time

now browsing by tag

 
 

#cybersecurity | #hackerspace | Now Is the Time to Focus on API Security

Source: National Cyber Security – Produced By Gregory Evans

API security could be the most important consideration in serverless environments for preventing large-scale data breaches

Serverless adoption is growing faster than most would have expected. The majority of companies are already using it, and serverless use will grow significantly over the next two years. With serverless, software engineers are able to build applications that deliver scale and business value without consideration for the complexities of operations and security. The serverless application architecture is so innovative and new that most traditional security tools do not interoperate due to lack of operating system or container access.

A new approach is needed to conduct security analysis and provide protection for serverless apps.

While serverless applications have introduced new security problems, our focus needs to shift to the world of application programming interfaces (APIs), where sensitive data is prominently transferred in these modern application designs.

It is important to discover what organizations are doing to secure their cloud-native apps, especially with the benefits DevSecOps offers. This focus is especially timely these days because fundamental changes to application architectures and the infrastructure platforms hosting them are not served by existing cybersecurity technologies and traditional approaches to securing business-critical workloads.

As we move forward into 2020, we believe that APIs are the most vulnerable attack vector for large-scale data breaches. Security teams need to be able to automate and analyze security behind their apps. Here is a list of what DevOps and IT security teams to consider:

API data breaches could represent more than 50% of records lost in the coming months and become the single largest vector of large-scale hacking. According to Verizon’s 2019 Data Breach Incident Report, external hacking remained the largest threat actor (69%) and threat action (53%) respectively for data breaches reported last year. And the top threat vector successfully attacked was web applications, at approximately 67% of the time. When new reports announcing a company has had tens or hundreds of millions of its records compromised or stolen, the specific web attack vector more often than not appears to be RESTful APIs. It is our belief these incidents of large-scale data breaches from APIs connected to both mobile and web applications will create the largest and most significant data breach headlines in the coming months.

Shadow APIs continue to emerge as a new threat to cloud-first enterprises. According to the ESG Report on Security for DevOps, the top new investment that enterprises plan to make to secure cloud-native apps will be API Security (37% of all respondents marked this as the most important new control needed for cloud security). Cloud services enable businesses to ship new applications (mobile and web) faster and cheaper with more scalability. As a result, the number of new microservices and APIs grows exponentially with cloud-native apps. Enterprise security teams are struggling to keep pace with their DevOps counterparts. New APIs are popping up everywhere and being labeled as “shadow APIs” since it’s not clear who owns them and who is responsible for their ongoing security and compliance.

Serverless continues to outpace Kubernetes and container usage.  As much as Kubernetes is being praised by many DevOps thought leaders, the data tells us that most developers appreciate the convenience, speed and ease of building applications with serverless computing. According to CB Insights, serverless is now the highest growth public cloud service ahead of containers, batch computing, machine learning and IoT services. Serverless spending is expected to reach $7.7 billion by 2021, up from $1.9 billion in 2016 with an estimated CAGR of 33%. Today, very few existing security tools can address application security issues specific to serverless applications. This will be an important new security challenge in 2020.

CCPA fines will exceed $200 million in its first year of existence. The California Consumer Privacy Act (CCPA) took effect Jan. 1. However, according to the way the regulation is outlined, lawsuits can be filed for privacy violations occurring in 2019. It is our estimate that very few companies are prepared to meet the guidelines outlined in CCPA. Further, unlike the General Data Protection Regulation (GDPR), which went into effect in May 2018, there are no maximum limits capping how large the fines could be for CCPA violations. The first few CCPA rulings served by the courts may create big headlines to put added pressure on companies to be proactive about protecting the data privacy of their customers.

Many companies successfully mobilized and monetized their data using APIs as an effective way to share information and build services. However, APIs can create compliance and security vulnerabilities the industry is ill-prepared to address. As more companies leverage and build API services and apps natively in the cloud, the industry will face new concerns and cybersecurity threats. While automation is a common practice that enables DevOps speed and scale, security teams need to take advantage of similar automation techniques to keep up with application teams using CI/CD and DevOps practice.

The industry needs to work closely with the top cloud providers to build better application security controls that function across multi-cloud environments. Most organizations are struggling to secure the application layer of their cloud-native apps, and APIs are the most critical attack vector leading to significant data breaches. As an industry, we need to do more to discover and secure APIs to protect ourselves against large-scale data breaches in the months ahead.

Source link

The post #cybersecurity | #hackerspace |<p> Now Is the Time to Focus on API Security <p> appeared first on National Cyber Security.

View full post on National Cyber Security

#deepweb | The tech giants dominated the decade. But there’s still time to rein them in | Jay Owens | Opinion

Source: National Cyber Security – Produced By Gregory Evans The 2010s will be remembered for a new era in the development of capitalism, one of mind-boggling scale. Apple, Amazon and Microsoft are closing the decade as the world’s first trillion-dollar companies. Last year, Apple’s revenue was larger than Vietnam’s GDP, while Amazon’s research and development […] View full post on AmIHackerProof.com

#cybersecurity | hacker | The time is now for outsourced security services

Source: National Cyber Security – Produced By Gregory Evans For years we’ve been talking about the skills shortage that plagues the cybersecurity industry and which some reports now peg at three million and growing. Organizations lack trained, experienced resources in many areas including expertise in management and monitoring of the infrastructure protecting an environment, incident […] View full post on AmIHackerProof.com

#cybersecurity | hacker | It’s past time to contain identity sprawl. Here’s how to do it.

Source: National Cyber Security – Produced By Gregory Evans Identity sprawl – too many usernames and too many passwords – has never been as big a concern as it is today: More devices are being brought into the enterprise, more people are working remotely and using their own devices, and more users continue to access […] View full post on AmIHackerProof.com

#cybersecurity | #infosec | Hackers attack OnePlus again – this time stealing customer details – HOTforSecurity

Source: National Cyber Security – Produced By Gregory Evans

Hackers have once again successfully compromised the website of Chinese phone manufacturer OnePlus.

Back in January 2018 it was revealed that the credit card details of some 40,000 people using the OnePlus website had been stolen by hackers. On that occasion the attackers managed to inject a malicious script into an payment webpage that skimmed card data as it was entered by customers.

At the time OnePlus said it was conducting an indepth security audit of its systems.

The latest security incident, detailed by OnePlus in an FAQ on its website, isn’t as serious as the payment card breach – but could still lead to customers being put at risk by fraudsters and online criminals.

The cellphone manufacturer has confirmed that customers’ names, contact numbers, email addresses and shipping details have been accessed by an unauthorised party via a vulnerability on its website.

Fortunately, payment information and passwords have not been compromised.

OnePlus has not revealed just how many customers have been impacted by the data breach, but says that all affected users have been sent an email notifying them of the security incident.

Of course, even if your passwords and payment details haven’t been exposed in this latest hack – that doesn’t mean that users have nothing to worry about.

Online criminals could abuse users’ names and contact details to launch phishing attacks, spread spam, or even attempt to commit fraud over the telephone.

Of course, the challenge for affected users is that – unlike passwords – details such as your name and contact details can not be easily changed.

Customers are being advised to contact OnePlus’s support team for assistance if they have any concerns.

According to the company it has since patched the vulnerable website, and checked it for similar security flaws:

“We’ve inspected our website thoroughly to ensure that there are no similar security flaws. We are continually upgrading our security program – we are partnering with a world-renowned security platform next month, and will launch an official bug bounty program by the end of December.”

No details have been shared of the nature of the website vulnerability which allowed the hackers to access customer data, but OnePlus must realise that the patience of customers is not limited – and for a second serious security breach to have occurred in a relatively short period of time will have done nothing to strengthen users’ trust in the brand.

More transparency about what has occurred and how, combined with strengthened security, would go a long way to reassure customers who must be feeling rattled by this latest incident.

OnePlus says it has informed the authorities about the data breach and is working with the police to further investigate who might be responsible for the attack.

Source link

The post #cybersecurity | #infosec | Hackers attack OnePlus again – this time stealing customer details – HOTforSecurity appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | hacker | Application isolation and virtualization provide a false sense of cybersecurity – It’s time for a better solution

Source: National Cyber Security – Produced By Gregory Evans A recently discovered critical vulnerability presents yet another case study for the shortcomings of the isolation/virtual machine model for cybersecurity. The vulnerability, CVE-2019-14378, has a severity of 8.8, and was first published in the National Vulnerability Database on July 29th, 2019. The vulnerability affects QEMU, the […] View full post on AmIHackerProof.com

#deepweb | Bernie Sanders is right, it’s time to redistribute economic power | Mathew Lawrence | Opinion

Source: National Cyber Security – Produced By Gregory Evans

Oligarchy rules the United States: the republic has been ransacked, its commonwealth privatised, and rentierism runs amok. The richest 10% of Americans capture an estimated 97% of all capital income – including capital gains, corporate dividends and interest payments. Since the financial crisis of 2008, almost half of all new income generated in the US has gone to the top 1%. The three wealthiest people in the US now own more wealth than the bottom 160 million Americans. And the richest family in America – the Walton family, which inherited about half of Walmart’s stock – owns more wealth than the bottom 42% of the American people.

The case for bold action is clear and overwhelming. Only a deep reconstruction of economic and political rights can challenge oligarchic power and halt runaway environmental breakdown. Fortunately, Bernie Sanders has just announced a new plan that matches the scale of the crisis.

His announcement on Monday of the corporate accountability and democracy plan is the latest and boldest proposal for economic democracy in America to emerge from the Democratic presidential race. At its core, it seeks to democratise the company by redistributing economic and political rights within the firm away from external shareholders and executive management toward the workforce as a collective. This is about redistributing wealth and income, but critically, it is also about redistributing power and control. Democratising the company would transform it from an engine of wealth extraction and oligarchic power toward a genuinely purposeful, egalitarian institution, one where workers would have a collective stake and say in how their company operates, and would share in the wealth they create together.

The Sanders plan would transform and democratise economic and political rights by fundamentally rewiring ownership and control of corporate America. Companies would be required to share corporate wealth with their workers, transferring up to 20% of total stock over a decade to democratic employee ownership funds. The monopoly on voting rights that private external shareholders and their financial intermediaries have benefited from would be ended; employees would be guaranteed the right to vote on corporate decision-making at work, and have a voice in setting their pay, regardless of the kind or size of company or firm they work for. Corporate boards would be democratised, with at least 45% of the board of directors in any large corporation directly elected by the firm’s workers. And the outrageous power of asset management – whose actions have done so much to accelerate the climate crisis by continuing to invest heavily in fossil fuel companies – would be ended. Asset managers would be banned from voting on other people’s money – the collective savings of millions of ordinary workers – unless following clear instructions from the savers.

Taken as a whole, Sanders’s plan would radically re-engineer how the company is controlled and for whom. The echoes with Labour’s agenda for democratising economic power is obvious, particularly John McDonnell’s inclusive ownership fund proposal, and further evidence of an increasingly fertile transatlantic pollination of ideas and practice, from the Green New Deal to movement building. Common Wealth, the thinktank that I am the director of, is another example of this, committed to designing ownership models for the democratic economy on both sides of the Atlantic. In this, at least, there is much to learn from the right; Anglo-American conservatism and the new right have long shared intellectual and organisational resources and common aims, from the incubation of neoliberalism, to current salivations over a disaster capitalism-style US-UK trade deal. It is time progressives did the same.

An emphasis on reimagining ownership and governance is a vital step forward. We face two deep crises – environmental breakdown and stark inequalities of status and reward – both sharing a common cause: the deep, undemocratic concentration of power in our economy. Working people lack a meaningful stake and a say in their firm. Corporate voting rights are near-monopolised by a web of extractive financial institutions. The needs of finance are privileged over the interests of labour and nature. Tinkering won’t address this deep imbalance in power. To build an economy that is democratic and sustainable by design, we need to transform how the company operates and for whom.

For the left, remaking corporations must be at the heart of a radical agenda. The company is an extraordinary social institution, an immense engine for coordinating production based on a complex web of relationships. The critical question is who controls how it operates and who has a claim on its surplus. Today, the answer is a combination of shareholders, institutional investors and executive management; the company has been captured by finance and extractive economic practices, but it doesn’t have to be that way.

The company – and the distribution of rights within it – are neither natural nor unchangeable. There is nothing inevitable about the existing, sharply unequal distributions of power and reward within them. The company is a social institution, its rights and privileges publicly defined. We can organise it differently: through social control, not private dominion, via democracy, not oligarchy. Sanders’s announcement is an important step toward that democratisation, and the deeper economic reconstruction that both people and planet deserve.

Mathew Lawrence is director of the thinktank Common Wealth

Source link
——————————————————————————————————

The post #deepweb | <p> Bernie Sanders is right, it’s time to redistribute economic power | Mathew Lawrence | Opinion <p> appeared first on National Cyber Security.

View full post on National Cyber Security

Intel #Chairman: Election #Cybersecurity Fixes ‘Might Not be in #Time to Save the #System’

Homeland Security Secretary Kirstjen Nielsen told senators that most states are being cooperative with the whole-of-government effort to protect voting systems from cyberintrusions, though there are two unnamed states “who aren’t working with us as much as we would like right now.”

Members of the Senate Intelligence Committee grilled Nielsen last week about what is being done to secure the vote in light of Russia’s campaign influence operation in the 2016, and for an inside perspective on that campaign season former DHS Secretary Jeh Johnson joined Nielsen at the witness table.

Chairman Richard Burr (R-N.C.) praised DHS for making “great strides towards better understanding elections, better understanding the states, and providing assistance that makes a difference to the security of our elections.”

“But there’s more to do. There’s a long wait time for DHS premier services. States are still not getting all the information they feel they need to secure their systems,” Burr said. “The department’s ability to collect all the information needed to fully understand the problem is an open question, and attributing cyber attacks quickly and authoritatively is a continuing challenge.”

The chairman stressed that “this issue is urgent — if we start to fix these problems tomorrow, we still might not be in time to save the system for 2016 and 2020.”

Vice-Chairman Mark Warner (D-Va.) noted that in 2016 Russian actors “were able to penetrate Illinois’ voter registration database and access 90,000 voter registration records — they also attempted to target the election systems of at least 20 other states.”

“The intelligence community’s assessment last January concluded that Russia secured and maintained access to multiple elements of U.S. state and local election boards,” he said. “And the truth is clear that 2016 will not be the last of their attempts.”

Nielsen described the DHS arm of the election security mission as providing “assistance and support to those officials in the form of advice, intelligence, technical support, incident response planning, with the ultimate goal of building a more resilient, redundant, and secure election enterprise.”

“Our services are voluntary and not all election officials accept our offer of support. We continue to offer it; we continue to demonstrate its value. But in many cases state and local officials have their own resources and simply don’t require the assistance that we’re offering,” she said.

So far, the secretary told senators, “more than half” of states have signed up for DHS’ cyber hygiene scanning service, an automated remote scan “that gives state and local officials a report identifying vulnerabilities and offering recommendations to mitigate them.”

Another tool DHS is using is information sharing directly with election officials “through trusted third parties such as the Multi-State Information Sharing and Analysis Center, or MS-ISAC, and we look forward to the creation of the Election ISAC.”

Nielsen emphasized the need to “rapidly share information about potential compromises with the broader community so that everyone can defend their systems.”

“This collective defense approach makes all election systems more secure,” she said. “We’re also working with state election officials to share classified information on specific threats, including sponsoring up to three officials per state with security clearances and providing one-day read-ins as needed when needed, as we did in mid-February for the secretaries of state and election directors. We are also working with the intelligence community to rapidly declassify information to share with our stakeholders.”

Unlike DHS’ posture in 2016, Nielsen said the department now knows which person to contact in every state to share threat information.

“DHS is leading federal efforts to support and enhance the security of election systems across the country. Yet we do face a technology deficit that exists not just in election infrastructure but across state and local government systems,” she said. “It will require a significant investment over time and will require a whole-of-government solution to ensure continued confidence in our elections.”

Johnson talked about the Obama administration’s reticence to make a wrong move on Russia’s campaign interference and give the appearance that the White House was stepping into the election.

“The reality is that, given our electoral college and our current politics, national elections are decided in this country in a few precincts in a few key swing states. The outcome, therefore, may dance on the head of a pin. The writers of the TV show House of Cards have figured that out. So can others,” Johnson told lawmakers, adding he’s “pleased by reports that state election officials to various degrees are now taking serious steps to fortify cybersecurity of their election infrastructure and that the Department of Homeland Security is currently taking serious steps to work with them in that effort.”

Nielsen said DHS is trying to get security clearances for those three election contact persons in each state, but only “about 20” of those 150 officials have received the full clearance. “We’re granting interim secret clearances as quickly as we can,” she said, adding later that they’re “widely using day read-ins now, so we’re not going to let security clearances hold us up.”

The secretary said “a lot of work” has been accomplished at DHS over the past year on “related processes,” including working with the intelligence community to declassify information as “some of the information does not originate within DHS, so we need to work with our partners to be able to share it.”

“The second one is on victim notification. We have a role there, but so does FBI and so does MS-ISAC, which in this case the Multi-State Information Sharing and Analysis Center was in some cases the first organization to identify some of the targeting,” Nielsen said. “So we have to work with whomever originates the information. We all have different roles. So we’ve worked to pull it all together so that we can quickly notify victims of what has occurred.”

Pressed on the current level of cyber threat from malicious actors heading into midterm elections, Nielsen replied that “the threat remains high.”

“We think vigilance is important, and we think there is a lot that we all need to do at all levels of government before we have the midterm elections,” she said. “I will say our decentralized nature both makes it difficult to have a nationwide effect, but also makes it perhaps of greater threat at a local level. And, of course, if it’s a swing state or swing area that can, in turn, have a national effect.”

“So what we’re looking at is everything from registration and validation of voters — so those are the databases, through to the casting and the tabulation of votes, through to the transmission — the election night reporting, and then, of course, the — the certification and the auditing on the back end. All of those are potential vulnerabilities. All of those require different tools and different attention by state and locals,” Nielsen continued, adding that the federal government continues to work with state and local jurisdictions “to also help them look at physical security.”

“They need to make sure that the locations where the voting machines are kept, as well as the tabulation areas, they need access control and very traditional security like we would in other critical infrastructure areas,” she said.

Johnson told senators that “with the benefit of two years’ hindsight it does seem plain… that the Russian effort has not been contained; it has not been deterred.”

“In my experience, superpowers respond to sufficient deterrence and will not engage in behavior that is cost prohibitive. Plainly, that has not occurred and more needs to be done,” the former DHS chief said. “With the benefit of hindsight, the sanctions we issued in late December [2016] have not worked as an effective deterrent and it’s now on the current administration to add to those and follow through on those.”

advertisement:

The post Intel #Chairman: Election #Cybersecurity Fixes ‘Might Not be in #Time to Save the #System’ appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

EU #CYBERSECURITY #ACT: TIME FOR A #TWO-WAY #STREET ON #CYBERSECURITY INFORMATION-SHARING

Europe can minimize and prevent repeats of WannaCry, Heartbleed and other criminal exploitation of large-scale software vulnerabilities. The way to do that is to advance a norm encouraging governments to establish internal processes to review and share information which they have obtained about software vulnerabilities. The proposed EU Cybersecurity Act is a good place to start, with ENISA, the EU Cybersecurity Agency, supporting Member States in sharing and implementing best practices.

Today, European governments and their various departments and agencies come across software vulnerabilities in multiple ways, for example through their own research and development, by purchasing them, through intelligence work, or by reports from third parties.

Vulnerabilities – especially ‘zero-day’ ones – pose a serious cybersecurity threat in that they can also be exploited by cybercriminals to cause serious damage to citizens, enterprises, public services and governments, as witnessed in, for instance, the recent WannaCry, Petya, and Heartbleed cyberattacks.

Yet despite this reality, very few EU Member States have a proper process for these agencies and departments to review and disclose the vulnerabilities they discover to relevant vendors. This inhibits the possibility of affected companies to patch their codes and protect users’ systems before these vulnerabilities become known to other actors and weaponized against the wider public.

Read More….

advertisement:

The post EU #CYBERSECURITY #ACT: TIME FOR A #TWO-WAY #STREET ON #CYBERSECURITY INFORMATION-SHARING appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

IBM’s #Schneier: It’s #Time to Regulate #IoT to Improve #Cyber-Security

Source: National Cyber Security – Produced By Gregory Evans

The time has come for the U.S. government and other governments around the world to start regulating internet of things (IoT) security, according to Bruce Schneier, CTO of IBM’s Resilient Systems.

Schneier delivered his message during a keynote address at the SecTor security conference here Nov. 15. Today everything is basically a computer, whether it’s a car, a watch, a phone or a television, he said. IoT has several parts, including sensors that collect data, computing power to figure out what to do with the collected data and actuators that affect the real world.

“Sensors are the eyes and ears of the internet, actuators are the hands and feet of the internet, and the stuff in the middle is the brain,” Schneier said. “We’re creating an internet that senses, thinks and acts—that’s the classical definition of a robot.

“We’re building a robot the size of the world, and most people don’t even realize it,” he said.

What that means is that internet security is now becoming “everything” security, according to Schneier. As such, he noted that computer security expertise is now needed in the auto industry because cars are now computers and all the lessons of the cyber-world are applicable everywhere.

“Availability and integrity threats are important as real risks to life and property now,” he said. “So now vulnerabilities have very different consequences. There is a difference between when a hacker crashes a computer and you lose your data and when a hacker hacks your car and then you lose your life.”

In Schneier’s view, many of the existing security paradigms fail in the new world of IoT. Whereas traditional software firms and big mobile vendors like Apple and Google have dedicated security teams, the same is not always true for IoT vendors. As such, Schneier said that IoT devices are often not patched quickly, if at all.

“A home DVR could have been part of the Mirai botnet, and likely most people just don’t care so long as the device works,” Schneier said. “Defending against Mirai is hard because it’s not just dropping a patch on Windows and making it go away.”

Time for Regulation

The challenge of cyber-security cannot be effectively solved by industry alone, according to Schneier. Instead, he advocated for government involvement to help regulate technology security. As internet connected devices move into regulated industries, Schneier expects that computer software that has largely been regulation-free will need to change. There are also historical precedents for new technology usage leading to new government agencies and regulations. For example, the emergence of cars, airplanes, radio and television have all led to government agencies and regulation.

“In the 20th century, new technology led to the formation of new agencies all the time,” he said.

There are a lot of problems that markets cannot solve on their own, since markets are typically short-term profit motivated and can’t solve collective action problems, he said. Additionally, Schneier said there is a need to have a counter-balancing force for corporate power.

“Government is how we solve problems like this,” he said.

Schneier expects that there will be a lot of issues that will need to debated and resolved about connected technology regulations, but in his view there really isn’t a better alternative to ensuring cyber-security safety than government regulations. That said, the reason why he was speaking at SecTor was to help raise awareness and get cyber-security professionals engaged in government policy conversations, he said.

“As technologists, we need to get involved in policy, since IoT brings enormous potential and enormous risks,” Schneier said. “As internet security becomes everything security, all security has strong technological components.

“We’ll never get policy right if policy makers get technology wrong,” he said.

The post IBM’s #Schneier: It’s #Time to Regulate #IoT to Improve #Cyber-Security appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures