research Archives - Security IT Summit | Forum Events Ltd
  • Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts Tagged :

research

50% of UK universities have reported data breaches in last 12 months

960 640 Stuart O'Brien

More than half of UK universities reported a data breach to the ICO in the last year, while 46% of all university staff received no security training and almost a quarter of institutions (24%) did not commission a penetration test from a third party. 

That’s according to research conducted by Redscan on the state of cyber security in the higher education sector, based on an analysis of Freedom of Information requests.

The National Cyber Security Centre (NCSC) itself says universities are targeted by criminals seeking financial gain, as well as by nation state attackers looking to steal intellectual property. The Redscan report underscores the degree to which universities are an attractive target. It also raises concerns that many may not be doing enough to defend against the latest threats, particularly at a time when institutions are embracing remote teaching en masse and conducting world-changing research in relation to COVID-19. 

Defending against an incessant stream of phishing attacks remains a challenge of all universities, says Redscan. Several institutions reported receiving millions of spam/phishing emails each year, with one reporting a high of 130 million. Phishing attempts were described as being “endless” and one university disclosed that attacks had increased by 50% since 2019. 

Other key findings from the report include:

  • 54% of universities reported a data breach to the ICO in the last 12 months
  • A quarter of universities haven’t commissioned a pen test from an external provider in the last year
  • 46% of all university staff in the UK received no security training in the last year. One top Russell Group university has trained only 12% of its staff
  • Universities spend an average of £7,529 per year on security training, with expenditure ranging from £0 to £49,000
  • Universities employ, on average, three qualified cyber security professionals
  • 51% of universities are proactive in providing security training and information to students
  • 12% of universities do not offer any kind of security guidance, support or training at all to students
  • 66 out of 134 universities have Cyber Essentials or Cyber Essential Plus certification

Redscan CTO, Mark Nicholls, said: “UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistencies in the approach institutions are taking to protect their staff, students and intellectual property against the latest cyber threats. 

“The fact that such a large number of universities don’t deliver cyber security training to staff and students, nor commission independent penetration testing, is concerning. These are foundational elements of every security program and key to helping prevent data breaches. 

“Even at this time of intense budgetary pressure, institutions need to ensure that their cyber security teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding.” 

“The threat posed to universities by nation state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable.” 

CEOs ‘need technology in their DNA’ to ensure success

960 640 Stuart O'Brien

CEOs and executive leadership positions should be filled by people with technology career backgrounds, such as app or software development, if businesses are to be more successful, say the majority (69%) of business leaders in the UK.

Research conducted by VMware has found international recognition that elevating technology team members into leadership roles drives significant value for the entire organisation.

When identifying specific benefits, over one in four (42%) business leaders highlight improved efficiency across the whole organisation, a third (33%) recognise increased business performance and greater innovation potential, and more than a third (39%) better customer experiences.

Vanson Bourne, commissioned by VMware, interviewed 2,250 respondents in EMEA (including 450 from the UK) during March and April 2020. This consisted of 750 business decision makers, 750 IT decision makers and 750 app developers. All respondents were from organisations with at least 500 employees, across all private and public sectors, including, but not limited to IT, financial services, retail and wholesale, healthcare, education and government.

VMware says the findings sit against a backdrop of seismic disruption, where digital transformation – the way technology transforms or enhances business models – has been validated in helping leaders and their organisations adapt to fast-changing market dynamics, changing business models and employee mobilization.

During the pandemic, UK businesses highlight the benefits of modernised applications, for example, to enhance their performance and resilience. More than half (58% ) of respondents highlighted the role of modernised apps to enable employees to work remotely, and just under a third referenced their ability to continuously push updates in response to the changing landscape (31%), and ensure reliable uptime (35%). 

In fact, more than three quarters (81%) of app developers and technology leaders in the UK believe that without successfully modernising applications, organisations will not be able to deliver a best-in-class customer experience. This is echoed by the global executive community; more than 80% of whom believe that enhancing application portfolios will improve the customer experience, which is directly tied to revenue growth.

“Business leaders have never been at the helm of so much change, so those with an inherent knowledge of technology and an understanding of how applications can help them adapt to any market conditions and shape their future performance and resiliency have a real advantage. Indeed, three quarters of the world’s business leaders agree that a ‘technology inside’ leadership skillset will bring success,” said Ed Hoppitt, Director of Apps and Cloud Native Platforms VMware, EMEA. “From the tens of millions of people and students now working and educating from home, to banks being able to scale to provide significant revenue streams, to businesses and retailers looking at digital platform options almost overnight, this pandemic has driven a decade of digital transformation in a few months. 

“It is the ability to get these defining, business apps – that deliver information and services into the hands of users, where needed – that creates success and genuinely drives customer engagement.  Leadership with technology in its DNA combined with a software-enabled digital foundation to serve up these digital services is a winning combination.”

Ursula Dolton, CTO at British Heart Foundation, said: “Businesses risk missing a trick by not appointing C-suite execs with backgrounds in technology. It is no longer enough to simply invest in technologies, since their benefits to organisations go well beyond implementation. In order to get the most from these investments, it’s vital to deliver cultural change and strategic direction, a role best suited for leaders with an understanding of these platforms and the power to both respond to demand and enforce real change.” 

A competitive advantage, born out of the continuous development and delivery of new applications and services, is also reinforced by the findings – which reveal that high-performing companies in EMEA have a more efficient and effective development rate of applications. Two thirds (66%) of new applications make it through to production in high-performing companies***, compared to 41% within underperforming organisations, while 70% of application efforts make it to production in the planned timeframe in high-performing organisations, compared with just 41% in underperforming.

Financial services head to the cloud to escape security concerns

960 640 Stuart O'Brien

The financial services industry is accelerating its shift to the cloud, as it presses forward with digital transformation in the face of security concerns. 

That’s according to the Financial Services edition of F5’s 2020 State of Application Services (SOAS) report, which says 60% of surveyed organisations in the industry believe public cloud platforms will be strategically important for them in the next two to five years, up sharply from 49% in 2019.

It comes as 84% of financial services organisations execute on digital transformation plans, with three quarters saying the key driver is to increase the speed of new product and service deployment.

Cloud adoption is increasing even as security concerns remain widespread. While two-thirds of organisations are confident in their ability to withstand an application attack on premises, only 40% said the same when it comes to the public cloud. 

“The idea that financial services applications would be the slowest to move into the cloud has been clearly disproven,” said Lori MacVittie, Principal Technical Evangelist, Office of the CTO at F5.

“Instead we are seeing the industry go ‘all in’ on multi-cloud adoption as organisations seek to increase the pace of their digital transformation and more quickly deploy the applications that will deliver a high-quality customer experience. Ultimately, financial services organisations that face growing competition from digital challengers are turning to the cloud to meet the needs of customers who now expect a seamless fintech service.” 

As cloud adoption increases, the F5 research says financial services organisations are seeking to balance the innovation imperative with security needs.

Many are looking to open banking, which 47% of surveyed organisations (among the two-thirds of respondents who provide banking services) have either implemented or plan to do so. Within this subset, 68% are deploying API gateways to deliver innovation, allowing them to securely share data with partners and open APIs to public developer networks.

82% of organisations with open banking initiatives have published APIs to third parties, compared to 62% of those not engaged in open banking.

The reports says that in this context security remains a pressing concern, especially with 87% of organisations embracing multi-cloud environments, and 41% determining the type of cloud to support an application on a case-by-case basis.

Asked about the biggest challenges of managing applications in a multi-cloud environment, 59% of respondents highlighted the need to apply consistent security policies across all company applications, well ahead of migrating apps among clouds/data centers (32%), gaining visibility into application health, or optimising the performance of the application (both 26%).

Security clearly resonates as a priority for the entire industry. Over half of respondents named it as the most important characteristic of an application service, while financial services leaders ranked real-time threat analytics as their number two strategic trend, compared to number six across all industries. Three quarters of respondents said it is important to enforce the same security policies on premises and in the cloud.

Nevertheless, the industry fears that it lacks the capacity to effectively respond to threats, with 72% of respondents reporting that they face a security skills gap.

The importance of security is further underlined by the applications financial services organisations choose to prioritise. Among the industry’s top five app services deployed today, four are security-focused: common security services and SSL VPN (both deployed by 86%), WAF (81%, up from 77% in 2019) and DDoS protection (80%).

That is balanced by a focus on application services that underpin the effort to drive high-quality customer experiences: 80% of financial services respondents said they are deploying services such as load balancing, global server load balancing and DNS, compared to 75% globally. 

Looking forward, the industry is planning to deploy application services that will support greater adoption of public cloud and modern (cloud- or container-native) architectures. 42% expect to deploy SDN gateways or SDN WAN in 2020 (up from 34% in 2019) while 39% will deploy API gateways (up from 27%) and 35% Ingress control (up from 21%).

46% of financial services respondents identified Software-defined networking (SDN) as a strategically important trend for them in the next 2-5 years, up from 42% last year.

McAfee advocates shared responsibility for cyber security in manufacturing

960 640 Stuart O'Brien

McAfee’s latest Cloud Adoption and Risk Report revealed that between January and April 2020, enterprise use of cloud in the manufacturing industry spiked by 144%, compared to the average overall enterprise increase of 50%.

Likewise, external attacks on cloud accounts increased by 630%, with manufacturing verticals seeing a 679% increase in threats, making it one of the most affected sectors.

A previous report from McAfee – Grand Theft Data II – The Drivers and Shifting State of Data Breaches – revealed that IT security professionals across all sectors, including manufacturing, are still struggling to fully secure their organisation and protect against breaches, with 61% claiming to have experienced a data breach at their current employer

The firm says data breaches are getting more serious and are under greater scrutiny – nearly three-quarters of all breaches have required public disclosure or have affected financial results.

One major issue highlighted in the report is that security technology continues to operate in isolation, with 81% reporting separate policies or management consoles for cloud access security broker (CASB) and data loss prevention (DLP), resulting in delayed detection and remediation actions.

Mo Cashman, Principle Engineer at McAfee, has outlined key issues with this approach and how they can be addressed:

Why is collaboration and shared responsibility important for improving overall governance in the manufacturing industry?

“We often see blurred lines when it comes to responsibility for data security, cybersecurity and compliance in the manufacturing space. Unfortunately, lack of clarity about who owns what as part of a shared responsibility model means Information Technology (IT) and Operational Technology (OT) convergence is increasing cyber risk. For example, IT systems are used on the OT side, giving OT teams some level of responsibility for managing data security and governance. However, a combination of differing systems and policies as well as lack of transparency between teams can make it challenging to manage security as a whole. This challenge is further compounded because shared responsibility must also factor in the supply chain, and suppliers often bring their own security controls into the mix through the installation of their own devices. 

“By implementing a shared responsibility model, teams can come together and create full visibility of who is responsible for each piece of the puzzle – for example, handling security at system and programming levels. This can ensure that the right controls are adopted where they are needed, while providing an encompassing view of security systems across the organisation.  

“With a collective understanding of risk and responsibility between IT, OT and the supply chain, organisations are moving their security posture and data governance up one level. A good example of this already in practice is the cloud: as organisations become increasingly aware of their role in the shared responsibility model to secure the cloud, they are becoming more aware of their risk levels and able to manage these more effectively.” 

What are the potential consequences for manufacturers that fail to implement  a shared responsibility model across IT/OT/supply chain?

“Failure to adopt a shared responsibility model across IT, OT and the supply chain can leave manufacturers with unnecessary expenses, higher risks and weakened security. From a cost perspective, organisations could be paying for additional but unnecessary security licensing and monitoring. Without clarity on which tools are already in use across IT and OT teams, organisations will not only face challenges with interoperability but they’ll risk doubling up on tooling and training costs. Instead, taking a more holistic approach of the organisation as a whole will enable IT and OT teams to decide where responsibility lies and lower costs. For instance, OT teams have very specific requirements and expertise. While overall monitoring to collect and understand data might sit with IT, OT can layer on context for specific alerts based on their expertise. Taking a collaborative approach where everyone’s responsibility is clear will enable organisations to streamline processes and limit unnecessary costs.

“Ultimately, a key consequence of failing to adopt a shared responsibility model is a higher level of risk and poorer overall security. Without clear dividing lines on responsibility and a collaborative approach, IT will not have the comprehensive view of systems required to keep track of all data and potential threats. As a result, pockets of vulnerable systems are likely – falling through the cracks between teams. Limited visibility means limited security. 

“This security issue is compounded in the manufacturing sector as the type of vulnerabilities impacting IT systems are often very different to those impacting OT. While lots of research exists around IT threats, less research is available on the OT side. Given that OT systems are usually lightweight and could be prone to damage if too much traffic is thrown at them, vulnerability discovery can be challenging. The combination of limited research and levels of system vulnerability which are harder to uncover means manufacturers can easily find themselves exposed to cyberattacks if a shared responsibility model is not employed.” 

What current factors are driving manufacturing organisations to reconsider their current set-up and move to a shared responsibility model?

“Faced with uncertainty and confusion about what the ‘new normal’ will look like has meant business leaders are thinking about resilience more than ever. In doing so, they’re considering their enterprise as a whole – moving away from a more siloed view. For manufacturers, future resilience depends on their systems remaining up and, importantly, secure. This requires business leaders to think more closely about the role that people, process and technology play. When considering a return to normality, organisations are wondering how they would deal with cybersecurity challenges if staff are working remotely, or how they could operate more flexibly to adjust as restrictions ease and tighten in response to the rate of virus transmission in future. Taking this holistic view of the whole organisation inevitably starts to break down barriers between teams and puts the shared responsibility model front and centre.”

What benefits will shared responsibility bring to the future of the manufacturing space?

“Firstly, shared responsibility allows manufacturing organisations to leverage expertise where it lies. For example, while IT teams have a centralised view and understanding of IT risks, they should collaborate with OT teams for industry context as required. Collaboration here will allow for quicker identification and investigation of alerts, reducing response time as teams both detect and mitigate threats more quickly.

“In the manufacturing sector particularly, safety is an important benefit of adopting a shared responsibility. Improved security, via a shared responsibility model, will help teams to uncover security risks before they have major consequences for customers. What’s more, if OT, IT and the supply chain work together, teams will be able to identify new security boundaries and reduce future risk.”

McAfee has also outlined practical steps that manufacturers can take:

·       Elect a governance committee. Creating a committee that includes individuals across IT, OT and the supply chain is vital. It can remove silos and provide a consolidated view of risk across the business as a whole. 

·       Conduct regular audits. Running audits across both IT and OT is key to ensuring visibility across systems, as well as opening doors to question processes and systems. What systems are out there? Who are the suppliers? What SLAs/security contracts are in place? Through these audits, teams can identify risks, kick-start contractual discussions with suppliers and agree the process to mitigate vulnerabilities before they occur.  

·       Start with monitoring. Increasing overall levels of monitoring will provide greater visibility. This monitoring should go hand-in-hand with implementing threat detection capabilities and the response plans that go with them. Ultimately, response times can be reduced if IT and OT teams understand their roles and responsibility in the process. 

·       Asses the overall security architecture. Fostering a more holistic view of the current enterprise set-up and how this maps with existing security standards is crucial. If IT and OT teams use different models to meet different criteria, manufacturers should aim to bring these models together into one consolidated enterprise view of cyber risk. 

·       Create a security awareness programme. By implementing a security awareness and readiness programme, organisations can ensure that all teams are educated on security procedures and are actively involved in maintaining them. This programme should include everyone from end users to OT engineers, and all the way up to executive level, in order to ensure that all areas of the manufacturing process are covered.

Unmanaged personal devices at home threatening corporate security

960 640 Stuart O'Brien

More than half of UK employees working remotely during lockdown use unmanaged personal devices to access corporate systems.

That’s according to a study published today by CyberArk, which found that UK employees’ work-from-home habits – including password re-use and letting family members use corporate devices – are putting critical business systems and sensitive data at risk.

The survey, which aimed to gauge the current state of security in today’s expanded remote work environment, found that:

  • 60% of remote employees are using unmanaged, insecure “BYOD” devices to access corporate systems. 
  • 57% of employees have adopted communication and collaboration tools like Zoom and Microsoft Teams, which have been the focus of highly publicised security flaws

Working Parents Compound the Risk

The study found that the risks to corporate security become even higher when it comes to working parents. As this group had to quickly and simultaneously transform into full-time teachers, caregivers and playmates, it’s no surprise that convenience would outweigh good cybersecurity practices when it comes to working from home. 

  • 57% insecurely save passwords in browsers on their corporate devices
  • 89% reuse passwords across applications and devices
  • 21% admitted that they allow other members of their household to use their corporate devices for activities like schoolwork, gaming and shopping. 

Are Current Work-from-Home Security Policies Enough?

While 91% of IT Teams are confident in their ability to secure the new remote workforce, more than half (57%) have not increased their security protocols despite the significant change in the way employees connect to corporate systems and the addition of new productivity applications.

CyberArk says the rush to onboard new applications and services that enable remote work combined with insecure connections and dangerous security practices of employees has significantly widened the attack surface and security strategies need to be updated to match this new dynamic threat landscape. This is especially true when it comes to securing privileged credentials of remote workers, which, if compromised, could open the door to an organisation’s most critical systems and resources.

“Major socio-economic events have always led to a sharp uptake in cyber incidents. The WHO has warned of an exponential increase in attacks due to the global and unprecedented nature of the ongoing health crisis, and its transformative impact on the way we work. With the accelerated use of collaboration tools and home networks for professional purposes, best-practice security is struggling to keep pace with the need for convenience which, in turn, is leaving businesses vulnerable”, said Rich Turner, SVP EMEA, CyberArk.

“Responsibility for security needs to be split between employees and employers. As more UK organisations extend remote work for the longer term, employees must be vigilant. This means constantly updating and never re-using passwords, verifying that the operating system and application software they use are up to date, and ensuring all work and communication is conducted only on approved devices, applications and collaboration tools. Simultaneously, businesses must constantly review their security policies to ensure employees only have access to the critical data and systems they need to do their work, and no more. Decreasing exposure is critical in the context of an expanded attack surface.”

Without automation, security gets harder during a business disruption

960 640 Guest Post

FireMon’s 2020 State of Hybrid Cloud Security Survey found that 69.5 percent of respondents have a security team of just 10 people or fewer.  And  most manage both on-premise network security and cloud security.  

These teams are already bogged down with manual tasks at the best of times, so when a crisis  hits, it magnifies the risks of manual processes. Not only is it difficult to maintain essential network operations, but the number of misconfigurations that threaten compliance go up dramatically. 

Worse still, if unexpected interruptions to business continuity lead to team members being out of commission, security and compliance is further compromised because there’s not enough people to execute even the most basic steps of the business continuity plan — forget security configuration and compliance! An unexpected disaster scenario that already threatens data and compliance is further magnified, and so is the risk to the business, including the greater likelihood of lost revenues. 

IT’S ALREADY WAY TOO HARD TO KEEP UP ON A NORMAL DAY 

If you’re already short on people on a regular day, it’s going to be even harder to keep on top of everything that needs to be done when disaster strikes. Some of those manual tasks such as firewall rule updates may simply not get done, or if they do, they’re rushed and are more prone to human errors that lead to misconfigurations. Instead, the priority is to keep the business running and security teams must shift their focus to exceptional, specific user access issues that are cropping up, which are also being done in a hurry without enough attention to compliance because there’s no foundational best practices in place. 

Disruptions also mean some security team members are no longer available, so you’re even further short-staffed at a time when you need all hands on deck. Without automation and logs that provide insight into how and why things are done, you’re dependent on the knowledge of people who may no longer be available to share it.  

AUTOMATE WHAT YOU CAN SO YOU CAN MANAGE WHAT YOU CAN’T 

You can’t control everything, and it’s not a matter of if disaster strikes, it’s when.  Regardless of the cause, a “black swan” event tends to throw a lot of curve balls at security teams. However, if you’ve already automated most cloud configurations and global security policy, your team is in a much better position to deal with the expected.  

There are many things security teams can automate, including: 

  • Identity and access management, including cloud configuration 
  • Updates and patches 
  • Detection and monitoring 
  • Firewall rule updates 

Knowledge transfer through documentation also means you’re not dependent on specific team members to maintain compliance. 

You can’t automate everything at once, but if you start with low-hanging fruit, you’ll see immediate benefits. By establishing a global security policy and making it a baseline for any access configurations, including cloud services, you can be responsive to the lines of business change requests. Organizational knowledge is also quickly accessible, even when disaster strikes and if team members become unavailable. 

There are times when business isn’t as usual – it happens. However, it’s important to learn and adapt while things unfold during those times. In this case, many organizations will decide to lean into cloud migrations and automation to blunt the impacts of future black swan events. 

UK’s manufacturing sector facing COVID-19 cyber threats

960 640 Stuart O'Brien

Manufacturing is now the most attacked sector representing almost a third of all cyber attacks in the UK & Ireland, while Technology was the most attacked sector globally.

That’s according to the 2020 Global Threat Intelligence Report (GTIR) from NTT, which says that despite efforts to layer up defences, many organisations are unable to stay ahead of attackers, while others are struggling to do the basics like patching old vulnerabilities. 

NTT asserts that manufacturing increasingly faces financially motivated data breaches, global supply chain risks and risks from unpatched vulnerabilities. The UK was the only country (apart from Hong Kong) this year where Manufacturing topped the list of most attacked sectors, representing 29% of all attacks, with Technology (19%) second and Business and Professional Services (17%) third. Government and Finance made up the other two sectors in the top five. 

Reconnaissance attacks accounted for half of all hostile activity in the UK and Ireland, with web application the next most common form of attack (22%). Reconnaissance activity (60%) was also the most common attack type against manufacturers followed by web application attacks (36%).

Rory Duncan, Security Go-to-Market Leader, NTT, said: “UK manufacturing has become a major target for attackers in recent years as a result of the increased risks brought about from the convergence of IT and Operational Technology (OT). The biggest worry is that security has lagged behind in this sector, potentially exposing systems and processes to attack. Poor OT security is a legacy issue; many systems were designed with efficiency, throughput and regulatory compliance in mind rather than security. In the past, OT also relied on a form of ‘security through obscurity’. The protocols, formats and interfaces in these systems were often complex and proprietary and different from those in IT systems, so it was difficult for attackers to mount a successful attack. As more and more systems come online, hackers are innovating and see these systems as ripe for attack.

“Now more than ever, it’s critical for all organisations, regardless of sector or region, to pay attention to the security that enables their business; making sure they are cyber-resilient and secure-by-design, which means embedding privacy and security into the fabric of their enterprise architecture and organisational culture. The current global pandemic and the flow of trusted and untrusted information used to mask the activities of cyber criminals has shown us that they will take advantage of any situation. Organisations must be ready to respond to these and other threats in a constantly evolving landscape.”

The 2020 Global Threat Intelligence Report calls last year the ‘year of enforcement’ with the number of Governance, Risk and Compliance (GRC) initiatives growing, creating a challenging global regulatory landscape. Several acts and laws now influence how organisations handle data and privacy, including the General Data Protection Regulation (GDPR), which has set a high standard for the rest of the world. The report provides organisations with recommendations to help navigate compliance complexity, including identifying acceptable risk levels, building cyber-resilience capabilities and implementing solutions that are secure-by-design.

The 2020 GTIR – the eigth annual report – analyses and summarises trends based on log, event, attack, incident and vulnerability data from trillions of logs and billions of attacks. To learn more about how this year’s GTIR offers organisations a robust framework to address today’s cyber threat landscape, and to learn more about the emerging trends across different industries and regions, including the Americas, APAC and EMEA, follow the link to download the NTT Ltd. 2020 GTIR

Global Highlights: 2020 Global Threat Intelligence Report:

  • Most common attack types accounted for 88% of attacks: Application-specific (33%), web application (22%), reconnaissance (14%), DoS/DDoS (14%) and network manipulation (5%) attacks.
  • Weaponisation of IoT: Botnets like Mirai, IoTroop and Echobot have advanced in automation, improving propagation capabilities. Mirai and IoTroop are also known for spreading through IoT attacks, then propagating through scanning and subsequent infection from identified hosts.
  • Old vulnerabilities remain an active target: Attackers leveraged those that are several years old, but have not been patched by organisations, such as HeartBleed, which helped make OpenSSL the second most targeted software with 19% of attacks globally. A total of 258 new vulnerabilities were identified in Apache frameworks and software over the past two years, making Apache the third most targeted in 2019, accounting for over 15% of all attacks observed.
  • Attacks on Content Management Systems (CMS) accounted for about 20% of all attacks: Targeting popular CMS platforms like WordPress, Joomla!, Drupal, and noneCMS, cyber criminals used them as a route into businesses to steal valuable data and launch additional attacks. Additionally, more than 28% targeted technologies (like ColdFusion and Apache Struts) support websites.

Financial services organisations ‘increasingly prone to authentication and DDoS attacks’

960 640 Stuart O'Brien

Financial services organisations have experienced a significant increase in the number of authentication and distributed denial of service (DDoS) attacks over the past three years.

That’s according to research from F5 Labs, which says the opposite was true of web attacks, which were notably down during the same period.

The analysis, which examined customer security incident response (SIRT) data from 2017-2019, covered banks, credit unions, brokers, insurance, and the wide range of organisations that serve them, such as payment processors and financial Software as a Service (SaaS).

On average, brute force and credential stuffing constituted 41% of all attacks on financial services organisations over the full three-year period. The percentage of attacks grew from 37% in 2017 to a high point of 42% in 2019.

Brute force attacks involve a bad actor attempting large volumes of usernames and passwords against an authentication endpoint. Other forms of brute force attacks simply use common lists of default credential pairs (for example, admin/admin), commonly used passwords, or even randomly generated password strings.

Occasionally, brute force attacks leverage credentials that have been obtained from other breaches. These are then used to target the service in an attack known as “credential stuffing.” 

Delving deeper, F5’s SIRT team found that there were clear regional variations in attack trends. In EMEA, brute force and credential stuffing attacks only amounted to 20% of the total, which is higher than the 15% observed in Asia Pacific but significantly lower than North America’s 64%. The latter is likely driven by a large volume of existing breached credentials.

“The first indications of an authentication attack are often customer complaints about account lockouts, rather than any sort of automated detection,” said Raymond Pompon, Director at F5 Labs.

“Early detection is key. If defenders can identify an increase in failed login attempts over a short period of time, it gives them a window of opportunity to act before customers are affected.”

DDoS attacks were the second biggest threat to financial services organisations, accounting for 32% of all reported incidents between 2017 and 2019. It is also the fastest growing threat. In 2017, 26% of attacks on financial services organisations focused on DDoS.  The figure soared to 42% in 2019.

Yet again there were distinct regional variations. 50% of all attacks reported in EMEA over the three-year period were DDoS-related. Asia Pacific was similarly affected with 55%, but the volume dropped to 22% in North America.

According to F5 Labs, denial-of-service attacks against financial service providers usually target either the core services used by customers (such as DNS) or the applications that allow users to access online services (i.e. viewing bills or applying for loans). Attacks are often sourced from all over the world, likely via the use of large botnets that are either rented out by attackers, or purpose-built from compromised machines.

“The ability to quickly identify the characteristics of traffic when under attack conditions is critically important. It is also vital to quickly enable in-depth logging for application services in order to identify unusual queries,” Pompon explained.

While authentication and DDoS attacks continue to spread, there was also a concurrent dip drop in web attacks against financial services organisations. In 2017 and 2018, they accounted for 11% of all incidents. In 2019, it was just 4%. 

“While it is difficult to determine causality, one likely factor driving this trend is the growing sophistication of properly implemented technical controls such as web application firewalls (WAFs),” said Pompon.

F5 Labs’ 2018 Application Protection Report found that a greater proportion of financial organisations tend to deploy WAFs (31%) than the average across all industries (26%).

Most of the web attacks recorded by the F5 SIRT centred on APIs, including those related to mobile authentication portals and Open Financial Exchange (OFX). Web scraping –copying content for the purpose of creating realistic phishing pages – was also in evidence. 

F5 Labs suggests that web attacks against financial services targets tend to be more persistent compared to other sectors – partly due to the cybercriminals’ precise targeting and the potential high value of success.

F5 Labs’ analysis concludes that, although the financial services industry tends to require less convincing about the merits of substantive security programs, there is no room for complacency.

“Despite the valuable assets at stake, it can still be a challenge to convince some organisations of the need for multifactor authentication, which probably represents the most impactful way to prevent nearly all access-style attacks like brute force, credential stuffing, and phishing,” said Pompon.

“Having said that, there is still a lot that can be done. On the preventative side this includes hardening APIs and implementing a vulnerability management program that features external scanning and regular patching. On the detective side, it is critical to continually monitor traffic for traces of brute force and credential stuffing. As ever, it is essential to develop, and regularly practice, procedures for incident response that address all risks.”

84% of security and IT teams ‘don’t have a positive relationship’

960 640 Stuart O'Brien

Almost two thirds (59%) of European IT heads believe it is challenging to gain end-to-end visibility of their network, with almost half saying this lack of visibility is a major concern.

That’s according to a new poll by IDC/Forrester/VMware, which says more than a third (37%) feel the challenges associated with this lack of visibility has resulted in misalignment between security and IT teams – and a quarter (29%) have no plans to implement a consolidated IT and security strategy.

Only a third (38%) of networking teams are currently involved in the development of security strategies. Yet, 60% of these are involved in the execution of security, perhaps signalling that networking teams are not seen as having an equal role with the other IT or security teams when it comes to cybersecurity.

This is in stark contrast to the fact that network transformation is seen as being essential to delivering the levels of resilience and security required by modern businesses, with 43% of European organisations saying this is a key priority for them between 2019 to 2021. 

Critically, organisations need shared thinking and responsibilities to establish a cohesive security model if they are to deliver their company’s strategic goals, seen by Forrester as increased security (55%), technological advancement (56%) and the ability to respond faster (56%). 

Alongside the inconsistency in how the role of the network in security is perceived, there is a lack of cohesion within the IT and security teams as to who is responsible for network security.

“Businesses who are looking to adapt to fast-changing market conditions rely on the ability to efficiently connect, run and secure modern applications consistently, from the data center, across any cloud and all the way to the device. And it is the virtual cloud network that is delivering this. The network needs to be recognised as the DNA of any modern security, cloud and app strategy, and it should be seen as a strategic weapon and not merely the plumbing,” said Jeremy Van Doorn, Sr Director of Systems Engineering, Software Defined Data Center EMEA, VMware

The research also sheds light on the difference in priorities for both the IT and security teams. Globally, the top priority for IT is efficiency (51%), whilst security teams are focused on incident resolution (49%). And while new security threats require visibility across the entire IT infrastructure, less than three quarters of securityteams are involved in executing the organisation’s security strategy. 

Forty five percent of respondents recognise that a consolidated strategy could help reduce data breaches and more quickly identify threats. Yet this relationship isn’t proving an easy one to maintain as 84% of security and IT teams admit they don’t have a positive relationship with one another (at VP level and below). More than half of organisations want to move to a model of shared responsibility in the next 3-5 years, where IT securityarchitecture (58%), cloud security (43%) and threat hunting response (51%) is shared between IT and securityteams; but that calls for much closer collaboration than exists today. 

Denis Onuoha, Chief Information Security Officer at Arqiva, said: “It is critical that IT and security teams work in harmony to ensure every touch point of the IT infrastructure remains secure. The network forms a critical part of the business in delivering the best and most efficient services to customers. We recognise the importance of the network and therefore ensure security is embedded into the fabric of its infrastructure from the beginning and not bolted on as an afterthought. As we navigate a growing number of cloud and Edge environments and the network remains the connector between them all, it has become business critical for us to keep network security a top priority.” 

McAfee flags autonomous vehicle hacking risks

960 640 Stuart O'Brien

IT security giant McAfee’s has successfully tricked an autonomous vehicle to accelerate up to 85 MPH in a 35 MPH zone using just two inches of electrical tape.

The McAfee Advanced Threat Research (ATR) team and McAfee Advanced Analytic Team (AAT) partnered to explore how artificial intelligence can be manipulated through research known by the analytics community as adversarial machine learning or, as McAfee calls it, ‘model hacking‘.

McAfee ATR successfully created a black-box targeted attack on the MobilEye EyeQ3 camera system, utilised today in many vehicles including certain Tesla models. Through this attack, McAfee researchers were able to cause a Tesla model S implementing Hardware pack 1 to autonomously speed up to 85 mph, after manipulating the AI technology to misclassify a speed limit sign that read 35 mph.

McAfee says the implications of this research are significant, because:

  • By 2023, worldwide net additions of vehicles equipped with autonomous driving capabilities will reach 745,705 units, up from 137,129 units in 2018, according to Gartner
  • However, there is more discussion and awareness needed about the potential pitfalls and safety concerns associated with such rapid acceleration in this technology.
  • Given this projected growth, it’s a rare and critical opportunity for the cybersecurity industry and automobile manufacturers to be ahead of adversaries in understanding how AI/machine learning models can be exploited in order to develop safer next-gen technologies.

Mo Cashman, Principle Engineer at McAfee, said: “The automotive and cybersecurity industries will need to work together closely to design, develop, and deploy the right security solutions to mitigate threats both before they occur and after they happen. Unlike automotive safety, cybersecurity is not probabilistic. Threats come from a variety of sources, including intentionally malicious and unintentionally malignant. As a result, processes must be put in place to mitigate these cyber threats over the entire lifecycle of the product, from early design decisions through manufacturing to operation and decommissioning.

“With new systems come new attack surfaces and vectors – all of which should lead to new risk management considerations. Manufacturers must recognise this and take the appropriate measures for cyber resilience. Key actions range from conducting rigorous checks to using security tools to distinguish real threats from ‘noise’. Manufacturers must also ensure connections are secured from the cloud through to the vehicle endpoint, minimising vulnerabilities which hackers could use for their own gain.

“No matter the state of the threat landscape today, best practices for automotive security are an evolution and amalgamation of both product safety and computer security. By collaborating with the cybersecurity industry, the automotive and manufacturing sectors can research, develop, and enhance products, services, and best practices for a more secure driving experience.”

McAfee’s Top Tips for manufacturers:

  • Conduct rigorous checks. There are times when a product functions in a way developers/engineers didn’t expect it to perform, as evidenced by McAfee’s research. Perform rigorous checks and validations, considering new scenarios and edge cases that could be introduced in real-world use that perhaps the technology wasn’t specifically designed to handle. Additionally, McAfee encourages auto manufacturers to assess model hacking in systems.
  • Human-Machine teaming. Adversaries are human, continuously introducing new techniques. Machine learning can be used to automate the discovery of new attack methods; creative problem solving and the unique intellect of the security team strengthen the response.
  • Apply multiple analytic techniques and closely monitor changes. Protection methods include multiple techniques, for example noise addition, distillation, feature squeezing, etc. In addition, implement statistically-based thresholds and closely monitor false positives and false negatives, paying attention to the reason for the change. 
  • Take a ‘one enterprise’ and systems approach to security and risk management. Many organisations still operate in silo and this needs to change. Threats enter from multiple routes. As a result, increased collaboration and achieving one unified view across the manufacturer’s digital workplace, cloud services, industrial controls and supply chain are necessary considerations if a manufacturer is to maintain a strong cybersecurity posture as it develops autonomous vehicles.
  • Build a strong culture of security. For manufacturers, safety is often a strategic pillar of the business. Signs are posted highlighting accident-free days and senior leaders are champions of the programme. Bring that same focus to cybersecurity.