Source: National Cyber Security – Produced By Gregory Evans. Worldwide spending on information security and risk management systems will reach $131B in 2020, increasing to $174B in 2022; approximately $50B of that will be dedicated to protecting the endpoint, according to Gartner’s latest Information Security and Risk Management forecast. Cloud security platform and application sales are predicted […]
The 2019 cybersecurity landscape was once again littered with attacks. From the resurgence of ransomware to mega data breaches, cybercriminals continue to target organizations and individuals around the world. In addition to the sheer volume of attacks in 2019, the industry also witnessed a mix of old and new threats with hackers using their standard playbook of phishing, botnets, malware, and DDoS to launch more sophisticated attacks with artificial intelligence (AI) and machine learning (ML).
But threats were not the only things that evolved in 2019. The technology being developed and used to counter these attacks – as well as the corporate “value” assigned to security – also continued to evolve. Organizations are investing more in security research teams and bug bounty programs, and new training resources are helping companies reduce insider threats.
As we move into 2020 and the new decade, there have been a lot of cybersecurity predictions and trends grabbing headlines. Here are five that caught our attention:
1) The Shortage of Qualified Cybersecurity Professionals Worsens
The lack of skilled cybersecurity professionals continues to be a paramount issue for the industry as it moves into 2020. According to the 2019 Workforce Report from (ISC)2 there are currently approximately 1.3 million open cybersecurity positions worldwide. In the U.S. alone, CyberSeek currently shows more than 500k job openings (with an average base salary of approximately $96,000 USD). To help change this trend, the industry must continue to take a multipronged approach that not only focuses on creating technology that empowers professionals, but also building on formal education and development programs, and expanding the talent pool. Interested in understanding the job satisfaction level of current security professionals? This recent Help Net Security article explores that dynamic in more detail.
2) Will You Be Cloud Smart?
Cloud everything continues to rise, including concerns with cloud data loss, unauthorized access, misconfiguration, encryption and more. As a matter of fact, 93% of organizations are moderately to extremely concerned about cloud security. But how organizations adapt to these cloud security challenges will be interesting in 2020. There’s no shortage of predictions around this topic as some experts predict a rise in misconfiguration leading to more breaches, while others look to new SaaS SIEM solutions and alliances to move the market forward. Check out these articles from Solutions Review and Forbes to learn more.
3) Artificial Intelligence and Machine Learning as a Tool for Us and Them
When it comes to cybersecurity, metaphorically speaking, humans are the tortoise and threats are the hare. While we might not be able to keep up with the sheer volume of attacks hitting networks, innovation around AI and ML is helping to accelerate early identification of and response to these threats, especially new ones. Unfortunately, attackers are already using the same technology, for example to gather training data for their own models and to better conceal malicious code in applications. As we move into 2020, we could see AI-modeled malware that evades sandboxing or AI-enabled spear phishing that further scales up attacks. Read more about the impact of AI and ML in cybersecurity with these articles from CISO, CIO, and Security Magazine.
4) Cybersecurity and Risk Management Tops Priority List for CIOs
According to the National Association of State Chief Information Officers (NASCIO), cybersecurity is the number one priority when it comes to 2020 strategies, policies and management processes. Security Enhancement Tools claimed the fourth spot on their list of Top 10 Technologies (with Cloud Solutions, Legacy App Modernization and Data Analytics rounding out the top three). Interestingly enough, Forrester Research’s 2020 predictions focused on a different set of challenges that includes talent acquisition and retention, data strategies, and automation. Can you guess what tops the list for CFOs? Check out this Crain’s New York Business article to find out.
5) The IoT Security Problem Grows
The rise in IoT devices continues to present challenges for security teams tasked with securing corporate networks. With IoT attacks up sharply in 2019 (Kaspersky reported an increase from 12 million in the first half of 2018 to 105 million in the first half of 2019), it’s no surprise that many in the industry predict major growth around this attack vector, as attackers enlist compromised devices to launch large-scale attacks such as DDoS. Combating this threat means organizations must extend monitoring to cover the larger attack surface these devices create, adopt solutions that simplify device management, and cut down the false-positive alerts that often plague IoT monitoring. A recent article from CISO Magazine outlines some of the more unusual attacks, including ones involving an Internet-connected gas station and a connected coffee machine.
This list easily could have included 10-20 more fascinating trends, predictions, and challenges. We’ll be sure to keep a keen eye out to see what hits and what misses in 2020.
* * *
*** This is a Security Bloggers Network syndicated blog from Bricata authored by Bricata. Read the original post at: https://bricata.com/blog/security-trends-2020/
Top Gear Sunday, BBC2, 8pm The intrepid trio of Andrew “Freddie” Flintoff, Chris Harris and Paddy McGuinness have got their feet behind the wheel of the long-running motoring show. After a couple of dodgy runs following the departure of Jeremy Clarkson, James May and Richard Hammond, Top Gear is no longer stuttering like a clapped-out old banger, but purring like a brand new sports car. The 28th series will once again feature a mix of test drives and out-of-this-world adventures, beginning with a road trip in a trio of affordable second-hand convertibles. Also: Harris’s views on the new Ariel Atom and the sight of daredevil Flintoff bungee-jumping off a dam in an old Rover.
Win the Wilderness: Alaska Sunday, BBC2, 9pm Six couples are challenged to prove their survival skills in Alaska’s harsh wilderness, with the most successful pair winning a remarkable home miles from the nearest road, which was built from scratch by its original owners. In the first episode, they receive a crash course in what to do when encountering a bear before being sent into the woods to gather material and build shelters. They must then fell trees, make a fire and brave the freezing waters of Lost Lake.
Keeler, Profumo, Ward and Me Sunday, BBC2, 11pm
If you watched BBC1’s The Trial of Christine Keeler, switch over immediately after the final episode ends for this documentary, which offers a personal insight into the 1963 scandal that brought down Harold Macmillan’s government. Journalist Tom Mangold reported on the story while working as a reporter on Fleet Street, and describes the atmosphere around the country at the time. There’s also a chance to hear secret audio recordings made by the producers of the 1989 film Scandal, in which both Keeler and Mandy Rice-Davies discuss their weekends at Cliveden and their claims that they were pressured into giving evidence against their friend, society osteopath Stephen Ward.
Stockholm Requiem Sunday, Channel 4, 11pm
Channel 4 premieres the first episode of this Swedish psychological crime drama (original title: Sthlm Rekviem), based on Kristina Ohlsson’s bestselling novels, with the entire 10-part series available online on All 4. After a tragic accident, unconventional criminologist Fredrika Bergman (Liv Mjönes) joins a special investigations team in Stockholm and is assigned to work with the leader of the unit, Alex Recht. He is resistant to Bergman’s intellectual presence but they need her help in tracing the main suspect in the abduction of a little girl: her apparently abusive father.
The Windermere Children Monday, BBC2, 9pm
As the literary and cinematic worlds grapple with a glut of Holocaust-based fiction, is there room for a drama, based on a true story, about a group of children who survived the concentration camps and are brought to England’s Lake District in 1945 to try to rebuild their shattered lives? They’re helped in this slow, painful process by a child psychologist (Thomas Kretschmann) and a team of counsellors who include an art therapist (Romola Garai). We’re not expecting any Beatrix Potter-style happy endings by Lake Windermere, but we may just see some glimpses of lost innocence. Followed at 10.30pm on BBC4 by The Windermere Children: In Their Own Words.
Holocaust Memorial Day Monday, BBC2, 7pm Seventy-five years after the liberation of Auschwitz concentration camp, more than 150 survivors attend a commemoration to mark Holocaust Memorial Day. Through music, poetry and powerful personal testimony, all those who were persecuted by the Nazis, as well as those who were victims of later genocides are remembered. Among those taking part are cellist Sheku Kanneh-Mason accompanied by his brother Braimah, actors Simon Russell Beale and Warwick Davis, and the Fourth Choir. Huw Edwards presents.
Bring Back the Bush: Where Did Our Pubic Hair Go? Monday, Channel 4, 10pm There have been a lot of new trends in personal grooming over the past few decades, but there’s one very big (and very personal) one that doesn’t get talked about much, at least not on TV. In this documentary, Chidera Eggerue finds out why so many women are removing their pubic hair. As she discovers, you only have to go back a few decades to find a time when this wasn’t seen as necessary, so what caused the change in our attitudes to our bikini lines – and is it time for the bush to make a comeback? To find out, Eggerue challenges herself and her peers to grow theirs back as part of an exhibition where they will reveal their bodies to the world in their natural, naked state.
Shortscreen: Heartbreak Monday, RTÉ2, 11.35pm Dave Tynan’s Ifta-winning short from 2017, only seven minutes long, is a spoken word film originally commissioned by theatre company ThisisPopBaby. Heartbreak is written and performed by Emmet Kirwan, who narrates the story of a schoolgirl, Youngone (Jordanne Jones), from teenage pregnancy to raising a son as a single mother.
Great Asian Railway Journeys Monday, BBC2, 6.30pm Michael Portillo sets off on the first leg of a new quest as he travels around southeast Asia, guided by his 1913 Bradshaw’s Handbook on a 2,500-mile railway adventure across six countries. Beginning in Hong Kong, the former Conservative politician investigates how Britain won the island and Kowloon from China after two 19th-century wars over the trade in opium, before boarding the island’s most famous funicular to the Peak, and straddling a bamboo pole to learn the traditional Cantonese art of noodle-making.
Ár gClub Tuesday, TG4, 8pm
In the first programme of the series we join Naomh Anna ladies football manager Tony Lee as he prepares his newly promoted team for a season in the Galway Intermediate championship. In Rathnure, Wexford, all five O’Connor family sisters are involved with the club; but Claire has to decide if she will return to the playing fields after the birth of her second child. In Belfast, newly formed Laochra Loch Lao, which played their first game in the Antrim league in 2018, has big ambitions both on and off the field.
Winterwatch Tuesday/Wednesday/Thursday/Friday, BBC2, 8pm Time for a final walk in the winter wonderland that is the Dell of Abernethy in the Cairngorms; Springwatch will move to a new home later in the year. Chris Packham, Michaela Strachan and Gillian Burke pack their thermal underwear, down-filled coats and hardiest walking boots in preparation for sub-zero temperatures. Perhaps they’ll be lucky enough to catch a glimpse of Britain’s only herd of reindeer, which have been residents in the park since 1952. Other creatures popping up include badgers, squirrels and pine martens, whose habits will be viewed via secret cameras. There are also various challenges and pre-filmed reports, with extra content available via the Winterwatch website.
Belsen: Our Story Tuesday, BBC2, 9pm Documentary about the concentration camp in northern Germany, featuring personal accounts from the few remaining survivors and archive footage shot by the British forces that liberated them. Bergen-Belsen was used to hold prisoners evacuated from camps that had fallen to the Allied advance, leading its population to increase to nearly 60,000 by the winter of 1944. Thousands died at the camp from starvation and disease, their bodies left unburied. The British and Canadian forces who discovered the camp were left with no choice but to burn it to the ground.
Farage: The Man Who Made Brexit Wednesday, Channel 4, 9pm
With Brexit looming, here is a profile of the man many people believe is responsible for the UK leaving the EU. Nigel Farage is one of Britain’s most divisive politicians, but this documentary, which was filmed over the course of five months, initially finds him riding high after his Brexit Party’s historic success in last May’s European elections. However, as Britain heads into December’s general election, the poll ratings start to plummet. The documentary asks whether the election is a sign that while the UK voted for Brexit, they don’t necessarily want Farage. Or with a new government that appears to support much of what he stands for, can he claim a bigger victory?
Tabú: Ailléirgí Wednesday, TG4, 9.30pm An in-depth look at the alarming increase in allergies in Ireland. This informative programme blends observational documentary with scientific factual content to give the audience a comprehensive view of the impact allergies are having on Irish society.
Laughter in the Eyre – Vodafone Comedy Carnival Galway Thursday, RTÉ2, 10.30pm
A sort of Other Voices of the comedy world, this one-off special is a showcase of the Vodafone Comedy Carnival, held every October in the City of Tribes. Last year the clever producers thought ahead and sent a camera crew into carnival to capture all the comedy action. Now the rest of the country gets to see what all the chuckling was about last autumn in the west of Ireland. An array of laugh-merchants will lay out their wares for the audience’s delight, and if the show’s punning title is anything to go by, there’s a serious danger we might die laughing on our couches. One of the comedians is Andrew Maxwell, but if you saw him looking glum on I’m a Celebrity . . . just before Christmas, don’t be put off. When he’s not being force-fed bugs and bullied by his campmates, he really can be quite funny. Other guffaw-inducing guests include Reginald D Hunter, Terry Alderton, Jo Caulfield and Seann Walsh.
Deep Water Thursday, RTÉ One, 11.50pm
This twisty six-part drama, which originally ran on UTV last August, is set against the backdrop of England’s Lake District and based on the novels by Paula Daly. Deep Water follows the sometimes messy lives of three women as they navigate the choppy waters of family, friendships and finance. Anna Friel plays Lisa, a disorganised mum whose efforts to juggle family life with running her own business often result in chaos. Roz (Sinead Keenan) is a physiotherapist trying to repay crippling debts. And wealthy Kate (Rosalind Eleazar) appears to have the perfect life, the perfect husband and the perfect kids – but is it all just for show?
Save Money: Lose Weight Thursday, UTV, 11.45pm Sian Williams and Dr Ranj Singh take two fresh diets (the Eat What You Like and Lose Weight for Life cookbook, and Noom, an app that is trending worldwide) and put them through their paces in a 28-day value-for-money road test. The programme also looks at the latest new diet products and finds out which are fleeting fancies and which are future foods worth splashing out on. Williams tests a new super grain, pea milk and a vegetable sheeter, while Singh investigates technology and gadgets designed to boost willpower when it comes to dieting. These include a state-of-the-art headset to fight food cravings and a low-tech fridge piggy gadget that actually oinks when you open the fridge.
The Late Tackle Thursday, Virgin One, 10pm Muireann O’Connell and last year’s Love Island winner, Greg O’Shea, host this new entertainment show focusing on the Guinness Six Nations Championship. Celebrity guests, including past and present rugby players, comedians and actors, chat about rugby and life in front of a live audience.
Leaving the EU: BBC News Special Friday, BBC1, 10pm It’s a day some people were hoping would never come and others were getting impatient waiting for. But if all goes to plan, today Britain will leave the EU after Prime Minister Boris Johnson’s Brexit deal was backed by MPs in the wake of the general election. However, not everything is cut and dried, as Britain is now due to enter an 11-month transition period. Huw Edwards hosts a special edition of BBC News covering this momentous day and asking what Britain’s new relationship with the EU will look like.
The Last Leg: Countdown to Brexit Friday, Channel 4, 10pm For a more comical — and opinionated — take on the big Brexit day, The Last Leg team of Adam Hills, Josh Widdicombe and Alex Brooker are conducting their own countdown. They’re joined by writer and director Armando Iannucci, who knows a thing or two about satire via his influential news spoof The Day Today and the savage sitcom The Thick of It. So, if Iannucci was devising a Brexit satire, what angle would he take?
Box Office Friday, Virgin Two, 8.30pm Lisa Cannon returns for another series of the movie show. In advance of the Virgin Media Dublin International Film Festival, Cannon speaks to festival director Gráinne Humphreys about the very best of world cinema and film talent in Dublin.
All Walks of Life Friday, RTÉ One, 8.30pm
As they wander part of St Kevin’s Way in the Wicklow Mountains, actor Amy Huberman talks to Mary McAleese about the importance of her mixed Catholic-Jewish roots and how she tries to balance her multiple careers with her more private roles as the wife of Irish sporting legend Brian O’Driscoll and the mother of two small children. Huberman is the proud daughter of a Jewish immigrant who came to Ireland in the 1960s to work as a designer. A few years ago, she and her father visited the Auschwitz concentration camp together. She reveals to McAleese what that experience meant to her and her thoughts on being Jewish.
Last year saw ransomware run rampant over state and local governments, a relentless string of data breaches at major corporations, and a first-of-its-kind cyber disruption to the U.S. power grid.
Less than a month into 2020, experts are warning that another long year of hacking risks lies ahead for U.S. energy companies and federal agencies. It’s also an election year, a fact keeping homeland security officials on high alert.
Iran, China and Russia top the list of nation-states poised to test U.S. cyberdefenses in 2020, according to acting Homeland Security Secretary Chad Wolf.
“Each of these countries has a different motivation and end goal, but all attempt to undermine our interests and international standing,” including through “cyber-enabled attacks,” Wolf said at a Homeland Security Experts Group event Friday.
Here’s a look at four cybersecurity issues to watch in 2020:
After the U.S. killed top Iranian Gen. Qassem Soleimani early this month, tensions between the two countries quickly escalated and fears spread of a cyberattack on U.S. electric utilities or oil and gas companies (Energywire, Jan. 6). The worry was not unfounded, as Iran-linked hackers are showing an increasing interest in electric utilities, according to a report out last week from cybersecurity firm Dragos Inc. Iran is also believed to have deployed computer-wiping malware against Saudi state-owned oil giant Saudi Arabian Oil Co. in 2012.
Several U.S. lawmakers have called for more information on Iran’s cyber capabilities following the drone strike on Soleimani. Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, urged the Trump administration to share its strategy for dealing with potential retaliation, saying that he is concerned over Iran’s capabilities “against state and local governments and critical infrastructure to exact revenge for the death of Soleimani.”
Reps. Frank Pallone (D-N.J.), chairman of the Energy and Commerce Committee, and Mike Doyle (D-Pa.), chairman of the Communications and Technology Subcommittee, called on the Department of Homeland Security and the Federal Communications Commission to brief Congress on the danger Iran presents to telecommunications networks.
Iran is not the only country to have shown interest in hacking energy companies. Russia looms large in many cybersecurity threat assessments after being tied to sophisticated malware that shut down a petrochemical plant in Saudi Arabia in 2017. The Triton malware targeted Schneider Electric SE’s Triconex safety instrumented systems, the equipment whose job is to bring a plant to a safe state in an emergency, and the hackers behind that potentially deadly tool were seen probing U.S. facilities in 2018. When it comes to hacking industrial control systems, Russia is still the more experienced, older sibling, according to many experts.
Hacking critical infrastructure doesn’t always bring destructive or disruptive dangers. Cyberespionage is a large problem inside the energy sector, and China is one of the leading culprits, having been accused of leading hacks into managed service providers that oversee huge amounts of proprietary data from a variety of industries in the “cloud” (E&E News PM, Dec. 20, 2018).
That’s not to say China can’t wreak even more havoc. In last year’s Worldwide Threat Assessment by then-Director of National Intelligence Dan Coats, China was called out as having the ability to cause a “disruption of a natural gas pipeline for days to weeks.”
Many analysts see that sort of crippling attack as highly unlikely to occur in practice. Less impactful, but more probable, is the threat posed by ransomware, malware that holds victims’ files hostage by encrypting them and demanding payment for the key. Analysts have warned that ransomware can have unintended consequences by spreading into the operational technology (OT) networks behind industrial control systems, including those that run the power grid. The line between information technology and OT is blurring in dangerous ways: an infection that starts on the IT side can reach the Windows-based engineering workstations and operator interfaces that command pumps and circuit breakers, taking away the ability to see and control the process even when the field devices themselves are untouched.
OT networks are “a really rich environment for ransomware to spread into, and usually unintentionally,” said Greg Young, vice president of cybersecurity at cyberdefense firm Trend Micro.
Many OT systems are susceptible to ransomware because they are old and unpatched, Young said. That makes them perfect fodder for ransomware attacks that use common and previously documented vulnerabilities.
This year marks the first U.S. presidential election since Russia-linked hacking groups interfered in the 2016 race. The big question is: To what degree will suspected Russian operatives try to do so again?
Last week, a report by Area 1 Security Inc. alleged that Russian hackers breached the Ukrainian gas company Burisma Holdings Ltd., a company tied to the impeachment of President Trump (Energywire, Jan. 15). The cybersecurity firm’s report did not detail exactly what information was gained, if any, but history may repeat itself if hackers dig up dirt on one of the leading Democratic presidential contenders, Joe Biden, to sway U.S. voters.
In 2016, the Russian government hacked Democratic National Committee and Democratic Congressional Campaign Committee networks, stealing files during the runup to the election before leaking them to WikiLeaks and DCLeaks, according to multiple U.S. intelligence agencies. WikiLeaks posted troves of politically damaging emails days before the 2016 Democratic National Convention.
The efforts by alleged Russian agents during the last general election, and continued online disinformation campaigns since then, have shifted focus to the social media companies where vast numbers of Americans get their news.
“Finally, this year we’re going to see disinformation become more on the agenda for some of the social media platforms,” Young said, rather than see them “duck” the issue by invoking freedom of speech.
Russia isn’t the only player in the election interference game, the U.S. intelligence community has warned. “Russia, China, Iran, and other foreign malicious actors all will seek to interfere in the voting process or influence voter perceptions” in the upcoming November elections, according to a recent joint statement from seven agencies.
Last October, Microsoft Corp. revealed that Iranian-linked hackers have targeted the email accounts of a presidential campaign. Reuters later reported that it was Trump’s reelection campaign, a case that served as a warning for other presidential candidates of the threats posed by nation-state hackers.
Days before the Iowa caucuses, Pete Buttigieg lost the only staffer who was working on cybersecurity full time, The Wall Street Journal reported. Mick Baccio quit due to differences over the handling of Buttigieg’s “information security program.”
Some candidates, like Sens. Bernie Sanders (I-Vt.) and Elizabeth Warren (D-Mass.), have been largely quiet on how they are handling cybersecurity in their campaign, but others have opened up about steps they are taking.
The most recent candidate to join the Democratic field — billionaire and former New York Mayor Michael Bloomberg — recently announced that his campaign is hiring a team dedicated to cybersecurity.
The first reported cyberattack that disrupted the U.S. grid occurred in 2019. Will 2020 see another?
Last March, a cyberattack on Cisco Systems Inc. equipment installed at renewable energy giant sPower briefly blinded communications between grid control centers and several wind and solar generation sites in Utah, Wyoming and California. The attack didn’t seem to be intentional and the signals were lost for less than five minutes, but the blips served as a reminder of utilities’ increased exposure to attacks as they embrace digitization (Energywire, Sept. 6, 2019).
The North American Electric Reliability Corp. is wagering that information sharing will be at the heart of ensuring similar cyber events don’t happen again. This year, NERC’s Electricity Information Sharing and Analysis Center (E-ISAC) increased its budget to just over $31 million and plans to add at least nine new employees.
The investment is part of its long-term strategic plan to make E-ISAC “a world-class intelligence collecting and analytical capability for the electricity industry.”
E-ISAC spreads the word on the latest cyberthreats and vulnerabilities to registered utilities and other subscribers to its private portal, raising the question: Will members of the public even know if another grid cyberattack happens?
The March incident — a distributed-denial-of-service attack that overwhelms its target with traffic — was only mentioned publicly in a single line on an obscure Department of Energy “electric disturbance” form. Officials at DOE, NERC, DHS, the Federal Energy Regulatory Commission and the Western Electricity Coordinating Council all declined to share more details at the time.
2020 could pose other challenges for cybersecurity transparency as federal regulators puzzle over whether to reveal the names of utilities found to have broken mandatory cybersecurity requirements.
NERC and FERC, the two organizations responsible for setting and enforcing rules for grid cyberdefense, submitted a joint proposal last year that advocated for revealing the names of companies that have violated cybersecurity regulations, along with the general nature of the violation and the penalty amount. The change was aimed at balancing “confidentiality, transparency, security and efficiency concerns” and wouldn’t reveal technical details that could benefit malicious actors.
This proposal was lauded by consumer advocates, but others worried that even revealing the names of rule-breaking companies could put grid reliability at risk. In a comment on the proposal, DOE said that disclosing any identities would be shining a beacon to malicious actors while also discouraging self-reporting by those companies.
“Despite the consequences for transparency, withholding violator identities is the only reasonable way to avoid this undesirable result,” DOE wrote in its comments, signed by Assistant Secretaries Bruce Walker and Karen Evans.
If the last few years saw supply chain security grow in the public consciousness, experts say 2020 will be when action finally occurs. Well, maybe.
FERC’s enforcement of the new supply chain standard for the bulk power grid is set to begin this July. The standard requires utilities to create a supply chain cyber security risk management plan. Large power companies must also keep track of remote network access by vendors and verify, before installation, that software and patches destined for grid systems are authentic and have not been modified, for example by checking them against vendor-published hashes or signatures.
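The software verification requirement above is the one part of the standard most practitioners can picture in code. The following is an added example (it is not text from the standard, FERC, NERC or any utility's procedure) showing the two checks a receiving utility would run on a vendor package: first that the vendor's release manifest is authentic, then that every file matches it, with anything extra or missing flagged. Assumptions: the manifest format (`<sha256>  <name>` lines plus a `TAG` line), the file names, the package bytes and the vendor key are all constructed for the example; in particular, the HMAC tag stands in for the vendor's real digital signature only so that the example runs on the Python standard library.

```python
"""Vendor package integrity/authenticity check: an added example, not text
from CIP-013, FERC or any utility's procedure."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

# ASSUMPTION: stand-in for the vendor's signature. A real vendor publishes a
# signature (PGP, X.509/Authenticode, etc.) over its release manifest; HMAC
# with a key received through the procurement channel is used here only so
# the example runs on the standard library alone.
VENDOR_KEY = b"example-vendor-manifest-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Vendor side: one '<sha256>  <name>' line per file, then a 'TAG <hmac>'
    line covering all the lines above it."""
    body = "".join(f"{sha256_hex(d)}  {n}\n" for n, d in sorted(files.items()))
    tag = hmac.new(VENDOR_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + f"TAG {tag}\n"


@dataclass
class VerifyResult:
    ok: bool
    problems: List[str] = field(default_factory=list)


def verify_package(manifest: str, received: Dict[str, bytes]) -> VerifyResult:
    """Utility side: authenticate the manifest first, then check every file.
    Fails closed on any problem; files the vendor never listed are flagged too."""
    lines = manifest.splitlines()
    if not lines or not lines[-1].startswith("TAG "):
        return VerifyResult(False, ["manifest has no authenticity tag"])
    body = "".join(line + "\n" for line in lines[:-1])
    expected = hmac.new(VENDOR_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so a hostile tag cannot raise or leak timing.
    if not hmac.compare_digest(expected.encode(), lines[-1][4:].encode()):
        return VerifyResult(False, ["manifest tag does not verify: trust nothing in this package"])
    listed: Dict[str, str] = {}
    for line in lines[:-1]:
        parts = line.split("  ", 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            return VerifyResult(False, [f"malformed manifest line: {line!r}"])
        listed[parts[1]] = parts[0]
    problems: List[str] = []
    for name, digest in listed.items():
        if name not in received:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(sha256_hex(received[name]).encode(), digest.encode()):
            problems.append(f"hash mismatch: {name}")
    for name in received:
        if name not in listed:
            problems.append(f"unexpected file not in manifest: {name}")
    return VerifyResult(not problems, problems)


# Constructed sample release (not real firmware): what the vendor shipped.
GOOD_FILES = {
    "rtu-firmware-4.2.bin": b"\x7fELF" + b"constructed firmware image bytes" * 8,
    "release-notes.txt": b"4.2: fixes watchdog reset on RTU-200\n",
}
VENDOR_MANIFEST = build_manifest(GOOD_FILES)


def demo_tampered_download() -> VerifyResult:
    """What the utility receives: the firmware image was altered in transit and
    an extra executable the vendor never listed was slipped into the package."""
    received = dict(GOOD_FILES)
    received["rtu-firmware-4.2.bin"] = received["rtu-firmware-4.2.bin"] + b"\x00"
    received["install-helper.exe"] = b"MZ" + b"\x90" * 16
    return verify_package(VENDOR_MANIFEST, received)


if __name__ == "__main__":
    print(verify_package(VENDOR_MANIFEST, GOOD_FILES))
    print(demo_tampered_download())
```

The order of the checks matters: if the manifest itself does not authenticate, the per-file hashes prove nothing, because whoever altered the package could have rewritten them, so the function stops there rather than reporting a misleading "all hashes match". Flagging unlisted files is what catches the "counterfeit" case the standard names, where the download matches the vendor's list but carries something extra.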
The impact of the new standards remains to be seen. Patrick Miller, managing partner at Archer Energy Solutions LLC and a former NERC auditor, said that although the regulation does have good sections — such as software verification — it was created too quickly and resulted in a vague and bare-bones supply chain standard.
“Fast regulation is usually not good regulation, and this one is no different,” Miller said.
Supply chain security is one of the five cybersecurity priorities that FERC staff laid out in a presentation in November.
FERC has also created a cybersecurity division under the Office of Electric Reliability, and supply chain security is going to be a “top priority,” FERC Chairman Neil Chatterjee wrote in a letter this month addressing concerns around U.S. power-sector use of equipment from China-based telecommunications giant Huawei Technologies Co.
“My colleagues and I at the Commission will continue to work with the North American Electric Reliability Corporation and our federal partners including the Department of Energy and the Department of Homeland Security to assess the threat posed by Huawei and take additional action as appropriate,” Chatterjee wrote.
The White House and Congress view Huawei as a security threat and have effectively blocked many U.S. companies and manufacturers from using the company’s products in any infrastructure for fifth-generation (5G) wireless technology. The fear is that using Huawei equipment would allow China to spy on Americans or hijack vital equipment during a conflict. Chris Krebs, who leads the Cybersecurity and Infrastructure Security Agency at DHS, told Politico last year that his top priority through 2021 is “China, supply chain and 5G.”
Huawei has countered that there is no firm evidence of its equipment being linked to any Chinese spying and has slammed U.S. restrictions as a baseless attempt to judge companies’ security based on the geography of their headquarters.
The debate over supply chain security is only likely to intensify in 2020, as NERC shares results of a power-sector survey of Huawei’s prevalence in the U.S. power grid.
Cyber Monday — Dec. 2 this year — is poised to be among the biggest shopping days of the year. The National Retail Federation estimates total retail sales for the season to reach as high as $730.7 billion, and 56 percent of holiday shoppers plan on clicking to shop.
While most online retailers are reliable, some are not. The Better Business Bureau has received more than 32,000 complaints about online retailers and more than 7,200 BBB Scam Tracker reports about online purchase scams so far in 2019. Online purchase scams ranked as the second riskiest scam of 2018 in the St. Louis region.
A St. Louis woman told BBB Scam Tracker in late October 2019 she never received a college sports-themed gift she purchased for her husband in early September 2019. She said the company charged her credit card the day of the purchase and sent an order confirmation, but never sent a shipping confirmation, nor did the purchased item ever arrive. The woman told BBB when she attempted to contact the company, its phone number had been disconnected, and the website URL listed in the order confirmation email pointed to a day care in Australia.
Shoppers can prepare themselves for online shopping by watching ads and browsing for the items they’re seeking in advance. Many online retailers already have set up sites where Cyber Monday offers will be advertised. Unless you have done that homework, it can be hard to tell whether an online deal actually will save you money. Read a site’s policies for returns and understand shipping schedules before you enter your credit card number.
BBB’s 10 tips for safe online shopping are as follows:
1. Protect your computer. Install a firewall, anti-virus and anti-spyware software. Check for and install the latest updates and run virus scans regularly.
2. Check a site’s security settings before entering financial data, such as a credit card number. The URL (web address) on the payment page should start with “https://,” which means your connection to the site is encrypted. Keep in mind that this only protects your data in transit; scam sites can use “https://” too, so it is not proof that the seller is honest.
3. Shop trustworthy websites. Look for BBB Accredited Business seals on websites and click to confirm they’re valid. BBB’s dynamic seal will take you to a site’s BBB Business Profile. You also may find reviews at bbb.org.
5. Beware of too-good-to-be-true deals. Offers on websites and in unsolicited emails may display free or low prices on hard-to-find items. There may be hidden costs, or your purchase may sign you up for a monthly charge. Look for and read the fine print.
6. Beware of phishing. Legitimate businesses do not send emails claiming problems with an order, account or package in order to get the buyer to reveal financial information. If you receive such an email, BBB recommends you call the contact number on the website where the purchase was made to confirm whether there is a problem, rather than using a phone number or link from the email itself.
7. Pay with a credit card. Under federal law, you can dispute the charges if you don’t receive an item. Shoppers also have dispute rights if there are any unauthorized charges on the card, and many card issuers have zero-liability policies if someone steals and uses your card number. Check your credit card statement regularly for unauthorized charges. Never wire money to someone you don’t know.
8. Keep documentation of your order. Save a copy of the confirmation page of an order or emails confirming the order until you receive the item and are satisfied.
9. Obtain a tracking number for shipments. If you need the product before the holidays, find out when the seller intends to ship it and, if possible, how it will be shipped. The tracking number can help you find a lost order.
10. Know your rights. Federal law requires that orders made by phone, mail or online be shipped by the date promised or within 30 days if no delivery time was stated. If goods aren’t shipped on time, shoppers can cancel and demand a refund. Consumers also may reject merchandise if it is defective or was misrepresented.
Check a company’s BBB Business Profile before you make a purchase by going to bbb.org or by calling 573-886-8965.
Michelle Gleba is the Mid-Missouri regional director for Better Business Bureau.
If you’re using the popular rConfig network configuration management utility to protect and manage your network devices, here we have an important and urgent warning for you.
A cybersecurity researcher has recently published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in the rConfig utility, at least one of which could allow unauthenticated remote attackers to compromise targeted servers.
Written in native PHP, rConfig is a free, open source network device configuration management utility that allows network engineers to configure and take frequent configuration snapshots of their network devices.
According to the project website, rConfig is being used to manage more than 3.3 million network devices, including switches, routers, firewalls, load balancers and WAN optimizers.
More worrisome, both vulnerabilities affect all versions of rConfig, including the latest release, 3.9.2, and no security patch was available at the time of writing.
Both flaws were discovered by Mohammad Askar, and each resides in a separate file of rConfig: one, tracked as CVE-2019-16662, can be exploited remotely without any authentication, while the other, tracked as CVE-2019-16663, requires authentication before it can be exploited.
Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
Authenticated RCE (CVE-2019-16663) in search.crud.php
In both cases, exploitation requires nothing more than a GET request to the vulnerable file with a crafted parameter whose value is passed into an OS command that the server executes.
As shown in the screenshots shared by the researcher, the PoC exploits give the attacker a remote shell on the victim’s server, allowing arbitrary commands to be run with the privileges of the account the web application runs as.
Meanwhile, another independent security researcher analysed the flaws and found that the second RCE vulnerability can also be exploited without authentication in rConfig versions prior to 3.6.0.
“After reviewing rConfig’s source code, however, I found out that not only rConfig 3.9.2 has those vulnerabilities but also all versions of it. Furthermore, CVE-2019-16663, the post-auth RCE can be exploited without authentication for all versions before rConfig 3.6.0,” said the researcher, who goes by online alias Sudoka.
Askar responsibly reported both vulnerabilities to the rConfig project maintainers almost a month earlier and only released the details and PoC publicly after the maintainers failed to acknowledge or respond to his findings.
If you are using rConfig, you are advised to take it offline until security patches arrive. If that is not possible, at minimum keep its web interface off the public internet and block requests to the two files named above at the web server, and review your web-server logs for earlier requests to those files.
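Since both flaws are reached through a GET parameter to a known file, a web-server log review is a cheap first check. The following is an added example of that check, not rConfig’s code or the researcher’s PoC: it parses Apache combined-format lines, keeps only requests for the two files named in the advisory, and flags any parameter whose (double-)decoded value contains shell metacharacters. The sample log lines are constructed, the parameter names (`opt`, `q`, `chk`) and directory paths are invented, and the check is deliberately parameter-agnostic because the advisory does not name the vulnerable parameters.

```python
"""Flag web-server requests that look like command-injection attempts against
the two rConfig files named in the advisory.

Added illustration: not rConfig code and not the published PoC. Log lines below
are constructed; parameter names and paths are assumptions.
"""
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Files named in the advisory, keyed by basename so the install directory
# does not matter.
VULNERABLE_FILES = {
    "ajaxServerSettingsChk.php": "CVE-2019-16662 (pre-auth RCE)",
    "search.crud.php": "CVE-2019-16663 (post-auth RCE; pre-auth before 3.6.0)",
}

# Sequences a payload needs to break out of a shell command built from a
# parameter value: command separators, pipes, backticks, $(...), ${...}.
SHELL_META = re.compile(r"[;&|`\n]|\$\(|\$\{")

# Minimal Apache combined-log parser: client, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def query_params(query):
    """Split a query string on '&' only (some Python versions also split on
    ';' in parse_qsl, which would hide ';'-based payloads) and decode once."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def suspicious_params(target):
    """Return (basename, [(param, decoded_value), ...]) when the request hits a
    vulnerable file with shell metacharacters in a parameter, else None."""
    parts = urlsplit(target)
    filename = parts.path.rsplit("/", 1)[-1]
    if filename not in VULNERABLE_FILES:
        return None
    hits = []
    for name, value in query_params(parts.query):
        # Decode a second time so double-encoded payloads (%253B -> %3B -> ;)
        # are seen as the shell would see them after the application decodes.
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return (filename, hits) if hits else None


def scan_log(lines):
    """Yield one alert dict per suspicious request in an iterable of log lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = suspicious_params(m.group("target"))
        if found is None:
            continue
        filename, hits = found
        yield {
            "client": m.group("client"),
            "file": filename,
            "cve": VULNERABLE_FILES[filename],
            "status": int(m.group("status")),
            "params": hits,
        }


# Constructed sample traffic (not real logs); parameter names are invented.
SAMPLE_LOG = [
    # benign use of the settings-check page: no alert
    '10.0.0.5 - - [04/Nov/2019:10:01:12 +0000] "GET /rconfig/ajaxServerSettingsChk.php?chk=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    # plain injection attempt
    '203.0.113.9 - - [04/Nov/2019:10:02:40 +0000] "GET /rconfig/ajaxServerSettingsChk.php?opt=x;id HTTP/1.1" 200 540 "-" "curl/7.64.0"',
    # percent-encoded attempt against the second file
    '203.0.113.9 - - [04/Nov/2019:10:02:41 +0000] "GET /rconfig/lib/crud/search.crud.php?q=a%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 200 9120 "-" "curl/7.64.0"',
    # double-encoded attempt
    '203.0.113.9 - - [04/Nov/2019:10:02:42 +0000] "GET /rconfig/ajaxServerSettingsChk.php?opt=x%253Bid HTTP/1.1" 200 540 "-" "curl/7.64.0"',
    # same file, ordinary search value: no alert
    '10.0.0.7 - - [04/Nov/2019:10:03:00 +0000] "GET /rconfig/lib/crud/search.crud.php?q=core-switch-01 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    # metacharacters against an unrelated file: out of scope for this check
    '10.0.0.7 - - [04/Nov/2019:10:03:05 +0000] "GET /rconfig/index.php?x=a;b HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the sample it reports the three requests from 203.0.113.9 and nothing else. On a real server, feed it the access log and treat any hit with a 200 status as a likely successful execution, since the vulnerable files return normally after running the injected command.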
Stalkerware and ransomware increasing, password advice and updates to watch for.
Welcome to Cyber Security Today. It’s Friday October 4th, I’m Howard Solomon, contributing reporter on cyber security for ITWorldCanada.com.
A few months ago I warned about stalkerware, which are apps installed on a smartphone or tablet that let another person keep an eye on what you’re doing. Usually this app gets installed when you’re not looking by a spouse, lover or friend who has access to your device. This is not a parental control app a parent installs on a child’s device. This is an illegal snooping app. This week security vendor Kaspersky put out some numbers that may give an idea of how common their use is, based on the number of detections from its security software. In the first eight months of the year there were more than 518,000 cases where the software either registered the presence of stalkerware on users’ devices or detected an attempt to install it. And remember, that number is only for devices that use Kaspersky software. Huge numbers of people either don’t use antivirus software on their mobile devices, or use another brand. Some of these apps hide themselves on devices, so victims don’t know it’s there. Stalkerware has to be installed directly by someone. So think twice before letting a friend, or someone closer, use your phone.
As I mentioned on Wednesday, this is Cyber Security Awareness Month. As part of that Google released a public opinion poll that, if representative, shows a lot of Americans aren’t cyber aware. Twenty-four per cent of respondents said they use weak passwords like “admin” and “1234.” Fifty-nine per cent have used a name or birthday in an online password. Many people must know others use weak passwords because 27 per cent of respondents say they’ve tried to guess someone else’s password — and of those 17 per cent said they guessed right. Well, if you can guess right, so can criminals. Look, it isn’t easy to have to remember lots of passwords. That’s why there are password managers. Google has one it just improved, which is why it released the survey. There are lots of password managers. Go online, do a search, use one of them.
The FBI this week issued a reminder to organizations that ransomware is crippling those who aren’t prepared. The latest hit were three rural hospitals in the same group in Alabama. For a time new patients had to be sent to Birmingham. Last week a major hospital in downtown Toronto was hit. The FBI urges organizations to regularly back up their data and verify its integrity. Ensure backups can’t be infected by being connected to live networks. Focus on employee awareness and training to recognize suspicious email. And make sure all software gets security patches as soon as they are available.
Finally, some product updates to watch for: If you use WhatsApp on an Android device running version 9 or 8 of the operating system, make sure you upgrade to the latest version of WhatsApp. There’s a serious bug that could let a hacker into your device by sending you a repeating video called a GIF. Like one of those videos of a cat doing something silly.
And Microsoft has put out another Windows update to fix a printing problem. This patch is to fix ones that were issued over a week ago. It also updates Internet Explorer.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
Edgewater Federal Solutions is a small business providing Information Technology (IT) consulting services to the Federal government. Founded in 2002, Edgewater is headquartered a few miles south of Frederick, Maryland (near Urbana, MD). Edgewater’s core services are Program Management Support, Business Process Engineering, Cyber Security, and Enterprise Systems Engineering and Operations. Edgewater is currently seeking a Cyber Security Watch Position/Security Engineer to provide support to the DOE IN office located in Washington, D.C.
Serve as the Cybersecurity Watch Analyst responsible for analyzing information collected from a variety of sources to identify, analyze, and report on events to protect information systems and networks from threats.
Perform technical security activities to include:
Characterize and analyze security events to identify anomalous and potential threats to systems
Analyze identified malicious activity to determine exploitation methods and impacts
Triage intrusions, malware, and other cybersecurity threats
Document, track and escalate cybersecurity incidents
Comment on new ODNI/NIST standards and regulations as they apply to the client environment
Employ best practices when implementing security requirements within an information system.
Participate in IC Community Shared Resources Working Group.
May serve as a technical team or task leader.
Maintains current knowledge of relevant technology as assigned.
Respond to cyber incidents as defined in DOE-IN Incident Response and local SOP.
Participates in special projects as required.
12 years of cyber security experience with a Bachelor’s Degree in a technical field.
Desired Candidates have CISSP or other security certification.
Knowledge of common adversary tactics, techniques, and procedures.
Experience working in a SIEM, interpreting IDS alerts, and deriving context from event logs
Candidates must have the following experience and knowledge:
Knowledge of the IC and audit collection policies.
Possess effective interpersonal and presentation skills as he/she operates in a client-facing role.
Possess the ability to communicate in written and oral form. Publication or presentation experiences a plus.
Experience reporting IT Security events/incidents in the time prescribed based on policies and procedures.
Candidate will be a proactive self-starter.
Candidate will require little to no immediate supervision or day-to-day tasking.
Candidate will possess excellent decision-making skills.
Candidate will demonstrate flexibility and be willing to support shift work if needed.
Candidate will collaborate well as part of a team and possess excellent interpersonal skills.
Candidate will possess excellent oral and written communication skills and be able to interact with senior levels of management.
Preferred To Have/Desired Skills:
Possesses experience supporting the Intelligence Community (IC)
Experience analyzing host based security events and indicators
Experience analyzing network based security events and indicators
Experience working in a SOC and supporting incident response
Experience supporting the Joint Worldwide Intelligence Communications System (JWICS).
Knowledge of cloud architecture.
Knowledge of virtualization capabilities
It has been and continues to be the policy of Edgewater Federal Solutions to provide equal employment opportunities to all employees and applicants for employment without regard to race, color, religion, gender, and/or other status protected by applicable law.
Better Business Bureau warns if you are traveling this summer and taking advantage of free WiFi, double check before connecting your device. Scammers use fake WiFi hotspots to steal personal information or gain access to your device. “Say you’re at a coffee shop, airport, hotel lobby, or other public place,…