Security IT Summit | Forum Events Ltd

Posts Tagged: industry data

Research into AI cyber security threat lacking

Stuart O'Brien

A study of cyber security academic research projects worth €1bn to assess academic trends and threats has found Cyber Physical Systems, Privacy, IoT and Cryptography the strongest cyber security areas to watch – but that Artificial Intelligence is an “apparent omission”.

Crossword Cybersecurity looked at nearly 1,200 current and past research projects from academic institutions in the United Kingdom, United States, Europe, Australia, and Africa, with reported funding of EU projects at over €1 billion.

The database identified several global trends by comparing the periods January 2008 to June 2013 with July 2013 to December 2018, including:

· Cyber Physical Systems (CPS) – Over 100 projects were found in this area alone, a significant figure. The United States appears to be the most active in CPS research, with a focus on securing critical infrastructure.
· Privacy – Projects related to privacy have increased by 183% in recent years.
· Internet of Things (IoT) – Projects with an IoT element have increased by 123% lately, with around 14% of current projects having this characteristic.
· Cryptography – With the promise of quantum computing on the horizon, there has been an influx of new projects that apply the technology to the future of cryptography, with a 227% increase in this area of research (albeit this was from a low base).

Significant differences can also be seen between regions. For example, the EU appears distinctly focused on minimising Small & Medium Enterprises’ (SME) exposure to cyber security risk. Conversely, when compared with other regions, the US has a greater focus on the human component of cyber security. Other US top project funding areas include Cyber Physical Systems (as applied to smart cities and power grids), securing the cloud, cybercrime, and the privacy of Big Data sets (as applied to the scientific research community).

In the UK, the leading research verticals are critical infrastructure and securing the health sector (with 11 current projects each). Current funding across UK projects exceeds £70m, with quantum and IoT-related projects both more than doubling over five years. There are currently nine new UK projects with a focus on Cyber Physical Systems.

The four UK projects with the greatest funding are in the fields of Safe and Trustworthy Robotics, Big Data Security, Cybercrime in the Cloud and Quantum Technology for Secure Communications.

The most notable UK decline was in big data projects, which have dropped by 85%.

Globally, there are currently 52 projects with a cryptographic focus, and at least 39 current live EU projects featuring a cryptographic element. In the UK, this area has been consistently strong over the last ten years, with 18 projects starting between 2008 and mid 2013, and 19 projects from mid 2013 to now.

Tom Ilube, CEO at Crossword Cybersecurity plc said: “The need to protect critical infrastructure has never been stronger as technology becomes more deeply embedded in every aspect of our daily lives. However, one apparent omission is research solely focused on the application of AI techniques to complex cyber security problems. We hope to see more of that in the future, as the industry works to stay ahead of the constantly evolving cyber security landscape.”

The Crossword Cybersecurity database will be periodically updated, to deliver ongoing insight into the most prevalent cyber security research trends and investment areas. If you are interested in further details, contact the Scientific Advisory Team at Crossword Cybersecurity on innovation@crosswordcybersecurity.com.

Cybersecurity responsible for 36% of management stress

Stuart O'Brien

Over half of SME owners count internet issues as one of their biggest bugbears heading into 2019, with phishing emails from overseas ‘billionaires’ topping the list of the strangest mailbox scams from the past 12 months.

In a survey conducted by Q2Q, 52% of company bosses complained that problems with their internet were responsible for some of their firm’s biggest technology-related headaches. A further 41% of respondents said that, six months on, GDPR compliance was still causing confusion within the workplace.

The research also found that phishing emails – including those masquerading as financial information requests from the CEO, and communications purporting to be from a foreign billionaire looking to pass on significant sums of money – made up 38% of the most common scam communications.

Unsurprisingly then, cyber-security was responsible for 36% of management stress, with 22% of respondents citing emerging online risks as one of their biggest IT challenges heading into the New Year.

The research also found that around 64% of SMEs choose to outsource their IT support, while – shockingly – 10% of company owners didn’t have any sort of technical provision.

Andrew Stellakis, managing director at Q2Q, said: “Hearing that internet issues are still responsible for over half of SMEs’ IT-related headaches is simply inexcusable in this day and age. There are plenty of things which can cause a slow connection, but understanding the root cause is key to getting the most out of our systems, employees and the working day.

“It’s also rather worrying that – six months on – 40% of SMEs are still unsure about the rules and regulations surrounding GDPR. Over the past 18 months, I’ve spent a lot of time working closely with SMEs to ensure they are fully compliant – and it isn’t as daunting as it may seem.

“The appointment of a dedicated IT provider or GDPR officer – either in-house or externally – is often left until something goes wrong. But, as the news has been filled with reports of cyber-attacks and GDPR fines over the past few months, it should be all SME owners’ New Year’s resolution to ensure their company – and reputation – remains intact in 2019.”

INFOGRAPHIC: Only 29% of travel sites opt to fully protect consumers with EV SSL

Stuart O'Brien

UK phishing scams jumped 648% YoY on Cyber Monday, with lack of EV SSL certificates on travel websites cited as a primary cause.

Sectigo investigated security levels on the websites of 35 airlines, 27 hotel groups, 23 travel comparison websites, 11 car hire firms and eight train operating companies, to find out whether they are doing all they can to protect customers as we approach peak travel season.

Among its key findings were:

  • Only 29% of these enterprises had an EV SSL certificate on their website.
  • As many as 65% of these organisations have only a free SSL certificate, displaying neither a company-branded address on their homepage nor any “Not secure” warning.
  • Up to 6% had no EV certificate whatsoever.

Full findings are illustrated in the infographic below:

Vigilance urged for EMEA businesses as phishing season begins

Stuart O'Brien

Businesses in EMEA are being urged to remain vigilant as phishing attacks ramp up during the winter months.

F5 Labs, in collaboration with Webroot, has launched its second annual Phishing and Fraud report, highlighting an anticipated threat surge from October until January.

According to the report, fraud incidents in October, November, and December tend to jump over 50% compared to the annual average.

Indicative of the scale of the problem, 75.6% of all websites taken offline by the F5 SOC platform between January 2014 and the end of 2017 were related to phishing attacks. This is followed by malicious scripts (11.3%) and URL redirects (5.2%), which are also used in conjunction with phishing operations. Mobile phishing (2%) was also identified as a growing issue.

“We’re in the middle of a cyber-crimewave where phishers and fraudsters take advantage of people at their most distracted,” said David Warburton, Senior EMEA Threat Research Evangelist, F5 Networks.

“It is prime season for individuals giving up credentials or inadvertently installing malware. Businesses are wrapping up end-of-year activities, key staff are on vacation, and record numbers of online holiday shoppers are searching for the best deals, looking for last-minute credit or feeling generous when charities come calling.”

Although phishing targets vary based on the nature of the scam, a remarkable 71% of attackers’ efforts from 1 September to 31 October 2018 focused on impersonating just ten organisations.

Technology companies were most mimicked (70% of incidents), with 58% of phishers’ time spent posing as big hitters like Microsoft, Google, Facebook, Apple, Adobe, Dropbox, and DocuSign during the monitored period.

The finance sector was also under fire: 13 of the top 20 fastest growing targets were financial organisations. Banks accounted for 55% of these, five of which were major European entities.

Notably, some of the most successful malware programs started out as banking malware. For example, Trickbot, Zeus, Dyre, Neverquest, Gozi, GozNym, Dridex, and Gootkit are all banking trojans known to have spread initially through phishing campaigns.

The Phishing and Fraud report stresses that the best first line of defence is a consistent education programme and creating a culture of curiosity. Tests by Webroot show that security awareness training can have a particularly ameliorative effect.

Companies that ran 11 or more training campaigns reduced employee phishing click-through rates to 13%. Six to ten sessions saw a 28% click-through rate, rising to 33% with one to five employee engagements.

In addition to awareness-raising, F5 Labs stresses the importance of organisations implementing access control protections, including multi-factor authentication and credential stuffing controls, to prevent phished credentials becoming a breach. Other report recommendations include the following defensive tactics:

  • Email labeling. Clearly label all mail from external sources to prevent spoofing. A simple, specially formatted message can alert users to be on guard.
  • Anti-virus (AV) software. AV software is a critical tool to implement on every system a user has access to. In most cases, up-to-date AV software will stop the malware installation attempt. Set your AV policy to update daily at a minimum.
  • Web Filtering. A web filtering solution helps block access to phishing sites. Not only will this prevent a breach (providing the phishing site is known by your web filter provider), but it presents a valuable teaching opportunity by displaying an error message to the user.
  • Traffic decryption and inspection. F5 Labs analysed malware domains from Webroot that were active in September and October 2018. 68% of them were phoning home over port 443, which is the standard TCP port used for websites encrypting communications over SSL/TLS. If organisations do not decrypt traffic before inspection, the malware installed through phishing attacks will go undetected inside the network.
  • Single Sign-On (SSO). The fewer credentials users manage, the less likely they are to share them across multiple applications, create weak passwords, and store them insecurely.
  • Report phishing. Provide a means for employees to easily report suspected phishing. Some mail clients now have a built-in phish alert button to notify IT of suspicious activity. If your email client doesn’t have this feature, instruct all users to call the helpdesk or security team.
  • Change email addresses. Consider changing the email addresses of commonly targeted employees if they are receiving an unusually high number of phishing attacks on a continual basis.
  • Use CAPTCHAs. Use challenge-response technologies like CAPTCHA to distinguish humans from bots. However, users can find them annoying, so use them only where it’s highly likely the traffic is coming from a bot.
  • Access control reviews. Review access rights of employees regularly, especially those with access to critical systems. These employees should also be prioritised for phishing training.
  • Look out for newly-registered domain names. Phishing sites are often newly registered domains. When F5 reviewed the list of active malware and phishing domains collected by Webroot in September, only 62% were still active a week later.
  • Implement web fraud detection. Implement a web fraud solution that detects clients infected with malware. This stops cybercriminals logging into your systems and allowing fraudulent transactions to occur.
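The email-labelling recommendation above can be implemented as an inbound mail filter. The following is an added example, not code from the F5 Labs report or Webroot: it tags mail from outside an assumed internal domain (example.co.uk, constructed) in the subject, a header and the body, and additionally flags display-name spoofing, where an external address carries a display name that mimics an internal mailbox.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed internal domain and sample messages are constructed for this example.
INTERNAL_DOMAINS = {"example.co.uk"}
EXTERNAL_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: this message came from outside the organisation. "
          "Verify any payment or credential request by phone before acting on it.")

SAMPLE_INTERNAL = ("From: Alice <alice@example.co.uk>\nTo: bob@example.co.uk\n"
                   "Subject: lunch\n\nSee you at noon.\n")
SAMPLE_SPOOF = ('From: "CEO example.co.uk" <ceo@example-co-uk.com>\nTo: bob@example.co.uk\n'
                "Subject: Urgent payment\n\nPlease settle the attached invoice today.\n")


def sender_parts(msg):
    """Return (display name, address domain) from the From header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    return name, addr.rpartition("@")[2].lower()


def is_display_name_spoof(msg):
    """External address whose display name borrows an internal domain name."""
    name, domain = sender_parts(msg)
    if domain in INTERNAL_DOMAINS:
        return False
    return any(d in name.lower() for d in INTERNAL_DOMAINS)


def label_external(raw):
    """Tag external mail in subject, header and body; return (msg, tagged, spoof)."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, domain = sender_parts(msg)
    if domain in INTERNAL_DOMAINS:
        return msg, False, False                      # internal mail is left untouched
    spoof = is_display_name_spoof(msg)
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(EXTERNAL_TAG):           # do not double-tag forwarded mail
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    msg["X-External-Sender"] = "yes"                   # machine-readable flag for mail rules
    if spoof:
        msg["X-Display-Name-Spoof"] = "yes"
    # Body banner for single-part text; multipart mail would need per-part handling.
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        msg.set_content(BANNER + "\n\n" + msg.get_content())
    return msg, True, spoof


if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_SPOOF):
        msg, tagged, spoof = label_external(raw)
        print(msg["Subject"], "| tagged:", tagged, "| spoof:", spoof)
```

In production the same logic would sit in the mail gateway's transport rules; the X- headers let a client-side rule or SIEM query pick the flagged messages out.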

“Phishing is a big problem and we expect attacks to continue because they are so effective, especially during the winter period,” added Warburton.

“As organisations get better at web application security, it will be easier for fraudsters to phish people than to find web exploits. Ultimately, there is no one-stop-shop security control for phishing and fraud. A comprehensive control framework that includes people, process, and technology is a critical requirement to reduce the risk of an attack becoming a major incident.”

Security breaches – A high price tag for UK business this Christmas

Stuart O'Brien

Forty-four per cent of UK consumers will stop spending with a business or brand for several months in the immediate aftermath of a security breach or a hack.

That’s according to new data from payment security specialist PCI Pal that, even more significantly, shows a further 41% of consumers will never return to a brand or a business post-breach, representing a potentially significant loss of revenue.

The findings suggest that a combination of high-profile recent breaches, headlines devoted to new data privacy regulations such as the GDPR, and personal experience have put security concerns at the forefront for UK consumers.

Over a third (38%) confirmed they have personally suffered the negative consequences of a data security breach.

Meanwhile, consumers reported that even being perceived as having insecure data practices can be enough to incur spending penalties: 31% reported that they spend less with brands they perceive to have insecure data practices, while over a quarter (26%) say they stop spending completely if they don’t trust a company with their data.

The findings suggest that it’s not just online threats that worry consumers – with 76% uncomfortable with providing payment information, such as credit card details, over the phone. Specifically, almost a third (32%) said they would hang up and find an alternative payment option, while nearly a quarter (24%) would ask for an online payment option and a further fifth (20%) would enquire as to how the data is being captured and whether it is safe.

Interestingly, when looking at the research findings by age group, 41% of those aged 18-24 said they would give their payment information over the phone with no questions asked, compared to just 14% of those aged 55-65.

Finally, from an industry perspective, consumers were asked which verticals they consider to be the least secure or the most likely to suffer a security breach: 41% of consumers said the financial sector, followed by 40% suggesting retail and 35% suggesting the travel industry.

“While security breaches are not new, consumers’ attitudes towards them appear to be changing significantly, with the vast majority of those surveyed now reporting that trust in security practices, or lack thereof, influences not just where but also how, and how much they are prepared to spend,” said James Barham, CEO at PCI Pal.

“What’s really interesting is how consumers are increasingly questioning data security practices. Nearly half of those surveyed know they should check a company’s security processes and 22% said they question businesses directly or research how an organisation safeguards consumer data. This suggests a real change in how consumers prioritise privacy and security. This should act as a real wake-up call to consumer-facing brands: they need to adopt stronger security practices, especially for those operating contact centres where payments are handled over the phone if they want to keep customers loyal and spending with them.”

Semafone warns of stricter checks and invasive auditing for contact centres

Stuart O'Brien

Semafone has called on contact centres to pay heed to changes to the Payment Card Industry Security Standards Council (PCI SSC) guidance for protecting telephone-based payment card data.

Updated for the first time since 2011, the guidance clarifies a number of points relating to compliance with the Payment Card Industry Data Security Standard (PCI DSS).

“Since the guidance was last updated in 2011, new technologies and payment channels are increasing the scope of the cardholder data environment and creating some uncertainty & compliance challenges for contact centres,” said Ben Rafferty, Semafone’s global solutions director and a contributing member of the Special Interest Group (SIG) formed by the PCI SSC to update the guidance. “Drawing on our experience of descoping enterprise contact centres around the globe, we aim to provide advice for anyone securing these critical payment channels.”

The key points of the new guidance, highlighted by Semafone, are as follows:

· Keep softphones separate. The emergence of VoIP and softphones, which are often connected to the desktop environment processing payments, can result in the entire system becoming “in scope” of PCI DSS and subject to its stringent controls. As a result, it is strongly recommended that contact centres fully segment their data and telephony networks.

· Any cardholder data captured in call recordings brings more checks than ever. Qualified Security Assessors (QSAs) now have clear guidelines regarding call recordings and the capture of sensitive card details. Both manual and automated “pause and resume” systems, whereby recording is briefly stopped, are deemed to run the risk of accidentally capturing these details. If a contact centre is using either of these solutions, QSAs can demand extensive evidence of measures to protect sensitive data. Multi-factor authentication controls need to be added to call recording solutions, as well as to storage and search tools, and QSAs are empowered to conduct invasive auditing to ensure that additional controls have been put in place effectively.

· Third-party service providers are in scope if they provide more than a dial tone. The new guidance specifies that any call service, from a “transfer” to a “call recording”, that is provided by a third party, will bring that provider into scope of the PCI DSS. The only service that is exempt is a simple voice communications connection, or “dial tone”.

· Devices that control Session Initiation Protocol (SIP) redirection are in PCI DSS scope. The new guidance recognises that redirecting a call to a secured line, just for the payment process itself, exposes it to a potential risk of interception or diversion by hackers. As a result, all such devices, on or off site, controlling redirection are vulnerable and therefore fall into the scope of PCI DSS and are subject to the full range of controls.

· Removing the card data from the contact centre is the only secure solution. Lastly, the updated guidance recommends scope reduction techniques and technologies, including managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions. These remove cardholder data and other personal information from the contact centre environment. Callers enter their card numbers via their telephone keypad, remaining in full communication with the agent throughout. The DTMF key tones are masked with flat bleeps, so they cannot be identified by their sound. This prevents any sensitive card information from coming into contact with the agent, with call recording technology and with any other desktop applications. The card data is sent directly to the payment processor, bypassing the contact centre completely.
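To make the scope-reduction point concrete, the following added simulation (not Semafone's product or any vendor's code; all class and function names are hypothetical) models a masking gateway between the caller and the contact centre: keypad digits are buffered only on the gateway, the agent desktop and the recorder receive a progress mark and a flat bleep respectively, and the completed number goes to a stand-in processor that Luhn-checks it and returns a token. A regex sweep over both contact-centre channels then confirms that no full card number reached them.

```python
import re
from dataclasses import dataclass, field

MASKED_TONE = "<bleep>"   # flat tone written to the recording in place of the real key tone
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(pan):
    """Standard Luhn checksum, used by the processor to reject mistyped numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


@dataclass
class PaymentProcessor:
    """Stands in for the external processor: the only party that ever assembles the full PAN."""
    vault: dict = field(default_factory=dict)

    def tokenise(self, pan):
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            return None
        token = f"tok_{len(self.vault) + 1:06d}"
        self.vault[token] = pan
        return token


@dataclass
class MaskedCall:
    """Hypothetical masking gateway sitting between the caller and the contact centre."""
    processor: PaymentProcessor
    capturing: bool = False
    pan_buffer: str = ""                               # held on the gateway only
    agent_view: list = field(default_factory=list)     # what the agent desktop shows
    recording: list = field(default_factory=list)      # what the call recorder stores

    def start_capture(self):
        self.capturing, self.pan_buffer = True, ""

    def event(self, kind, value):
        """kind is 'speech' (either party talking) or 'dtmf' (one keypad press)."""
        if kind == "speech" or not self.capturing:
            self.agent_view.append(value)       # outside the capture window nothing is masked
            self.recording.append(value)
            return None
        if value == "#":                        # hash ends entry: hand the PAN to the processor
            token = self.processor.tokenise(self.pan_buffer)
            last4 = self.pan_buffer[-4:]
            self.pan_buffer, self.capturing = "", False
            self.agent_view.append(f"card accepted, token {token}, ending {last4}" if token
                                   else "card rejected")
            return token
        self.pan_buffer += value                # digit goes to the gateway buffer only
        self.agent_view.append("*")             # agent sees progress, never the digit
        self.recording.append(MASKED_TONE)
        return None


def pan_leaked(channel):
    """True if a full card number is visible in the agent view or the recording."""
    return PAN_RE.search(" ".join(channel)) is not None


def demo_call(pan, processor=None):
    """Run one payment: agent prompt, keypad entry terminated by '#', closing remark."""
    call = MaskedCall(processor or PaymentProcessor())
    call.event("speech", "Agent: please key in your card number, then press hash.")
    call.start_capture()
    for key in pan:                             # constructed caller keypad presses
        call.event("dtmf", key)
    token = call.event("dtmf", "#")
    call.event("speech", "Agent: thank you, that has gone through.")
    return call, token
```

The 4111111111111111 value used in the checks is a well-known Luhn-valid test number, not a real card.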

“When working with clients looking to attain PCI DSS compliance, the telephone payment channel is the most challenging to address for several reasons,” said Wayne Murphy, a QSA with Sec-1 and contributing member of the SIG. “Contact centre agents often need access to single business systems, which are accessible by all departments within an organisation, bringing most of the business into scope for PCI DSS assessment activities. Plus, integration with VoIP systems makes it nearly impossible to simplify the current payment channel to reduce scope.”