STE WILLIAMS

Defense Evasion Dominated 2019 Attack Tactics

Researchers mapped tactics and techniques to the MITRE ATT&CK framework to determine which were most popular last year.

Discovery and defense evasion were the predominant attacker tactics observed in 2019, a team of researchers report in a new ranking of common MITRE ATT&CK tactics used in the past year.

In 2019, Recorded Future’s Insikt Group began to integrate data on attack tactics, techniques, and procedures (TTPs) based on the MITRE ATT&CK framework into its data collection and analysis. Researchers reviewed the identifiers across sandbox submissions throughout the year and compiled a list of the most frequently referenced tactics and techniques. Defense evasion dominated tactics, and security software discovery is the most popular technique for doing it.

“There were really three main takeaways we saw based on this data,” says David Carver, manager and analyst for on-demand services at Recorded Future. “Either we’re looking at criminals becoming more interested in the defense perspective, or security tools are getting better, or both. We don’t have evidence to lead one way or the other, but I suspect it’s both.” 

Through defense evasion, attackers bypass detection by obfuscating malicious scripts, hiding in trusted processes, and disabling security software, among other tricks. Discovery, the next most-common tactic, involves learning and understanding a target network or host. Techniques related to discovery and defense evasion made up seven out of the top 10 most common; their prominence was consistent across all months throughout the year, researchers report.

Discovery “is one of those baselines that’s required for any kind of successful malware operation,” as it allows an attacker to understand whether the system has everything needed to succeed. “It’s knowing not just your target but what I can do once I’m on a target,” Carver adds. This is essential for attackers because it tells them whether further activity is possible on a host.

Defense evasion benefits from discovery but is more related to understanding how an attacker can avoid network defenders, whether through certain processes or knowing which security tools are on a system. It’s more concerned with detecting defenses than collecting target data. Evasion can be as basic as obfuscating a binary in a simple way that a signature-based detection won’t pick up, Carver continues.

“The two play off each other in a lot of different ways,” he says. “I can’t know what I’m evading unless I understand the system that I’m on.” The two tactics let cybercriminals operate like a “fly on the wall” in target networks, the researchers explain in a blog post on their findings.

There are other common techniques that work hand in hand, he explains. Following security software discovery, frequent MITRE ATT&CK TTPs included obfuscated files or information, process injection, system information discovery, process discovery, software packing, DLL side-loading, data encryption, execution through API, and standard cryptographic protocol.

As an example, Carver points to security software discovery and process discovery, both of which are key to process injection. An attacker can’t know which process is better to inject without the discovery process. Similarly, system information discovery is key for understanding whether there is anything to take advantage of from a cryptographic or obfuscation standpoint.

“I am confident we’ll continue to see these tactics not just represented but near the top of the list over the next year or two,” Carver says of this year’s rankings.

Nearly all of the top 10 techniques combined were found to be linked to well-known malware variants also seen in sandbox results. These included Trojans such as Emotet, TrickBot, and njRAT; botnets including Gafgyt and Mirai; and cryptocurrency miners such as Coinminer. Out of about 1,180 malware variants in the results, the most common were TrickBot, Coinminer, and njRAT.

“Based on this report, it’s likely we’ll continue to see more back and forth between the development of comprehensive security tools and criminal interest in how to bypass those,” Carver says. “The better network defenders can do their job, the more criminals have to pay attention to what’s on the system they’re targeting.”

In many cases, these techniques involve the use of legitimate software capabilities, which can make pure signature-based detection tough. Researchers recommend high familiarity with normal network configurations and activity. They advise businesses to monitor for new instances of, or unusual changes to, common processes, configuration files, API calls, and file systems. Security teams should also keep their antivirus programs updated and monitor for unusual or frequent command arguments, which are often used in discovery techniques.
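The monitoring advice above (watch for unusual or frequent command arguments tied to discovery techniques) turned into a small detector, as an added example that is not from the Recorded Future report or the article: it scans constructed Windows process-creation log lines, maps command lines to the public ATT&CK discovery technique IDs the article names, and flags a host only when several distinct discovery techniques cluster in a short window. The log format, hostnames, regexes and thresholds are this example's own assumptions.

```python
"""
Added example (not from the Recorded Future report or the article): flag
hosts where several distinct Discovery techniques run in a short window.
Technique IDs are public MITRE ATT&CK ones; the log format, hostnames,
regexes and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns mapped to ATT&CK technique IDs. These are the
# built-in admin utilities commonly associated with each technique; the
# regexes are this example's own and deliberately conservative.
DISCOVERY_PATTERNS = {
    "T1518.001 Security Software Discovery": [
        re.compile(r"\bAntiVirusProduct\b", re.I),
        re.compile(r"\bnetsh\b.*\badvfirewall\b.*\bshow\b", re.I),
        re.compile(r"\bsc\b\s+query\b.*\b(WinDefend|Sense)\b", re.I),
    ],
    "T1057 Process Discovery": [
        re.compile(r"\btasklist(\.exe)?\b", re.I),
        re.compile(r"\bGet-Process\b", re.I),
    ],
    "T1082 System Information Discovery": [
        re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
        re.compile(r"\bwmic\b.*\b(os|computersystem)\b.*\bget\b", re.I),
    ],
}

# Assumed log line shape: "<date> <time> host=... user=... parent=... cmd=..."
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)

def parse_line(line):
    """Parse one constructed process-creation log line into a dict, or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def classify(cmd):
    """Return the set of discovery technique labels a command line matches."""
    return {tech for tech, pats in DISCOVERY_PATTERNS.items()
            if any(p.search(cmd) for p in pats)}

def find_discovery_bursts(lines, window=timedelta(minutes=5), min_techniques=2):
    """Flag hosts where >= min_techniques distinct discovery techniques ran
    within `window`. A lone tasklist is normal admin behaviour; the article's
    point is that frequency and clustering are the signal."""
    events = defaultdict(list)  # host -> [(ts, technique, cmd)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tech in classify(rec["cmd"]):
            events[rec["host"]].append((rec["ts"], tech, rec["cmd"]))
    alerts = []
    for host, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            techs = {e[1] for e in in_window}
            if len(techs) >= min_techniques:
                alerts.append({"host": host, "start": t0,
                               "techniques": sorted(techs),
                               "commands": [e[2] for e in in_window]})
                break  # one alert per host is enough for triage
    return alerts

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """
2020-03-31 09:00:01 host=WS-0142 user=alice parent=explorer.exe cmd=notepad.exe report.txt
2020-03-31 09:02:10 host=WS-0142 user=alice parent=cmd.exe cmd=tasklist /v
2020-03-31 09:02:11 host=WS-0142 user=alice parent=cmd.exe cmd=systeminfo
2020-03-31 09:02:13 host=WS-0142 user=alice parent=cmd.exe cmd=wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName
2020-03-31 11:15:00 host=SRV-DB01 user=svc_backup parent=services.exe cmd=tasklist
2020-03-31 14:40:00 host=SRV-DB01 user=dba parent=cmd.exe cmd=systeminfo
""".strip().splitlines()

if __name__ == "__main__":
    for a in find_discovery_bursts(SAMPLE_LOG):
        print(a["host"], a["start"], a["techniques"])
```

Only WS-0142 is flagged: SRV-DB01 also runs two discovery commands, but hours apart, which is the baseline activity the article says defenders should know well enough to ignore.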


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/defense-evasion-dominated-2019-attack-tactics/d/d-id/1337457?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers speed the death of ‘bad’ data in the race against good

How fast does malware spread? Does it spread faster than security patches for zero days?

And what about fake news? Could the World Health Organization (WHO) ever manage to spread reliable information about COVID-19 protection strategies faster than misinformation? Such as, for example, the incorrect claim that gargling with salt water prevents the virus from penetrating cells in the throat?

Researchers say yes: Good data can beat bad data in the race to spread. In a paper published on Friday, researchers from North Carolina State University (NC State) and the Army Research Office have demonstrated a new model of how competing pieces of information spread in online social networks and the Internet of Things (IoT).

The model uses network topology that includes factors such as network size, how interconnected it is, and which networks slow down data with bottlenecks caused by a limited number of nodes. The researchers suggest that their findings could be used to quickly disseminate accurate information so as to displace false information about anything – from computer security to public health.

It would be like figuring out exactly where to make an injection so that a vaccine goes to work faster than the illness it’s battling, according to Jie Wang, a postdoctoral researcher at NC State and first author of the paper.

Ultimately, our work can be used to determine the best places to inject new data into a network so that the old data can be eliminated faster.

According to the findings, a network’s size matters when it comes to the speed of good data displacing bad data. Bigger isn’t always better, though: rather, the speed at which good data travels is primarily affected by network structure.

A highly interconnected network can disseminate new data very quickly. And the larger the network, the faster the new data will travel.

However, in networks that are connected primarily by a limited number of key nodes, those nodes serve as bottlenecks. As a result, the larger this type of network is, the slower the new data will travel.

The researchers created an algorithm that they used to assess where, exactly, to inject new data so that it can spread as fast as possible.

Wenye Wang, co-author of a paper on the work and a professor of electrical and computer engineering at NC State:

Practically speaking, this could be used to ensure that an IoT network purges old data as quickly as possible and is operating with new, accurate data.

Jie Wang, a postdoctoral researcher at NC State and first author of the paper, says that the findings are applicable to social networks in that they could be used to optimize the speed at which accurate information spreads when it comes to subjects that affect the public: for example, it could be used to battle the spread of misinformation.

That’s an important fight, given what can be the life-threatening consequences of misinformation’s fast spread.

For example, in 2018, Facebook banned the mass-forwarding of messages in its WhatsApp chat app, following people getting lynched in a fake-news crisis that seized India, Myanmar and Sri Lanka. Last week, Facebook confirmed that it may do the same with Facebook Messenger, in an effort to lasso the runaway forwarding of COVID-19 fake news and rumors.

The paper, “Modeling and Analysis of Conflicting Information Propagation in a Finite Time Horizon,” was published in the journal IEEE/ACM Transactions on Networking.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_uy0PUlzN6s/

Data on almost every citizen of Georgia posted on hacker forum

Personally identifiable information (PII) belonging to more than 4.9 million people from the country of Georgia – including full names, home addresses, dates of birth, ID numbers, and mobile phone numbers, including that of dead people – was published on a hacking forum on Saturday.

That’s more than the current total estimated population: according to the National Statistics Office of Georgia, as of 2019, the country had about 3.7 million people.

The data set was first spotted by Under the Breach, a data breach monitoring and prevention service. ZDNet reports that it’s been shared online in a 1.04 GB MDB (Microsoft Access database) file.

One respondent to the Twitter post from Under the Breach said that this is “very old data” that’s been “shared several times on many open/closed forums” and that whoever shared it “is probably a leecher” (link added).

In fact, it appears that all the records date back to 2011.

Under the Breach initially thought that the entire country’s voter database had been ripped off from Georgia’s Central Election Commission (CEC). But the CEC denied it yesterday, saying that it doesn’t capture some of the data included in the dump – including that of dead people.

From a Google translation of its statement:

The CEC portal provides information on about 3.5 million voters, which does not include information about the dead; however, the CEC does not transmit voter lists for the purpose of forming a voter list and therefore does not have information on the voter’s father’s name, telephone number or ID number in the voter database.

The CEC said that it didn’t process the data published on the non-named hacker forum and that the database differs from what the election administration has access to, including in terms of data, format and database structure.

Nor has any cyber incident been reported to the CEC, its statement said. Finally, data verification has shown that the personal numbers and addresses of the data published on the forum don’t match those in the CEC voter database, the commission said.

Under the Breach shared the data with ZDNet, which communicated with one of the people who shared the data on the forums. They declined to say where they got the data from, but later, after ZDNet waved the CEC’s statement in their face, clarified that it wasn’t the CEC. Sorry, they said, we misunderstood: our English isn’t great.

The data-dump sharer said that the data can be verified on the CEC’s website, not that it had been leaked from the commission in the first place.

ZDNet has provided links to the leaked data to Georgian authorities who it says are now investigating the breach.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xZ_IEZSn7CQ/

Dharma ransomware source code on sale for $2,000

The source code for ransomware-as-a-service (RaaS) strain Dharma could now be in the hands of more cybercriminals, as hackers have reportedly put it up for sale for just $2,000.

Dharma evolved from the CrySIS RaaS variant after an anonymous source posted the CrySIS decryption keys online in 2016, and again several times through 2017. Dharma is commonly delivered via spam email as a Trojan in software installers. It is also commonly installed over RDP connections via leaked credentials. Said to heavily target the US healthcare sector, its developers have frequently updated it to produce encrypted files with different extensions. It sometimes uninstalls security software on the victim’s system as part of its attack.

Dharma victims have even included security surveillance cameras in Washington DC, but according to anti-ransomware consulting company Coveware, the ransomware hits small businesses especially hard and charges as little as $1,500 for file recovery.

According to the FBI, CrySis/Dharma was the second most profitable ransomware variant on the internet, netting $24.48m from November 2016 to November 2019. That represented just 40% of the profits made by the leader, Ryuk, but was also three times more than the number three earner, BitPaymer.

Someone also posted the Dharma decryption keys in 2017, although more recent versions use new keys that have not yet been publicly disclosed. Coveware says that its decryption process is more complex than those used by many other ransomware systems.

After paying the ransom, victims must run a scanning tool to produce a key that they then send to the attacker. Only then does the attacker produce the decryption key. They can run into problems using it if any files are changed in the interim. This could require a new key, for which the ransomware authors can charge the victim again.

If the ransomware code falls into the hands of other crooks, it could spark a proliferation of Dharma-derived ransomware tools. The world saw something similar with the Mirai IoT botnet code, which the authors published as open source at the end of 2016. However, an upside is that the source code might also allow ransomware researchers to gain more insight into the encryption code and possibly produce newer decryption keys.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/klNONLIvOUA/

Patch now! Critical flaw found in OpenWrt router software

A researcher has stumbled on a big security flaw affecting OpenWrt, an open source operating system used by millions of home and small business routers and embedded devices.

OpenWrt has become a popular Linux alternative to the stock software that vendors ship with home routers. Other examples of this type of router software include DD-WRT and Tomato.

It can be used to replace the factory firmware on any router product with the correct hardware, for example, models from NetGear, Linksys, Zyxel and others.

Discovered by Guido Vranken of ForAllSecure, the OpenWrt flaw is in the OPKG package manager, a program used to install or update OpenWrt.

To ensure these files aren’t corrupted or tampered with before being applied, their integrity is verified against a SHA-256 hash. If the two checksums don’t tally, the file should be discarded.

Although served over an insecure HTTP connection, OpenWrt’s files are digitally signed, which implicitly guarantees that the listed hash is correct.

The bug arises when installation starts, during which Vranken discovered that the SHA256sum field is not read correctly due to a simple programming error, something which fails invisibly.

This means that as long as an attacker can create a file that matches the stated size, they can sneak malicious software on to the user’s router or device instead of the correct OpenWrt software.
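To make the failure mode concrete, here is an added example (not opkg’s code and not from the article) of a minimal verifier for the kind of package-index entry described above, which lists a Size and a SHA256sum for each download. It contrasts a weak check that silently degrades to size-only when the hash cannot be read with a fail-closed check that refuses to install unless a well-formed hash is present and matches; the index text, package bytes and package names are constructed for this example, and the field names are the Debian-style ones OpenWrt package lists use.

```python
"""
Added example (not opkg's code, not from the article): size-only fallback
versus fail-closed SHA-256 verification of a package-index entry. The index
text, package bytes and package names below are constructed.
"""
import hashlib

def parse_index(text):
    """Parse a Debian/opkg-style 'Packages' index into {name: fields}."""
    packages, fields = {}, {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # a blank line terminates a stanza
            if "Package" in fields:
                packages[fields["Package"]] = fields
            fields = {}
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    if "Package" in fields:
        packages[fields["Package"]] = fields
    return packages

def _size(entry):
    """Declared Size as an int, or -1 if missing or malformed."""
    try:
        return int(entry.get("Size", ""))
    except ValueError:
        return -1

def weak_verify(entry, data):
    """Size check plus a hash check that is skipped whenever the SHA256sum
    field is absent or unreadable. This is the article's failure mode: if
    parsing drops the hash, the check quietly reduces to size alone."""
    if _size(entry) != len(data):
        return False
    expected = entry.get("SHA256sum")
    if not expected:
        return True  # silently accepted: the dangerous branch
    return hashlib.sha256(data).hexdigest() == expected

def strict_verify(entry, data):
    """Fail closed: require a well-formed 64-hex-digit SHA256sum and a
    matching Size; a missing or malformed field is a verification failure."""
    expected = entry.get("SHA256sum", "").lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False
    if _size(entry) != len(data):
        return False
    return hashlib.sha256(data).hexdigest() == expected

# Constructed package bytes: both are 40 bytes, so a size-only check cannot
# tell them apart. Not real OpenWrt packages.
GOOD_PKG = b"genuine-openwrt-package-bytes-0123456789"
TAMPERED = b"attacker-payload-same-length-0123456789!"
GOOD_SHA = hashlib.sha256(GOOD_PKG).hexdigest()

def build_index(sha_field):
    """Build a constructed two-stanza index. Passing sha_field=None omits the
    SHA256sum line, simulating a client that ends up with no usable hash."""
    lines = ["Package: example-util", f"Size: {len(GOOD_PKG)}"]
    if sha_field is not None:
        lines.append(f"SHA256sum: {sha_field}")
    return "\n".join(lines) + "\n\nPackage: other\nSize: 1\nSHA256sum: 00\n"

def demo():
    """Return (weak, strict) verdicts for {hash present, hash unreadable} x
    {genuine bytes, same-size tampered bytes}."""
    with_hash = parse_index(build_index(GOOD_SHA))["example-util"]
    no_hash = parse_index(build_index(None))["example-util"]
    return {
        "hash_present_genuine": (weak_verify(with_hash, GOOD_PKG), strict_verify(with_hash, GOOD_PKG)),
        "hash_present_tampered": (weak_verify(with_hash, TAMPERED), strict_verify(with_hash, TAMPERED)),
        "hash_missing_genuine": (weak_verify(no_hash, GOOD_PKG), strict_verify(no_hash, GOOD_PKG)),
        "hash_missing_tampered": (weak_verify(no_hash, TAMPERED), strict_verify(no_hash, TAMPERED)),
    }

if __name__ == "__main__":
    for case, (weak, strict) in demo().items():
        print(f"{case:24s} weak={weak!s:5s} strict={strict}")
```

The row to look at is hash_missing_tampered: the weak verifier accepts the same-size substitute, while the strict one rejects both the tampered file and the genuine one, which is the correct outcome when the hash cannot be checked.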

Vranken suggests that attackers could either hijack the OpenWrt server or interfere with the domain’s DNS to redirect users to a rogue server.

Is this likely?

Neither attack would be easy to pull off but if achieved, the user’s router and its traffic would be invisibly compromised by what had looked like legitimate software.

Compromising a legitimate download source is the equivalent of battering down the front door. Because many attackers will never use more effort than they have to, it seems more likely that anyone targeting OpenWrt would try their luck with a brute force attack on its management credentials first.

But it’s still a tempting flaw to aim for and one that deserves immediate attention.

What to do

OpenWrt recommends upgrading to the latest version. The bug (CVE-2020-7982) was introduced in early 2017 and affects OpenWrt versions 18.06.0 through 18.06.6 and 19.07.0, and separately LEDE (an OpenWrt fork) 17.01.0 through 17.01.7.

The fix was applied to versions 18.06.7 and 19.07.1, released at the beginning of February.

OpenWrt’s full advisory can be viewed on the maintainers’ website.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_DnQI4daweY/

Marriott International confirms data breach of up to 5.2 million guests

Marriott International has today announced that it has suffered a data breach affecting up to 5.2 million people.

The hotel chain says it uses an application to help provide services to its guests. Beginning mid-January this year, the login credentials of two employees at a franchised property were used to access guest information on this app.

When the breach was discovered at the end of February, Marriott International says it disabled those login credentials and began its investigation.

What data was accessed?

Marriott says it believes the following information “may have been involved” although the entries weren’t there for every guest:

  • Contact details (name, mailing address, email address, and phone number)
  • Loyalty account information (account number and points balance, but not passwords)
  • Additional personal details (company, gender, and birthday day and month)
  • Partnerships and affiliations (linked airline loyalty programs and numbers)
  • Preferences (stay/room preferences and language preference)

Marriott says there is currently no reason to believe the information accessed included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.

Marriott says it informed guests via email, today (31st March), from the address [email protected]. It says it’s giving guests the option of accessing a data monitoring service for a year.

What to do

  • Marriott International has set up a self-service portal for you to be able to determine if and what information of yours was accessed. It’s also listed a set of phone numbers you can call on its breach announcement page.
  • If your information was involved, Marriott has disabled your password and you’ll be prompted to enter a new one when you next log in. The company is also recommending you enable two-factor authentication (2FA) on your account, although we couldn’t find the option when we logged in.
  • Stay alert for scams. Criminals like to take advantage of breaches to send phishing emails or spin up fake websites. Don’t click on any links, and verify anything you encounter by heading directly to the official breach website or calling the official call centre numbers. Marriott says if it contacts you by email it’ll do so from the [email protected] email address, and won’t send emails with attachments or ones that ask for information.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/a0TI9eVkchs/

Marriott Hotels breached AGAIN: Two compromised logins abused to exfil guests’ personal deets

Marriott Hotels has suffered its second data spillage in as many years after an “unexpected amount” of guests’ data was accessed through two compromised employee logins, the under-fire chain has confirmed.

The size of the latest breach has not been disclosed, though Marriott admitted it seemed to have been taking place since January 2020 and was detected “at the end of February.”

“We identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property,” said Marriott, without identifying which of its 6,900 hotels worldwide was the source of the breach.

“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests,” it continued.

Marriott did not explain why it took four weeks to begin alerting customers of the breach.

Stolen data included name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, gender, date of birth, linked loyalty scheme information from other companies and room/personal preferences.

The hotel chain asserted that credit card data, PINs, passport and driver’s licence information was not accessed by the hackers, whose identities are so far unknown.

Bob Rudis of infosec biz Rapid7 commented on the breach in a statement, saying: “The use of stolen, legitimate credentials is still one of the most popular attack vectors for our adversaries. It is also paramount that you continue to watch for anomalous behaviour of systems and accounts to reduce the time attackers have to accomplish their goals if they do manage to breach your defences.”

Guests are now being emailed from [email protected], with the company publishing a self-help portal so you can, er, input your personal data to find out whether it was exposed or not. A link is available from the Marriott breach notification page. For affected Brits, an 0800 number is provided so one can bellow enraged obscenities at some call centre drone, er, obtain further information.

Free Experian identity monitoring is also being provided to those affected. The idea of this is to notify you if criminals are using your stolen details to clone your identity.

If you are involved, Marriott said in its statement it would force password resets and prompt users to enable multi-factor authentication.

Back in 2018 Marriott lost control of 383 million people’s personal data after China-based criminals broke into its Starwood brand’s guest database. Included in that breach were 8.6 million “encrypted” credit card numbers, though the hotel chain insisted that all but a mere 354,000 had expired by the time staff realised what had happened.

The breach will come as bad news for Marriott’s lawyers and beancounters, who thought they had been successful in kicking the UK ICO’s £99m fine for the 2018 breach into the long grass. And lest we all forget, in 2014 the hotel chain was caught red-handed blocking guests’ own Wi-Fi hotspots in a vain attempt to force them to buy expensive hotel Wi-Fi access instead. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/31/marriott_hotels_data_breached_once_again/

Limited-Time Free Offers to Secure the Enterprise Amid COVID-19

These products and services could be of immediate help to infosec pros now protecting their organizations while working from home.

The novel coronavirus has had an impact on the global economy unlike any health-related issue in modern times. Companies have been told to close offices, while employees have been instructed to shelter in place and avoid travel. The result is an unprecedented change in IT practices at a lightning pace and on a global scale.

To help companies and individuals forced to shift IT operations practically overnight, a number of vendors have made their products and services available free for a limited time or for the duration of the pandemic. The offerings run the gamut from courses to educate employees and professionals to enterprise tools for securing a network.

For this article, we’ve chosen to focus on offerings that could be of immediate help to cybersecurity professionals now protecting their organizations while working from home. That means you’ll see more remote network monitoring and less password management. And we didn’t focus on offerings like remote conferencing, even though those are undoubtably useful in these situations. Look for them in a follow-up article soon.

This list is a work in progress: Given the very fluid environment we’re all working in, as more companies offer free services for enterprise security, we will add them to this list. If you are taking advantage of any of these offers — and if they are helping with the security of your organization in this extraordinary time — let us know in the Comments section, below.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/limited-time-free-offers-to-secure-the-enterprise-amid-covid-19/d/d-id/1337366?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Much Downtime Can Your Company Handle?

Why every business needs cyber resilience and quick recovery times.

Cyber incidents in the past few years have captured the attention of business executives. The World Economic Forum’s “Global Risks Report 2020” cites cyberattacks among today’s top 10 business risks in terms of their likelihood of occurring and ability to inflict catastrophic damage. According to PwC’s “Global CEO Survey,” 53% of American CEOs are losing sleep over the potential for cyber threats to obliterate their company’s prospects for growth.

Remember Hurricane Katrina, the brutal Category 5 hurricane that hit Florida and Louisiana in 2005? Causing a mindboggling $125 billion in damages, it was America’s most destructive natural disaster ever. Still, the fabled insurer Lloyd’s of London warned in 2017 that cyberattacks could wreak even worse damage.

Cybercrime will be a massive problem for businesses and governments over the next 10 years. Because companies and societies everywhere now rely on always-on IT networks, hiccups or stoppages can have wide-ranging negative effects — and cloud services are major targets.

Cloud Computing: A Double-Edged Sword
Corporate use of cloud computing has greatly expanded. Expenditures on it reached $273 billion in 2018 and are expected to reach $623 billion by 2025, according to industry reports.

But when petabytes of data are stored in the cloud, there is a twofold exposure to significant risk. If the local Internet service is attacked — say, overwhelmed by a distributed denial-of-service (DDoS) attack — no data will be processed. A DDoS attack in October 2019 took down Amazon Web Services (AWS) for roughly eight hours. Users couldn’t connect because AWS misread their genuine queries as malicious. The Google Cloud Platform was hit by similar troubles at about the same time, but Google says they weren’t due to a DDoS.

According to Link11’s “2019 DDoS Report,” the biggest attack we’re aware of topped out at 724 Gbit/s in bandwidth. (Full disclosure: I am the COO of Link11.) This is significant because many large companies have a 10 Gbit/s or a 1 Gbit/s Internet connection, so a data tsunami of this size would exceed the size of the pipe by 70 to 700 times. This would stop the victim company’s business in its tracks. And that means VoIP telephones would be useless for the entire duration of the attack.

What’s even more ominous is the looming scenario of Industry 4.0, wherein production lines, warehouses, telematics services, smart grids, building automation (HVAC), etc., are all Internet-facing, meaning that a DDoS attack would be even more devastating. The longest DDoS attack Link11 defended during the second half of 2019 would have caused an outage for more than 100 hours, or five consecutive days.

The proportion of DDoS attacks that abused cloud servers grew from 31% in the second half of 2018 to 51% in the same period in 2019. Link11’s research found that the number of attacks caused by cloud services more or less corresponded to the provider’s market share: AWS, Microsoft Azure, and Google Cloud racked up more cases of corrupt clouds than smaller providers. In 2018, AWS accounts caused a 21-hour DDoS attack on the website of a California candidate for the US House of Representatives. One of the attacks disrupted a live political debate and generated roughly $30,000 in damages.

Complexity and Lack of Automation Create Security Challenges
FireMon’s “2020 State of Hybrid Cloud Security Report” notes that many companies are losing the visibility required to safeguard their cloud systems. Eighteen percent of C-suite respondents see this as their biggest concern. Today, they need more vendors and enforcement points to maintain effective security.

Almost 60% of the respondents think their clouds have grown to the point that their ability to secure their networks in a timely way has been compromised. This percentage was about the same last year, meaning the industry has failed to make headway in this area. The number of security services and enforcement points needed to secure cloud networks is also growing: Just under 80% of respondents use two or more enforcement points. FireMon says that 59% said the same last year. Almost half of the respondents use two or more public cloud services, which further boosts complexity and lowers visibility.

The National Security Agency reports that cloud misconfigurations caused by human error are the top vulnerability for security incidents. This may come as no surprise if you consider that a troubling 65.4% of respondents still employ manual processes to manage their hybrid clouds. The Ponemon/IBM “2019 Cost of a Data Breach Report” finds that only 16% of companies use fully automated security solutions.

The potential financial consequences of this are huge. The average total cost of a data breach is 95% greater in companies that lack automated security.

New Regulations and Growing Costs
With revenue, profits, and reputation depending upon the availability and integrity of IT systems, the regulations that dictate network security are tightening up — far beyond GDPR, CCPA, and HIPAA.

The new Federal Financial Institutions Examination Council (FFIEC) guidelines state that if a cyberattack disrupts a company’s operations, the firm must be back online within its “maximum tolerable downtime.” The policy further stipulates that “whether driven by customer expectations or technological advancement, previously established [recovery time objectives (RTOs)] that were a few hours in duration may now require near real-time recovery. Therefore, it may be appropriate for management to reevaluate currently acceptable RTOs.”

The message is clear: Time is of the essence. Malicious breaches are the most common, but inadvertent breaches stemming from human error and system glitches are still the root cause of nearly half (49%) of security incidents. The Ponemon/IBM study says that, respectively, these cause an average loss of $3.24 million and $3.5 million per incident. The cost of lost business averages $1.42 million.

Organizations in the middle of a large migration to the cloud at the time of an incident saw costs jump by $300,000, for an adjusted average cost of $4.22 million. The Ponemon/IBM report says that system complexity increased the cost of a breach by $290,000, for an average cost of $4.21 million.

The Final Word
Simply put, the faster a security incident can be dealt with, the lower its costs. Strict security automation and intelligent orchestration are key to containing damages. As companies implement cloud and digital transformation, they’ll need security solutions that work seamlessly across multiple clouds. The RTOs of current solutions must be reviewed, as some may be unable to keep abreast of changing business demands. Two ways to offset the costs of a security incident are to create an incident response team and to extensively test the incident response plan.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across …

Article source: https://www.darkreading.com/risk/how-much-downtime-can-your-company-handle-/a/d-id/1337333?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Does the 2020 Online Census Account for Security Risk?

Experts discuss the security issues surrounding a census conducted online and explain how COVID-19 could exacerbate the risk.

For the first time since it was conducted in 1790, the US census is online. A website and mobile app for a task force of field workers aim to make the decennial population count easier and more accessible, but security experts are wondering whether the census is ready to defend against a range of cybersecurity threats – especially in the middle of a global pandemic.

This year’s census went online earlier this month, but its digitization has been in the works for years. A series of tests gave officials an indication of how many people are expected to respond on the Internet; its 2018 test indicated 61% of those who responded on their own did so online.

People can fill out the Web form with a census ID they should receive in the mail. However, they don’t have to: Phone submissions and paper submission forms are still available and began to arrive in mid-March. As part of the digitization plan, hundreds of thousands of census field workers were to be equipped with tablets to collect in-person responses via mobile app.

The decision to bring the census online was partly driven by a motivation to make responses easier, wrote Census Bureau director Steven Dillingham in a statement to the House Oversight and Reform Committee. “The new options create improved efficiencies, relieve burdens on respondents, and reassure people that assistance is but a phone call away,” he explained. The ability to respond via Internet or phone means “people can reply almost anywhere, at any time.”

A digital census could simplify the response process for Americans with Internet access, but experts fear a greater reliance on modern technology could also introduce cybersecurity risks into the data collection process. The Government Accountability Office (GAO) recognized such concerns in a June 2019 report mandating the Census Bureau fix “fundamental cloud security deficiencies” in order to better secure the 2020 census. An audit of the Census Bureau’s cloud-based systems revealed unsecured GovCloud root user keys, unimplemented security baselines, and a failure to implement basic security practices to protect Title 13 data hosted in the cloud.

One month before the 2020 census began, it was on the GAO’s “High Risk” list. A February 2020 report found “the Bureau continues to face challenges related to addressing cybersecurity weaknesses, tracking and resolving cybersecurity recommendations, and addressing numerous other cybersecurity concerns.” It had made progress, the GAO noted, but more work remained.

“When I see things like the census going online, my initial reaction is there is room for threat,” says Jason Truppi, co-founder of The Shift State. But this doesn’t mean it’s a bad decision, he adds: “I think more and more people might prefer now, and into the future, that it would be only online and not mail-based.” Still, he continues, the census will inherit more risks by going on the Web, and the census has ordered millions of extra paper forms in case people can’t respond online.

This is the government’s best and only ability to collect population data without legal process, and it says it’s ready to bring things online. It will reportedly encrypt responses to keep them confidential and it’s blocking foreign IP addresses and bots from entering data. Still, experts worry. How could digitizing the census put data at risk, and how might a compromise look?

Hacking the Census: Why, Who, and How
Census data is used to allocate seats in the House of Representatives and distribute hundreds of billions of dollars in federal funds to state and local governments, which use the money to fuel essential services, including emergency response, transportation, and healthcare. The data informs critical decisions made by communities, businesses, and all levels of government.

As such, it’s an appealing target for adversaries.

There are a few reasons why attackers would target the census data and collection process. Those who want to disrupt the distribution of funds or interfere with elections could start by compromising this data. “In all cases, the reasons are to sow discord, to erode the confidence of the people in the American process,” says Steve Moore, chief security strategist at Exabeam.

Experts agree that nation-state attackers are more likely to meddle in the census compared with cybercriminals, who could easily buy this kind of data on the Dark Web. “I would spend my effort on the low-hanging fruit, as a hacker,” Truppi says. The census collects addresses and demographics, not financial or payment card data that criminals often seek to monetize. Even nation-states may prefer non-census data sources with more accurate information: Census data is self-reported, meaning the information could be incorrectly entered by any respondent.

“Intelligence gathering and disruption are some of the main motivations for nation-state threat actors,” says Kacey Clark, threat researcher at Digital Shadows. “These motivations are specific to adversaries that target organizations or individuals for espionage or surveillance reasons.”

A denial-of-service (DoS) attack is one way the census could be disrupted. Flooding the website with traffic would generate chaos and block people from entering information. The census anticipates about 120,000 people can try to respond online simultaneously; it has reportedly built the capacity for 600,000 to enter information at the same time. Intruders could seek to manipulate data that has already been entered by breaking into the infrastructure.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/does-the-2020-online-census-account-for-security-risk/d/d-id/1337447?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple