Article | February 27, 2020
Picture this: a news story detailing a cyberattack in which no data was exfiltrated, thousands (or even millions) of credit card details weren’t stolen, and no data was breached. While this isn’t the type of headline we often see, it recently became a reality in Las Vegas, Nev. On January 7, 2020, news broke that the city of Las Vegas had successfully avoided a cyberattack. While not many details were offered in the city’s public statement, local press reported that the attack did employ an email vector, likely in the form of a direct ransomware attack or phishing attack. The use of the word “devastating” in the public statement led many to believe ransomware was involved. This inference isn’t farfetched—and is likely a correct conclusion—given that cities throughout the U.S. have seen ransomware attacks on critical systems. Attacks that have cost those cities millions of dollars.
Article | February 27, 2020
While not flashy, cryptographic processing is foundational and critical for data confidentiality, integrity, and authentication. Cryptography is what powers the world’s transactions, so it must be highly available, fast, and scalable — and, most importantly, secure. For Futurex, cryptography is in the limelight every day. As a global company, we have a presence in many of the largest banks, retailers, IoT device manufacturers, and corporations. Let me shed some light on what trends we are seeing:
1. Data encryption delivered via a service-oriented architecture:Organizations have ever-increasing volumes of applications and services that require strong cryptography with HSM-backed data encryption and key management. Managing complex cryptographic environments can be overwhelming, time-consuming, and expensive — and if not deployed or managed correctly, can introduce significant data security risks. Therefore, organizations are looking at other options and looking to experts. We’re having regular conversations with customers about how data encryption can be delivered from a service-oriented architecture standpoint. The industry is reaching a new level of maturity and is adopting cryptography and key management as a native component of its environments.
2. Cloud-based data security hardware security modules (HSMs):Enterprises and financial services organizations are increasing their adoption of cloud-based data security infrastructure. With new developments in cloud adoption, regulatory compliance, and greater data residency capabilities — and HSMs in the cloud, the infrastructure is in place. And it’s been tested. We pioneered cloud-based HSMs back in 2015, with the VirtuCrypt Hardened Enterprise Security Cloud.
3. HSM flexibility:Organizations are looking at robust solutions that meet the highest level of encryption, but that are flexible to fit the needs of their use cases, organizational infrastructure, expertise, and budget. These days, organizations have different options with HSMs: on-premises, cloud, and hybrid. A quick overview: an HSM’s core functionality is centered around encryption: the process by which sensitive data is rendered indecipherable to all except authorized recipients. Encryption is made possible using encryption keys. Because knowledge of the encryption key aids in decrypting information, it is vital that these keys are secured in a private environment.
Hardware Security Module considerations
4. Next level remote key loading: encrypted key loading. Remote key loading is not new, it’s been around for more than a decade. Remote key loading enables users — point-of-sale terminal deployers, banks, encryption services organizations (ESOs), major retailers — to remotely inject encryption keys anytime wherever they are deployed, saving time, cost, and hassle. With the growth of mobile-based terminals, remote key loading has become a necessity, ensuring that the utmost security and compliance requirements are met.
5. Contactless payments with CPoC:Contactless payments eliminate the need for card reading hardware and provide a high level of security. CPoC is a PCI SSC compliance standard that stands for Contactless Payments on COTS, or commercial off-the-shelf. This standard is helping to accelerate adoption of SoftPOS contactless payments for individuals and small businesses, while giving large retailers news ways of improving the customer payment experience. It is also expected to be widely adopted in developing economies. Contactless payments extend the point of sale beyond the checkout counter using near-field communication (NFC) chips embedded in smartphones and tablets available off the shelf. CPoC-based applications, with their transaction processing functionality and high level of security, make them advantageous for all merchants who need payment agility and scalability.
6. Future-proofing for quantum computing:OK, this is not yet a trend, but it needs to be! The rise of quantum computers is on the horizon, and this inevitable threat stands to break public key cryptography as we know it. Once quantum computers become more widespread, they will be capable of breaking common cryptographic methods used today, such as RSA, ECC, or Diffie-Hellman, simply because of how quickly they can calculate solutions. This is concerning for every organization whose security depends on public key cryptography and particularly serious for long-lifespan Internet of Things (IoT) devices such as satellites, automobiles, and critical infrastructure components that rely on cryptography for code signing. Are organization prepared for the post-quantum shift? Not yet. Enterprise-level code signing is the best way to ensure your organization’s cryptographic infrastructure remains secure now with the rise of quantum computing.
If every industry — banking, groceries, satellites, automobiles — relies on cryptography for data protection, transmission, and transactions, isn’t it time to take a closer look at your cryptographic infrastructure?
Article | February 27, 2020
What’s more, organisations should also keep in mind that prevention alone is not enough; according to IBM, the average breach detection and containment times currently sits in the region of 280 days. In this time, it’s easy for cyber attackers to gain a foothold in an environment and quickly cause damage.
“When developing a cyber security strategy, traditionally enterprises have focused on the threat prevention with little attention given to detection and often none to response,” said Martin Riley, director of managed security services at Bridewell Consulting.
Article | February 27, 2020
Global leaders want to carve out specific areas of critical infrastructure to be protected under international agreements from cyber-attacks. But where does that leave others?
There are ‘four or five steps you could take that could significantly mitigate this risk,’ Falk said. These are patching, multifactor authentication and all the stuff in the Australian Signals Directorate's Essential Eight baseline mitigation strategies. …”
Back in April of this year, a BBC News headline read, "The ransomware surge ruining lives."
And that was before the cyber-attacks on critical infrastructure sectors like Colonial Pipeline, meat-processing giant JBS, the Irish Health Service and so many others.
And when President Biden met with Russian President Putin last month in Geneva, he declared that certain critical infrastructure should be “off-limits” to cyber-attacks.
“We agreed to task experts in both our countries to work on specific understandings about what is off-limits,” Biden said. “We’ll find out whether we have a cybersecurity arrangement that begins to bring some order.”
As an initial positive step forward, this cyber defense policy makes sense. In fact, most global experts applaud these moves and efforts to better protect and clarify international crimes in cyberspace.
Previous administrations going back to George W. Bush have taken aggressive steps to ensure critical infrastructure is protected in the U.S. and around the world through actions involving people, process and technology, both offline and online. The 16 critical infrastructure sectors identified by DHS/CISA can be found here.
Still, many questions remain regarding this new policy: Will all global governments actually agree on the wording? More importantly, even if they do agree, how will the agreements be enforced? Also, what happens if some countries continue to allow criminals to attack these critical infrastructure sectors from their soil?
And my main question goes further: Even if all of these agreements and actions are 100 percent agreed upon and enforced, which most people don’t believe will happen, does this imply that every organization not covered under these 16 critical infrastructure sectors can be openly attacked without a response? Is this giving into cyber criminals for everyone else?
For example, would K-12 schools or small businesses be “fair game” and not off limits? Could this actually increase attacks for any organization not considered on the CISA list?
No doubt, some will say that schools are a part of government, and yet there are private schools. In addition, if we do cover all others somehow, perhaps as a supplier of these 16 sectors, doesn’t that make the “off-limits” list essentially meaningless?
Essentially, where is the line? Who is included, and what happens when some nation or criminal group crosses the line?
These questions became more than an intellectual thought exercise recently when the Kaseya ransomware attack impacted more than 1,500 businesses, without, in their words, impacting critical infrastructure.
CBS News reports, “Still, Kaseya says the cyber-attack it experienced over the July 4th weekend was never a threat and had no impact on critical infrastructure. The Russian-linked gang behind the ransomware had demanded $70 million to end the attack, but CNBC reported that the hackers reduced their demands to $50 million in private conversations.
"The Miami-based company said Tuesday that it was alerted on July 2 to a potential attack by internal and external sources. It immediately shut down access to the software in question. The incident impacted about 50 Kaseya customers.”
OTHER RECENT RANSOMWARE NEWS
Meanwhile, in a bit of a surprise, ransomware group REvil disappeared from the Internet this past week, when its website became inaccessible.
As Engadget reported, “According to CNBC, Reuters and The Washington Post, the websites operated by the group REvil went down in the early hours of Tuesday. Dmitri Alperovitch, former chief technology officer of the cyber firm CrowdStrike, told The Post that the group's blog in the dark web is still reachable. However, its critical sites victims use to negotiate with the group and to receive decryption tools if they pay up are no longer available. Visitors to those websites now see a message that says ‘A server with the specified host name could not be found.’"
CNBC reported: “There are 3 main possibilities for the criminal gang’s disappearance — each of which carries good and bad news for U.S. efforts to combat the ransomware scourge emanating from Russia.
The Kremlin bent under U.S. pressure and forced REvil to close up shop.
U.S. officials tired of waiting for Kremlin cooperation and launched a cyber operation that took REvil offline.
REvil’s operators were feeling the heat and decided to lay low for a while.
"This situation may send a message to some of the players that they need to find a less-aggressive business model, which could mean avoiding critical infrastructure, or it could mean avoiding U.S. targets.”
Also, the Biden administration announced several other measures to combat ransomware: “The Biden administration will offer rewards up to $10 million for information leading to the identification of foreign state-sanctioned malicious cyber activity against critical U.S. infrastructure — including ransomware attacks — and the White House has launched a task force to coordinate efforts to stem the ransomware scourge.
"It is also launching the website stopransomware.gov to offer the public resources for countering the threat and building more resilience into networks, a senior administration official told reporters.”
And yet, many experts are still predicting that ransomware will continue to grow in the near future. For example, TechHQ wrote that “identifying the culprits often isn't as big an obstacle as apprehending them.”
To show recent growth of ransomware attacks, Fox Business offered details on a Check Point report this past week that “ransomware attacks surge, growing 93 percent each week.”
Also: “'The ransomware business is booming. We’re seeing global surges in ransomware across every major geography, especially in the last two months,' said Lotem Finkelstein, head of threat intelligence at Check Point Software. 'We believe the trend is driven by scores of new entrants into the ransomware business.'"
For more background on this hot topic, a few weeks back I appeared on MiTech News to discuss the ransomware crisis.
I’d like to close with this article which offers a slightly different perspective on ransomware from ZDNet Australia:
“The threat of ransomware dominates the cyber news right now, and rightly so. But this week Rachael Falk, chief executive officer of Australia's Cyber Security Cooperative Research Centre, made a very good point.
Ransomware is ‘Totally foreseeable and preventable because it's a known problem," Falk told a panel discussion at the Australian Strategy Policy Institute (ASPI) on Tuesday.
‘"It's known that ransomware is out there. And it's known that, invariably, the cyber criminals get into organisations through stealing credentials that they get on the dark web [or a user] clicking on a link and a vulnerability," she said.
‘We're not talking about some sort of nation-state really funky sort of zero day that's happening. This is going on the world over, so it's entirely foreseeable.’"
Article Orginal Source: