Work from Home: Manage This, Please

November 19, 2020

I read “Over Half of Remote Workers Admit to Using Rogue Tools Their IT teams Don’t Know About.” If the information in the write up is on the money, cyber security for the WFH crowd may be next to impossible. The write up reports:

According to a new report from mobile security firm NetMotion, the vast majority of remote workers (62 percent) are guilty of using Shadow IT, with some of them (25 percent) using a “significant number” of unapproved tools.

The article includes this statement:

“Sadly, our research showed that nearly a quarter of remote workers would rather suffer in silence than engage tech teams,” said Christopher Kenessey, CEO of NetMotion.

Net net: Bad actors relish the WFH revolution. WFHers using software not vetted by their employer create numerous opportunities for mischief. How does a firm addicted to Slack and Microsoft Teams deal with this situation:

Hey, team. I am using this nifty new app. It can speed up our production of content. You can download this software from a link I got on social media. Give it a whirl.

Manage this, please.

Stephen E Arnold, November 19, 2020

Security Is a Game

November 12, 2020

This article’s headline caught my attention: “Stop Thinking of Cybersecurity As a Problem: Think of It As a Game.” I think I understand. The write up asserts:

The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.

Interesting idea. Numerous cyber security solutions are available. Some organizations have multiple solutions in place. Nevertheless, bad actors continue to have success. If the information in Risk Based Security’s 2020 Q3 Report Data Breach QuickView is anywhere close to accurate, the “game” is being won by bad actors: Lots of data was sucked down by cyber criminals in the last nine months.

Fun, right?

Stephen E Arnold, November 12, 2020

Organizational Security: Many Vendors, Many Breaches

October 30, 2020

I noted a write up with a fraught title: “Breaches Down 51%, Exposed Records Set New Record with 36 Billion So Far.” I interpreted this to mean “fewer security breaches but more data compromised.”

The write up explains the idea this way:

The number of records exposed has increased to a staggering 36 billion. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record,” Risk Based Security reveals.

Okay. How is this possible? The answer:

The report explores numerous factors such as how media coverage may be a factor contributing to the decline in publicly reported breaches. In addition, the increase of ransomware attacks may also have a part to play.

I interpreted this to mean, “Let’s not tell anyone.”

If you want a copy of this Risk Based Security report, navigate to this link. You will have to cough up an email and a name.

Net net: More data breaches and fewer organizations willing to talk about their security lapses. What about vendors of smart cyber security systems? Vendors are willing to talk about the value and performance of their products.

Talk, however, may be less difficult than dealing with security breaches.

Stephen E Arnold, October 30, 2020

Cyber Sins: Part of the Human Condition Permanently

October 24, 2020

Business operations have secrets and maybe sins. Medium explains “The Seven Deadly Sins Of Cybersecurity.” Using the metaphor of the biblical seven deadly sins (greed, gluttony, lust, envy, sloth, wrath, and pride), the article compares social media platforms to their digital manifestations. The write up argues that cybersecurity is bedeviled by seven deadly sins of its own.

What’s a sin?

Covid-19 has made cyber security more important than ever as people are forced to work from their homes. Organizations need cybersecurity to protect their information and the pandemic exposes all weaknesses in organizations’ cybersecurity culture, if any exists. Another sin is believing a layered, complex solution equals a decent security plan. Complexity actually creates more problems, especially when plans involve too much overhead management and talking about “doing something” instead of taking action.

Credential abuse is also a deadly sin. One commits credential abuse by over-relying on simple passwords. People love simple passwords because they are easy to remember, and they hate complex credential systems because they are annoying. It might be better to find an alternative solution:

“So what solutions should you start exploring? Identity & Access Management, Privileged Access Management (PAM), Just-In-Time/Just-Enough Administration, Role-based access controls, Multi-Factor Authentication, and more. What about Single Sign-On? Federated Identity management? Everyone must adhere to secure credential management without exception…In climbing, free-soloing might be the epitome of cool, but when you fall, you’ll wish you had a belay.”

The article advises readers to be aware that you cannot treat all of your information the same way. The example the article uses is treating a mobile number differently than a credit card number. It is important to be aware of how any information posted online could be potentially harmful.

Then an ultimate sin is not paying attention to blind spots:

“Many threats “hide in plain sight” and we don’t have the time, energy, and resources to look for them, let alone know where to start. This problem is due to complexity, a lack of resources, and too many gaps and overlaps.”

The key to absolving this sin is discovering the blind spots, then developing solutions.

Sin, however, is part of the human condition. Bad actors sense opportunities and exploit them. Cyber crime continues to thrive and become more pervasive.

Whitney Grace, October 24, 2020

Twitter for Verification: The Crypto Approach

October 21, 2020

New York State’s Twitter Investigation Report explores the cybersecurity “incident” at Twitter and its implications for election security. If you don’t have a copy, you can view the document at this url. The main point of the document struck me as this statement:

Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the Hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account.

With the Department of Financial Services’ report in mind, I found the information in “.Crypto Domain Owners Can Now Be Verified With Twitter Accounts for Safer Payments” interesting. Twitter and “safer” are not words I would associate. The write up reports:

Blockchain startup Unstoppable Domains and oracle network Chainlink have launched a new feature allowing individuals or entities with blockchain domains to authenticate themselves using their Twitter accounts. The feature is powered by Chainlink oracles, which connect each .crypto address from Unstoppable Domains to a public Twitter username. The firms said the Twitter authentication could help stem crimes in cryptocurrency payments such as phishing hacks.

In one of our Twitter tests, we created an account in the name of a now deceased pet. Tweets were happily disseminated automatically by the dog. Who knew that the dead dog’s Twitter account can reduce phishing attacks?

Twitter: Secure enough to deliver authentication? The company’s approach to business does not give me confidence in the firm’s systems and methods.

Stephen E Arnold, October 21, 2020

Apple and AWS: Security?

October 13, 2020

DarkCyber noted an essay-style report called “We Hacked Apple for 3 Months: Here’s What We Found.” The write up contains some interesting information. One particular item caught our attention:

AWS Secret Keys via PhantomJS iTune Banners and Book Title XSS

The data explorers located potential vulnerabilities that allegedly allowed such actions as:

  • Obtain what are essentially keys to various internal and external employee applications
  • Disclose various secrets (database credentials, OAuth secrets, private keys) from the various design.apple.com applications
  • Likely compromise the various internal applications via the publicly exposed GSF portal
  • Execute arbitrary Vertica SQL queries and extract database information

Other issues are touched upon in the write up.

Net net: The emperor has some clothes; they are just filled with holes and poorly done stitching if the write up is correct.

Stephen E Arnold, October 13, 2020

Work from Home: Stating the Obvious and a Newish Word

October 12, 2020

I read “Organizations Have Accrued Technical Debt in the Shift to Remote Work, and Now They Have to Face the Fallout.” Three facets of the article snagged my attention. The first was this observation attributed to a Security Awareness Advocate at KnowBe4, an information services firm:

“Many organizations have accrued a lot of technical debt, for lack of a better term, to get people working remotely,” said Malik. “They’ve enabled remote access to servers that they traditionally would never have given access to, or they might have relaxed some security rules. I heard of an organization that actually dropped 2FA to allow all of their employees to easily connect into the office, because they didn’t have enough resources to deploy 2FA to everyone, or train them up, or to deal with the number of tickets that would inevitably come in.”

Okay, the obvious has been stated.

Second, the use of the phrase “technical debt” indicates that services firms want to make clear that taking one set of technologies and applying them to remote work has risks.

No kidding. News? Hardly. Reports from assorted cyber security companies have been pointing out that phishing has become a go-to mechanism for some time. A useful report is available from Interpol.

The third facet of the article was the use of the portmanteau “websem.” The coinage appears to be a combination of the word “webinar,” itself a modification of “seminar,” and the now ubiquitous term “Web.”

Observations:

  1. Recycling Interpol data does not constitute an insight worthy of a consulting gig
  2. Whipping up jargon adds some froth to the Reddiwip analysis

Why not cite sources and use words WFH’ers will understand; for example, Zoom-eeting? Mammals braying, excitement, and snacks with toppings? The fallout? Plump targets for phishers.

Stephen E Arnold, October 12, 2020

Watch Out for Trojans

October 3, 2020

Here is an interesting little write-up on a specific type of malware. Predict gives us, “What You Need to Know About Trojan Horse?” Writer Rakesh Elamaran begins by defining the term—a trojan is an app that appears desirable but, once downloaded, turns malicious. Naturally, he observes, simply banning downloads is an impractical solution. Instead, we’re told:

“Because Trojan horses don’t reproduce after they have been installed on a computer, they are much easier to isolate and remove than some other cyber threats. To do this, you should use a Trojan remover, which usually comes bundled with the best antivirus software. If you suspect your computer may be infected, use your antivirus program to check your hard drive for any suspicious files. Some Trojans are not as dangerous as others, which is why your client may suggest quarantining an infected file rather than deleting it. Your antivirus software will then monitor the file closely and inform you if it detects any unusual and/or malicious activity. To ensure optimal safety, you should schedule full weekly scans of your computer and set up automatic definition updates in your antivirus program. Of course, in addition to using the best antivirus software you can prevent Trojan infections by avoiding any suspicious emails, attachments, and links sent to you from unknown addresses. Before typing your data into online forms, look for a padlock symbol in the address bar to make sure that your connection is secure and that all the data you enter is encrypted.”

The post lists some symptoms to watch out for. One is hardware, like a CD tray, that performs a function unprompted. The rest are changes to settings not initiated by the user: browser home pages; passwords, usernames, or other login information; and screen savers, backgrounds, or mouse settings. It also specifies the most common actions trojans tend to take, from erasing files to installing a back door, and names a few famous versions that have caused havoc in the past.

Cynthia Murrell, October 3, 2020

Cybersecurity: A Booming Business

September 23, 2020

The United Kingdom has seen record growth for cyber security startups. The record growth in the cybersecurity field is due to the COVID-19 pandemic and the heavy demand on Internet and digital services. Internet and digital services must be protected from potential bad actors stealing individuals’ information or being mischievous during Zoom meetings. Tech Round explains more about cybersecurity’s growth in: “Cybersecurity: The Fastest Growing UK Startup Sector During COVID-19.”

Before the pandemic struck, cybersecurity focused on financial and regulatory risks. Cyber risk management is now a hot ticket for investors. COVID-19 also points to a future where more people will be working remotely, organizations will host their data offsite, and more services will be online:

Ajay Hayre, Senior Consultant Technology at Robert Walters, comments: “Historically IT security has represented only 5% of a company’s IT budget but due to remote working and transition to online or cloud-based solutions, cybersecurity has been thrust to the centre of business continuity plans, having proved its worth in enabling business objectives during lockdown. Not only will every company see the benefit of having this expertise in-house, but they will be looking externally for tools, services and advisors to help guarantee the future-proofing of their business by way of solid and robust cybersecurity provisions.”

What is even more interesting are the venture capitalists behind the investing. The PHA Group breaks down who the “5 Key VCs Backing Cybersecurity Startups” are. According to the LORCA Report 2020, a half billion pounds were raised in the first half of 2020 for cybersecurity startups. This is a 940% increase compared to 2019. Venture capitalists also want to invest their money in newer technologies, such as AI, encryption, secure containers, and cloud security. The five companies that invested the most in UK cybersecurity are Ten Eleven Ventures, Energy Impact Partners, Index Ventures, and Crosslink Capital.

Whitney Grace, September 23, 2020

DarkCyber for September 22, 2020, Now Available: Bogus Passports, Chinese Data and Apps, and the Dronut Drone

September 22, 2020

DarkCyber for September 22, 2020, is now available. This week’s program features an update on falsified documents, three stories about China, and a report about the Dronut. You can view the video on YouTube. The video is available via the Beyond Search blog.

Kenny Toth, September 22, 2020

https://youtu.be/AOTJhU4VC9s
