Graham Cluley Security News is sponsored this week by the folks at HYPR. Thanks to the great team there for their support! A new guide provides practical guidance for eliminating passwords to accelerate your Zero Trust strategy, and explains how Zero Trust can increase business agility. The free guide, by the analysts at The Cyber … Continue reading “Zero trust with zero passwords – free guide explains what you need to know”
Daily Archives: February 3, 2022
Interview with the Head of the NSA’s Research Directorate
MIT Technology Review published an interview with Gil Herrera, the new head of the NSA’s Research Directorate. There’s a lot of talk about quantum computing, monitoring 5G networks, and the problems of big data:
The math department, often in conjunction with the computer science department, helps tackle one of NSA’s most interesting problems: big data. Despite public reckoning over mass surveillance, NSA famously faces the challenge of collecting such extreme quantities of data that, on top of legal and ethical problems, it can be nearly impossible to sift through all of it to find everything of value. NSA views the kind of “vast access and collection” that it talks about internally as both an achievement and its own set of problems. The field of data science aims to solve them.
“Everyone thinks their data is the messiest in the world, and mine maybe is because it’s taken from people who don’t want us to have it, frankly,” said Herrera’s immediate predecessor at the NSA, the computer scientist Deborah Frincke, during a 2017 talk at Stanford. “The adversary does not speak clearly in English with nice statements into a mic and, if we can’t understand it, send us a clearer statement.”
Making sense of vast stores of unclear, often stolen data in hundreds of languages and even more technical formats remains one of the directorate’s enduring tasks.
Smashing Security podcast #260: New hire mystery, hacktivist ransomware, and digi-dating
Who’s that new guy working at your company, and why don’t you recognise him from the interview? How are hacktivists raising the heat in Belarus? And should you be fully vaxxed for your online date?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Using KPIs to generate results in Cybersecurity
Gaining investment from business leaders to create a mature cybersecurity program and fund initiatives is an imperative for success in enterprise risk mitigation. All too often, security and IT organizations struggle to capture the attention of executives needed to advance their priorities and build even basic cybersecurity capabilities.
Year after year, important initiatives get deprioritized for other business initiatives, pushing out the adoption of important technologies or funding of headcount to manage critical processes. The result is an organization with increasing exposure to risk and unwanted cybersecurity challenges. Fundamental capabilities for effective security operations that improve visibility, such as a SIEM, are deemed too expensive.
What strategies can cybersecurity staff use to cut through the noise of competing business initiatives and get the focus and investment they need to achieve their objectives? Or to properly fund the adoption of a new technology or capability?
One way is to build a reporting system that speaks executive language and abstracts difficult to understand technology into business concepts: risk, reward, performance objectives, metrics, and success. Simply establishing what the basic priorities of a cybersecurity program are and then formally reporting out on key performance indicators on a regular basis can have a profound impact. What an organization chooses to pay attention naturally grows.
What is reported can vary from organization to organization, depending on the operating environment, the type of data transmitted and stored, and regulatory and compliance standards in play, to name a few. A guiding principle should be simplicity; too many data points create noise and inaction. At a minimum, many organizations will look at the attack surface, vulnerabilities and exposures, incidents, and employee training as a good starting point.
Asset management
Asset management is at the core of every program. It’s impossible to guard what you don’t know or see, and yet most organizations fail to have a full grasp of their basic IT footprint. Every piece of hardware and software owned by an organization must be accounted for and every connection to its networks and infrastructure from ancillary systems monitored.
Shadow IT, Bring Your Own Device, and Work from Anywhere have exacerbated these challenges as traditional network edges evaporate and the flow of corporate data across untrusted networks and devices has become increasingly common. This complicated patch work is the corporation’s attack surface. Reporting the scope of that footprint, at the very least, demonstrates awareness of what matters to the organization.
Surprisingly, many organizations can’t easily quantify how many servers they own, the type of operating systems they run, the number of workstations and mobile devices they have, or even where their assets are at any given point in time. This knowledge is fundamental and reporting it regularly to executives ensures that they appreciate the scope of the program while also establishing a priority to keep data fresh and consistently update to date.
Vulnerabilities and patch management
This is perhaps one of the most impactful KPIs, not only because it’s so important in protecting the enterprise, but because it’s a constantly moving target (NIST’s National Vulnerability Database boasts greater than 17,000 submitted CVEs just this year). The vast majority of data breaches (upwards of 90%) leverage exploitation of a known vulnerability.
An effective vulnerability management program should involve scanning to identify new vulnerabilities in their infrastructure on a regular basis. KPIs around this can include the number of existing vulnerabilities discovered in the organization over the reporting period, categorization by CVE, how quickly they are patched after discovery, and graphs that linearly show reduction in vulnerabilities over time.
Cyber incidents
A risk register that tracks every incident in the organization, its severity, the resolution, and lessons learned is a must. Raising awareness to incident quantity, associated impacts to the business, efforts to determine root cause, and mitigations are essential.
Many organizations lack even a fundamental classification system that is well understood across the company. Socializing with executives the incidents from the last reporting period reinforces a shared understanding of what constitutes a Level 1 versus a Level 4 incident, the organization’s expected response, who should be notified, etc. A KPI review keeps these classification systems top of mind and also improves overall organizational readiness when new incidents occur.
Employee training
Performance metrics can include the progress of employee training and awareness campaigns, structured training (online and in-person), initiatives that focus on core concepts (such as thinking before clicking, or how a clean desk is a cybersecurity priority), or the lessons learned from a recent tabletop exercise.
All make for great topics of discussion with executive stakeholders. Many organizations get fun and creative in this area, coming up with security mascots or even inter-business unit competitions.
Getting started
For organizations that are early in the KPI development journey, a great launch point is a Balanced Scorecard. This innovative approach to change management helps:
clarify vision, mission, and strategic themes
gain alignment and buy-in
break through organizational silos
define key objectives, initiatives, and success metrics
inform dashboard content
Initially designed by Dr. Robert Kaplan and Dr. David Norton for performance management, this framework can be valuable tool for a security team to organize their strategy and distill out simple measures of success.
Cultivate curiosity
Perhaps the best value of a KPI review is the simple act of cultivating curiosity. KPI reviews are an opportunity for executives to question the what and the why; to inquire more deeply. Provoking curiosity inherently creates focus, attention, and concern. Cultivating it is one of the powerful catalysts a security team can use in maturing cybersecurity program.
Many technologists, buried in complexities of engineering solutions and securing bits and bytes, underutilize this simple strategy to keep their priorities top of mind with business leaders. Cultivate curiosity, generate questions, and watch investment in your ideas and programs grow.
Crunch! Ransomware hits KP Nuts, Hula Hoops, and McCoys crisps
The IT systems of KP Snacks have been hit by ransomware. And it might well impact the British public’s waistlines as well as the company’s profits:
Growing Number of Phish Kits Bypass MFA
Growing Number of Phish Kits Bypass MFA
Phishing kits designed to circumvent multi-factor authentication (MFA) by stealing session cookies are increasingly popular on the cybercrime underground, security researchers at Proofpoint have warned.
After years of prompting by security teams and third-party experts, MFA finally appears to have reached a tipping point of user adoption. Figures from Duo Security cited by Proofpoint in a new blog today claim that 79% of UK and US users deployed some kind of second-factor authentication in 2021 versus 53% in 2019.
However, the threat landscape is changing as a result. Phishing kits offer a cheap-and-easy way for budding cyber-criminals to launch and monetize campaigns.
“In recent years, Proofpoint researchers have observed the emergence of a new type of kit that does not rely on recreating a target website. Instead, these kits use a transparent reverse proxy to present the actual website to the victim,” the firm explained.
“Modern web pages are dynamic and change frequently. Therefore, presenting the actual site instead of a facsimile greatly enhances the illusion an individual is logging in safely. Another advantage of the reverse proxy is that it allows the threat actor to man-in-the-middle (MitM) a session and capture not only the usernames and passwords in real-time, but also the session cookie.”
These cookies can then be used to access a targeted account without needing a username, password or MFA token.
Proofpoint has already noticed an uptick in the availability of such phishing kits and warned that the trend would only increase as MFA becomes more popular. They include “Modlishka,” “Muraena/Necrobrowser” and “Evilginx2.”
“We are now in 2022, the pandemic still rages, many workers are still working from home and many may not return to the office. As more companies follow Google’s lead and start requiring MFA, threat actors will rapidly move to solutions like these MitM kits,” Proofpoint concluded.
“They are easy to deploy, free to use, and have proven effective at evading detection. The industry needs to prepare to deal with blind spots like these before they can evolve in new unexpected directions.”
Target releases web skimming detection tool Merry Maker as open source
Web skimming has been a major scourge for online shops over the past several years with attacks ranging from simple script injections into payment forms to sophisticated compromises of legitimate third-party scripts and services. Sometimes referred to as Magecart attacks, they have become the leading cause of card-not-present (CNP) fraud and have impacted small and big brands alike, as well as different types of ecommerce platforms.
As one of the top online retailers, Target started looking for solutions a few years ago to combat this threat and keep its own customers protected while shopping on its platform. Since there were no ready-made detection tools for such attacks at the time, two of the company’s security engineers decided to develop their own. After being in active use on Target.com for over three years, the company’s client-side scanner has now been released as an open-source project dubbed Merry Maker.
Why buy now, pay later is the next big fraud risk for retailers
Retailers are offering customers more buy now, pay later (BNPL) finance purchasing options to drive sales across a wide range of products. Shoppers can get instant credit at the point of sale (POS) and then delay or spread payments (often at no extra cost) instead of paying outright at the time of purchase. This can appeal to consumers and has proven to be particularly popular during busy shopping periods such as Black Friday and the holiday season.
However, BNPL is also capturing the attention of online fraudsters. While it is maturing with new providers and products coming to the market, so too are the risks of fraud for retailers as cybercriminals look to exploit the BNPL process.
Apple AirTag and other tagging devices add to CISO worries
We tag content, devices and our belongings. Tagging is ubiquitous today, in early 2022, but it wasn’t always the case.
Stepping back into history, the late 1990s and early 2000s saw the unsavory side of competitive intelligence in Silicon Valley, with companies having their trash dumpsters siphoned for useful information, pretext calling to elicit inside information, and the wholesale theft of electronic devices. Stories ad infinitum exist of teams finishing an engineering meeting and heading down to Chevy’s for dinner and putting their laptops in the trunk of the vehicle and heading into the eatery, only to find the trunk had been jacked and all the laptops missing. Same at the local sports fields, parents would arrive, throw their bag/device into the trunk only to find it gone when they returned. Such was the frequency both the San Jose and Milpitas police began placing signage in shopping centers reminding individuals to take their belongings with them.
Home Improvement Firm Fined £200k for Nuisance Calls
Home Improvement Firm Fined £200k for Nuisance Calls
A Welsh home improvement firm has been fined £200,000 by the UK’s privacy watchdog after making more than half a million nuisance phone calls.
Home2Sense Ltd of Lampeter made 675,478 nuisance calls between June 2020 and March 2021 to offer individuals insulation services, according to the Information Commissioner’s Office (ICO).
However, these people were registered with the Telephone Preference Service (TPS), meaning they had explicitly opted out of receiving unsolicited marketing calls.
According to the UK’s Privacy and Electronic Communications Regulations (PECR), it is illegal to contact anyone registered with the TPS for more than 28 days unless that person has explicitly notified the company that they do not object to receiving such calls.
Among the scores of complaints made to the ICO about Home2Sense’s business practices, one distressed victim said a call center marketer asked to speak to their late mother, who had passed away a decade earlier.
On other calls, the operative posed as a local surveyor and claimed the recipient might be in line for a free grant to replace their loft insulation.
“This is my recently deceased mother’s house that I have just inherited in the past few months. It was extremely upsetting to have someone deliberately cold-call me,” they complained.
The company also illegally used several aliases when presenting themselves to the public, including “Cozy Loft,” “Warmer Homes” and “Comfier Homes.”
Head of ICO regions, Ken Macdonald, argued that the firm’s attempt to blame its staff for failing to screen individuals on the TPS list shows a complete disregard for victims’ privacy.
“Some of the complainants described the calls received as ‘aggressive,’ and the company caused two complainants to feel distressed and upset when they asked to speak to a relative that had passed away,” he added.
“Business owners operating in this field have a duty to have robust procedures and training in place so the law is followed. Attempts to rely on ignorance of the law, or trying to pass the buck onto members of staff or external suppliers, will not be tolerated.”
However, it remains to be seen if Home2Sense ends up paying the full £200,000. Just a quarter (26%) of the monetary value of fines issued by the ICO from January 2020 to September 2021 have been paid, according to a November 2021 report. That’s down from 32% during the previous report period (January 2019-August 2020).
Fines for nuisance calls were among the most likely to remain unpaid, with nearly 80% yet to be collected.