#cybersecurity | #hackerspace | Now Is the Time to Focus on API Security

Source: National Cyber Security – Produced By Gregory Evans

API security could be the most important consideration in serverless environments for preventing large-scale data breaches

Serverless adoption is growing faster than most would have expected. The majority of companies are already using it, and serverless use will grow significantly over the next two years. With serverless, software engineers are able to build applications that deliver scale and business value without consideration for the complexities of operations and security. The serverless application architecture is so innovative and new that most traditional security tools do not interoperate due to lack of operating system or container access.

A new approach is needed to conduct security analysis and provide protection for serverless apps.

While serverless applications have introduced new security problems, our focus needs to shift to the world of application programming interfaces (APIs), where sensitive data is prominently transferred in these modern application designs.

It is important to discover what organizations are doing to secure their cloud-native apps, especially with the benefits DevSecOps offers. This focus is especially timely these days because fundamental changes to application architectures and the infrastructure platforms hosting them are not served by existing cybersecurity technologies and traditional approaches to securing business-critical workloads.

As we move forward into 2020, we believe that APIs are the most vulnerable attack vector for large-scale data breaches. Security teams need to be able to automate and analyze the security behind their apps. Here is a list of what DevOps and IT security teams need to consider:

API data breaches could represent more than 50% of records lost in the coming months and become the single largest vector of large-scale hacking. According to Verizon’s 2019 Data Breach Incident Report, external hacking remained the largest threat actor (69%) and threat action (53%) respectively for data breaches reported last year, and the top threat vector successfully attacked was web applications, at approximately 67% of the time. When new reports announce that a company has had tens or hundreds of millions of its records compromised or stolen, the specific web attack vector more often than not turns out to be RESTful APIs. It is our belief that these large-scale data breaches from APIs connected to both mobile and web applications will create the largest and most significant data breach headlines in the coming months.

Shadow APIs continue to emerge as a new threat to cloud-first enterprises. According to the ESG Report on Security for DevOps, the top new investment that enterprises plan to make to secure cloud-native apps will be API Security (37% of all respondents marked this as the most important new control needed for cloud security). Cloud services enable businesses to ship new applications (mobile and web) faster and cheaper with more scalability. As a result, the number of new microservices and APIs grows exponentially with cloud-native apps. Enterprise security teams are struggling to keep pace with their DevOps counterparts. New APIs are popping up everywhere and being labeled as “shadow APIs” since it’s not clear who owns them and who is responsible for their ongoing security and compliance.

Serverless continues to outpace Kubernetes and container usage. As much as Kubernetes is being praised by many DevOps thought leaders, the data tells us that most developers appreciate the convenience, speed and ease of building applications with serverless computing. According to CB Insights, serverless is now the highest growth public cloud service ahead of containers, batch computing, machine learning and IoT services. Serverless spending is expected to reach $7.7 billion by 2021, up from $1.9 billion in 2016 with an estimated CAGR of 33%. Today, very few existing security tools can address application security issues specific to serverless applications. This will be an important new security challenge in 2020.

CCPA fines will exceed $200 million in its first year of existence. The California Consumer Privacy Act (CCPA) took effect Jan. 1. However, according to the way the regulation is outlined, lawsuits can be filed for privacy violations occurring in 2019. It is our estimate that very few companies are prepared to meet the guidelines outlined in CCPA. Further, unlike the General Data Protection Regulation (GDPR), which went into effect in May 2018, there are no maximum limits capping how large the fines could be for CCPA violations. The first few CCPA rulings served by the courts may create big headlines to put added pressure on companies to be proactive about protecting the data privacy of their customers.

Many companies have successfully mobilized and monetized their data using APIs as an effective way to share information and build services. However, APIs can create compliance and security vulnerabilities the industry is ill-prepared to address. As more companies leverage and build API services and apps natively in the cloud, the industry will face new concerns and cybersecurity threats. While automation is a common practice that enables DevOps speed and scale, security teams need to take advantage of similar automation techniques to keep up with application teams using CI/CD and DevOps practices.

The industry needs to work closely with the top cloud providers to build better application security controls that function across multi-cloud environments. Most organizations are struggling to secure the application layer of their cloud-native apps, and APIs are the most critical attack vector leading to significant data breaches. As an industry, we need to do more to discover and secure APIs to protect ourselves against large-scale data breaches in the months ahead.


Iran’s APT33 sharpens focus on industrial control systems – Naked Security

Source: National Cyber Security – Produced By Gregory Evans

Iran’s elite hacking group is upping its game, according to new evidence delivered at a cybersecurity conference this week. The country’s APT33 cyberattack unit is evolving from simply scrubbing data on its victims’ networks and now wants to take over its targets’ physical infrastructure by manipulating […]

#nationalcybersecuritymonth | Focus on the fundamentals of cybersecurity

#cybersecurity | Attacks on Multiple Airbus Suppliers Demonstrate a Need for Renewed Focus on Supply Chain Cyber Security

Source: National Cyber Security – Produced By Gregory Evans

The supply chain has become one of the most popular vectors for attackers looking to compromise an enterprise-scale company. Vendors often have access to the company’s sensitive data, or have enough access to their network to provide an opening that allows for privilege escalation. European aerospace company Airbus has found itself on the receiving end of a particularly large coordinated attack on its vendors over the past 12 months. With evidence pointing to a nation-state attacker, this case demonstrates why it is necessary for smaller companies to take supply chain cyber security just as seriously as their larger partners.

The Airbus attacks: Four breach attempts on vendors since late 2018

Given that the company has military contracts throughout the world, including the provision of transport and combat planes to many of Europe’s largest military powers, Airbus is a natural high-value target for nation-state espionage.

It is still unclear exactly who is behind these attacks on Airbus suppliers (as is so often the case with these things), but they have been linked to the Chinese state intelligence services based on the specific technical documents that the hackers targeted.

Agence France-Presse (AFP) reports that four vendors were targeted in separate attacks over the previous year: engine manufacturer Rolls-Royce, technology consultant Expleo, and two other contractors that were not publicly identified.

Airbus has only publicly admitted to one attack that resulted in unauthorized access to data. AFP cited security professionals with direct knowledge of the attacks for the remaining information. Airbus has issued a public statement indicating that supply chain cyber security defenses have been hardened against vendor vulnerabilities.


One of the sources claimed that the compromise of Expleo was discovered early this year, but that the company had been breached long before that. Expleo shared a virtual private network (VPN) with Airbus that the hackers were able to gain access to. Rolls-Royce was compromised by the same hacking group at some point after Expleo was.

Though there is a lack of hard evidence at this point, the cyber security sources believed that Chinese intelligence was involved due to the focus on stealing documents related to the engine and propulsion systems of military transport planes and passenger jets. China has been working on a mid-range airliner and a long-range jet for some time, but has struggled with research and development of engine systems. The methods used and goals closely fit the known patterns of APT10, the group of Chinese hackers that went on a tear of attacking managed service providers for major companies with strategic importance to global governments last year.

Supply chain cyber security lessons from the Airbus attacks

One of the most interesting items in this report was the news that a VPN may have been breached. That’s obviously a very worrying development for any company, but particularly for a defense contractor.

VPNs are supposed to be an enhanced security step implemented specifically to prevent breaches – when one fails it’s a pretty big deal. How could this have happened? The most likely answer is that the encryption key was stolen. It’s also possible that a trusted username/password combination was phished from an employee somewhere outside of the VPN, perhaps from a personal account. Of course, it’s also possible to crack the encryption – something beyond the reach of the average hacker, but perhaps not beyond the reach of the resources of a major nation-state.

What lessons should companies take from these major attacks on Airbus? VPNs are still a powerful privacy and security tool, but not an infallible one. In some cases, breaches may not even be their fault – APT groups have been known to develop exploits for particular VPNs in private, and they are sometimes unknown to the rest of the world until they are deployed successfully in a cyber attack.

Vital operators

Certain companies considered to be “vital operators” by their governments are subject to special cyber security regulations, but these regulations do not necessarily extend to their vendors.

Unfortunately, the process of obtaining contracts in many countries often forces companies to select the lowest reasonable bidder in order to win. Guess what aspect of operations often gets its budget slashed because it is seen as “unnecessary?” Companies often underestimate the importance of supply chain cyber security spending until a breach of critical infrastructure hits and the cleanup bill comes due.

Compliance monitoring of vendors is also a complex issue for an enterprise-scale defense contractor. For example, Airbus has tens of thousands of suppliers located all over the world. Ongoing compliance checks for such a sprawling network of vendors is a virtual impossibility. The solution to this particular problem usually has to come from government regulation of contractors; not only setting supply chain cyber security standards, but in some cases requiring smaller vendors to use only paper records or to do all of their work on the primary contractor’s secure system.

Proper supply chain cyber security is simply a cost of doing business for even smaller vendors. Their larger partners are becoming increasingly likely to have rigorous terms and regular audits laid out in their contracts. Even if they don’t, any vendor that leaves supply chain cyber security unattended due to budget or lack of awareness is gambling. The stakes are their reputation as a trusted partner, fines and potentially even damages from a lawsuit. Smaller vendors must understand that though they themselves may not possess the really juicy information that hackers are after, hackers are scrutinizing them as a vulnerable initial opening to get into the partner network.


Enterprise-scale companies that work with many vendors need to understand what it is that hackers will test the supply chain cyber security for: access and shared sensitive information. Both should be limited to absolute necessities. Enterprise companies must also resist the temptation to downgrade their security to make it easier for multiple vendors to access their systems. The costs of data breaches always need to be calculated and weighed against the costs of simply getting the security right in the first place.



Why #Companies Need to #Focus on their #Cybersecurity for #Complete #Visibility

Source: National Cyber Security News

Digitization has taken over, and how. But as every company makes the move to digital, it also opens up a plethora of dangers from the dark side of the Internet. That cybersecurity is a necessity has been brought home to us time and again in the past year, with malware such as ransomware hitting the biggest companies across the world.

Tackling this growing threat and ensuring that companies are growing faster but safer is CTM360, a cybersecurity company based out of Bahrain. Entrepreneur India caught up with Vinod Johnson, Technical Accounts Manager, CTM360 on the sidelines of the Unbound Bahrain event, as he spoke about the need for companies to be vigilant and how Bahrain is the right place to start a company.

Managing Your Cyber Side

As a cybersecurity company, CTM360 offers cyber threat management services on a subscription model. From digital risk management to detection and even response, Johnson said that they look at all sorts of cyber threats and act on them.

Johnson admits that because of the growth of digitization, there’s so much stuff out there which is often missed by companies. “Companies don’t have a good visibility of their cyber assets.


Cybersecurity #policymaking is #out of #focus. Bureaucracy #hackers can #help.

Source: National Cyber Security News

The cybersecurity industry is in desperate need of more “bureaucracy hackers” — individuals within federal and state governments who are authorities on the intricacies of policy creation and the nature of today’s rapidly-evolving technology and threat landscapes.

To understand why, look no further than Georgia State Bill 315: Introduced in the Georgia state senate earlier this month, the bill has the entire cybersecurity community shaking its head in disbelief. In short, the bill is modeled after the highly-controversial Computer Fraud and Abuse Act, which makes accessing a network or computer without authorization illegal – even if there is no theft or damage. While many parts of the U.S. government are advancing cybersecurity by adopting industry’s best practices, such as allowing security researchers to identify and disclose vulnerabilities that make us all safer, Georgia is closing the door to these folks.

Sen. Mark Warner’s IOT Improvement Act is another clear example: Drafted and supported by a bipartisan group of senators, the bill aims to protect increasingly “connected” citizens and their homes by introducing a baseline security standard for all internet-connected devices.

In principle, this is exactly the type of legislative action we want to see from lawmakers.


For better #cyber-security, focus on #behavior

Source: National Cyber Security – Produced By Gregory Evans


William Mackey thinks the old-school approach to cyber-security — wait for a problem, then tweak the technology — needs to go the way of Windows ’98.

If Americans expect to protect sensitive information, the country needs to shift its perception from hardware to human behavior when it comes to security, he said.

Mackey, an assistant professor of criminology and criminal justice at Indiana State University, told the more than 100 students and staff members packed in Dede 1 of the Hulman Memorial Student Union at ISU on Wednesday that the country needs an approach that couples technology with the way people actually behave.

“We’ve gotten complacent, in fact, these data breaches are happening so often,” Mackey said. “The way that we’ve been fighting this so far has been through purely technological means.

“We’re fighting technology with technology. We try to figure out how much money we can dump into our IT systems, how much IT staff we can get and then we react.

“What we’re suggesting is a different way to look at cyber-security in general. A lot of the data breaches that have happened, happened specifically because of a human behavioral impetus. It started because of somebody, not necessarily a machine, that was an employee or had a user name and password. There’s always somebody behind the machine.”

Mackey’s presentation on cyber-security was part of a round-table discussion on the future of cyber-security and the impact criminology and sociology students can have in shaping that future.

“We don’t need people, necessarily, that have computer programming backgrounds, in fact most of the time I don’t think that’s a good idea,” Mackey said. “We need people with fresh perspectives on things and people who understand why people do things, how we motivate, how to train effectively. What better place to look for that than a criminology background.

“That’s what we focus on, right? Why did they do it, how did they do it and how do we prevent it. It’s what criminologists do already.”

“Seventy-two percent of all data breaches that have happened since 2005 have had a human behavioral component. That is to say, they would not have happened if that human behavioral action didn’t take place,” Mackey said. “We’re not focusing on this human behavioral aspect at all right now. It’s simply not the focus.”

Chetrice Mosely, cyber-security program director for Indiana’s Cybersecurity Council, echoed Mackey’s point, saying the over-sharing of information online is a personal issue, not a technological one.

“To the professor’s point, more than 70 percent of the problem is us,” Mosely said. “It’s not a technology issue, it’s not an IT division issue, it’s an employee issue, it’s a personal issue.

“We share way too much information online because either we think it’s already out there or we don’t care because we’re apathetic.”

The problem needs to be tackled in a human way, she said.

If hackers understand that it’s easier to exploit people than technology, then security experts need to retrain the public, not just tweak the technology, she said.

The pair also touched on the great need for qualified people in the cybersecurity field.

More than 6 million jobs are expected discipline-wide in 2019, and forecasts say only about 3.5 million candidates will be ready. Mackey said the average starting salary of those breaking into cybersecurity is around $95,000.

But Mosely reiterated the professor’s earlier point that employers are looking for fresh eyes.

“What businesses are looking for is not people with an IT background, but people with critical thinking skills and who are problem solvers,” Mosely said. “They need the people who can communicate well and can quickly figure things out. If you can do that on day one, then they can teach you the IT stuff.”


Trump’s cybersecurity EO is ‘terrible’ says former AT&T CISO, recommends focus on 3 areas

Source: National Cyber Security – Produced By Gregory Evans

Ed Amoroso, the former chief security officer of AT&T, once wrote a blog post grading the previous administrations in Washington in cybersecurity. They all rated badly. That included the recent Obama administration, which Amoroso said, got “too wrapped up in privacy.” He gave the Obama administration a simple recommendation on…


SC businesses hold Cybersecurity Summit to focus on threats

Source: National Cyber Security – Produced By Gregory Evans


Small and medium-sized businesses from across South Carolina were in Columbia Tuesday for a Cybersecurity Summit, to learn how to better protect themselves and your personal information. “Those governmental agencies or businesses have your information, so businesses are doing all they can to protect it,” says Ted Pitts, president and CEO of the South Carolina Chamber of Commerce, which hosted …


Private sector urged to focus on cyber security defense

Source: National Cyber Security – Produced By Gregory Evans

The private sector will come under increased focus to serve as the first line of defense for cyber security, a former general counsel for the U.S. National Security Agency said Wednesday. Rajesh De, now a partner at Mayer Brown’s Washington …
