The Log4j vulnerability crisis that erupted in late-2021 heightened the security world’s awareness of supply chain risks in free and universally deployed open-source software. Following an intense holiday season push by admins and cybersecurity professionals to track and remediate the Log4j flaw, the White House held a meeting of industry leaders to discuss improving open source software security.
Monthly Archives: February 2022
Quantum computing brings new security risks: How to protect yourself
This blog was written by an independent guest blogger.
Although commercial quantum computing may still be decades away, government agencies and industry experts agree that now is the time to prepare your cybersecurity landscape for the future. The power of quantum computing brings security complexities that we are only beginning to understand.
Even now, our cybersecurity climate is getting hotter. The average cost of a data breach reached an all-time high in 2021, and the attack vector grows larger by the minute. There has been a significant increase in the number of connected devices used to access business email and intranet since more organizations have transitioned to remote and hybrid work models.
With quantum computing looming in the not-so-distant future, the way that we think about encryption will need to evolve. Most of our current online privacy protocols utilize cryptography to maintain privacy and data integrity. However, the complex math behind creating encryption keys is no match for the power of quantum computers.
Although IBM hopes to make a 1,000-qubit machine by 2023, widespread adoption of quantum computing is still decades away. Take advantage of this time to develop the cybersecurity infrastructure that your organization needs to prepare for the future of quantum computing.
What is quantum computing?
Quantum computing focuses on developing computer technology based on principles that describe how particles and energy react at the atomic and subatomic levels. Today’s computers encode information in 1’s and 0’s. Quantum computing says that information can be encoded simultaneously in more than one place.
While the science is a bit muddy for those who are not quantum theory experts, we can all agree that quantum computing is faster than any other computing technology. In fact, the quantum computer that is in development at Google is 158 million times faster than the world’s fastest computer today.
Digital transformation has already spurred an increase in demand for web designers and developers, and web development is one of the fastest-growing career fields in the United States right now. In the future, quantum computing has the potential to contribute to finance, military intelligence, pharmaceutical development, aerospace engineering, nuclear power, 3D printing, and so much more.
What are the security risks?
The most significant impending security risks associated with switching over to quantum computers are related to cryptographic encryption. The global internet economy relies on cryptography as the foundation for a secure network. The complex algorithms used to create public and private keys to decrypt encrypted data do not hold up in a quantum environment.
The basic idea behind cryptographic encryption is that anyone who wishes to read an encrypted file must have the key, or code, to unlock it. The longer the key, the longer it takes for a computer to crack, and the more secure your files are.
To put this in perspective, it took a group of 300,000 people and four years of work to crack a 64-bit key in 2002. With 128-bit key encryption, it could take trillions of years to find a matching key.
Recently, the NIST raised the industry standard for key length protocol from 128 bits to 256 bits to increase security and prepare users for the future of quantum computing.
But cryptography is only one piece of the puzzle. Even if you implement the most secure encryption and signing practices, it won’t stop someone from opening a malicious file attachment or clicking on a misleading link. Software flaws, misuse of access, and other human-related problems could cost companies an unfathomable fortune in the quantum age.
How to protect yourself
Several technologies such as 5G, machine learning AI, and quantum computing have made huge advancements toward digitization. But, often, new technology rolls out before all of the kinks have been discovered and resolved. You could say that we are experiencing this problem with legacy cybersecurity systems.
Since the theory behind quantum computing will make our current encryption protocols obsolete, organizations should focus on creating a unified cybersecurity ecosystem to monitor the network, discover vulnerabilities, and mitigate security issues.
Here are a few things companies can do to protect themselves from future risks:
Adopt industry security standards
COVID-19 forced the world to find new ways to communicate, work, and conduct business, with most people finding their “new normal” by using digital online tools and connected devices. This influx of new internet users increased digital deployments, and the advent of the remote work movement caused security vulnerabilities for businesses and consumers to rise significantly.
The NIST’s new industry standards say that the encryption strength of your keys should be at least 128 bits for low-impact data, 192 bits for moderate-impact data, and 256 bits for high-impact information.
In addition, achieving ISO compliance also helps protect your organization by requiring cybersecurity tools for asset discovery, vulnerability assessment, continuous security monitoring, and event reporting.
Implement Zero Trust
Meeting industry security standards, mandated or not, will help you with the technical side of cybersecurity, but implementing zero-trust authentication protocols can help to reduce risks associated with human error.
Scammers are clever, and they tend to use social engineering tactics to build trust with their intended victims so that it is easier to exploit them for their credentials, money, or data. Phishing and spoofing attacks are popular forms of social engineering where an attacker pretends to be a trusted user to infect a network with malware or get their hands on high-level login information.
Phishing and spoofing attacks can be highly covert. In fact, a whopping 30% of phishing emails and SMS messages get opened by targeted users. Another 12% of those users click on the malicious attachment or link.
Zero-trust protocols help reduce the impact of phishing and other social engineering attacks by delegating privileges based on necessity instead of position in a company. This protects crucial data from leaking out in case credentials are breached since no one individual is trusted with “the keys to the kingdom,” so to speak.
Deploy automated tools
Many cybersecurity protection procedures are meant to diffuse the impact that human error can have on an organization. Manually scanning your network, mitigating vulnerabilities, and responding to data breaches opens the door to more mistakes as well as putting a limit on productivity.
That’s why organizations at the cutting edge of security choose to deploy automated tools to help them maintain the integrity of their network. Not only do automated tools work at higher speeds, but they can also analyze data with incredible detail within a timeframe that humans can’t match.
A recent study about cybersecurity adoption reported that 95% of businesses have already automated some cybersecurity processes. The report also highlighted that 98% plan to automate even more of their manual security processes in the upcoming year. This also implies that businesses that don’t automate their security protocols could lag behind.
Implement managed threat detection
Transitioning to a quantum-resistant cybersecurity plan sounds intimidating, which is why it can be helpful to have skilled experts on your side. The best way to ensure that your cybersecurity ecosystem remains intact is to implement managed threat detection through a trusted company. A managed threat detection and response service can help you arm your business with high-quality security tools and provide continuous monitoring and response support when you need it the most.
Wrapping up
Quantum computing will change everything from apps to internet search, web development, cybersecurity, and beyond. It’s wise to stay one step ahead of current technology trends so that when new features are released, your organization is already equipped with the knowledge and tools it needs to weather the dawning of a new age.
Data Leak Exposes IDs of Airport Security Workers
Data Leak Exposes IDs of Airport Security Workers
A cloud misconfiguration at a leading security services multinational has exposed the details of countless airport staff across South America, according to a new report.
A team at AV comparison site Safety Detectives found an Amazon Web Services S3 bucket wide open without any authentication required to view the contents. After notifying the owner, Swedish security giant Securitas, on October 28 2021, the firm secured the database a few days later on November 2.
Inside the 3TB trove, the researchers found personally identifiable information (PII) on Securitas and airport employees dating back to November 2018.
At least four airports across Peru (Aeropuerto Internacional Jorge Chávez) and Colombia (El Dorado International Airport, Alfonso Bonilla Aragón International Airport, and José María Córdova International Airport) are impacted.
Safety Detectives is not sure exactly how many workers are affected, but claimed the S3 bucket contained around 1.5 million files.
These include photos of ID cards featuring full names, occupations and national ID numbers, as well as other miscellaneous photos of employees, planes, luggage and more. The bucket was apparently live and being updated at the time of its discovery.
If found by threat actors, the database could have enabled not only follow-on identity fraud and scams, but far more serious criminal acts, Safety Detectives warned.
“Photos of IDs and employees could allow criminals to impersonate various members of staff – employees that can gain access to restricted areas of the airport, such as luggage-loading areas and even planes,” it said.
“Criminals could even use leaked data to create counterfeit ID cards and badges. A criminal could further strengthen their appearance as a legitimate employee by downloading leaked mobile apps.”
Colombia in particular has a history not only of serious organized crime but also guerrilla warfare groups plotting to destabilize the country.
FBI: Olympic Athletes Should Leave Devices at Home
FBI: Olympic Athletes Should Leave Devices at Home
US law enforcers are urging participants at the Beijing Winter Olympics to leave their devices at home after warning of potential state-backed and cybercrime activity at the event.
An FBI alert issued yesterday claimed it was aware of no specific threat to the games but urged “partners” to remain vigilant.
While strict Communist Party COVID restrictions mean no foreign spectators will be allowed to attend the Olympics or Paralympics, athletes could be targeted, the Feds warned.
“The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the games. The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the games,” the notice read.
“The use of new digital infrastructure and mobile applications, such as digital wallets or applications that track COVID testing or vaccination status, could also increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware. Athletes will be required to use the smartphone app, MY2022, which will be used to track the athletes’ health and travel data.”
Alongside the potential for Chinese agents to spy on participants and other attendees, the FBI warned of the risk of disruption by third parties, who could target broadcasters, hotel networks, transport providers, ticketing services, event security and other Olympic support functions.
It cited the last event in Pyeongchang, South Korea, four years ago where Russian state actors managed to cause significant disruption to the official website and media center.
However, the reality is that few hostile nations will want to spoil China’s party, given the potential geopolitical repercussions, and Beijing will be marshaling all of its resources to keep cybercrime actors at bay.
That said, the FBI has released a set of recommended best practices for organizations and individuals with a presence at the event to mitigate network, remote working, ransomware and social engineering threats.
CISA Tells Organizations to Patch CVEs Dating Back to 2014
CISA Tells Organizations to Patch CVEs Dating Back to 2014
The US government has added eight more vulnerabilities to its growing list of CVEs that must be patched by federal agencies, including some that first appeared eight years ago.
The Cybersecurity and Infrastructure Security Agency (CISA) first launched its Known Exploited Vulnerabilities Catalog in November 2021 as part of a government effort to enhance cyber-resilience.
The Binding Operational Directive (BOD) 22-01 that enabled it applies only to civilian federal agencies, but all organizations are encouraged to monitor the list on an ongoing basis as part of best practice security efforts.
The latest eight additions to the catalog include two that must be patched by February 11: a memory corruption vulnerability in Apple’s IOMobileFrameBuffer (CVE-2022-22587) and a stack-based buffer overflow bug SonicWall SMA 100 appliances (CVE-2021-20038).
Interestingly, while two of the remaining six CVEs were first discovered and published to the National Vulnerability Database (NVD) in 2020, four come from several years earlier.
These include two arbitrary code execution vulnerabilities in the GNU’s Bourne Again Shell (Bash) Unix shell and command language, from 2014 (CVE-2014-7169 and CVE-2014-6271).
Also, from 2014 is an Internet Explorer use-after-free bug (CVE-2014-1776).
The final CVE on the new list is a privilege escalation vulnerability in Intel’s Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability offerings. It was first published back in 2017.
Aside from the Apple and SonicWall flaws, all those on the list must be patched by July 28 2022.
Their inclusion in the catalog is proof again that threat actors often favor older CVEs that have been forgotten about rather than spending the time and resource researching zero-days.
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, argued that IT teams find it increasingly difficult to stay on top of a mounting patch-load, never mind fixing bugs from several years ago.
“We have a couple of options. Either we hire more people to remediate vulnerabilities and mitigate risk. Or we can be more efficient with the people, resources and tools we already have,” he added.
“The only way the cybersecurity industry will be able to reduce an increasingly concerning accumulation of risk and associated cyber-debt will be through a risk-based approach to vulnerability prioritization and a well-orchestrated approach to risk mitigation. It isn’t easy, but it is possible if leaders make cyber-hygiene and risk management a priority.”
CISA now has over 350 vulnerabilities in its “must-patch” catalog.