Thought leadership. threat analysis, news and alerts.
A Lookback of the Cybersecurity Threats in 2020
The world dramatically changed in 2020. The abrupt work from home shift to anything online such as online shopping opened up a plethora of cybersecurity threats at a scale never seen before.
Most Notable Cybersecurity Threats in 2020
Here are some of the notable cybersecurity threats in 2020:
1. Threats Associated with Collaboration Apps
The work from home shift gave rise to the demand for collaboration tools such as Microsoft Teams, Slack, and Zoom. In 2020, threat actors turned their attention to these collaboration tools.
In 2020, the term “Zoombombing” was coined. This term refers to uninvited threat actors viewing Zoom meetings or sharing pornographic images and content.
Last year, threat actors leveraged association to Microsoft Teams – referring to the communication platform developed by Microsoft which features chat, videoconferencing, and file storage. In October 2020, Abnormal Security reported that up to 50,000 emails were observed spoofing employee emails and impersonating Microsoft Teams.
“The email pretends to be a Microsoft Teams notification email notifying the recipient that they have received messages and their teammates are trying to reach them,” Abnormal Security said. “The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing ‘microsftteams’, lending further credence.”
2. Remote-Working Tools Exploitation
An IBM study released in June 2020 showed that 83% of employees were provided little to no ability to work from home prior to the sudden work from home shift. The IBM study further found that 53% of employees used their personal laptops and computers for business operations, while 61% also said their employer hasn't provided tools to properly secure those devices.
In 2020, threat actors actively exploited remote-working services such as virtual private network (VPN) services. In addition to masking internet protocol (IP) address so that online actions are virtually untraceable, VPN services promise secure and encrypted connections.
Security researchers, however, discovered security vulnerabilities in many VPN services. Even as VPN service vendors released patches fixing these security loopholes, many users delay the application of these patches, leading threat actors to exploit these unpatched security vulnerabilities.
In April 2020, the Canadian Centre for Cyber Security and U.S. Cybersecurity and Infrastructure Security Agency issued separate alerts warning organizations about the continued exploitation of the security vulnerability in Pulse Secure VPN, in particular, CVE-2019-11510 – a security vulnerability that allows a remote, unauthenticated attacker to compromise a vulnerable Pulse Secure VPN server, allowing an attacker to gain access to all active users and their plain-text credentials.
3. E-Commerce Threats
Among the effects of the lockdown measures in 2020 has been a huge spike in e-commerce business. Imperva reported that web traffic to retail sites spiked by as much as 28% on the weekly average. In “The State of Security within E-commerce,” Imperva reported that among the cyber threats faced by e-commerce businesses in 2020 were DDoS attacks and bad bots.
DDoS, short for distributed denial-of-service, refers to a cyberattack that attempts to disrupt the normal traffic of online resources such as websites, overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks are launched by hijacking multiple computer systems, including Internet of Things (IoT), as sources of attack traffic.
According to Imperva, it monitored an average of eight application layer DDoS attacks a month against retail sites as lockdown measures led to an increase in demand for online shopping.
Bad bots, meanwhile, refer to software applications that run automated tasks over the internet for malicious purposes, for example, automatically scanning websites for software vulnerabilities and exploiting these vulnerabilities. According to Imperva, bad bots are the top threat to online retailers before and during the imposition of the lockdown measures.
4. Supply Chain Attack on SolarWinds
Year 2020 ends with one of the biggest cyberattacks: the supply chain attack on SolarWinds. On December 13, 2020, SolarWinds admitted that it fell victim to a supply chain attack.
In a supply chain attack, a threat actor gains access to your organization’s IT systems via an outside partner or third party that has access to your organization’s systems and data. According to SolarWinds, a threat actor gained access to its Orion Platform software source code and inserted the malicious software (malware) called “Sunburst.”
This malware ended up in the Orion Platform software update, specifically for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. According to SolarWinds, if present and activated, the Sunburst malware could potentially allow an attacker to compromise the server on which the Orion Platform software runs.
Open-source reports showed that the U.S. Treasury Department and other U.S. Government Departments had been compromised. Microsoft recently admitted that the SolarWinds supply chain attack also affected its own systems. Microsoft said that it found no evidence of access to production services or customer data, or its systems being used to attack others.
Microsoft, however, said that the SolarWinds attackers were able to view Microsoft's source code but had been unable to modify any code or engineering systems. “At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the company said. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”
Upcoming Holiday Shopping Season Brings New Level of Cybercrime Threats to Online Retailers
Online shopping this holiday season is projected to be unprecedented, with many people staying at home and opting to shop online as a result of the COVID-19 mandatory lockdown or due to self-imposed lockdown.
The expected online shopping surge creates a perfect stage for cybercrimes.
Shift to Online Shopping
Statistics Canada reported that from February 2020 to May 2020, retail e-commerce sales soured by 99.3%. The record gain in e-commerce, however, resulted in a record decline in retail sales.
Statistics Canada reported that for the same period, the total retail sales fell by 17.9%. The impact of COVID-19, Statistics Canada said, is best highlighted using the April 2020 data, with a 26.4% decline in retail sales compared to the April 2019 data.
A survey conducted by Deloitte showed that 47% of Canadian consumers said they’ve been shopping online more often since the COVID-19 crisis began. The survey further showed that the same number of Canadian consumers (47%) will likely head online to find gifts and other items this holiday season, with the remaining 53% to head to traditional retails stores. While the number of those who intend to do their shopping in the traditional way is few points higher than those who intend to shop online this holiday season, this data is high enough as 69% of holiday shoppers shopped in the retails stores during the holiday season in 2019.
“A lot has changed since the 2019 outlook,” Deloitte said. “COVID-19 has changed how Canadians live, work, and shop, and it has turbocharged the fundamental shifts in consumer behaviour that were already underway.”
Imperva, meanwhile, reported that from March 1 to March 22, 2020, retail websites’ traffic worldwide soured by as much as 28% on a weekly average.
Holiday Season Cybercrime Threats
A new report from Imperva showed that the upcoming holiday shopping season will present online retailers with a new level of traffic, at the same time, never seen before level of cybercrime threats. According to Imperva, online retailers will face the following cybercrime threats this holiday season:
Bad Bots Attacks
According to Imperva, bad bots, as a group, is a top threat to online retailers, before and during the pandemic. A bad bot refers to a software application that runs automated tasks over the internet.
As opposed to a good bot which runs automated tasks over the internet for legitimate purposes, the purpose of a bad bot is malicious. Bad bots interact with software applications in the same way as legitimate users would, making them indistinguishable from legitimate users.
An example of a bad bot is a bot that interacts with a website’s login interface, attempting to “brute-force” its way by attempting to login using the trial and error method in guessing the correct username and password combination. Aside from brute-force attacks, bad bots are used for competitive data mining, personal and financial data harvesting, and more.
According to Imperva, API attacks are attractive targets due to the sensitive payment data they hold. The volume of attacks on retailers’ APIs far exceeded average levels this year, Imperva said.
API, short for An Application Programming Interface, is a software intermediary that allows other software applications to communicate with one another. A website API, for instance, connects between applications such as databases.
According to Imperva, retail sites experienced an average of eight application layer DDoS attacks a month, with a significant spike in April 2020 as lockdowns resulted in the demand for online shopping. DDoS, short for distributed denial of service, refers to a cyberattack that attempts to make an online service, such as a website, unavailable to legitimate users.
DDoS uses bad bots. In DDoS attacks, bad bots are organized into a botnet – referring to hijacked computers that are controlled by attackers to conduct malicious activities such as DDoS attacks. Application layer DDoS, meanwhile, is a type of DDoS attack comprised of malicious requests with the end goal of crashing the web server.
According to Imperva, retail sites are vulnerable to client-side attacks as many of these sites are built on frameworks using a number of third-party code. Client-side refers to anything that’s displayed or takes place on the client – end user – using a browser. This includes what the user sees on the site’s online form.
The attack on Ticketmaster is an example of a client-side attack. In June 2018, Ticketmaster made public that they had been compromised and that attackers stole customer information. RiskIQ, the company that discovered the attack, reported that Ticketmaster wasn’t directly compromised but the site’s third-party supplier known as Inbenta was. According to RiskIQ, attackers either added or replaced Inbenta’s code used for Ticketmaster with a malicious one.
A client-side attack also directly compromises the website itself. Such was the case in the British Airways website client-side attack. The attack was discovered by RiskIQ.
According to RiskIQ, a malicious code was found in British Airways’ baggage claim page where customers were required to enter their personally identifiable information. The malicious code then sent the information entered to a URL that looked like it belonged to British Airways. Upon closer inspection, however, the URL wasn’t owned by British Airways.
It’s still unknown how the malicious code got into the British Airways’ site in the first place.
Worried about your website or web application and looking to better protect it? Contact us today to see how to mitigate the risks quickly and efficiently.
Combating the Most Common Cyber Security Risks
Hard as it may be to believe, government agencies have been found to have some of the worst cyber-security systems in the United States.
Agencies at federal, state, and local agencies were all ranked below other industries (retail, transportation etc.) in a study on U.S. cyber-security. Even NASA, considered one of the most technologically-innovative institutions in the country (if not the world), was flagged for its high vulnerability.
The U.S. Department of State was another weak performer, struggling to protect their systems from outside threats with an unsuitable set-up.
The point? If one of the most powerful governments in the world is failing to keep sensitive data out of criminals’ hands, they are risking the security of countless people on a daily basis. They cannot afford to be so lax.
The same is true of your own business, albeit on a smaller scale: allowing your enterprise to be vulnerable in today’s world is dangerous for your employees and clients alike.
What cyber threats are you most susceptible to, and how can you protect against them?
What is it?
We’ve all heard of malware, but do we know what it actually is?
This applies to various incarnations of dangerous software that can cause all manner of chaos in your computer, delivered as a virus or ransomware (in which you are ordered to pay in order to regain access to your system).
The malware can actually take over your computer, monitor your activities without your awareness, or even transfer critical information to another user with the utmost discretion.
How can you prevent it?
Make sure you use unique passwords and educate your employees to do the same. Only share sensitive data on a site which is clearly secure, with ‘https’ in their URL.
You should never download any files sent by a sender you don’t trust or recognize, and make sure data is backed up to disconnected hardware on a regular basis. This enables you to restore vital information in the event of a malware attack, without needing to pay or sacrificing critical data.
What is it?
You know to never open an attachment in an email from an unknown sender, or to be wary of telltale bad grammar. These are sure signs of a phishing scam, but some cyber-criminals are more advanced.
They may pose as someone else – such as a friend, a bank etc. – and encourage you to follow a link or open an attachment. The email may look legitimate but will contain harmful malware that could pose a serious risk to your entire business.
How can you prevent it?
The most obvious technique: be sure before you click. If there is anything remotely suspicious or odd about the email, don’t follow a link or open an attachment.
If an email from a bank or other trusted organization asks for confidential information, contact them through another channel to confirm this (though they will generally never ask for sensitive data through email anyway).
Anti-phishing toolbars can be installed on your browser, which will notify you if you enter a known phishing website. Use desktop and network firewalls to protect your system from any malicious programs, and pay attention when your browser informs you that a site is ‘not secure’ (lacking the ‘https’ in its URL bar).
SQL Injection Attack
What is it?
SQL (Structured Query Language) is a language allowing for communication between databases, and countless servers use it to manage critical data. An SQL injection is an attack aimed at these types of servers, employing malicious coding to extract data from them which would otherwise remain private.
If the server under attack carries access information (usernames, passwords), financial details (credit cards etc.), or any other highly-sensitive data, the criminal responsible will be able to access some or all of it.
How can you prevent it?
All sensitive data contained within a database should be encrypted. Passwords, financial records, and anything else which could leave your business vulnerable must be protected.
Also, don’t store such sensitive information if you don’t need it currently, and are unlikely to in the future. Leaving data that carries real value to linger in your databases could lead to problems – all of which can be avoided simply by wiping useless information.
Implement Web Application Firewall as it will automatically block and prevent SQL injection attacks.
Cross-Site Scripting (XSS)
What is it?
During an XSS attack, the cyber-criminal injects malicious code right into your website with an aim to go after your visitors through their browser.
These attacks can cause severe damage to your reputation, as your site would be responsible for endangering visitors’ sensitive data.
This is worsened if they are customers purchasing from you or providing their personal details. As a result, you might not even realize your site is infected until customers start tracing suspicious activity back to their activities on your domain.
How can you prevent it?
While web application firewall will block XSS attacks, you need to pay attention to the way in which your site accepts input data, to minimize malicious code passing through. This might mean using a number of filters in place, such as a web app firewall, that reduces the risk of an XSS attack significantly.
Another step, though somewhat more complex, is to use an alternative rendering format to raw HTML, to reject entries that might be malicious. Markdown or BBCode are alternatives to raw HTML that may help to protect against XSS attacks.
Cyber-security threats are constantly evolving, as criminals continue to find weaknesses in security protocols and exploit them. By keeping your security systems up to date and, staying abreast of the latest risks, you can maximize your business’s resistance to threats.
Never be complacent about your business’s cyber-security precautions: you should always be willing to explore new systems and processes for the good of your entire enterprise.
When you have questions concerning cybersecurity threats, get in touch with our team and we will be happy to help.
Dangers of Cyberattacks as a Result of Source Code Leak
This past week, someone posted the source code of Apple iPhone operating system iOS on GitHub – a repository of open source code.
There was confusion at first as to whether the code was real or not. Apple indirectly confirmed that the code was real by filing a DMCA legal notice demanding GitHub to remove the source code. DMCA, which stands for Digital Millennium Copyright Act, is a takedown request that empowers owners of copyrighted material who believe their rights under U.S. copyright law have been infringed.
The iPhone source code called “iBoot” published on GitHub, Apple said "is responsible for ensuring trusted boot operation of Apple's iOS software." The company added, “The ‘iBoot’ source code is proprietary and it includes Apple's copyright notice. It is not open-source.”
Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told Lorenzo Franceschi-Bicchierai of Motherboard that the iBoot source code publication is the “biggest leak” in Apple's history.
A source code is a collection of computer instructions that’s written by a programmer when developing a software program. A software can either be open source or non-open source.
With an open source code, anyone can inspect or modify the code. With a non-open source code, the source code is hidden from the public and as such, only the software maker can make changes to the code.
Non-Open Source Code Leak
Apple and Microsoft are examples of companies that keep their products’ source code hidden from the public.
While most companies don’t allow outsiders to view and make modifications on their source code, they allow security researchers, also known as ethical hackers, to review their software, find security vulnerabilities and report this directly to the company to receive monetary reward, also called bounty.
Apple, through its bounty program, pays a maximum of $200,000 to someone who directly reports bugs or security vulnerabilities to the company.
Despite the takedown of the iPhone source code on GitHub, the source code has already made its way to dark web sites.
Access to non-open source code like the iBoot gives hackers a better chance of finding security vulnerabilities that could lead to cyberattacks.
EternalBlue Source Code Leak
On April 15, 2017, a hacker group calling itself the “Shadow Brokers” leaked the source of code of a number of hacking tools believed to be developed by the U.S. National Security Agency (NSA).
The source code of EternalBlue is one of those leaked by the hacker group. EternalBlue could allow remote code execution if a cyberattacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
The EternalBlue source code leak spawned devastating cyberattacks, the most notable of which was the WannaCry cyberattack. In May 2016, hundreds of thousands of computers around the world were infected with WannaCry, a malware that encrypts computer files, prevents users from accessing files and asks for ransom payment in the form of Bitcoin for the release of the decryption key to unlock the affected computer.
Adylkuzz is another malware that uses the EternalBlue source code. The purpose of Adylkuzz malware is to mine the cryptocurrency Monero. Similar to cryptocurrency Bitcoin, a Monero coin needs to be mined – a process by which a transaction is verified, added to the public ledger, known as the blockchain, and a means before a coin is released.
While cryptocurrency mining of Bitcoin can only be done on powerful computers, mining Monero can be done on regular computers and even on smartphones.
The Adylkuzz malware installs the Monero cryptocurrency miner called “cpuminer” on infected computers. Once the cpuminer is installed in a compromised computer, Monero cryptocurrency mining is conducted without the knowledge of the user. Cryptocurrency mining operation, however, will exhaust your computer CPU, resulting in slow performance.
Open Source Code Leak
With an open source code, anyone can inspect or modify the code. An open source is also known as a collaborative code. There are benefits in allowing other programmers to inspect and modify a source code. It’s a known fact that there’s not one software with a perfect source code. Allowing programmers to inspect and modify a source code can enhance and improve the code in the long run.
Linux is an example of an open source software. It’s an operating system similar to Windows and iOS. The difference between Linux and other operating systems is that it’s open source. The Linux source code is free and available to the public to view and, for users with the necessary skills, to contribute to the enhancement of the code.
While the publication of an open source code, on one hand, can be beneficial to society similar to the positive contribution of Linux, publication of an open source code with malicious intent can be detrimental to society.
Mirai Source Code Leak
The publication of the Mirai source code is an example of how a publication of a malicious open source code can be detrimental to society.
On September 30, 2016, a HackForum user by the name of “Anna-senpai” posted the source code of the malicious software called “Mirai”. The Mirai was responsible for the distributed denial of service (DDoS) attack on the website of cybersecurity journalist Brian Krebs on September 20, 2016.
On December 13, 2017, Paras Jha pleaded guilty in creating the Mirai and for conducting a series of DDoS attacks on the networks of Rutgers University between November 2014 to September 2016, which resulted in shutting down Rutgers University’s central authentication server – a gateway portal through which students, staff and faculty deliver assignments and assessments.
According to the U.S. Department of Justice, hundreds of thousands of IoT devices such as wireless cameras and routers were infected with the Mirai malware and were used "to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers".
According to Imperva Incapsula, Mirai-infected IoT devices were spotted in 164 countries, appearing even in remote locations like Montenegro, Tajikistan and Somalia.
The publication of the Mirai spawned other DDoS attacks, the most notable of which was the attack on Dyn, a domain name service (DNS) provider which many websites rely upon. The DDoS attacks against Dyn resulted in temporarily shutting down popular websites like Amazon, Twitter, Netflix and even GitHub.
Dyn, in a statement, said, “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.” The company said that 100,000 IoT devices were infected with the Mirai malware to attack its DNS infrastructure.
In December 2017, the source code of the malware called “Satori”, a variant or new version of Mirai, was leaked on Pastebin. This Mirai variant particularly infects Huawei home router model HG532.
While the original Mirai malware infects IoT devices by using default usernames and passwords, Satori doesn’t need usernames and passwords. Security researchers at Qihoo 360 Netlab said, “The bot [Satori] itself now does NOT rely on loader/scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm-like behavior is quite significant.”
Security researchers at NewSky Security said that with the release of the full working code of the Mirai variant Satori, “we expect its usage in more cases by script kiddies and copy-paste botnet masters.”
Cybersecurity Best Practices
Here are some security best practices to protect your organization’s computers from the dangers of cyberattacks as a result of source code leak:
1. Use Supported Software
Supported software refers to a software whereby security updates are regularly issued by the software vendor.
Many fell victim to WannaCry for using Windows operating systems that Microsoft – the software vendor – no longer supports or no longer issues security updates.
A patch, also known as security update, is a piece of software code added to an existing source code that fixes security vulnerabilities.
WannaCry could have been prevented by simple patching or installing of the security update issued by Microsoft on March 14, 2017 – a month before the hacker group leaked the EternalBlue source code. Microsoft’s March 14, 2017 security update patches or fixes the security vulnerability exploited by EternalBlue. This security update was issued to supported Windows operating systems.
3. Use Latest Software Version
Many leaked source code are typically source code of older software version. Software vendors normally fix security vulnerabilities found in older software versions with the latest software version.
Interesting to note that Windows 10 proved to be resilient against Petya ransomware attack unleashed more than a month after the WannaCry attack. Similar to WannaCry, Petya exploited security vulnerabilities exploited by EternalBlue and EternalRomance – two hacking tools believed to be developed by the NSA and leaked by the hacker group Shadow Brokers.
4. Practice Network Segmentation
There are instances that security updates can’t be installed right away. One way to prevent or minimize the effects of a cyberattack is through network segmentation – a process of dividing computer network into subnetworks. With network segmentation, cyberattack on one subnetwork won’t affect the other subnetworks.
5. Have the Right DDoS Protection
Cybercriminals today don’t necessarily create their own attack tools. Some simply copy leaked source code. This is the case of DDoS-for-hire groups, a bunch of cybercriminals that offer DDoS service for a fee. There are available tools that effectively counter these DDoS attacks. Connect with us today and protect your business.
'Secure' Wi-Fi Standard Has Serious Security Flaws
Researchers from the University of Leuven in Belgium have discovered a series of serious wi-fi security flaws that essentially eliminate wi-fi privacy.
These series of wi-fi vulnerabilities collectively dubbed as “Krack”, short for key reinstallation attacks, can access data that was previously presumed to be safely encrypted. Krack attackers can steal wi-fi passwords, chat messages, emails, photos and other sensitive information. It’s also possible, depending on device use and the network configuration, for Krack attackers to inject malicious software like ransomware into websites.
The University of Leuven researchers, in their paper entitled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” (PDF) said that “every Wi-Fi device is vulnerable” to Krack attacks.
"The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” lead researcher Mathy Vanhoef said.
Wi-Fi Alliance, a non-profit organization that promotes wi-fi technology and certifies wi-fi products, said, “Recently published research identified vulnerabilities in some Wi-Fi devices where those devices reinstall network encryption keys under certain conditions, disabling replay protection and significantly reducing the security of encryption.”
For its part, the International Consortium for Advancement of Cybersecurity on the Internet (ICASI), in a statement said, “Depending on the specific device configuration, successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network.”
ICASI members include Amazon, Cisco Systems, IBM, Intel Corporation, Juniper Networks, Microsoft Corporation and Oracle Corporation.
How Krack Works
For Krack to work, the attacker must be within the range of a victim. As proof-of-concept, lead researcher Vanhoef executed Krack attacks against wi-fi devices. Vanhoef was able to show that Krack not just steals login credentials – including email addresses and passwords – but all data that the victim transmits or sends was decrypted.
It’s also doable for Krack attackers, depending on the network setup and the device being used, to decrypt, not just data sent over wi-fi but also data sent towards the victim, for instance, the content of a website.
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations,” Vanhoef said. “For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”
Krack is able to decrypt not just data sent over wi-fi but also data sent towards the victim by exploiting the vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access 2 (WPA2) protocol.
The 4-way handshake is a 14-year-old technology that supposedly ensures wi-fi privacy by installing a fresh and unique encryption key that’ll be used to encrypt all subsequent traffic every time a device joins a protected wi-fi network.
Instead of installing a fresh and unique encryption key, Krack tricks the device into reinstalling an already-in-use encryption key. This is done by manipulating and replaying handshake messages. The researchers also found that Krack similarly exploits other wi-fi handshakes, including PeerKey handshake, the group key handshake and the Fast BSS Transition (FT) handshake.
As mentioned, Krack is a series of wi-fi vulnerabilities. This means that not just one wi-fi vulnerability is exploited by Krack. The Common Vulnerabilities and Exposures (CVE) – a dictionary of common names for publicly known cyber security vulnerabilities – list the following specific vulnerabilities related to Krack:
According to Wi-Fi Alliance, there’s no evidence that Krack has been exploited maliciously in the wild.
How to Prevent Krack Attacks
To prevent Krack attacks, make sure to update your wi-fi device as soon as patch or security update becomes available. A security update ensures that an encryption key is only installed once, preventing Krack attacks.
Password change of your wi-fi network won’t stop Krack attacks. The only remedy is to apply the patch or security update of your wi-fi device as soon as it becomes available. It’s also important to update your router’s firmware. While it’s important to patch or apply the latest security updates of your wi-fi and router, it also pays to change the wi-fi password as a precaution.
According to Vanhoef, they notified wi-fi manufacturers about the Krack issue on July 14, 2017. They also notified the Computer Emergency Response Team Coordination Center (CERT/CC) – the world’s first computer emergency response team for internet security incidents. CERT/CC, in turn, issued a broad notification to wi-fi manufacturers on August 28, 2017 about this issue.
“We have released a security update to address this issue,” Microsoft spokesperson told The Verge. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”
Windows updates released last October 10, according to Microsoft, addressed this issue. The company said it “withheld disclosure until other vendors could develop and release updates”.
“Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member,” the alliance said. “Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches.”
Cryptocurrency Mining Malware: A Credible Threat
Over the course of three months this year, cyber criminals pocketed over $63,000 by secretly infecting the computers of strangers with a cryptocurrency mining malware.
According to ESET, attackers were able to infect strangers’ computers with cryptocurrency mining malware by exploiting a known vulnerability code-named “CVE-2017-7269” in Windows Server 2003 – a server operating system released by Microsoft in 2003.
This particular cryptocurrency mining malware was seen in the wild on May 26, 2017. “Since then, it has been appearing in waves, on a weekly or less frequent basis, which implies that the attacker scans the internet for vulnerable machines,” ESET said.
The attackers were able to earn such significant amount in just 3 months by creating a botnet – a network of several hundred of unpatched computers infected with the crypto mining malware and remotely controlled by cyber criminals to mine the cryptocurrency Monero.
Microsoft ended its regular update support for Windows Server 2003 in July 2015. Since May 12 of this year, to prevent another cyber attack – the scale of WannaCry ransomware, the company has since released security updates for Windows Server 2003. On June 13, 2017, Microsoft issued a patch or security update to fix the CVE-2017-7269 vulnerability.
What is Cryptocurrency Mining?
Cryptocurrency is the alternative currency in the digital world. In July of this year, the Australian Government recognized cryptocurrency as a legal payment method. In April of this year, Japan legitimized Bitcoin as a legal payment method. Bitcoin isn’t the only cryptocurrency. According to Trend Micro, as of July 2017, there were over 700 cryptocurrencies used and traded online, Monero being one of them.
Cyber criminals have turned to Monero as this cryptocurrency markets itself as an anonymous and untraceable cryptocurrency. Aside from anonymity, cyber criminals turned to Monero as this cryptocurrency can be mined using ordinary CPUs, unlike Bitcoin which requires a specialized hardware.
“Cryptocurrencies are created (and secured) through cryptographic algorithms that are maintained and confirmed in a process called mining, where a network of computers or specialized hardware such as application-specific integrated circuits (ASICs) process and validate the transactions,” Trend Micro describes cryptocurrency mining. “The process incentivizes the miners who run the network with the cryptocurrency.”
The actual process of cryptocurrency mining is legal. One just needs to use one’s own computer. One can use another computer to mine cryptocurrency, provided that the computer owner consents that his or her computer will be used for mining cryptocurrency.
Illicit Cryptocurrency Mining
The growth of cryptocurrency market has also led to the growth in cases where cryptocurrency mining malware are installed without the knowledge or consent of the computer owners.
According to Kaspersky Lab, in 2013, its products were able to deter 205,000 cryptocurrency mining malware infections; 701,000 infections in 2014; and in the first eight months of 2017, a total of 1.65 million infections.
According to IBM, unauthorized embedding of cryptocurrency mining tools grew sixfold in the eight-month period between January and August 2017.
In 2014, Harvard’s supercomputer cluster called “Odyssey” was used to illegally mine Dogecoins, another digital currency. Also, in 2014, the National Science Foundation (NSF), a US government-backed organization, revealed that NSF-funded computers were used to illegally mine Bitcoins. In February of this year, one of the US Federal Reserve’s servers was used to illegally mine Bitcoins.
Crypto mining malware is propagated or spread by exploiting the vulnerabilities of unpatched Microsoft operating system, as reported by ESET. Kaspersky Lab, for its part, observed the spread of this malware via adware installers that are spread using social engineering. Other attack methods include:
“Virtually any attack vector that involves injecting executable code could turn a targeted system into a virtual coin miner for the attacker,” IBM said.
In 2014, advertisements on Yahoo's homepage were infected with malware aimed at mining Bitcoins.
The following are this year’s notable cryptocurrency mining malware, in addition to the one reported by ESET:
This malware exploited EternalBlue, the same security flaw that WannaCry ransomware exploited.
This malware exploited the security flaw in the interoperability software suite Samba.
This malware, a Linux Trojan, targets Raspberry Pi devices.
All these malware infected devices and machines and turned them into Monero-mining botnets. Aside from Monero, another cryptocurrency Zcash is also being used by cyber criminals in concealed crypto mining for its anonymity promise.
Dangers of Crypto Mining Malware
Crypto mining malware impacts the performance of an infected computer. Mining activity eats the resources of infected computers. It reduces the performance of the infected computer. It increases the wear and tear. It also increases power consumption.
Crypto mining malware’s ill-effects go beyond the performance and power cost. It could also trigger web and network-based attacks.
“These malware can threaten the availability, integrity, and security of a network or system, which can potentially result in disruptions to an enterprise’s mission-critical operations,” Trend Micro said. “Information theft and system hijacking are also daunting repercussions. These attacks can also be the conduit from which additional malware are delivered.”
How to Prevent Cryptocurrency Mining Malware Intrusion
There’s no one-stop solution to prevent cryptocurrency mining malware intrusion into your organization’s computers as there are so many intrusion possibilities.
Here are some of the ways to prevent cryptocurrency mining malware intrusion:
1. Keep all software up-to-date
Timely apply patches or security updates. A timely security update, for instance, of Windows Server 2003 could have prevented the cryptocurrency mining malware as reported by ESET.
2. Change default login and password
Over the first three quarters of 2016, Trend Micro reported, that it detected a Bitcoin-mining zombie army from home routers and IP cameras. These IoT devices were compromised for the simple reason that owners didn’t change the default login and password.
3. Enable the firewall of IoT devices (home routers, IP cameras)
4. Take precaution against unsolicited emails, links, attachments or files from websites, questionable third-party software or applications
5. Build a cyber security-conscious staff through education and role-based training
New Bluetooth Malware Puts Billions of Devices at Risk
A new malicious software dubbed as “BlueBorne” puts billions of Bluetooth-enabled devices at risk.
Dr. Jaap Haartsen invented the Bluetooth while working at Ericsson in the 1990s. Bluetooth was named after the 10th-century king of Denmark King Harald Blåtand (blue-tooth in English), who famously united Scandinavia. Just as King Bluetooth united Scandinavia, Dr. Haartsen’s invention unites or connects devices.
Bluetooth is currently the most widely-used protocol for short-range communications. It's used in a wide range of devices, from personal computers to smart phones, consumer electronics devices (smart TVs, printers), medical and health devices, home automation and autonomous cars.
Bluetooth is now licensed, managed and maintained by the Bluetooth Special Interests Group (SIG). Tech giants Google, Microsoft, Apple, Intel and IBM are some of the group members.
How BlueBorne Works
1. BlueBorne attacks devices via Bluetooth.
The security research firm Armis first identified the BlueBorne malware. Researchers at the research firm found that BlueBorne malware specifically exploits the security flaw in Bluetooth-enabled devices running on Windows, Android, pre-version 10 of iOS and Linux operating systems, regardless of the Bluetooth version in use.
This means that every single computer, mobile device or IoT device running on one of the above-mentioned operating systems is at risk. There are currently 2 billion Android users, 500 million Windows 10 users, 1 billion Apple users, and 8 billion IoT users.
Affected devices include all Android phones, tablets and wearables (except those using only Bluetooth Low Energy), all Windows computers since Windows Vista and all Linux devices like Samsung Gear S3, Samsung Smart TVs and Samsung Family Hub.
2. BlueBorne spreads through the air.
BlueBorne is alarming as it operates through the air. Unlike traditional cyber attacks, no action is required from the victim to enable the BlueBorne attack – no need to download a malicious file or click on a link.
Once the malware detects the Bluetooth is active on a device that runs on Windows, Android, pre-version 10 of iOS or Linux operating system, it attacks it despite the fact that the targeted device isn’t paired with the attacker’s device or set on discoverable mode.
“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” Armis said.
To initiate BlueBorne, the attacker must be near the targeted user and the Bluetooth feature of the target user's device must be turned on. Billions of devices are at risk as Bluetooth is turned on by default on many devices. Many users also prefer to turn on Bluetooth most of the time to conveniently connect it to keyboards, headphones and other various IoT devices.
The airborne operation of BlueBorne is problematic in the following ways:
a) Highly Infectious
Spreading from one device to another through the air makes BlueBorne highly infectious since the Bluetooth process enjoys high privileges on all operating systems. Exploiting Bluetooth gives hackers full control over the device.
b) Bypasses Traditional Cyber Security Measures
As BlueBorne is spread through the air, it bypasses traditional cyber security measures. Typical security measures are defenseless against airborne attacks. BlueBorne attackers can bypass secure internal “air-gapped” networks – a security measure that isolates a computer or network and prevents it from establishing an external connection.
"These silent attacks are invisible to traditional security controls and procedures. Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," Yevgeny Dibrov, CEO of Armis, said in a statement. "The research illustrates the types of threats facing us in this new connected age."
3 Ways BlueBorne Attackers Could Exploit Your Device
1. Take Full Control of Your Device for Criminal Activities
BlueBorne attackers could remotely execute code on your vulnerable device, allowing the attackers to take full control over your device, access corporate networks, systems and data. With full access to your device, hackers could perform criminal activities, including ransomware and data theft.
2. Create Large Botnets Similar to the Mirai Botnet
Mirai botnet uses compromised IoT devices to carry out crippling Distributed Denial of Service attacks (DDoS) attacks. In 2016, crippling DDoS attacks were waged against the website of cyber security blogger Brian Krebs and a French web hosting company. BlueBorne attackers, for instance, could use your compromised device, together with other compromised devices, to execute DDoS against a particular website.
3. Perform Man-in-The-Middle Attack
BlueBorne attackers could perform a man-in-the-middle attack on your device.
Man-in-the-middle attack happens when attackers redirect the communication between two users to the attackers’ computer without the knowledge of the original two users.
“An attacker who successfully exploited this vulnerability could perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer,” Microsoft said in its September 12, 2017 security bulletin. “The attacker can then monitor and read the traffic before sending it on to the intended recipient.”
Microsoft calls this Bluetooth vulnerability as "Microsoft Bluetooth Driver Spoofing Vulnerability".
How to Prevent BlueBorne Attacks
1. Turn Bluetooth Off
The safest way to prevent a BlueBorne attack is by turning off the Bluetooth feature on your device. This malware can access your device only when it’s in the active mode. If it’s turned off, the malware can’t successfully infiltrate your device.
2. Update Your Operating System
It’s advisable to keep your operating system up-to-date. Not all operating systems though have patched or issued a security update that fixes BlueBorne vulnerability.
According to Armis, it informed Google about the BlueBorne issue on April 19, 2017. Google released a public security update and security bulletin on September 4th, 2017.
Microsoft was informed by Armis about the BlueBorne issue on April 19, 2017. Microsoft released security updates on July 11, 2017.
Apple was informed about BlueBorne on August 9, 2017. Apple corrected this vulnerability with its latest iOS and tvOS.
Linux was informed by Armis on August 15 and 17, 2017 and on September 5, 2017. As of September 12, 2017, Armis said, Linux hasn't yet issued a public security update to patch the BlueBorne malware.
Canadian University Loses $11.8 Million to BEC Scammers
An Edmonton, Alberta-based university publicly acknowledged that it was a victim of a recent cyber attack.
According to the Alberta-based university, a series of bogus emails tricked university staff into changing the electronic banking information for one of the university’s major supplier. This resulted in the money transfer worth $11.8 million to a bank account that the university staff believed belonged to the supplier.
The university traced over $11.4 million of the money to bank accounts in Canada and Hong Kong. According to the university, the traced bank accounts have been frozen and the university is working with its legal counsel in Montreal and Hong Kong to pursue civil action to recover the money. The remaining balance of these accounts is, however, unknown at this time.
“There is never a good time for something like this to happen but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident,” the university spokesperson said.
The incident that occurred at the Alberta-based university is an example of the cyber attack called business email compromise (BEC).
What is a Business Email Compromise (BEC)
BEC is a cyber attack that targets organizations that have regular dealings with foreign suppliers and regularly perform wire transfer payments.
According to the FBI’s Internet Crime Complaint Center (IC3), from October 2013 to December 2016, a total of 40,203 BEC incidents were reported worldwide, with the total financial loss amounting to $5.3 billion. The IC3 said that the scam has been reported in 131 countries, with victims ranging from non-profit organizations to small businesses and large corporations. These businesses offer a variety of goods and services, signifying that no specific sector is targeted more than another. Tech giants Google and Facebook succumbed to BEC scams.
"Ransomware has been drawing much of the attention in the security world lately,” Cisco 2017 Midyear Cybersecurity Report (PDF) said. “However, a threat that’s not nearly as high-profile is raking in far more for its creators than ransomware: Business email compromise, or BEC."
According to the FBI’s Internet Crime Complaint Center, some of the organizations affected by BEC reported being a victim of ransomware attack before the BEC incident.
How BEC Works
BEC is an elaborate deception scheme.
First, attackers study the organization they want to target.
Attackers spend weeks and even months to study the organization’s suppliers, billing systems, top executive or CEO’s writing style and his or her travel schedule.
Attackers get the above-mentioned information from public online resources such as social media accounts and by using malicious software that’s capable of infiltrating the organization’s networks, gain access to passwords, financial account information and email threads relating to billing and invoices.
Second, attackers establish a relationship with a target employee.
When the time is right, for instance, when the CEO isn’t in his or her office, BEC scammers contact a specific employee – bookkeeper, accountant, controller or chief financial officer – in an organization who’s responsible for directly transferring money to suppliers.
Attackers exploit the target employee through email spoofing, phishing email and telephone calls.
A spoofing tool is also used by the attackers to direct email replies to a different account that the attackers control. At this stage, the target employee is tricked into thinking that he or she is corresponding with the organization’s CEO.
Third, attackers send instructions for money transfer.
For this third stage, attackers further deceive the target employee, for instance, by convincing the employee that the supplier has a new bank account number and instruct the employee to send payment to this new account. Attackers may also send a bogus email from a CEO to release the money to the new bank account.
Fourth, money sent is drained to different accounts.
In this fourth stage, money is sent to “money mules” in different parts of the world. Some of these accounts are difficult to trace. If the scam isn’t uncovered in time, it may be hard to recover the money.
How to Prevent BEC Scams
Here are some of the ways to prevent BEC scams:
1. Verify the authenticity of the money transfer request.
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” said FBI Special Agent Martin Licciardo.
Also, confirm the money transfer request by calling the supplier with the previously known company numbers, not the one provided in the email request. In the case of the Alberta-based university, based on the preliminary assessment of the university’s internal audit group, the BEC scammers were able to succeed in deceiving the university staff as “controls around the process of changing vendor banking information were inadequate”.
2. Use an email intrusion detection system.
This automated system can flag emails with extensions that are similar to your organization’s email. For example, an intrusion detection system for legitimate email of xyz-corporation.com can flag bogus emails from xyz_corporation.com.
Small and Medium-Sized Businesses Not Investing in Cyber Security
The rise of global cyber attacks in recent years might have led many to believe that small and medium-sized businesses (SMBs) are investing in cyber security. But the reality is that majority of SMBs aren’t investing in cyber security.
In the study “Canadian Business Speaks Up: An Analysis of the Adoption of Internet-based Technology”, the Canadian Chamber of Commerce found that cyber security threats are underestimated by 64% of Canadian businesses, indicating they’ve no intention of investing in cyber security measures at this time. Eighty-one percent of the respondents of the Canadian Chamber of Commerce study classify themselves as small businesses and 7% classify themselves as medium. The study was conducted between December 2016 and January 2017.
In another paper “Cyber Security in Canada: Practical Solutions to a Growing Problem”, the Canadian Chamber of Commerce said that a “data breach costing $6 million would break many small businesses”.
In the UK, meanwhile, despite the recent global cyber attacks, insurance company Zurich revealed that close to half (49%) of SMEs in this part of the world only intend to spend less than £1,000 on cyber security in the next 12 months, while 22% of SMEs don’t know how much they will spend.
“While recent cyber-attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it’s important to remember that small and medium sized businesses need to protect themselves too,” said Paul Tombs, head of SME Proposition at Zurich. “The results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses."
Extent of Cyber Attacks on Small and Medium-Sized Businesses
Symantec’s 2016 global internet security threat report (PDF) showed that cyber criminals are more and more turning their attention to hacking small businesses. The Symantec report showed that spear-phishing attackers gradually targeted small businesses – defined by Symantec as enterprises composed of 1 to 250 employees – from 18% in 2011 to 31% in 2012; 30% in 2013; 34% in 2014 and 43% in 2015.
In the UK, results from the latest Zurich SME Risk Index showed that 875,000 or nearly 16% of SMEs have fallen victim to a cyber attack, costing 21% of the victims over £10,000.
In Canada, 23% of Canadian small business owners were certain they were the victim of a cyber attack in 2016, while another 32% suspected that they might have been breached according to an Ipsos survey (PDF).
Canada’s Digital Privacy Act
"There are a significant number of breaches that never get reported because there's no obligation to report them," Imran Ahmad, a partner at the law firm Miller Thomson – a firm that specializes in cyber security, told CBC News.
This practice of sweeping cyber attacks under the rug will start to change with the upcoming implementation of the Digital Privacy Act (PDF), a Canadian law that was passed in June 2015. The Digital Privacy Act requires organizations “to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner”. Failure to report a data breach under this law could result in a fine of up to $100,000.
Matthew Braga of CBC News, in the article "Here's why reports of data breaches will skyrocket this year" wrote, "The hope is that more transparency will lead to better protections and fewer breaches in the long term.”
6 Reasons Why Cyber Criminals Attack Small and Medium-Sized Businesses
Here are 6 reasons why cyber criminals are attracted to small businesses:
1. Less Capable to Handle Cyber Attacks
SMBs are less equipped to manage a cyber attack due to lack of resources.
2. Less Likely to Guard Important Data
SMBs are less likely to protect their important data – intellectual property, personally identifiable information and credit card credentials.
3. Susceptible to Attack Due to Partnership with Large Businesses
The partnership between large businesses and SMBs provides hackers back-channel access to their true target: large businesses.
4. Less Likely to Have Key Security Defenses
According to Cisco, in its 2017 midyear cyber security report, as a result in lesser budget and expertise, SMBs have less key security defenses in place. For instance, only 34% of SMBs reported using email security compared with 45% of large businesses and only 40% use data loss prevention defenses compared with 52% of large businesses.
5. Less Likely to Have Written, Formal Cyber Security Strategies
Large businesses are more likely to have written, formal strategies in place compared to SMBs (66% versus 59%), Cisco reported.
6. Less Likely to Require Vendors to Have ISO Certifications
Large organizations, CISCO noted, are more likely than SMBs to require their vendors to have ISO 27018 certifications (36% versus 30%). ISO 27018 refers to the “commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.”
Ripple Effect of Cyber Attacks on SMBs to Canada’s Economy
In the 2016 Canadian Chamber of Commerce's "Top 10 Barriers to Competitiveness for 2016", the business organization ranked Canada’s vulnerability to cyber crime as the country’s number 2 barrier to global competitiveness. The country’s chamber of commerce said that digital security breaches and cyber theft hinder Canada’s global competitiveness.
Without taking into consideration the value of the data itself, the Canadian Chamber of Commerce said that the country’s internet economy accounted for 3.6% of its $1.83 trillion GDP.
Protecting small businesses, in particular, from cyber attacks is as important as protecting large enterprises, considering that the economy of Canada mostly comprised of small businesses. According to the Canadian Chamber of Commerce, out of the 1.2 million businesses in Canada, 98% have fewer than 100 employees, 55% have fewer than 4 and 75% have fewer than 10 employees. These over a million small enterprises in the country employ 60-80% of all jobs created in Canada and companies with fewer than 100 employees contribute about 51% to Canada’s GDP.
We invite you to connect with us to speak with one of our cyber security experts, and protect your small or medium business today.
Why Lack of Qualified Cyber Security Workforce is a Critical Vulnerability for Many Businesses
There’s WannaCry. There’s Petya. There’s NotPetya. These cyber threats have hugged the headlines in the past few days. There’s one cyber threat that remains as a critical vulnerability for many businesses: lack of qualified cyber security workforce.
Cyber Attacks Outpace Cyber Defense
According to Symantec, 430 million new unique pieces of malware were discovered in 2015. At the close of 2015, Symantec added, 191 million records were exposed as a result of cyber attacks.
“Attacks outpace defense, and one reason for this is the lack of an adequate cyber security workforce,” said the Center for Strategic and International Studies in its study called “Hacking the Skills Shortage: A study of the international shortage in cyber security skills”.
A report from Frost & Sullivan and ISC² found that by 2020, more than 1.5 million global cyber security positions will be unfilled. Frost & Sullivan and ISC² revealed that 45 percent of hiring managers reported that they’re struggling to fill additional information security positions despite the increase of security spending across the board for technology, rising average annual salaries and high rates of job satisfaction.
Five years ago, cyber threat wasn’t part of the top 10 risks (it only ranked 12th) prioritized by corporate boards according to Lloyds’ 2011 annual risk survey.
Corporate attitude towards cyber security has drastically changed in recent years. A Forbes report found that four financial institutions – J.P. Morgan Chase & Co., Bank of America, Citigroup, and Wells Fargo – spent more than $1.5 billion on cyber security in 2015. In a live interview on Bloomberg in 2015, Bank of America CEO Brian Moynihan said that cyber security is the bank’s only business unit with no budget limit.
In 2017, PwC’s global CEO survey found that cyber threat is the top five risks on CEOs’ minds, behind only to availability of key skills, volatile energy costs and changing consumer behavior.
Delay of Hiring Cyber Security Workforce Leaves Businesses Vulnerable to Cyber Attacks
The 2017 state of cyber security survey by ISACA (Information Systems Audit and Control Association) found it takes six months or longer to fill priority cyber security and information security positions in more than 1 in 4 companies around the globe.
“When positions go unfilled, organizations have a higher exposure to potential cyber attacks. It’s a race against the clock,” said Christos Dimitriadis, ISACA board chair.
For its part, the Center for Strategic and International Studies said, “The continued skills shortage creates tangible risks to organizations.” In the study conducted by the center, 1 in 4 respondents said their organizations have lost proprietary data as a result of their inability to maintain adequate cyber security staff.
Lack of Qualified Applicants
The ISACA report showed that compared to other corporate job openings, which garner 60 to 250 applicants, cyber security opening receives fewer applicants.
Fifty-nine percent of the organizations surveyed by ISACA reported that for each cyber security opening, they only receive at least 5 applicants, and only 13 percent receive 20 or more applicants. Sixteen percent of North American respondents in the ISACA survey indicated that cyber security opening receives at least 20 applicants.
Compounding the problem of lack of applicants for cyber security opening is the problem of qualified applicants. ISACA board chair said, “As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job.”
Sixty-four percent of the respondents of the ISACA survey said half or less of their applicants for cyber security position are qualified, while 35 percent of the survey respondents said that less than 25 percent of applicants are qualified.
When asked to identify the most important attributes of a qualified applicant, respondents of the ISACA survey ranked practical verification or hands-on experience as the most important; reference/personal endorsement is ranked second; certifications is ranked third; formal education is ranked fourth; and specific training is ranked fifth.
Making things worse is the “security fatigue” of non-cyber security personnel. The National Institute of Standards and Technology (NIST) defined security fatigue as a “weariness or reluctance to deal with computer security”.
A NIST study found that a majority of computer users experienced security fatigue that often results in risky computing behavior in the workplace and in their personal lives.
“The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” cognitive psychologist and co-author of the NIST study Brian Stanton said.
“Years ago, you had one password to keep up with at work,” computer scientist and co-author of the NIST study Mary Theofanos said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cyber security expanding and what it has done to people.”
The NIST study found that security fatigue results to feelings of resignation and loss of control. This weariness or reluctance to deal with computer security, the NIST study found, can lead to choosing the easiest option among alternatives, behaving impulsively, and failing to follow security rules.
How to Remedy the Cyber Security Workforce Shortfall
Here are three recommendations on how to remedy the cyber security workforce shortfall:
1. Accept Non-Traditional Sources of Education
The Center for Strategic and International Studies study suggested that hiring managers should put less emphasis on degree requirements especially for entry-level cyber security positions, and instead place greater emphasis on hands-on experience and professional certifications.
2. Diversify the Cyber Security Workforce
A number of studies have shown that women and minorities are underrepresented in the field of cyber security. Opening this field to women and minorities will diversify the cyber security workforce and will also expand the talent pool.
The Center for Strategic and International Studies study revealed that organizations are looking to automate cyber security functions to offset the skills shortage. Cyber security automation generates efficiencies. Efficient processes allow cyber security personnel to focus their talent and time on cyber threats that need human intervention.
Steve E. Driz, I.S.P., ITCP