8 security trends 2019

True to tradition, Basefarm’s Head of Security Operations has looked deep into his crystal ball to see what the new year holds. Here are eight security trends to look out for in 2019.

1. Workforce gap necessitates different solutions

According to (ISC)², the world is short of roughly three million cybersecurity professionals, and Europe alone has a workforce gap of 147,000. Without that shortfall, the organisation’s 138,000 membership would be even larger. The gap calls for a different approach to meeting security needs, for example competence-sharing with other enterprises or with a security operations centre (SOC).

2. DDoS attacks are becoming less common but more powerful

Distributed Denial of Service (DDoS) attacks remain a major worry. Originally the point of such an attack was pure sabotage; nowadays it is often one step in an extortion scheme, combined with the theft of important data and blackmail of the victim. The trend among perpetrators is not to spread their efforts widely but to concentrate fewer, more aggressive attacks on chosen targets.

3. Cryptojacking less risky for the attackers than DDoS

The downside for the bad guys of DDoS and many other cyberattacks is the risk of discovery. For this reason many are turning to cryptojacking instead: infiltrating a large number of computers in order to “mine” cryptocurrency. It is a quick way for cybercriminals to earn money, by getting thousands of computers to work for them for free. There is no obvious damage, and many victims are scarcely aware of the extra processing power and electricity being used. Those who do discover the intrusion are often content just to block access. That is a mistake: whoever planted the miner has a foothold on the machine and can use it for something worse tomorrow, so treat a miner as the compromise it is and find out how it got in.
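Miners have to talk to a pool, and they do so with the Stratum JSON-RPC protocol, so outbound traffic is where a cryptojacked host gives itself away even when nobody notices the CPU load. The detector below is an added example, not Basefarm’s code: it scores constructed connection records (source, destination:port, first payload bytes, as an IDS or proxy might export them) on the Stratum method name, a known miner agent string and a commonly used pool port, and only alerts when the evidence is strong enough that a port number alone does not trigger it. The method names, agent strings and port list are the ones common pool clients use; the records themselves are made up for the example.

```python
"""Flag Stratum mining traffic in outbound connection records.

Added example, not Basefarm's code. The records below are constructed in a
"src dst:port first_payload" shape such as an IDS or proxy might export.
Stratum is the JSON-RPC protocol miners use to talk to pools; the method
names listed are those used by common Bitcoin-style and XMRig-style clients.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALERT_THRESHOLD = 3  # a Stratum method alone is enough; a port alone is not

# JSON-RPC methods used by Stratum pool clients (Bitcoin dialect and Monero/XMRig dialect).
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "getjob", "submit"}
# Ports public pools commonly listen on. Only a weak signal on its own.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Agent strings that well-known miners put in their first message.
MINER_AGENT = re.compile(r"xmrig|cpuminer|ethminer|nicehash|claymore", re.I)

# Constructed sample: two infected hosts, one web client, one wallet RPC call.
CONSTRUCTED_RECORDS = """\
10.0.1.23 203.0.113.10:3333 {"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}
10.0.1.23 203.0.113.10:3333 {"id":2,"method":"mining.authorize","params":["wallet.rig1","x"]}
10.0.1.51 198.51.100.7:14444 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4AfDEMOWALLET","pass":"x","agent":"XMRig/5.11.1"}}
10.0.1.77 192.0.2.44:443 GET /index.html HTTP/1.1
10.0.1.88 192.0.2.9:4444 {"id":7,"method":"eth_getBalance","params":[]}
"""


@dataclass
class Verdict:
    src: str
    dst: str
    port: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def classify(record: str) -> Optional[Verdict]:
    """Score one record; None if it does not have the expected shape."""
    parts = record.split(" ", 2)
    if len(parts) != 3 or ":" not in parts[1]:
        return None
    src, dst, payload = parts
    host, port = dst.rsplit(":", 1)
    if not port.isdigit():
        return None
    verdict = Verdict(src=src, dst=host, port=int(port))

    method = None
    try:
        msg = json.loads(payload)
        if isinstance(msg, dict):
            method = msg.get("method")
    except json.JSONDecodeError:
        pass  # not JSON-RPC at all (plain HTTP, TLS, ...)

    if method in STRATUM_METHODS:
        verdict.score += 3
        verdict.reasons.append(f"stratum method {method}")
    if MINER_AGENT.search(payload):
        verdict.score += 2
        verdict.reasons.append("known miner agent string")
    if verdict.port in POOL_PORTS:
        verdict.score += 1
        verdict.reasons.append(f"common pool port {verdict.port}")
    return verdict


def suspicious_hosts(records: str, threshold: int = ALERT_THRESHOLD) -> List[str]:
    """Source hosts whose strongest record reaches the alert threshold."""
    best: Dict[str, int] = {}
    for line in records.splitlines():
        verdict = classify(line)
        if verdict is not None:
            best[verdict.src] = max(best.get(verdict.src, 0), verdict.score)
    return sorted(src for src, score in best.items() if score >= threshold)


if __name__ == "__main__":
    for line in CONSTRUCTED_RECORDS.splitlines():
        v = classify(line)
        print(f"{v.src} -> {v.dst}:{v.port} score={v.score} {v.reasons}")
    print("alert:", suspicious_hosts(CONSTRUCTED_RECORDS))
```

On the sample, the two hosts that speak Stratum are reported and the host that merely happens to use port 4444 is not. Pools increasingly hide behind TLS, in which case the payload is opaque and the remaining signals are the port, the destination reputation and the endpoint's own CPU history; this network check is one layer, not the whole answer.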

4. IoT made for trouble

The security issues linked to IoT are not new, but the trend is from bad to worse. The simple explanation is a steep rise in sales of IoT devices: not only are unit sales increasing, but more manufacturers are trying to join in, and not all of them take security as seriously as the established big brands. The key concerns are configuration errors, default passwords and devices that cannot be updated at all.

5. And you thought GDPR was strict? Now NIS is on the way

GDPR gives you 72 hours from becoming aware of a personal data breach to notify the supervisory authority, and affected individuals must be told without undue delay when the breach puts them at high risk. Looking the other way and detecting nothing is not a solution. Businesses therefore need to monitor infrastructure and logs, using an in-house or external Security Incident Response Team (SIRT). In certain sectors breach reporting has to happen within 24 hours. On top of this comes the NIS Directive, with its own incident-reporting duties for operators of essential services and digital service providers; key aspects of it apply from November 2018. A lot of businesses will need to get their heads round this.

6. Safer in an unlit back alley than online

According to the UK’s Office for National Statistics, you are 30 times more likely to be robbed online than in ‘real’ life. With purses and wallets containing little more than easily blocked payment cards, street robbery is going out of fashion. Money has moved into cyberspace, with the thieves hot on its tail.

7. Decryption is sneaking up from down under

The Australian Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, widely known as the Anti-Encryption Bill, was passed on 6 December 2018 and comes into force early in 2019. Under the legislation, law enforcement authorities can oblige tech giants such as Google, Facebook, WhatsApp, Amazon and Microsoft to help them access encrypted data. The assistance can include removing electronic protection, installing existing decryption software and developing new capabilities. Serious financial penalties await non-compliant companies.

8. IT pros and the white hats strike back

Some of the largest and best-known cyberhacks have been down to sloppy IT practices. The black hat hackers are becoming more sophisticated, but so too are the white hats and other infosec professionals. Measures that go a long way towards protecting enterprises include scanning applications and fixing the vulnerabilities found, two-factor or multi-factor authentication, distinct user names and long passwords, prompt patching and installation of security updates, and training users to resist their curiosity about funny-looking emails.

SEE ALSO: Star Wars – good versus evil – white hats against black hats.

Author: Fredrik Svantes, Senior Information Security Manager, Basefarm

Fredrik Svantes is the Head of the Basefarm Security Operations department and has also led the Basefarm Security Incident Response Team for the past seven years. Previously he worked for companies such as Blizzard Entertainment, doing detective work on logs for massive online platforms running games such as World of Warcraft. Blog: http://bfblogg.wpengine.com. Twitter: @fredriksvantes.

Multi-factor authentication time?

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

With billions of user credentials being freely distributed online, it is high time to make multi-factor authentication the default way to authenticate.

Wired has written an article about the magnitude of leaks:

“Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a patched-together set of breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all.”


How to improve control and save cost with Service Organization Controls (SOC) reports.

All forms of IT outsourcing, whether to a local service provider or a global hyperscale cloud provider, have this in common: you can outsource a business process, but you cannot outsource ownership of your business’s risk.

That is why companies that outsource must find ways to ensure their service providers perform according to the rules, standards and laws the business requires.

Traditionally this works by including “right-to-audit” clauses in the contracts with service providers. Typically once a year the right is exercised by having IT auditors visit the provider to take a closer look at its set-up, the services it provides, its sites, infrastructure, operational processes, system support and people.

In today’s hybrid, complex and distributed IT world, on-site audits can only cover a very limited set of controls, or else they become extremely time-consuming and expensive. As the contracting party you normally have to cover the IT auditors’ fees, the time your own staff spend preparing, attending and interpreting findings, and the service provider’s time as well.

Because of these time and cost constraints, such audits usually only scratch the surface at the service provider.

So what should you do to satisfy your own, or your auditor’s, need for assurance that the services are delivered in accordance with your security requirements, and with a quality of service that reduces your risk?

Let us introduce Third Party Attestation Reporting (SOC reports)

What is it?

Service Organization Controls (SOC) reports are prepared and issued by an independent audit firm. They contain the service organization’s description of its internal security controls together with the auditor’s assessment of the suitability and effectiveness of those controls. The full, unedited reports are distributed to the service organization’s customers and their auditors.

Report types and intended use

There are several types of reporting standards:

  • ISAE3402 / SOC1. Covers internal controls relevant to the customer’s financial reporting, with compliance with laws and regulations as the purpose. The intended users are the customer’s management and their auditors.
  • SOC2. Reports on internal controls related to general information security, availability and confidentiality (the standard also defines processing integrity and privacy criteria). For each of these domains the criteria are predefined by the standard, not by the service organization. Intended users are the customer’s management, information security managers and regulators.
  • SOC3. A less detailed report, usually an executive summary of a SOC2 report. Because it discloses fewer details it is typically made generally available, for instance on the service provider’s website.

SOC1 and SOC2 both come in Type I and Type II.

Type I is point-in-time: it only covers how the security controls have been designed and implemented by the service organization at the date of the audit.

Type II assesses and validates both the suitability of the controls (that they are designed and implemented in a way that meets the control objectives) and their operating effectiveness (that they are consistently applied by the service organization). To prove the latter, the auditor takes random samples and collects evidence from across the whole reporting period, typically twelve months.

What makes this different from ISO certifications?

There is a great deal of overlap between the information security management standard ISO27001 and SOC attestation reports. ISO27001, however, lets companies define their own scope and their own benchmarks (security policies and goals). So before accepting a service provider’s ISO27001 certificate as evidence that the provider fulfils your security requirements, you at least need to understand the scope and the security policies the certification is based on, and check that they match your needs.

ISO audit reports are generally not available to anyone but the audited party. Customers may be given the certificate itself, perhaps a copy of the security policies, and a document describing the scope of the audited management system, but organizations are usually not allowed to distribute the full audit report.

With an ISAE3402 or SOC2 report, however, you get full insight into every part of a very comprehensive document. Among other things the report includes the organization’s management assertion and its description of the security controls, as well as the independent auditor’s test procedures, test results and findings.

Note that a SOC report is not a certification as such, but an attestation report produced by an independent auditor.

The main benefits

Getting the appropriate SOC report from your service provider gives you the following benefits:

  • Save cost on performing your own audits. Such audits will no longer be required, or will at least need a much reduced scope.
  • Get the full picture. As the reports are based on samples from the full (twelve-month) reporting period, they cover far more than you could assess in customer-specific audits.
  • Leverage the reports in your own audit and reporting. As they are based on internationally recognized standards, your auditors can make use of them directly.
  • Get insight into your service provider’s security controls. The reports include the provider’s description of the control environment, the processes and the individual controls.
  • Get verification of control effectiveness. This lets you assess whether the service provider’s day-to-day control effectiveness is satisfactory, and where you should focus your improvement efforts.

Win-Win strategy

The service provider benefits too: the number of audits goes down and the auditing that remains is more coordinated and efficient. That should eventually mean lower compliance costs for everyone.

The next time you review the security compliance of your service provider, or select an outsourcing partner, check whether you can get access to their SOC reports. It gives you better control at a lower cost, and that is what we all want, right?


Esten Hoel is our SVP Security and Compliance and part of the Basefarm management team. He has a long history in the IT industry, and has also worked in mobile communications and for the 1994 Winter Olympics in Lillehammer. He is passionate about transforming security so that it supports people and organizations; he believes that policies, technology and processes are there to help and to enable innovation, not to stop organizations. His motto is “systematic work always works”.

Esten Hoel, SVP Security and Compliance, Basefarm

 

Unprotected Government Server Exposes Years of FBI Investigations

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

“A massive set of government data belonging to the Oklahoma Department of Securities (ODS) was left unsecured on a storage server for at least a week, exposing a whopping 3 terabytes of data containing millions of sensitive files.

The unsecured storage server, discovered by Greg Pollock, a researcher with cybersecurity firm UpGuard, also contained decades worth of confidential case files from the Oklahoma Securities Commission and many sensitive FBI investigations—all wide open and accessible to anyone without any password.”


Give Up the Ghost: A Backdoor by Another Name

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Government Communications Headquarters (GCHQ), the UK’s counterpart to the National Security Agency (NSA), has fired the latest shot in the crypto wars. In a post to Lawfare titled Principles for a More Informed Exceptional Access Debate, two of Britain’s top spooks introduced what they’re framing as a kinder, gentler approach to compromising the encryption that keeps us safe online. This new proposal from GCHQ—which we’ve heard rumors of for nearly a year—eschews one discredited method for breaking encryption (key escrow) and instead adopts a novel approach referred to as the “ghost.”

But let’s be clear: regardless of what they’re calling it, GCHQ’s “ghost” is still a mandated encryption backdoor with all the security and privacy risks that come with it.


Security Software & Tools Tips – January 2019

In this monthly post we try to make you aware of five different security-related products.
This is a repost from my personal website, Ulyaoth.

This month we have chosen the following:
* Elastic Stack
* Security Onion
* Wireshark
* Cuckoo
* BeEF

Elastic Stack

Information from the Elastic Stack website:

Threats don’t follow templates. Neither should you. The Elastic Stack gives you the edge you need to keep pace with the attack vectors of today and tomorrow.

Website:

https://www.elastic.co/

Security Onion

Information from the Security Onion website:

Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Website:

https://securityonion.net/

Wireshark

Information from the Wireshark website:

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

Website:

https://www.wireshark.org/

Cuckoo

Information from the Cuckoo website:

Cuckoo Sandbox is the leading open source automated malware analysis system. What does that mean? It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Website:

https://cuckoosandbox.org/

BeEF

Information from the BeEF website:

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Website:

https://beefproject.com/

Photo by Markus Spiske on Unsplash

EU launches bug bounty programs for 15 software projects

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The European Commission has decided to launch a series of bug bounty programs under its Free and Open Source Software Audit (FOSSA) project.

Starting in January, the Commission will fund bug bounty programs for a number of open source projects used within the EU institutions. The initiative is part of the third edition of the FOSSA project, which aims to ensure the integrity and reliability of the internet and other infrastructure.


What is the Australian Anti-Encryption Bill?

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The Australian Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, also known as the Anti-Encryption Bill, was passed on 6 December, and it is expected to become law early in 2019. The bill allows Australian law enforcement to force tech giants such as Google, Facebook, WhatsApp, Amazon and Microsoft to help them access encrypted information.

Under the bill, the Australian government and law enforcement agencies can require tech companies to assist in obtaining encrypted data, for instance by removing electronic protection, installing existing software or building new capabilities to decrypt communications. Companies that do not comply face massive financial penalties.


Should you build your own SOC or use one as a service?

You’ve done your homework and decided your company needs a Security Operations Center (SOC) to keep yourself protected and your customers’ data secure. You have a few options available: should you build your own SOC or find a provider for SOC as a service?

The benefit of having your own SOC is exactly that: it is yours, under your control and dedicated to your environment. Depending on your needs you might need one, but there are quite a few problems here.

Big money for rare security talent

Good security people are hard to find and are not cheap. You will need to hire quite a few rare and expensive specialists if you want true 24/7/365 coverage, so be prepared for a long recruitment process. You will have high upfront capital costs for starting a new department in your company, and you will also need to worry about the running expenses. The overwhelming majority of corporations conclude that building their own SOC is not realistic because of the costs.

Additionally, your own SOC will only handle incidents at your own company. Most likely that will not happen very often, so your experts will get rusty over time. A provider of SOC as a service has a plethora of clients and will see what is happening in the threat landscape before it reaches you.

The corporate landscape is always changing, with mergers, acquisitions, strategic business decisions and the like. If your corporation makes a major change, your own SOC will need to change as well. Scaling your SOC up or down as your corporation changes is a painful and time-consuming process, which is another disadvantage.

Efficiency of SOC as a service

Going to a SOC provider like Basefarm means going to a professional that has already invested in the necessary staff, equipment and tools. They have many other clients, so you get the benefit of their experience. Most likely they are also heavily involved in the security industry, as members of associations where they can hone their skills and pass along the latest knowledge. SOC as a service is probably also going to be much cheaper.

Building your own SOC versus contracting SOC as a service comes down to your company’s individual needs. Creating your own may well be the best option for you, but for the majority of firms hiring an expert SOC provider makes more sense. You get the skills, experience, industry contacts, continuous learning and efficiency at a lower cost, which is a pretty easy business case to make.


This might interest you too:

What is a Security Operation Center and why do you need it?

How do you find the right SOC provider for your company? 

 

Author: Fredrik Svantes, Senior Information Security Manager, Basefarm


What is a Security Operations Center and why do you need it?

Your company has digital assets that need to be protected. GDPR requires you to detect security incidents involving personal data and to report them to the supervisory authority within 72 hours of becoming aware of them, so you also have a legal obligation to be secure. You have responsibly defended yourself with cyber security tools like firewalls, antivirus and intrusion detection. So you’re good, right? Well, maybe not.

Put guards on your walls

These defensive tools are configured to perform specific tasks, but new vulnerabilities are discovered every day, and new attacks and threats develop constantly. The tools are useful, but there is no such thing as 100% protection. If you haven’t been breached yet, most likely you will be.

Only having security tools is like building a wall to keep out the barbarians but neglecting to staff it with guards. You can’t just install your security tools and leave them running; you need someone to also monitor what is going on.

When an incident happens, you need to detect it and respond very quickly. This is the job of the Security Operations Center (SOC), and this is what makes it invaluable.
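What “monitoring what is going on” looks like in practice is a rule that reads the logs and raises an alert a human has to look at. The code below is an added example, not Basefarm’s tooling: it runs a classic SOC rule over constructed sshd log lines (standard syslog format, made up for this example), raising a brute-force alert when one source fails five logins within sixty seconds, and escalating separately when that same source later succeeds, since that second event is the one that needs a responder rather than a ticket. The window, threshold and alert names are this example’s own choices.

```python
"""Brute-force detection over sshd authentication logs, as a SOC monitoring
rule would run it.

Added example, not Basefarm's tooling. The log lines are constructed in
standard syslog/sshd format. Rule: THRESHOLD or more failed logins from one
source within WINDOW seconds raises a brute_force alert; a later successful
login from that source is escalated separately, since that is the event that
needs a responder rather than a ticket.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

WINDOW = 60      # seconds
THRESHOLD = 5    # failures within WINDOW

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: one password-spraying source that eventually gets in,
# one user who mistyped once, one source that gave up after two attempts.
CONSTRUCTED_LOG = """\
Jan 14 10:00:01 web1 sshd[4011]: Failed password for invalid user admin from 198.51.100.20 port 51110 ssh2
Jan 14 10:00:03 web1 sshd[4012]: Failed password for root from 198.51.100.20 port 51112 ssh2
Jan 14 10:00:05 web1 sshd[4013]: Failed password for root from 198.51.100.20 port 51114 ssh2
Jan 14 10:00:07 web1 sshd[4014]: Failed password for invalid user oracle from 198.51.100.20 port 51116 ssh2
Jan 14 10:00:09 web1 sshd[4015]: Failed password for root from 198.51.100.20 port 51118 ssh2
Jan 14 10:00:11 web1 sshd[4016]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Jan 14 10:00:13 web1 sshd[4017]: Accepted password for alice from 10.0.0.5 port 40000 ssh2
Jan 14 10:00:40 web1 sshd[4018]: Accepted password for deploy from 198.51.100.20 port 51120 ssh2
Jan 14 10:05:00 web1 sshd[4020]: Failed password for root from 203.0.113.9 port 6000 ssh2
Jan 14 10:05:01 web1 sshd[4021]: Failed password for root from 203.0.113.9 port 6001 ssh2
"""


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """(timestamp, result, user, ip) for an sshd password event, else None."""
    m = LINE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative ordering is all the rule needs.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def analyse(log: str, window: int = WINDOW, threshold: int = THRESHOLD) -> List[Dict]:
    """Run the rule over a log and return the alerts in the order they fire."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts: List[Dict] = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # not an sshd password event
        ts, result, user, ip = rec
        if result == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window:
                recent.popleft()  # slide the window forward
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "user": user,
                               "count": len(recent), "at": ts.strftime("%H:%M:%S")})
        elif ip in alerted:
            # A success from a source we already flagged: this is the incident.
            alerts.append({"type": "success_after_brute_force", "ip": ip, "user": user,
                           "count": len(failures[ip]), "at": ts.strftime("%H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for alert in analyse(CONSTRUCTED_LOG):
        print(alert)
```

On the sample the rule fires twice, both for 198.51.100.20: the brute-force alert at the fifth failure and the escalation when `deploy` logs in from the same address half a minute later. Alice's single typo and the two attempts from 203.0.113.9 stay below the threshold, which is the point of having one: an analyst who is paged for every failed login stops reading pages.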

Be active, not passive

A SOC is a department dedicated and organized to prevent, detect, assess and respond to security issues in IT systems and infrastructure. These are your guards on the walls, ready to react when they see barbarians at the gate. A SOC can be your own department or a provider of SOC as a service.

Basefarm’s SOC includes:

• Certified security alert analysts who review and act on security incidents 24/7/365.
• A Security Incident Response Team (BF-SIRT) that works on incidents escalated by the security analysts.
• Security engineers who continuously improve and implement security solutions and are ready to react to emerging threats.

More than simply reacting to events

A SOC responds quickly to incidents, but its security experts also provide proactive security. They follow new threats before those materialize in your environment. They know what hardware and software you are running and can keep an eye on threats developing against exactly that. They suggest ways to improve and strengthen your IT environment, and when something does occur they can help with forensics, so that you learn from the incident and take steps to strengthen yourself further.


This might interest you too:

Should you build your own SOC or use one as a service?

How do you find the right SOC provider?

 

Author: Fredrik Svantes, Senior Information Security Manager, Basefarm
