More stories

    Regulations against ransomware payment not ideal solution

    With ransomware attacks increasing, legislation has been mooted as a way to bar companies from paying up and further fuelling such activities. In this second piece of a two-part feature on ransomware, ZDNet looks at how such policies can be difficult to enforce and may result in more dire consequences.

    Regulations that compelled victims not to pay up could put these businesses in a precarious position, said Steve Turner, a New York-based Forrester analyst who focuses on security and risk. For one, any debate over whether to pay up would be muted when physical lives were at stake. Turner pointed to ransomware attacks that brought down critical infrastructure systems such as power and healthcare, impacting the likes of US Colonial Pipeline, Ireland’s Health Service Executive, and Germany’s Duesseldorf University Hospital.

    The US pipeline operator paid almost $5 million in ransom, the bulk of which was later recovered by authorities, while the Irish healthcare operator refused to pay and spent weeks struggling to recover from the attack, affecting hundreds of patients. The Duesseldorf hospital’s inability to function also indirectly caused the death of a patient whose treatment was delayed because she had to be rerouted to a hospital further away.

    Capgemini’s Southeast Asia head of cybersecurity Hamza Siddique noted that threat actor groups now had such great success in inflicting critical impact on their victims that it left these organisations with few viable options other than to pay up. “Paying the ransom may be the less expensive option for a cash-strapped company than engaging in the painstaking [task of] rebuilding company systems and databases,” Siddique said in an email interview. “Other entities may choose to pay the threat actor in hopes of avoiding the public release of sensitive information, which may lead to bankruptcy or legal issues.” He advised victims to make “informed decisions” on whether to fork out the ransom or embark on the more difficult path of building from scratch. Paying the ransom not only encouraged threat actors to engage in future ransomware attacks, but also provided funds for these groups to act against nations, governments, and foreign policy interests, he noted.

    On whether penalties should be imposed on companies that chose to pay the ransom, he said this decision should be made in line with the country’s IT policy and cost-benefit analysis. Foremost, emphasis should be on not paying, Siddique said, adding that this should be the case if the impact on the business was low. However, if the impact could lead to bankruptcy or major legal issues, organisations should be allowed to decide if they wanted to pay the ransom, he said.

    Acronis’ CISO Kevin Reed noted that in the short term, regulations that outlawed ransom payment could have significant adverse effects, but in the long term might have an overall positive impact. He said in a video interview that cybercriminals were interested mainly in financial gains and if they faced increasing obstacles in their efforts to extract money, they would stop doing it. However, he cautioned, criminals tended to be creative in how they extorted money, moving from one plan to another until they succeeded in their goal.

    Regulations on cryptocurrency also not fool-proof

    CYFIRMA CEO and Chairman Kumar Ritesh suggested that regulations should instead focus on virtual currencies, since these were used to orchestrate ransom payments. Cryptocurrency exchanges or trading firms could be mandated to provide information to the relevant authorities so transactions or accounts with the targeted unique identifiers could be blocked or frozen, Ritesh said in a video interview. Without a trading platform on which to complete the transaction, cybercriminals would find it more difficult to convert their virtual currencies into fiat money. Turner noted that there already were regulations governing legitimate cryptocurrency trading platforms such as Coinbase, which included intricate identification processes before transactions were processed.

    Such policies that identified movements across these cryptocurrency hubs could help cut down illicit activities conducted by regular scammers who were not very tech-savvy. However, threat actor groups behind the recent massive ransomware attacks were not run-of-the-mill criminals, the Forrester analyst said in a video interview. For one, they would not be trading cryptocurrencies through common digital wallets. They typically had the skillsets to quickly move and launder these currencies, much like any organised crime operation, so these could be “clean” for use in the real world, he said.

    Furthermore, Turner added that cybercriminals would simply use alternative payment modes should more regulations be introduced to monitor cryptocurrency transactions or bar companies from paying ransoms. “Attackers will just find another payment mechanism that hasn’t been outlawed,” he said. “It could be something as [innocuous] as Walmart gift cards, as long as it doesn’t enable hackers to be traced and allows companies to pay the ransom. Outlawing [the use of] cryptocurrency will only put ransomware victims in a bad position.” Turner noted, though, that some form of regulation could raise the collective security posture of companies across the board, since there would be stronger motivation to avoid being put in a position where they would be held ransom.

    Policies needed to ensure vendors continue critical support

    Regulations also may be necessary to ensure businesses remain protected when vendors cease support for IT products and systems. For example, Western Digital in June advised users of its My Book Live and My Book Live Duo to unplug their devices from the internet following a series of remote attacks that triggered a factory reset, wiping out all data on the device. The breach was due to a vulnerability that was introduced in April 2011 due to a coding oversight. Launched in 2010, the storage devices were issued their final firmware update in 2015, after which Western Digital discontinued support for the products. The storage vendor later provided data recovery services for customers who lost data as a result of the attacks.

    Siddique noted that organisations today were mostly digital in nature and highly dependent on vendors and suppliers to provide support as well as reliable products over a longer period of time, and even after these systems were discontinued. “It’s imperative that there should be policies in place for a vendor to provide minimum support for discontinued product lines, considering client may not be in position to upgrade their software or may have certain dependency on the old version of the products,” he said. There should be clearly defined policies for such support to be provided for a specific minimum number of years after its market release, he suggested. Vendors also should be expected to provide information on upcoming product releases and ease migration to new products. He said changes could be made in the SLA (service level agreement) and, if it was not viable for vendors to maintain a support team for discontinued products, there should be a minimum requirement for such provisions based on the severity of security vulnerabilities.

    At the very least, Turner noted, vendors that chose to continue to support online services linked to their products should then also continue to offer support to the actual products. Otherwise, these online services should be disabled, he said, noting that Western Digital should have disabled the remote access or online services for the My Book models when it cut support for the products in 2015. “If there are no eyes on it, someone is going to exploit it,” the analyst said. He added that the optics would not look good for a manufacturer of data storage products to suffer a breach of this scale.

    Any potential regulation here could look at requiring vendors to support a product as long as they supported the services that required the product to connect to the internet, he said. However, Reed suggested that such policies, if introduced, should apply only to critical systems such as medical and industrial control systems. He noted that some hospitals today operated MRI (magnetic resonance imaging) machines that ran on old versions of Windows that were no longer supported by Microsoft. And these machines could impact actual lives, he said. While he agreed that software vendors should take more responsibility for their products, he said legislation was not necessary for all sectors.

    Constant review of third-party security critical as ransomware threat climbs

    Lulled into complacency, businesses face risks of supply chain attacks even after they have done their due diligence in assessing their third-party suppliers’ security posture before establishing a partnership. In this first piece of a two-part feature on ransomware, ZDNet discusses the need for continuous review of all touchpoints across their supply chain, especially those involving critical systems and data. Enterprises typically would give their third-party suppliers “the keys to their castle” after carrying out the usual checks on the vendor’s track history and systems, according to Steve Turner, a New York-based Forrester analyst who focuses on security and risk. They believed they had done their due diligence before establishing a relationship with the supplier, Turner said, but they failed to understand that they should be conducting reviews on a regular basis, especially with their critical systems suppliers.

    “Anyone who has the keys to the castle, we should know them in and out and have ongoing reviews,” he said in a video interview with ZDNet. “These are folks that are helping you generate revenue and, operationally, should be held accountable [to be] on the same level as your internal security posture.” Third-party suppliers should have the ability to deal with irregular activities in their systems and the appropriate security architecture in place to prevent any downstream effects, he added.

    Capgemini’s Southeast Asia head of cybersecurity Hamza Siddique noted that technical controls and policies established by third-party or supply chain partners did not always match up to their clients’ capabilities. This created another attack surface or easy target on the client’s network and could lead to risks related to operations, compliance, and brand reputation, Siddique said in an email interview.

    To better mitigate such risks, he said Capgemini recommends a third-party risk management strategy that pulls best practices from NIST and ISO standards. It encompasses, amongst others, the need to perform regular audits, plan for third-party incident response, and implement restricted and limited access mechanisms. The consulting firm’s service portfolio includes helping its clients build a strategy around detection and analysis as well as containment and recovery.

    Turner urged the need for regular reassessments of third-party systems or, if this could not be carried out, for organisations to have in place tools and processes to safeguard themselves against any downstream attacks. “There needs to be inherent security controls so if something goes off baseline, these can react to ensure [any potential breach] doesn’t spread. A zero trust architecture delivers on that,” he said. “Suppliers have an inherent trust relationship [with enterprises] and this needs to stop.”

    Steve Ledzian, FireEye Mandiant’s CTO and Asia-Pacific vice president, acknowledged that it was challenging to prevent supply chain attacks because these looked to abuse an existing level of trust between organisations and their third-party vendors. However, he said there still were opportunities to detect and mitigate such threats since hackers would need to carry out other activities before launching a full attack. For instance, after successfully breaching a network via a third-party vendor, they would need to map out the targeted organisation’s network, identify the systems that held critical data, and figure out the privileged credentials they needed to steal to gain access, before they could move laterally within the network.

    “Once the hacker is in your network, and you’re in detection mode, you have the opportunity to identify and stop them before they are able to breach your data,” Ledzian said in a video interview, stressing the importance of tools and services that enabled enterprises to quickly detect and respond to potential threats. Their defence strategy against ransomware attacks also should look beyond simply purchasing products and into how systems were configured and architected. The main objective here was to bolster the organisation’s resilience and ability to contain such attacks, he added.

    Acronis’ CISO Kevin Reed also noted that the majority of attacks today still were neither highly sophisticated nor zero-day attacks. Attackers typically needed time and effort after identifying a vulnerability to develop an exploit for it and to make it work successfully. Reed said in a video interview that hackers usually would take several days to develop a workable exploit and this task was increasingly more difficult with modern software architectures. “So it takes time to weaponise a vulnerability,” he said, adding that even highly skilled hackers would take 72 hours to do so. This meant organisations should act quickly to plug any vulnerabilities or deploy patches before exploits were available.

    He advocated the need for organisations to assess their suppliers’ security posture, validating and cross-verifying that these third-party vendors had the right processes and systems in place. This might be more challenging for small and midsize businesses (SMBs) that did not have the resources or expertise to do so, he noted. Reed added that these companies typically depended on their managed service providers to fulfil the responsibility. Here, he underscored the need for managed service providers to step up, especially in the wake of the Kaseya attack.

    Increased partnership between hackers a worrying trend

    Ransomware attacks, though, may be primed to get more sophisticated and deployed more quickly in future, as they are no longer developed by a single hacker. According to Ledzian, cyberattacks increasingly are broken down into different parts and delivered by different threat actors specialised in each piece of the attack. One might be tasked to build the malware, while other affiliates focused on reconnaissance and breaching a network and developing the exploit. “When you have specialised skillsets, then each component is more competent,” he cautioned.


    Sherif El-Nabawi, CrowdStrike’s Asia-Pacific Japan vice president of engineering, also highlighted the rise in teamwork amongst cybercriminals and the emergence of ransomware-as-a-service. Describing this as an alarming trend, El-Nabawi noted that five or six separate groups specialised in all aspects of a ransomware chain could band together, so a single group no longer needed to develop everything on its own. Such partnerships could entice more threat actor groups to come into play and fuel the entire industry, he said.

    Ledzian added that ransomware attacks also had evolved to become multi-faceted exploitation, with cybercriminals realising data theft would have a more severe impact on businesses than a service disruption. Having data backups would no longer be sufficient in such instances, as attackers gained greater leverage over businesses concerned about threats to make confidential data public, he said.

    According to CYFIRMA CEO and Chairman Kumar Ritesh, cybercriminals were moving their target towards young companies and large startups with access to large volumes of personal data, such as developers of “super apps” and mobile apps. He further pointed to increasing focus on OT (operational technology) systems, such as oil and gas and automotive, as well as process manufacturing industries. In particular, Ritesh told ZDNet that there was growing interest in autonomous and connected vehicles, whose dashboards enabled users to access their smart home and Internet of Things (IoT) systems. Some of these systems, he noted, lacked basic security features, with communication links between car and home systems left unsecured and at risk of being exploited. Cybercriminals also were shifting focus towards individuals and high-level influencers, such as employees working in their organisation’s product research team or who had privileged credentials that gave them access to critical data and systems, he said.

    With remote work now the norm amidst the global pandemic, he added that such risks were exacerbated as personal devices that were not adequately secured could be easily breached to give hackers access to a company’s network and its intellectual property.

    COVID-19 vaccine portal for Italy's Lazio region hit with cyberattack

    The government of Lazio, Italy took to Facebook this weekend to notify residents of a cyberattack that hit the region’s portal for COVID-19 vaccinations and other IT systems. In a translation of the message posted to the official Lazio government Facebook page, officials said a “powerful” attack had hit the region’s databases on Sunday and that all systems are disabled, including the Salute Lazio portal and the system that managed the COVID-19 vaccine bookings. They added that vaccination operations may experience delays because of the attack. Government officials did not say if it was a ransomware attack.

    Nicola Zingaretti, president of the Lazio Region, also took to Facebook to let residents know that they still have not identified the people behind the attack, but he noted that the attack was “of criminal origin.” Zingaretti explained that the initial attack took place on Saturday night into Sunday morning and that it “blocked almost all of the files in the data center.”

    “At the moment the system is shut down to allow internal verification and to prevent the spread of the virus introduced with the attack. LazioCrea informs us that health data is safe, as well as financial and budget data,” Zingaretti said. “We are migrating essential services to external clouds to make them operational as soon as possible. 112, 118, Emergency Department, Transfusion Center and Civil Protection are safe and are providing services regularly. The situation is serious and we immediately alerted the Postal Police and the highest levels of the State, which we thank.”

    He later told a press conference that the region was facing an attack “of a terrorist nature” and called it a criminal offensive that is “the most serious that has ever occurred” on Italian territory. “The attacks are still taking place. The situation is very serious,” he said, according to ANSA. A source told the news outlet that the cyberattackers gained access to the system using the profile of an administrator. Through the stolen profile, they were able to activate a “crypto-locker” malware that “encrypted the data on the system,” the sources said. CNN reported that local officials have received a ransom demand.

    In subsequent messages, Zingaretti touted officials in Lazio that continued the COVID-19 vaccination drive in spite of the attack. He announced that the region reached a milestone of having 70% of the adult population vaccinated. Lazio region’s health manager Alessio D’Amato told Reuters that the attack was “very serious” and that “everything is out.” A state news agency said prosecutors in Rome and other law enforcement bodies are looking into the attack.

    The local government used Facebook to update residents about the COVID-19 situation in the region and said that, due to the IT systems being down, they were only able to share data about new COVID-19 positive cases, deaths and hospitalizations. Even though most IT systems were offline, some had been restored, including emergency networks, time-dependent networks, and hospital systems. The local government reiterated that the vaccination drives would continue in spite of the attack.

    “The vaccination campaign won’t stop! Yesterday, 50,000 vaccines were administered, despite the biggest cyberattack suffered. Until August 13th, there are over 500,000 citizens who have their reservation and can go to the administration centers on the date and time indicated above,” government officials wrote on Facebook. “Technicians are working to safely reactivate new bookings as well and no data has been stolen. We’re in constant contact with the commissioner’s structure to ensure vaccination users have a green pass as usual.” In another message, Lazio officials reiterated that the hacker failed to stop the Lazio vaccination campaign. “We will not stop in the face of this attack,” the officials wrote.

    Throughout the COVID-19 pandemic, cybercriminals routinely attacked hospitals and healthcare facilities with ransomware, knowing they would be more likely to pay ransoms due to the need for lifesaving medical technology. Multiple countries, like Ireland and New Zealand, are still in the process of recovering from devastating ransomware attacks that crippled their hospital IT systems for weeks.

    CDW acquires cybersecurity company Focal Point Data Risk

    Technology giant CDW announced the acquisition of cybersecurity company Focal Point Data Risk for an undisclosed amount. Christine Leahy, CEO of CDW, said adding Focal Point’s “array of security consulting, customer workforce skills development and professional services capabilities” would help expand the company’s portfolio and enhance their ability to “address risks posed by malicious cyber threats and cyber workforce shortages, while helping customers successfully navigate shifting data protection laws.”

    “Helping our customers leverage technology to protect their most critical data is core to our mission,” Leahy said.

    In a statement, Focal Point said it has a variety of customers across “highly regulated and complex” industries such as government, financial services and healthcare. They prioritize identity and access management as well as cloud security and DevSecOps. Focal Point CEO Brian Marlier said the two companies are “well-aligned with shared values and a reputation for exceeding customer expectations.”

    “For our customers and coworkers, joining CDW creates a meaningful opportunity to build a world that is secure by design and protected by default,” Marlier said. “More than ever, our customers need us to mitigate risk as they progress their digital journey.”

    Another CDW executive, senior vice president Andy Eccles, added that the company was increasingly focused on a cloud-first approach with customers, making it essential that they offer identity management and data protection services which support the full technology lifecycle.

    “With the Focal Point team joining forces with CDW, our intent is clear – to deliver the industry’s best customer experience as we use our unparalleled expertise to protect our customers today and in the future,” Eccles said. 


    Windows 11 is the COVID-19 vaccine for your PC

    We all know that one person who means well and has good intentions but doesn’t have the best communication skills. Perhaps, it’s a politician or a world leader that you know. They’ll tell you to do something because it’s for your own good and that if you don’t do it voluntarily, there’s an imminent danger that bad things will happen. 


    For example, if you do not get your COVID-19 vaccine, and you do not wear a mask in public places, with this new Delta variant, you stand a very good chance of becoming infected, possibly very ill with long-standing effects, and maybe becoming hospitalized and even dying. And at the very least, even if you don’t become ill, even if you are asymptomatic, you can become an active spreader of something that can potentially harm many other people, possibly those who are close to you.

    Getting your COVID-19 vaccine is called being proactive. Wearing your mask is acting responsibly. We don’t always like listening to people in authority, especially when we are asked to do something that doesn’t have immediately visible, tangible benefits. Doing things proactively, such as getting a COVID-19 vaccine and wearing a mask, requires having faith in someone being supplied with superior knowledge and expertise, such as a world leader or public health expert. However, as we know, not everyone in a position of authority and possessing subject matter expertise is so polished that they can package a message like this and make it palatable to every end-user.

    With its Windows 11 rollout, Microsoft is not entirely different from that unpolished world leader or politician. Its communication skills have left room for improvement related to this significant and critical Windows upgrade. That’s something I think everyone covering this industry can agree on. We know it means well, we know it has the expertise, but people will still challenge it and get all huffy when they are being told that Windows 11 is an essential upgrade related to securing the PC platform from advanced malware threats.  But to take advantage of the new security capabilities that shield you from these threats, your PC hardware needs to be able to support it. And that is not a message people want to hear. Unfortunately, many legacy PCs, regardless of what antivirus solutions they may run and regardless of how functional and how fast they still run their application workloads, are highly vulnerable to these threats. And as they are not eligible for the Windows 11 upgrade, they are effectively immunocompromised. Just like getting a COVID-19 vaccine and wearing a mask is proactive, so are the architectural changes required to upgrade to Windows 11. And in some cases, implementing those is going to need investment in new PC hardware. It will also require investing in further training and, potentially, some new deployment tools. It’s going to cost some money. But as we know, implementing security changes in your large organization, small business, and consumer space is also not easy to sell. Anything that helps ensure business continuity and strengthen security resiliency from a threat that isn’t immediately visible will fall on deaf ears to all but the most cautious and conservative IT organizations, let alone end-users. 

    How many companies or individuals have we encountered as professionals that run their environments with no or untested backups, haven’t run a complete continuity and DR test in years, and then get burned for it? I mean, how many people did we know that ran with no antivirus or firewall for years before it was built into the foundational IT infrastructure because they didn’t want to pay for it or just felt it was a nuisance? I have dozens of stories from my 30-year career as an IT architect and consultant to tell about this. It’s tough to sell hardened security or any form of protection as the defining feature to the entire user population. So Windows 11 is also being released with an exciting new user interface to entice them to upgrade, whether by opting in on hardware that can already accommodate the new OS or upgrading to new PCs.

    Is this going to cost money for most organizations? Yes. Are a lot of end-user PCs going to need upgrades, costing people money? Yes. Spending money is painful, especially if we are talking about an upgrade to something strictly preventative in nature. But do you know what is even more painful? A compromise, one which results in reputation loss, such as a publicly visible one that gets your organization on the news, such as a ransomware attack that holds all your IT assets hostage and stops your business cold for days. Such an attack makes you and your company look stupid for not remediating it when it could have been prevented. Best case scenario in this situation? Your customers think you’re a bunch of incompetent idiots. Worst case? Business-ending event.

    The good news is that, like the Pfizer and Moderna COVID-19 vaccines, you can get the first “shot” now. If your hardware supports the new Secure Boot, virtualization-based security (VBS), and Hypervisor-protected Code Integrity (Memory Integrity/Core Isolation), you can turn it on in Windows 10 today. And when Windows 11 arrives in October or November, get that second shot. And if any of your systems aren’t eligible, replace them. Immediately. Because that’s the proactive and responsible thing to do.
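    The column says the "first shot" is available on Windows 10 today but does not show how to tell whether a machine already has it. The PowerShell below is an added example, not code from the column or from Microsoft: it reports the TPM specification version, UEFI Secure Boot state, and whether VBS and HVCI are actually running (via the documented Win32_Tpm, Confirm-SecureBootUEFI and Win32_DeviceGuard interfaces), and, with the example's own -Enable switch, writes the DeviceGuard registry values Microsoft documents for turning VBS and HVCI on. The function name, the -Enable switch and the "MeetsBaseline" verdict are this example's assumptions, not built-in cmdlets or the PC Health Check logic.

```powershell
# Added example (not Microsoft's code, not the column's): check the Windows 10
# protections the piece calls the "first shot" - TPM 2.0, UEFI Secure Boot,
# virtualization-based security (VBS) and hypervisor-protected code integrity
# (HVCI, shown as "Memory Integrity" under Core Isolation) - and optionally
# turn VBS and HVCI on through the documented DeviceGuard registry values.
# Run from an elevated PowerShell prompt; a reboot is needed for changes to apply.
# Test-Win11SecurityBaseline and its -Enable switch are this example's own names.

function Test-Win11SecurityBaseline {
    [CmdletBinding()]
    param(
        # Assumption: when set, write the registry values that enable VBS and HVCI.
        [switch]$Enable
    )

    # TPM 2.0 is a Windows 11 requirement. Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, which fail the Windows 11 check anyway.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 0 = not enabled, 1 = enabled but
    # not running, 2 = running. SecurityServicesRunning holds 1 for Credential Guard, 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $hvciRunning = ($dg.SecurityServicesRunning -contains 2)

    $report = [pscustomobject]@{
        TpmSpecVersion = $tpmSpec
        SecureBoot     = $secureBoot
        VbsRunning     = $vbsRunning
        HvciRunning    = $hvciRunning
        # Example's own shorthand verdict, not the official PC Health Check result.
        MeetsBaseline  = ($tpmSpec -eq '2.0') -and $secureBoot -and $vbsRunning -and $hvciRunning
    }

    if ($Enable -and -not ($vbsRunning -and $hvciRunning)) {
        if (-not $secureBoot) {
            Write-Warning 'Secure Boot is off; enable it in firmware before turning on VBS.'
        }
        $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
        $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
        New-Item -Path $hvciKey -Force | Out-Null

        # EnableVirtualizationBasedSecurity = 1 turns VBS on; RequirePlatformSecurityFeatures = 1
        # requires Secure Boot (3 would additionally require DMA protection).
        New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -Value 1 -PropertyType DWord -Force | Out-Null

        # Enabled = 1 turns HVCI on; Locked = 0 leaves it switchable from the Windows Security app.
        New-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $hvciKey -Name Locked  -Value 0 -PropertyType DWord -Force | Out-Null

        Write-Warning 'VBS/HVCI registry values written; reboot, then re-run to verify they are running.'
    }

    return $report
}

# Usage: report only, or report and enable (then reboot and run again).
Test-Win11SecurityBaseline
# Test-Win11SecurityBaseline -Enable
```

    Two caveats a practitioner will hit: the hypervisor needs the CPU virtualization extensions switched on in firmware, so VBS can report "enabled but not running" (status 1) until that is done, and HVCI will refuse to load kernel drivers that do not meet its code-integrity rules, which is exactly the point of the protection but is worth testing on a pilot group before pushing the registry values fleet-wide.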

    Stop ignoring this iPhone warning

    Have you seen the prompt on your iPhone to update to iOS 14.7.1, but you’ve been putting it off? After all, it doesn’t seem like there’s much to it.

    It’s just a bug fix, right? No, this is no ordinary bug fix. I find Apple a bit strange in that it downplays security vulnerabilities. Apple will tell you that an update is important, but in Apple-land, all updates are important. Take the release notes for iOS 14.7.1 as an example:

    iOS 14.7.1 fixes an issue where iPhone models with Touch ID cannot unlock a paired Apple Watch using the Unlock with iPhone feature. This update also provides important security updates and is recommended for all users.

    The update is “important” and “recommended.”

    But some are more important and recommended than others. And this is one example. Switch over to Apple’s support page that details security fixes, which paints a more serious picture. Few click through to this page, but it’s worth a visit. This is what it says about iOS 14.7.1 (and iPadOS 14.7.1):

    IOMobileFrameBuffer
    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
    Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
    Description: A memory corruption issue was addressed with improved memory handling.
    CVE-2021-30807: an anonymous researcher

    Let me highlight the key bit for you: “Apple is aware of a report that this issue may have been actively exploited.” In case you don’t know, that’s serious. But it gets better. Security researcher Saar Amar, who discovered this vulnerability several months ago, has detailed this bug and how bad guys can exploit it. You can read the gory details here.

    The bottom line is that not all bugs are the same, and not all updates are created equal, and while iOS 14.7.1 seems on the face of it to be a small update, it’s incredibly important. So, if your iPhone or iPad is still reminding you to install this update, do it now. Right now. To install the update, go to Settings > General > Software Update and download it from there.

    The cybersecurity jobs crisis is getting worse, and companies are making basic mistakes with hiring

    A lack of business investment means cybersecurity teams are struggling to keep enterprise networks secure at a time when the rise in remote working is providing additional security challenges — and it’s having an impact on their well-being.

    A global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) warns that this lack of investment, combined with the challenge of additional workloads, is resulting in a skills shortage that’s leading to unfilled jobs and high burnout among information security staff. According to the study, which surveyed over 500 cybersecurity professionals, 57 percent say a shortage of cybersecurity skills has impacted the organisation they work for, while just over ten percent report a significant impact. The effect is an increased workload for information security staff, according to 62 percent of respondents. That’s had a knock-on effect on the mental health of information security staff, 38 percent of whom say they’ve experienced burnout as a result of extra work pressures during what was already a difficult year.

    “The impact, especially this past year of the pandemic, has been significant. Teams are expected to do even more as a result of businesses moving to the remote operating model,” says Candy Alexander, board president of ISSA International. “The risk landscape has shifted dramatically to a more exposed environment and a cyber-war is in full swing with ransomware attacks becoming devastating to many businesses. Cybersecurity professionals are now challenged with keeping up with the latest and greatest threats,” Alexander adds.

    One of the reasons many cybersecurity staff have struggled is the sudden rise of remote working as a result of the global pandemic: 50 percent of respondents say this has led to an increase in stress.

    Greater prevalence of remote working has made some aspects of enterprise network security more difficult, as cybersecurity staff have needed to help employees — many of whom may not have worked from home before — stay safe.

    More remote working means greater usage of cloud applications, which has led to increased demand for cybersecurity professionals with skills in cloud computing security. A significant number of organisations are struggling to find the people to fill these gaps. Almost four in ten (39%) cybersecurity professionals say their organisation is struggling to fill cloud computing security roles. Meanwhile, 30 percent are finding it difficult to fill vacancies in application security, and there’s a similar story when it comes to security analysis and investigation.

    Basic mistakes

    The ISSA/ESG report found that many organisations are making basic mistakes in hiring and recruiting cybersecurity professionals. More than three-quarters said it was extremely or somewhat difficult to recruit and hire security professionals, but 38% said their organisation doesn’t offer competitive compensation, while 29% said their HR department doesn’t understand the skills needed for cybersecurity and 25% said that job postings at their organisation tended to be unrealistic. Three-quarters of security professionals said that they were approached by recruiters every month.

    Part of the issue, the report suggests, is that many boardrooms view cybersecurity as a cost — something that needs money spent on it but doesn’t help the bottom line of the business — especially when organisations think about finances in the short term. It’s likely these boardrooms still see cybersecurity as a technology issue rather than a business issue, which is naïve when high-profile data breaches and ransomware attacks have demonstrated that if cybersecurity isn’t managed correctly, it can have huge consequences for the whole business, not just the IT and cybersecurity teams.
    “Cybersecurity is seen as a cost centre to the business — something you have to do, but only to a minimal degree, like paying the light bill. We need to shift the conversation to aligning our security programs with the business,” says Alexander.

    “Businesses have a tendency to invest in things they see value in. We need to ensure they see the value in our cybersecurity programs — including people, training and technology,” she added.

    People and training are a key issue here: technology changes fast and the methods cyber criminals use to break into networks are constantly evolving, so it’s important for organisations not only to hire the right people, but also to invest in training them so they can keep pace with the latest threats and with new forms of technology.

    But that doesn’t start with employers: in order to ensure there are enough people to fill cybersecurity jobs going forward, education and training pathways are needed.

    “At a societal level, we have to do more to educate school age children about cybersecurity and career opportunities,” says Jon Oltsik, Senior Principal Analyst and ESG Fellow.

    “We need more funding for cybersecurity scholarships. We need more internship and mentoring programs. All of these things are works in progress and there are some worthwhile efforts, but supply is not keeping up with demand and it won’t anytime soon.”

    In the meantime, it’s recommended that CISOs stay in communication with the board in order to ensure that it is aware of the needs of cybersecurity and that those needs are getting an appropriate amount of attention and investment. And while issues around the available cybersecurity workforce might continue to be a problem for CISOs for now, there are tools and technologies that can help ease staff workloads, helping to improve both their well-being and the organisation’s cyber defences.

    “CISOs must make all decisions assuming the impact of the cybersecurity skills shortage. This requires a greater commitment to working with service providers, process automation, and advanced analytics technologies,” says Oltsik.



    This new phishing attack is 'sneakier than usual', Microsoft warns

    Microsoft’s Security Intelligence team has issued an alert to Office 365 users and admins to be on the lookout for a “crafty” phishing email with spoofed sender addresses. 

    Microsoft put out the alert after observing an active campaign targeting Office 365 organizations with convincing emails and several techniques to bypass phishing detection, including an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that urges victims to type in their credentials.

    “An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters,” the Microsoft Security Intelligence team said in an update.

    “The original sender addresses contain variations of the word “referral” and use various top-level domains, including the domain com[.]com, popularly used by phishing campaigns for spoofing and typo-squatting.”

    The emails use a SharePoint lure in the display name as well as in the message, which poses as a “file share” request for supposed “Staff Reports”, “Bonuses”, “Pricebooks”, and other content, with a link that navigates to the phishing page.

    — Microsoft Security Intelligence (@MsftSecIntel), July 30, 2021

    Phishing continues to be a tricky problem for businesses to stamp out, requiring regularly updated phishing awareness training and technical solutions, such as multi-factor authentication on all accounts – which both Microsoft and CISA highly recommend.

    Phishing is a key component of business email compromise (BEC) attacks, which cost Americans more than $4.2 billion last year, according to the FBI’s latest figures. It’s far more costly than high-profile ransomware attacks. BEC, which relies on compromised email accounts or email addresses that are similar to legitimate ones, is difficult to filter as it blends in with normal, expected traffic.

    The phishing group is using Microsoft SharePoint in the display name to entice victims to click the link. The email poses as a “file share” request to access bogus “Staff Reports”, “Bonuses”, “Pricebooks”, and other content hosted in a supposed Excel spreadsheet. It also contains a link that navigates to the phishing page and plenty of Microsoft branding. While convincing Microsoft logos are littered across the email, the main phishing URL relies on a Google storage resource that points the victim to the Google App Engine domain AppSpot – a place to host web applications.

    “The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page,” Microsoft notes.

    The second URL, embedded in the notification settings, links the victim to a compromised SharePoint site. Both URLs require sign-in to get to the final page, allowing the attack to bypass sandboxes. This campaign is “sneakier than usual”, Microsoft notes.

    Microsoft has been touting its ‘Safe Links’ Defender for Office 365 phishing protection feature that ‘detonates’ phishing email at the point a user clicks on a link that matches its list of known phishing pages. Microsoft has also published details on GitHub about the infrastructure linked to the spoofed emails imitating SharePoint and other products for credential phishing.

    “The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages,” Microsoft notes.
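The sender-spoofing traits in Microsoft's alert (brand in the display name, a "referral" sender on com[.]com, the target's own username and domain echoed in the display sender) and the Google-hosted redirect chain described above can be turned into header and link checks a mail gateway or SOC script could run. The following is an added example, not code from Microsoft or the article; the sample message, the brand allowlist and the exact cloud hostnames are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand words the lure borrows, and the sender domains an allowlist would accept
# for them (constructed allowlist for this example; use your own in production).
LURE_BRANDS = ("sharepoint", "microsoft", "office 365", "onedrive")
BRAND_DOMAINS = {"microsoft.com", "sharepointonline.com"}
# Hosts for the chain the alert describes: Google storage -> AppSpot -> Google
# User Content. The exact hostnames are assumptions, not quoted from the alert.
CLOUD_HOSTS = ("storage.googleapis.com", "appspot.com", "googleusercontent.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample (not a real capture): display sender carries the target's
# identity plus a SharePoint lure, real sender is a "referral" address on com.com.
SAMPLE = """\
From: "alice@example.org via SharePoint" <referral.docs@com.com>
To: alice@example.org
Subject: Staff Reports - file share
Content-Type: text/plain

Open the Staff Reports: https://storage.googleapis.com/bucket-placeholder/report
"""

def phishing_indicators(raw: str) -> list:
    """Return the names of the indicators that fire on one RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    display_l, dom = display.lower(), addr.rpartition("@")[2].lower()
    rcpt_user, _, rcpt_dom = parseaddr(msg.get("To", ""))[1].lower().partition("@")
    hits = []
    if any(b in display_l for b in LURE_BRANDS) and dom not in BRAND_DOMAINS:
        hits.append("brand_display_name_mismatch")   # brand the sender can't claim
    if dom == "com.com" or dom.endswith(".com.com"):
        hits.append("lookalike_sender_domain")       # TLD-lookalike domain
    if "referral" in addr.lower():
        hits.append("referral_sender_address")       # "referral" sender variants
    if rcpt_user and rcpt_user in display_l and rcpt_dom in display_l:
        hits.append("target_identity_in_display_name")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS):
            hits.append("cloud_hosted_lure_link")    # first hop of the chain
            break
    return hits

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

No single indicator is conclusive (legitimate mail is also hosted on these cloud services), so the list is meant to feed a score or a triage queue rather than a hard block.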