Tag Archives: Cybersecurity

Cybersecurity Awareness Month: a reminder to keep your data secure this October

To commemorate this year’s Cybersecurity Awareness Month, which commences in October, UK Tech News spoke with a variety of industry experts to get their thoughts and advice on the topic of cybersecurity risks and best practices:

Tim Bandos, Vice President of Cyber Security, Digital Guardian:

“Long gone are the days when all but the biggest data breaches would make the headlines of non-IT press. That’s because we’ve become increasingly desensitised to security stories. Today, it takes something huge to turn heads. Whether it’s 300,000 files and directories stolen by a former Tesla employee or the 600 million Facebook passwords ‘hidden’ in plain text, only these most egregious lapses in data security seem to set alarm bells ringing.

“Data protection solutions can help prevent data loss, but maintaining a successful security program is largely dependent on employee awareness and their ability to comply. By teaching employees how to make decisions about the use and protection of data, they’re in a better position to make better judgments on their own around data in the future.”

Michael Scheffler, AVP EMEA, Bitglass:

“Public opinion on the cloud has come a long way in recent years, with most security professionals now accepting that it’s no less secure than the traditional, in-house way of doing things. Allowing data to move beyond the traditional network perimeter can cause concern for many executives – if not properly secured, it can leave an enterprise vulnerable to data leakage, malware, unauthorised data access, and regulatory non-compliance.

“As adoption of cloud-based applications and services continues to grow throughout the business world, organisations need specialised security technology that is capable of protecting sensitive data wherever it is stored or accessed. The enterprise needs end-to-end security across all devices, locations, and users, as well as complete visibility throughout IT infrastructure. Fortunately, recent years have given rise to a variety of new security technologies that are designed to tackle the cloud’s unique challenges.”

Todd Kelly, Chief Security Officer, Cradlepoint:

“Securing Internet of Things (IoT) devices and data for business use cases is one of the hottest topics during Cyber Security Awareness Month this year. At its core, IoT represents a huge expansion of the network edge, with each deployment potentially covering wired broadband, public and private LTE, WiFi, and LoRA WAN connectivity. In the not too distant future, we’ll see IoT deployments take advantage of 5G connectivity as well. The good thing is the industry and governments have started efforts to better define the inherent security controls and best practices that will help, over time, improve the overall security of IoT deployments. But that will take some time to gain mass adoption in the market.

“IoT devices and routers are a major source of attacks for cybercriminals and nation state attackers. According to Symantec, in 2018, 75% of botnets were router focused. IoT security can be daunting for many businesses, and there are a number of important areas that everyone who has deployed or is considering deploying IoT applications should consider. Devices typically do not have layered security features or secure software development and patching models integrated with their solutions. On top of that, many IoT devices cannot be accessed, managed, or monitored like conventional IT devices. Depending on the use case and vendor, there can be numerous OS, management and API-level interfaces and capabilities to manage.

“With the expanding diversity of business IoT use cases along with their associated IoT devices, architectures, vendors, management platforms and disparate security capabilities, customers should look to invest in enterprise IoT platforms to simplify the number of tools, devices and architectures needed to meet the business benefits for IoT use cases in the enterprise while reducing cyber risk.

“Using existing network-based security solutions may not be sufficient. Instead, organisations should look at using expert cloud-based management platforms and software-defined perimeter technologies, which effectively address the security risks inherent in IoT deployments and provide network-wide policies and visibility. IoT security will remain one of the most important enterprise security issues for many years to come. But while businesses should always be mindful of potential threats, by addressing these early and with the right technology, they can be confident in their IoT deployments now and into the future.”

John Ford, CISO, ConnectWise:

“The simplest thing SMBs can do to protect themselves from cyber-threats is to enable multifactor authentication. Essentially, that means having more than just a password. Most people use it all the time and never even think about it.

“For instance, when logging into your bank account from something other than your primary computer, and the bank sends a text message to your phone with a code. You enter the code and you’re in. That’s all multifactor authentication is. In cybersecurity, we call it “something you have and something you know.”

“While there are all kinds of complex products and technologies companies use to protect themselves – many of them excellent – the fact is, most ransomware attacks can be prevented by this easy-to-deploy process. Yet, multifactor authentication has only recently become widely adopted, despite having been around close to 20 years.”

Eltjo Hofstee, Managing Director, Leaseweb UK:

“NCSAM is a time to pause and take stock of security practices, revising or enhancing to ensure as robust a security posture as possible. As a cloud hosting provider to over 200 UK customers, Leaseweb constantly reviews its security checklist against the UK government’s 14 Cloud Security Principles to uphold compliance and best practice across all aspects related to security in the cloud. From data in transit protection, supply chain, operational, and personnel security to the provision of a governance framework, secure user management and service administration, Leaseweb’s security plan and measures provide reassurance for customers of adherence to the highest standards in secure cloud service delivery.”

Sascha Giese, Head Geek, SolarWinds:

“With every passing year, the public sector is becoming increasingly aware of the onslaught of cyberattacks it faces, with an increase in the number of organisations reporting over 1,000 cyberattacks in 2018 compared to 2017, as revealed this year through a SolarWinds FOI request. Public sector IT professionals are working every day to ensure the data their department holds is kept secure. While tools and technology are of course the most solid defence against security threats, public sector IT pros should also consider the following three steps to achieving a stronger security posture: leadership setting the right example; regular and effective training for all teams; and ensuring security policies are revised frequently to keep up with the latest threats.

“U.K. government IT professionals are trusted with data by citizens, and so to give them confidence this information is being kept safe, organisations in this sector must adhere to strict security policies. And, to keep on top of security, having initiatives supported by everyone—not just the IT team—is the crucial part of the puzzle.”

Steve Nice, Chief Security Technologist, Node4:

“In this day and age, a cyber-attack is unfortunately more of an inevitability than just a mere threat. So, businesses need to accept the fact that mitigation technology is a necessity. This Cyber Security Month, it’s important for organisations to recognise how to strengthen their security to prevent potentially devastating attacks from harming them. It’s the responsibility of the IT team to ensure that the business’ security is up to speed, and so a Vulnerability Testing programme can help the team understand where the weaknesses are and support these areas. This means that valuable time – and money – can be saved from being spent on unnecessary security infrastructures before knowing where the holes in the defence really lie.

“However, it’s not just the technology that needs to be supported. Regardless of how many layers of protection IT teams implement, the weakest link is the people involved. Managing this is essential in any cyber security strategy, so it’s vital to ensure that all employees are fully up-to-date with the latest security protocols and processes in the company. This is a key part of cyber security, and even more so because the human element is the hardest to control and measure effectively.”

The importance of supply chain visibility for tackling disruption from cyber threats

Antony Lovell, VP of Applications at Vuealta, discusses why businesses need to look at cybersecurity along their supply chain, as cyber-crime poses a significant new threat.

We are in the midst of unprecedented levels of digital disruption, which is proving hugely beneficial to industries all over the world. From enabling global expansion with more ease than ever before, to automating mundane tasks that allow people to focus on more strategic work, businesses are profiting from digitisation. But our increasing dependency on technology has also catalysed an increase in cyber-crime, with the number of significant attacks having grown by more than 50% in the last three years.

As organisations become increasingly digitalised, they are opening themselves up to a much larger and increasingly threatening landscape. Now companies across multiple industries have fallen victim to some of the biggest attacks we have ever experienced, and it is costing them millions. British Airways, for example, recently paid out a record £183m fine following its breach in 2018, when hackers stole the personal data of half a million of its customers.

In fact, a recent Vuealta report, The Future of the Supply Chain, revealed that despite supply chains having to contend with a whole host of disruptive forces – from political uncertainty and trade wars, to new entrants encroaching on their market and more adverse weather events – it is new digital frontiers like cyber-crime that are posing the largest threat.

Global expansion can be risky

With the threat of cyber-attacks increasing across all industries and businesses globally, it’s no surprise that the Vuealta report found that 50% of organisations across the UK and US identified a cyber-attack as one of the biggest causes of supply chain disruption.

Incidents such as the NotPetya ransomware attack, which in 2017 claimed global logistics giant Maersk as one of its victims, served as a warning to businesses to improve their cybersecurity measures, or risk becoming the next headline.

However, despite these high-profile incidents, many companies are still unaware of the disruption such an assault could have on their wider operations, should they fall victim.

Now, with many businesses in the UK (68%) looking to grow and expand into new markets, the complexity of modern logistics is significantly increased. Interconnected, multi-layered and often unwieldy, a global supply chain can cover half the world, taking in primary, secondary and tertiary manufacturers and producers, freight companies, ocean terminal and airport operators, along with dozens of parties in between. In fact, over half (58%) of the organisations Vuealta spoke to had five or more companies in their supply chain, with 14% having more than 50.

Working alongside multiple third parties not only increases the complexity of the modern supply chain, it also significantly expands the attack surface that cyber-criminals are able to exploit. So how can organisations protect themselves against these kinds of threats, especially when it’s next to impossible to know where or when they are going to come from?

Utilising technology to overcome cybersecurity challenges

To overcome the challenges being thrown at them, businesses should look to and learn from those that have already been unfortunate enough to have fallen victim to an attack in the last five years, for whom investing in technology (44%) was predictably the most popular solution for mitigating against future threats. Of course, implementing some sort of security solution or strategy across the organisation is a given when looking to protect against a cyber-attack. And it seems across all respondents, there was at least some awareness of this, with 43% thinking their business should be investing in cybersecurity to help combat supply chain challenges and pressures.

Next on the list, however, was planning technology (37%), something that not many businesses initially think of when defending against cyber-attacks, but which can ensure that organisations have a robust approach in place to manage their supply chain.

Planning for the unexpected

When all departments work in and across different platforms, there are hundreds if not thousands of entry points for hackers to take advantage of. As such, it’s next to impossible for an organisation to have the visibility needed to manage and protect all of their systems from an attack. Connected planning across the entire supply chain increases transparency and reduces the attack surface that hackers can exploit.

Another significant part of the issue is the speed at which a cyber-attacker can take hold. Therefore, any solution needs to be agile and able to react just as quickly. When implemented properly at both a technological and an organisational level, connected planning provides an intuitive map of how decisions ripple through an entire organisation. That connection then allows organisations to rapidly harness data from a variety of sources to quickly formulate and adapt plans.

As the risk of cyber-attack becomes an ever-increasing threat to global supply chains, technology is in fact the key to preventing any major breach and reacting to external events as they occur. Businesses need to place an emphasis on revolutionising their planning processes so that they can manage more complex networks and respond to external events with speed. With that agility and foresight, they can ensure they are prepared to navigate any of today’s challenges, including disruption from digital transformation.

How to Block DDoS Attacks Using Automation

Adrian Taylor, Regional Vice President at A10 Networks, discusses how the right approach can successfully mitigate attacks automatically.

DDoS attacks can be catastrophic, but the right knowledge and tactics can drastically improve your chances of successfully mitigating attacks. In this article, we’ll explore the five ways, listed below, that automation can significantly improve response times during a DDoS attack, while assessing the means to block such attacks.

Response time is critical for every enterprise because, in our hyper-connected world, DDoS attacks cause downtime, and downtime means money lost. The longer your systems are down, the more your profits will sink.

Let’s take a closer look at all the ways that automation can put time on your side during a DDoS attack. But first, let’s clarify just how much time an automated defence system can save.

Automated vs. Manual Response Time

Sure, automated DDoS defence is faster than manual DDoS defence, but by how much?

Founder and CEO of NimbusDDoS Andy Shoemaker recently conducted a study to find out. The results spoke volumes: automated DDoS defence improves attack response time five-fold. The average response time using automated defence was just six minutes, compared to 35 minutes using manual processes, a staggering 29-minute difference. In some cases, the automated defence was even able to eliminate response time completely.

An automated defence system cuts down on response time in five major ways. Such systems can:

  • Instantly detect incoming attacks: Using the data it has collected during peace time, an automated DDoS defence system can instantly identify suspicious traffic that could easily be missed by human observers.
  • Redirect traffic accordingly: In a reactive deployment, once an attack has been detected, an automated DDoS defence system can redirect the malicious traffic to a shared mitigation scrubbing center – no more manual BGP routing announcements of suspicious traffic.
  • Apply escalation mitigation strategies: During the attack’s onslaught of traffic, an automated DDoS defence system will take action based on your defined policies in an adaptive fashion while minimising collateral damage to legitimate traffic.
  • Identify patterns within attack traffic: By carefully inspecting vast amounts of attack traffic in a short period of time, an automated DDoS defence system can extract patterns in real-time to block zero-day botnet attacks.
  • Apply current DDoS threat intelligence: An automated DDoS defence system can access real-time, research-driven IP blocklists and DDoS weapon databases and apply that intelligence to all network traffic destined for the protected zone.

An intelligent automated DDoS defence system doesn’t stop working after an attack, either. Once the attack has been successfully mitigated, it will generate detailed reports you and your stakeholders can use for forensic analysis and for communicating with other stakeholders.

Although DDoS attackers will never stop innovating and adapting, neither will automated and intelligent DDoS protection systems.

By using an automated system to rapidly identify and mitigate threats with the help of up-to-date threat intelligence, enterprises can defend themselves from DDoS attacks as quickly as bad actors can launch them.

Three key strategies to block DDoS attacks

While it’s crucial to have an automated system in place that can quickly respond to attacks, it’s equally important to implement strategies that help achieve your goal of ensuring service availability to legitimate users.

After all, DDoS attacks are asynchronous in nature: You can’t prevent the attacker from launching an attack, but with three critical strategies in place, you can be resilient to the attack, while protecting your users.

Each of the three methods listed below is known as a source-based DDoS mitigation strategy. Source-based strategies use the cause of the traffic, that is, where it comes from and how it behaves, as the basis for choosing what to block. The alternative, destination-based mitigation, relies on traffic shaping to prevent the system from falling over.

While destination traffic shaping is effective in preserving system health from being overwhelmed during an attack, it is equally fraught with indiscriminate collateral damage to legitimate users.

Tracking deviation:

  • A tracking deviation strategy works by observing traffic on an ongoing basis to learn what qualifies as normal and what represents a threat.
  • Specifically, a defence system can analyse data rate or query rate from multiple characteristics (e.g. BPS, PPS, SYN-FIN ratio, session rate, etc.) to determine which traffic is legitimate and which is malicious or may identify bots or spoofed traffic by their inability to answer challenge questions.

Pattern recognition:

  • A pattern recognition strategy uses machine learning to parse unusual patterns of behaviour commonly exhibited by DDoS botnets and reflected amplification attacks in real time.
  • For example, DDoS attacks are initiated by a motivated attacker that leverages an orchestration platform providing the distributed weapons with instructions on how to flood the victim with unwanted traffic. The common command and control (C&C) and distributed attack exhibit patterns that can be leveraged as a causal blocking strategy.

Reputation:

  • To utilise reputation as a source-based blocking strategy, a DDoS defence system will use threat intelligence provided by researchers of DDoS botnet IP addresses, in addition to tens of millions of exposed servers used in reflected amplification attacks.
  • The system will then use that intelligence to block any matching IP addresses during an attack.
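As an added example (not A10's code or any product's logic), the following combines the tracking-deviation and reputation strategies described above: it learns a peacetime baseline for the BPS, PPS, SYN-FIN-ratio and session-rate characteristics, scores live samples against it, and then plans a source-based response that drops sources on a reputation blocklist before rate-limiting sources that dominate the window, leaving the rest untouched. The telemetry shape, thresholds, IP addresses and blocklist are all constructed assumptions.

```python
import ipaddress
import statistics
from collections import Counter, namedtuple

# One traffic sample per second for the protected zone. The shape is
# constructed for this example, not any vendor's telemetry format.
# sources: Counter mapping source IP -> packets seen in that second.
Sample = namedtuple("Sample", "bps pps syn fin sessions sources")

SIGMA = 4.0          # assumed: flag a feature more than 4 std devs above baseline
SD_FLOOR = 0.05      # assumed: std dev never below 5% of the mean (avoids noise alerts)
SHARE_LIMIT = 0.10   # assumed: rate-limit any single source sending >10% of packets


def features(s):
    """The per-sample characteristics named in the article."""
    return {
        "bps": s.bps,
        "pps": s.pps,
        "syn_fin_ratio": s.syn / max(s.fin, 1),
        "sessions": s.sessions,
    }


class DeviationDetector:
    """Tracking deviation: learn a peacetime baseline, then score live samples."""

    def __init__(self):
        self.baseline = {}  # feature -> (mean, stdev)

    def learn(self, peacetime):
        columns = {}
        for s in peacetime:
            for name, value in features(s).items():
                columns.setdefault(name, []).append(value)
        for name, values in columns.items():
            mean = statistics.fmean(values)
            sd = max(statistics.pstdev(values), SD_FLOOR * mean)
            self.baseline[name] = (mean, sd)

    def deviations(self, s):
        """Return {feature: z-score} for features far above baseline (floods only)."""
        out = {}
        for name, value in features(s).items():
            mean, sd = self.baseline[name]
            z = (value - mean) / sd
            if z > SIGMA:
                out[name] = round(z, 1)
        return out


def plan_mitigation(sample, deviations, blocklist):
    """Source-based response: drop sources on the reputation blocklist,
    rate-limit sources that dominate the window, leave everyone else alone."""
    if not deviations:
        return {"action": "none"}
    total = sum(sample.sources.values()) or 1
    block, rate_limit, passed = [], [], []
    for src, pkts in sample.sources.items():
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in blocklist):
            block.append(src)
        elif pkts / total > SHARE_LIMIT:
            rate_limit.append(src)
        else:
            passed.append(src)
    return {"action": "mitigate", "reason": deviations,
            "block": sorted(block), "rate_limit": sorted(rate_limit),
            "passed": sorted(passed)}


def peacetime_samples():
    """Constructed quiet-hour telemetry with mild periodic variation."""
    return [
        Sample(bps=8_000_000 + (i % 5) * 100_000, pps=1_000 + (i % 5) * 20,
               syn=100 + (i % 3), fin=98, sessions=40 + (i % 4),
               sources=Counter({f"192.0.2.{i % 4 + 1}": 250}))
        for i in range(60)
    ]


# Constructed attack second: SYN flood from two networks, two legitimate clients
ATTACK = Sample(bps=60_000_000, pps=55_000, syn=50_000, fin=120, sessions=45,
                sources=Counter({"203.0.113.5": 20_000, "198.51.100.77": 25_000,
                                 "203.0.113.9": 5_000, "192.0.2.1": 2_500,
                                 "192.0.2.2": 2_500}))

# Constructed quiet second, well inside the learned baseline
QUIET = Sample(bps=8_100_000, pps=1_020, syn=101, fin=98, sessions=42,
               sources=Counter({"192.0.2.3": 250}))

# Constructed reputation feed (stands in for researcher-provided botnet lists)
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]


def respond(detector, sample, blocklist=BLOCKLIST):
    """Score one sample and return the mitigation plan for it."""
    return plan_mitigation(sample, detector.deviations(sample), blocklist)


if __name__ == "__main__":
    det = DeviationDetector()
    det.learn(peacetime_samples())
    print(respond(det, ATTACK))
    print(respond(det, QUIET))
```

Only upward deviations are scored, since the goal is to catch floods, and a 5% floor on the standard deviation stops a perfectly flat baseline from turning tiny fluctuations into alerts.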

Any of these three source-based DDoS mitigation strategies requires more computing capabilities than indiscriminate destination protection.

They do, however, have the significant advantage of being able to prevent legitimate users from being blocked, thereby reducing downtime and preventing unnecessarily lost profits.

Knowing that, it’s safe to say that these three mitigation strategies are all well worth the investment.

Confidential data about 24.3 million patients freely available on the internet – unprotected image servers to blame

Vulnerability management specialist Greenbone Networks has today released details of new research into the security of the servers used by health providers across the world to store images of X-rays as well as CT, MRI and other medical scans.

Of the 2,300 medical image archive systems worldwide that Greenbone analysed between mid-July and early September 2019, 590 of them were freely accessible on the internet, together containing 24.3 million data records from patients located in 52 different countries. Available data included patient names, dates of birth, dates of examination and some medical information about the reason for examination. For US patients (which make up 13.7 million of the compromised records), it also included Social Security numbers.

More than 737 million images were linked to this patient data, with approximately 400 million of these accessible or easily downloadable via the internet. In addition, 39 of these imaging servers allowed access to patient data via an unencrypted HTTP web viewer, without any level of protection.

Greenbone carried out an analysis of all medical image archiving systems connected to the public internet. These Picture Archiving and Communication Systems (PACS) servers are based on a protocol known as DICOM (Digital Imaging and Communications in Medicine), which – based on the IP protocol – makes it possible for medical professionals to access and share scans and other images. The DICOM standard dates back to the 1980s.

Dirk Schrader, cyber resilience architect at Greenbone Networks, who led the research, said:

“The data pertaining to millions of patients is there for anyone to access simply because of the careless configuration of these medical archiving servers. A significant number of these servers have no protection at all, they aren’t password protected and have no encryption. Indeed, everyday internet users could gain access to these servers with very little effort – there’s no need to write any code or deploy any specialist hacking tools.

“Health providers need to act now to secure their systems, not just because they could be in breach of regulations such as GDPR in the EU and HIPAA in the US, but because they are putting their patients at risk. This data could be used to commit identity theft, highly-specialised phishing campaigns or even for extortion, where medical information is weaponised to blackmail people in the public eye.”

This research was initiated by German broadcaster Bayerischer Rundfunk and US not-for-profit news site ProPublica. To ensure compliance with data protection regulations, Greenbone did not download or view any of the patient data as part of its research and will only be disclosing details of the vulnerable systems to authorised bodies.

A full report into the research – including a breakdown by country – is available at https://www.greenbone.net/en/blog/

How to Play Identity Like a Board Game

Andre Bosch, Senior Director of Product Operations, SailPoint, considers whether businesses should treat identity programs like a board game.

Hobbies are meant to take us away from the day-to-day of our jobs. They are a way to pursue new knowledge or a new skill. Humans have been playing board games for at least 5,000 years. There are even a few games featured prominently on Egyptian hieroglyphics or etched into the base of Assyrian winged lions so that the sentries could play. Board games not only allow us to enjoy time with friends and family, but they transport us to new places and allow us to take on new personas.

My ‘daytime’ persona is immersed in the world of cybersecurity and identity. Nights and weekends, however, are times for friends, family, and hobbies. And you guessed it, my hobby of choice is board games. I own over 140, and I have played over 400 different games, regularly host two game nights a week, and attend a board game conference (yes, they exist!) once a year. One day I was playing some games with my game group and, without my conscious effort, my hobby and my day job mixed. The result was interesting and provided me some insight. Here’s what I found.

The first time my hobby and my job crossed over, I was playing BANG! The Dice Game – a hidden role game set in the wild west. It is a struggle between the law – the Sheriff and Deputies – and the lawless Outlaws and Renegades. In this game, we only know the Sheriff’s role. All other players keep their role hidden. The key to the game is the win conditions. The Sheriff and Deputies win when all the Outlaws and Renegades are dead. The Outlaws win when the Sheriff is dead. The twist in the game, however, is the win condition for the Renegade. The Renegade wins if the Sheriff dies and they are the last player standing. What this means for the Renegade is that they pose as a Deputy early in the game and work alongside the Sheriff and other Deputies to remove the outlaws before turning on the law to pursue a victory.

With that context in mind, let’s take this full circle back to identity. While identity doesn’t often feel like fun and games, we can adopt strategies and lessons from board games and apply them to your identity programs.

The Renegade is the insider threat.
The Renegade initially plays as if they are a Deputy, only to turn when it’s most advantageous and kill the Sheriff (steal the critical data).

The best way to figure out who’s who in these games is via activity.
Outlaws will quickly start shooting at the Sheriff; deputies will then aim their fire at the outlaws. Activity is the key to figuring out who’s who. We do similar things in identity when we ask, “What are people doing with the access they have?”

The presence of a traitor makes it harder for the “good guys.”
This is, of course, obvious for Identity professionals. If it weren’t for the insider threat, many of us wouldn’t have jobs. The key insight here, however, is that we have to find a way to root out the traitor without causing ourselves too much harm. It’s not uncommon, for example, for experienced Deputies to start shooting at each other in the hopes of rooting out the Renegade. Waiting too long to take on the Renegade can mean that both deputies and outlaws are too weak to handle the Renegade when he turns. On the other hand, weakening other deputies is a significant risk.

The traitor is often looking for “dark corners” to do bad things.
The worst possible outcome for the Renegade is that they are “figured out” early in the game. Because of this, they need to find ways to look and act like a Deputy. Sometimes this means doing something “bad” in a way that the other players can’t tell it was you. This isn’t dissimilar to what we see in breaches today. The “bad guys” typically aren’t at their stand-up desk in the middle of a crowded area at work during the workweek downloading privileged information. More often, they are in areas where people can’t see them (physically or digitally) using credentials or badges that aren’t theirs. As identity professionals, we are often tasked with shrinking the “dark corners” and denying the insiders the opportunity to breach.

Lastly, and most interestingly, being the traitor is difficult.
If the Sheriff and Deputies build trust and deny the traitor the ability to find “dark corners,” being the traitor is impossible. In the end, the traitor is just one person (or a small team) going against a much larger, more powerful team. Stealth is their best weapon but, robbed of that, they are easily defeated.

On IT Professionals’ Day, is the push for productivity creating a pathway for cyberattacks?

Juliette Rizkallah, CMO at SailPoint, questions whether pressure to drive productivity could be leaving organisations exposed to cyberattacks.

It’s no secret that organisations are under increased pressure to improve efficiency. With close to zero productivity growth in the UK between 2007 and 2017, the pressure is on. We’re seeing organisations rightfully embrace all manner of new technologies resulting from digital transformation to maximise efficiencies, from cloud-based collaboration platforms to artificially intelligent software bots.

However, SailPoint’s Market Pulse Survey found that these new technologies are also introducing risk to the workplace, as are office workers’ poor cybersecurity habits. As employees prioritise efficiency ahead of cybersecurity – also putting them at odds with IT – it is their organisations that truly suffer as a result of this undue risk.

In their efforts to achieve workplace efficiency, employees are engaging in risky behaviour like deploying software without IT’s approval – a practice commonly known as shadow IT. In fact, our survey found that nearly one in three employees admitted to using shadow IT, which introduces new technologies into the workplace outside of IT’s visibility. This lack of visibility leaves IT teams unable to effectively govern and secure their organisation’s users and their access to sensitive applications and data. After all, how can the IT team secure what they cannot see?

This focus on efficiency over security by the workforce has not only introduced more risk to the workplace but also created a sense of frustration between workers and their IT teams. A full 55 per cent of employees surveyed said that their IT department can be a source of inconvenience – a perception that understandably leads to friction between the two parties. IT teams are also often being left out of cybersecurity conversations until something goes wrong. Our survey shows that 49 per cent of employees admit they would blame IT for a cyberattack if one occurred as a result of an employee being hacked.

It is clear that workers are not taking their role in cybersecurity – or IT’s recommendations – seriously. And with younger generations entering the workforce, the future does not look bright. Despite their technological prowess, the 18-25 age group fall short compared to other employees when it comes to cybersecurity, with 87 per cent reusing passwords across different accounts. Amongst this group, almost half (47 per cent) duplicate passwords across work and personal accounts. Perhaps most alarmingly, 28 per cent of 18 to 25 year olds would even consider selling their workplace passwords to a third party.

As the digital transformation continues to introduce rapid changes in the workplace, the best way to increase efficiency without sacrificing security in the process is to secure an organisation’s users, which are the common link across the IT ecosystem and the new security perimeter. By taking this identity-centric approach to security, organisations will have the much-needed visibility across all of their users, applications and data. A comprehensive identity governance strategy can also alleviate the stress between the IT and business departments by giving employees appropriate access to the applications and data they need to securely do their jobs.

With identity governance, organisations can embrace the new technologies that come with the digital transformation, enabling their workforces while also providing IT the visibility and security they need in their increasingly complex IT environments. Otherwise, organisations risk being exposed by the very technologies that are designed to improve their productivity.

EMEA identified as global hotspot for brute force access attacks

EMEA is a global hotspot for brute force access attacks, according to research from F5 Labs.

The analysis forms part of the Application Protection Report 2019, which finds that most applications are attacked at the access tier, where attackers circumvent the legitimate processes of authentication and authorisation. Brute force attacks are typically defined as either ten or more successive failed login attempts in less than a minute, or 100 or more failed attempts in a 24-hour period.
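As an added illustration of that definition (this is example code, not F5’s, and the log lines are constructed for it), the following Python keeps a sliding window of failed logins per source address and account and raises an alert when either threshold is crossed. It also flags the case Ray Pompon describes later in the piece: a login that finally succeeds after a run of failures, which looks legitimate on its own. The log format, the field names and the choice to key on source plus account are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the article's definition of a brute force attack.
SHORT_WINDOW, SHORT_LIMIT = timedelta(minutes=1), 10
LONG_WINDOW, LONG_LIMIT = timedelta(hours=24), 100


def parse_line(line):
    """Parse one constructed log line, e.g.
    '2019-10-01T09:00:00 src=203.0.113.7 user=admin result=fail'
    (the format is an assumption made for this example)."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


class BruteForceDetector:
    """Sliding-window failure counter keyed on (source IP, account)."""

    def __init__(self):
        self.failures = defaultdict(deque)  # key -> failure timestamps, oldest first
        self.alerted = set()                # (kind, key) pairs already raised
        self.alerts = []                    # (kind, key, timestamp)

    def _raise(self, kind, key, ts):
        # One alert per episode rather than one per attempt past the threshold.
        if (kind, key) not in self.alerted:
            self.alerted.add((kind, key))
            self.alerts.append((kind, key, ts))

    def observe(self, rec):
        key, now = (rec["src"], rec["user"]), rec["ts"]
        q = self.failures[key]
        while q and now - q[0] > LONG_WINDOW:  # forget failures outside 24 hours
            q.popleft()
        if rec["result"] == "fail":
            q.append(now)
            recent = sum(1 for t in q if now - t <= SHORT_WINDOW)
            if recent >= SHORT_LIMIT:
                self._raise("burst", key, now)
            if len(q) >= LONG_LIMIT:          # q only ever holds the last 24 hours
                self._raise("slow", key, now)
        elif rec["result"] == "success":
            if q:
                # The login that finally works is indistinguishable from a
                # legitimate one on its own; only the failure history before
                # it makes it suspicious, so report it explicitly.
                self._raise("success_after_failures", key, now)
            # The episode is over either way: reset state for this key.
            q.clear()
            self.alerted = {a for a in self.alerted if a[1] != key}


def detect(lines):
    """Run the detector over log lines and return the alerts raised."""
    det = BruteForceDetector()
    for line in lines:
        det.observe(parse_line(line))
    return det.alerts


def sample_log():
    """Constructed sample: a 12-attempt burst against 'admin' that ends in a
    successful login, three scattered failures for 'bob' that should stay
    quiet, and a slow 100-attempt campaign spaced ten minutes apart so that it
    never trips the per-minute threshold but does trip the 24-hour one."""
    t0 = datetime(2019, 10, 1, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=3 * i)).isoformat()} "
             f"src=203.0.113.7 user=admin result=fail" for i in range(12)]
    lines.append(f"{(t0 + timedelta(seconds=40)).isoformat()} "
                 f"src=203.0.113.7 user=admin result=success")
    lines += [f"{(t0 + timedelta(minutes=20 * i)).isoformat()} "
              f"src=198.51.100.4 user=bob result=fail" for i in range(3)]
    lines += [f"{(t0 + timedelta(minutes=10 * i)).isoformat()} "
              f"src=192.0.2.9 user=svc-backup result=fail" for i in range(100)]
    return sorted(lines)  # ISO-8601 timestamps of equal length sort chronologically


if __name__ == "__main__":
    for kind, (src, user), ts in detect(sample_log()):
        print(f"{ts.isoformat()} {kind:24} src={src} user={user}")
```

Keying on source plus account is a design choice worth revisiting in production: a distributed attack spreads attempts across many sources, so a second counter keyed on the account alone catches what the per-source counter misses, and a counter keyed on source alone catches password spraying across many accounts.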

EMEA hit hardest

In 2018, the F5 Security Incident Response Team (SIRT) reported that brute force attacks against F5 customers constituted 18% of all attacks and 19% of addressed incidents.

Of all SIRT-logged attacks taking place in EMEA last year, 43.5% were brute force. Canada was a close second (41.7% of recorded attacks), followed by the USA (33.3%) and APAC (9.5%). The public services sector was most affected, with 50% of all incidents taking the form of brute force attacks, followed by financial services (47.8%) and the healthcare industry (41.7%). Education (27.3%) and service providers (25%) were also in the firing line.

“Depending on how robust your monitoring capabilities are, brute force attacks can appear innocuous, like a legitimate login with correct username and password,” said Ray Pompon, Principal Threat Research Evangelist, F5 Networks. “Attacks of this nature can be hard to spot because, as far as the system is concerned, the attacker appears to be the rightful user.”

Any application that requires authentication is a potential venue for a brute force attack, but F5 Labs mostly recorded attacks focusing on:

  • HTTP form-based authentication brute force (29% of logged attacks globally). Attacks against web authentication forms in the browser. Most traditional logins on the web take this form.
  • Outlook Web Access (17.5%), Office 365 (12%) and ADFS (17.5%) brute force. Attacks against the authentication protocols of Exchange servers, Microsoft Active Directory and Active Directory Federation Services. Where these services are accessed by mail clients rather than through a browser, users authenticate to them through separate prompts. Because of the single sign-on capabilities of AD and federation, a successful access attack on these protocols yields not only mail but entire intranets and significant amounts of sensitive information.
  • SSH/SFTP brute force (18%). SSH and SFTP access attacks are among the most prevalent, partly because successful SSH authentication is often a quick path to administrator privileges. Brute forcing SSH is hugely attractive to cyber criminals because many systems still rely on default credentials for ease of use.
  • S-FTP brute force (6%). S-FTP brute force is dangerous because it is a method of dropping malware, which opens up a wide range of disruptive options, including privilege escalation, keylogging or other forms of surveillance, and network traversal.

Overall, email is the most targeted service when it comes to brute force attacks. For organisations that do not rely heavily on ecommerce, the most valuable assets are often stored far from the perimeter, behind multiple layers of controls. In this case, email is often a powerful staging ground to steal data and gain access to the tools needed to wreak widespread havoc.

Breach data also pegged email as a primary target; it was involved in the top two subcategories of access breaches, representing 39% of access breaches and 34.6% of all breach causes. Email is directly attributed as a factor in over a third of all breach reports.

Staying safe

According to the Application Protection Report 2019, safeguarding against access tier attacks is still a major challenge for many organisations. Multi-factor authentication can be hard to implement and is not always feasible in the required timeframe. Worryingly, while passwords alone are typically an inadequate form of protection, F5’s Application Protection Report 2018 found that 75% of organisations still use simple username/password credentials for critical web applications.

“While access attack tactics will certainly change as defensive technologies become more advanced, the core principles to stay safe will remain significant for the foreseeable future,” said Pompon.

“To start, make sure your system can at least detect brute force attacks. One of the main challenges is that confidentiality and integrity can sometimes find themselves at odds with availability. It is important to establish reset mechanisms that work for both the organisation and its users. It is not enough to set up some firewall alarms on brute force attempts and take a nap. You have to test monitoring and response controls, run incident response scenario tests, and develop incident response playbooks so that you can react quickly and reliably.”

The USB is back – as an essential defence against data breaches

Could the humble USB drive be making a comeback? Jon Fielding, MD EMEA of Apricorn, discusses why secure USB drives are seeing a resurgence in popularity

Once an indispensable piece of business hardware, found in pretty much every briefcase and office drawer, the USB drive’s popularity waned as technology advanced. Today, large volumes of data can be transferred online and stored in the cloud, while mobile devices give us access to corporate information wherever we are. But as concerns rise over how to protect data when it’s on the move, removable storage devices once again have a key role to play: as a crucial part of a business’s cybersecurity defences.

New working practices and technologies have brought additional risk to businesses. In a survey carried out by Apricorn this year, almost half of organisations admitted their mobile workers have knowingly put data at risk, while nearly a quarter said they can’t be certain their data is adequately secured when used in a remote working environment.

Ongoing digital transformation and the adoption of cloud, AI and IoT are introducing an extra layer of complexity to businesses that potentially makes them more vulnerable to cyber-attacks. Meanwhile, personal devices and consumer apps are being brought into the corporate environment without the knowledge of the IT department.

At the same time, GDPR has begun to bare its teeth, with the Information Commissioner’s Office (ICO) recently hitting British Airways and the Marriott hotel group with significant fines.

Organisations recognise the pressing need to invest in strengthening their security posture. There are plenty of sophisticated high-tech security tools and solutions on the market – but as with all new technologies, integrating these can add to an already complex IT environment, compounding risk and lack of control.

Technology is always evolving, for good and bad. However, most cyber-attacks don’t involve new and sophisticated techniques. Instead, attackers rely on simple approaches that exploit well-known weaknesses – for instance a lack of software patching, or employees who haven’t been properly educated in good security hygiene. Going back to basics has its merits as a defence strategy, just as it does for attack.

Here’s where highly secure removable storage devices have a role to play. Mandated for use as a key part of an organisation’s cybersecurity strategy, they provide a practical way for employees to safely and reliably store, move and transfer large amounts of sensitive data offline.

More crucial, however, is the availability of USB drives with hardware encryption built in. These automatically encrypt all data written to them, so that if the device is lost or stolen the information on it is inaccessible to anyone who does not hold the unlock PIN or key.

End-to-end encryption of all data as standard – both at rest and in transit – has come to be recognised as a vital element of any cybersecurity plan, and is specifically recommended in Article 32 of GDPR as a means to protect personal data. Two-thirds of organisations now hardware-encrypt all information as standard – up from just half last year. There is a high level of awareness of the risk of not doing so: according to the IT decision makers surveyed, lack of encryption is behind 27 per cent of all data breaches.

Encryption should be invisible and automatic. If it is built into the device, the decision and the responsibility to encrypt are taken out of the user’s hands. Strict policies detailing how removable storage devices may be used can be enforced through whitelisting on the IT infrastructure, blocking all non-approved media from USB ports. Employees should also be trained in how to use the devices safely, in the importance of data protection and in how to be a responsible information owner.

Until recently, I think many companies didn’t quite believe that GDPR would be applied in anger. The ICO’s clear shot across the bows has shaken the myth that any period of amnesty or leniency will continue. This is likely to trigger an upturn in spending on cybersecurity, as organisations seek to avoid penalties.

There’s a plethora of ‘shiny new things’ out there to invest in – but businesses should also consider the fundamentals of good security practice, and implement the tools and techniques that will most effectively provide a robust defence. The ‘humble’ USB drive is one of these – and that’s why I believe it’s set to enjoy a renaissance.

Scale Computing and Acronis Form Technology Partnership

Scale Computing, a market leader in edge computing, virtualisation and hyperconverged solutions, and Acronis, a global leader in cyber protection, today announced an OEM partnership, offering Acronis Backup to customers through Scale Computing channels, delivering archiving, enhanced data protection, disaster recovery, and threat mitigation on the Scale Computing HC3 platform.

Scale Computing HC3 offers the Scale Computing Data Protection Suite, which provides high availability, backup, replication, and recovery features. Many HC3 users deploy additional backup and recovery solutions to utilise other types of storage, extending existing storage investments in NAS or SAN, or use advanced data protection features that are not available on HC3. Scale Computing has determined Acronis Backup best meets these archiving and advanced disaster recovery needs for these HC3 users.

With Acronis Backup on Scale Computing HC3, users will be able to meet the toughest backup objectives for mission-critical systems, saving up to 10x the storage space, and reducing the backup workload with automated administration. Acronis Backup on Scale Computing HC3 ensures that data is safe, and mission-critical business applications are available, by enabling users to proactively prevent, or recover quickly from disasters, with capabilities such as:

● Long-Term Retention for Data Archival – Backups can be stored on inexpensive storage for long-term retention to meet regulatory compliance
● Acronis Active Protection – An integrated anti-ransomware defense powered by machine learning (ML) models that proactively detects and stops ransomware attacks and automatically recovers any affected files, including those on network shares and removable devices
● Full Bare-Metal System Recovery – Accelerates recovery speeds up to twice as fast with the ability to restore a backup image to a machine that doesn’t have a preinstalled OS
● Acronis Universal Restore – Simplifies the recovery of an entire system to the same or dissimilar hardware, or virtual machine, by using smart technology that automatically detects boot requirements
● Granular Recovery – Enables individuals to search for and restore specific files or folders without having to recover full databases or systems

With flexible on-premises and cloud storage options, Acronis Backup users can easily scale their deployment to fit their archival and data protection needs. A simple, touch-friendly UI offers advanced reporting capabilities that let administrators manage and orchestrate backups with ease across sites.

“Faced with ever-increasing volumes of data along with the growing threat of ransomware and other malware, IT professionals are under tremendous pressure to protect everything while ensuring production systems aren’t impacted. The good news is that protecting your organisation’s data doesn’t have to be difficult,” said Pat Hurley, Vice President and General Manager, Americas, Acronis. “With Acronis Backup on Scale Computing HC3, organisations gain a fast, scalable cyber protection solution that won’t consume their limited IT budgets.”

“Data protection and disaster recovery are a necessity for IT organisations today, and many of our HC3 customers have implemented effective disaster recovery strategies that combine per VM snapshot scheduling with replication, failover, and recovery. Each HC3 appliance has built-in VM snapshots with scheduling capabilities that are flexible enough to implement almost any backup strategy,” said Jeff Ready, CEO and co-founder, Scale Computing. “With Acronis Backup, HC3 users are enabled to add market-leading archiving and data protection capabilities to their infrastructure. Our technologies are highly complementary, and HC3 customers, who are used to the flexibility and ease of use of our platform, will also benefit from the performance, ROI and TCO advantages offered by Acronis Backup.”

Acronis Backup on Scale Computing HC3 protects nearly all supported VM operating systems on the Scale Computing HC3 platform and can back up and restore anything from individual VMs up to the entire system. Acronis Backup can store backup data in a wide range of storage locations, including HC3 virtual disks, existing NAS/SAN, and public clouds.

Acronis Backup is available for purchase from Scale Computing today.

Scale Computing is a key sponsor at the Acronis Global Cyber Summit 2019 between Oct. 13-16, 2019.

How to Effectively Manage Cyber Threats on Critical Infrastructure

Anthony Perridge, VP International, ThreatQuotient, explains how businesses can tackle the growing threats from the increase in hackers targeting critical infrastructure

Attackers are tirelessly targeting critical infrastructure (CRITIS) around the world and compromising the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems that run it. In 2010, the Stuxnet worm infiltrated numerous control systems and damaged uranium-enrichment centrifuges at Iran’s Natanz facility. Five years later, the BlackEnergy malware attack on the Ukrainian power grid became the first cyberattack to cause a blackout.

However, the term CRITIS covers not only the power grid but also areas such as the military, manufacturing, healthcare, transport, water supply and food production. In 2017, the WannaCry ransomware outbreak affected several healthcare organisations. In 2018, US-CERT, together with the British National Cyber Security Centre (NCSC) and the FBI, issued a warning that the Russian government was targeting critical infrastructure in various industries. In addition, threats to air travel booking and public transit systems have been making headlines for several years. In early 2019, the LockerGoga ransomware began infiltrating and disrupting the production processes of chemical companies and aluminium producers.

Important challenges

According to a study by (ISC)², there is a shortfall of nearly three million cybersecurity experts worldwide, and nearly 60 percent of the 1,452 survey respondents believed that their company was at medium to high risk of cyberattack. Existing security teams can barely cope with the flood of alerts. Moreover, they are often not sufficiently represented at senior management level to receive the necessary attention and support for important initiatives. For example, only 31 percent of organisations in the aviation industry have a dedicated CISO.

To make the most of their existing resources, security teams must be able to understand and prioritise the threat data and alerts within the context of their organisation. This gives teams the opportunity to easily and clearly communicate relevant security issues to management, and to justify additional resources needed to improve security processes.

More and more attacks use multiple vectors in parallel, which makes defence harder. The US-CERT warning mentioned above lists a variety of the TTPs used, including spear-phishing emails, watering hole attacks, credential capture, and attacks aimed specifically at ICS and SCADA infrastructure. At the same time, the attack surface is growing as CRITIS operators migrate to the cloud and introduce mobile devices and IoT. More than two-thirds of IT executives in the oil and gas industry said that digitisation (the deployment of digital technologies for advanced automation) has made them more vulnerable to security breaches.

Companies can protect their digital landscape against threats only if they have an overview of the entire infrastructure and the ability to continuously evaluate and prioritise threat intelligence.

Many ICS and SCADA systems have been in use for years and lack the modern security features needed to protect against current threats. The number of vulnerabilities reported in the manufacturing sector rose significantly in 2018 compared with the previous year, yet these systems are rarely updated because operators fear interruptions to production. Despite increasing attacks on critical infrastructure, protection has not kept pace; if anything, the situation has worsened as devices and systems are connected to the Internet without regard for the security implications. Although those responsible for Information Technology (IT) and Operational Technology (OT) have different goals, processes, tools and concepts, they must work together as their environments converge.

In surveys of security officers, 75 percent of businesses expect to fall victim to cyberattacks on their OT/ICS systems. However, only 23 percent comply with the industry’s minimum legal requirements for cyber security.

Conclusion

Headlines about attacks on critical infrastructure quickly turn into sensation. It is often difficult to find the facts behind a report and to understand the impact of a large-scale cyber campaign on the business. Updating only the ICS and SCADA devices is not enough. With a trusted threat intelligence platform, companies can identify and respond to the threats that are truly relevant to them.

Here are some tips I offer to help organisations minimise their cyber risk:

  • Consolidate all sources of external (such as OSINT) and internal (SIEM, for example) threat and vulnerability data in one central repository.
  • Collect security-related information about the entire infrastructure (on-premises, cloud, IoT, mobile and legacy systems) by integrating vulnerability data and threat intelligence in the context of active threats.
  • Filter out irrelevant information to avoid overload from too many alerts, and navigate large volumes of threat data easily to focus on critical resources and vulnerabilities.
  • Prioritise the most important data according to your own situation, with the ability to adapt dynamically as new data and insights become available.
  • Proactively hunt for malicious activity, such as denial-of-service attacks and other disruptions that could harm customers, employees and key components.
  • Look beyond reactive measures to strengthen detection, response and recovery.
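As an added example of the first four tips working together (consolidate, collect, filter, prioritise), the Python below merges two constructed OSINT feed exports with constructed SIEM sightings, scores each indicator and returns a ranked shortlist, then re-ranks when a new internal sighting arrives. It is illustrative code, not ThreatQuotient’s platform: the scoring formula, the 1-to-5 asset criticality scale and every indicator, host name and feed name are assumptions invented for the example.

```python
# Constructed inputs for the example (not real indicators, feeds or hosts).
OSINT_FEEDS = [
    {"indicator": "198.51.100.23", "type": "ipv4", "source": "feed-a",
     "confidence": 0.6, "tags": ["scanner"]},
    {"indicator": "198.51.100.23", "type": "ipv4", "source": "feed-b",
     "confidence": 0.8, "tags": ["bruteforce"]},
    {"indicator": "evil.example", "type": "domain", "source": "feed-a",
     "confidence": 0.9, "tags": ["phishing"]},
    {"indicator": "203.0.113.77", "type": "ipv4", "source": "feed-b",
     "confidence": 0.3, "tags": ["scanner"]},
    {"indicator": "deadbeef" * 8, "type": "sha256", "source": "feed-a",
     "confidence": 0.2, "tags": []},
]

# Internal SIEM export: which indicators were actually observed, and where.
SIEM_SIGHTINGS = [
    {"indicator": "198.51.100.23", "host": "hmi-01", "count": 14},
    {"indicator": "203.0.113.77", "host": "web-dmz-02", "count": 1},
]

# Asset criticality assigned by the operator (assumed 1 = low .. 5 = critical OT).
ASSET_CRITICALITY = {"hmi-01": 5, "plc-gateway-03": 5, "web-dmz-02": 2, "laptop-117": 1}


def consolidate(feeds, sightings):
    """Tip 1 and 2: merge every source's view of an indicator into one record
    and attach the internal sightings that give it organisational context."""
    merged = {}
    for entry in feeds:
        rec = merged.setdefault(entry["indicator"], {
            "indicator": entry["indicator"], "type": entry["type"],
            "sources": set(), "confidence": 0.0, "tags": set(), "sightings": []})
        rec["sources"].add(entry["source"])
        rec["confidence"] = max(rec["confidence"], entry["confidence"])
        rec["tags"].update(entry["tags"])
    for s in sightings:
        if s["indicator"] in merged:
            merged[s["indicator"]]["sightings"].append(s)
    return merged


def score(rec, assets):
    """Assumed scoring: highest feed confidence, boosted 25% per corroborating
    source, then multiplied by the criticality of the most important asset the
    indicator was seen on. An indicator seen on a critical OT host therefore
    outranks a higher-confidence one that was never observed internally."""
    s = rec["confidence"] * (1 + 0.25 * (len(rec["sources"]) - 1))
    if rec["sightings"]:
        s *= max(assets.get(x["host"], 1) for x in rec["sightings"])
    return round(s, 2)


def prioritise(feeds, sightings, assets, threshold=0.5):
    """Tips 3 and 4: drop anything below the threshold, rank the rest."""
    scored = [(rec["indicator"], score(rec, assets))
              for rec in consolidate(feeds, sightings).values()]
    return sorted((s for s in scored if s[1] >= threshold),
                  key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    print("initial:", prioritise(OSINT_FEEDS, SIEM_SIGHTINGS, ASSET_CRITICALITY))
    # New insight arrives: the phishing domain was contacted from a PLC gateway.
    later = SIEM_SIGHTINGS + [{"indicator": "evil.example",
                               "host": "plc-gateway-03", "count": 3}]
    print("re-ranked:", prioritise(OSINT_FEEDS, later, ASSET_CRITICALITY))
```

The point of the re-run is the fourth tip: the ranking is a function of the current data rather than a one-off report, so a single new sighting on a critical asset moves an indicator from the middle of the list to the top without anyone re-triaging by hand.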

For more information, visit Threatquotient at: https://www.threatq.com/