from one stressful identify vulnerability, patch, repeat cycle to another, claim your copy of the GartnerⓇ report “How to Respond to the 2022 Cyberthreat Landscape” right now. It will help you understand the current landscape and better plan for what’s happening now and in the near term.

Ransomware is on the tip of every security professional’s tongue right now, and for good reason. It’s growing, spreading, and evolving faster than many organizations can keep up with. But just because we may all be targets doesn’t mean we have to be victims.

The analysts at Gartner have taken a good, long look at the latest trends in security, with a particular eye toward ransomware, and they had this to say about attacker trends in their report.

Expect attackers to:

  • “Diversify their targets by pursuing lower-profile targets more frequently, using smaller attacks to avoid attention from well-funded nation states.”
  • “Attack critical CPS, particularly when motivated by geopolitical tensions and aligned ransomware actors.”
  • “Optimize ransomware delivery by using ‘known good’ cloud applications, such as enterprise productivity software as a service (SaaS) suites, and using encryption to hide their activities.”
  • “Target individual employees, particularly those working remotely using potentially vulnerable remote access services like Remote Desktop Protocol (RDP) services, or simply bribe employees for access to organizations with a view to launching larger ransomware campaigns.”
  • “Exfiltrate data as part of attempts to blackmail companies into paying ransom or risk data breach disclosure, which may result in regulatory fines and limits the benefits of the traditional mitigation method of ‘just restore quickly.'”
  • “Combine ransomware with other techniques, such as distributed denial of service (DDoS) attacks, to force public-facing services offline until organizations pay a ransom.”

Ransomware is most definitely considered a “top threat,” and it has moved beyond just an IT problem but one that involves governments around the globe. Attackers recognize that the game got a lot bigger with well-funded nations joining the fray to combat it, so their tactics will be targeted, small, diverse, and more frequent to avoid poking the bear(s). Expect to see smaller organizations targeted more often and as part of ransomware-as-a-service campaigns.

Gartner also says that attackers will use RaaS to attack critical infrastructure like CPS more frequently:

“Attackers will aim at smaller targets and deliver ‘ransomware as a service’ to other groups. This will enable more targeted and sophisticated attacks, as the group targeting an organization will have access to ransomware developed by a specialist group. Attackers will also target critical assets, such as CPS.”

Mitigating ransomware

But there are things we can do to mitigate ransomware attacks and push back against the attackers. Gartner suggests several key recommendations, including:

  • “Construct a pre-incident strategy that includes backup (including a restore test), asset management, and restriction of user privileges.”
  • “Build post-incident response procedures by training staff and scheduling regular drills.”
  • “Expand the scope of ransomware protection programs to CPS.”
  • “Increase cross-team training for the nontechnical aspects of a ransomware incident.
  • “Remember that payment of a ransom does not guarantee erasure of exfiltrated data, full recovery of encrypted data, or immediate restoration of operations.”
  • “Don’t rely on cyber insurance only. There is frequently a disconnect between what executive leaders expect a cybersecurity insurance policy to cover and what it actually does cover.”

At Rapid7, we have the risk management, detection and response, and threat intelligence tools your organization needs to not only keep up with the evolution in ransomware threat actors, but to implement best practices of the industry.

If you want to learn more about what cybersecurity threats are out there now and on the horizon, check out the complimentary Gartner report.

Gartner, How to Respond to the 2022 Cyberthreat Landscape, 1 April 2022, by Jeremy D’Hoinne, John Watts, Katell Thielemann

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.


Get the latest stories, expertise, and news about security today.

Additional reading:

M1 Chip Vulnerability

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/06/m1-chip-vulnerability.html

This is a new vulnerability against Apple’s M1 chip. Researchers say that it is unpatchable.

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.

The attack, appropriately called “Pacman,” works by “guessing” a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn’t been maliciously altered. This is done using speculative execution—a technique used by modern computer processors to speed up performance by speculatively guessing various lines of computation—to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct.

What’s more, since there are only so many possible values for the PAC, the researchers found that it’s possible to try them all to find the right one.

It’s not obvious how to exploit this vulnerability in the wild, so I’m unsure how important this is. Also, I don’t know if it also applies to Apple’s new M2 chip.

Research paper. Another news article.

Defending Against Tomorrow’s Threats: Insights From RSAC 2022

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/06/13/defending-against-tomorrows-threats-insights-from-rsac-2022/

Defending Against Tomorrow's Threats: Insights From RSAC 2022

The rapidly changing pace of the cyberthreat landscape is on every security pro’s mind. Not only do organizations need to secure complex cloud environments, they’re also more aware than ever that their software supply chains and open-source elements of their application codebase might not be as ironclad as they thought.

It should come as no surprise, then, that defending against a new slate of emerging threats was a major theme at RSAC 2022. Here’s a closer look at what some Rapid7 experts who presented at this year’s RSA conference in San Francisco had to say about staying ahead of attackers in the months to come.

Surveying the threat landscape

Security practitioners often turn to Twitter for the latest news and insights from peers. As Raj Samani, SVP and Chief Data Scientist, and Lead Security Researcher Spencer McIntyre pointed out in their RSA talk, “Into the Wild: Exploring Today’s Top Threats,” the trend holds true when it comes to emerging threats.

“For many people, identifying threats is actually done through somebody that I follow on Twitter posting details about a particular vulnerability,” said Raj.

As Spencer noted, security teams need to be able to filter all these inputs and identify the actual priorities that require immediate patching and remediation. And that’s where the difficulty comes in.

“How do you manage a patching strategy when there are critical vulnerabilities coming out … it seems weekly?” Raj asked. “Criminals are exploiting these vulnerabilities literally in days, if that,” he continued.

Indeed, the average time to exploit — i.e., the interval between a vulnerability being discovered by researchers and clear evidence of attackers using it in the wild — plummeted from 42 days in 2020 to 17 days in 2021, as noted in Rapid7’s latest Vulnerability Intelligence Report. With so many threats emerging at a rapid clip and so little time to react, defenders need the tools and expertise to understand which vulnerabilities to prioritize and how attackers are exploiting them.

“Unless we get a degree of context and an understanding of what’s happening, we’re going to end up ignoring many of these vulnerabilities because we’ve just got other things to worry about,” said Raj.

The evolving threat of ransomware

One of the things that worry security analysts, of course, is ransomware — and as the threat has grown in size and scope, the ransomware market itself has changed. Cybercriminals are leveraging this attack vector in new ways, and defenders need to adapt their strategies accordingly.

That was the theme that Erick Galinkin, Principal AI Researcher, covered in his RSA talk, “How to Pivot Fast and Defend Against Ransomware.” Erick identified four emerging ransomware trends that defenders need to be aware of:

  • Double extortion: In this type of attack, threat actors not only demand a ransom for the data they’ve stolen and encrypted but also extort organizations for a second time — pay an additional fee, or they’ll leak the data. This means that even if you have backups of your data, you’re still at risk from this secondary ransomware tactic.
  • Ransomware as a service (RaaS): Not all threat actors know how to write highly effective ransomware. With RaaS, they can simply purchase malicious software from a provider, who takes a cut of the payout. The result is a broader and more decentralized network of ransomware attackers.
  • Access brokers: A kind of mirror image to RaaS, access brokers give a leg up to bad actors who want to run ransomware on an organization’s systems but need an initial point of entry. Now, that access is for sale in the form of phished credentials, cracked passwords, or leaked data.
  • Lateral movement: Once a ransomware attacker has infiltrated an organization’s network, they can use lateral movement techniques to gain a higher level of access and ransom the most sensitive, high-value data they can find.

With the ransomware threat growing by the day and attackers’ techniques growing more sophisticated, security pros need to adapt to the new landscape. Here are a few of the strategies Erick recommended for defending against these new ransomware tactics.

  • Continue to back up all your data, and protect the most sensitive data with strong admin controls.
  • Don’t get complacent about credential theft — the spoils of a might-be phishing attack could be sold by an access broker as an entry point for ransomware.
  • Implement the principle of least privilege, so only administrator accounts can perform administrator functions — this will help make lateral movement easier to detect.

Shaping a new kind of SOC

With so much changing in the threat landscape, how should the security operations center (SOC) respond?

This was the focus of “Future Proofing the SOC: A CISO’s Perspective,” the RSA talk from Jeffrey Gardner, Practice Advisor for Detection and Response (D&R). In addition to the sprawling attack surface, security analysts are also experiencing a high degree of burnout, understandably overwhelmed by the sheer volume of alerts and threats. To alleviate some of the pressure, SOC teams need a few key things:

For Jeffrey, these needs are best met through a hybrid SOC model — one that combines internally owned SOC resources and staff with external capabilities offered through a provider, for a best-of-both-worlds approach. The framework for this approach is already in place, but the version that Jeffrey and others at Rapid7 envision involves some shifting of paradigms. These include:

  • Collapsing the distinction between product and service and moving toward “everything as a service,” with a unified platform that allows resources — which includes everything from in-product features to provider expertise and guidance — to be delivered at a sliding scale
  • Ensuring full transparency, so the organization understands not only what’s going on in their own SOC but also in their provider’s, through the use of shared solutions
  • More customization, with workflows, escalations, and deliverables tailored to the customer’s needs

Meeting the moment

It’s critical to stay up to date with the most current vulnerabilities we’re seeing and the ways attackers are exploiting them — but to be truly valuable, those insights must translate into action. Defenders need strategies tailored to the realities of today’s threat landscape.

For our RSA 2022 presenters, that might mean going back to basics with consistent data backups and strong admin controls. Or it might mean going bold by fully reimagining the modern SOC. The techniques don’t have to be new or fancy or to be effective — they simply have to meet the moment. (Although if the right tactics turn out to be big and game-changing, we’ll be as excited as the next security pro.)

Looking for more insights on how defenders can protect their organizations amid today’s highly dynamic threat landscape? You can watch these presentations — and even more from our Rapid7 speakers — at our library of replays from RSAC 2022.

Additional reading


Get the latest stories, expertise, and news about security today.

[VIDEO] An Inside Look at the RSA 2022 Experience From the Rapid7 Team​

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/06/10/video-an-inside-look-at-the-rsa-2022-experience-from-the-rapid7-team/

[VIDEO] An Inside Look at the RSA 2022 Experience From the Rapid7 Team​

The two years since the last RSA Conference have been pretty uneventful. Sure, COVID-19 sent us all to work from home for a little while, but it’s not as though we’ve seen any supply-chain-shattering breaches, headline-grabbing ransomware attacks, internet-inferno vulnerabilities, or anything like that. We’ve mostly just been baking sourdough bread and doing woodworking in between Zoom meetings.

OK, just kidding on basically all of that (although I, for one, have continued to hone my sourdough game). ​

The reality has been quite the opposite. Whether it’s because an unprecedented number of crazy things have happened since March 2020 or because pandemic-era uncertainty has made all of our experiences feel a little more heightened, the past 24 months have been a lot. And now that restrictions on gatherings are largely lifted in most places, many of us are feeling like we need a chance to get together and debrief on what we’ve all been through.

Given that context, what better timing could there have been for RSAC 2022? This past week, a crew of Rapid7 team members gathered in San Francisco to sync up with the greater cybersecurity community and take stock of how we can all stay ahead of attackers and ready for the future in the months to come. We asked four of them — Jeffrey Gardner, Practice Advisor – Detection & Response; Tod Beardsley, Director of Research; Kelly Allen, Social Media Manager; and Erick Galinkin, Principal Artificial Intelligence Researcher — to tell us a little bit about their RSAC 2022 experience. Here’s a look at what they had to say — and a glimpse into the excitement and energy of this year’s RSA Conference.

What’s it been like returning to full-scale in-person events after 2 years?

[VIDEO] An Inside Look at the RSA 2022 Experience From the Rapid7 Team​

What was your favorite session or speaker of the week? What made them stand out?

[VIDEO] An Inside Look at the RSA 2022 Experience From the Rapid7 Team​

What was your biggest takeaway from the conference? How will it shape the way you think about and practice cybersecurity in the months to come?

[VIDEO] An Inside Look at the RSA 2022 Experience From the Rapid7 Team​

Want to relive the RSA experience for yourself? Check out our replays of Rapid7 speakers’ sessions from the week.

Additional reading:


Get the latest stories, expertise, and news about security today.

Cybersecurity Is More Than a Checklist: Joel Yonts on Tech’s Unfair Disadvantage

Post Syndicated from Peter Scott original https://blog.rapid7.com/2022/06/03/cybersecurity-is-more-than-a-checklist-joel-yonts-on-techs-unfair-disadvantage/

Cybersecurity Is More Than a Checklist: Joel Yonts on Tech’s Unfair Disadvantage

Breaches caused by misconfigurations are alarmingly common. Over a third of all cyberattacks in 2020 were the result of firewall, cloud, and server misconfigurations. The tech industry is at the highest risk of bad actors taking advantage of these preventable vulnerabilities, with the information sector falling victim to a majority of 2021’s breaches caused by misconfigurations. One such instance is the Android app data leak, which compromised over 100 million users’ data.

As organizations mature and innovate, so do malicious actors – and many of them target tech companies’ public cloud infrastructure. In today’s world of rapid development, companies must prioritize the protection of their infrastructure with a mix of people, processes, and technology.

Achieving this means going beyond tactical security approaches and instilling organization-wide commitment. While checklists can be a helpful tool, security has to go beyond that; it should be a mission rather than a to-do list to set aside when complete. Neglecting to fulfill that mission can cause serious financial and reputational damage.

When it comes to strengthening their security postures, tech companies must address an industry-specific set of challenges. Recently, we were fortunate to sit down with Joel Yonts, Chief Research Officer and Strategist at Malicious Streams and CEO at Secure Robotics.ai. A seasoned security executive with over 25 years of experience, Yonts’s expertise in enterprise security, digital forensics, artificial intelligence, and robotic and IoT systems gives him a nuanced, data-driven perspective.

Read our Q&A below to get his insights on today’s best practices in security for tech companies.

Can you tell us what you do in your roles as Chief Research Officer and Strategist at Malicious Streams and CEO at Secure Robotics?

Malicious Streams delivers holistic cybersecurity strategies. The most complex things that I deal with are people – researching, listening, and observing how people work at all levels to determine how I can connect them.

I am a fractional CISO for several multinational organizations. I also build cybersecurity programs, do cyber maturity assessments, and build cybersecurity strategies in emerging areas.

In true Joel fashion, however, I needed more research time than I was getting in those roles. So, I spun up Secure Robotics.ai as a side company to Malicious Streams. Secure Robotics focuses on cyber protection for intelligent machines.

There’s a technology and capability gap right now: Technology adoption has outpaced cybersecurity. There are areas where we can’t protect these intelligent machines properly. I’m focused on developing practices and capabilities like digital forensics to better secure artificial intelligence systems.

How do you think about the tech adoption/security maturity gap? How do you address it?

This is one of the things that I talk about often: In cybersecurity, things move fast. The attacker-defender cycle is nonstop — as one side innovates, the other side does too. It’s a zero-sum game, a head-to-head competition. Every time a company innovates and creates some new technology or security tool, I always ask, “How are the attackers going to innovate to address that?”

For example, if you’ve got a new technology that improves network security, you can project that cybercriminals might subvert that by attacking the host. They might go upstream or downstream from there. Once you accept that, you can start thinking through those patterns and plan for early detection and prevention in those new areas.

In other words, if you don’t think a couple of moves ahead in cybersecurity, you will lose. The attackers can mobilize and deploy technology far faster than companies can. Anticipation is very important for long-term security.

When you’re working with companies on their cybersecurity strategies, how do you decide what to prioritize?

One of the biggest problems that I deal with in cybersecurity is priorities. Everybody’s got them. But many organizations have far too many, and this creates a problem when it comes to focusing resources. We need to wrangle them down to just a few of the highest-risk and greatest-value items for us to be successful.

We’ve seen the collapse of the castle walls around corporate networks. I’ve heard it said that the internet has become the new corporate network, and it’s such a true statement.

A corporate solution isn’t one monolithic server in a data center anymore. It is a cloud solution connected to seven SaaS solutions and three other cloud environments. This network of technologies may communicate across the product network or through the open internet. This requires different security approaches than in the past.

Another big priority that I see is identity and access management (IAM). Regretfully, I still see a lot of companies struggling with multi-factor authentication. There are still people working to catch up because there are some complexities associated with IAM, but it’s a high-risk area and should be a priority. IAM is a foundation in security that is expected to be in place. Incidents here are likely to create additional brand damage and draw regulators’ attention.

Another big challenge is cyber insurance. Rates are skyrocketing — double or triple what they used to be. Often, your rate will depend on how well you can prove the maturity of your cyber program. One of the questions they’re likely to ask is, “Do you use multi-factor authentication?” Every cyber insurance company will ask that question because it’s such an effective control. If you answer their questions wrong, it could cost you millions of dollars in higher premiums.

What have been the most valuable developments in cybersecurity in recent years?

The first thing that jumps to mind is EDR technology. We obviously want to solve cybersecurity challenges much earlier in the process. But EDR is instrumental in the detection and response phases.

EDR products can catch an attacker in an environment very quickly, even if they’re using stealthy technologies. These days, attackers don’t deploy a bunch of new tools when they break into an environment; they just use the tools you already have against you. But even in those scenarios, EDR has been a massive game-changer.

The most significant advancement in cybersecurity hasn’t been improving vulnerability detection but improving vulnerability management. If you find one security flaw in a company, that’s manageable. But what if you find 700,000 flaws in a company? How do you sort through that in a meaningful way so you can prioritize, communicate, take action, and maintain an audit trail? That’s where I’ve seen a lot of innovation recently.

We’ve been in the cloud now for a while. Many companies are still doing cloud security wrong in many ways, but I think that the move to cloud security posture management and the adoption of multi-cloud tools for visibility and control have been significant steps in the right direction.

What challenges do tech companies face that other companies don’t necessarily wrestle with?

One of the big ones is the level of forgiveness from users. Whether you’re selling a piece of technology or a security service, if you have a breach or a major vulnerability, there’s a lot less forgiveness than if you’re a retailer with the same issue. The high expectations mean you have to be more diligent to keep your customers happy.

Fair or not, people think, “I need technology companies to help solve my problems, not add to my problems.” When a retailer or manufacturer has a public cybersecurity issue, you don’t hear people saying they won’t do business with that company. But with tech companies that have security issues — sometimes with a very skilled attacker that any company would struggle to defend against — I hear a lot of people saying they will take their business elsewhere. So that’s a definite challenge for them.  

Are there any specific threats that are a bigger risk for tech companies?

Supply chain risk is a significant threat for tech companies. Making decisions about where you’re going to source parts of your products and services, what you’re going to source, and how you’re going to source them — all of that is incredibly difficult from a security perspective, even down to the hardware level. Detecting threats on that level is just monumentally difficult.

For technology companies, embracing new technologies is part of their DNA, but it also brings more security challenges. For example, what does it mean to secure serverless environments? Containers? Those are technologies that have been adopted fast because of their value propositions, but not every company has figured out how to handle asset management, detection, and response for them.

Manage Your Cloud Security Posture

Learn More About InsightCloudSec

The other challenge is rapid adoption of intelligent machines. For example, I just released a paper on chatbots. They’re valuable, offering efficiency and improving some aspects of customer experience. But a lot of the time they sit outside the cybersecurity program.

In this recent paper, I released a couple of proof-of-concept attacks where I trojanized a chatbot and skimmed credit cards with it. I duplicated a standard interface where someone checking on a product order could enter the information and see the real-time status of their purchase. I was able to compromise the chatbot interface and inject a couple of new fields so that, instead of just asking for the name and order, it asks for the credit card and zip code you used to place the order. In my trojanized version, it then stores that in a slot in the chatbot memory and never goes inside the company. It sits on the outside. Then when I, as an “attacker,” come and give it a specific order number, it dumps all the cards I skimmed out through the chat interface in an encoded format.

That’s a white-hat example, obviously, but attackers are out there figuring this out. Tech companies need to be seriously considering how they will secure chatbots and other intelligent machines they leverage.

What advice would you give tech companies looking for security solutions?

Don’t start with the technology – that is the very first thing. Technology companies may be the most guilty of doing this because technology is their business. But it’s not the way to go.

Instead, start by trying to understand and define the problem. You need to understand what it is you’re trying to protect, how you’re going to protect it, and what it looks like if it is not protected. Otherwise, you might decide to adopt a huge range of technologies — fantastic, big, monolithic solutions — and then find that there are massive gaps between them. They’re not connected. You need to make sure that you have an interlocking set of strategies to protect the entire attack surface area. Because guess what? If you have chinks in your armor, the attacker will probe and exploit those weaknesses.

For more insights on how to navigate the future of cloud security as a technology company, visit our hub page.

Additional reading:


Get the latest stories, expertise, and news about security today.

3 Takeaways From the 2022 Verizon Data Breach Investigations Report

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/05/31/3-takeaways-from-the-2022-verizon-data-breach-investigations-report/

3 Takeaways From the 2022 Verizon Data Breach Investigations Report

Sometimes, data surprises you. When it does, it can force you to rethink your assumptions and second-guess the way you look at the world. But other times, data can reaffirm your assumptions, giving you hard proof they’re the right ones — and providing increased motivation to act decisively based on that outlook.

The 2022 edition of Verizon’s Data Breach Investigations Report (DBIR), which looks at data from cybersecurity incidents that occurred in 2021, is a perfect example of this latter scenario. This year’s DBIR rings many of the same bells that have been resounding in the ears of security pros worldwide for the past 12 to 18 months — particularly, the threat of ransomware and the increasing relevance of complex supply chain attacks.

Here are our three big takeaways from the 2022 DBIR, and why we think they should have defenders doubling down on the big cybersecurity priorities of the current moment.

1. Ransomware’s rise is reaffirmed

In 2021, it was hard to find a cybersecurity headline that didn’t somehow pertain to ransomware. It impacted some 80% of businesses last year and threatened some of the institutions most critical to our society, from primary and secondary schools to hospitals.

This year’s DBIR confirms that ransomware is the critical threat that security pros and laypeople alike believe it to be. Ransomware-related breaches increased by 13% in 2021, the study found — that’s a greater increase than we saw in the past 5 years combined. In fact, nearly 50% of all system intrusion incidents — i.e., those involving a series of steps by which attackers infiltrate a company’s network or other systems — involved ransomware last year.

While the threat has massively increased, the top methods of ransomware delivery remain the ones we’re all familiar with: desktop sharing software, which accounted for 40% of incidents, and email at 35%, according to Verizon’s data. The growing ransomware threat may seem overwhelming, but the most important steps organizations can take to prevent these attacks remain the fundamentals: educating end users on how to spot phishing attempts and maintain security best practices, and equipping infosec teams with the tools needed to detect and respond to suspicious activity.

2. Attackers are eyeing the supply chain

In 2021 and 2022, we’ve been using the term “supply chain” more than we ever thought we would. COVID-induced disruptions in the flow of commodities and goods caused lumber to skyrocket and automakers to run short on microchips.

But security pros have had a slightly different sense of the term on their minds: the software supply chain. Breaches from Kaseya to SolarWinds — not to mention the Log4j vulnerability — reminded us all that vendors’ systems are just as likely a vector of attack as our own.

Unfortunately, Verizon’s Data Breach Investigations Report indicates these incidents are not isolated events — the software supply chain is, in fact, a major avenue of exploitation by attackers. In fact, 62% of cyberattacks that follow the system intrusion pattern began with the threat actors exploiting vulnerabilities in a partner’s systems, the study found.

Put another way: If you were targeted with a system intrusion attack last year, it was almost twice as likely that it began on a partner’s network than on your own.

While supply chain attacks still account for just under 10% of overall cybersecurity incidents, according to the Verizon data, the study authors point out that this vector continues to account for a considerable slice of all incidents each year. That means it’s critical for companies to keep an eye on both their own and their vendors’ security posture. This could include:

  • Demanding visibility into the components behind software vendors’ applications
  • Staying consistent with regular patching updates
  • Acting quickly to remediate and emergency-patch when the next major vulnerability that could affect high numbers of web applications rears its head

3. Mind the app

Between Log4Shell and Spring4Shell, the past 6 months have jolted developers and security pros alike to the realization that their web apps might contain vulnerable code. This proliferation of new avenues of exploitation is particularly concerning given just how commonly attackers target web apps.

Compromising a web application was far and away the top cyberattack vector in 2021, accounting for roughly 70% of security incidents, according to Verizon’s latest DBIR. Meanwhile, web servers themselves were the most commonly exploited asset type — they were involved in nearly 60% of documented breaches.

More than 80% of attacks targeting web apps involved the use of stolen credentials, emphasizing the importance of user awareness and strong authentication protocols at the endpoint level. That said, 30% of basic web application attacks did involve some form of exploited vulnerability — a percentage that should be cause for concern.

“While this 30% may not seem like an extremely high number, the targeting of mail servers using exploits has increased dramatically since last year, when it accounted for only 3% of the breaches,” the authors of the Verizon DBIR wrote.

That means vulnerability exploits accounted for a 10 times greater proportion of web application attacks in 2021 than they did in 2022, reinforcing the importance of being able to quickly and efficiently test your applications for the most common types of vulnerabilities that hackers take advantage of.

Stay the course

For those who’ve been tuned into the current cybersecurity landscape, the key themes of the 2022 Verizon DBIR will likely feel familiar — and with so many major breaches and vulnerabilities that claimed the industry’s attention in 2021, it would be surprising if there were any major curveballs we missed. But the key takeaways from the DBIR remain as critical as ever: Ransomware is a top-priority threat, software supply chains need greater security controls, and web applications remain a key attack vector.

If your go-forward cybersecurity plan reflects these trends, that means you’re on the right track. Now is the time to stick to that plan and ensure you have tools and tactics in place that let you focus on the alerts and vulnerabilities that matter most.

Additional reading:


Get the latest stories, expertise, and news about security today.

Security and Human Behavior (SHB) 2022

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/05/security-and-human-behavior-shb-2022.html

Today is the second day of the fifteenth Workshop on Security and Human Behavior, hosted by Ross Anderson and Alice Hutchings at the University of Cambridge. After two years of having this conference remotely on Zoom, it’s nice to be back together in person.

SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, Alice Hutchings, and myself. The forty or so attendees include psychologists, economists, computer security researchers, sociologists, political scientists, criminologists, neuroscientists, designers, lawyers, philosophers, anthropologists, geographers, business school professors, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

For the past decade and a half, this workshop has been the most intellectually stimulating two days of my professional year. It influences my thinking in different and sometimes surprising ways—and has resulted in some unexpected collaborations.

Our goal is always to maximize discussion and interaction. We do that by putting everyone on panels, and limiting talks to six to eight minutes, with the rest of the time for open discussion. Because everyone was not able to attend in person, our panels all include remote participants as well. The hybrid structure is working well, even though our remote participants aren’t around for the social program.

This year’s schedule is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is liveblogging the talks.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, thirteenth, and fourteenth SHB workshops. Follow those links to find summaries, papers, and occasionally audio/video recordings of the various workshops. Ross also maintains a good webpage of psychology and security resources.

The Justice Department Will No Longer Charge Security Researchers with Criminal Hacking

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/05/the-justice-department-will-no-longer-charge-security-researchers-with-criminal-hacking.html

Following a recent Supreme Court ruling, the Justice Department will no longer prosecute “good faith” security researchers with cybercrimes:

The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.


The new policy states explicitly the longstanding practice that “the department’s goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems.” Accordingly, the policy clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged. Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges. The policy focuses the department’s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer—such as one email account—and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.

News article.

Attacks on Managed Service Providers Expected to Increase

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/05/attacks-on-managed-service-providers-expected-to-increase.html

CISA, NSA, FBI, and similar organizations in the other Five Eyes countries are warning that attacks on MSPs — as a vector to their customers — are likely to increase. No details about what this prediction is based on. Makes sense, though. The SolarWinds attack was incredibly successful for the Russian SVR, and a blueprint for future attacks.

News articles.

What’s Changed for Cybersecurity in Banking and Finance: New Study

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/05/10/whats-changed-for-cybersecurity-in-banking-and-finance-new-study/

What's Changed for Cybersecurity in Banking and Finance: New Study

Cybersecurity in financial services is a complex picture. Not only has a range of new tech hit the industry in the last 5 years, but compliance requirements introduce another layer of difficulty to the lives of infosec teams in this sector. To add to this picture, the overall cybersecurity landscape has rapidly transformed, with ransomware attacks picking up speed and high-profile vulnerabilities hitting the headlines at an alarming pace.

VMware recently released the 5th annual installment of their Modern Bank Heists report, and the results show a changing landscape for cybersecurity in banking and finance. Here’s a closer look at what CISOs and security leaders in finance said about the security challenges they’re facing — and what they’re doing to solve them.

Destructive threats and ransomware attacks on banks are increasing

The stakes for cybersecurity are higher than ever at financial institutions, as threat actors are increasingly using more vicious tactics. Banks have seen an uptick in destructive cyberattacks — those that delete data, damage hard drives, disrupt network connections, or otherwise leave a trail of digital wreckage in their wake.

63% of financial institutions surveyed in the VMware report said they’ve seen an increase in these destructive attacks targeting their organization — that’s 17% more than said the same in last year’s version of the report.

At the same time, finance hasn’t been spared from the rise in ransomware attacks, which have also become increasingly disruptive. Nearly 3 out of 4 respondents to the survey said they’d been hit by at least one ransomware attack. What’s more, 63% of those ended up paying the ransom.

Supply chain security: No fun in the sun

Like ransomware, island hopping is also on the rise — and while that might sound like something to do on a beach vacation, that’s likely the last thing the phrase brings to mind for security pros at today’s financial institutions.

IT Pro describes island hopping attacks as “the process of undermining a company’s cyber defenses by going after its vulnerable partner network, rather than launching a direct attack.” The source points to the high-profile data breach that rocked big-box retailer Target in 2017. Hackers found an entry point to the company’s data not through its own servers, but those of Fazio Mechanical Services, a third-party vendor.

In the years since the Target breach, supply chain cybersecurity has become an even greater area of focus for security pros across industries, thanks to incidents like the SolarWinds breach and large-scale vulnerabilities like Log4Shell that reveal just how many interdependencies are out there. Now, threats in the software supply chain are becoming more apparent by the day.

VMware’s study found that 60% of security leaders in finance have seen an increase in island hopping attacks — 58% more than said the same last year. The uptick in threats originating from partners’ systems is clearly keeping security officers up at night: 87% said they’re concerned about the security posture of the service providers they rely on.

The proliferation of mobile and web applications associated with the rise of financial technology (fintech) may be exacerbating the problem. VMware notes API attacks are one of the primary methods of island hopping — and they found a whopping 94% of financial-industry security leaders have experienced an API attack through a fintech application, while 58% said they’ve seen an increase in application security incidents overall.

How financial institutions are improving cybersecurity

With attacks growing more dangerous and more frequent, security leaders in finance are doubling down on their efforts to protect their organizations. The majority of companies surveyed in VMware’s study said they planned a 20% to 30% boost to their cybersecurity budget in 2022. But what types of solutions are they investing in with that added cash?

The number 1 security investment for CISOs this year is extended detection and response (XDR), with 24% listing this as their top priority. Closely following were workload security at 22%, mobile security at 21%, threat intelligence at 15%, and managed detection and response (MDR) at 11%. In addition, 51% said they’re investing in threat hunting to help them stay ahead of the attackers.

Today’s threat landscape has grown difficult to navigate — especially when financial institutions are competing for candidates in a tight cybersecurity talent market. In the meantime, the financial industry has only grown more competitive, and the pace of innovation is at an all-time high. Having powerful, flexible tools that can streamline and automate security processes is essential to keep up with change. For banks and finance organizations to attain the level of visibility they need to innovate while keeping their systems protected, these tools are crucial.

Additional reading:


Get the latest stories, expertise, and news about security today.

Corporate Involvement in International Cybersecurity Treaties

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/05/corporate-involvement-in-international-cybersecurity-treaties.html

The Paris Call for Trust and Stability in Cyberspace is an initiative launched by French President Emmanuel Macron during the 2018 UNESCO’s Internet Governance Forum. It’s an attempt by the world’s governments to come together and create a set of international norms and standards for a reliable, trustworthy, safe, and secure Internet. It’s not an international treaty, but it does impose obligations on the signatories. It’s a major milestone for global Internet security and safety.

Corporate interests are all over this initiative, sponsoring and managing different parts of the process. As part of the Call, the French company Cigref and the Russian company Kaspersky chaired a working group on cybersecurity processes, along with French research center GEODE. Another working group on international norms was chaired by US company Microsoft and Finnish company F-Secure, along with a University of Florence research center. A third working group’s participant list includes more corporations than any other group.

As a result, this process has become very different than previous international negotiations. Instead of governments coming together to create standards, it is being drive by the very corporations that the new international regulatory climate is supposed to govern. This is wrong.

The companies making the tools and equipment being regulated shouldn’t be the ones negotiating the international regulatory climate, and their executives shouldn’t be named to key negotiation roles without appointment and confirmation. It’s an abdication of responsibility by the US government for something that is too important to be treated this cavalierly.

On the one hand, this is no surprise. The notions of trust and stability in cyberspace are about much more than international safety and security. They’re about market share and corporate profits. And corporations have long led policymakers in the fast-moving and highly technological battleground that is cyberspace.

The international Internet has always relied on what is known as a multistakeholder model, where those who show up and do the work can be more influential than those in charge of governments. The Internet Engineering Task Force, the group that agrees on the technical protocols that make the Internet work, is largely run by volunteer individuals. This worked best during the Internet’s era of benign neglect, where no one but the technologists cared. Today, it’s different. Corporate and government interests dominate, even if the individuals involved use the polite fiction of their own names and personal identities.

However, we are a far cry from decades past, where the Internet was something that governments didn’t understand and largely ignored. Today, the Internet is an essential infrastructure that underpins much of society, and its governance structure is something that nations care about deeply. Having for-profit tech companies run the Paris Call process on regulating tech is analogous to putting the defense contractors Northrop Grumman or Boeing in charge of the 1970s SALT nuclear agreements between the US and the Soviet Union.

This also isn’t the first time that US corporations have led what should be an international relations process regarding the Internet. Since he first gave a speech on the topic in 2017, Microsoft President Brad Smith has become almost synonymous with the term “Digital Geneva Convention.” It’s not just that corporations in the US and elsewhere are taking a lead on international diplomacy, they’re framing the debate down to the words and the concepts.

Why is this happening? Different countries have their own problems, but we can point to three that currently plague the US.

First and foremost, “cyber” still isn’t taken seriously by much of the government, specifically the State Department. It’s not real to the older military veterans, or to the even older politicians who confuse Facebook with TikTok and use the same password for everything. It’s not even a topic area for negotiations for the US Trade Representative. Nuclear disarmament is “real geopolitics,” while the Internet is still, even now, seen as vaguely magical, and something that can be “fixed” by having the nerds yank plugs out of a wall.

Second, the State Department was gutted during the Trump years. It lost many of the up-and-coming public servants who understood the way the world was changing. The work of previous diplomats to increase the visibility of the State Department’s cyber efforts was abandoned. There are few left on staff to do this work, and even fewer to decide if they’re any good. It’s hard to hire senior information security professionals in the best of circumstances; it’s why charlatans so easily flourish in the cybersecurity field. The built-up skill set of the people who poured their effort and time into this work during the Obama years is gone.

Third, there’s a power struggle at the heart of the US government involving cyber issues, between the White House, the Department of Homeland Security (represented by CISA), and the military (represented by US Cyber Command). Trying to create another cyber center of power within the State Department threatens those existing powers. It’s easier to leave it in the hands of private industry, which does not affect those government organizations’ budgets or turf.

We don’t want to go back to the era when only governments set technological standards. The governance model from the days of the telephone is another lesson in how not to do things. The International Telecommunications Union is an agency run out of the United Nations. It is moribund and ponderous precisely because it is run by national governments, with civil society and corporations largely alienated from the decision-making processes.

Today, the Internet is fundamental to global society. It’s part of everything. It affects national security and will be a theater in any future war. How individuals, corporations, and governments act in cyberspace is critical to our future. The Internet is critical infrastructure. It provides and controls access to healthcare, space, the military, water, energy, education, and nuclear weaponry. How it is regulated isn’t just something that will affect the future. It is the future.

Since the Paris Call was finalized in 2018, it has been signed by 81 countries — including the US in 2021 — 36 local governments and public authorities, 706 companies and private organizations, and 390 civil society groups. The Paris Call isn’t the first international agreement that puts companies on an equal signatory footing as governments. The Global Internet Forum to Combat Terrorism and the Christchurch Call to eliminate extremist content online do the same thing. But the Paris Call is different. It’s bigger. It’s more important. It’s something that should be the purview of governments and not a vehicle for corporate power and profit.

When something as important as the Paris Call comes along again, perhaps in UN negotiations for a cybercrime treaty, we call for actual State Department officials with technical expertise to be sitting at the table with the interests of the entire US in their pocket…not people with equity shares to protect.

This essay was written with Tarah Wheeler, and previously published on The Cipher Brief.

A cybersecurity club for girls | Hello World #18

Post Syndicated from Gemma Coleman original https://www.raspberrypi.org/blog/cybersecurity-club-girls-hello-world-18/

In this article adapted from Hello World issue 18, teacher Babak Ebrahim explains how his school uses a cybersecurity club to increase interest in Computing among girls. Babak is a Computer Science and Mathematics teacher at Bishop Challoner Catholic College Secondary in Birmingham, UK. He is a CAS Community Leader, and works as a CS Champion for the National Centre for Computing Education in England.

Cybersecurity for girls

It is impossible to walk into an upper-secondary computer science lesson and not notice the number of boys compared to girls. This is a common issue across the world; it is clear from reading community forums and news headlines that there is a big gap in female representation in computing. To combat this problem in my school, I started organising trips to local universities and arranging assembly talks for my Year 9 students (aged 13–14). Although this was helpful, it didn’t have as much impact as I expected on improving female representation.

Girls do a cybersecurity activity at a school club.
Girls engage in a cryptography activity at the club.

This led me to alter our approach and target younger female students with an extracurricular club. As part of our lower-secondary curriculum, all pupils study encryption and cryptography, and we were keen to extend this interest beyond lesson time. I discovered the CyberFirst Girls Competition, aimed at Year 8 girls in England (aged 12–13) with the goal of influencing girls when choosing their GCSE subjects (qualifications pupils take aged 14–16). Each school can enter as many teams as they like, with a maximum of four girls in each team. I advertised the event by showing a video of the previous year’s attendees and the winning team. To our delight, 19 girls, in five teams, entered the competition.

Club activities at school

To make sure that this wasn’t a one-off event, we started an after-school cybersecurity club for girls. All Computing teachers encouraged their female students to attend. We had a number of female teachers who were teaching Maths and Computing as their second subjects, and I found it more effective when these teachers encouraged the girls to join. They would also help with running the club. We found it to be most popular with Year 7 students (aged 11–12), with 15 girls regularly attending. We often do cryptography tasks in the club, including activities from established competitions. For example, I recently challenged the club to complete tasks from the most recent Alan Turing Cryptography Competition. A huge benefit of completing these tasks in the club, rather than in the classroom, was that students could work more informally and were not under pressure to succeed. I found this year’s tasks quite challenging for younger students, and I was worried that this could put them off returning to the club. To avoid this, I first taught the students the skills that they would need for one of the challenges, followed by small tasks that I made myself over two or three sessions.

Three teenage girls at a laptop

For example, one task required students to use the Playfair cipher to break a long piece of code. In order to prepare students for decoding this text, I showed them how the cipher works, then created empty grids (5 x 5 tables) and modelled the technique with simple examples. The girls then worked in teams of two to encrypt a short quote. I gave each group a different quotation, and they weren’t allowed to let other groups know what it was. Once they applied the cipher, they handed the encrypted message to another group, whose job was to decrypt it. At this stage, some would identify that the other group had made mistakes using the techniques, and they would go through the text together to identify them. Once students were confident and competent in using this cipher, I presented them with the competition task, and they then applied the same process. Of course, some students would still make mistakes, but they would realise this and be able to work through them, rather than being overwhelmed by them. Another worthwhile activity in the club has been for older pupils, who are in their second year of attending, to mentor and support girls in the years below them, especially in preparation for participating in competitions.

Trips afield

Other club activities have included a trip to Bletchley Park. As a part of the package, students took part in a codebreaking workshop in which they used the Enigma machine to crack encrypted messages. This inspirational trip was a great experience for the girls, as they discovered the pivotal roles women had in breaking codes during the Second World War. If you’re not based in the UK, Bletchley Park also runs a virtual tour and workshops. You could also organise a day trip to a local university where students could attend different workshops run by female lecturers or university students; this could involve a mixture of maths, science, and computer science activities.

Girls do a cybersecurity activity at a school club.
Girls engage in a cryptography activity at the club.

We are thrilled to learn that one of our teams won this year’s CyberFirst Girls Competition! More importantly, the knowledge gained by all the students who attend the club is most heartening, along with the enthusiasm that is clearly evident each week, and the fun that is had. Whether this will have any impact on the number of girls who take GCSE Computer Science remains to be seen, but it certainly gives the girls the opportunity to discover their potential, learn the importance of cybersecurity, and consider pursuing a career in a male-dominated profession. There are many factors that influence a child’s mind as to what they would like to study or do, and every little extra effort that we put into their learning journey will shape who they will become in the future.

What next?

Find out more about teaching cybersecurity

Find out more about the factors influencing girls’ and young women’ engagement in Computing

  • We are currently completing a four-year programme of research about gender balance in computing. Find out more about this research programme.
  • At our research seminar series, we welcomed Peter Kemp and Billy Wong last year, who shared results from their study of the demographics of students who choose GCSE Computer Science in England. Watch the seminar recording.
  • Katharine Childs from our team had summarised the state of research about gender balance in computing. Watch her seminar, or read her report.
  • Last year, we hosted a panel session to learn from various perspectives on gender balance in computing. Watch the panel recording.

The post A cybersecurity club for girls | Hello World #18 appeared first on Raspberry Pi.