More stories


    How to secure your home and office network: The best DNS blockers and firewalls

    How secure is your home or office network? I’ll assume you already have an antimalware/antivirus solution in place, such as Windows Security, which is built into Windows 10 and Windows 11 (and which I believe works particularly well). But antivirus isn’t enough. Escalating international tensions — coupled with an ever-increasing number of professionals working remotely — are driving the need for small-scale solutions and best practices to secure home and small-business networks and mobile devices from malware, malvertising, and other threats.


    What follows is a brief guide — with product recommendations and best practices — for those of you looking to navigate the rapidly evolving cybersecurity landscape. If you have limited network security experience but want to provide additional security for yourself, your small business, or your friends and family, this guide is for you. (If you’re looking for more extensive resources on networking security, CISA’s guide is a good place to start.) Below are the products I am currently using to protect my family’s home networks and mobile devices. (I expect to add more product and service recommendations when I have sufficient time to investigate them.)

    Mobile and device-based DNS VPN firewall

    If you can have only one solution, because you or your friends or loved ones cannot afford a hardware-based firewall device, look no further than NextDNS, which combines an encrypted VPN traffic tunnel with a hosted firewall and DNS blocking and filtering service. When installed as an app on a device, the service creates a private encrypted connection (VPN) to its cloud servers. Its basic functionality is to proxy Domain Name System (DNS) queries, check them against a large database of potentially malicious sites, and block them, depending on how restrictively the service is set up. This means that if you try to access a site listed on its blocklists, it will stop the connection. Blocklists for advertisements and pornography are also available, if enabled. It should be noted that NextDNS is not a VPN service (such as those covered recently by David Gewirtz) for creating anonymized private connections to the public internet or for end-to-end enterprise VPN connectivity (such as with OpenVPN), even though it uses its own VPN for the service to work. However, it can work in tandem with those services as needed. The service has native clients for iOS, MacOS, Android, Windows, Linux, and Chrome OS, and can be set as the default DNS on a broadband router or an IoT device. And best of all, the lowest tier of service is absolutely free. The “Pro” service has unlimited devices, unlimited queries, unlimited configurations, and costs a whole $20 per year. The only main drawback of this service is that it is client-based — meaning you need to install this software on every device you use it on. So it’s ideal for smartphones, tablets, and laptops when you are on a mobile network or using a public Wi-Fi or ethernet connection, but not suitable for “blanket” device coverage on a home or small office broadband network. It is also a DNS-based solution rather than an IP-based, connection-oriented solution, so it is not a true intrusion prevention solution such as a hardware firewall.

    To begin using it, simply visit nextdns.io and start a new configuration. The first thing you will want to take note of is your randomly issued ID, which is how you and your family members will identify yourselves to the service and how it will apply the specific security settings you choose to them.

    Image: NextDNS initial configuration screen in the web user interface (Jason Perlow/ZDNet)

    The clients all have similar configuration screens and are all easy to install, but the key things to remember are to enter the Configuration ID and to enable “Send Device ID”, because that ensures you are using the service with your specified configuration and that, when the system logs activity, you will be able to narrow down which device is having an event.

    Image: NextDNS client configuration in iOS (Jason Perlow/ZDNet)

    Once you have the clients connected to the NextDNS VPN, you can verify they are using the service and that it is logging the connections with the Logs tab at the top of the web portal UX. The logs page allows you to look at traffic logs on a per-device basis, for all DNS queries or just blocked queries.

    Image: Logs menu of the NextDNS user interface (Jason Perlow/ZDNet)

    Security protection options can be set in the Security menu tab, where various services can be enabled, such as AI-Driven Threats, Google Safe Browsing, Cryptojacking, DNS Rebinding, IDN Homograph Attacks, Typosquatting, Domain Generation Algorithms, Newly Registered Domains, Parked Domains, and Child Sexual Abuse Material. I have all of these currently turned on in my own configuration. Tracking and ad blocking are enabled in the Privacy menu tab. The two blocklists I currently have enabled are NextDNS’s own maintained list and OISD, which cover enough ground to protect mobile devices for most regular browsing and mobile app use while keeping functionality as unrestricted as possible. If you enable too many lists, you may find that certain apps (such as Facebook, with its Graph API) begin to misbehave, and then you will need to temporarily disable NextDNS for them to work again. So I would only add more blocklists, such as AdGuard and a few others on NextDNS’s curated list, one at a time to see how each affects your usability.

    Image: NextDNS Privacy menu (Jason Perlow/ZDNet)

    NextDNS also has a Parental Controls menu for locking out specific websites, apps, and games, as well as the ability to lock out pornography, piracy, dating, and social networks. NextDNS allows multiple Configuration IDs per account, so if you want to configure your children’s devices, you might want to assign them a separate Configuration ID as well as enter a Parental Passcode in their NextDNS app settings screen so it cannot be altered. You’ll also want to set parental controls on their devices using native app restrictions (such as the Content and Privacy Restrictions menu on iOS) so the NextDNS app cannot be deleted.

    Open Source wide-spectrum DNS blocking

    If you are inclined to host your own DNS proxy, and want the most flexible control over the domains you want to block on your premises, look no further than Pi-Hole. Originally built for the Raspberry Pi embedded development board, the open source project has become hugely popular with cybersecurity and privacy enthusiasts alike for its ability to block not just advertisers and trackers, but also malicious domains. 

    The easiest way to run it is to download Docker Desktop for your operating system (Windows, Mac), or Docker Engine for Linux, and then install Pi-Hole into a Docker container. This sounds scarier than it actually is – Docker Desktop is an easy wizard-based install, and the Pi-Hole part involves issuing a single command line to pull the Pi-Hole image (docker pull pihole/pihole), and another command line to fire up the container:

    docker run -d --name pihole -e ServerIP=172.16.154.130 -e WEBPASSWORD=password -e TZ=Europe/Copenhagen -e DNS1=127.17.0.1 -e DNS2=1.1.1.1 -e DNS3=8.8.8.8 -p 80:80 -p 53:53/tcp -p 53:53/udp -p 443:443 --restart=unless-stopped pihole/pihole:latest

    You will want to change the ServerIP, WEBPASSWORD, and TZ values to reflect your actual local IP address, the desired admin password, and your time zone (I used America/New_York). More elaborate instructions for Windows, documented by Andrew Denty on his blog, can be found here, and for Mac in Nathan Alderman’s article at iMore here. You will also want to make sure the system you intend to run it on has a static rather than a dynamic IP. Once you have Pi-Hole installed, you’ll want to connect via browser to the administrative interface on the system running it.

    Image: Pi-Hole administrative interface (Jason Perlow/ZDNet)
    As you can see, I have over two million domains set to be blocked. How do you do the same? You go into Group Management, choose Adlist (this is what Pi-Hole calls community-sourced lists of domains to be blocked), and then plug in the URL of the Adlist. Which Adlists should you use? Well, there are many lists you can choose from, all of which have different purposes such as Advertising, Suspected Malware, Malvertising, and others. But I consulted with Jason Ford, a principal engineer at a prominent Silicon Valley-based infosec company, and asked him what he used on his Pi-Hole. He was nice enough to give me his lists and his regular expressions for domain blocking. These include some very popular ones such as OISD, Steven Black, and some curated ones from Firebog. If you decide to use all of his lists, you’ll have over 2 million domains blocked on your Pi-Hole. Once you have pasted the URLs of the Adlists into the UX, you’ll want to go into Tools and choose Update Gravity. This is what refreshes the local database and populates the blocking engine. If there are specific domains you want to block or permit, you go into the Blacklist or Whitelist menus and put them in individually. (Note to Pi-Hole’s project team: these are considered noninclusive terminology; we suggest you use Denylist and Allowlist instead and have a look at the Inclusive Naming Initiative.) To begin using Pi-Hole on your devices and clients, change your DNS settings to point at the Pi-Hole machine. So, for example, my Pi-Hole is running on my 192.168.1.78 Windows machine – so I’ve set my Mac, my wife’s Windows PC, and a few other things to use it as the DNS. If you find the Pi-Hole is blocking a specific site or functionality that you need to use (such as a needed tracking cookie or script), simply whitelist the site or, temporarily, click on Disable from the left-hand administrative menu.
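    To make the Adlist, Update Gravity, and Whitelist/Blacklist mechanics above concrete, here is a small Python model of the blocking decision, added for this edit; it is not Pi-Hole project code, and the list contents and domain names in it are constructed for the example. It parses the two list formats Adlists commonly come in (hosts-file style “0.0.0.0 domain” and plain domain-per-line), merges them into a gravity set the way Update Gravity does, and then answers queries with the allowlist taking precedence over the hand-entered denylist, the regex denylist, and gravity.

```python
"""Model of the Pi-Hole blocking decision (added example, not Pi-Hole code).
Adlists are merged into a 'gravity' set; a query is answered in this order:
allowlist wins, then the exact denylist, then regex entries, then gravity.
All list contents and domain names are constructed for this example."""
import re

# Constructed sample adlists in the two formats Pi-Hole's gravity accepts:
# hosts-file style ("<ip> <domain>") and plain domain-per-line.
SAMPLE_HOSTS_LIST = """\
# constructed hosts-style list
0.0.0.0 ads.example
0.0.0.0 tracker.example   # inline comment is ignored
127.0.0.1 localhost
"""

SAMPLE_DOMAIN_LIST = """\
# constructed domain-per-line list
malware-c2.example
Typo-Squat.Example
"""

# "Sink" addresses used in the first column of hosts-style lists, and the
# hosts-file entries every such list carries but that must never be blocked.
HOSTS_SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
HOSTS_BOILERPLATE = {"localhost", "localhost.localdomain", "local",
                     "broadcasthost", "ip6-localhost", "ip6-loopback"}


def normalise(domain):
    """DNS names are case-insensitive; drop the trailing dot of FQDN form."""
    return domain.strip().lower().rstrip(".")


def parse_adlist(text):
    """Return the set of blockable domains in one adlist of either format."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in HOSTS_SINK_IPS:
            domain = parts[1]                    # hosts format: ip then name
            if normalise(domain) in HOSTS_BOILERPLATE:
                continue
        else:
            domain = parts[0]                    # plain domain format
        domains.add(normalise(domain))
    return domains


def build_gravity(adlists):
    """What 'Update Gravity' does: union every adlist into one lookup set."""
    gravity = set()
    for text in adlists:
        gravity |= parse_adlist(text)
    return gravity


class Blocker:
    """Decision logic for one queried name.

    Matching is on the exact name, as in Pi-Hole: a gravity entry for
    ads.example does not cover www.ads.example, which is why Pi-Hole offers
    regex entries for wildcard-style blocking.
    """

    def __init__(self, gravity, allowlist=(), denylist=(), regex_denylist=()):
        self.gravity = set(gravity)
        self.allowlist = {normalise(d) for d in allowlist}
        self.denylist = {normalise(d) for d in denylist}
        self.regex_denylist = [re.compile(p, re.IGNORECASE) for p in regex_denylist]

    def decide(self, query):
        """Return (blocked, reason) for a query name."""
        name = normalise(query)
        if name in self.allowlist:          # explicit allow beats every list
            return (False, "allowlist")
        if name in self.denylist:
            return (True, "denylist")
        for rx in self.regex_denylist:
            if rx.search(name):
                return (True, "regex:" + rx.pattern)
        if name in self.gravity:
            return (True, "gravity")
        return (False, "not listed")


def demo():
    """Build a blocker from the sample lists and classify a few queries."""
    gravity = build_gravity([SAMPLE_HOSTS_LIST, SAMPLE_DOMAIN_LIST])
    blocker = Blocker(
        gravity,
        allowlist=["tracker.example"],                    # a needed script
        denylist=["badsite.example"],                     # hand-entered entry
        regex_denylist=[r"(^|\.)doubleclick\.example$"],  # wildcard via regex
    )
    queries = ["ads.example", "www.ads.example", "tracker.example",
               "BadSite.Example.", "ad.doubleclick.example", "zdnet.example"]
    return {q: blocker.decide(q) for q in queries}


if __name__ == "__main__":
    for query, (blocked, reason) in demo().items():
        print(f"{query:26} {'BLOCK' if blocked else 'allow':5} ({reason})")
```

    The exact-match behaviour is the point to notice when an app misbehaves: whitelisting the one name the app needs (as the text suggests) is narrower than temporarily disabling blocking altogether, and a regex entry is what you reach for when a list entry needs to cover every subdomain.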
    You can choose to disable it indefinitely, for 10 seconds, for 30 seconds, for 5 minutes, or for a custom time.

    Enterprise-grade firewall appliance for home and SMB: Firewalla

    While there are many hardware firewall and network intrusion protection products available in the medium/large SMB and the enterprise space (such as Cisco Meraki, SonicWall, Palo Alto Networks, Fortinet, Ubiquiti, WatchGuard, and Sophos), there are very few priced for homes and smaller SMBs. What I currently use for myself and my immediate family, and have recommended to friends and colleagues, is the Firewalla series of products, from a company founded by a group of former Cisco engineers.

    Image: Firewalla web user interface, dashboard view (Jason Perlow/ZDNet)
    I like Firewalla because it is very easy to install, it isn’t particularly expensive, and it has no ongoing fees. Unlike the DNS blocking solutions above, it is a true embedded Linux, IP-based rules firewall with advanced intrusion detection capabilities that can monitor every device on your home network.

    Image: Firewalla web interface, flows view (Jason Perlow/ZDNet)
    Firewalla also has a very good user interface and mobile app for administering it and receiving alerts, and a pretty robust remote management web interface. You don’t need to be a network security genius to set rules and protect your network.

    Image: Firewalla mobile app on iPad (Jason Perlow/ZDNet)
    You can certainly do some very granular protections and permissions on a per-device basis and set block lists of different target groups and lots of other things, but for the most part, the default configuration when applied to all devices on the network is likely sufficient for most home users. Firewalla’s CEO and founder, Jerry Chen, has published a best practices guide (Part 1, Part 2, Part 3) that I suggest you review once you get your box running. Additionally, if you are not sure which router mode to use with your Firewalla (Router, Bridge, DHCP, Simple) read this guide, and if you want to understand how it intercepts network traffic, read here.

    Firewalla Red is for residences with 100 meg broadband or less. It’s a small red box powered by a USB cable that plugs into one of the spare ports of your home broadband router. It uses ARP spoofing or DHCP mode to monitor all your network devices. 

    Firewalla Blue Plus is for residences with 500 meg broadband or less. In addition to the faster network port and the capabilities of the Red, it has Geo-IP filtering so you can block entire countries off your network, not just IP ranges or domains. It also incorporates a VPN Server, VPN Client, and Site to Site VPN. Because of the Geo-IP filtering, and the currently evolving situation in Eastern Europe, my suggestion is that the Blue Plus should be the minimum considered configuration unless you are really on a budget or have a minimalistic device footprint at home.

    Firewalla Purple is for residences with 1 gig of broadband or less. It is the newest product released by the company and is pretty much the ultimate home network defense device you can buy for the money. In addition to the capabilities of the Blue Plus, it is a complete router replacement (which can act in bridge mode if the existing broadband router needs to stay in place) with twin gigabit Ethernet ports. It has a short-range Wi-Fi access point for tethering to a smartphone as backup internet connectivity.

    Firewalla Gold is a powerful intrusion detection, IP firewall, and multi-gigabit router for SMBs (100 employees or less). Introduced before the Purple, it is essentially a Firewalla Purple on steroids, with four gigabit Ethernet ports, powered by an x86-based chip rather than the Arm-based chip that the Purple, Red, and Blue all use. However, it’s probably overkill for most homes unless you have a broadband connection with higher than gigabit network traffic requirements.

    Open Source Firewalls: OPNSense and pfSense

    If you are inclined to set up an actual software-based firewall on a border gateway on your premises and want something that is robust but not expensive, then look no further than OPNsense.

    OPNSense, Hagennos, CC BY-SA 4.0, via Wikimedia Commons

    OPNSense is an open source firewall system based on the BSD UNIX operating system; the project itself is forked from pfSense, which in turn derives from m0n0wall. It has the following list of core features:

    • Traffic Shaper
    • Two-factor Authentication throughout the system
    • Captive portal
    • Forward Caching Proxy (transparent) with Blacklist support
    • Virtual Private Network (site to site & road warrior, IPsec, OpenVPN & legacy PPTP support)
    • High Availability & Hardware Failover (with configuration synchronization & synchronized state tables)
    • Intrusion Detection and Prevention
    • Built-in reporting and monitoring tools including RRD Graphs
    • Netflow Exporter
    • Network Flow Monitoring
    • Support for plugins
    • DNS Server & DNS Forwarder
    • DHCP Server and Relay
    • Dynamic DNS
    • Encrypted configuration backup to Google Drive
    • Stateful inspection firewall
    • Granular control over state table
    • 802.1Q VLAN support

    The complete feature list of what this software project can do extends far beyond this list. It is downloadable as a 64-bit x86 ISO or USB installer image so that you can install it on a PC with (at least two) Ethernet ports. The project also sells it pre-installed on a hardware appliance in multiple configurations, starting with 4-port gigabit networking, a 600 Mbps IPsec VPN, 16 GB of flash storage, 4 GB RAM, and a fanless casing and mainboard for 549 EUR.

    Similar to OPNSense is pfSense, which has a comparable feature set and similar hardware requirements. As with OPNSense, pre-configured appliances are available, from as low as $189 for a small office/branch office configuration. You could certainly use one of these for a home firewall solution, but you’d need a considerable amount of networking and network security experience to administrate it.


    Almost 100,000 new mobile banking Trojan strains detected in 2021

    Researchers have found almost 100,000 new variants of mobile banking Trojans in just a year.


    As our digital lives have begun to center more on handsets rather than just desktop PCs, many malware developers have shifted part of their focus to the creation of mobile threats. Many of the traditional infection routes are still workable — including phishing and the download and execution of suspicious software — but cyberattackers are also known to infiltrate official app stores, including Google Play, to lure handset owners into downloading software that appears to be trustworthy. This technique is often associated with the distribution of Remote Access Trojans (RATs). While Google maintains security barriers to stop malicious apps from being hosted in its store, there are methods to circumvent these controls quietly. In 2021, for example, Malwarebytes found an app in Google Play disguised as a useful barcode scanner with over 10 million active installs. While the app was submitted as legitimate software, an update was issued to the software after it had accumulated a huge user base, turning the app into an aggressive adware nuisance. The same tactic can be used to turn seemingly benign apps into banking Trojans designed to steal your financial data and account credentials from online services. In the mobile world, theft can occur by redirecting users to phishing pages or by performing overlay attacks, in which a phishing window covers a banking app’s display. Trojans may also quietly sign up their victims to premium telephone services. Recent examples of Trojans ending up in Google Play include Joker and Facestealer.

    According to new research published by Kaspersky, 97,661 new mobile banking Trojan variants were detected in 2021, alongside 17,372 new mobile ransomware Trojans and a total of 3,464,756 malicious installation packages, .APKs that can be installed on jailbroken devices or those that accept apps from unknown developers.  The banking Trojans responsible for the most detected attacks over 2021 were Trojan-Banker.AndroidOS.Agent, Trojan-Banker.AndroidOS.Anubis, and Trojan-Banker.AndroidOS.Svpeng.
    Residents of Japan, Spain, Turkey, France, Australia, Germany, Norway, Italy, Croatia, and Austria are most commonly targeted by mobile banking Trojans. Kaspersky says that after a steep climb in the number of attacks detected in 2020, banking Trojan rates are now on the decline.
    The cybersecurity researchers added that there is a “downward” trend in mobile attacks in general, but “attacks are becoming more sophisticated in terms of both malware functionality and vectors.”


    OAIC wants legislation seeking to expand digital ID services to be more aligned with CDR

    Image: Digital Transformation Agency
    The Digital Transformation Agency’s (DTA) Trusted Digital Identity Bill is in its final phase of development before it is introduced into Parliament. The Bill seeks to expand the application of Australia’s federal digital identity system to state and territory governments and the private sector. While the federal government already has its Trusted Digital Identity Framework in place, the framework is only applicable to federal government entities and not applicable to states and territories or the private sector. The Bill, if passed, would create another framework that allows state and territory governments and the private sector to facilitate online transactions requiring a digital identity, which the DTA hopes will reduce friction and delay in online environments. In this final phase, the DTA has been calling for relevant stakeholders to review the Bill’s exposure draft, with the Office of the Australian Information Commissioner (OAIC) calling for various privacy changes ranging from consent definitions to alignment with other government regimes to limiting law enforcement access. On the consent front, the OAIC — which is set to be the regulator of the legislation’s privacy requirements — said the Bill should explicitly limit the maximum duration of an enduring consent to disclosure of attributes to 12 months. Under the exposure draft, there is currently no expiry date for a person’s consent when it comes to their digital identity being accessible by an entity providing digital identity services. The OAIC added that consent definitions contained in the Bill should align with the Consumer Data Right (CDR) in being voluntary, informed, and specific. “Alignment between privacy obligations is essential to promote clarity for individuals and regulated entities,” the OAIC said.

    For instances where a cybersecurity or digital fraud incident has occurred, the OAIC also said the Bill should be amended so that only one accredited entity or participating relying party is required to notify affected individuals or businesses in relation to the particular incident. The privacy regulator said limited notifications would prevent people from having notification fatigue. “The OAIC is concerned that the numerous notifications to individuals will lead to notification fatigue such that individuals will no longer treat notifications as serious,” the regulator said. The OAIC also strongly recommended that law enforcement access to digital identity information for non-biometric information be limited further to only permit access to address misuse or fraud within the digital identity system, or pursuant to a warrant. The current drafting of the Bill allows law enforcement access to digital identity information so long as it has reasonable suspicion a person has committed an offence or breached a law. The Commonwealth Bank of Australia, meanwhile, has submitted to the DTA that biometric data retention by digital identity service providers should be expanded to allow them to retain data when undertaking digital identity fraud investigations. As the DTA prepares for the potential digital identity framework expansion, the agency’s digital sourcing strategy director Ben Leech said accessibility would be at the core of any future services it builds. “When it comes to delivering quickly, having accessibility built in to the way we build and design all of our services, means that it’s not an afterthought,” Leech said on Tuesday afternoon, speaking on a panel at Pegasystems’ annual Evolve for Government APAC event.
    “I think that’s really important because backwards engineering something to add in accessible features down the track: one, it doesn’t work; two, you’re usually rushing things; and three, it slows down the process that was meant to be the quick process anyway.”


    IRS will let taxpayers opt out of ID.me facial recognition with a live interview

    US taxpayers who don’t want to submit biometric data simply to sign up for an online account with the IRS now have another option. The IRS will let taxpayers verify their identity via a live, virtual interview to create an account, the agency said Monday. 

    The new option in the agency’s authentication system is now available as a short-term solution for this year’s tax filing system, the IRS said. The agency received significant criticism for previously requiring taxpayers to authenticate their identity by providing a selfie. The IRS used facial recognition software from ID.me to analyze the selfies after signing an $86 million contract with the company. Civil rights groups and members of Congress from both parties questioned how the IRS could begin the use of facial recognition without advance warning. Consequently, earlier this month, the IRS said it would stop using the ID.me facial recognition software, adding in a statement that it will “transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts.” However, the announcement did little to quell outrage about the initial decision to use ID.me’s tools, and senators on both sides of the aisle continued to raise concerns about what information ID.me gained access to. The IRS said Monday that taxpayers will still have the option to verify their identity automatically with ID.me’s biometric verification tools. For taxpayers who select this option, new requirements are in place to ensure images provided by taxpayers are deleted for the account being created. Furthermore, the IRS said, any existing biometric data from taxpayers who previously created an IRS Online Account that has already been collected will also be permanently deleted over the course of the next few weeks. For future tax filing seasons, the IRS is aiming to roll out Login.Gov as an authentication tool.


    464 Australian data breaches reported to the OAIC in latter half of 2021

    The private health services industry is once again the sector with the highest number of reported data breaches in Australia, accounting for 18% of all breaches notified to the Office of the Australian Information Commissioner (OAIC) during the latter half of 2021. Out of the total 464 data breach notifications sent to the OAIC during the six months to December, private health service providers reported 83 of them. Finance filed the second most with 56, while legal, accounting, and management services rounded out the top three with 51. The 464 data breaches received by the information commissioner under the Notifiable Data Breaches (NDB) scheme marked a 6% increase when compared to the first half of 2021. Looking at the data breaches notified to the commissioner during this period, malicious or criminal attacks remained as the leading source of breaches, accounting for 256 notifications. Despite malicious or criminal attacks being the biggest reason for data breaches, the 256 notifications are a 9% decrease from the previous period. At the same time, there was a significant rise in breaches due to human error, which increased by 43% to 190, after a dip in the previous period. System faults, meanwhile, were the source of 4% of data breaches during the period. Unpacking the top causes of human error breaches notified to the OAIC, 43% of them were due to personal information being emailed to the wrong recipient, 21% were due to unintended release, while 8% arose from people losing paperwork or data storage devices. Most breaches, 85%, involved contact information such as an individual’s name, home address, phone number or email address. Identity information such as date of birth, passport details and driver licence details were exposed in 40% of data breaches. Financial details, such as bank account and credit card numbers, were involved in 39% of breaches.

    The NDB scheme has been in operation since early 2018, with Information Commissioner Angelene Falk saying she now expects organisations to have strong accountability measures in place to prevent and manage data breaches in line with legal requirements and community expectations. Despite this expectation, Falk noted that some organisations have continued to fall short of the scheme’s assessment and notification requirements. For example, 11% of organisations that experienced system faults did not become aware of the incident for over a year. “Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm,” Falk said. “If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.” Last month, the OAIC called for more data accountability measures in light of the Attorney-General’s Department (AGD) seeking consultation for its review of the Privacy Act. The AGD began its review into the country’s Privacy Act at the end of 2020 as part of the Commonwealth’s response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry, which found the laws needed to be updated to adequately protect consumers and their data. Among the measures being pushed by the OAIC is a central obligation to collect, use, and disclose personal information fairly and reasonably for entities under the scope of Australia’s Privacy Principles.


    FBI: Now scammers are using fake video meetings to steal your money

    Business email compromise (BEC), a multi-billion dollar subset of phishing threats, might need a new name because the scams are no longer just about email. The FBI warns that scammers have ramped up video meetings as a tool to trick unsuspecting victims into handing over their money. Virtual meeting tools like Microsoft Teams and Zoom were the big winners of video during the pandemic. And where users go, unfortunately the scammers follow. BEC usually relies on fake, spoofed or compromised email domains to relay messages to targets with the aim of fooling them into making a wire transfer. The scams are technically simple but are often peppered with a carefully constructed backstory conducted via email that fools even well-trained employees. It is the top category of cybercrime measured by funds lost, which totalled $1.8 billion in 2020 based on cases reported to the FBI. BEC dwarfs reported ransomware losses. But BEC is not just about email. The FBI’s Internet Crime Center (IC3) says it has seen a surge in BEC scams using video meetings as the forum to communicate. This happened between 2019 and 2021, corresponding to the world’s shift to video meetings as we all adjusted to the COVID-19 pandemic and remote working. Video might not seem the most obvious medium for this type of scam because meetings require a physical presence and not just some text in email. But apparently video works when used in combination with email, which attackers are using to insert themselves in a subsequent trusted video conversation. “Criminals began using virtual meeting platforms to conduct more BEC related scams due to the rise in remote work because of the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually,” the FBI said. The BEC scam with video does still involve email as part of reconnaissance.
The attacker compromises employee emails and “inserts themselves in workplace meetings via virtual meeting platforms to collect information on a business’s day-to-day operations,” the FBI notes.

    The scammer can also break into an employer’s email, such as that of the CEO, and send spoofed emails to employees “instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.” Scammers may also ask employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or “deep fake” audio, and claim their video/audio is not properly working. “They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email,” the FBI said. BEC scams defy a clean definition because they can involve outsiders or insiders and often require just one legitimate officer to make an authorized transfer under false scenarios concocted by the scammer, such as an urgent email from a financial controller to a subordinate on a Friday afternoon. The FBI does offer several tips that employers should take note of. It’s a tough one for employers when employees can use Teams, Zoom, Google Meet, Slack or even Discord to have a video meeting. Employers and employees should, for example, “confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting,” says the FBI. The FBI also recommends implementing two-factor or multi-factor authentication (MFA) to verify requests for changes in account information. MFA might slow processes down but it does work and should be used for high-value accounts. Microsoft says only a fifth of organizations enabled MFA for enterprise email accounts in 2021. The FBI’s advice also contains somewhat obvious points about protecting financial details that may be forgotten during the normal course of business with trusted partners, including checking the URLs in emails, watching out for hyperlinks, and not sharing login credentials.
The FBI’s full list of dos and don’ts includes:

  • Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting.
  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or personal information of any sort via email.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
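Several of the FBI’s checks (sender address matching the claimed business, link URLs matching the business they claim to be from, misspelled look-alike domains, and hidden double file extensions) can be automated at the mail gateway or in a triage script. The following Python is an added example written for this page, not FBI or ZDNet code; it assumes a hypothetical trusted-domain list (`example-corp.com`, `bank-partner.example`), a crude two-label domain reduction, and a constructed sample message that imitates the “CEO stuck in a meeting” wire request described above.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: the organisation's own domain plus the partners it normally transacts with.
TRUSTED_DOMAINS = {"example-corp.com", "bank-partner.example"}

# Extensions that Windows hides by default, so "invoice.pdf.exe" is shown as "invoice.pdf".
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "cmd", "bat", "lnk", "ps1"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small value between domains flags a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Real deployments should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or clearly unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2 or trusted.split(".")[0] in domain:
            return trusted
    return None


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: bytes) -> List[str]:
    """Apply the sender, hyperlink and attachment-extension checks to one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    # Sender check: the real address behind the display name must belong to a trusted domain.
    _, sender_addr = parseaddr(str(msg["From"] or ""))
    sender_domain = registered_domain(sender_addr.rsplit("@", 1)[-1]) if "@" in sender_addr else ""
    if sender_domain not in TRUSTED_DOMAINS:
        hit = lookalike_of(sender_domain)
        findings.append(f"sender domain {sender_domain!r}" + (f" looks like {hit!r}" if hit else " is not trusted"))

    # A Reply-To that points somewhere other than the From domain is a classic BEC tell.
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and registered_domain(reply_addr.rsplit("@", 1)[-1]) != sender_domain:
        findings.append(f"Reply-To {reply_addr!r} differs from From domain")

    # Hyperlink check: the host the link really goes to versus the host shown in the anchor text.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            href_host = registered_domain(urlparse(href).hostname or "")
            shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
            shown_host = registered_domain(shown.group(0)) if shown else None
            if shown_host and shown_host != href_host:
                findings.append(f"link text shows {shown_host!r} but points to {href_host!r}")
            hit = lookalike_of(href_host)
            if hit:
                findings.append(f"link host {href_host!r} looks like {hit!r}")

    # Attachment check: a double extension ending in an executable type.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        if len(pieces) >= 3 and pieces[-1] in EXECUTABLE_EXTENSIONS:
            findings.append(f"attachment {name!r} hides executable extension .{pieces[-1]}")
    return findings


# Constructed sample (not a real message): a spoofed "CEO in a meeting" wire request.
SAMPLE = b"""From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@gmail.com
To: controller@example-corp.com
Subject: Urgent wire before 5pm
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Stuck in a meeting, please approve via <a href="http://bank-partner.example.evil.test/login">bank-partner.example</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```

Run against the sample it reports three findings: the sender domain `examp1e-corp.com` is one edit away from `example-corp.com`, the Reply-To goes to a webmail domain, and the link text shows `bank-partner.example` while the href actually lands on `evil.test`. The edit-distance threshold and the two-label domain reduction are deliberately simple; a production filter would use a public-suffix list and homoglyph normalisation.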


    NIST proposes model to assess cybersecurity investment strategies in network security

    NIST and university researchers have proposed a new computational model for assessing cybersecurity costs in network protection.

The larger the network, the more opportunities there may be for threat actors to infiltrate, cause damage, or conduct theft. Today’s corporate networks often present a vast attack surface, including Internet of Things (IoT) devices, mobile products, remote work tools, on-prem and off-prem services, and cloud systems. It can be a challenge for businesses to work out which areas matter most for cybersecurity investment, but a new computational model could take some of the guesswork out of that decision.

Authored by US National Institute of Standards and Technology (NIST) researchers Van Sy Mai, Richard La, and Abdella Battou, a new paper published in IEEE/ACM Transactions on Networking, titled “Optimal Cybersecurity Investments in Large Networks Using SIS Model: Algorithm Design,” proposes “a way to determine optimum investments needed to minimize the costs of securing these networks, providing recovery from infections and repairing their damage.”

The algorithm was designed with pandemic and disease tracking as inspiration. Biological viruses spread through a population with no immunity via social contact; digital viruses likewise spread through networks and points of system-to-system contact if no protection is in place. “A virus/malware infection in one system can spread internally, attacking other systems, potentially impacting the overall system,” NIST says. “The problem is similar to that of the spread of diseases in social networks.”

The model uses datasets based on a network’s long-term behavior to generate key performance metrics for analyzing large network systems and their risk areas. Whereas vaccination rates can be used to measure the effect of protection on a pandemic’s risk level and spread, this study imposes a time-averaged security cost on protecting different elements of a network, with the overall aim of developing cybersecurity investment strategies.

The researchers’ “susceptible-infected-susceptible” (SIS) model considers investments, economic loss, and the recovery requirements caused by malware infections. Four algorithms assess the probability of a network being breached, the likely rate of spread, how long (and how much it would cost) to repair the damage, and the expense associated with full recovery. These assessments are then compared against the model’s investment strategies, including network monitoring and diagnostics, to recommend the “optimal” areas in which money should be spent to protect a network.

The study may point to how machine learning could be harnessed as a foundation for cybersecurity investment decisions in the future. It could also become a valuable tool for enterprise users, who today face an average cost of at least $4 million from a data breach.

In related news this month, NIST has been working on improved product labeling for IoT devices and software to improve cybersecurity education and help consumers make more informed choices.
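To make the SIS idea concrete, here is a toy version of the trade-off the paper studies, written for this page; it is not the NIST authors’ algorithm and uses none of their data. It assumes (all labelled in the code) a six-node constructed network with a hub such as a file server, a mean-field SIS dynamic in which each node’s infection probability rises with infected neighbours and falls with its recovery rate, protection spending that raises a node’s recovery rate, and a total cost equal to money spent plus a per-node damage rate times the time-averaged number of infected nodes. A simple greedy allocator then shows how different spending patterns change that time-averaged cost.

```python
from typing import List, Sequence, Tuple

# Constructed toy network (not from the paper): node 0 is a hub such as a file server.
N = 6
EDGES: List[Tuple[int, int]] = [(0, 1), (0, 2), (0, 3), (0, 4), (0, 5), (1, 2), (3, 4)]
BETA = 0.5          # infection rate per infected neighbour (assumption)
BASE_DELTA = 0.2    # recovery/clean-up rate with no investment (assumption)
GAIN = 0.4          # extra recovery rate bought per unit of investment (assumption)
LOSS = 1.0          # damage cost per infected node per unit time (assumption)


def adjacency(n: int, edges: Sequence[Tuple[int, int]]) -> List[List[int]]:
    """Undirected adjacency lists for the toy network."""
    adj: List[List[int]] = [[] for _ in range(n)]
    for a, b in edges:
        adj[a].append(b)
        adj[b].append(a)
    return adj


ADJ = adjacency(N, EDGES)


def sis_average_infection(investment: Sequence[float], horizon: float = 100.0, dt: float = 0.05) -> float:
    """Forward-Euler integration of the mean-field SIS equations
         dp_i/dt = (1 - p_i) * BETA * sum_{j~i} p_j - delta_i * p_i
    from a fully infected start. Returns the time-averaged expected number of infected nodes."""
    delta = [BASE_DELTA + GAIN * x for x in investment]
    p = [1.0] * N
    area = 0.0
    for _ in range(int(horizon / dt)):
        pressure = [BETA * sum(p[j] for j in ADJ[i]) for i in range(N)]
        p = [min(1.0, max(0.0, p[i] + dt * ((1.0 - p[i]) * pressure[i] - delta[i] * p[i])))
             for i in range(N)]
        area += sum(p) * dt
    return area / horizon


def total_cost(investment: Sequence[float]) -> float:
    """Time-averaged security cost: money spent plus expected damage from infections."""
    return sum(investment) + LOSS * sis_average_infection(investment)


def greedy_allocation(budget: float, step: float = 0.5) -> List[float]:
    """Spend the budget in `step` increments, each time on the node whose extra protection
    lowers total cost the most; stop early once no further step pays for itself."""
    x = [0.0] * N
    current = total_cost(x)
    while sum(x) + step <= budget + 1e-9:
        best_i, best_cost = None, current
        for i in range(N):
            trial = list(x)
            trial[i] += step
            c = total_cost(trial)
            if c < best_cost:
                best_i, best_cost = i, c
        if best_i is None:
            break
        x[best_i] += step
        current = best_cost
    return x


if __name__ == "__main__":
    budget = 3.0
    allocations = {
        "no investment": [0.0] * N,
        "uniform": [budget / N] * N,
        "greedy": greedy_allocation(budget),
    }
    for label, alloc in allocations.items():
        print(f"{label:14s} spend={sum(alloc):.2f} "
              f"avg infected={sis_average_infection(alloc):.2f} cost={total_cost(alloc):.2f}")
```

The point of the toy is the shape of the problem rather than the numbers: protection on one node lowers the infection pressure on its neighbours, so the cheapest allocation is a property of the whole graph, not of nodes in isolation. The real paper optimises this over large networks with purpose-built algorithms; the greedy loop here is only a stand-in to show the objective being minimised.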


    Security spend to reach $1 billion in Brazil in 2022

    According to analyst firm IDC, overall security spending is expected to reach nearly $1 billion in Brazil this year, an increase of 10% in relation to 2020.


Of that total, spending on security solutions will reach $860 million, the analyst said, with cloud security becoming a key area of focus for Brazilian IT decision-makers. According to IDC, 2022 will see firms dealing with an increasing number of cyberattacks, a trend that has gathered pace since the start of the COVID-19 pandemic. The research added that managed detection and response (MDR) services will continue to gain ground as the demand for skilled professionals intensifies.

The shortage of information security skills is one of the most significant issues facing Brazilian IT organizations, cited by 40% of the businesses polled by IDC. In addition, 57% said they will rely on external help to manage and operate environments with modern cybersecurity solutions, because of the shortage of professionals to bolster internal teams.

With over 33 million intrusion attempts in 2021, Brazil ranks behind only the US, Germany and the UK for ransomware attacks, according to a cyber threats report released by SonicWall. In 2020, Brazil ranked ninth in the same list, with 3.8 million ransomware attacks. According to the SonicWall report, Brazil also stands out for malware attacks, which rose over 61% to 210 million in 2021, compared with approximately 130 million the prior year.

According to a separate study released in December 2021 by PwC, the vast majority of Brazilian companies plan to boost their cybersecurity budgets in 2022. The study noted that the rise in cyberattacks against local organizations was among the key concerns of senior decision-makers. It found that 45% of Brazilian companies expect an increase of 10% or more in data security investment, compared with 26% worldwide. Only 14% of Brazilian leaders expressed the same level of concern about cybersecurity in 2020, against 8% worldwide. In 2021, 50% of the companies polled by PwC said they had allocated up to 10% of their technology budget to security-related actions.