What is shadow IoT? How to mitigate the risk

When someone in your organization starts using internet-connected devices without IT’s knowledge, that’s shadow IoT. Here’s what you need to know about its growing risk.

Shadow IoT definition

Shadow IoT refers to internet of things (IoT) devices or sensors in active use within an organization without IT’s knowledge. The best example is from before the days of bring your own device (BYOD) policies when employees used personal smartphones or other mobile devices for work purposes. “Shadow IoT is an extension of shadow IT, but on a whole new scale,” says Mike Raggo, CSO at 802 Secure. “It stems not only from the growing number of devices per employee but also the types of devices, functionalities and purposes.”

Employees have been connecting personal tablets and mobile devices to the company network for years. Today, employees are increasingly using smart speakers, wireless thumb drives and other IoT devices at work as well. Some departments install smart TVs in conference rooms or are using IoT-enabled appliances in office kitchens, such as smart microwaves and coffee machines.

In addition, building facilities are often upgraded with industrial IoT (IIoT) sensors, such as heating ventilation and air conditioning (HVAC) systems controlled by Wi-Fi-enabled thermostats. Increasingly, drink machines located on company premises connect via Wi-Fi to the internet to accept, say, Apple Pay payments. When these sensors connect to an organization’s network without IT’s knowledge, they become shadow IoT.

How prevalent is shadow IoT?

Gartner predicts that 20.4 billion IoT devices will be in use globally by 2020, up from 8.4 billion in 2017. Shadow IoT has become widely prevalent as a result. In 2017, 100 percent of organizations surveyed reported ‘rogue’ consumer IoT devices on the enterprise network, and 90 percent reported discovering previously undetected IoT or IIoT wireless networks separate from the enterprise infrastructure, according to a 2018 report from 802 Secure.

One-third of companies in the U.S., U.K. and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a 2018 Infoblox report on shadow devices. Infoblox’s research found that the most common IoT devices on enterprise networks are:

  • Fitness trackers such as Fitbits, 49 percent
  • Digital assistants such as Amazon Alexa and Google Home, 47 percent
  • Smart TVs, 46 percent
  • Smart kitchen devices such as connected microwaves, 33 percent
  • Gaming consoles such as Xboxes or PlayStations, 30 percent

What are shadow IoT’s risks?

IoT devices are often built without inherent, enterprise-grade security controls, are frequently set up using default IDs and passwords that criminals can easily find via internet searches, and are sometimes added to an organization’s main Wi-Fi networks without IT’s knowledge. Consequently, the IoT sensors aren’t always visible on an organization’s network. IT can’t control or secure devices they can’t see, making smart connected devices an easy target for hackers and cybercriminals. The result: IoT attacks grew by 600 percent in 2018 compared to 2017, according to Symantec.

Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices such as Shodan, Infoblox’s report points out. “Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP and SNMP services. As identifying devices is the first step in accessing devices, this provides even lower-level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities.”

Why aren’t most shadow IoT devices secure?

When PCs were first released decades ago, their operating systems weren’t built with inherent security, Raggo observes. As a result, securing PCs against viruses and malware remains an ongoing struggle.

In contrast, the iOS and Android mobile operating systems were designed with integrated security, such as app sandboxing. While mobile devices aren’t bullet-proof, they’re typically more secure than desktops and laptops.

With today’s IoT and IIoT devices, “It’s like manufacturers have forgotten everything we’ve learned about security from mobile operating systems,” Raggo says. “There are so many IoT manufacturers, and the supply chain for building the devices is scattered all over the world, leading to a highly fragmented market.”

Because IoT devices tend to be focused on just one or two tasks, they often lack security features beyond basic protocols such as WPA2 Wi-Fi, which has its vulnerabilities. The result: Billions of unsecured IoT devices are in use globally on enterprise networks without IT’s knowledge or involvement.

“I bought 10 or 15 IoT devices a few years ago to check out their security,” says Chester Wisniewski, principal research scientist at Sophos. “It was shocking how fast I could find their vulnerabilities, which means anyone could hack them. Some devices had no process for me to report vulnerabilities.”

Have criminal hackers successfully targeted shadow IoT devices?

Yes. Probably the most famous example to date is the 2016 Mirai botnet attack, in which unsecured IoT devices such as Internet Protocol (IP) cameras and home network routers were hacked to build a massive botnet army. The army executed hugely disruptive distributed denial of service (DDoS) attacks, such as one that left much of the U.S. east coast internet inaccessible. The Mirai source code was also shared on the internet, for criminal hackers to use as building blocks for future botnet armies.

Other exploits are available that enable cybercriminals to take control of IoT devices, according to the Infoblox report. “In 2017, for example, WikiLeaks published the details of a CIA tool, dubbed Weeping Angel, that explains how an agent can turn a Samsung smart TV into a live microphone. Consumer Reports also found flaws in popular smart TVs that could be used to steal data as well as to manipulate the televisions to play offensive videos and install unwanted apps.”

Along with amassing botnet armies and conducting DDoS attacks, cybercriminals can also exploit unsecured IoT devices for data exfiltration and ransomware attacks, according to Infoblox.

In one of the oddest IoT attacks thus far, criminals hacked into a smart thermometer inside a fish tank in a casino lobby to access its network. Once in the network, the attackers were able to steal the casino’s high-roller database.

The future potential of IoT-enabled cyberattacks is enough to give CSOs and other IT security professionals concern. “Consider the damage to vital equipment that could occur if someone connected into an unsecured Wi-Fi thermostat and changed the data center temperature to 95 degrees,” Raggo says. In 2012, for instance, cybercriminals hacked into the thermostats at a state government facility and a manufacturing plant and changed the temperatures inside the buildings. The thermostats were discovered via Shodan, a search engine devoted to internet-connected devices.

To date, the impact of IoT device exploits hasn’t been hugely negative for any particular enterprise, says Wisniewski, in terms of exploiting sensitive or private data. “But when a hacker figures out how to make a big profit compromising IoT devices, like using a brand of smart TVs for conference room spying, that’s when the shadow IoT security risk problem will get everyone’s attention.”

3 ways to mitigate shadow IoT security risks

  1. Make it easy for users to officially add IoT devices. “The reason you have shadow IT and shadow IoT is often because the IT department is known for saying ‘no’ to requests to use devices like smart TVs,” says Wisniewski. Instead of outright banning IoT devices, fast-tracking their approval whenever possible and feasible—within, say, 30 minutes after the request is made—can help reduce the presence of shadow IoT.

    “Publish and circulate your approval process,” Wisniewski adds. “Get users to fill out a brief form and let them know how quickly someone will get back to them. Make the process as flexible and as easy for the requester as possible, so they don’t try to hide something they want to use.”

  2. Proactively look for shadow IoT devices. “Organizations need to look beyond their own network to discover shadow IoT, because much of it doesn’t live on the corporate network,” Raggo says. “More than 80 percent of IoT is wireless-enabled. Therefore, wireless monitoring for shadow IoT devices and networks can allow visibility and asset management of these other devices and networks.”

    Traditional security products list devices by a media access control (MAC) address or a vendor’s organizationally unique identifier (OUI), yet they are largely unhelpful in an environment with a plethora of different types of devices, Raggo adds. “IT really wants to know ‘what is that device?’ so they can determine if it’s a rogue or permitted device. In today’s world of deep-packet inspection and machine learning, mature security products should provide human-friendly categorizations of discovered assets to ease the process of asset management and security.”

  3. Isolate IoT. Ideally, new IoT and IIoT devices should connect to the internet via a separate Wi-Fi network dedicated to such devices that IT controls, says Wisniewski. The network should be configured to enable IoT devices to transmit information and to block them from receiving incoming calls. “With the majority of IoT devices, nothing legitimate is ever transmitted to them,” he says.
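As an added illustration of the three steps above (this ruleset is not from the article or from any product mentioned in it), here is a minimal nftables configuration for a router that puts IoT devices on their own segment and allows them to transmit outbound while dropping and logging anything that tries to reach them from the internet or the corporate LAN. The interface names iot0/lan0/wan0, the subnets and the management-host address are assumptions chosen for the example.

```nftables
# Added example, not the article's own configuration.
# Assumed layout: IoT devices on a dedicated Wi-Fi/VLAN bridged to iot0,
# corporate LAN on lan0, internet uplink on wan0.
define IOT_IF  = "iot0"
define LAN_IF  = "lan0"
define WAN_IF  = "wan0"
define IOT_NET = 10.200.0.0/24    # assumed IoT segment
define LAN_NET = 10.10.0.0/16     # assumed corporate LAN

table inet iot_isolation {
    chain forward {
        # Default-deny between segments; every permitted path is explicit.
        type filter hook forward priority filter; policy drop;

        # Replies to connections the IoT device itself opened (the only
        # "incoming" traffic most IoT devices legitimately need).
        ct state established,related accept

        # IoT devices may initiate connections to the internet ...
        iifname $IOT_IF oifname $WAN_IF ip saddr $IOT_NET ip daddr != $LAN_NET accept

        # ... but never into the corporate LAN. Counters make a chatty
        # device visible in "nft list ruleset" during asset review.
        iifname $IOT_IF oifname $LAN_IF ip daddr $LAN_NET counter log prefix "iot-to-lan-drop " drop

        # The LAN does not reach IoT devices either, except for an
        # IT-managed host that needs to administer them (assumed address).
        iifname $LAN_IF oifname $IOT_IF ip saddr 10.10.1.5 tcp dport { 22, 443 } accept
        iifname $LAN_IF oifname $IOT_IF counter drop

        # Nothing on the internet may open a new connection to an IoT device;
        # log attempts so inbound scanning of the segment shows up in SIEM.
        iifname $WAN_IF oifname $IOT_IF ct state new counter log prefix "iot-inbound-drop " drop
    }
}
```

Load it with `nft -f` on the router; the logged prefixes give the SOC a direct signal for both a misbehaving device talking to the LAN and outside parties probing the IoT segment.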

Anything shadowy is a problem

“Shadow anything is a problem, whether it’s an IoT device or any other addressable, unmanaged item,” says Wisniewski. “The key is controlling access to the network from only authorized devices, keeping an accurate inventory of authorized devices, and having clear policies in place to ensure employees know they aren’t allowed to ‘bring their own’ devices and that HR sanctions will be enforced if they do.”

Source: https://www.csoonline.com/article/3346082/what-is-shadow-iot-how-to-mitigate-the-risk.html


IoT and DDoS attacks dominate cybersecurity space

Connected devices often get attacked minutes after being plugged in.

IoT devices are being attacked with greater regularity than ever before, new research has suggested.

According to a new report by NETSCOUT, smart products often come under attack within five minutes of being plugged in, and are targeted by specific exploits within a day.

The Threat Landscape Report says IoT device security is ‘minimal to non-existent’ on many devices. That makes the IoT sector among the most vulnerable ones, especially knowing that medical equipment and connected cars fall under the IoT category.

DDoS, in general, is still on the rise, the report adds. The number of such attacks grew by a quarter last year. Attacks in the 100-400 Gbps range ‘exploded’, it says, concluding that hackers have a ‘continued interest’ in this attack vector.

The global maximum DDoS attack size grew by 19 per cent last year, compared to the year before.

International institutions, such as the UN or the IMF, have never been this interesting to hackers. DDoS attacks against such organisations rose by almost 200 per cent last year.

Hackers operate similarly to the way legitimate businesses operate. They employ the affiliate model, allowing them to rack up profits quite quickly.

“Our global findings reveal that the threat landscape in the second half of 2018 represents the equivalent of attacks on steroids,” said Hardik Modi, NETSCOUT’s senior director of Threat Intelligence. “With DDoS attack size and frequency, volume of nation state activity and speed of IoT threats all on the rise, the modern world can no longer ignore the digital threats we regularly face from malicious actors capable of capitalizing on the interdependencies that wind through our pervasively connected world.”

Source: https://www.itproportal.com/news/iot-and-ddos-attacks-dominate-cybersecurity-space/


The Trouble With Growing Your Own DDoS Protection Methods

If you’re keeping up with what’s happening in the wonderful world of IT, you’re probably reading the blood-curdling headlines about 1.7 Tbps distributed denial of service (DDoS) attacks and gut-wrenching descriptions of average $40,000-per-hour costs of unmitigated attacks. 

You’ve also probably digested the fact that no business is too large or too small to be a target of distributed denial of service attacks. So, it’s natural to start thinking about IT security improvements. In these initial thoughts, it’s tempting to envisage a tidy, on-site operation. It has the latest hardware and software (you’re upgrading), and your IT team is in charge. But hold on a minute. Before you go any further, consider all your options before settling on a DIY security solution. There are many reasons why the wise choice is letting the security pros protect your network.

Five reasons to not DIY

The main reason to pass up DIY mitigation? Its limitations. Although tools and techniques of in-house DDoS mitigation are powerful, they can’t stop swift, massive, and sophisticated volumetric attacks. Remember, in on-premises DIY mitigation plans:

  • Protection starts too late in the attack cycle. DIY protection methods are usually a reaction to the initial attack. By the time the IT security team starts working, much of the damage is done. This is especially relevant in DDoS attacks that include application-layer exploits.
  • The ability to adjust configurations doesn’t always help. IT security pros can respond to an attack by adjusting configuration settings manually. However, this takes valuable time. Also, protection is good only for the same type of attack. This lack of flexibility becomes a problem in multi-vector exploits. When botmasters (human controllers of DDoS bots) change tactics in mid-attack, your protection loses its usefulness. 
  • Your network bandwidth limits DIY protection efforts. Your DDoS protection is only as good as your bandwidth is large. DDoS attacks commonly measure many times more than the volume of enterprise network traffic.
  • DIY protection can’t always distinguish between malware and legitimate users. In-house DDoS protection methods often involve static traffic rate limitations and IP blacklisting. When you use these relatively old-fashioned methods, legitimate users can be mistaken for malicious software. Being blocked from using your website is a quick way to lose customers.
  • Prohibitive costs. For many companies wanting to upgrade their DDoS protection, this is the biggest problem of all. Purchasing, installing and deploying hardware appliances carry a hefty price tag that puts DIY protection beyond the budget of most organizations.

Don’t forget to protect your applications

Network users are discovering what IT security pros have known for a while. Volumetric attacks might be the familiar face of DDoS mayhem. In many cases, however, data and application security are also at risk. 

That’s because DDoS attacks are often smokescreens to exploits that look for valuable data and information. In an application-layer DDoS attack, a botnet distracts the security team. While the security pros deal with the immediate problem, bots search for any information that can be sold on the Dark Web. 

If you want to run your own DDoS protection methods, this is bad news. The security of applications that you run onsite is at risk. Given this expanded security scope, you would have to protect your apps by upgrading application-layer security measures. Experts recommend that to secure commercial applications, organizations must have their own remediation process, identity management methods, and infrastructure security procedures.

To run custom applications safely, you should adopt quite a few additional measures. These include application security testing, developer training, DevOps and DevSecOps practices, and maintaining an open source code inventory.

The ace up your sleeve—cloud-based mitigation services

The cloud is where you’ll find a powerful, cost-effective security option. Cloud-based, DDoS mitigation providers offer benefits that DIY methods lack. 

  • Broad DDoS protection. Cloud-based protection secures your infrastructure against attacks on your system’s network and application layers. 
  • No DDoS-related capital or operations costs. Mitigation service specialists offer DDoS protection as a managed service. There’s no need to invest in hardware or software. And, say good-bye to IT labor costs. Your IT staff doesn’t get involved in DDoS mitigation. 
  • No scalability problems. DDoS mitigation providers use large-scale infrastructures, with virtually unlimited bandwidth. 
  • No need to hire expensive talent. In-house DDoS protection solutions require IT pros with expensive, often hard-to-find knowledge and experience. The staffs of DDoS mitigation providers include the security and data specialists needed to keep DDoS attacks at bay.
  • You spend less time and money. When you add up the costs of all required assets and resources, the conclusion is clear. You’ll spend far less time, effort, and budget when you engage off-premises, DDoS protection services.

These are the benefits that most DDoS mitigation services provide. However, advanced mitigation providers go several steps beyond this already high standard of performance. For example, automated defense methods built into DDoS response software eliminate the need for time-consuming human intervention. In fact, these capabilities reduce time to mitigation to mere seconds. (The current industry record is 10 seconds). 

Isn’t it time to take advantage of this IT security firepower? With DDoS mitigation services at your back, you’ll never have to wince at another DDoS screamer headline again.

Source: http://trendintech.com/2019/01/27/the-trouble-with-growing-your-own-ddos-protection-methods/


Nokia: IoT Botnets Comprise 78% of Malware on Networks

Nokia is warning of a deluge of IoT malware after revealing a 45% increase in IoT botnet activity on service provider networks since 2016.

The mobile networking firm’s Threat Intelligence Report for 2019 is based on data collected from its NetGuard Endpoint Security product, which it says monitors network traffic from over 150 million devices globally.

It revealed that botnet activity represented 78% of malware detection events in communication service provider (CSP) networks this year, more than double the 33% seen in 2016.

Similarly, IoT bots now make up 16% of infected devices on CSP networks, a near-five-fold increase from 3.5% a year ago.

“Cyber-criminals are switching gears from the traditional computer and smartphone ecosystems and now targeting the growing number of vulnerable IoT devices that are being deployed,” said Kevin McNamee, director of Nokia’s Threat Intelligence Lab. “You have thousands of IoT device manufacturers wanting to move product fast to market and, unfortunately, security is often an afterthought.”

This is a threat that first came to light with the Mirai attacks of 2016, when the infamous IoT malware sought out and infected tens of thousands of smart devices protected only by factory default passwords.

That ended up launching some of the largest DDoS attacks ever seen, although Nokia also called out crypto-mining as a potential new use of IoT botnets made up of compromised smartphones and web browsers.

“Cyber-criminals have increasingly smart tools to scan for and to quickly exploit vulnerable devices, and they have new tools for spreading their malware and bypassing firewalls. If a vulnerable device is deployed on the internet, it will be exploited in a matter of minutes,” McNamee warned.

IoT adoption is expected to accelerate with 5G, potentially exposing even more devices to cyber risk, Nokia claimed.

Yossi Naar, co-founder at Cybereason, argued that attackers can also use compromised IoT endpoints to move into corporate networks and high-value servers.

“Simply put, security needs to be a primary design consideration, as fundamental as any other measure of performance,” he added. “There should be a focus on tight mechanisms for strong authentication and the minimization of the potential attack surface. It’s a fundamental design philosophy that responsible companies have, but it’s not a reflex for all companies — yet.”

Source: https://www.infosecurity-magazine.com/news/iot-botnets-78-of-malware-on/


Universities seeing rise in DDoS attacks

Kaspersky Lab has noticed an overall decline in the number of DDoS attacks this year, which may be due to many bot owners reallocating the computing power of their bots to a more profitable and relatively safe way of making money: cryptocurrency mining.

However, there is still a risk of DDoS attacks causing disruption, despite attackers not seeking financial gain.

The Kaspersky Lab DDoS Q3 report marked a continued trend in attacks aimed at educational organisations, as they open their doors after a long summer and students head back to school.

Attackers were most active during the third quarter in August and September, proven by the number of DDoS attacks on educational institutions increasing sharply at the start of the academic year.

This year, the most prominent attacks hit the websites of one of the UK’s leading universities – the University of Edinburgh – and the US vendor Infinite Campus, which supports the parent portal for numerous city public schools.

Analysis from Kaspersky Lab experts has found that the majority of these DDoS attacks were carried out during term time and subsided during the holidays.

More or less the same result was obtained by the British organisation Jisc.

After collecting data about a series of attacks on universities, it determined that the number of attacks fell when students were on holiday.

The number of attacks also decreases outside of study hours, with DDoS interference in university resources mainly occurring between 9am and 4pm.

Overall, between July and September, DDoS botnets attacked targets in 82 countries.

China was once again first in terms of the number of attacks.

The US returned to second after losing its place in the top three to Hong Kong in Q2.

However, third place has now been occupied by Australia – the first time it’s reached such heights since Kaspersky Lab DDoS reports began.

There have also been changes in the top 10 countries with the highest number of active botnet C&C servers.

As in the previous quarter, the US remained in first place, but Russia moved up to second, while Greece came third.

Kaspersky DDoS protection business development manager Alexey Kiselev says, “The top priority of any cybercriminal activity is gain.

“However, that gain doesn’t necessarily have to be financial. The example of DDoS attacks on universities, schools and testing centres presumably demonstrates attempts by young people to annoy teachers, institutions or other students, or maybe just to postpone a test.

“At the same time, these attacks are often carried out without the use of botnets, which are, as a rule, only available to professional cybercriminals, who now seem to be more concerned with mining and conducting only well-paid attacks.

“This sort of ‘initiative’ shown by students and pupils would be amusing if it didn’t cause real problems for the attacked organisations which, in turn, have to prepare to defend themselves against such attacks,” Kiselev says.

Source: https://datacentrenews.eu/story/universities-seeing-rise-in-ddos-attacks


30 years ago, the world’s first cyberattack set the stage for modern cybersecurity challenges

Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was – that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer and ask each machine to send a signal back to a control server, which would keep count.

The program worked well – too well, in fact. Morris had known that if it traveled too fast there might be problems, but the limits he built in weren’t enough to keep the program from clogging up large sections of the internet, both copying itself to new machines and sending those pings back. When he realized what was happening, even his messages warning system administrators about the problem couldn’t get through.

His program became the first of a particular type of cyber attack called “distributed denial of service,” in which large numbers of internet-connected devices, including computers, webcams and other smart gadgets, are told to send lots of traffic to one particular address, overloading it with so much activity that either the system shuts down or its network connections are completely blocked.

As the chair of the integrated Indiana University Cybersecurity Program, I can report that these kinds of attacks are increasingly frequent today. In many ways, Morris’s program, known to history as the “Morris worm,” set the stage for the crucial, and potentially devastating, vulnerabilities in what I and others have called the coming “Internet of Everything.”

Unpacking the Morris worm

Worms and viruses are similar, but different in one key way: A virus needs an external command, from a user or a hacker, to run its program. A worm, by contrast, hits the ground running all on its own. For example, even if you never open your email program, a worm that gets onto your computer might email a copy of itself to everyone in your address book.

In an era when few people were concerned about malicious software and nobody had protective software installed, the Morris worm spread quickly. It took 72 hours for researchers at Purdue and Berkeley to halt the worm. In that time, it infected tens of thousands of systems – about 10 percent of the computers then on the internet. Cleaning up the infection cost hundreds or thousands of dollars for each affected machine.

In the clamor of media attention about this first event of its kind, confusion was rampant. Some reporters even asked whether people could catch the computer infection. Sadly, many journalists as a whole haven’t gotten much more knowledgeable on the topic in the intervening decades.

Morris wasn’t trying to destroy the internet, but the worm’s widespread effects resulted in him being prosecuted under the then-new Computer Fraud and Abuse Act. He was sentenced to three years of probation and a roughly US$10,000 fine. In the late 1990s, though, he became a dot-com millionaire – and is now a professor at MIT.

Rising threats

The internet remains subject to much more frequent – and more crippling – DDoS attacks. With more than 20 billion devices of all types, from refrigerators and cars to fitness trackers, connected to the internet, and millions more being connected weekly, the number of security flaws and vulnerabilities is exploding.

In October 2016, a DDoS attack using thousands of hijacked webcams – often used for security or baby monitors – shut down access to a number of important internet services along the eastern U.S. seaboard. That event was the culmination of a series of increasingly damaging attacks using a botnet, or a network of compromised devices, which was controlled by software called Mirai. Today’s internet is much larger, but not much more secure, than the internet of 1988.

Some things have actually gotten worse. Figuring out who is behind particular attacks is not as easy as waiting for that person to get worried and send out apology notes and warnings, as Morris did in 1988. In some cases – the ones big enough to merit full investigations – it’s possible to identify the culprits. A trio of college students was ultimately found to have created Mirai to gain advantages when playing the “Minecraft” computer game.

Fighting DDoS attacks

But technological tools are not enough, and neither are laws and regulations about online activity – including the law under which Morris was charged. The dozens of state and federal cybercrime statutes on the books have not yet seemed to reduce the overall number or severity of attacks, in part because of the global nature of the problem.

There are some efforts underway in Congress to allow attack victims in some cases to engage in active defense measures – a notion that comes with a number of downsides, including the risk of escalation – and to require better security for internet-connected devices. But passage is far from assured.

There is cause for hope, though. In the wake of the Morris worm, Carnegie Mellon University established the world’s first Cyber Emergency Response Team, which has been replicated in the federal government and around the world. Some policymakers are talking about establishing a national cybersecurity safety board, to investigate digital weaknesses and issue recommendations, much as the National Transportation Safety Board does with airplane disasters.

More organizations are also taking preventative action, adopting best practices in cybersecurity as they build their systems, rather than waiting for a problem to happen and trying to clean up afterward. If more organizations considered cybersecurity as an important element of corporate social responsibility, they – and their staff, customers and business partners – would be safer.

In “3001: The Final Odyssey,” science fiction author Arthur C. Clarke envisioned a future where humanity sealed the worst of its weapons in a vault on the moon – which included room for the most malignant computer viruses ever created. Before the next iteration of the Morris worm or Mirai does untold damage to the modern information society, it is up to everyone – governments, companies and individuals alike – to set up rules and programs that support widespread cybersecurity, without waiting another 30 years.

Source: http://theconversation.com/30-years-ago-the-worlds-first-cyberattack-set-the-stage-for-modern-cybersecurity-challenges-105449


Over third of large Dutch firms hit by cyberattack in 2016 – CBS

Large companies are hit by cyberattacks at an above average rate, according to the Cybersecurity Monitor of Dutch statistics bureau CBS for 2018. Among companies of 250+ employees, 39 percent were hit at least once by a cyberattack in 2016, such as a hack or DDoS attack. By contrast, around 9 percent of small companies (2-10 employees) were confronted with such an ICT incident.

Of the larger companies, 23 percent suffered from failure of business processes due to outside cyberattacks. This compares to 6 percent for the smaller companies. Of all ICT incidents, failures were the most common for all company sizes, though again, the larger companies were more affected (55%) than the smaller ones (21%). The incidents led to costs for both groups of companies.

Chance of incident bigger at large company

CBS noted that ICT incidents can arise both from an outside attack and from an internal cause, such as incorrectly installed software or hardware or the unintentional disclosure of data by an employee. The fact that larger companies suffer more from ICT incidents can be related to the fact that more people work with computers; this increases the chance of incidents. In addition, larger companies often have a more complex ICT infrastructure, which can cause more problems.

The number of ICT incidents also varies per industry. For example, small businesses in the ICT sector (12%) and industry (10%) often suffer from ICT incidents due to external attacks. Small companies in the hospitality sector (6%) and health and welfare care (5%) were less often confronted with cyberattacks.

Internal cause more common at smaller companies

Compared to larger companies, ICT incidents at small companies more often have an internal cause: 2 out of 3, compared to 2 out of 5 at larger companies. ICT incidents at small companies in health and welfare care most often had an internal cause (84%). In the ICT sector, this share was 60 percent.

About 7 percent of companies with an ICT incident report it to one or more authorities, including the police, the Dutch Data Protection Authority (AP), a security team or their bank. The largest companies report ICT incidents much more often (41%) than the smallest companies (6%). Large companies most frequently report these incidents to the AP, as required by law; after that, most reports go to the police. The smallest companies report incidents most often to their bank.

Smaller: less safe

Small businesses are less often confronted with ICT incidents and, in comparison with large companies, take fewer security measures. Around 60 percent of small companies take three or more measures, compared with 98 percent of larger companies.

Source: https://www.telecompaper.com/news/over-third-39-of-large-dutch-firms-hit-by-cyberattack-in-2016-cbs–1265851


Businesses are becoming main target for cybercriminals, report finds

Cybercrime activity continues to expand in scope and complexity, according to the latest report by cybersecurity firm Malwarebytes, as businesses become the preferred target for crooks throughout Q3.

Malware detections on businesses rose 55% between Q2 and Q3, with the largest share coming from information-stealing trojans such as the self-propagating Emotet and the infamous LokiBot.

Criminals have likely ramped up attacks on organizations in an attempt to maximize returns, while consumers saw significantly less activity in Q3, with a mere 5% increase in detections over the period.

This shift toward more targeted campaigns, as opposed to the wide nets cast in previous quarters, has several causes, including businesses failing to patch vulnerabilities, the availability of weaponized exploits, and possibly even the introduction of privacy-protective legislation such as GDPR.

“There was a very long period where ransomware was the dominant malware against everybody,” said Adam Kujawa, director of Malwarebytes Labs, speaking to The Daily Swig about the quarterly report, Cybercrime tactics and techniques: Q3 2018.

“We’ve seen the complete evolution of ransomware to what is really just a few families, and whether we’ll see the same distribution and exposure [of ransomware] that we’ve seen in the past few years is unlikely in my opinion.”

GandCrab ransomware, however, which first appeared at the beginning of this year, has matured.

New versions were discovered during Q3 as the ransomware variant is expected to remain a viable threat to both consumers and to businesses, which are at higher risk due to GandCrab’s advanced ability to encrypt network drives.

But despite a recent report by Europol that highlighted ransomware as the biggest threat in 2018, Kujawa isn’t convinced that these campaigns will stick around in the quarters to come.

“There are so many solutions out there that can protect users from ransomware, and there are more people that know what to do if you get hit with it,” he said.

“When you compare that to is it a good return investment [for cybercriminals], we don’t think it is anymore. Most of what we’ve seen [in Q3] is information-stealers.”

Kujawa points to the banking trojan Emotet, which can spread easily and whose primary intent is to steal financial data and to carry out distributed denial of service (DDoS) attacks from infected machines.

Businesses, particularly small and medium-sized enterprises with less money invested in cyber defenses, have become valuable targets because of the ease with which trojans like Emotet can spread throughout their networks.

Changes in global information systems may also be a contributing factor in the revival of data-theft.

“That may very well in part play to things like GDPR where you’ve got this data that is no longer legally allowed to be on a server somewhere protected in Europe,” said Kujawa.

“Cybercriminals may be more interested in stealing data like they used to because this stuff is no longer as easy to obtain as it was.”

While information-stealers hogged the spotlight, the threat landscape remains diverse: targets are predominantly concentrated in Western countries, while exploit kits were found mostly in Asian countries, including South Korea.

Kujawa also noted that social engineering, such as phishing attacks, remains a successful technique for malicious hackers.

He said: “Almost all attacks are distributed through social engineering, that’s still the number one way to get past things like security software, firewalls, and things like that.”

“The biggest problem in our industry right now is people not taking it [cybersecurity] seriously enough,” Kujawa added.

“At the end of the day we’re never going to win the war on cybercrime with just technology because that’s exactly what the bad guys are using against us.”

Source: https://portswigger.net/daily-swig/businesses-are-becoming-main-target-for-cybercriminals-report-finds


Central planning bureau finds Dutch cybersecurity at high level

Dutch businesses and the public sector are well protected against cybersecurity threats compared to other countries, according to a report from the Central Planning Bureau on the risks for cybersecurity. Dutch websites employ encryption techniques relatively often, and the ISPs take measures to limit the impact of DDoS attacks, the report said.

Small and medium-sized businesses are less active than large companies in protecting their activities, employing techniques such as data encryption less often, the CPB found. This creates risks for small business and consumers that could be avoided.

The report also found that the Dutch are more often victims of cybercrime than other forms of crime. This implies a high cost for society to ensure cybersecurity. In 2016, already 11 percent of businesses incurred costs due to a hacking attempt.

The threat of DDoS attacks will only increase in the coming years due to the growing number of IoT devices. This was already evident in the attacks against Dutch bank websites earlier this year. A further risk is that over half of the most important banks in the world use the same DDoS protection service.

According to the paper Financieele Dagblad, this supplier is Akamai. The company provides DDoS protection for 16 of the 30 largest banks worldwide. The Dutch banks ABN Amro, ING and Rabobank said they were not dependent on a single provider.

The CPB report also found that the often reported shortage of qualified ICT staff is less of a threat than thought. The number of ICT students has risen 50 percent in four years and around 100,000 ICT jobs have been added in the country since 2008. Already 5 percent of all jobs are in ICT. This puts the Netherlands at the top of the pack in Europe, alongside the Nordic countries.

Source: https://www.telecompaper.com/news/central-planning-bureau-finds-dutch-cybersecurity-at-high-level–1264818


Edinburgh Uni Hit by Major Cyber-Attack

The website of Edinburgh University was still down at the time of writing after the institution suffered a major cyber-attack during its Freshers’ Week.

A university spokesman told the Edinburgh Evening News that it has “rigid measures in place” to protect IT systems and data.

“Our defenses reacted quickly and no data has been compromised,” he added. “We will continue to work with our internet service provider, [national cybercrime investigators] and with other universities to prevent these network attacks in future.”

The main ed.ac.uk site was still down on Thursday morning, nearly 24 hours after the first reports of an attack went online. That would indicate a serious DDoS attack.

Jisc, the UK non-profit which runs the super-fast Janet network for research and educational institutions, released a statement claiming that a “number of universities” have been targeted this week and adding that the number of DDoS attacks on them “typically increases at this time of year, when students are enrolling at, or returning to university.”

“While Jisc is responsible for protecting connections to the Janet Network for its members (colleges, universities and research centres), members are responsible for protecting their own cyberspace,” it added. “However, Jisc also provides DDoS threat intelligence to its community and provides advice to members affected by cyber-attacks on how to deal with the problem and minimize the impact.”

Ironically, Edinburgh University was praised by the government this year for carrying out cutting-edge cybersecurity research. It is one of 14 Academic Centres of Excellence in Cyber Security Research, backed by the £1.9bn National Cyber Security Strategy.

DDoS attacks grew by 40% year-on-year in the first six months of 2018, according to new figures from Corero Networks.

The security firm claimed that attacks are becoming shorter, with 82% lasting less than 10 minutes, and smaller, with 94% under 5Gbps. However, one in five victims is hit with another attack within 24 hours, the report revealed.
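The practical consequence of short, low-volume, repeating attacks is that alerting built on five-minute aggregation windows and high-bandwidth thresholds will miss most of them. The following is an added example, not code from Corero, Jisc or the article: a small detector that runs over a constructed series of one-minute inbound-rate samples, extracts attack episodes against an assumed baseline multiple, and reports how many are shorter than 10 minutes, smaller than 5Gbps, fall below a 5-minute alert window, or recur within 24 hours of the previous episode. The baseline, threshold factor and burst data are assumptions for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Sample = Tuple[datetime, float]   # (timestamp, inbound rate in Gbps)
Episode = Dict[str, object]       # start, end, duration_min, peak_gbps

SAMPLE_INTERVAL = timedelta(minutes=1)


def build_samples() -> List[Sample]:
    """Constructed two-day series at one-minute resolution (not real traffic).

    Baseline 0.4 Gbps with three invented bursts: two short ones on the first
    day, ten hours apart, and one longer, larger one late on the second day.
    """
    t0 = datetime(2018, 9, 19, 0, 0)
    bursts = [  # (start, length in minutes, peak Gbps)
        (datetime(2018, 9, 19, 10, 0), 6, 3.2),
        (datetime(2018, 9, 19, 20, 0), 4, 2.1),
        (datetime(2018, 9, 20, 22, 0), 15, 7.0),
    ]
    samples: List[Sample] = []
    for i in range(2 * 24 * 60):
        ts = t0 + i * SAMPLE_INTERVAL
        rate = 0.4
        for start, minutes, peak in bursts:
            if start <= ts < start + minutes * SAMPLE_INTERVAL:
                rate = peak
        samples.append((ts, rate))
    return samples


def _close(ep: Episode, out: List[Episode], min_minutes: int) -> None:
    """Finalize an open episode; drop single-sample blips below min_minutes."""
    duration = (ep["end"] - ep["start"]) // SAMPLE_INTERVAL + 1
    if duration >= min_minutes:
        ep["duration_min"] = duration
        out.append(ep)


def detect_episodes(samples: List[Sample], baseline_gbps: float,
                    factor: float = 5.0, min_minutes: int = 2) -> List[Episode]:
    """Group consecutive samples at or above baseline*factor into episodes.

    Assumes samples are sorted and evenly spaced at SAMPLE_INTERVAL.
    """
    threshold = baseline_gbps * factor
    episodes: List[Episode] = []
    current: Episode = None
    for ts, rate in samples:
        if rate >= threshold:
            if current is None:
                current = {"start": ts, "end": ts, "peak_gbps": rate}
            else:
                current["end"] = ts
                current["peak_gbps"] = max(current["peak_gbps"], rate)
        elif current is not None:
            _close(current, episodes, min_minutes)
            current = None
    if current is not None:            # series ended mid-attack
        _close(current, episodes, min_minutes)
    return episodes


def summarize(episodes: List[Episode], short_limit_min: int = 10,
              small_limit_gbps: float = 5.0, alert_window_min: int = 5,
              repeat_window: timedelta = timedelta(hours=24)) -> Dict[str, object]:
    """Count episodes matching the shapes described in the report.

    'below_alert_window' is the number a detector aggregating over
    alert_window_min minutes would never see as a sustained anomaly;
    'repeat_starts' lists episodes beginning within repeat_window of the
    previous episode's end.
    """
    repeats = [cur["start"] for prev, cur in zip(episodes, episodes[1:])
               if cur["start"] - prev["end"] <= repeat_window]
    return {
        "episodes": len(episodes),
        "short": sum(1 for e in episodes if e["duration_min"] < short_limit_min),
        "small": sum(1 for e in episodes if e["peak_gbps"] < small_limit_gbps),
        "below_alert_window": sum(1 for e in episodes
                                  if e["duration_min"] < alert_window_min),
        "repeat_starts": repeats,
    }


if __name__ == "__main__":
    eps = detect_episodes(build_samples(), baseline_gbps=0.4)
    for e in eps:
        print(f'{e["start"]:%Y-%m-%d %H:%M} {e["duration_min"]:>3} min '
              f'peak {e["peak_gbps"]:.1f} Gbps')
    print(summarize(eps))
```

Run on the constructed data, the detector finds three episodes; two are under 10 minutes, two peak below 5Gbps, one (the 4-minute burst) would be invisible to a 5-minute aggregation window, and one begins within 24 hours of the previous episode. The sample interval and threshold multiple are the tuning knobs: with minute-resolution flow data and a baseline-relative threshold, a 4-minute, 2Gbps burst is still a clear event, whereas a fixed "over 5Gbps for 5 minutes" rule would report nothing at all for the first day.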

Source: https://www.infosecurity-magazine.com/news/edinburgh-uni-hit-by-major-cyber/
