STE WILLIAMS

It has been 15 years, and we’re still reporting homograph attacks – web domains that stealthily use non-Latin characters to appear legit

What’s old is new again as infosec bods are sounding the alarm over a fresh wave of homoglyph characters being used to lure victims to malicious fake websites.

Researchers at Soluble today said they worked with Verisign to thwart the registration of domain names that use homoglyphs – non-Latin characters that look just like letters of the Latin alphabet – to masquerade as legit domains.

First reported back in the 2000s, this technique allows miscreants to use characters that, when displayed in the browser bar, appear to show the URL of a valid site – such as Apple.com or Google.com – despite being a completely different domain name. These bogus sites are designed to look real while phishing credentials or distributing malware. You think you’re logging into Google.com from an email or instant-chat link, but really you’re handing over your password to a crook.

There have been a number of efforts over the years, most recently in 2017, we reckon, to rid the internet of homograph abuse once and for all.

In the most recent case, it was found that the Unicode Latin IPA Extension characters could be, and were being, exploited to set up lookalike domains.

“Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates,” noted Soluble researcher Matt Hamilton. “This included prominent financial, internet shopping, technology, and other Fortune 100 sites. There is no legitimate or non-fraudulent justification for this activity.”

Normally, it would not be possible to register domains with mixed scripts, as Verisign put protections in place years ago. However, the researchers found that those protections did not extend to Unicode Latin IPA, meaning that prior to Verisign updating its filters after being tipped off by Soluble, the characters could be used to set up lookalike URLs.
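As an added example (not code from Soluble or Verisign), the Go snippet below shows why a plain mixed-script filter misses the case described here: the IPA Extensions block (U+0250..U+02AF) is classified as Latin script, so a label such as "ɡoogle" with U+0261 passes a mixed-script check and needs a separate rule. It assumes domain names are supplied in Unicode form; punycode "xn--" labels would have to be decoded first, which needs golang.org/x/net/idna rather than the standard library.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// labelReport is what a defender wants to know about one DNS label.
type labelReport struct {
	Label       string
	ASCIIOnly   bool
	Scripts     []string // scripts seen among the label's letters, in table order
	MixedScript bool     // letters from more than one script
	IPAExt      bool     // any rune in the IPA Extensions block (U+0250..U+02AF)
}

// scriptTables lists the scripts this example distinguishes. A real
// confusable check covers many more; three are enough to show the mechanism.
var scriptTables = []struct {
	name  string
	table *unicode.RangeTable
}{
	{"Latin", unicode.Latin},
	{"Cyrillic", unicode.Cyrillic},
	{"Greek", unicode.Greek},
}

func inspectLabel(label string) labelReport {
	rep := labelReport{Label: label, ASCIIOnly: true}
	seen := map[string]bool{}
	for _, r := range label {
		if r > unicode.MaxASCII {
			rep.ASCIIOnly = false
		}
		// The IPA Extensions block is Latin script throughout, which is why a
		// filter that only rejects mixed scripts lets these characters through.
		if r >= 0x0250 && r <= 0x02AF {
			rep.IPAExt = true
		}
		if !unicode.IsLetter(r) {
			continue
		}
		for _, s := range scriptTables {
			if unicode.Is(s.table, r) {
				seen[s.name] = true
			}
		}
	}
	for _, s := range scriptTables {
		if seen[s.name] {
			rep.Scripts = append(rep.Scripts, s.name)
		}
	}
	rep.MixedScript = len(rep.Scripts) > 1
	return rep
}

// suspicious applies both rules (mixed script, IPA Extensions) to every
// label of a Unicode-form domain name and explains each finding.
func suspicious(domain string) (bool, []string) {
	var reasons []string
	for _, label := range strings.Split(strings.ToLower(domain), ".") {
		rep := inspectLabel(label)
		if rep.MixedScript {
			reasons = append(reasons, fmt.Sprintf("label %q mixes scripts %v", label, rep.Scripts))
		}
		if rep.IPAExt {
			reasons = append(reasons, fmt.Sprintf("label %q uses IPA Extensions characters", label))
		}
	}
	return len(reasons) > 0, reasons
}

func main() {
	// Constructed samples: a Cyrillic "а" (U+0430) and an IPA "ɡ" (U+0261).
	for _, d := range []string{"apple.com", "\u0430pple.com", "\u0261oogle.com"} {
		bad, why := suspicious(d)
		fmt.Printf("%-14s suspicious=%v %v\n", d, bad, why)
	}
}
```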

“Safeguarding the stability, security and resiliency of the critical infrastructure we operate is our top priority,” Verisign said in a statement. “While the underlying issue described by Mr Hamilton is well understood by the global Internet community – and is the subject of active policy development by ICANN – we appreciate him providing additional timely details about how this issue may be exploited.

“Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr Hamilton’s report.”

Fortunately, the domains are hard enough to register and set up that miscreants don’t want to burn them on anything other than the highest-value targets.

“While it is unlikely that you, the reader, were attacked with this technique,” Hamilton notes, “it is likely that this technique was used in highly targeted social-engineering campaigns.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/04/homograph_attacks_still_happening/

7 Loyalty Program and Rewards App Attacks

The number of attacks targeting loyalty and rewards programs is growing. Here are some of the lowlights.

Image Source: Adobe (Andrey Popov)


Cybercriminals love loyalty cards and mobile pay app accounts. According to recent statistics, cyberattacks against these programs are markedly rising as crooks keep probing for the weakest link in financial payment systems to siphon off anything that can be tied to a cash payoff.

Loyalty programs and rewards apps are increasingly high-value targets for several reasons. First of all, they hold financial value without necessarily being monetary implements. By engaging in credential stuffing attacks to take over online loyalty program accounts, attackers gain a lower-risk method of stealing money without the same level of criminality as, say, defrauding a financial institution. Additionally, for those criminals who don’t care about such niceties, these programs are often tied to mobile payment systems and thus linked to credit cards. On top of that, many of the apps and the entire programs themselves are built and administered by third parties that may or may not operate under the same security standards as the brands they work with. All of this is a recipe for fraud.

“Fraudsters are diversifying into softer currencies that are not primarily financial and moving beyond transactional credit card fraud into areas such as loyalty account fraud,” says Michael Reitblat, CEO and co-founder of Forter, which released research last October showing loyalty card fraud increased 89% year over year in 2019.

The anecdotal evidence is piling up to support those numbers, too, as many major brands have gone public lately with news of breaches and exposures of their loyalty and mobile pay apps, many of which share the same underlying platforms. Here are some of the lowlights.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/7-loyalty-program-and-rewards-app-attacks/d/d-id/1337198?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Gotta Patch ‘Em All? Not Necessarily, Experts Say

When it’s impossible to remediate all vulnerabilities in an organization, data can indicate which bugs should be prioritized.

Modern security teams face a daunting task in keeping up with a growing number of vulnerabilities. While they may not be able to patch all the flaws in their environments, they can cut down on risk by prioritizing high-risk vulnerabilities that are most likely to be exploited.

The volume of published common vulnerabilities and exposures (CVEs) has dramatically increased over the past 20 years, said Benjamin Edwards, senior data scientist with the Cyentia Institute, during the RSA Conference panel “Measuring Vulnerability Remediation Strategies with Real-World Data.” Between 1999 and 2004, an average of 1,300 vulnerabilities were published per year. That number increased to 6,100 per year from 2005 to 2016 and then jumped to 18,000 per year for 2017 to 2020, he explained.

“Recently the number of vulnerabilities has increased quite a bit because we have expanded the number of people who can report and categorize CVEs,” Edwards continued. Right now, there are more than 130,000 published vulnerabilities that can potentially affect organizations.

It’s an overwhelming number denoting a common enterprise problem. Any given business, regardless of size, can patch one in 10 vulnerabilities each month, said Edwards. The data comes from “Prioritization to Prediction, Volume 4: Measuring What Matters in Remediation,” a report recently published by the Cyentia Institute and Kenna Security based on a survey of about 100 organizations.

Forty percent of vulnerabilities in enterprise networks are still open today, researchers found. The median time to remediation is 100 days, and 25% of flaws remain open longer than a year. But, as Edwards pointed out, some vulnerabilities are more dangerous than others. There are flaws that affect millions of assets and those that affect hundreds, those that are easy to exploit and those that are difficult, he said. “Can you fix everything? Nope, not even close,” Edwards said.

The next question becomes, “Can I remediate vulnerabilities before exploitation?” said Wade Baker, Cyentia Institute partner and co-founder. Chances are you won’t patch vulnerabilities before they are weaponized, but you may be able to remediate them before an attacker uses them against you.

“About when a CVE is published, if it’s exploited, it happens quickly,” Baker continued, noting that zero-days and proof-of-concepts may happen before a flaw is disclosed. “The publication of a vulnerability is a trigger for exploitation, in many cases.” Cyentia Institute researchers found 23% of vulnerabilities with published CVEs have associated exploit code.

Exploitation unfolds gradually. The timeline appears like a plateau in which activity initially spikes and then extends for nearly two-and-a-half years after the first exploit, he added. After about three years of activity, the likelihood of that vulnerability being exploited in the wild drops off.

What to Consider in A Remediation Program
The key to effective vulnerability management is knowing which flaws you should prioritize patching. You may not have the capacity to patch everything, but you do have the ability to learn which vulnerabilities are being exploited in the wild and which are in your environment. The research data shows one-third of published CVEs are observed in enterprise environments.

Remediation takes time. According to the research, 40% of vulnerabilities are remediated within the first month and half within the first two months. Nearly one-quarter of vulnerabilities are still open after a year.

The flaws to prioritize are those that have been both observed in enterprise environments and exploited in the wild, which applied to only 5% of all CVEs, researchers found. The “vast majority” (69%) of vulnerabilities never appear in a customer environment, Edwards said. More than half (54%) are never exploited in the wild or seen in enterprise environments. If attackers have not seen a flaw and nobody is using it, it’s less of a concern to security teams.

Two in three organizations successfully remediate high-risk vulnerabilities, with 51% reducing the number of high-risk flaws in their environments and 17% maintaining the same level. Those paying down vulnerability debt are doing so with improved focus and execution, Baker said, pointing to four metrics firms can use to measure better or worse remediation performance:

  • Coverage: How comprehensive the remediation is; the percentage of exploited or high-risk flaws addressed.
  • Efficiency: How precise the remediation is; how many patched flaws are high-risk?
  • Velocity: The speed and progress of the remediation.
  • Capacity: Number of flaws that can be patched in a given timeframe and net gain/loss.

“There is statistically significant evidence that if you try to apply risk-based vulnerability management principles across large portions of your environment, you will fix vulnerabilities faster,” Baker said. Researchers also found a simpler remediation process yielded better coverage, whereas more complex processes led to less coverage but slightly better velocity. Programs with adequate budgets fared better than those that lacked enough funds, he added.

The structure of vulnerability management programs made a difference. Time to remediate was about a month-and-a-half shorter among firms that place responsibilities for finding and fixing flaws in separate organizations. This separation of duties also led to higher capacity for remediation, meaning these businesses are less likely to fall behind. Researchers hypothesized having separate teams identify and remediate flaws indicates more resources and maturity.

Researchers also found 40% believed their vulnerability management programs were average, 36% considered them above average, 14% said they were below average, and 8% said they were in the top 10%. “People who think they’re above average tend to be above average,” Edwards said. “I was surprised at how well people knew their own programs.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/gotta-patch-em-all-not-necessarily-experts-say/d/d-id/1337228?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why ‘free’ Wi-Fi isn’t really free

How much would you ‘pay’ for ‘free’ Wi-Fi?

Would you give away your birthday? Your travel details? Your home address? Your phone number?

Well, a couple of weeks ago, a security researcher in the UK was looking around online, as you do…

…when he came across yet another company that had joined the 100 million club.

That’s the name we jokingly coined – we hoped we were making a joke at the time, though we quickly realised we weren’t – back in 2013 when Adobe infamously suffered a breach that exposed 150,000,000 encrypted password records in one go.

Despite the encryption – which Adobe hadn’t gone about in the right way – a significant minority of the passwords in the list could be figured out. (Adobe had stored the password hints in plaintext, and lots of users had just repeated their passwords in the hint field, as absurd as that sounds.)

Big breach society

Back then, we rather naively assumed that membership of this notional “100 million club” would remain thankfully rare.

But the low cost and ready availability of cloud storage has, sadly, made it easier than ever for just about anyone to leak just about as many records as they care to share.

And that’s what seemed to have happened in the case that Jeremiah Fowler of Security Discovery stumbled upon in mid-February 2020.

Although the data, 146 million records’ worth of it, didn’t include deeply sensitive details such as passwords (or even password hashes), payment card details or financial transactions, Fowler could see what looked like travel details in there.

He quickly tracked the source back through domain names in the data to a company that turns out to operate ‘free’ Wi-Fi hotspots, including at a number of train stations in England.

The company reacted quickly to Fowler’s report by sealing off the data it had accidentally exposed in the cloud – though it didn’t tell Fowler, leaving him to worry that his report wouldn’t get looked at until the following week.

So, why would anyone want to worry about 146,000,000 database entries relating to free Wi-Fi users connecting to a free Wi-Fi service?

The problem is, of course, that – in the UK at least – ‘free’ Wi-Fi seems to divide into two categories.

There’s ‘free if you come into the coffee shop and buy something, here’s the password, help yourself, no need to register, and why not try the carrot cake while you’re about it, you will like it more than you think’ (true).

And there’s the ‘free in return for a bunch of personal data that will help us market to you in a way that makes your retail/station/airport experience so much more enjoyable’ (not-so-true).

The problem with the second sort of ‘free’ Wi-Fi is that the company that’s giving you the ‘free’ service can only really make money out of it – by which we mean that they can only make you pay for it – if they keep track of who you are and what you do when you connect.

That’s why Fowler found all sorts of scammer-friendly information logged in the records of the database he came across, including names, email addresses, age ranges and device data of users of the service.

As Fowler remarks:

In this case anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user.

So, just how much personal data should you give away in return for a ‘free’ service such as Wi-Fi?

In an era of affordable mobile data – especially in the UK, where pay-as-you-go SIM cards are cheap and can be bought without much fuss at just about any supermarket checkout – do you even need free-as-in-paid-for-indirectly Wi-Fi at all?

What to do?

Here’s an idea: sit down one evening, decide how much your various items of personal data are worth to you, and then stick to your valuation whenever you hit an online sign-up page.

For example, in our opinion, your age in general and your birthday in particular – still treated as a factor of identification by many organisations – is worth too much to hand over in return for free Wi-Fi, even though it’s a data point many Wi-Fi services seem to want.

If a company demands data that you think is worth more to them than you are getting in return, our advice is simple: “Stay away.”

After all, if they don’t value your data as highly as you do, there’s not much incentive for them to look after your data with the zeal you might expect.

Incidentally, it seems that in this case, the Wi-Fi provider did offer a “don’t want to give you that data” option during sign-up, and that would have been the wise choice.

Remember: you don’t have to fill in optional fields in web signup forms, and life is a lot simpler if you routinely leave them blank.

After all, if you don’t hand over data in the first place, there’s no way the company at the other end can ever lose it in a data breach.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/C4kMJOtZnI4/

GCHQ’s infosec arm has 3 simple tips to secure those insecure smart home gadgets

Britain’s National Cyber Security Centre (NCSC) wants owners of baby monitors and smart CCTV cameras to take some basic security precautions.

The GCHQ-owned infosec arm of government today published what it hopes is simple guidance that can be followed by ordinary people who haven’t got time to immerse themselves in the technobabble-laden doom and gloom of the cybersecurity world.

Dr Ian Levy, the NCSC’s technical director, said in a canned statement: “Smart technology such as cameras and baby monitors are fantastic innovations with real benefits for people, but without the right security measures in place they can be vulnerable to cyber attackers.”

Those security measures boil down to three steps in GCHQ’s own words, which we reproduce here in full:

  • If your camera comes with a default password, change it to a secure one – connecting three random words which you’ll remember is a good way to do this. You can usually change your password using the app you use to manage the device.
  • Keep your camera secure by regularly updating security software. Not only does this keep your devices secure, but often adds new features and other improvements.
  • If you do not use the feature that lets you remotely access the camera from the internet, it is recommended you disable it.

Caroline Normand, director of advocacy at consumer group Which?, chipped in to add: “Which? has repeatedly exposed serious security flaws with devices including wireless cameras and children’s toys, so mandatory security requirements and strong enforcement that ensures manufacturers, retailers and online marketplaces are held accountable for selling insecure products is essential.”

Jake Moore, cybersecurity specialist at ESET, said of the efforts: “Password managers should not be feared; many people think that putting all their passwords in one place on the cloud will make them somewhat vulnerable to attack. However, it’s the opposite that is true. The clever use of two factor authentication, 2FA, and robust encryption are a far stronger mix than having to remember hundreds of accounts each with three random words.”

The advice comes on the heels of proposed new laws that would force manufacturers to stop baking default passwords into new devices, provide a public point of contact for reporting security vulnerabilities and state the product’s useful lifespan, i.e., for how long security updates will be published. Even those laws might not be enough to truly secure Joe and Josephine Bloggs, however.

Insecure smart home devices have long been known to techies as a rich source of vulnerabilities for criminals to exploit. In lawsuit-happy America, companies such as Amazon have had sueballs flung at them for perceived problems with security – and tried to fend these off with a “privacy dashboard” that largely fell flat among techies. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/03/ncsc_smart_gadget_security_tips/

Let’s Encrypt? Let’s revoke 3 million HTTPS certificates on Wednesday, more like: Check code loop blunder strikes

On Wednesday, March 4, Let’s Encrypt – the free, automated digital certificate authority – will briefly become Let’s Revoke, to undo the issuance of more than three million flawed HTTPS certs.

In a post to the service’s online forum on Saturday, Jacob Hoffman-Andrews, senior staff technologist at the EFF, said a bug had been found in the code for Boulder, Let’s Encrypt’s automated certificate management environment.

Boulder checks Certificate Authority Authorization (CAA) records to ensure that a Let’s Encrypt subscriber controls the domain names for which they are requesting HTTPS certificates. The bug, introduced on July 25, 2019, was an error in the way the tool’s Go code iterated over the domain names.


“The proximate cause of the bug was a common mistake in Go: taking a reference to a loop iterator variable,” explained Hoffman-Andrews in the bug report.

So when Boulder iterated over, for example, a group of 10 domain names that required CAA rechecking, it would check one domain name 10 times instead of checking each of the 10 domains once.

“What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt,” Hoffman-Andrews continued.
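As an added illustration (not Boulder’s own code), the constructed Go snippet below reproduces the loop-variable aliasing the bug report describes, with a hypothetical CAA policy function standing in for real DNS lookups: the buggy loop rechecks the last name repeatedly and lets issuance proceed even though the first name’s (assumed) CAA record now forbids it, while the per-iteration copy checks each name once and refuses. Because Go 1.22 gave range variables per-iteration scope, the buggy version declares the variable outside the loop and assigns with `=`, which is what the older `:=` semantics did implicitly, so the defect reproduces on any Go version.

```go
package main

import "fmt"

// caaAllowsIssuance stands in for a real CAA lookup. Constructed policy for
// this example: every name is allowed except "blocked.example", whose
// hypothetical owner has since published a CAA record prohibiting this CA.
func caaAllowsIssuance(name string) bool {
	return name != "blocked.example"
}

// recheckResult records which names were actually rechecked, how often,
// and the issuance decision derived from those checks.
type recheckResult struct {
	Checks  map[string]int
	Allowed bool
}

// evaluate dereferences the collected pointers and applies the policy.
func evaluate(pending []*string) recheckResult {
	res := recheckResult{Checks: map[string]int{}, Allowed: true}
	for _, p := range pending {
		res.Checks[*p]++
		if !caaAllowsIssuance(*p) {
			res.Allowed = false
		}
	}
	return res
}

// recheckBuggy takes a pointer to the loop variable on each iteration and
// dereferences the pointers afterwards. Every pointer aliases the single
// variable `name`, which holds the last element once the loop has finished,
// so the last name is checked len(names) times and the others never.
func recheckBuggy(names []string) recheckResult {
	var name string
	var pending []*string
	for _, name = range names {
		pending = append(pending, &name)
	}
	return evaluate(pending)
}

// recheckFixed makes a per-iteration copy before taking its address, so each
// pointer refers to a distinct variable and every name is checked exactly once.
func recheckFixed(names []string) recheckResult {
	var pending []*string
	for _, name := range names {
		name := name // fresh variable for this iteration
		pending = append(pending, &name)
	}
	return evaluate(pending)
}

func main() {
	names := []string{"blocked.example", "one.example", "two.example"}
	fmt.Printf("buggy: %+v\n", recheckBuggy(names)) // allowed, despite the CAA block
	fmt.Printf("fixed: %+v\n", recheckFixed(names)) // refused, as it should be
}
```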

A code fix was deployed about two hours after the programming blunder was discovered, though that still leaves 3,048,289 digital certificates out of about 116 million that need to be revoked. About one million of the flawed set of certs are duplicates.

Affected certificate owners, who have supposedly been notified by email, have until 0000 UTC March 4 to renew and replace their certs. The process to do so for those using the Certbot command-line tool is simple in theory:

certbot renew --force-renewal

But reports of difficulties in the Let’s Encrypt forum suggest not everyone will enjoy a trouble-free update process.

Come Wednesday, Let’s Encrypt, which is supported by the Internet Security Research Group (ISRG), will revoke those certs that haven’t been repaired, causing visitors at affected websites to see security warnings until the problem gets remedied.

For those who may have missed or deleted the notification email, Let’s Encrypt has posted a list of affected serial numbers that can be downloaded. Concerned individuals can look up their account identifier(s) for associated certificate numbers. There’s also a webpage for checking whether a site relies on an affected cert. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/03/lets_encrypt_cert_revocation/

The Cybercrime Pandemic Keeps Spreading

The World Economic Forum says cyberattacks will be one of the top global business risks over the next 10 years.

Cyberattacks have become a pervasive threat to individuals, businesses, societies, and worldwide economic growth. The turbulent global geopolitical and geoeconomic environment — one that includes the possibility of a fragmented cyberspace — is also complicating the development and rollout of promising next-generation technologies.

These ideas are driven home in the World Economic Forum’s (WEF) “Global Risks Report 2020,” which positions cyberattacks as the seventh most-likely and eighth most-impactful risk, and the second most-concerning risk, for global business over the next 10 years. Given that revenue, profits, and brand reputation of major firms are on the line, critical infrastructure is exposed, and nation-states are cyber-warring with each other, the stakes have never been higher.

1 Million People Join the Internet Every Day
Without question, the world is embracing digital at an astonishing rate. According to the WEF report, more than half of the world’s population is online. A million additional users hop aboard the Internet daily. Two-thirds of humanity carry a smartphone or some other mobile device.

As a result, data has become the fuel of the digital economy. Cisco’s “VNI Forecast 2017–2022” predicts that by 2021, IP traffic will hit 3.3 zettabytes annually — in gigabytes, that’s roughly the same as all the movies ever made zipping through the globe’s IP networks every minute. In reality, it means there can be zero tolerance for failure or outages.

To be sure, the modern miracles of 5G networks, quantum computing, artificial intelligence — and the world’s growing reliance on the availability of network services and cloud computing — are creating huge opportunities. But they also introduce systemic risks. Large-scale blackouts can have gargantuan consequences, erode trust, dampen economic growth, exacerbate geopolitical rivalries, and create even more yawning gaps in societies.

Cyberattacks Are Expected to Increase This Year
When asked to describe the “short-term risk outlook” (“short-term” being the next 12 months), 76.1% of the respondents to the WEF’s survey expected cyberattacks to increase in 2020 and named them as one of the top five global threats — outpacing even terrorism, which did not make it into the top five. The others were economic confrontations (78.5%), domestic political polarization (78.4%), extreme heatwaves (77.1%), and destruction of natural ecosystems (76.2%).

These days, cybercrime is a highly lucrative underground venture. The notorious Dark Web provides a place to do business, the marketplace where demand shakes hands with supply. The ever-changing cybercrime-as-a-service model offers up a cornucopia of online skullduggery ranging from distributed denial-of-service (DDoS) attacks and malware to massive pilfered data sets on demand. Today, participating in cybercrime is as easy as legal e-commerce.

The WEF assumes that taking down a single cloud provider could already generate between $50 billion and $120 billion in economic harm — comparable to the financial carnage resulting from Hurricane Sandy and Hurricane Katrina.

The Perils of Digital Innovation
So-called Industry 4.0 technologies are inherently vulnerable to a variety of cyberattacks — from data theft and ransomware to sabotage, each with potentially globally harmful outcomes. Operational technologies are at greater risk, since cyberattacks could cause more traditional kinetic impacts as technology (for example, production lines, logistics) is extended into the physical realm to form cyber-physical systems. However, employing “security-by-design” thinking to incorporate cybersecurity features into new products still plays second fiddle to getting products to market fast.

The Internet of Things (IoT) introduces another layer of worry, as it has the potential to amplify the cyberattack surface by an order of magnitude. There are an estimated 21 billion IoT devices worldwide, and various analysts predict that number will double by 2025. Not surprisingly, attacks on IoT devices ballooned by more than 300% in the first half of 2019, according to the WEF report. In September 2019, IoT devices were harnessed to take down Wikipedia through a DDoS attack, and industry pundits fully expect use of this attack methodology to increase. The WEF report wraps up by saying that, by next year, the cost of cybercrime might reach $6 trillion — equal to the gross domestic product of the world’s third-largest economy.

Information Infrastructure Collapse Rated the Sixth Most-Impactful Risk Until 2030
Cyberattacks on critical infrastructure — rated in 2020 as the WEF’s fifth top risk — are the new normal in sectors including energy, healthcare, and transportation. Some attacks have affected entire cities. The public and private sectors alike are vulnerable to being held hostage. Well-organized cybercrime groups are uniting, and the likelihood of rooting them out and bringing them to justice is estimated to be as low as 0.05% in the United States, the WEF concludes. Cybercrime-as-a-service is another popular business model, since the growing sophistication of hacking tools for sale on the Dark Web has made online crime cheaper and easily accessible to almost anyone.

The world’s reliance on digital technologies is changing the landscape of international and national security and brings three urgent questions to the fore. How do we protect critical infrastructure, uphold societal values, and prevent the escalation of state-on-state conflicts? More and more, digital tools are playing a key role in asymmetric warfare, enabling smaller countries and non-state actors to attack far larger and better-funded states. Viruses, ransomware, and DDoS attacks created to serve as cyber weapons have been tweaked by bad actors after being released into cyberspace. Today, cyberspace is another military domain that has sparked an entirely new and rapidly evolving arms race.

What’s Next?
It’s a positive sign that cybersecurity has finally attained the awareness it deserves and is on the radar of the world’s leaders. Organizations can do their best to safeguard themselves against the vulnerabilities mentioned, but the days when cybersecurity was IT’s role alone are a thing of the past. Today, cybersecurity is a strategic risk whose implementation and management demands commitment from every corner office on the planet.

Global leaders must commit to taking action beyond uttering fine-sounding words at Davos. Corporate governance models need to be rebuilt from the ground up. The CISO role merits far more attention in corporate boardrooms. In the digital age, every business decision will have a cybersecurity implication in one way or another. Also needed are more collaborative approaches to tackling cyber threats — whether it’s a coordinated effort among peers within an industry, or public-private partnerships that support information exchange between law enforcement, the legislative branch, and the private sector.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across …

Article source: https://www.darkreading.com/risk/the-cybercrime-pandemic-keeps-spreading/a/d-id/1337118?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chinese Nationals Charged with Laundering $100M in Cryptocurrency

The two defendants allegedly laundered $100 million for the benefit of North Korean threat actors who stole the funds in 2018.

Chinese nationals Tian Yinyin and Li Jiadong have been charged with laundering more than $100 million in cryptocurrency, which was reportedly stolen by North Korean attackers in 2018.

The pleadings allege that in 2018, North Korean threat actors broke into a virtual currency exchange and stole nearly $250 million in cryptocurrency, which was laundered via hundreds of automated cryptocurrency transactions so law enforcement couldn’t trace it. Co-conspirators bypassed exchanges’ know-your-customer rules with doctored photos and false identification.

Between December 2017 and April 2019, Tian and Li allegedly laundered more than $100 million in virtual currency, most of it from cryptocurrency hacks. They worked through independent and linked accounts and charged a fee for currency transmission services. Both did business in the US but never registered with the Financial Crimes Enforcement Network (FinCEN).

The North Korean co-conspirators are also linked to the November 2019 theft of $48.5 million in virtual currency from a South Korean exchange. As in the earlier attack, they allegedly laundered the stolen funds through automated transactions and submitted fake photos and IDs.

A civil forfeiture complaint, also unsealed today, names 113 cryptocurrency accounts and addresses that the defendants and their unnamed accomplices used to launder funds. A portion of the funds has already been seized; the complaint seeks to recover the rest, the US Department of Justice reports.

The two-count indictment charges Tian and Li with money-laundering conspiracy and operating an unlicensed money transmitting business. On March 2, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions on the two defendants and on several cryptocurrency addresses for their support of malicious activity linked to North Korean actors.

Read the full DoJ release here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/chinese-nationals-charged-with-laundering-$100m-in-cryptocurrency/d/d-id/1337222?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Former Microsoft Software Engineer Convicted of Fraud

The 25-year-old was convicted of 18 charges stemming from illegal access to money stored in online gift cards.

Volodymyr Kvashuk, a former Microsoft software engineer, has been convicted of 18 federal felonies: five counts of wire fraud, six counts of money laundering, two counts of aggravated identity theft, two counts of filing false tax returns, and one count each of mail fraud, access device fraud, and access to a protected computer in furtherance of fraud.

Kvashuk, 25, had been employed to test Microsoft’s online retail sales platform. He abused the access granted for that testing to steal the value stored in online gift cards, ultimately making off with approximately $2.8 million. He spent the proceeds on, among other things, a $1.6 million lakefront home and a $160,000 Tesla.

Sentencing in the case is scheduled for June 1. Kvashuk faces up to 20 years in federal prison.

Read more here.

Article source: https://www.darkreading.com/attacks-breaches/former-microsoft-software-engineer-convicted-of-fraud/d/d-id/1337224?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NSS Labs Revises Endpoint Security Test Model

New product ratings system comes amid growing shift in the testing market toward more “open and transparent” evaluation of security tools.

Cybersecurity testing company NSS Labs, which was quietly acquired by a private equity firm late last fall, has launched a new ratings system for endpoint security product testing that replaces its previous method, as well as a new nonprofit testing organization for consumer Internet of Things (IoT) products.

NSS Labs was purchased in October 2019, for an undisclosed figure, by private equity firm Consecutive Inc., a move the companies did not announce publicly but later confirmed. Multiple sources close to NSS Labs described the deal as a fire sale of sorts, undertaken to restructure the company amid financial woes, but NSS Labs CEO Jason Brvenik tells Dark Reading that it represents a reorganization intended to better focus the company's resources.

According to Brvenik, the previous venture capital (VC) model was not a fit for NSS Labs or the testing market, mainly because of the VC focus on growth and product. Investors pressured NSS Labs to sell a security-as-a-service threat intelligence offering for exploits, but the now-defunct Cyber Advanced Warning System (CAWS) failed to gain traction among enterprises. CAWS collected threat intel from various vendors in that space and offered continuous threat assessment of an enterprise’s security infrastructure.

“What we heard from the market was they didn’t want more work from us [with the service]; they wanted answers and not data that makes them do more work,” Brvenik says.

“We’re now back to focusing on what we are really good at and what we’re known for,” he says. “It allowed us to look more at what we deliver to market and to make pivots to the cloud” and other areas, he noted.

NSS Labs announced both initiatives, the new test rankings and the nonprofit testing arm for consumer IoT, during the RSA Conference in San Francisco last week. The new product ratings method, which the testing firm has applied first to endpoint protection products, rates vendor tools on management, false-positive rate, resistance to evasion, total cost of ownership, and block rate for malware, exploits, and targeted attacks. Where its previous tests flagged products as “Recommended,” “Neutral,” or “Caution,” NSS now grades them on a scale from AAA (highest) to D (lowest).

The Testing Conundrum
The new moves by NSS Labs come at a time when traditional security product testing is undergoing a slow but welcome transformation. Vendors and test labs have long had an uneasy and often contentious relationship over who controls the testing parameters and process, and NSS Labs has at times been at the center of that battle. In 2017 it publicly released an endpoint protection test report on CrowdStrike’s Falcon; CrowdStrike challenged the report in a lawsuit alleging that the test was incomplete and used illegally obtained Falcon software, and in May 2019 NSS Labs retracted it and apologized.

CrowdStrike had hired NSS Labs the year before to conduct private testing of Falcon, but terminated the engagement over concerns about the quality of the tests after legitimate applications were flagged as malicious. NSS Labs continued to test Falcon publicly, using software it had acquired through a reseller.

In September 2018, NSS Labs filed an antitrust lawsuit against cybersecurity vendors CrowdStrike, ESET, and Symantec, as well as the nonprofit Anti-Malware Testing Standards Organization (AMTSO), over a vendor-backed testing protocol it deemed unfair and vendor-centric. AMTSO’s testing protocol aims for transparency between testers and vendors.

But NSS Labs dropped the lawsuit in December 2019, citing “progress” in how AMTSO and vendors were working with test labs. That doesn’t mean NSS Labs is now all-in on the AMTSO testing protocol, however: Brvenik says NSS Labs has no plans to adopt the AMTSO protocol for its testing programs. “We have not seen sufficient evolution there,” he says. “It remains a vendor-driven environment.”

Meanwhile, enterprises, the intended audience for such testing, have been caught in the middle of these spats and faced with an often opaque testing model that critics have described as vendor pay-to-play. Most lack the resources to test security products in-house, so they are left with recommendations from consulting firms, third-party testing organizations, or the vendors’ own claims.

Brian Monkman, executive director of NetSecOPEN, an industry organization that coordinates network security performance testing using a process based on an Internet Engineering Task Force (IETF) standard, says enterprises should be able to get open and transparent security testing from a neutral third-party testing organization.

“When enterprises are looking at testing results to help them decide what security products get short listed, they need to look at how the testing was done and the level of detail, and what level of detail security product vendors are prepared to provide,” Monkman says. “An open and transparent nature is starting to emerge in the endpoint testing market.”

Take Mitre’s commercial testing of endpoint security products, launched in late 2018. The nonprofit evaluates products against its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) model, using well-documented attack methods and techniques employed by nation-state and other advanced threat groups. Mitre’s tests are based on open standards and methods, and vendors defend live with their products during the evaluation. It is a more collaborative test environment, many security vendors are embracing it, and the results are made public.

Meanwhile, the goal of NSS Labs’ new product ratings scale is to let organizations choose the product or technology that best fits their needs, which may not be the most leading-edge product, notes Brvenik. Scoring endpoint products with a percentage grade does not necessarily reflect how good a product is, he says.

“If you have five products and four of them are at 99.9% and one is at 99.5%, it’s going to look like it [stinks] in a 2D [two-dimensional] axis, even though it’s a great product. That model didn’t fit well in that space,” he says.

Chester Wisniewski, a principal research scientist with security vendor Sophos, says customers are demanding more transparency from security vendors. But endpoint testing faces plenty of challenges, including that vendors can block only the threats they know about, he notes. “There’s no way to test nation-state stuff” with today’s tests, he says.

The underlying issue is that more attacks today are launched by humans behind a keyboard using stolen credentials. “The human will just keep changing the malware until they get through,” Wisniewski says, a scenario that’s difficult to simulate in most test environments.

IoT
The details of NSS Labs’ new nonprofit are still being ironed out, but the organization will use NSS Labs’ test infrastructure to put consumer IoT products under the security microscope and publish the results for the public. One concern is the intersection between enterprise networks and their users once those users go home to smart devices on their own Wi-Fi networks.

NSS Labs isn’t the first to take on consumer IoT security testing: There’s the Cyber Independent Testing Lab (CITL), a nonprofit led by Peiter “Mudge” Zatko and Sarah Zatko, which recently teamed up with Consumer Reports on a digital standard for consumer privacy, for instance. “They are doing cool consumer stuff, and [looking to conduct] cybersecurity testing in a rigorous” environment, says security expert Bruce Schneier.

Schneier also points to a security and privacy consumer labeling project underway at Carnegie Mellon University’s CyLab, which is building a prototype Privacy and Security Label akin to a nutrition label that could be affixed to an IoT product’s box. The goal is to help inform consumers about an IoT product’s security and privacy features — or lack thereof — including how data it collects is used and whether or how it requires authentication, for example.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/iot/nss-labs-revises-endpoint-security-test-model/d/d-id/1337221?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple