Security IT Summit | Forum Events Ltd

Posts Tagged: research

Research into AI cyber security threat lacking

Stuart O'Brien

A study of cyber security academic research projects worth €1bn to assess academic trends and threats has found Cyber Physical Systems, Privacy, IoT and Cryptography the strongest cyber security areas to watch – but that Artificial Intelligence is an “apparent omission”.

Crossword Cybersecurity looked at nearly 1,200 current and past research projects from academic institutions in the United Kingdom, United States, Europe, Australia, and Africa, with reported funding of EU projects at over €1 billion.

The database identified several global trends by comparing the periods January 2008 to June 2013 with July 2013 to December 2018, including:

· Cyber Physical Systems (CPS) – Over 100 projects were found in this area alone, a significant figure. The United States appears to be the most active in CPS research, with a focus on securing critical infrastructure.
· Privacy – Projects related to privacy have increased by 183% in recent years.
· Internet of Things (IoT) – Projects with an IoT element have increased by 123% lately, with around 14% of current projects having this characteristic.
· Cryptography – With the promise of quantum computing on the horizon, there has been an influx of new projects that apply the technology to the future of cryptography, with a 227% increase in this area of research (albeit from a low base).

Significant differences can also be seen between regions. For example, the EU appears distinctly focused on minimising Small & Medium Enterprises’ (SME) exposure to cyber security risk. Conversely, when compared with other regions, the US has a greater focus on the human component of cyber security. Other US top project funding areas include Cyber Physical Systems (as applied to smart cities and power grids), securing the cloud, cybercrime, and the privacy of Big Data sets (as applied to the scientific research community).

In the UK, the leading research verticals are critical infrastructure and securing the health sector (with 11 current projects each). Current funding across UK projects exceeds £70m, with quantum and IoT-related projects both more than doubling over five years. There are currently nine new UK projects with a focus on Cyber Physical Systems.

The four UK projects with the greatest funding are in the fields of Safe and Trustworthy Robotics, Big Data Security, Cybercrime in the Cloud and Quantum Technology for Secure Communications.

The most notable UK decline was in big data projects, which have dropped by 85%.

Globally, there are currently 52 projects with a cryptographic focus, and at least 39 live EU projects featuring a cryptographic element. In the UK, this area has been consistently strong over the last ten years, with 18 projects starting between 2008 and mid 2013, and 19 projects from mid 2013 to now.

Tom Ilube, CEO at Crossword Cybersecurity plc said: “The need to protect critical infrastructure has never been stronger as technology becomes more deeply embedded in every aspect of our daily lives. However, one apparent omission is research solely focused on the application of AI techniques to complex cyber security problems. We hope to see more of that in the future, as the industry works to stay ahead of the constantly evolving cyber security landscape.”

The Crossword Cybersecurity database will be periodically updated, to deliver ongoing insight into the most prevalent cyber security research trends and investment areas. If you are interested in further details, contact the Scientific Advisory Team at Crossword Cybersecurity on innovation@crosswordcybersecurity.com.

Cybersecurity responsible for 36% of management stress

Stuart O'Brien

Over half of SME owners count internet issues as one of their biggest bugbears heading into 2019, with phishing emails from overseas ‘billionaires’ topping the list of the strangest mailbox scams from the past 12 months.

In a survey conducted by Q2Q, 52% of company bosses complained that problems with their internet were responsible for some of their firm’s biggest technology-related headaches, while a further 41% of respondents said that, six months on, GDPR compliance was still causing confusion in the workplace.

The research also found that phishing emails – including those masquerading as financial information requests from the CEO, and communications purporting to be from a foreign billionaire looking to pass on significant sums of money – made up 38% of the most common scam communications.

Unsurprisingly then, cyber-security was responsible for 36% of management stress, with 22% of respondents citing emerging online risks as one of their biggest IT challenges heading into the New Year.

The research also found that around 64% of SMEs choose to outsource their IT support, while – shockingly – 10% of company owners didn’t have any sort of technical provision.

Andrew Stellakis, managing director at Q2Q, said: “Hearing that internet issues are still responsible for over half of SMEs’ IT-related headaches is simply inexcusable in this day-and-age. There are plenty of things which can cause a slow connection, but understanding the root cause is key to getting the most out of our systems, employees and the working day.

“It’s also rather worrying that – six months on – 40% of SMEs are still unsure about the rules and regulations surrounding GDPR. Over the past 18 months, I’ve spent a lot of time working closely with SMEs to ensure they are fully compliant – and it isn’t as daunting as it may seem.

“The appointment of a dedicated IT provider or GDPR officer – either in-house or externally – is often left until something goes wrong. But, as the news has been filled with reports of cyber-attacks and GDPR fines over the past few months, it should be all SME owners’ New Year’s resolution to ensure their company – and reputation – remains intact in 2019.”

INFOGRAPHIC: Only 29% travel sites opt to fully protect consumers with EV SSL

Stuart O'Brien

UK phishing scams jumped 648% year on year on Cyber Monday, and Sectigo cites the lack of EV SSL certificates on travel websites as a primary cause.

Sectigo investigated security levels on the websites of 35 airlines, 27 hotel groups, 23 travel comparison websites, 11 car hire firms and eight train operating companies, to find out whether they are doing all they can to protect customers as we approach peak travel season.

Among its key findings were:

  • Only 29% of these enterprises had an EV SSL certificate on their website.
  • As many as 65% of these organisations have only a free SSL certificate, so their homepage shows neither a company-branded address bar nor a “Not secure” warning.
  • Up to 6% had no SSL certificate whatsoever, so the three groups together account for the whole sample.

Full findings are illustrated in the infographic below:

UK businesses looking for more cybercrime support from government

Stuart O'Brien

Research has revealed that UK businesses are looking to the Government for greater support to safeguard them from the ongoing threat of cybercrime.

According to RedSeal, over two-thirds (68%) of IT bosses polled for the survey said that their business had suffered at least one attack in the past 12 months, while almost a third (31%) said that the Government didn’t offer enough support or guidance on best cybersecurity practices.

Other statistics included 19% of businesses polled admitting to not having a plan in place to deal with a cyberattack, along with 65% of IT teams suggesting that senior management needed to take more notice of cybersecurity in 2019.

“We commissioned this research to explore how prepared businesses are to continue operating during an attack,” said Ray Rothrock, CEO of RedSeal.  “The number of high profile breaches has meant that 2018 has become the year where businesses are left wondering what more they can do to protect themselves, how to remain resilient, to keep operating and minimise customer damage.

“Our research highlights the fact that senior IT bosses want the UK government to direct more attention, money and resource to supporting their businesses in the face of cyberattacks.”

The research follows recent revelations from the National Cyber Security Centre which found that only 30% of UK businesses have a board member with responsibility for cybersecurity and only 10% require their suppliers to adhere to any cyber standards.

Vigilance urged for EMEA businesses as phishing season begins

Stuart O'Brien

Businesses in EMEA are being urged to remain vigilant as phishing attacks ramp up during the winter months.

F5 Labs, in collaboration with Webroot, has launched its second annual Phishing and Fraud report, highlighting an anticipated threat surge from October until January.

According to the report, fraud incidents in October, November, and December tend to jump over 50% compared to the annual average.

Indicative of the scale of the problem, 75.6% of all websites taken offline by the F5 SOC platform between January 2014 and the end of 2017 were related to phishing attacks. This is followed by malicious scripts (11.3%) and URL redirects (5.2%), which are also used in conjunction with phishing operations. Mobile phishing (2%) was also identified as a growing issue.

“We’re in the middle of a cyber-crimewave where phishers and fraudsters take advantage of people at their most distracted,” said David Warburton, Senior EMEA Threat Research Evangelist, F5 Networks.

“It is prime season for individuals giving up credentials or inadvertently installing malware. Businesses are wrapping up end-of-year activities, key staff are on vacation, and record numbers of online holiday shoppers are searching for the best deals, looking for last-minute credit or feeling generous when charities come calling.”

Although phishing targets vary based on the nature of the scam, a remarkable 71% of attackers’ efforts from 1 September to 31 October 2018 focused on impersonating just ten organisations.

Technology companies were most mimicked (70% of incidents), with 58% of phishers’ time spent posing as big hitters like Microsoft, Google, Facebook, Apple, Adobe, Dropbox, and DocuSign during the monitored period.

The finance sector was also under fire. 13 of the top 20 fastest growing targets were financial organisations. Banks accounted for 55% of these, five of which were major European entities.

Notably, some of the most successful malware programs started out as banking malware. For example, Trickbot, Zeus, Dyre, Neverquest, Gozi, GozNym, Dridex, and Gootkit are all banking trojans known to have spread initially through phishing campaigns.

The Phishing and Fraud report stresses that the best first line of defence is a consistent education programme and creating a culture of curiosity. Tests by Webroot show that security awareness training can have a particularly ameliorative effect.

Companies that ran 11 or more training campaigns reduced employee phishing click-through rates to 13%. Six to ten sessions saw a 28% click-through rate, rising to 33% with one to five employee engagements.

In addition to awareness-raising, F5 Labs stresses the importance of organisations implementing access control protections, including multi-factor authentication and credential stuffing controls, to prevent phished credentials becoming a breach. Other report recommendations include the following defensive tactics:

  • Email labeling. Clearly label all mail from external sources, so that a spoofed message claiming to come from a colleague stands out. A simple, specially formatted message can alert users to be on guard.
  • Anti-virus (AV) software. AV software is a critical tool to implement on every system a user has access to. In most cases, up-to-date AV software will stop the malware installation attempt. Set your AV policy to update daily at a minimum.
  • Web Filtering. A web filtering solution helps block access to phishing sites. Not only will this prevent a breach (providing the phishing site is known by your web filter provider), but it presents a valuable teaching opportunity by displaying an error message to the user.
  • Traffic decryption and inspection. F5 Labs analysed malware domains from Webroot that were active in September and October 2018. 68% of them were phoning home over port 443, which is the standard TCP port used for websites encrypting communications over SSL/TLS. If organisations do not decrypt traffic before inspection, the malware installed through phishing attacks will go undetected inside the network.
  • Single-Sign On (SSO). The fewer credentials users manage, the less likely they are to share them across multiple applications, create weak passwords, and store them insecurely. 
  • Report phishing. Provide a means for employees to easily report suspected phishing. Some mail clients now have a built-in phish alert button to notify IT of suspicious activity. If your email client doesn’t have this feature, instruct all users to call the helpdesk or security team.
  • Change email addresses. Consider changing the email addresses of commonly targeted employees if they are receiving an unusually high number of phishing attacks on a continual basis.
  • Use CAPTCHAs. Use challenge-response technologies like CAPTCHA to distinguish humans from bots. However, users can find them annoying so use in cases where it’s highly likely a script is coming from a bot.
  • Access control reviews. Review access rights of employees regularly, especially those with access to critical systems. These employees should also be prioritised for phishing training.
  • Look out for newly-registered domain names. Phishing sites are often newly registered domains. When F5 reviewed the list of active malware and phishing domains collected by Webroot in September, only 62% were still active a week later.
  • Implement web fraud detection. Implement a web fraud solution that detects clients infected with malware. This stops cybercriminals logging into your systems and allowing fraudulent transactions to occur.
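The mail-triage logic behind three of the tactics above (external-sender labelling, spotting domains that imitate the brands the report names as most impersonated, and flagging newly registered domains), as an added example that is not code from the F5 Labs/Webroot report. It assumes example.com is the organisation's own mail domain, treats a domain as "new" when it is under 30 days old, and uses a hand-written registration-date table in place of a WHOIS/RDAP lookup; the messages it runs over are constructed.

```python
"""Phishing-mail triage over constructed sample records (added example)."""
from datetime import date
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}        # assumption: the organisation's own mail domain
BRANDS = {"microsoft", "google", "facebook", "apple", "adobe", "dropbox", "docusign"}
GENUINE = {b + ".com" for b in BRANDS}    # assumption: each brand's real site is brand.com
NEW_DOMAIN_DAYS = 30                      # assumption: "newly registered" means under 30 days

# Constructed stand-in for a WHOIS/RDAP creation-date lookup.
REGISTRATION_DATES = {
    "microsoft.com": date(1991, 5, 2),
    "rnicrosoft-login.com": date(2018, 10, 28),
    "docusign-secure.net": date(2018, 10, 30),
    "partner-supplies.co.uk": date(2009, 3, 14),
}
TODAY = date(2018, 11, 1)                 # fixed "now" so the run is reproducible

# Confusable substitutions applied before comparing a label to a brand name.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three for .co.uk-style suffixes."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def label_external(subject, sender):
    """Tactic: tag mail from outside the organisation so a spoofed 'colleague' stands out."""
    if sender_domain(sender) in INTERNAL_DOMAINS:
        return subject
    return "[EXTERNAL] " + subject


def normalise(label):
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def lookalike_brand(domain):
    """Brand a domain imitates, or None for the genuine domain / an unrelated one."""
    reg = registrable_domain(domain)
    if reg in GENUINE:
        return None
    label = normalise(reg.split(".")[0])   # 'rnicrosoft-login' -> 'microsoft-login'
    for brand in BRANDS:
        if brand in label:
            return brand
    return None


def domain_age_days(domain):
    created = REGISTRATION_DATES.get(registrable_domain(domain))
    return None if created is None else (TODAY - created).days


def triage(message):
    """Findings for one message of the form {'sender', 'subject', 'urls'}."""
    findings = []
    if label_external(message["subject"], message["sender"]) != message["subject"]:
        findings.append("external-sender")
    hosts = [sender_domain(message["sender"])]
    hosts += [urlparse(u).hostname or "" for u in message["urls"]]
    for host in dict.fromkeys(hosts):      # de-duplicate, keep order
        brand = lookalike_brand(host)
        if brand:
            findings.append(f"lookalike:{brand}:{host}")
        age = domain_age_days(host)
        if age is not None and age < NEW_DOMAIN_DAYS:
            findings.append(f"new-domain:{host}:{age}d")
    return findings


# Constructed sample messages.
SAMPLES = [
    {"sender": "ceo@example.com", "subject": "Q4 numbers", "urls": []},
    {"sender": "alerts@rnicrosoft-login.com", "subject": "Password expires today",
     "urls": ["https://rnicrosoft-login.com/reset"]},
    {"sender": "billing@partner-supplies.co.uk", "subject": "Invoice 4471",
     "urls": ["https://docusign-secure.net/sign/4471"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(label_external(m["subject"], m["sender"]), "->", triage(m))
```

The substring match will also flag legitimate partner domains that contain a brand name, and the confusable map turns words like "learn" into "leam", so treat these as triage signals to feed a human or a secondary check rather than as block decisions. In production the registration date should come from RDAP, and a domain with no retrievable creation date deserves the same suspicion as a brand-new one.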

“Phishing is a big problem and we expect attacks to continue because they are so effective, especially during the winter period” added Warburton.

“As organisations get better at web application security, it will be easier for fraudsters to phish people than to find web exploits. Ultimately, there is no one-stop-shop security control for phishing and fraud. A comprehensive control framework that includes people, process, and technology is a critical requirement to reduce the risk of an attack becoming a major incident.”

Security breaches – A high price tag for UK business this Christmas

Stuart O'Brien

Forty-four per cent of UK consumers will stop spending with a business or brand for several months in the immediate aftermath of a security breach or a hack.

That’s according to new data from payment security specialist PCI Pal that, even more significantly, shows a further 41% of consumers will never return to a brand or a business post-breach, representing a potentially significant loss of revenue.

The findings suggest that a combination of high-profile recent breaches, headlines devoted to new data privacy regulations such as the GDPR, and personal experience have put security concerns at the forefront for UK consumers.

Over a third (38%) confirmed they have personally suffered the negative consequences of a data security breach.

Meanwhile, consumers reported that even being perceived as having insecure data practices can be enough to incur spending penalties: 31% reported that they spend less with brands they perceive to have insecure data practices, while over a quarter (26%) say they stop spending completely if they don’t trust a company with their data.

The findings suggest that it’s not just online threats that worry consumers – with 76% uncomfortable with providing payment information, such as credit card details, over the phone. Specifically, almost a third (32%) said they would hang up and find an alternative payment option, while nearly a quarter (24%) would ask for an online payment option and a further fifth (20%) would enquire as to how the data is being captured and whether it is safe.

Interestingly, when looking at the research findings by age group, 41% of those aged 18-24 said they would give their payment information over the phone with no questions asked, compared to just 14% of those aged 55-65.

Finally, from an industry perspective, consumers were asked which verticals they consider the least secure or the most prone to a security breach: 41% of consumers said the financial sector, followed by 40% suggesting retail and 35% suggesting the travel industry.

“While security breaches are not new, consumers’ attitudes towards them appear to be changing significantly, with the vast majority of those surveyed now reporting that trust in security practices, or lack thereof, influences not just where but also how, and how much they are prepared to spend,” said James Barham, CEO at PCI Pal.

“What’s really interesting is how consumers are increasingly questioning data security practices. Nearly half of those surveyed know they should check a company’s security processes and 22% said they question businesses directly or research how an organisation safeguards consumer data. This suggests a real change in how consumers prioritise privacy and security. This should act as a real wake-up call to consumer-facing brands: they need to adopt stronger security practices, especially for those operating contact centres where payments are handled over the phone if they want to keep customers loyal and spending with them.”

Semafone warns of stricter checks and invasive auditing for contact centres

Stuart O'Brien

Semafone has called on contact centres to pay heed to changes to the Payment Card Industry Security Standards Council (PCI SSC) guidance for protecting telephone-based payment card data.

Updated for the first time since 2011, the guidance clarifies a number of points relating to compliance with the Payment Card Industry Data Security Standard (PCI DSS).

“Since the guidance was last updated in 2011, new technologies and payment channels are increasing the scope of the cardholder data environment and creating some uncertainty & compliance challenges for contact centres,” said Ben Rafferty, Semafone’s global solutions director and a contributing member of the Special Interest Group (SIG) formed by the PCI SSC to update the guidance. “Drawing on our experience of descoping enterprise contact centres around the globe, we aim to provide advice for anyone securing these critical payment channels.”

The key points of the new guidance, highlighted by Semafone, are as follows:

·        Keep softphones separate. The emergence of VoIP and softphones, which are often connected to the desktop environment processing payments, can result in the entire system becoming “in scope” of PCI DSS and subject to its stringent controls. As a result, it is strongly recommended that contact centres fully segment their data and telephony networks.

·        Any cardholder data captured in call recordings brings more checks than ever. Qualified Security Assessors (QSAs) now have clear guidelines regarding call recordings and the capture of sensitive card details. Both manual and automated “pause and resume” systems, whereby recording is briefly stopped, are deemed to run the risk of accidentally capturing these details. If a contact centre is using either of these solutions, QSAs can demand extensive evidence of measures to protect sensitive data. Multi-factor authentication controls need to be added to call recording solutions, as well as to storage and search tools, and QSAs are empowered to conduct invasive auditing to ensure that additional controls have been put in place effectively.

·        Third-party service providers are in scope if they provide more than a dial tone. The new guidance specifies that any call service, from a “transfer” to a “call recording”, that is provided by a third party, will bring that provider into scope of the PCI DSS. The only service that is exempt is a simple voice communications connection, or “dial tone”.

·        Devices that control Session Initiation Protocol (SIP) Redirection are in PCI DSS scope The new guidance recognises that redirecting a call to a secured line, just for the payment process itself, exposes it to a potential risk of interception or diversion by hackers. As a result, all such devices, on or offsite, controlling redirection are vulnerable and therefore fall into the scope of PCI DSS and are subject to the full range of controls.

·        Removing the card data from the contact centre is the only secure solution. Lastly, the updated guidance recommends scope reduction techniques and technologies, including managed and unmanaged dual-tone multi-frequency (DTMF) masking solutions. These remove cardholder data and other personal information from the contact centre environment. Callers enter their card numbers via their telephone keypad, remaining in full communication with the agent throughout. The DTMF key tones are masked with flat bleeps, so they cannot be identified by their sound. This prevents any sensitive card information from coming into contact with the agent, with call recording technology and with any other desktop applications. The card data is sent directly to the payment processor, bypassing the contact centre completely.
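How DTMF masking keeps card data off the agent and recording leg, set against the pause-and-resume approach the guidance warns about, as an added simulation that is not Semafone's product or code from the PCI SSC guidance. It models a telephone payment as a list of events, runs it through a masking proxy and through a manually paused recorder, and then scans each recording for leaked card numbers with a Luhn check. The event format, channel names, capture-window cue and the Luhn-valid card number are all invented for the example; the masking rule (show at most the first six and last four digits) is the PCI DSS display requirement.

```python
"""DTMF masking versus pause-and-resume on a constructed call (added example)."""
import re

MASK_TONE = "*"   # the flat bleep that replaces each key tone on the agent/recording leg

# Constructed call: ('speech', who, text) or ('dtmf', key). The agent opens the
# secure capture window with ('capture_on',) and the caller closes it with '#'.
CALL = [
    ("speech", "agent", "I'll take the card number now, please key it in."),
    ("capture_on",),
    ("dtmf", "4"), ("dtmf", "5"), ("dtmf", "3"), ("dtmf", "2"),
    ("dtmf", "0"), ("dtmf", "1"), ("dtmf", "5"), ("dtmf", "1"),
    ("dtmf", "1"), ("dtmf", "2"), ("dtmf", "8"), ("dtmf", "3"),
    ("dtmf", "0"), ("dtmf", "3"), ("dtmf", "6"), ("dtmf", "6"),
    ("dtmf", "#"),
    ("speech", "caller", "Done."),
    ("speech", "agent", "Thanks, that's gone through."),
]


def luhn_ok(digits):
    """Standard Luhn check (the PSP side would reject a mistyped number here)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def dtmf_masking_proxy(events):
    """Return (agent_leg, processor_digits).

    agent_leg is what the agent hears and the recorder stores; keypad digits
    pressed inside the capture window go only to the payment processor and are
    replaced by MASK_TONE on the agent leg. Speech is never interrupted.
    """
    agent_leg, processor_digits, capturing = "", "", False
    for ev in events:
        if ev[0] == "capture_on":
            capturing = True
            agent_leg += "\n<capture window open>\n"
        elif ev[0] == "speech":
            agent_leg += f"{ev[1]}: {ev[2]}\n"
        elif ev[0] == "dtmf" and capturing:
            if ev[1] == "#":
                capturing = False
                agent_leg += "\n<capture window closed>\n"
            else:
                processor_digits += ev[1]      # digit goes to the PSP only
                agent_leg += MASK_TONE         # flat bleep replaces the key tone
        elif ev[0] == "dtmf":
            agent_leg += ev[1]                 # e.g. IVR menu choices outside the window
    return agent_leg, processor_digits


def pause_resume_recorder(events, resume_after):
    """Manual pause-and-resume: recording stops at capture_on and the agent
    presses resume after `resume_after` key presses. Resuming too early, the
    risk the guidance calls out, writes the remaining digits into the recording."""
    recording, presses, paused = "", 0, False
    for ev in events:
        if ev[0] == "capture_on":
            paused = True
        elif ev[0] == "dtmf":
            presses += 1
            if presses > resume_after:
                paused = False
            if not paused:
                recording += ev[1]
        elif ev[0] == "speech" and not paused:
            recording += f"{ev[1]}: {ev[2]}\n"
    return recording


PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def leaked_pans(recording):
    """Luhn-valid digit runs of card length found in a recording transcript."""
    return [m.group() for m in PAN_RUN.finditer(recording) if luhn_ok(m.group())]


if __name__ == "__main__":
    agent_leg, digits = dtmf_masking_proxy(CALL)
    print(agent_leg)
    print("PSP receives:", mask_pan(digits), "luhn ok:", luhn_ok(digits))
    print("leaked via masking proxy:", leaked_pans(agent_leg))
    print("leaked via early resume:", leaked_pans(pause_resume_recorder(CALL, 0)))
```

The Luhn scan only finds whole card numbers: `pause_resume_recorder(CALL, 12)` leaves the last four digits in the recording and the scan reports nothing, which is the kind of partial capture a QSA will ask for evidence about. That gap is the practical reason the guidance favours removing the digits from the contact-centre leg altogether rather than trusting a well-timed pause.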

“When working with clients looking to attain PCI DSS compliance, the telephone payment channel is the most challenging to address for several reasons,” said Wayne Murphy, a QSA with Sec-1 and contributing member of the SIG. “Contact centre agents often need access to single business systems, which are accessible by all departments within an organisation, bringing most of the business into scope for PCI DSS assessment activities. Plus, integration with VoIP systems make it nearly impossible to simplify the current payment channel to reduce scope.”

Healthcare IT leaders outline cyber security concerns

Stuart O'Brien

Healthcare IT leaders are increasing their spending to defend against cyberattacks and feeling anxiety about Apple, Amazon and Google entering the health care space.

That’s according to a new report from the US-based Center for Connected Medicine (CCM) entitled Top of Mind for Top Health Systems 2019, which focuses on three areas of health IT set to impact health systems next year, namely Cybersecurity, Telehealth, and Interoperability.

Key findings of the report include:

  • Hackers and other cyber-criminals are stepping up their attacks on the health care industry, leading 87 percent of respondents to say they expect to increase spending on cybersecurity in 2019; no health system was expecting to decrease spending.
  • Health IT leaders overwhelmingly expect government and commercial reimbursement to provide the majority of funding for telehealth services by 2022; internal funding and patient payments are expected to provide the majority of funding for telehealth in 2019.
  • 70 percent of responding executives said they were “somewhat concerned” about big tech companies, such as Apple, Amazon and Google, disrupting the health care market; 10 percent were “very concerned.”

The US health care industry was hit with 2,149 breaches comprising a total of 176.4 million records between 2010 and 2017, according to a study published in JAMA Network in September 2018. And the number of data breaches increased in almost every year, starting with 199 in 2010 and ending with 344 in 2017.

The findings are based on quantitative and qualitative surveys of C-suite executives at nearly 40 US health systems. The research was conducted by the Health Management Academy in partnership with the CCM.

Ransomware and phishing top concerns for IT professionals

Stuart O'Brien

Ransomware (24%) and phishing attacks (21%) are the top two concerns among IT leaders in 2018, according to new research.

Barracuda surveyed more than 1,500 IT and security professionals in North America, EMEA, and APAC about their IT security priorities, how these have shifted over the past 15 years and what is expected to change within the next 15 years.

Other key findings include:

  • In 2003, viruses (26%) and spam and worms (18%) were noted as the top two threats
  • In 2003 only 3% identified cloud security as a top priority. This number has gone up to 14% in 2018
  • 43% identified AI and machine learning as the development that will have the biggest impact on cyber security in the next 15 years
  • 41% also believe the weaponisation of AI will be the most prevalent attack tactic in the next 15 years

Overall, Barracuda says the study indicates that while the top security priorities have remained consistent over the past 15 years, the types of threats organisations are protecting against have shifted significantly.

Looking ahead, respondents believe that the cloud will be a higher priority 15 years in the future and that AI will be both a threat and an important tool.

A full 25 percent of respondents said email was their top security priority in 2003, and 23 percent said the same about their current priorities.

Network security came in a close second for both 2003 and 2018 priorities, with 24 percent and 22 percent respectively.

31 percent of respondents chose AI as the new technology that they will rely on to help improve security, and 43 percent identified the increasing use of artificial intelligence and machine learning as the development that will have the biggest impact on cyber security in the next 15 years.

On the other hand, 41 percent believe the weaponisation of AI will be the most prevalent attack tactic in the next 15 years.

“Artificial intelligence is technology that is top of mind for many of the IT professionals we spoke with — both as an opportunity to improve security and as a threat,” said Asaf Cidon, VP email security at Barracuda. “It’s an interesting contrast. We share our customers’ concern about the weaponization of AI. Imagine how social engineering attacks will evolve when attackers are able to synthesize the voice, image, or video of an impersonated target.”

IT employment landscape dominated by AI & cybersecurity

Stuart O'Brien

Nearly one in three organisations plans to increase their IT staff in 2019, with AI and cybersecurity top of the list of skills required.

The 2019 State of IT report from Spiceworks surveyed 1,000 tech professionals in businesses across North America and Europe, and also found that one in four IT pros plans to seek new employment, with millennials the most likely to job hop.

Behind cybersecurity skills, AI tech expertise is the number two skill large enterprises are seeking, while job-hopping IT pros are primarily seeking better salaries and opportunities to advance their IT skills.

The report also found that while 29% of companies plan to increase their IT staff in 2019, most companies (59%) aren’t planning to build up their IT staff next year.

However, Spiceworks says that doesn’t necessarily mean they’re not hiring at all. For example, some companies may be focused on backfilling positions formerly held by IT pros who may have left the building in search of greener pastures.

When comparing the data by company size, enterprises with 1,000+ employees are more likely to increase their IT staff next year than their smaller counterparts. The report suggests this is because larger companies have more IT needs and data assets to manage, and they’re more likely to increase their tech spend in 2019 too.

IT security/cybersecurity skills are most sought after among companies planning to shore up IT staffing levels next year. When comparing the data by company size, it’s clear large enterprises (5,000+ employees) are more likely to seek AI expertise than their smaller counterparts. In fact, it’s the number two skill they’re looking for after security know-how.

On the other hand, midsize companies (500 to 999 employees) are more likely to seek candidates with DevOps skills. Smaller companies are more likely to prioritise hiring IT pros with end user hardware and infrastructure expertise. This finding comes as small businesses plan to significantly boost their hardware budgets in 2019.

In 2019, 26% of IT pros plan to find a new employer, 8% plan to leave the IT field for a new career, 6% plan to move into IT consulting, and 5% plan to retire.

However, job plans vary significantly by age. For example, 33% of millennial IT pros plan to seek new employment in 2019, compared to 26% of Gen X and 13% of baby boomers. Millennials are also more likely to expect a raise and promotion, while unsurprisingly, baby boomer IT pros are most likely to retire in 2019.

Additionally, when comparing the data by gender, Spiceworks says it’s worth noting that women are more likely to expect a promotion next year: 25% of female IT pros expect a promotion in 2019 compared to 14% of male IT pros. However, men are slightly more likely to anticipate a raise… 37% of men expect a raise next year compared to 33% of women.

Job plans also vary by region. For example, in the UK specifically, 38% of IT pros plan to find a new employer next year, compared to the 28% average in Europe and 24% in North America. Spiceworks speculates that this is because digital tech jobs are on the rise in the UK, which means more job opportunities for IT pros (and more temptation to job hop). In fact, according to the 2018 Tech Nation Report, UK employment in the digital tech sector increased by 13% between 2014 and 2017.

“Companies looking to maximize efficiencies and grow profits understand the potential artificial intelligence has to automate tasks and reduce the cost of doing business,” said Peter Tsai, Senior Technology Analyst at Spiceworks. “But to effectively deploy and manage AI-enabled tech, organisations need workers with relevant AI skillsets and experience. And large enterprises, which often have resources dedicated to R&D, are already ahead of the game when it comes to experimenting with and getting value out of AI.”