More stories

  • Average ransomware payment for US victims more than $6 million, survey says

    A new report from Mimecast has found that the US leads the way in the size of payouts following ransomware incidents. In the “State of Ransomware Readiness” study from Mimecast, researchers spoke with 742 cybersecurity professionals and found that 80% of them had been targeted with ransomware over the last two years. 


    Of that 80%, 39% paid a ransom, with US victims paying an average of $6,312,190. Victims in Canada paid an average of $5,347,508, while those in the UK paid nearly $850,000. Victims in South Africa, Australia, and Germany all paid less than $250,000 on average.

    More than 40% of respondents did not pay any ransom, and another 13% were able to negotiate the initial ransom figure down. Of the 742 experts who spoke to Mimecast, more than half said the primary source of ransomware attacks was phishing emails with ransomware attachments, and another 47% said they originated from “web security.” Phishing emails that led to drive-by downloads were also a frequently cited source of ransomware infections. Fewer than half of respondents said they have file backups they could use in the event of a ransomware attack, and almost 50% said they needed bigger budgets to update their data security systems.

    Despite the lack of backups, 83% of those surveyed said they could “get all their data back without paying the ransom.” Another 77% of executives said they believed they could get their company back to normal within two days following a ransomware incident. This confused Mimecast researchers, considering nearly 40% of respondents admitted to paying ransoms. A number of respondents called for more training and more information-sharing about threats.

    “Ransomware attacks have never been more common, and threat actors are improving each day in terms of their sophistication and ease of deployment,” said Jonathan Miles, head of strategic intelligence & security research at Mimecast. “Preparation is key in combating these attacks. It’s great to see cybersecurity leaders feel prepared, but they must continue to be proactive and work to improve processes. This report clearly shows ransomware attacks pay, which gives cybercriminals no incentive to slow down.”

    Ransomware incident costs stretch far beyond the ransom itself: 42% of survey respondents reported a disruption in their operations, and 36% said they faced significant downtime. Almost 30% said they lost revenue, and 21% said they lost customers. Another cost? Almost 40% of the cybersecurity professionals surveyed said they believed they would lose their jobs if a ransomware attack were successful. Two-thirds of respondents said they would “feel very or extremely responsible if a successful attack occurred.” When asked why, almost half said it would be because they “underestimated the risk of a ransomware attack.”

  • Rust-proofing the internet with ISRG's Prossimo

    You know the non-profit Internet Security Research Group (ISRG) for its Let’s Encrypt certificate authority, the most popular way of securing websites with TLS certificates. The group wants to do more. Its newest project, Prossimo, seeks to make many basic internet programs and protocols memory-safe by rewriting them in Rust.

    Rust, like some other memory-safe programming languages such as Go and Java, prevents programmers from introducing some kinds of memory bugs. All too often memory safety bugs go hand-in-hand with security issues. Unfortunately, much of the internet’s fundamental software is written in C, which is anything but memory safe. Of course, you can write memory-safe programs in C or C++, but it’s difficult. Conversely, you can create memory bugs in Rust if you try hard enough, but generally speaking Rust and Go are much safer than C and C++.

    There are many kinds of memory safety bugs. One common type is out-of-bounds reads and writes. If you wrote code in C to track a to-do list with 10 items, without memory protection measures, users could try to read and write an 11th item. Instead of an error message, you’d read or write memory that belonged to another program. In a memory-safe language, you’d get a compile error or a crash at run time. A crash is bad news too, but it’s better than giving a hacker a free pass into someone else’s program memory.

    Using that same example, what happens if you delete the to-do list and then ask for the list’s first item? A badly written program in a non-memory-safe language will try to fetch from the old memory location, in what’s called a use-after-free error. This trick is used all the time to steal data and wreak havoc on a poorly secured program. Again, with Rust or Go, you must go far out of your way to introduce such a blunder.

    As ISRG’s executive director, Josh Aas, explained in a speech at the Linux Foundation Membership Summit:

    “We’ve only started talking about security seriously recently. The problem is mainly C and C++ code. That’s where these vulnerabilities are coming from. New memory safety vulnerabilities come up in widely used software every day. I think it’s fair to say that this is out of control. 90% of vulnerabilities in Android, 70% from Microsoft and 80% of zero-day vulnerabilities come from old language memory-based. There are real costs to this stuff; every day people get hurt.”

    Why are they doing this now? Because, Aas explained, “We didn’t have great system languages to replace C. Now, we have that option.”

    So it is that under the Prossimo umbrella, ISRG is sponsoring developers to create memory-safe versions of internet programs. So far this includes a memory-safe TLS library, Hyper, and a module, mod_tls, for the Apache web server; a memory-safe curl data transfer utility; and memory-safe Rustls, a safer OpenSSL alternative.

    Next up, Prossimo wants to give the Network Time Protocol (NTP) the memory-safe treatment. For now, though, this NTP project lacks funding. Of course, replacing critical C-based programs throughout the internet is a gigantic and complex task. But it’s a job that must be done as we grow ever more dependent on the internet for our personal lives, business work, and indeed the entire global economy.

  • Microsoft November 2021 Patch Tuesday: 55 bugs squashed, two under active exploit

    Microsoft has released 55 security fixes for software including patches that resolve zero-day vulnerabilities actively exploited in the wild. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering. 

    Products impacted by November’s security update include Microsoft Azure, the Chromium-based Edge browser, Microsoft Office — as well as associated products such as Excel, Word, and SharePoint — Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.

    Some of the most interesting vulnerabilities resolved in this update, all rated important, are:

    • CVE-2021-42321 (CVSS:3.1 8.8 / 7.7). Under active exploit, this vulnerability impacts Microsoft Exchange Server and, due to improper validation of cmdlet arguments, can lead to RCE. However, attackers must be authenticated.
    • CVE-2021-42292 (CVSS:3.1 7.8 / 7.0). Also detected as exploited in the wild, this vulnerability was found in Microsoft Excel and can be used to circumvent security controls. Microsoft says that the Preview Pane is not an attack vector. No patch is currently available for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021.
    • CVE-2021-43209 (CVSS:3.1 7.8 / 6.8). A publicly known 3D Viewer vulnerability, this bug can be exploited locally to trigger RCE.
    • CVE-2021-43208 (CVSS:3.1 7.8 / 6.8). Another known issue, this 3D Viewer security flaw can also be weaponized by a local attacker for code execution.
    • CVE-2021-38631 (CVSS:3.0 4.4 / 3.9). Also made public, this security flaw in the Windows Remote Desktop Protocol (RDP) can be used for information disclosure.
    • CVE-2021-41371 (CVSS:3.1 4.4 / 3.9). Finally, this RDP vulnerability, known before a patch was available, can also be exploited locally to force an information leak.

    According to the Zero Day Initiative (ZDI), this is historically a relatively low number of vulnerabilities resolved during the month of November. “Last year, there were more than double this number of CVEs fixed,” the organization says. “Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors.”

    Last month, Microsoft resolved 71 bugs in the October batch of security fixes. Of particular note were patches for a total of four zero-day flaws, one of which was being actively exploited in the wild, while three had been made public. A month prior, the tech giant tackled over 60 vulnerabilities during the September Patch Tuesday. Among the patches was a fix for an RCE in MSHTML.

    In recent Microsoft news, Visual Studio 2022 and .NET 6 were made generally available on November 8. Visual Studio 2022 includes a refresh of some features as well as debugging improvements for developers. .NET 6 includes performance enhancements and is the first version able to support both Windows Arm64 and Apple Arm64 Silicon.

    Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates.

  • Singapore embraces Zero Trust: A prediction comes true

    One of my favorite parts of our annual predictions process is reviewing the accuracy of Forrester’s predictions from the previous year. This is not simply navel gazing. Looking backward actually makes us far better predictors, keeps us firmly grounded in the reality of our customers, and ensures that our predictions remain firmly embedded in reality. Some teams within Forrester even have a rating system, ranging from “completely missed the mark” to “nailed it.” I won’t lie: it is an absolute thrill when a prediction I’ve contributed to comes true, especially when it has the potential to positively impact our clients, the industry, or even society as a whole.

    Twelve months ago, we predicted that at least one Asia Pacific (APAC) government would embrace a Zero Trust (ZT) framework in the coming year. In keeping with our rating system, I’m happy to say we nailed it! Since 2009, when ZT was coined by Forrester, large technology companies have adopted it as their security model, and now the US federal government is following suit. In Europe, ZT went from concept to reality for many firms during 2020 and then accelerated in 2021 as COVID-19 hastened the death of traditional security models across the region.

    Unfortunately, APAC has been a very different story. ZT adoption has been slow; according to the Forrester Analytics Business Technographics® Security Survey, 2021, only 13% of security leaders in APAC cite Zero Trust as a top strategic information/IT security priority. While ZT is slowly gaining momentum in the Asia Pacific region, it faces many adoption challenges: concerns over the nomenclature, a paucity of ZT pioneers, and under-resourced security teams. With all these challenges in play, predicting that an APAC government would embrace a ZT framework in 2021 was a bold call indeed. Why’d we make it?

    We fully expected ZT momentum to accelerate for a number of reasons: 1) the shift to remote work requires a new approach to security; 2) the evolving regulatory landscape across APAC has increased focus on data protection; 3) Forrester Analytics survey data shows that APAC consumers and citizens are prioritizing security and privacy in their purchasing decisions; and 4) the release of the US National Institute of Standards and Technology’s publication on ZT architecture further validated the approach.

    I’ve led multiple APAC CISO roundtables on the topic of Zero Trust over the past 12 months. While participants were supportive of the prediction in principle, they were also skeptical — there were no indications in the media or elsewhere to support such a big call. And then in October, exactly one year after we made the prediction, Singapore Senior Minister and Coordinating Minister for National Security Teo Chee Hean announced Singapore’s new cybersecurity strategy. The strategy was supported by Prime Minister Lee Hsien Loong, who acknowledged in the strategy foreword: “Five years ago, we launched the first Singapore Cybersecurity Strategy. The world is now a different place,” noting the need for a new way of thinking about security.

    The new Singaporean cybersecurity strategy clearly defines ZT as “[a] security framework requiring all end users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.” The strategy endorses a mindset shift from perimeter defense toward a ZT cybersecurity model, encourages critical infrastructure owners to adopt a ZT cybersecurity posture for critical systems, and states that the government is implementing the Government Trust-based Architecture, which translates ZT principles to the government context.

    Looking to the future, we will continue to make important predictions about the state of Zero Trust adoption, particularly in governments. In fact, in our 2022 public sector predictions, we make the call that five governments will adopt Zero Trust to revive public trust in digital services, following the lead of the US and Singapore.

    For more regional insight beyond ZT, check out Forrester’s 2022 Asia Pacific predictions, where trust and values take center stage. We look forward to assessing how we fared this time next year.

    This post was written by Principal Analyst Jinan Budge, and it originally appeared here.

  • Meta outlines open compute networking advances

    Meta outlined its next-generation network hardware and said its data centers have migrated to the Open Compute Project (OCP) Switch Abstraction Interface (SAI). The move was announced at the Open Compute Project’s annual conference. Meta, formerly known as Facebook, outlined the following advances in its open networking gear.

    Wedge 400/400C top-of-rack switches. Meta collaborated with Broadcom and Cisco to deploy two top-of-rack switches called Wedge 400 and 400C. The Wedge 400 uses Broadcom’s Tomahawk 3 ASIC and the 400C uses Cisco’s Silicon One. Celestica makes the networking equipment for Meta. Key points:

    • Both switches have more front panel port density for AI and machine learning applications.
    • The systems have 12.8 Tbps switching capacity, four times the capacity of the Wedge 100S.
    • Both switches have a field-replaceable CPU system.

    Meta’s FBOSS network operating system for its network switches is now using OCP’s SAI at scale. The move will allow Meta to work with more chip vendors.

    200Gbps/400Gbps data center fabrics. Meta has deployed 200G optics in its data centers and plans to deploy 400G in the future. Meta developed two next-gen 200G fabric switches: the Minipack2, a modular network switch, and the Arista 7388X5 with Arista Networks.

    Overall, Meta is making the argument that its open compute data center improvements will advance its plans to build out AI and its metaverse in a disaggregated model.


  • Comcast says 'network issue' causing outages across Chicago, Bay Area, Los Angeles, New Jersey, Pennsylvania and more

    Comcast Xfinity customers across the US are reporting widespread outages, with internet, phone and TV services reportedly down. 

    Both DownDetector and Netblocks reported massive outages across New Jersey, Pennsylvania, Illinois, Massachusetts, Michigan, Los Angeles and the Bay Area. Subscribers in Indiana, Rhode Island and South Carolina also reported issues with internet and TV services. Of the 54,000 reports of issues, DownDetector found total blackouts for 64% of those reporting issues and 24% affected by landline issues.

    In a statement to ZDNet, a Comcast spokesperson said, “Earlier, some customers experienced intermittent service disruptions as a result of a network issue.” “We have addressed the issue, and service is now restoring for impacted customers as we continue to investigate the root cause. We apologize to those who were affected,” the spokesperson added.

    On Twitter, Comcast Xfinity also responded to a message asking about the outages. “Thank you for reaching out! I do apologize you are experiencing a service interruption in your area. We are currently having connection concerns around the nation; our network team is working hard toward a resolution. Thank you for your patience!” a spokesperson said.

    In New Jersey, multiple outlets are reporting outages with phone services at police departments and local governments. By 9 am, some police departments said their 911 services were back, but others are still struggling to recover. Around midnight on Tuesday, users began reporting issues with their internet, phone and TV services across the Bay Area, and Netblocks said that since then, there have been “at least two distinct outage episodes observable at national scale.”

    Some news outlets have reported that Comcast is telling customers specific times for when services will be restored. For parts of the Bay Area, customers have been told service will return around 11:10 pm. For some, accessing the company’s service outage page has been a struggle as well.


  • These cybersecurity vulnerabilities could leave millions of connected medical devices open to attack

    Critical vulnerabilities in millions of connected devices used in hospital networks could allow attackers to disrupt medical equipment and patient monitors, as well as Internet of Things devices that control systems and equipment throughout facilities, such as lighting and ventilation systems.


    The vulnerable TCP/IP stacks – communications protocols commonly used in connected devices – are also deployed in other industries, including the industrial sector and the automotive industry. The 13 newly disclosed vulnerabilities in Nucleus Net TCP/IP stacks have been detailed by cybersecurity researchers at Forescout and Medigate. Dubbed Nucleus:13, the findings represent the final part of Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks used in connected devices and how to mitigate them.

    The vulnerabilities could be present in millions of devices based around Nucleus TCP/IP stacks and could allow attackers to engage in remote code execution, denial-of-service attacks and even data leaks – although researchers can’t say for certain whether they’ve been actively exploited by cyber criminals. Now owned by Siemens, the Nucleus TCP/IP stack was originally released in 1993 and is still widely used in critical safety devices, particularly in hospitals and the healthcare industry, where it’s used in anaesthesia machines, patient monitors and other devices, as well as in building automation systems controlling lighting and ventilation.

    Of the three critical vulnerabilities identified by researchers, CVE-2021-31886 poses the greatest threat, with a Common Vulnerability Scoring System (CVSS) score of 10 out of 10. It’s a vulnerability in FTP (File Transfer Protocol) servers that don’t properly validate the length of user commands, leading to stack-based buffer overflows that can be abused for denial of service and remote code execution.

    The remaining two critical vulnerabilities both have a CVSS score of 9.9. CVE-2021-31887 is a vulnerability in FTP servers that don’t properly validate the length of PWD or XPWD FTP commands, while CVE-2021-31888 occurs when the FTP server doesn’t properly validate the length of MKD or XMKD FTP commands. Both can result in stack-based buffer overflows, allowing attackers to launch denial-of-service attacks or remotely execute code.

    Because the stacks are so common, they are easy to identify and target. It’s also possible to find some of the connected devices on the IoT search engine Shodan – and if they are publicly facing the internet, it’s possible to launch remote attacks. This is why researchers decided to examine them specifically. “We found some promotional material for the stack that mentions using this for medical applications,” Daniel dos Santos, research manager at Forescout Research Labs, told ZDNet. “Then when you look at some of the data promoting medical devices, they mention the use of the stack directly.”

    Attackers would need to jump through a number of steps, detailed extensively in the paper, to fully exploit the vulnerabilities. But as long as the vulnerabilities exist, that potential is there – along with the potential for disruption. In hospitals, not only could this affect machines used for patient care; systems in the building such as alarms, lighting and ventilation could be affected too.

    Organisations are recommended to apply the security patches released by Siemens in order to mitigate the threat. “All vulnerabilities that are being disclosed on Nov 9th have been fixed in the corresponding latest fix releases of active Nucleus version lines,” a Siemens spokesperson told ZDNet. Researchers also suggest that networks should be segmented in order to limit the exposure of any devices or software that could contain vulnerabilities but can’t be patched. “Make sure that you know your network, so even if devices are not patched and you know that probabilities exist, you can still live with a network configuration that lets you sleep at night,” said dos Santos.

    “The main thing is network segmentation and being able to know and to make sure that devices that are potentially vulnerable and maybe can’t be patched are contained, and can only talk to other devices they’re allowed to.”

    Nucleus:13 represents the final part of Forescout’s Project Memoria, which has worked to uncover and, when possible, help to patch security vulnerabilities in devices, some of which are decades old – designed at a time well before the rise of the Internet of Things was even predicted. “Many of these pieces of software are 20, 30 or even more years old. Unfortunately, that means that they were designed in a different age for different requirements and they’re just not up to date with security nowadays,” said dos Santos. “Many of these vulnerabilities are kind of predictable in the sense that they’re repeated over and over again over different pieces of software,” he added.

    The aim of the year-long project has been to showcase the vulnerabilities in older devices and to push for connected devices to be built with IoT security in mind – and to prevent the same old vulnerabilities causing problems going forward, particularly as the use of IoT devices continues to grow. “The expanded adoption of these types of technology by every type of organization, and their deep integration into critical business operations, will only increase their value for attackers over the long term,” warns the report.
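    As an added illustration of the bug class behind the three Nucleus:13 FTP CVEs described above (a client-supplied PWD/XPWD or MKD/XMKD argument copied into a fixed stack buffer without a length check), here is a bounded C command parser and MKD handler that reject over-long input before any copy. This is example code written for this article, not Nucleus, Siemens or Forescout code; the buffer limits, function names and the reply text are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative limits, constructed for this example (not Nucleus values). */
#define FTP_LINE_MAX 512   /* longest command line accepted, including CRLF */
#define FTP_ARG_MAX  255   /* longest path argument the handlers will accept */

enum ftp_status { FTP_OK = 0, FTP_ERR_TOO_LONG = -1, FTP_ERR_BAD_CMD = -2, FTP_ERR_NO_ARG = -3 };

struct ftp_cmd {
    char   verb[5];                 /* PWD, XPWD, MKD or XMKD plus NUL */
    char   arg[FTP_ARG_MAX + 1];    /* NUL-terminated path argument */
    size_t arg_len;
};

/* The Nucleus:13 FTP bugs come from copying a client-supplied argument into
 * a fixed buffer without comparing its length to the buffer size. Here every
 * copy is bounded and over-long input is rejected before any byte is written. */
int ftp_parse_cmd(const char *line, size_t line_len, struct ftp_cmd *out)
{
    size_t i, verb_len, arg_len; int needs_arg;
    if (line_len > FTP_LINE_MAX)
        return FTP_ERR_TOO_LONG;
    while (line_len > 0 && (line[line_len - 1] == '\r' || line[line_len - 1] == '\n'))
        line_len--;                             /* strip the CRLF terminator */
    for (i = 0; i < line_len && line[i] != ' '; i++)
        ;
    verb_len = i;
    if (verb_len == 0 || verb_len >= sizeof out->verb)
        return FTP_ERR_BAD_CMD;                 /* longer than any verb we accept */
    memcpy(out->verb, line, verb_len);
    out->verb[verb_len] = '\0';
    if (strcmp(out->verb, "PWD") == 0 || strcmp(out->verb, "XPWD") == 0)
        needs_arg = 0;
    else if (strcmp(out->verb, "MKD") == 0 || strcmp(out->verb, "XMKD") == 0)
        needs_arg = 1;
    else
        return FTP_ERR_BAD_CMD;
    while (i < line_len && line[i] == ' ')
        i++;
    arg_len = line_len - i;
    if (needs_arg && arg_len == 0)
        return FTP_ERR_NO_ARG;
    if (arg_len > FTP_ARG_MAX)
        return FTP_ERR_TOO_LONG;                /* the check the vulnerable stacks lacked */
    memcpy(out->arg, line + i, arg_len);
    out->arg[arg_len] = '\0';
    out->arg_len = arg_len;
    return FTP_OK;
}

/* MKD handler keeping the path in a fixed stack buffer, as in the bug class,
 * but guarded by an explicit size comparison before the copy. */
int ftp_handle_mkd(const struct ftp_cmd *cmd, char *reply, size_t reply_sz)
{
    char dir[FTP_ARG_MAX + 1];
    if (cmd->arg_len >= sizeof dir)
        return FTP_ERR_TOO_LONG;
    memcpy(dir, cmd->arg, cmd->arg_len + 1);
    int n = snprintf(reply, reply_sz, "257 \"%s\" created", dir);
    return (n < 0 || (size_t)n >= reply_sz) ? FTP_ERR_TOO_LONG : FTP_OK;
}

/* Constructed round trip: parse "MKD incoming" and build its reply; 1 on success. */
int demo_mkd_reply(void)
{
    struct ftp_cmd cmd; char reply[64];
    if (ftp_parse_cmd("MKD incoming\r\n", 14, &cmd) != FTP_OK) return 0;
    if (ftp_handle_mkd(&cmd, reply, sizeof reply) != FTP_OK) return 0;
    return strcmp(reply, "257 \"incoming\" created") == 0;
}

/* Constructed probe: "MKD " followed by path_len 'A' bytes and CRLF, then parsed,
 * so a caller can walk the boundary between accepted and rejected lengths. */
int demo_parse_path(size_t path_len)
{
    char line[FTP_LINE_MAX + 8]; struct ftp_cmd cmd;
    if (path_len > FTP_LINE_MAX)
        return FTP_ERR_TOO_LONG;                /* would not fit our own buffer */
    memcpy(line, "MKD ", 4);
    memset(line + 4, 'A', path_len);
    memcpy(line + 4 + path_len, "\r\n", 2);
    return ftp_parse_cmd(line, path_len + 6, &cmd);
}
```

    A 255-byte path is accepted, a 256-byte one is refused with FTP_ERR_TOO_LONG, and a bare "MKD" yields FTP_ERR_NO_ARG, so the length decision is made once, in the parser, rather than trusted by each handler.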

  • Delivery robots are taking over college campuses

    Another campus, another rollout of roving delivery robots. You may not know it, but delivery robot vendors are making a play for campuses across the country in a bid to grab a market toe-hold in relatively structured environments free of many of the regulatory complications of municipalities. Starship Technologies has delivered 30 autonomous robots for food service to South Dakota State University in the latest example. The robots will deliver from three campus vendors — Grille Works, Papa Johns, and Starbucks — with additional locations to be added soon.

    “The one thing we have learned in recent years is that students and faculty like flexibility in their dining options,” said Doug Wermedal, associate vice president for student affairs at SDSU. “The ability to have something delivered to various locations throughout campus and the community will be impactful to our students and employees as they continue to manage busy and demanding schedules. We are excited about this partnership, the robotics technology and the student employment opportunities Starship will bring to our campus.”

    But does a campus of 14,000 students and faculty need 30 delivery robots? With ongoing concerns about clustered dining during the pandemic, there’s some case to be made for the flexibility and public health benefits of contactless delivery. One thing is certain: Starship Technologies has identified college campuses as important strategic markets in a highly competitive delivery paradigm with shifting regulatory considerations. Starship already has robots on the campuses of Arizona State University, Purdue University, George Mason University, and Northern Arizona University. Since launch, all campuses have increased the number of robots, dining options, and hours of operation to meet the high demand for the service. While the number of robots deployed on campuses isn’t a show stopper, the value to the company is exceptional.

    In many ways, colleges are the perfect test bed for delivery robots. Students tend to live well within a 30-minute delivery radius. Integration with meal plans, which is the model governing the SDSU rollout, helps ensure a ready customer base, and participating universities are easily wooed by the allure of being a forward-thinking institution with Silicon Valley connections (Starship is headquartered in the Bay Area). Campuses also offer an exceptional proof of concept for a variety of Starship’s constituents, from investors to prospective customers to regional regulatory bodies that are approaching robot delivery with appropriate caution. Halfway through 2021, Starship announced that it had repeatedly set delivery records in its campus deployments during the pandemic.

    “I hadn’t even heard of robot delivery before I started school, and now I don’t see a future without it,” said Claire Sunderman, a student at Bowling Green State University, where the company has a deployment. “I’d be perfectly happy to have a robot deliver a lot more things because it would save me so much time. Now that I am graduating, I will really miss the convenience and seeing the robots on campus every day — I wish I could take one with me!”

    That sort of attitude bodes well for companies like Starship, which aren’t just proving technology but also training a new generation of adopters. Other autonomous delivery companies have adopted similar tacks. A company called Flytrex, for example, made headlines by offering food delivery via drone at a golf course in North Dakota recently. The access-limited space permits management to collect waivers from golfers, which allows Flytrex to avoid the strict FAA regulations that apply when operating over public areas.

    But ultimately, these testbeds, while good for short-term adoption and product refinement, aren’t sufficient to sustain these companies. For widespread adoption to occur, automation firms still need to tackle the thorny issue of local regulatory hurdles. So far, companies like Starship (either out of prudence or because they don’t have deep enough pockets) have avoided the blitz mentality of Uber and Bird, which left local regulators scrambling to react, and have opted instead for a more methodical rollout.