Symtrex Inc.

Cyber Security Specialist

Cyber security awareness top priority in financial sector

2018/02/14 by admin

By Warwick Ashford - Computerweekly

Information security chiefs in the financial sector say cyber security awareness needs to be a top priority

Finance sector chief information security officers (CISOs) worldwide have identified employee training and reporting to boards quarterly as essential to improving cyber security practices.

Employee training is a top priority for improving security, according to 35% of CISOs polled by the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Infrastructure upgrades and network defence were also named as top priorities by 25% of respondents, followed by breach prevention (17%).

Infrastructure upgrades, network defence and breach prevention are prioritised mostly by CISOs reporting into a technical function like chief information officer (CIO), according to the first FS-ISAC CISO cyber security trends report.

Employee training is a priority mainly for CISOs reporting into a non-technical function like the chief operations officer (COO) or the General Counsel.

The report, which is aimed at helping leaders and businesses understand cyber security trends across the globe, said while cyber security used to be handled in the server room, it is now a board room topic.

The survey found that quarterly reports to the board of directors were most common (53%), with some CISOs (8%) reporting more than four times a year or even on a monthly basis.

In the era of increasing security threats and vulnerabilities, the report said CISOs know that keeping top leadership and boards updated regularly on these security risks and effective defences is a priority.

As security has increasingly become a concern for financial institutions, the role of the CISO has been thrust into the organisational spotlight, the report said.

However, the study found that two-thirds of CISOs do not report to the CEO, and that the top cyber chain of command is more likely to be the CIO, followed by chief risk officer (CRO) and then COO. Only 8% said they report to the CEO.

FS-ISAC recommends that employee training be prioritised for all CISOs, regardless of reporting structure, because employees serve as the first line of defence.

Employee training should include awareness about downloading and executing unknown applications on company assets, also in accordance with corporate policies and relevant regulations, and training employees on how to report suspicious emails and attachments, the report said.

FS-ISAC also encourages more frequent and timely reporting to the board of directors to ensure businesses maintain an “at the ready” risk posture and that cyber practices are clear to board members.

As the threat landscape shifts, FS-ISAC recommends that CISOs have expanded reporting responsibilities or dual-reporting responsibilities in the corporate structure to ensure critical information flows freely.

Free and direct flow of critical information to the CEO and to the board of directors will help increase transparency and facilitate faster decision making, the report said.

Filed Under: Blog, KnowBe4, Security Awareness, Security News

The two most important ways to defend against security threats

2018/02/07 by admin

By Roger A. Grimes - CSO - February 7, 2018

Patching and security training programs will thwart attacks more effectively than anything else. You’re already doing them. Here’s how to do them better.

An average of 5,000 to 7,000 new computer security threats are announced each year. That’s as many as 19 every day. The rate at which new threats appear makes it difficult to decide which ones require your attention. It might surprise you that, while your competitors waste money on high-tech, expensive, and sometimes exotic defenses, you can get far more value by concentrating on just two things you already do. You can spend less money and nothing you do otherwise will provide a better defense.

The two things you need to do better are not a secret. You already know you need to do them. You know from your own experience that what I’m saying is true. The data in favor of doing them is overwhelming. Still, most companies don’t do them well enough.

Change your security focus

Most computer security defenders focus on the wrong things. They focus on specific threats and what they did after hackers broke in, not how they broke in. There may be hundreds of thousands of unique software vulnerabilities and hundreds of millions of unique malware families, but they all share about a dozen different ways that they initially exploited an environment, including:

  • Unpatched software
  • Social engineering
  • Misconfigurations
  • Password attacks
  • Physical attacks
  • Eavesdropping
  • User errors
  • Denial of service

Focusing on and reducing these root exploitation causes will help you significantly defeat hackers and malware.

If you want to minimize computer security risk the fastest, identify the biggest root exploitation causes in your company that allow threats to do the most damage to your environment. Stop the biggest root cause and you stop every threat that uses that root cause.

So, what are the biggest root exploitation causes in most environments? Unpatched software and social engineering.

Without a doubt, these two root causes are responsible for the most successful and damaging attacks in most companies and have been for decades. One of these root exploitation methods has likely been behind any big attack that has made news in the mainstream media. In my experience, when a company of any size or even the military suffers a big attack, it can be traced to one of those two root causes.

Your company’s experience may vary, and if it does, you can ignore this article. The biggest problems for the majority of readers are unpatched software and social engineering. If they fix those two things, it will do more to decrease security risk than all the other things they could do combined.

Read the full article ->

Filed Under: CyberThreats, KnowBe4, Network Access Control, Security Awareness, Security News, Sophos

Over 12,000 Business Websites Leveraged for Cybercrime

2018/02/06 by admin

By Kelly Sheridan - Dark Reading - February 5, 2018

Attackers exploit trust in popular websites to launch phishing campaigns and spread malware.

More than 12,300 websites in the business category were used to launch cyberattacks or deliver malware in 2017, making company sites riskier than gambling and shopping sites. Attackers are abusing people’s trust in popular sites to launch consistent and effective malware campaigns.

Forty-two percent of the top 100,000 websites ranked by Alexa are considered “risky,” according to Menlo Security’s State of the Web 2017. Researchers determined a website’s risk based on three criteria: use of vulnerable software, history of distributing malware or launching attacks, and the occurrence of a security breach within the 12 previous months.

A site was deemed risky if it met any one of these criteria. The largest category of risk was news and media sites, 49% of which met a risk factor, followed by entertainment and arts (45%), travel (41%), personal sites and blogs (40%), society (39%), and business and economy (39%), which includes company, association, industry group, financial data and services, and hosted business application sites.

Business and economy sites hosted more phishing sites, ran more vulnerable software, and experienced more security incidents than any other category in 2017, researchers found. The category was hit with 23,819 incidents in 2017; the next-highest was society sites at 12,669.

Background websites: Who are you talking to?

Menlo CTO Kowsik Guruswamy explains the risk of “background radiation,” which stems from the idea that much of cybercriminals’ damage happens behind the scenes. Each time someone visits a website, it contacts an average of 25 background sites for different demands: grabbing ads from an ad delivery network, for example, or videos from a content delivery server.

Any of these third-party sites could be compromised and pose risk to users. Most malware prevention tools, from antivirus products to behavioral modeling systems, are designed to focus on the intended domain and often don’t pick up on calls to background sites.

A major website like Bloomberg might have an IT team to update servers, Guruswamy says. However, when end users visit and are presented with videos and ads, the activity comes from other networks and may not necessarily be safe. The same applies to all major websites.

As software ages, risks grow

Many of today’s websites are participating in browsing sessions, and actively servicing ads, on software riddled with vulnerabilities, Guruswamy says.

“You have this really, really old software that’s full of holes that haven’t been patched and are waiting to be exploited,” he explains, pointing to the Equifax breach as an example of what threat actors can do if a website is running unpatched software.

Menlo analysts passively fingerprinted website software for both primary and background sites, and coordinated the documented vulnerabilities for each one. They found more than 51,000 business and economy websites are running vulnerable software.

The software supporting company websites is often old enough to have been compromised several times over the past few years. More than 32,000 websites analyzed run on Microsoft Internet Information Services (IIS) 7.5, which was released in 2009. Many sites use software that is no longer fully supported; for example, Microsoft’s IIS 5 Web server, which was released in 2000 and stopped receiving mainstream support in 2005.

Read full article ->

Filed Under: Advanced Persistent Threat, antivirus, CyberThreats, Ransomware, Security News

Sophos Named Leader (again) in Gartner Magic Quadrant for Endpoint Protection

2018/02/02 by admin

Sophos has once again been named a Leader in the Gartner Magic Quadrant for Endpoint Protection Platforms, as we have been for the past decade. This year, we were one of only three in this category. This positioning confirms the ongoing innovation and impressive results of Sophos Intercept X, one of the industry’s most comprehensive endpoint protection products.

To get your complimentary copy of the Magic Quadrant Report, click here.

In the report, Gartner states that the definition of an Endpoint Protection Platform (EPP) has been updated: “In September 2017, in response to changing market dynamics and client requirements, we adjusted our definition of an EPP. An EPP is a solution deployed on endpoint devices to prevent file-based malware, to detect and block malicious activity from trusted and untrusted applications, and to provide the investigation and remediation capabilities needed to dynamically respond to security incidents and alerts…Organizations are placing a premium on protection and detection capabilities within an EPP, and are depreciating the EPP vendors’ ability to provide data protection capabilities such as data loss prevention, encryption or server controls.”

“The threat landscape is evolving at an astonishing rate,” said Dan Schiappa, senior vice president and general manager of products at Sophos. “During the last 12 months alone we have seen repeated ransomware attacks that traditional endpoint protection alone cannot adequately protect against. To stay at the forefront of endpoint protection, vendors must continually analyze the landscape and innovate the approach to protection faster than cybercriminals can innovate their attack techniques. We believe Gartner’s continued placement of Sophos in the Leaders quadrant in the Magic Quadrant for Endpoint Protection Platforms demonstrates that Sophos is able to innovate and deliver solutions that organizations of all sizes can use every day. Predicting future threats is the future of security protection and the deep learning capabilities we have added to our portfolio are enabling us to do just that, more effectively than any other next-generation vendor.”

Further strengthening the advanced levels of protection within its endpoint portfolio, Sophos also announced today that it has added deep learning neural network and advanced anti-exploit technology to the newest release of its next-generation Intercept X. Intercept X can be installed alongside any traditional endpoint protection from any vendor, immediately boosting detection speed and accuracy. Sophos believes that its next-generation enduser, server, and network protection technologies will further its leadership and continue to keep customers protected as threats evolve. The advanced machine learning technology has been further developed by Sophos to enhance Sophos Sandstorm capabilities and is powering automated threat analysis in SophosLabs facilities worldwide.

 

Filed Under: Blog, endpoint, Ransomware, Security News, Sophos

Digital Extortion to Expand Beyond Ransomware

2018/02/02 by admin

From DarkReading - Kelly Sheridan - January 30, 2018

In the future of digital extortion, ransomware isn’t the only weapon, and database files and servers won’t be the only targets.

When we think of digital extortion, we typically think of ransomware. But cybercriminals now are looking outside ransomware for new ways to shake down organizations.

Cybercriminals have learned that many businesses will pay if a ransomware attack cripples their day-to-day operations. Ransomware drove the spike in digital extortion in 2017 and remains cybercriminals’ weapon of choice, according to a new Trend Micro study “Digital Extortion: A Forward-Looking View.”

But threat actors are exploring new extortion tactics. “Some of the attacks we’ve seen highlight a shift in the model itself,” says Trend Micro chief cybersecurity officer Ed Cabrera. “As we expand our digital footprint, I think it creates an enormous opportunity for attackers to identify areas where they can have immediate impact.”

The criminal extortion framework has been around in the physical world for a long time, he continues. Now, in the digital world, it’s just getting started. Attackers are learning their chances of getting paid increase exponentially if they target certain files, systems, or databases. While ransomware will remain popular, other types of threats are starting to appear, according to Trend Micro.

Extortion attacks and critical infrastructure

“Going forward, you would be remiss to just focus on files,” says Cabrera. Cybercriminals will begin to leverage the growth of IoT, specifically industrial IoT, to extort money from victims. Businesses that need to be up and running at all times are especially vulnerable.

Read the article ->

If you have questions on how to protect your mission critical systems, contact us.

Filed Under: Blog, CyberThreats, IoT, Ransomware, Security News, Sophos

© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement