Infosec Island Latest Articles (https://www.infosecisland.com)

2017 Singapore ICS Cyber Security Conference Call for Papers is Open! (APAC)
https://www.infosecisland.com/blogview/24879-2017-Singapore-ICS-Cyber-Security-Conference-Call-for-Papers-is-Open-APAC.html
Wed, 01 Feb 2017 09:57:00 -0600

The official Call for Papers (presentations) for SecurityWeek's 2017 Singapore Industrial Control Systems (ICS) Cyber Security Conference, being held April 25–27 at the Fairmont Singapore, is now open.

As the largest and longest-running cyber security event series focused on the industrial control systems sectors, the conference caters to energy, water, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations.

Over its long history, the conference has delivered value to attendees through a robust exchange of technical information, actual incidents, insights, and best practices that help protect critical infrastructure from cyber attacks.

Produced by SecurityWeek, the conference addresses ICS/SCADA topics including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.

The conference is unique in that it has historically focused on control system end users from various industries and on what cyber vulnerabilities mean for control system reliability and safe operation. It also has a long history of discussing actual ICS cyber incidents.

The 2017 conference is expected to attract hundreds of professionals from the Asia Pacific (APAC) region, including representatives of large critical infrastructure and industrial organizations as well as military and government officials.

Through the Call for Papers, a conference committee will accept speaker submissions for possible inclusion in the program of SecurityWeek’s 2017 ICS Cyber Security Conference | Singapore.

The conference committee encourages proposals for both main track and “In Focus” sessions. All sessions are 45 minutes in length including Q&A.

The Conference Committee is particularly interested in submissions on the following topics: ICS/SCADA cyber incidents in the APAC region, results and observations from ICS/SCADA mitigation measures, results and observations from ICS/SCADA vulnerability assessments, live attack demonstrations, vulnerabilities and exploits, and results and observations from joint IT/ICS projects.

To be considered, interested speakers should submit proposals by email to events(at)securityweek.com with the subject line “ICSS2017 CFP” by February 28, 2017. Submissions will be reviewed on an ongoing basis so early submission is encouraged.

Submissions must include the proposed presentation title; an informative session abstract, including learning objectives for attendees if relevant; and contact information and a bio for the proposed speaker.

All speakers must adhere to the 100% vendor neutral / no commercial policy of the conference. If speakers cannot respect this policy, they should not submit a proposal.

Plan on Attending the 2017 ICS Cyber Security Conference | Singapore? Online registration is now open, with discounts available for early registration.

Sponsorship Opportunities

Sponsorship and exhibitor opportunities for SecurityWeek’s 2017 Singapore ICS Cyber Security Conference are available. Please contact events(at)securityweek.com for information.

Copyright 2010 Respective Author at Infosec Island
Android Trojan Downloads Google Play Apps onto SD Cards
https://www.infosecisland.com/blogview/24878-Android-Trojan-Downloads-Google-Play-Apps-onto-SD-Cards.html
Wed, 01 Feb 2017 06:19:19 -0600

A newly discovered Android Trojan can download applications from Google Play, but saves them onto the SD card instead of installing them, to keep this malicious activity hidden from the user, Doctor Web researchers warn.

Detected as Android.Skyfin.1.origin, the malware infiltrates running Google Play processes in order to download applications. It is believed to be distributed by Trojans of the Android.DownLoader family, which usually gain root access on infected devices and covertly install additional malicious applications into the system directory.

According to Dr.Web security researchers, Trojans such as Android.DownLoader.252.origin and Android.DownLoader.255.origin contain code fragments characteristic of Android.Skyfin.1.origin, so it is likely that Skyfin is distributed specifically by those related malicious applications.

When launched on an infected device, the malware injects a second module, Android.Skyfin.2.origin, into the Google Play process. This module steals the mobile device’s unique ID, the device owner’s account, the internal authorization codes used to connect to the Google Play catalog, and various other confidential data.

The stolen information, which allows the malware to interact with Google services, is passed to the main component of Android.Skyfin.1.origin. The Trojan also sends all of the gathered data, along with the device’s technical information, to the command and control server.

The malware abuses the stolen data to connect to the Google Play catalog and impersonate the Play Store application. Among the commands it can execute: searching the catalog to simulate user actions, requesting application purchases, confirming purchases, confirming consent to a license agreement’s terms, and requesting a link to download an APK file from the catalog.

Additionally, the malicious program was designed to add, delete, and rate reviews in the Google Play marketplace, as well as to confirm a program’s download, which artificially inflates the total number of installs for that application.

Downloaded programs, however, are not installed, but instead saved to the SD card, which prevents victims from noticing an increase in the number of applications on their devices. This also means that the Trojan is likely to stay unnoticed on the infected devices longer, where it can continue increasing the number of installs of specific Google Play applications and artificially raising their popularity.

The security researchers explain that several modifications of the Trojan are in the wild, including one that can download any app from the store based on a list of software that the cybercriminals supply to the malware. Another variant can download only one program, namely com.op.blinkingcamera.

“The Trojan simulates a tap on a Google AdMob banner containing an advertisement of this program, downloads its APK file, and automatically increases the number of total installs by confirming the bogus installation on the Google server,” the security researchers reveal.

Because Android.Skyfin.1.origin is installed in the system directory, only anti-malware applications that have root access on the infected device can remove it, Doctor Web notes.
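A device-side triage pass for the two indicators the report describes (APK files parked on external storage that belong to no installed package, and packages sitting under /system/ that the firmware image never shipped), as an added example rather than anything from Dr.Web or the original article. It parses the output format of `pm list packages -f`; the listings below are constructed sample output, and the firmware baseline set and the package name com.example.sysdropper are assumptions.

```python
"""Triage an Android device listing for Skyfin-style indicators.

Added example, not part of the Dr.Web report or the Infosec Island text.
Sample listings are constructed in the format of `pm list packages -f` and
`find /sdcard -type f`; SYSTEM_BASELINE and com.example.sysdropper are assumptions.
"""
import re

PM_LIST_OUTPUT = """\
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/system/priv-app/Phonesky/Phonesky.apk=com.android.vending
package:/data/app/com.example.chat-1/base.apk=com.example.chat
package:/system/app/SysUpdate/SysUpdate.apk=com.example.sysdropper
"""

SDCARD_FILES = """\
/sdcard/DCIM/Camera/IMG_20170131_101502.jpg
/sdcard/Download/com.op.blinkingcamera.apk
/sdcard/.cache/.tmp/app-1.apk
/sdcard/Music/track01.mp3
"""

# Assumption: package names shipped in the device's firmware image.
SYSTEM_BASELINE = {"com.google.android.gms", "com.android.vending"}

PM_LINE = re.compile(r"^package:(?P<path>\S+\.apk)=(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    installed = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def unexpected_system_packages(installed, baseline):
    """Packages under /system/ that the firmware baseline does not list.
    A rooted downloader drops Skyfin there, so these deserve a look."""
    return {pkg: path for pkg, path in installed.items()
            if path.startswith("/system/") and pkg not in baseline}


def orphan_apks(sdcard_listing, installed):
    """APK files on external storage that are not the APK of any installed package.
    Skyfin parks downloaded Play APKs on the SD card without installing them."""
    known_paths = set(installed.values())
    return [p for p in (l.strip() for l in sdcard_listing.splitlines())
            if p.lower().endswith(".apk") and p not in known_paths]


def triage(pm_output, sdcard_listing, baseline=SYSTEM_BASELINE):
    """Return (category, detail) findings for an analyst to review."""
    installed = parse_pm_list(pm_output)
    findings = []
    for pkg, path in sorted(unexpected_system_packages(installed, baseline).items()):
        findings.append(("unexpected-system-package", f"{pkg} at {path}"))
    for path in orphan_apks(sdcard_listing, installed):
        findings.append(("orphan-apk-on-sdcard", path))
    return findings


if __name__ == "__main__":
    for category, detail in triage(PM_LIST_OUTPUT, SDCARD_FILES):
        print(f"{category}: {detail}")
```

Feed it real output from an adb shell session (`pm list packages -f` and `find /sdcard -type f`). An orphan APK on its own is only a lead, since ordinary sideloading leaves the same trace; combined with an unexpected package under /system/ on a device that should not be rooted, it is a strong one.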

Related: "Gooligan" Android Malware Steals Authentication Tokens to Hack Accounts

Related: Xiny Android Trojans Can Infect System Processes

Related: Mobile Malware Shows Rapid Growth in Volume and Sophistication

FriendFinder Breach Highlights the Need for Better Practice in Password Security
https://www.infosecisland.com/blogview/24877-FriendFinder-Breach-Highlights-the-Need-for-Better-Practice-in-Password-Security.html
Tue, 31 Jan 2017 07:32:00 -0600

The FriendFinder Network breach is a perfect example of how poor password storage can exacerbate the impact of a breach and expose accounts to further exploitation. Storing passwords in clear text, or using weak hashing schemes, makes it far easier for attackers to exploit the stolen data.

FriendFinder Networks owns several adult-only websites where individuals input their own details in the hope of finding a match, and this is not the first time it has been hit by a data breach. In May 2015, the details of four million users were leaked. Unfortunately, it seems that FriendFinder has not learnt its lesson, as this recent attack is very similar to the one it suffered the previous year. It would seem that it has done very little to improve its security, with many newly registered accounts having passwords still stored in clear-text.

The latest leak, which included the personal information of 412 million FriendFinder users, is the largest breach of its kind and just one more in a long list of high-profile attacks in the past few years. Customers who had previously deleted their accounts also found that their details had been stolen, revealing that FriendFinder was retaining deleted customer account details without permission. It has also become apparent that FriendFinder did not store passwords securely: in total, 99% of the passwords, including those hashed with SHA-1 or stored in plain text, were recovered by LeakedSource, a data breach monitoring service.

Furthermore, the effect of the breach of passwords was not limited to accounts on FriendFinder, as it is still a common practice for people to use the same password multiple times. This makes a hacker’s job far easier, as once they have successfully discovered a password they will try to use it on all other sites requiring one, potentially gaining access to numerous accounts.

Best practice for protecting passwords

FriendFinder is far from the only company to fall short when it comes to password best practice however, and there are a number of steps all companies should be taking to prevent themselves becoming the next headline.

When it comes to protecting sensitive information on websites, users should be advised on how to create strong passwords. Traditionally, a mixture of upper and lower case letters, words, numbers and symbols has been suggested. General advice is also to avoid easily guessed combinations of words or numbers, especially consecutive ones or ones someone could easily deduce, such as dates of birth or well-known names connected to you. Words found in the dictionary are also easy to crack: password-cracking tools are readily available on the internet and ship with dictionary and common word or name lists.

The National Cyber Security Centre (previously CESG) has recently published more modern advice on choosing strong passwords. These guidelines favour long, memorable passphrases over short passwords that expire often, because long passphrases are considerably harder for attackers to crack.

But protecting passwords is not just a user’s responsibility. Companies must also store user credentials appropriately. The current preferred way to store passwords is with adaptive one-way functions that take a salt and a configurable work factor. A unique, cryptographically random salt per password defeats dictionary attacks based on pre-computed lookup tables and forces an attacker to crack every hash separately. The work factor sets how expensive each verification is, so it can be tuned to impose a long per-guess cost on attackers and make cracking at scale impractical. Examples of such algorithms that should be used today to store passwords include Argon2, PBKDF2, scrypt and bcrypt.
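The storage scheme recommended above, as an added example that is not from the original article: unsalted SHA-1 beside salted scrypt with its parameters stored alongside the hash, plus the constant-time verification and the rehash check a login path needs. It uses only the Python standard library (hashlib.scrypt requires an OpenSSL build with scrypt support); the stored-string layout, the scrypt parameters and the candidate password list are assumptions. Argon2 or bcrypt slot in the same way through their own libraries.

```python
"""Password storage: unsalted SHA-1 beside a salted, tunable KDF.

Added example, not from the original article. Standard library only; the
"$scrypt$N$r$p$salt$key" layout, the cost parameters and the candidate list
are assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB per hash; raise as hardware allows
SALT_BYTES, KEY_BYTES = 16, 32


def weak_sha1(password: str) -> str:
    """What the breached site did: fast, deterministic, unsalted."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return "$scrypt$N$r$p$salt$key" so the parameters travel with the hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(key))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    _, scheme, n, r, p, salt_b64, key_b64 = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme: " + scheme)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored work factor is below current policy; rehash at next login."""
    _, scheme, n, r, p, _salt, _key = stored.split("$")
    return scheme != "scrypt" or (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def lookup_table_attack(dumped_hash: str, candidates) -> Optional[str]:
    """A precomputed table turns unsalted SHA-1 into one dictionary lookup."""
    table = {weak_sha1(pw): pw for pw in candidates}
    return table.get(dumped_hash)


if __name__ == "__main__":
    common = ["123456", "password", "qwerty", "letmein"]
    print("SHA-1 recovered:", lookup_table_attack(weak_sha1("letmein"), common))
    stored = hash_password("letmein")
    print("scrypt recovered:", lookup_table_attack(stored, common))
    print("login ok:", verify_password("letmein", stored))
```

The point of lookup_table_attack is the asymmetry: one table built once recovers every unsalted SHA-1 hash in a dump, while a salted scrypt string is never in the table, and even a targeted attack pays the full work factor for every guess. needs_rehash is how the work factor gets raised over time without a forced password reset: check it after every successful login and rehash with the current parameters.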

We must assume that, even with strong passwords and appropriate storage, an attacker could still in some cases retrieve passwords, for example through keyloggers. An additional defence-in-depth control should therefore be considered in the form of multi-factor authentication, an obvious step to increase account security and limit the exposure of accounts whose passwords have been compromised.

Preventing password theft

Finally, it is also important to build processes and controls that help reduce the probability of credentials being stolen. The FriendFinder breach was reportedly caused by a Local File Inclusion (LFI) vulnerability. Introducing security activities from the very beginning in the Software Development Lifecycle and ensuring all developers are properly trained on security topics are good controls that would have helped prevent and/or detect this type of vulnerability before the application went live. ​

Given the number of large-scale attacks we have seen in a relatively short space of time (TalkTalk and the Panama Papers, to name just two), it is more important than ever that organisations make data security a priority. They must implement software that stores all passwords following the most up-to-date security guidance. They also need to advise users on how to create strong passwords or passphrases that are difficult to guess or to recover by brute force. Every extra character multiplies the brute-force search space by the size of the character set, so longer passphrases are dramatically harder to crack.

New Year’s Resolution 2017: Build Better Security Programs
https://www.infosecisland.com/blogview/24876-New-Years-Resolution-2017-Build-Better-Security-Programs.html
Mon, 30 Jan 2017 07:50:00 -0600

Right up to the bitter end, massive cyber attacks made waves in 2016. In the heart of the holiday season, Yahoo presented us with a lump of coal instead of a gift: its December 14 announcement of yet another massive breach of user accounts was shocking for many reasons. The scale of the breach is alarming: more than a billion accounts were compromised, and the associated names, phone numbers, birth dates, security questions, and hashed passwords are in the hands of an unauthorized third party, as confirmed by law enforcement. Moreover, the data was stolen in August 2013, which means that Yahoo failed to detect the breach for more than three years, and that unsuspecting users were exposed to identity theft and further account compromise for the entire period.

This most recent incident holds the dubious distinction of being the largest known breach in the history of the Internet, and may finally seal Yahoo’s fate. It follows closely on the heels of Yahoo’s September announcement of a 2014 attack that resulted in 500 million stolen user account records, which topped yet another breach in 2012 that affected 450,000 users. Yahoo had ample warning and time, but there is evidence that security was not a high enough priority at a company struggling to reinvent itself in the shadow of giants Google and Facebook.

Unfortunately for Yahoo, it may become a legendary cautionary tale. Its $4.8 billion deal with Verizon will likely be downsized, its reputation with customers and partners sullied, and its stock devalued. We’ve seen other massive breaches lead to a cascade of negative incidents: stolen credentials that were reused on multiple sites and services can be used to commit identity theft, account takeovers, bank fraud, and breaches at other organizations.

Being jolted by such a harsh reality check should spur us to learn from others’ lessons and take meaningful preventative measures. Based on comprehensive assessments of the threat landscape, Information Security Forum recommends that businesses focus on the following security topics in 2017:

  • The Internet of Things (IoT) Adds Unmanaged Risks
  • Crime Syndicates Take a Quantum Leap
  • Government and Regulators Won’t Do It For You
  • The Role of the End User – the Weakest or Strongest Link in the Security Chain

We’ve provided an overview for each of these areas below:

1. The IoT Adds Unmanaged Risks

Just as privacy has developed into a highly regulated discipline, the same will happen for data breaches sourced in the IoT environment. Fines for data breaches will increase. As more regulators wake up to the potential for insecure storage and processing of information, they will demand more transparency from organizations and impose even bigger fines. The European Commission has said it is planning to push industry governance measures to improve the security of internet connected devices such as cameras, set-top boxes and other consumer electronics, amidst increasing exploitation of such devices to carry out online attacks.

The IoT will also transform supply chain leaders' access to information, as well as the exposure of operations to cyber-risk. Organizations of all sizes need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate information. Even the smallest supplier, or the slightest supply chain hiccup, can have dangerous impacts on your business. Brand management and brand reputation are subject to the successful security of your supply chain and thus both are constantly at stake.  Businesses must focus fixes on the most vulnerable spots in their supply chain now, before hackers, or other cybercriminals, find their way in to disrupt your global distribution of goods and services.

When it comes to corporate communications, the primary way that many connected devices communicate is via the cloud. Organizations need to understand that putting private information into the cloud creates risk and must be understood and managed properly. Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. In moving their sensitive data to the cloud, all organizations must know whether the information they are holding about an individual is Personally Identifiable Information (PII) and therefore needs adequate protection. With increased legislation around data privacy, the rising threat of cyber theft and the simple requirement to be able to access your data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing.

2. Crime Syndicates Take a Quantum Leap

Criminal organizations will continue their ongoing development and become increasingly more sophisticated. The complex hierarchies, partnerships and collaborations that mimic large private sector organizations will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some organizations will have roots in existing criminal structures, while others will emerge focused purely on cybercrime.

Organizations will struggle to keep pace with this increased sophistication, and the impact will extend worldwide. Rogue governments will continue to exploit this situation, and the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously, leading to business disruption and loss of trust in existing security controls. Emerging markets will be hit the hardest, particularly where newly connected organizations are novices at online security. This may also occur where the rule of law is weak and political structures are susceptible to co-option or corruption. Cooperation between governments and international organizations such as Interpol will be strained and appear feeble when faced with the challenge of safe havens for criminal organizations.

Legal grey areas will open up new market niches to organized crime. One of the most prominent markets will be for criminal groups who ‘hack back’ on behalf of legitimate organizations and who base their operations in countries with permissive legal environments.  These groups will leverage ‘jurisdictional arbitrage’ to provide services to companies who have lost valuable data and are frustrated with the inability of law enforcement to cooperate internationally and deter expensive and embarrassing hacking incidents.

3. Government and Regulators Won’t Do It For You

In 2017, the number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organizations of all sizes. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Public opinion will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. International regulations will create new compliance headaches for organizations while doing little to deter attackers.

With reform on the horizon, organizations conducting business in Europe, or planning to do so, must get an immediate handle on what data they collect about European individuals: where it comes from, what it is used for, where and how it is stored, who is responsible for it and who has access to it. The demands of the incoming EU General Data Protection Regulation and the Network and Information Security (NIS) Directive will present significant data management challenges to the unprepared, with the potential for hefty fines for those who fail to demonstrate security by design and fall victim to cyber attack or information loss.

4. The Role of the End User – The Weakest or Strongest Link in the Security Chain

In the coming year, organizations need to place a focus on shifting from promoting awareness of the security “problem” to creating solutions and embedding information security behaviors that affect risk positively. The risks are real because people remain a ‘wild card’. Many organizations recognize people as their biggest asset, yet many still fail to recognize the need to secure ‘the human element’ of information security. In essence, people should be an organization’s strongest control.

Instead of merely making people aware of their information security responsibilities, and how they should respond, the answer for businesses of all sizes is to embed positive information security behaviors that will result in “stop and think” behavior and habits that become part of an organization’s information security culture. While many organizations have compliance activities which fall under the general heading of ‘security awareness’, the real commercial driver should be risk, and how new behaviors can reduce that risk.

A Continued Need to Engage with the Board

The role of the C-Suite has undergone significant transformation over the last decade. Public scrutiny of business leaders is at an all-time high, in part due to massive hacks and data breaches. It’s become increasingly clear in the last two years that in the event of a breach, the hacked organization will be blamed and held accountable. That means everyone in the C-suite is potentially on the chopping block.

The executive team sitting at the top of an organization has the clearest, broadest view. A serious, shared commitment to common values and strategies is at the heart of a good working relationship between the C-suite and the board. Without sincere, ongoing collaboration, complex challenges like cyber security will be unmanageable. Covering all the bases—defense, risk management, prevention, detection, remediation, and incident response—is better achieved when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives.

Given the rapid pace of business and technology, and the myriad elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure assets and protect people.

Don’t Become a Legend for the Wrong Reason

In the face of Yahoo’s bad news—and many other high profile breaches around the world—it is hard to ignore the pervasive threat of cyber attacks and their cancerous consequences. Government agencies, democratic elections, critical infrastructure, multinational corporations, and high profile individuals have been targeted and damaged this year. Every kind of organization needs to be more aware of emerging threats, shifting attack vectors, and the latest strategies for defending against them. And every person, from the CEO to the cashier, should be held to a higher standard of security awareness and accountability. The Internet is a vital, shared resource—a reality that should be more ingrained in our corporate and civic culture.

Incidents will happen; it is impossible to avoid every breach. But you can commit to building a mature, realistic, broad-based, collaborative approach to cyber security and resilience. Maturing your organization’s ability to detect intrusions quickly and respond expeditiously will be of the highest importance in 2017 and beyond.

Alan Turing, Undecidable Problems, and Malware
https://www.infosecisland.com/blogview/24875-Alan-Turing-Undecidable-Problems-and-Malware.html
Mon, 23 Jan 2017 07:54:00 -0600

In 2003, Oxford University Philosophy Professor Nick Bostrom posed the following question: what if an artificial intelligence (AI) machine were given just one task: to create as many paper clips as possible? If you think about it, this AI machine might decide to kill off the human race. Why? Because 1) humans may decide to turn it off, and 2) humans are made up of atoms that could be used to make more paper clips.

Alan Turing thought about such questions almost a century ago. In 1936, Turing showed that no general procedure can decide, for an arbitrary program and input, whether a computer (a “Turing machine”) will eventually stop with a final Yes or No answer or simply run forever, calculating who knows what, even given unlimited processing power, storage space and time. The proof is by contradiction: any proposed halting-checker can be fed a program built to do the opposite of whatever the checker predicts about it. In practice, humans just have to wait for a computer to provide some kind of answer, and then evaluate whether it is what they were looking for and whether the result seems reasonable.

Over the years, there have been interesting variations on this theme. In 1983, Turing Award winner Ken Thompson argued that an evil compiler could automatically insert a secret backdoor into every program it generates, and that no one could know about it because every “trace of malice” in the compiler’s source code could be removed. The moral, Thompson wrote, is that you cannot trust code that you do not “totally” create yourself – including the compiler.

These are not idle philosophical questions with no practical value. For the analysis of malicious code, or “malware” for short, simple programs do not pose too much of a problem. However, in the current IT landscape there is simply too much “attack space.” Hackers regularly sneak malware into images, advertisements and software updates, or hide it with steganography, within the millions of lines of code passing through your network every day. And even with access to source code, it is not possible to discover every vulnerability and attack, from buffer overflows to SQL injection.

Furthermore, we have to consider the impact of time. Software analysis is not only complex, but also time-consuming. In the Internet era, the average human’s attention span is down to 9 seconds. Consider an analogy from tournament chess, where each player has two opponents: the person sitting across the table, and the ticking chess clock. The business world has the same problem: time is money, and you have to move fast.

Attackers know that complexity plus time constraints are a dynamite combination. Your employees need access to untrusted files and programs, but your anti-malware solutions cannot deliver a reliable verdict within a reasonable time frame.

So what is the best way to secure your network? To keep workers happy and productivity high, sometimes you have to run untrusted code. But that code should run in quarantine, where it cannot damage your IT infrastructure. In parallel, the untrusted code must be subjected to a combination of automated and (if need be) human analysis. Only then is the previously unknown code added to the whitelist of trusted files, or to the blacklist, where it stays.
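One way to turn the argument above into an operating rule, as an added example that is not from the article or from Comodo's products: give each unknown sample a fixed budget in an isolated scratch environment, and treat running out of budget as “no verdict yet” (stay in quarantine, queue for a human) rather than as “clean”. The verdict names, the budget, the CPU limit and the single behavioral indicator (files dropped in the sandbox directory) are assumptions, and the three samples are constructed. The quarantine here is a child Python process in a temporary directory; a real deployment would use a VM or container, with the same decision logic.

```python
"""Quarantine runner with a fixed time budget.

Added example, not from the article or Comodo's products. Verdict names,
budget, CPU limit and the dropped-file indicator are assumptions; the three
samples at the bottom are constructed.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
from enum import Enum


class Verdict(Enum):
    ALLOW = "whitelist"          # finished in budget, nothing suspicious observed
    BLOCK = "blacklist"          # crashed or tripped an indicator
    UNDETERMINED = "quarantine"  # did not finish in budget: no verdict, escalate


CPU_SECONDS_HARD_LIMIT = 5  # RLIMIT_CPU backstop behind the wall-clock budget


def fingerprint(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def _apply_limits():
    # Runs in the child just before exec (POSIX only).
    import resource
    resource.setrlimit(resource.RLIMIT_CPU,
                       (CPU_SECONDS_HARD_LIMIT, CPU_SECONDS_HARD_LIMIT))


def detonate(sample: bytes, budget_seconds: float) -> Verdict:
    """Run the sample as an isolated Python process in an empty scratch dir."""
    with tempfile.TemporaryDirectory() as workdir:
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", sample.decode("utf-8")],
                cwd=workdir, capture_output=True, timeout=budget_seconds,
                preexec_fn=_apply_limits if os.name == "posix" else None,
            )
        except subprocess.TimeoutExpired:
            # A slow benign program and a stalling loop look identical here:
            # undecidable within budget, so no verdict is issued either way.
            return Verdict.UNDETERMINED
        dropped_files = os.listdir(workdir)
    if proc.returncode != 0 or dropped_files:
        return Verdict.BLOCK
    return Verdict.ALLOW


class VerdictStore:
    """Whitelist/blacklist keyed by SHA-256, plus a queue for human analysis."""

    def __init__(self):
        self.whitelist, self.blacklist, self.pending = set(), set(), {}

    def decide(self, sample: bytes, budget_seconds: float = 2.0) -> Verdict:
        fp = fingerprint(sample)
        if fp in self.whitelist:
            return Verdict.ALLOW
        if fp in self.blacklist:
            return Verdict.BLOCK
        verdict = detonate(sample, budget_seconds)
        if verdict is Verdict.ALLOW:
            self.whitelist.add(fp)
        elif verdict is Verdict.BLOCK:
            self.blacklist.add(fp)
        else:
            self.pending[fp] = sample  # a human analyst decides later
        return verdict

    def analyst_ruling(self, fp: str, malicious: bool) -> None:
        """Human verdict on a pending sample moves it to the permanent list."""
        self.pending.pop(fp)
        (self.blacklist if malicious else self.whitelist).add(fp)


# Constructed samples: benign, a file dropper, and a non-terminating loop.
BENIGN = b"print('hello')"
DROPPER = b"open('payload.bin', 'wb').write(b'MZ')"
NEVER_HALTS = b"while True: pass"

if __name__ == "__main__":
    store = VerdictStore()
    for sample in (BENIGN, DROPPER, NEVER_HALTS):
        print(fingerprint(sample)[:12], store.decide(sample).value)
```

The UNDETERMINED branch is the part that matters: a sample that has not finished tells you nothing, and the mistake the paragraph warns against is letting it through because the scanner found nothing in the time available.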

About the author: Kenneth Geers (PhD, CISSP) is Senior Research Scientist at Comodo, a global innovator and developer of cybersecurity solutions. He is also a NATO CCD COE (Cyber Centre) Ambassador, a Non-Resident Senior Fellow at the Atlantic Council, an Affiliate at the Digital Society Institute of Berlin, a Visiting Professor at Taras Shevchenko National University of Kyiv in Ukraine and an accomplished author.

The Forgotten Security Frontier: The Phone Call
https://www.infosecisland.com/blogview/24874-The-Forgotten-Security-Frontier-The-Phone-Call.html
Mon, 23 Jan 2017 07:02:00 -0600

If you’re reading this article, the chances are good that you’re planning to attend at least one or two security conferences this year. 2017 is shaping up to be a banner year for security, between the national stage (i.e. the unfortunate hacking saga) and the high-profile brands that experienced network attacks at the end of 2016.

It’s a safe bet, however, that none of the conferences you plan to attend will lead with a session like “UC Communications: The Way In!” But maybe they should. IP-based Unified Communications (UC) and phone security are among the most overlooked and misunderstood pieces of your security fabric.

Your Communications Network Is Likely Insecure

In the late 90s and early 00s, many companies, including Sonus, took part in a massive Voice over IP (VoIP) revolution that quietly moved most wired and wireless communications onto IP-based networks, signaled by a protocol known as SIP (Session Initiation Protocol). Most consumers weren’t even aware of the change. Prices fell, and call quality was initially an issue for some early adopters, but today it is nearly impossible to tell the difference between a voice call that traverses the Internet and one that runs over a private network.

But here’s the problem: the changeover was so subtle that many people kept thinking of their phone as a device on a private network, rather than one connected to the public Internet. For those of you still using a desk phone: yes, it is probably an IP device. The same goes for a softphone, which is an IP endpoint just like your smartphone, laptop or personal computer. And the signaling and messaging between these devices all runs over IP, typically SIP. Many companies have had to open their firewalls to SIP traffic, because calls fail when the signaling and media ports are blocked. That leaves mobile clients and the communications network exposed to Internet-based attacks, including DDoS, fraud, malware and more. Independent risk assessments, penetration tests and compliance audits have consistently shown this to be one of the most common gaps in network security.

How Much Trouble Can IP-based Communications Cause?

Any IP-based device that is connected to both the Internet and your internal network represents a potential “hole” in your network. That device may be a smartphone that has access to business apps, a laptop carrying sensitive financial data or an office phone with access to your corporate directory. For most of us, I hope, securing our smartphones and laptops is second nature. Yet how many of us really give a second’s thought to securing the UC network and mobile clients that power our communications?  

If you need some incentive to secure your UC network, here are several powerful reasons:  

Toll Fraud

Every year, businesses lose billions of dollars through long-distance phone call fees that are placed illegally from their business. How do hackers get access to their phone system? Through the UC enabled Private Branch Exchange (PBX) or by hacking an employee’s mobile client directly. Each year, more enterprises—and, sadly, small businesses too—discover that someone has breached their phone system and racked up tens of thousands of dollars in long-distance fees. Unfortunately, these companies are often responsible for these fees even if they can prove the calls didn’t originate from their employees.  

Distributed Denial-of-Service (DDoS) Attacks

DDoS attacks have been making headlines after recent high-profile attacks temporarily took down the sites of Twitter, Airbnb, the New York Times and many others. But websites aren’t the only target of DDoS attacks; call centers are also vulnerable. By targeting a phone number or SIP URL instead of a website’s URL—remember, in the Internet world, both are simply IP addresses—DDoS attacks can paralyze customer service and shut down phone sales for hours, severely impacting business.   

Caller ID Spoofing

For better or worse, caller ID carries a more implicit sense of trust than an email. That makes the act of caller ID “spoofing”—displaying a false caller ID—more dangerous. One criminal group, for example, was able to steal millions of dollars from unsuspecting U.S. citizens by posing as the Internal Revenue Service. These calls, which claimed that the victims owed the I.R.S. various payments for taxes, prominently displayed the I.R.S. credentials on the victim’s caller ID. Never one to miss an opportunity, criminals are now using caller ID spoofing to collect personal information, a tactic known as “vishing” (a portmanteau of “voice phishing”).  

For Security Beyond the Call, Dial “SBC”

Although VoIP and SIP allowed enterprises to consolidate their voice and data networks into a single IP-based network, voice and data communications still have unique characteristics. Specifically, voice (and live video) have a much lower tolerance for latency and packet loss. These real-time communication (RTC) sessions need to be handled more sensitively in the network because they have different requirements than data, such as media transcoding, SIP message manipulation and special security considerations (e.g., network topology hiding, NAT traversal, blacklists).  

Using a standard data firewall to protect your IP network and mobile clients will likely backfire, because firewalls aren’t designed to support RTC’s requirements. Instead, companies need a session border controller (SBC) to secure RTC—and provide the transcoding and interoperability features as well. You can think of an SBC as a “traffic cop” that can enforce rules, give directions (in a variety of languages) and ensure that network real-time traffic flows smoothly and safely.  
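The "traffic cop" role described above can be made concrete with a small signaling-policy monitor. The following is an added example written for this page; it is not code from the article or from Sonus, and it assumes a constructed, simplified log format of `<epoch> <source ip> <SIP method> <status code>` rather than any real SBC's log. It applies three policies an SBC would enforce on SIP signaling: a per-source cap on INVITEs in a short window (flood/DDoS), a per-source cap on failed REGISTER attempts (credential guessing, the usual prelude to toll fraud), and a static blacklist. The thresholds are illustrative.

```python
import re
from collections import defaultdict, deque

# Constructed sample signaling events (not real traffic): "<epoch> <src ip> <method> <status>".
# A legitimate peer, a credential-guessing REGISTER storm, an INVITE flood and a
# blacklisted source are mixed together so that each policy is exercised once.
SAMPLE_SIGNALING = (
    ["1485100000 198.51.100.5 REGISTER 200",
     "1485100030 198.51.100.5 INVITE 200",
     "1485100090 198.51.100.5 INVITE 200"]
    + [f"{1485100000 + i} 203.0.113.7 REGISTER 403" for i in range(6)]
    + ["1485100010 198.51.100.20 INVITE 100"] * 25
    + ["1485100050 192.0.2.99 INVITE 100"]
)

LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\d{3})$")

# Policy thresholds chosen for the example; an SBC exposes these as configuration.
# A single 401 is the normal digest challenge on a first REGISTER, so the limit
# sits well above one; repeated 401/403 answers from one source are the signal.
AUTH_FAILURE_LIMIT = 5      # failed REGISTERs per source within AUTH_WINDOW seconds
AUTH_WINDOW = 60
INVITE_LIMIT = 20           # INVITEs per source within INVITE_WINDOW seconds
INVITE_WINDOW = 10
BLACKLIST = {"192.0.2.99"}  # constructed entry standing in for a reputation or blocklist feed


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, status = m.groups()
    return {"ts": int(ts), "src": src, "method": method, "status": int(status)}


def _count_in_window(window, ts, span):
    """Record ts in the per-source sliding window, drop entries older than span, return the count."""
    window.append(ts)
    while window and ts - window[0] > span:
        window.popleft()
    return len(window)


def evaluate(lines):
    """Apply the policies to log lines in order; return {src: reason} for sources to block."""
    auth_fail = defaultdict(deque)
    invites = defaultdict(deque)
    verdicts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] in verdicts:
            continue  # malformed line, or source already decided
        src, ts = ev["src"], ev["ts"]
        if src in BLACKLIST:
            verdicts[src] = "blacklist"
        elif ev["method"] == "REGISTER" and ev["status"] in (401, 403):
            if _count_in_window(auth_fail[src], ts, AUTH_WINDOW) > AUTH_FAILURE_LIMIT:
                verdicts[src] = "register-auth-failures"
        elif ev["method"] == "INVITE":
            if _count_in_window(invites[src], ts, INVITE_WINDOW) > INVITE_LIMIT:
                verdicts[src] = "invite-flood"
    return verdicts


if __name__ == "__main__":
    for src, reason in sorted(evaluate(SAMPLE_SIGNALING).items()):
        print(f"block {src}: {reason}")
```

The legitimate peer (198.51.100.5) is never flagged: its successful REGISTER is not a failure and its two INVITEs stay far below the window limit. A real SBC would also apply per-call media limits and topology hiding, which this signaling-only sketch leaves out.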

As with many network technologies today, the SBC as a network element is increasingly being “virtualized” to reduce hardware, simplify deployment and support network service automation. In our own business, we’ve seen an increase in demand for virtualized SBCs that can be deployed in public or private clouds so they can scale up and down as traffic increases or decreases. This is especially useful in the case of DDoS attacks, which can range from light to heavy, and often do by design.  

The reality is that office voice communications are not going away any time soon. In fact, with the popularity of UC, we’re seeing the role of the UC mobile client increase to handle live video, text messages and more. Despite our longstanding comfort with the phone as a business tool, companies need to remember that each mobile client is a connected, potential doorway into their network. SBCs can shut that door—and offer a host of other benefits, from high-definition voice capabilities to toll-free routing. It’s something that every business should be talking about, because it’s only a matter of time before hackers come knocking on your communications network.  

Copyright 2010 Respective Author at Infosec Island
SAP Cyber Threat Intelligence Report – January 2017
https://www.infosecisland.com/blogview/24871-SAP-Cyber-Threat-Intelligence-Report--January-2017.html
Fri, 13 Jan 2017 03:00:00 -0600

The SAP threat landscape is always growing, putting organizations of all sizes and industries at risk of cyberattacks. The idea behind the SAP Cyber Threat Intelligence report is to provide insight into the latest security threats and vulnerabilities.

Key takeaways

  • The first set of SAP Security Notes of 2017 consists of 23 security patches. Most of them address XSS and Missing Authorization Check vulnerabilities.
  • The most dangerous security issue was rated 9.8 (of 10) on the CVSS v3.0 base score.
  • SAP SSO has a DoS vulnerability. This mechanism provides access to cloud and on-premises solutions and web applications, via mobile devices and native SAP clients. Thus, by exploiting the vulnerability, an attacker can prevent numerous SAP customers from accessing applications required for their work.

SAP Security Notes – January 2017

SAP has released the monthly critical patch update for January 2017. This patch update closes 23 vulnerabilities in SAP products (19 SAP Security Patch Day Notes and 4 Support Package Notes).

4 of the Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 2 of the Notes are updates to previously released Security Notes.

1 of the released SAP Security Notes has a Hot News priority rating. The highest CVSS score of the vulnerabilities is 9.8.

The most common vulnerability type is Missing Authorization check.

Issues that were patched with the help of ERPScan

This month, 4 critical vulnerabilities identified by ERPScan’s researchers Mathieu Geli and Vahagn Vardanyan were closed.

Below are the details of the SAP vulnerabilities identified by ERPScan researchers.

  • A Denial of service vulnerability in SAP Single Sign-On (CVSS Base Score: 7.5). An update is available in SAP Security Note 2389042. An attacker can exploit the Denial of service vulnerability to terminate a process of the vulnerable component. While it is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.
  • An XML external entity vulnerability in SAP NetWeaver Visual Composer (CVSS Base Score: 6.4). An update is available in SAP Security Note 2347439. An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests that will be processed by the XML parser. An attacker can use an XML external entity vulnerability to get unauthorised access to the OS file system.
  • A Cross-Site Scripting vulnerability in SAP Enterprise Portal Real Time Collaboration (CVSS Base Score: 6.1). An update is available in SAP Security Note 2341302. The component does not sufficiently encode user input, resulting in a Cross-Site Scripting vulnerability.
  • An SQL Injection vulnerability in SAP NetWeaver UDDI Server (CVSS Base Score: 4.1). An update is available in SAP Security Note 2356504. An attacker can exploit an SQL injection vulnerability with the help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administration operations on a database, remove data or make it unavailable. Also, in some cases, an attacker can access system data or execute OS commands.

About Denial of service vulnerability in SAP Single Sign-On

SSO (Single Sign-On) is a mechanism that allows a user to use one set of login credentials instead of numerous sets of passwords, which may be weak, reused, or written down somewhere, to access multiple applications the user has rights to access. Thus, it enhances the security level and protects sensitive company and personal data.

SAP states that SAP SSO technology provides SAP customers with a secure access to SAP and non-SAP business applications across the whole landscape. It also “supports both cloud and on-premises scenarios, providing simple and secure single sign-on access through the web, via mobile devices, and using native SAP clients” (source).

Unfortunately, security measures implemented by a vendor can sometimes pose another security risk. This month, SAP closed a DoS vulnerability in the SAP SSO solution identified by ERPScan’s researchers. The issue allows an attacker to crash or flood the service; as a result, legitimate users won’t be able to access any of the linked applications. Downtime may deprive the victim company of profit.

It is not the first time ERPScan researchers have discovered vulnerabilities in solutions that introduce security measures. For example, there is a vulnerability in PeopleSoft SSO and several critical security issues in SAP Afaria (an MDM solution from SAP).

The most critical issues closed by SAP Security Notes January 2017 identified by other researchers

The most dangerous vulnerabilities of this update can be patched by the following SAP Security Notes:

  • 2407862: SAP Sybase Asset Management has multiple buffer overflow vulnerabilities (CVSS Base Score: 9.8), CVE-2015-8277. An attacker can use a buffer overflow vulnerability to inject specially crafted code into working memory, where it will be executed by the vulnerable application. Executed commands run with the same privileges as the service that executed them. This can lead to complete control of the application, denial of service, command execution, and more. Install this SAP Security Note to prevent these risks.
  • 2361633: SAP Business Intelligence platform has an SQL Injection vulnerability (CVSS Base Score: 6.4). An attacker can exploit an SQL injection vulnerability with the help of specially crafted SQL queries. He or she can read and modify sensitive information in a database, execute administration operations on a database, remove data or make it unavailable. Also, in some cases, an attacker can access system data or execute OS commands. Install this SAP Security Note to prevent these risks.
  • 2377626: SAP Enterprise Portal Theme Editor has a Cross-Site Scripting vulnerability (CVSS Base Score: 6.1). An attacker can use a Cross-Site Scripting vulnerability to inject a malicious script into a page. Install this SAP Security Note to prevent these risks.
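Two of the entries in this report (the UDDI Server note and the Business Intelligence platform note above) describe SQL injection, and the root cause is the same in both: a user-supplied value is spliced into the query text. The following is an added example written for this page, not code from SAP or ERPScan; it uses an in-memory SQLite table with constructed rows to show a lookup built by string formatting beside the same lookup written with a bound parameter, and runs a classic tautology input through both so the difference in returned rows is visible.

```python
import sqlite3

# Constructed rows standing in for a registry of services and their owners.
SAMPLE_ROWS = [("payroll-api", "finance"), ("hr-portal", "hr"), ("uddi-registry", "it")]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (name TEXT NOT NULL, owner TEXT NOT NULL)")
    conn.executemany("INSERT INTO services VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_insecure(conn, name):
    """Vulnerable pattern: the caller's value becomes part of the SQL text."""
    sql = f"SELECT name FROM services WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    """Fixed pattern: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT name FROM services WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run a benign and a hostile input through both lookups and return the rows each produced."""
    conn = make_db()
    benign = "hr-portal"
    hostile = "x' OR '1'='1"  # closes the quoted literal and appends an always-true condition
    try:
        return {
            "insecure_benign": lookup_insecure(conn, benign),
            "insecure_hostile": lookup_insecure(conn, hostile),
            "hardened_benign": lookup_hardened(conn, benign),
            "hardened_hostile": lookup_hardened(conn, hostile),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:18s} -> {rows}")
```

The hostile input returns every row from the insecure lookup and no rows from the hardened one, because the bound parameter is compared as the literal string `x' OR '1'='1`, which matches nothing. The same distinction applies to the "execute OS commands" outcome the report mentions: that depends on database-side features reachable only when the attacker controls the query text.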

Advisories for these SAP vulnerabilities with technical details will be available in 3 months on erpscan.com. Exploits for the most critical vulnerabilities are already available in ERPScan Security Monitoring Suite.

SAP customers as well as companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services should be well-informed about the latest SAP Security news. Stay tuned for next month’s SAP Cyber Threat Intelligence report.

Neutrino Bot Distributed in Post-Holiday Spam Run
https://www.infosecisland.com/blogview/24873-Neutrino-Bot-Distributed-in-Post-Holiday-Spam-Run.html
Thu, 12 Jan 2017 21:39:24 -0600

A spam distribution campaign spotted just after the holiday season ended is distributing the Neutrino Bot via a linked malicious Office document, Malwarebytes Labs security researchers warn.

Usually, cybercriminals attach the malicious documents directly to the spam emails, but they took a different approach this time, including only a link to the document. This approach is unexpected mainly because the servers on which such malicious files are hosted usually have a short time-to-live window.

The emails included in this campaign were supposedly from Microsoft Security Office, while the linked document, named “Microsoft.report.doc,” would allegedly include a full security report. Once the user attempts to open the document, however, they are prompted to enable macros to view the content.

As soon as the malicious macro is executed, the final payload is downloaded and run, and the victim’s computer is infected with the Neutrino bot. This piece of malware can perform a variety of malicious activities, such as launching distributed denial of service (DDoS) attacks, capturing keystrokes, grabbing forms, taking screenshots, spoofing DNS requests, and downloading further malware.

The malware installs itself in %APPDATA% in a folder called “UmJn,” a folder typical for this version of the malware. Next, Neutrino attempts to connect to the C&C to start receiving commands and performing malicious actions, by querying a script called “tasks.php.”

The list of URLs is hardcoded in the malicious app, and security researchers say that a cookie with a hardcoded value is used for authentication. Moreover, they reveal that this value has been modified between versions, and that the malware’s code appears to have been partially rewritten as well, although the purpose and major features didn’t change much.

The features in the new variant, which researchers identify as version 5.2, have been reorganized, although they are about the same. The screenshot-taking functionality, for example, is still there, albeit with changed implementation details.

The malware takes screenshots of the victim’s desktop when it receives a command from the C&C, and immediately sends the shot to the server. Previously, the feature was associated with a keylogger, but the new implementation gives the malware author more control over execution.

“Just like in the previous case we are dealing with a fully-fledged multipurpose bot – with various features allowing to steal data and invade privacy, but also to use infected computers for DDoS attacks or download other malware,” Malwarebytes Labs researchers explain.

As always, users are advised to be extremely careful with Office documents masquerading as invoice reports, especially those that leverage the macro feature to execute code. Users should not enable macros unless they completely trust the source of the file, or unless they open it in a virtualized environment. Network admins should set policies to permanently disable macros, the researchers say.
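The write-up gives two host-observable indicators for this variant, the “UmJn” folder under %APPDATA% and the C&C check-in against a script called “tasks.php” authenticated with a cookie. The following is an added example written for this page, not code from Malwarebytes Labs; it runs a weighted sweep over constructed JSON-lines telemetry (an endpoint agent's file events and a web proxy's HTTP events, in a format assumed for the example). The folder name is specific to this version and scores high on its own; a POST with a cookie to a `tasks.php` is a generic pattern that ordinary web applications also produce, so it only raises a host to "review" unless it coincides with the folder indicator.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample telemetry (not real data): one JSON object per line, mixing
# endpoint-agent file events and web-proxy HTTP events from three workstations,
# plus one malformed line to show that bad input is skipped rather than fatal.
SAMPLE_EVENTS = r"""
{"type":"file","host":"WS-17","action":"create","path":"C:\\Users\\alice\\AppData\\Roaming\\UmJn\\svc.exe"}
{"type":"http","host":"WS-17","method":"POST","url":"http://198.51.100.44/tasks.php","cookie":"auth=REDACTED"}
{"type":"http","host":"WS-03","method":"GET","url":"http://intranet.example/tasks.php","cookie":"session=abc"}
{"type":"file","host":"WS-03","action":"create","path":"C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Word\\x.tmp"}
{"type":"http","host":"WS-22","method":"POST","url":"http://203.0.113.9/tasks.php","cookie":"auth=REDACTED"}
not json at all
""".strip()

# Indicator from the write-up: the bot installs under %APPDATA% in a folder named "UmJn".
# %APPDATA% resolves to <profile>\AppData\Roaming on modern Windows.
UMJN_FOLDER_RE = re.compile(r"\\AppData\\Roaming\\UmJn\\", re.IGNORECASE)

WEIGHTS = {
    "umjn-appdata-folder": 3,            # specific to this bot version
    "post-with-cookie-to-tasks.php": 1,  # generic; legitimate apps produce it too
}
HIGH_THRESHOLD = 3


def match_event(ev):
    """Return the name of the indicator an event matches, or None."""
    if ev.get("type") == "file" and UMJN_FOLDER_RE.search(ev.get("path", "")):
        return "umjn-appdata-folder"
    if ev.get("type") == "http":
        path = urlparse(ev.get("url", "")).path.lower()
        if path.endswith("/tasks.php") and ev.get("method") == "POST" and ev.get("cookie"):
            return "post-with-cookie-to-tasks.php"
    return None


def triage(lines):
    """Score each host by the indicators it matched; return only hosts with a non-zero score."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip malformed telemetry rather than abort the sweep
        hit = match_event(ev)
        if hit is None:
            continue
        host = ev.get("host", "?")
        scores[host] += WEIGHTS[hit]
        if hit not in reasons[host]:
            reasons[host].append(hit)
    return {
        host: {
            "score": score,
            "level": "high" if score >= HIGH_THRESHOLD else "review",
            "reasons": reasons[host],
        }
        for host, score in scores.items()
    }


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_EVENTS.splitlines()).items()):
        print(host, verdict)
```

WS-17 matches both indicators and lands at "high"; WS-22 shows only the generic check-in shape and is queued for review; WS-03's GET to an intranet `tasks.php` does not match at all. The hardcoded cookie value the researchers mention is deliberately not used as an indicator here, since the article reports that it changes between versions.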

Related: OPM-Impersonating Spam Emails Distribute Locky Ransomware

Related: Tofsee Malware Distribution Switched From Exploit Kit to Spam

Related: Necurs Botnet Fuels Jump in Spam Email

Why Simply Increasing Cybersecurity Staffing Won’t Resolve All of Today’s Issues
https://www.infosecisland.com/blogview/24872-Why-Simply-Increasing-Cybersecurity-Staffing-Wont-Resolve-All-of-Todays-Issues.html
Thu, 12 Jan 2017 04:00:00 -0600

Last month, the Commission on Enhancing National Cybersecurity delivered its report to the President of the United States, providing six Imperatives and other, associated recommendations and action items with the goal of improving the overall security posture of the nation’s public and private infrastructures. These recommendations cover a range of both technical and non-technical guidance, with very substantial weight placed in Imperative 4 on training, hiring and increasing the overall cybersecurity workforce in order to match the growing need for such expertise.

Specifically, Action Items 4.1.1 and 4.1.2 recommend the training of 100,000 new cybersecurity practitioners for the workforce by 2020 and an additional 50,000 trained through an apprenticeship program within the same timeframe. This signifies an enormous increase to the current total number of trained cybersecurity workers, and should make a large dent in the endless need for more security experts everywhere.

However, almost every Chief Information Security Officer (CISO) or Chief Security Officer (CSO) today has an immediate need for this kind of expertise, and as the number of cyberattacks continues to explode, most can’t afford to wait until 2020 to tap into this flood of eligible, and available, potential employees.

Thankfully, the Commission has presented a few other recommendations that, in my view, recognize the need for additional, more socially-focused security measures which should help to improve the overall effectiveness of individual security programs and augment the proposed increase in the workforce.

Two in particular are:

  • Action Item 2.2.2 which states, “The U.S. government should support cybersecurity-focused research into traditionally underfunded areas, including human factors and usability, policy, law, metrics, and the social impacts of privacy and security technologies…”
  • Action Item 3.2.1 which states, “The next Administration and Congress should prioritize research on human behavior and cybersecurity, on the basis of the 2016 Federal Cybersecurity Research and Development Strategic Plan.”

These two seemingly small statements represent a massive shift in the thinking of not only the government in how it approaches cybersecurity strategy, but the industry as a whole. Specifically, by putting a focus on the more human and policy-centric needs for strengthening cybersecurity, it starts to move away from the idea of simply acquiring the latest and greatest piece of software, all-in-one appliance or other security technology which promises the solution to all of your security despair.

However, applying more and more technology is not adequate to fully protect a network infrastructure and the critical data stored there. Attackers will simply fine-tune their tactics to evade new protections put in place and continue to launch assaults against their targets.

After all, no matter the number of layers of defense put in place, it only takes one authorized user within your organization to click on a malicious link in a phishing email that captures their credentials and feeds them to an attacker who can then use those credentials to sidestep every security control that a user is allowed to navigate.  

Since humans will make mistakes like this, social engineering continues to be an effective form of attack, no matter the technology controls put into place. It is long past time for organizations to put more focus on the human side of their security program, specifically in the areas mentioned by the Commission in Action Items 2.2.2 and 3.2.1.

Any security program can benefit immediately by beginning a review of their own internal policies, improving the types of metrics used to measure the success of the program, and consulting with legal counsel to ensure proper insurances and other risk mitigation plans are in place. These activities cost very little, have immediate turnaround timeframes, and can deliver quite a lot of return to the organization.

Perhaps most important is to understand the behavior of employees and implement programs to help them work and operate in a more secure manner. Security awareness training and education programs may not be the glitziest pieces of a security program, but they are critical to its success. Beyond that, organizations should involve employees more directly, understand why social engineering attacks work on them, and help address any questions and concerns.

Security teams who sit down with staff at all levels, whether through roundtable sessions, town hall forums, brown bag lunch sessions or other similar gatherings, have a much stronger understanding of the needs and challenges of the employees who are the front line of defense for the entire infrastructure. With this understanding comes the means to develop more germane policies and procedures, offer better, more focused solutions for the security problems staff face, and even guide technology purchasing decisions to best fill in the gaps.

At AsTech Consulting, we believe that there is plenty of work yet to do, and we will certainly need a larger cybersecurity workforce. Nonetheless, while waiting for that to come about, there is a lot more that every organization can do today to refocus their efforts around the more human elements of information security and bring about a much stronger security posture for everyone.

Using Artificial Intelligence for Security Automation, Orchestration and Response
https://www.infosecisland.com/blogview/24870-Using-Artificial-Intelligence-for-Security-Automation-Orchestration-and-Response.html
Wed, 11 Jan 2017 11:42:00 -0600

Artificial Intelligence is a term being used to describe everything from chat bots to self-driving cars, and marketers are jumping on the bandwagon to take advantage of the trend. In this article, we will define and delineate AI, machine learning, and deep learning, and the expected consequences each will have on information security. And while the movement to involve systems more in functions traditionally attributed to human cognition is well underway, let’s take a step back to see what these terms actually mean.

The Cybersecurity Capacity Problem

The way companies approach cybersecurity is evolving, and can be examined in three phases:

  1. Prevention: Just 10 years ago, companies focused their efforts on prevention: avoiding compromise. Companies built walls and fortified networks to keep their adversaries out.
  2. Detection: Based on an increase in the volume and sophistication of attacks, organizations then implemented detection systems to alert them when potentially malicious threats made it through their defenses.
  3. Response: Looking at prevention and detection systems, you’ll notice that these technologies are automated and very fast. However, until now, organizations have relied on people to make sense of the alerts generated by these products, and expect them to perform manual tasks to investigate whether the threats are real or benign. The resulting response is slow and repetitive, and incident response teams are drowning in alerts with no chance of keeping up.

The incident response challenge coupled with a staggering cybersecurity skills gap presents a cybersecurity capacity problem. As Doug Graham, CISO at Nuance Communications puts it:

"It’s easy to end up in a cycle where one buys more tools, gets more alerts and, despite working hard to correlate those alerts, still finds the volume of resulting actions staggering.

Companies need to find ways to break this cycle or turn down the volume of alerts, as there will never be enough staff bandwidth to properly process every alert."

The only way organizations can keep up with the volume of threats and subsequent alerts is through security automation, and artificial intelligence is a critical capability of security automation technology.

Defining the Terms

An article in the Wall Street Journal by Yann LeCun, director of artificial-intelligence research at Facebook, asks the question “What’s Next for Artificial Intelligence?” From the article:

The traditional definition of artificial intelligence is the ability of machines to execute tasks and solve problems in ways normally attributed to humans. Some tasks that we consider simple—recognizing an object in a photo, driving a car—are incredibly complex for AI. Machines can surpass us when it comes to things like playing chess, but those machines are limited by the manual nature of their programming; a $30 gadget can beat us at a board game, but it can’t do—or learn to do—anything else.

The article then goes on to delineate AI, machine learning, and deep learning, and the expected consequences each will have on careers, the economy, and a fundamental change in the way humans interact with machines. And while the movement to involve systems more in functions traditionally attributed to human cognition is well underway, let’s take a step back to see what these terms actually mean.

What is Artificial Intelligence?

A quick look at the Wikipedia definition of AI:

Artificial intelligence (AI) is the intelligence exhibited by machines. In computer science, an ideal "intelligent" machine is a flexible rational agent that perceives its environment and takes actions that maximize its chance of success at an arbitrary goal.[1] Colloquially, the term "artificial intelligence" is likely to be applied when a machine uses cutting-edge techniques to competently perform or mimic "cognitive" functions that we intuitively associate with human minds, such as "learning" and "problem solving".

Without wandering too far down the rabbit hole, the definition of rational agent:

In economics, game theory, decision theory, and artificial intelligence, a rational agent is an agent that has clear preferences, models uncertainty via expected values of variables or functions of variables, and always chooses to perform the action with the optimal expected outcome for itself from among all feasible actions. A rational agent can be anything that makes decisions, typically a person, firm, machine, or software.

Artificial Intelligence in the context of a computer system needs to be able to solve problems and execute tasks that mimic the human cognitive process including:

  • Understanding the scope of the problem at hand
  • Knowing where to find sources of information to help solve the problem
  • Being able to ingest data from the outside
  • Having the capacity to analyze data
  • Deciding what actions to take based on data analysis
  • Determining whether those actions solved the problem
  • Running an analysis to see whether what was uncovered in the course of the above process can be applied elsewhere

Let’s take these one-by-one as they relate to cybersecurity automation and orchestration.

Understanding the Scope of a Cyber Threat

An automated system that aims to investigate, evaluate, and then remediate a cyber threat must also be able to understand the scope and breadth of the threat. Without knowing the magnitude of the problem, such a system would never be able to fully solve the problem.

Let’s look at a common incident response scenario as a human cyber analyst.

When a detection system like FireEye sends an alert about a known malicious IP address to a cyber analyst, the analyst could perform the following logical steps:

  1. Determine which machine on the network has connected to the offending IP address
  2. Inspect the endpoint and perform an investigation to see if the machine has malware that is connecting to the IP address
  3. Take remediation steps to clean the machine and make sure there’s nothing left behind
  4. Add a firewall block rule to stop any other machine from accessing the IP address

Those four steps can solve the issue as it was presented, and you could argue that the analyst did what they were expected to do. However, a system that uses artificial intelligence and security automation would need to perform additional steps:

  1. Query network resources to determine what other machines on the network have accessed (or attempted to access) the IP address
  2. Automatically trigger additional investigations on each machine to kill processes, quarantine files, and remove anything malicious from memory
  3. Send the results of each investigation back to a ticketing system

In many cases, a single alert is a symptom of a much larger issue and an artificially intelligent system must be able to understand the bigger picture.
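The two step lists above (the analyst's four steps and the automated system's three extra ones) can be written as one playbook. The following is an added example for this page, not code from the article's author or from any vendor's product; it simulates the integrations with constructed data: a NetFlow-style flow log, an EDR-style process snapshot per host, and an alert from a network detection product (FireEye in the article's example) that names one host and the malicious IP. The playbook expands the scope from the alerted host to every host that talked to the indicator, investigates and remediates each, re-runs the investigation as a verification step before closing the ticket, and emits the firewall rule.

```python
import copy

# Constructed environment state standing in for the NetFlow store, EDR and firewall that
# the system would reach through integrations. Addresses are from documentation ranges.
FLOW_LOG = [  # (host, destination ip, bytes out)
    ("ws-01", "203.0.113.50", 5120),
    ("ws-02", "93.184.216.34", 800),
    ("ws-07", "203.0.113.50", 96),
    ("ws-07", "203.0.113.50", 120),
    ("srv-db", "198.51.100.10", 40000),
]

# host -> running processes with their remote peers, as an EDR snapshot would report them
PROCESS_TABLE = {
    "ws-01": [{"pid": 412, "image": r"C:\Users\a\AppData\Roaming\upd.exe", "peers": ["203.0.113.50"]},
              {"pid": 900, "image": r"C:\Windows\explorer.exe", "peers": []}],
    "ws-02": [{"pid": 10, "image": r"C:\Windows\explorer.exe", "peers": ["93.184.216.34"]}],
    "ws-07": [{"pid": 77, "image": r"C:\Temp\svc.exe", "peers": ["203.0.113.50"]}],
}

# The alert as the detection product raised it: it names one host, not the whole scope.
SAMPLE_ALERT = {"source": "network-detection", "host": "ws-01", "indicator": "203.0.113.50"}


def scope_hosts(flow_log, ip):
    """Scope: every host that talked to the indicator, not only the one in the alert."""
    return sorted({host for host, dst, _ in flow_log if dst == ip})


def investigate(host, ip, table):
    """Investigate: processes on the host holding a connection to the indicator."""
    return [p for p in table.get(host, []) if ip in p["peers"]]


def remediate(host, findings, table, quarantine):
    """Remediate: kill the offending processes and quarantine their images (simulated)."""
    pids = {p["pid"] for p in findings}
    table[host] = [p for p in table.get(host, []) if p["pid"] not in pids]
    quarantine.extend(p["image"] for p in findings)
    return sorted(pids)


def block_rule(ip):
    """Block: the rule that stops any other machine reaching the indicator (constructed syntax)."""
    return f"deny ip any -> {ip}"


def run_playbook(alert, flow_log=FLOW_LOG, process_table=PROCESS_TABLE):
    """Alert -> scope -> investigate/remediate/verify per host -> tickets and block rule."""
    table = copy.deepcopy(process_table)  # work on a copy; never mutate the shared snapshot
    ip = alert["indicator"]
    hosts = scope_hosts(flow_log, ip)
    tickets, quarantine = [], []
    for host in hosts:
        findings = investigate(host, ip, table)
        killed = remediate(host, findings, table, quarantine)
        # Verification: re-run the investigation; the ticket is clean only if nothing remains.
        verified = investigate(host, ip, table) == []
        tickets.append({"host": host, "killed_pids": killed, "verified_clean": verified})
    return {
        "scope": hosts,
        "beyond_alert": sorted(set(hosts) - {alert["host"]}),  # hosts the alert did not name
        "tickets": tickets,
        "quarantined": quarantine,
        "firewall_rule": block_rule(ip),
    }


if __name__ == "__main__":
    result = run_playbook(SAMPLE_ALERT)
    print("scope:", result["scope"], "beyond alert:", result["beyond_alert"])
    for ticket in result["tickets"]:
        print("ticket:", ticket)
    print("rule:", result["firewall_rule"])
```

The alert named only ws-01, but the flow log shows ws-07 also reached the indicator, so the playbook produces two tickets and both are verified clean before the block rule is issued. In a real deployment each of `scope_hosts`, `investigate` and `remediate` is a call into a product API, and the verification step is what distinguishes a closed ticket from an assumed one.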

Knowing Where to Find Sources of Information to Help Solve the Problem

Keeping with the example of a FireEye alert about a malicious IP address, we saw that the artificially intelligent system was able to query network resources to determine what other machines had accessed the offending IP address. In that one step, the system had to perform a complex chain of actions that are necessary to be considered AI:

  • The system must know where and how to access additional network resources
  • It must know the purpose of these resources and what data should be there
  • It must have the ability to parse through the data to find what is relevant and actionable
  • The system is required to apply the relevant findings to translate what it has found into a series of subsequent actions

All of these steps seem elementary to us, as they are both logical and how our brains function. However, being able to codify the decision-making process involved when looking for additional information to solve a problem is incredibly complex and a hallmark of artificial intelligence.

The Ability to Ingest Data from Outside

Resourcefulness is an innate human trait. Just think of how often you look for external sources of information every day. From checking the weather to reading a paper on artificial intelligence, we are constantly querying data from the outside to help us make decisions.

In the cybersecurity world, the ability to access up-to-date information about known threats is essential for any security tool to function. The volume and sophistication of threats require constant updates to things like AV signatures and threat intel feeds in order to thwart attacks at scale.

An artificially intelligent incident response system must be able to access an array of different threat intelligence sources constantly if it aims to evaluate every cyber alert it sees. In doing so, the system is able to always incriminate or exonerate potential threats with the highest level of confidence possible.

The Capacity to Analyze Data

Analysis of data by an artificially intelligent system can only be accomplished by determining content, context, and meaning.

  • Content: Put simply, what are we looking at? In the case of an alert, what pieces of data should the system be looking for in order to take the next step? Examples could include the IP address and location of the potential threat.
  • Context: What type of alert is this? Was it sent by an AV? A DLP system? A SIEM?
  • Meaning: Given content and context, what should the system do next?

Deciding on a Course of Action Based on Data Analysis

Once an artificially intelligent system has performed the requisite analysis, it must know what to do next based on codified logic. And while a similar investigation flow can be applied to multiple alerts, the remediation process can be vastly different. Some examples:

  • Phishing Email: Who is the sender? What files are attached? Has anyone clicked the attachment? Downloaded and run the executable? Given their credentials? The resulting remediation actions based on the answers to these questions are conditionally dependent and require advanced decision logic.
  • Malicious IP Address: If an IP address deemed to be malicious is accessed by a device on a network, what happens next? Is the IP address just a symptom of a malware-based infection on an endpoint? What kind? Is it ransomware making a call to the IP address and encrypting files? How many other machines are making calls to the IP? Once the root problem is cleaned on the endpoint, does it make sense to automatically add a firewall block rule to prohibit others from accessing that IP?
  • AV Alert: If the system gets an alert about a Trojan on a laptop and sees that the AV has successfully removed the offending files, is that a sign of a successful remediation? Or should the system instead run a full investigation to ensure that the Trojan wasn’t just an entry point to spawn malicious processes and morph into something the AV has missed?

Knowing what to do after a determination has been made about a potential threat is arguably the most critical capability of an artificially intelligent cybersecurity solution. Understanding how to rigorously investigate, remediate, and continue the cycle is what makes an AI solution valuable.

Determining Whether Actions Taken Solved the Problem

Evaluating whether the actions taken actually solve the entirety of the problem is the critical last step of the alert-to-investigation-to-remediation workflow. While some products and processes will stop at the remediation phase, any artificially intelligent system must be able both to verify that the remediation actions have been successful and to confirm that no additional actions are necessary.

Keeping with the AV example referenced earlier, an AI-based cybersecurity solution would verify that the AV product successfully removed the files and processes at the root of the infection, check for anything left in memory, launch parallel investigations to determine if there was any lateral movement, and re-investigate to make sure those steps have fully remediated all traces of the infection environment-wide.

Applying Results Elsewhere

Finally, once an AI-based cybersecurity solution has completed the end-to-end flow from alert to remediation and verification, it must be able to apply its findings universally. For example, if an alert from a detection system is determined to be an unknown threat, the system can then detonate the suspicious entity in a sandbox to examine behavior and incriminate or exonerate based on characteristics observed. Just because a threat is unknown to threat intelligence feeds, for instance, does not mean investigation should stop. When a new threat is uncovered, an artificially intelligent system is able to apply its newly-found knowledge to all other systems in its network, launching investigations to find out whether other machines exhibit evidence of the threat or threat type.
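As an added example (not code from the article or from Hexadite), the following Python sketches the flow the article describes: content and context are read from the alert, a threat-intel lookup incriminates or exonerates, codified decision logic handles the three alert types above, remediation is verified against host state, and the result is applied fleet-wide by hunting for anything left behind. The threat-intel entries, host names, process names and alert fields are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed threat-intel feed (sample data; RFC 5737 documentation addresses, not real indicators).
THREAT_INTEL: Dict[str, str] = {
    "203.0.113.7": "malicious",  # listed as a C2 address in this constructed feed
    "198.51.100.5": "benign",    # listed as a known-good service in this constructed feed
}


@dataclass
class Host:
    """The minimal endpoint state the verification step inspects (constructed)."""
    name: str
    processes: Set[str] = field(default_factory=set)
    connections: Set[str] = field(default_factory=set)  # destination IPs seen
    isolated: bool = False


@dataclass
class Alert:
    context: str             # which tool raised it: "av", "proxy" or "mail"
    content: Dict[str, str]  # the fields the analyser needs from that tool


def make_fleet() -> Dict[str, Host]:
    """Constructed sample fleet: two hosts share a Trojan family and a C2 address."""
    return {
        "ws-01": Host("ws-01", {"trojan.dropper", "explorer.exe"}, {"203.0.113.7"}),
        "ws-02": Host("ws-02", {"trojan.loader", "explorer.exe"}, {"203.0.113.7"}),
        "ws-03": Host("ws-03", {"explorer.exe"}, {"198.51.100.5"}),
    }


def incriminate(indicator: str, intel: Dict[str, str]) -> str:
    """Meaning step for a raw indicator: 'malicious', 'benign' or 'unknown'."""
    return intel.get(indicator, "unknown")


def decide(alert: Alert, fleet: Dict[str, Host], intel: Dict[str, str]) -> List[str]:
    """Codified decision logic: the ordered actions for one alert, keyed on its context."""
    actions: List[str] = []
    host = fleet.get(alert.content.get("host", ""))
    if alert.context == "proxy":
        ip = alert.content["dest_ip"]
        verdict = incriminate(ip, intel)
        if verdict == "unknown":
            return [f"sandbox:{ip}"]          # unknown is not benign: detonate and observe first
        if verdict == "benign":
            return ["close:exonerated"]
        actions.append(f"investigate_host:{host.name}")  # the IP is a symptom; find the cause
        callers = [h.name for h in fleet.values() if ip in h.connections]
        if len(callers) > 1:                  # several machines call out: block it at the edge
            actions.append(f"firewall_block:{ip}")
    elif alert.context == "av":
        # "AV removed the files" is not proof of remediation: run the full investigation.
        actions.append(f"investigate_host:{host.name}")
        family = alert.content["family"]
        if any(p.startswith(family) for p in host.processes):
            actions.append(f"kill_process:{host.name}:{family}")
    elif alert.context == "mail":
        if alert.content.get("credentials_entered") == "yes":
            actions.append(f"reset_credentials:{alert.content['user']}")
        if alert.content.get("attachment_opened") == "yes":
            actions.append(f"isolate_host:{host.name}")
        actions.append(f"block_sender:{alert.content['sender']}")
    return actions


def remediate(actions: List[str], fleet: Dict[str, Host]) -> None:
    """Apply the actions that change host state; the rest would open tickets in a real system."""
    for action in actions:
        kind, _, rest = action.partition(":")
        if kind == "kill_process":
            name, family = rest.split(":")
            fleet[name].processes = {p for p in fleet[name].processes if not p.startswith(family)}
        elif kind == "isolate_host":
            fleet[rest].isolated = True
        elif kind == "firewall_block":
            for h in fleet.values():
                h.connections.discard(rest)  # the block rule ends the callbacks fleet-wide


def verify(indicator: str, fleet: Dict[str, Host]) -> List[str]:
    """Hosts still showing the indicator (a process-name prefix or an IP); empty means verified."""
    return sorted(h.name for h in fleet.values()
                  if indicator in h.connections or any(p.startswith(indicator) for p in h.processes))


def respond(alert: Alert, fleet: Dict[str, Host], intel: Dict[str, str]) -> Dict[str, object]:
    """Alert -> decide -> remediate -> verify -> apply results elsewhere (hunt the rest of the fleet)."""
    actions = decide(alert, fleet, intel)
    if actions and actions[0].startswith(("sandbox:", "close:")):
        return {"actions": actions, "verified": None, "followups": []}  # nothing to remediate yet
    remediate(actions, fleet)
    indicator = alert.content.get("dest_ip") or alert.content.get("family")
    residual = verify(indicator, fleet) if indicator else []
    return {"actions": actions, "verified": not residual,
            "followups": [f"investigate_host:{h}" for h in residual]}
```

Run against the constructed fleet, the AV alert that "cleaned" ws-01 comes back unverified because the same Trojan family is still running on ws-02, and the proxy alert triggers a fleet-wide block because two hosts were calling the same address.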

About the Author: Nathan Burke is Vice President of Marketing at Hexadite, where he is responsible for bringing Hexadite's intelligent security orchestration and automation solutions to market. For 10 years, Nathan has taken on marketing leadership roles in information security-related startups. He has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action. 

Related Reading: The Role of Artificial Intelligence in Cyber Security

Copyright 2010 Respective Author at Infosec Island
Stop the Phishing Frenzy; Arm Against the Danger with Detection and Response
https://www.infosecisland.com/blogview/24869-Stop-the-Phishing-Frenzy-Arm-Against-the-Danger-with-Detection-and-Response.html
Fri, 23 Dec 2016 08:37:00 -0600

Phishing is now the No. 1 delivery vehicle for ransomware and other malware. Even with all the phishing prevention solutions available for several years, it’s clear that phishing continues to pose serious risk for today’s businesses, which face significant financial loss, exfiltration of data, compromised credentials, loss of productivity and damaged reputations. Consider the following facts:

  • 85 percent of organizations have suffered phishing attacks in the last 12 months. (Wombat Security’s 2016 State of the Phish report) The number and sophistication level of phishing attacks organizations experience has gone up. Two-thirds of the organizations in the study reported attacks that were targeted and personalized, up 22 percent from the year prior.
  • 30 percent of phishing emails get opened. (Verizon’s DBIR 2016) It’s a delivery tactic that works—zero day attacks are proven to defeat prevention systems—so there is no need for attackers to develop anything more sophisticated to scam money or information from their victims.
  • The No. 1 delivery vehicle for malware is email attachments. (Verizon’s DBIR 2016) Despite email filtering and user education, well-disguised content influences the user to click and download.
  • $1.6 million is the average cost of a spear phishing attack. (Cloudmark) Companies hit by a successful spear phishing attack in the past 12 months suffered an average financial cost of $1.6 million.

The evidence is clear: phishing and other email-related attacks either exploit technical vulnerabilities or leverage social engineering to take advantage of human weakness.

With the risks of an inevitable breach so high, it’s clear that companies need to take more active measures in preparing for the moment when a phishing, spear-phishing or whaling attack succeeds. User awareness education, signature-based technologies and email filtering are not enough, especially where zero-day attacks are concerned. To prepare, the enterprise must direct its efforts at rapid detection and blocking of successful attempts, fast enough to minimize or avoid any significant access to or loss of high-value data.

While many technologies exist today that tackle elements of threat detection, including machine learning, user and entity behavior analytics, threat modeling, etc., the most effective solutions are those that combine the best of these capabilities to deliver rapid, real-time detection and response. Consider techniques and solutions that correlate machine learning with feature, device and user behavior analytics to derive insight, detect legitimate threats and create prioritized alerts that allow enterprise systems to direct or take prescribed action immediately, shutting down invasive threats before humans even realize they are there. Automated solutions effective at stopping these threats within minutes exist today. By providing visibility and fully automating the immediate analysis, detection and elimination of threats, these solutions can finally give the enterprise a leg up in defending against a successful phishing attack.

When evaluating solutions to complement your existing cybersecurity posture around phishing, consider the following questions:

  • Can it distinguish abnormal use of credentials from normal usage? Can it detect abnormal activity both north-south through the firewall and east-west within the organization, in order to verify whether credentials have been compromised?
  • Does it avoid false positives by leveraging a combination of data collection and analysis, machine learning, predictive and behavioral analytics and then correlate findings to surface legitimate threats?

False positives can lead to needlessly generating too many incidents that need looking into, and to unnecessary remediation. The ideal solution should correlate and verify threat behavior from various sources in real time, so that the threat can be described accurately and enough information can be correlated to corroborate that the threat is real.

  • Can its architecture scale to process billions of inputs and generate correlated outputs of all related threat behavior in seconds, so that it can accurately detect such threats within minutes of compromise?

Knowing that the volume and complexity of phishing threats are on the rise, consider systems that can scale to meet even the largest enterprise’s needs.

  • Can it be set up to be fully automated, including rule sets, analysis, alerts, remediation and reports – so that it works 24x7x365 without need for human involvement?

Automation saves time, which is critical to mitigating the damage of such attacks, while also saving on dedicated 24x7 monitoring resources.

  • Most importantly, has it been proven to be effective in stopping the threat and blocking the exfiltration and/or damage of critical data?
  • Can it write rules to a firewall to block command and control communication? Can it isolate devices that have been infected? Can it write policy to directory services to disable compromised users’ credentials? Can all this be done with a single click from the detection application, or be fully automated so that the time from detection to stopping the threat is reduced to seconds?

Threat actors will assuredly continue to employ phishing techniques to tempt users with appealing documents and links, but next-generation threat detection and elimination technologies arm today’s organizations with greater capability than ever to catch and eliminate phishing threats before they do damage.

About the author: Gary Southwell is co-founder and chief strategy officer for Seceon, a cyber security startup offering the first fully automated threat detection and remediation system to detect, analyze and eliminate all cyber-threats in minutes.

Stop Living with FUD: Build Security with Confidence, Assurance and Resiliency
https://www.infosecisland.com/blogview/24868-Stop-Living-with-FUD-Build-Security-with-Confidence-Assurance-and-Resiliency.html
Fri, 23 Dec 2016 05:33:00 -0600

With expensive and damaging cybercrime on the rise, companies and organizations across the globe are constantly trying to improve their security stance. As a result, many security vendors have taken advantage of this vulnerability with a FUD approach. The FUD strategy, standing for fear, uncertainty and doubt, is a scare tactic that plays on a prospect’s fears to win a sale. The sales pitch often includes lines like “there are bad things in your network or application” or “this product is your only hope.” The security industry is ripe for FUD tactics as the costs of cybercrime are skyrocketing. The costs are rising because companies are hiring more and more security engineers, but the “scale out” approach isn’t efficient: you can never hire enough people to keep pace with the automated attacks that hackers are launching.

If companies give in to the FUD, they’ll continue to buy more and more point solutions in search of the “right one.” This is essentially the same approach as trying to lose weight by purchasing quick fixes, instead of putting together a targeted plan on how to move the needle. Here are four best practices on how to avoid FUD and build security with confidence, assurance and resiliency.

Demand Transparency

Too few cybersecurity vendors practice transparency. They don’t give users a look beneath the hood of their technology and often overpromise on capabilities. Cybersecurity isn’t some sort of black magic, yet security vendors have been treating it that way, framing their product as the sole solution to all the fear, uncertainty and doubt. When transparency is withheld, everyone loses out: there is no education and no improvement. Transparency enables organizations to have full visibility into their software development life cycle – meaning which tools are integrated into what part of the pipeline, whether any vulnerabilities were found and what they are, and recommendations on how to rapidly remediate them. With full transparency and visibility of the whole situation, organizations can protect themselves with confidence, assurance and resiliency rather than falling into FUD.

Incorporate Security at Every Stage

The software development life cycle needs to have security tests built in at every stage, from code commit to application delivery. Putting implicit checks into place increases overall confidence that your code and application are much more resilient to application security attacks. This also increases assurance, as everyone knows exactly what tests were performed and what the results were, in real time. Instead of taking the insurance approach, where you simply hope that nothing bad ever happens, take the assurance route by being proactive with your application security testing.

Know Your Strengths and Weaknesses

Most security professionals can’t confidently answer the following question: how secure are we really?

If you don’t have the answer to this seemingly simple yet fundamental question, your security team is working blindly, which puts your company, its reputation and its customers at an unnecessarily increased risk. All organizations should do a full examination of their security processes and vulnerabilities to uncover their security strengths and weaknesses. Without this knowledge, there is no confidence, assurance or resiliency.

Understand That Security Isn’t One-Size-Fits-All

There is no one cybersecurity solution that will be a perfect fit for every company. Each organization has unique security needs, strengths and weaknesses, and a good security plan should take all of those factors into account. Too many companies have fallen into the FUD trap of believing that “tool X” or “package Y” will be the solution to every security need. There is no silver bullet in cybersecurity, so organizations need to do their research to figure out what the best security plan for them entails, and not fall for the one-size-fits-all security package built on FUD.

Selling products on the basis of FUD is a scam, and security vendors who are guilty of inducing FUD need to make it right. The current state of cybercrime has rightfully put the security industry on edge, but we are not helpless, and cybersecurity tools shouldn’t be seen as an enigmatic quick fix. Leave FUD behind and build security with confidence, assurance and resiliency by demanding transparency, incorporating security at every stage, knowing your strengths and weaknesses, and understanding that security isn’t one-size-fits-all. We have access to the best cybersecurity technology, but each organization needs to build a personalized security plan founded on confidence and assurance to ensure its resiliency.

Security of IIoT Devices: Time to Operate in Tandem with the Drive for Productivity?
https://www.infosecisland.com/blogview/24867-Security-of-IIoT-Devices-Time-to-Operate-in-Tandem-with-the-Drive-for-Productivity.html
Thu, 22 Dec 2016 07:44:00 -0600

Manufacturers are increasingly adopting IIoT technology with the goal of boosting manufacturing productivity, but are security practices falling by the wayside? Here is why ensuring the security of these devices is key to long-term profitability:

The value of Industrial Internet of Things (IIoT) technology within manufacturing is becoming clearer than ever to industry. Used correctly, it has the potential to revolutionise manufacturing environments - driving a shift from reactive to predictive maintenance, boosting productivity, and deciphering swathes of big data for optimised business intelligence. A key factor behind uptake, however, is ROI and the IIoT’s potential to greatly increase profitability within whichever environment it is implemented.

The IIoT is set to be valued at $13.49 billion by 2020 – a 228 percent increase from its value of $4.11 billion in 2015. Furthermore, investment within IIoT has been estimated to exceed $60 trillion over the next 15 years. While it is clear businesses are taking notice of the opportunities that come with connected devices, they aren’t the only ones. A greater number of security issues are surfacing each day, attributed to both an increased number of vulnerable points within a network and the number of threat actors looking to take advantage of them.

The double-edged sword of IIoT profitability

With the networking of traditionally non-connected devices comes an increased risk of threats not often associated with Operational Technology (OT). Malware such as ransomware, worms and Trojans is now as much of a threat to OT systems as to IT. In some cases, the threat carries even greater consequences due to underdeveloped security barriers within industrial environments. Because of these risks, without significant investment in IIoT security, the reliability and safety of manufacturing and industrial facilities is more than likely to be negatively affected in the long term.

A variety of threats to OT systems have recently been unveiled – technology which had previously remained unexposed due to the practice of air-gapping systems and the implicit barrier between IT and OT. This includes threats such as rogue firmware in controllers, PLC worms, and IoT botnets utilised for launching massive DDoS attacks.

As attackers discover IIoT to be a lucrative business, a greater market for cyber threats develops. Cybercrime-as-a-Service through the dark web, for example, is a serious issue that will increasingly affect industrial facilities. Due to the increased availability of ‘do-it-yourself’ hacking kits, less skilled attackers can target larger organisations, aiming for greater levels of profit. Often these kits require no upfront fee, instead claiming a percentage of the total proceeds from the attack, thus adding a ‘no win, no fee’ type of incentive to using the malicious software.

Securing future profits: IIoT security as a business enabler

The boost in productivity offered by IIoT devices comes with an increased level of vulnerability. Currently, IIoT security is still immature and requires significant attention. As industrial systems shift from isolated, air-gapped systems to an open and inherently insecure infrastructure, systems that were once presumed to be secure are now ripe for attack. Overall, industries still focus solely on the business benefits of IIoT, with security considerations addressed as a secondary concern. IIoT security must therefore be addressed at an early stage through two key avenues – namely, ensuring a baseline of security within manufacturing environments, and pushing for comprehensive testing and assurance of the IIoT device ecosystem prior to deployment.

In the first instance, a product must be created that is, at its core, secure by design and secure during deployment. In short – end users must be placed within an environment which already operates under a high standard of security, operates under the assumption that attacks will almost certainly happen, and takes steps to mitigate these risks. Once this has been achieved, the education of developers into appropriate secure coding practices can be considered, placing manufacturers in a position to protect products against both prevalent security risks and the associated costs of remediation.

It is simply a matter of time until the threat actors behind Cybercrime-as-a-Service begin to expand their offering to Industrial Internet with a greater focus on vulnerable, networked systems. With a greater number of threats and vulnerabilities surrounding IIoT, the onus is therefore on manufacturers and end users to ensure security and long-term profitability – an approach that will often require expert guidance. With a significant, concerted focus on security as a core business practice, organisations will be able to ensure both short and long-term gains within manufacturing environments.

About the author: Jalal Bouhdada is the Founder and Principal ICS Security Consultant at Applied Risk.

The Dark Side of the Force: Hacktivism Takes Center Stage in 2016
https://www.infosecisland.com/blogview/24866-The-Dark-Side-of-the-Force-Hacktivism-Takes-Center-Stage-in-2016.html
Wed, 21 Dec 2016 13:23:00 -0600

Rogue One: A Star Wars Story is certainly well-timed — epitomizing outsiders joining together to bring down powerful enemies, against great odds, to steal confidential plans. This plot, in many ways, reminds me of hacktivist agendas over the past year.

Any summary of 2016 must start by recognizing that a global anti-establishment mood brought upsets that defied "expert" predictions — both online and offline. The surprising Brexit vote, Donald Trump’s shocking election victory and Italy’s "no" vote in a referendum on constitutional reform are just a few examples of how this "anti" trend stunned the world in major events led by anti-elitist uprisings.

Online, hacktivists engaged in a long list of diverse acts of hacktivism — even prior to the election, which took center stage in supporting (or opposing) a vast array of causes that range from anti-Wall Street to anti-free trade to anti-corruption to anti-fill-in-the-blank. This is not just about distributed denial of service (DDoS) attacks, but stealing data in a variety of ways — for their causes.  

As I sit here, a number of questions are swirling about election hacking: who knew what and when, Russian involvement and motives in picking winners and losers, President Obama’s promised retaliation, and much more. What is clear is that this major, end-of-the-year hacking story will bleed well into 2017 and beyond.

"Hackers will hack" for an overabundance of reasons, and plenty of black hats were, and still are, trying to make a buck or two via old-fashioned online robbery, extortion and stealing credentials from Yahoo and many others. Still, the top hacker impacts revolved around politics and wealthy people being exposed for hiding money in offshore accounts in the Panama Papers — which some experts called history’s biggest data leak ever.

From Clinton campaign emails revealed by WikiLeaks to DDoS attacks against governments, banks and other corporations, the dark side of the Web never slept in 2016.

The Top Cyber Stories For 2016  

Without question, the top cyber trend in 2016 was hacktivism. Specifically, the uncovering of hidden information went into hyper-drive — with groups such as Anonymous, WikiLeaks and DC Leaks shaping the news and impacting global dialogue, while undermining trust in digitally stored information.

Second was the growth in ransomware attacks. The overall numbers were up a staggering 6,000 percent according to IBM — with hospitals, governments and many others experiencing major cyber incidents.

As CNBC reported: “The problem is, the business model works: 70 percent of business victims paid the hackers to get their data back, the study found. Of those who paid, 50 percent paid more than $10,000 and 20 percent paid more than $40,000. …”

Third, overall data breach numbers and incidents remained high. Yahoo topped the list, with announcements about two huge breaches that actually happened a few years back. Other notable data breaches in 2016 occurred with Olympic athletes, the IRS, Wendy’s, Medstar and the Justice Department. 

Fourth, distributed denial of service (DDoS) attacks brought down large parts of the Internet using Internet of Things devices.

Fifth, cyberattacks on power grids and other significant infrastructure made headlines.

Sixth, the so-called "Apple vs FBI encryption battle" foreshadows future arguments over privacy of data versus national security.

Seventh, whaling and online fraud schemes made social engineering attacks a top FBI issue for cybercrime. There were many stories about the people side of cyber fraud, one of which highlights whaling (phishing 3.0), while others point to social engineering attacks.

Finally, there was no cyber 9/11 or crippling Internet surprise that lasted days. This is actually good news. Most technology worked well, and we recovered well from security and infrastructure outages. While some want to see Russian hacking here or other nation-state cyber battles, I am grouping those still-debated topics under #1 — with more to come on that front below.

Why 'Hackers with a Cause' Compare to the Heroes of Rogue One

On a global stage, hacktivism took the spotlight in 2016, and that is why it is my #1 cyber story for the year. Some will say that many of these hacks were sponsored by major world powers such as Russia. Foreign government involvement is likely the case, but there is disagreement in the intelligence community over who was behind which hacks and what their motives were.

In Rogue One: A Star Wars Story, unknown rebels accomplish unpredicted results. Yes, the story is science fiction, but the similarity lies in the way hackers stole center stage from powerful establishment organizations that were overconfident in 2016.

"In a time of conflict, a group of unlikely heroes band together on a mission to steal the plans to the Death Star, the Empire's ultimate weapon of destruction. This key event in the Star Wars timeline brings together ordinary people who choose to do extraordinary things, and in doing so, become part of something greater than themselves."

This could very well describe the global hacktivists’ view of the world in 2016.

Note: the "Death Star plans" are synonymous with any data, plan, information or emails that hackers deem are relevant to achieving their wider cause.

Regardless of whether you can relate to any cyber analogies thrown at you, hacking for a cause is set to explode into a complex set of state and local government challenges.

Final Thoughts

What have we learned over the past year? Sadly, we’re not winning more global cyber battles. The bad guys are still outgunning the good guys.

While many cyber defenses are improving in global enterprises, the number of bad actors is also growing rapidly. As the list above shows, the breadth and depth of cyber threats and online vulnerabilities continues to grow online — especially with new Internet of Things (IoT) devices coming onto the market.

The U.S., our allies and foreign adversaries are progressively engaging in sophisticated cyberbattles that equate to a cyber cold war and cybersecurity arms race. New relationships, partners in cyberspace and causes are evolving in unpredictable ways, and third-world hackers are teaming with first-world experts to achieve desired results.

What's disconcerting to me is the new thinking that is emerging regarding right, wrong and ethics in cyberspace — with hacktivists all around the world. The mix of fake news, misinformation, ransomware websites that come and go, and other hacker dirty tricks results in a diminishing of the public’s trust and legitimacy of data — both online and offline. This trend is impacting governments, mainstream news media, private corporations and global relationships.

A new world of hacking motivations and causes is starting to develop — along with convenient, easy-to-use tools for computer novices to do many dangerous things online. Who knows what "Death Star plans" the hacktivists will go after next.

Securing Executive Buy In as the Cyber Security Threat Landscape Expands
https://www.infosecisland.com/blogview/24863-Securing-Executive-Buy-In-as-the-Cyber-Security-Threat-Landscape-Expands.html
Fri, 16 Dec 2016 06:57:34 -0600

The people, processes, and technology that protect digital resources and manage cyber risk are essential to sustaining businesses and societies. Even so, in many enterprises, boards and executives are just beginning to truly engage in cyber security strategy and leadership.

A recent NASDAQ survey highlights alarming gaps between awareness and accountability at the highest levels of global enterprises: too many board members and executives are unable to understand security briefings and unwilling to accept responsibility for data breaches.

The simultaneous explosion of connected technology and devices, Big Data, and cybercrime has led to wider adoption of new executive roles such as the Chief Security Officer (CSO), Chief Information Security Officer (CISO) and Chief Digital Officer (CDO). As information governance, risk management, and compliance activities grow in scope and complexity, there is more than enough high-level strategy and oversight to keep an expanded C-suite challenged and busy. However, additional silos of responsibility can create confusion and inefficiencies when roles are not clearly defined, or collaboration is subdued.

When it comes to cyber security, it’s more important than ever for board members and core executives—especially those not directly involved with deploying security programs—to fully participate and contribute on a continuous basis.

The roles of the CEO, CFO, CIO, and CMO have undergone significant transformation over the past decade. Public scrutiny of business leaders is at an all-time high, in part due to enormous hacks and global data breaches. It’s become increasingly clear in the last few years that in the event of a breach, the hacked organization will be blamed and held fully accountable. Therefore, everyone in the C-suite is potentially going to have their feet held to the fire.

The good news, however, is that executives are beginning to pay more attention to the security measures protecting their organization’s assets, data, employees and customers. The cautionary tales, Armageddon scenarios, and the threat of public humiliation have made a significant impact. Executive awareness and engagement are finally increasing to meet the threats, but building a solid line of defense requires ongoing, strategic collaboration. Leaders must commit to adopting a culture of responsibility from the top, making sure their message reaches out to the edges of the enterprise and everywhere in between.

Covering all the bases—defense, risk management, prevention, detection, remediation, and incident response—is more feasible when leaders contribute from their expertise and use their unique vantage point to help set priorities and keep security efforts aligned with business objectives. Let’s take a look at each role within the C-Suite:

CEO

CEOs are on the hot seat and being pulled in a million directions at once. They face an influx of new regulations and risk factors related to the IT infrastructure and services that keep their enterprise up and running. These challenges can only be addressed through collaborative teamwork. Building a robust, encompassing cyber security program requires strong leadership from the CEO and a willingness to coordinate with the board and other executives to bridge traditional silos and redefine roles. By keeping security programs aligned with strategic business objectives, CEOs can help their organizations develop competitive advantage and dive into emerging opportunities with confidence.

In order to maintain an accurate, big picture understanding of their organization’s security preparedness, CEOs must actively solicit and distill security-related concerns, opinions, and contributions from multiple stakeholders. It’s important to make sure your team thinks of security breaches in terms of “when” not “if”—cyber-attacks are so numerous and sophisticated, it is foolish to think they can be entirely avoided.

In the event of a breach, you have to be ready with a quick and effective incident response; the faster the response, the better the outcome. In the eyes of regulators and consumers, credibility is bolstered by evidence of comprehensive, ongoing cyber security efforts. CEOs must espouse strategies that intentionally build resilience through security analysis, training, planning, and testing. The CEO leads the way by emphasizing the importance of ongoing communication and collaboration. Championing a culture of security awareness throughout the organization and supply chain strengthens your defenses; “insider threats” are still the most common attack vector.

CFO

Cyber criminals attack financial systems directly and indirectly, and data breaches of all kinds impact an organization’s bottom line. These ongoing threats require CFOs to become intimately involved in security measures and cyber risk management. CFOs are also concerned with loss of funds through theft, waste, and supply chain issues, all of which can originate or proliferate in the cyber realm.

From internal operations to investor relations, every part of a CFO’s role involves highly sensitive data that must be closely controlled and protected. To fulfill their fiduciary duties, CFOs must maintain a thorough understanding of where this vital information is, who might want to steal it, and how they might gain access to it. Their responsibilities include disclosing to the board the potential impact of a cyber-attack. This includes integrating security risks into discussions and decisions about investments, procurement, and partnerships. Analyzing the feasibility and cost effectiveness of cyber insurance and security solutions also falls in the CFO’s domain. Last but not least, CFOs should be intimately involved in crafting and rehearsing the portion of the organization’s incident response plan that involves communicating with shareholders, partners, suppliers, and customers.

CFOs have always played an important role in advocating for and pursuing critical investments that promote long-term business growth. Forward-looking CFOs recognize the importance of investing in cyber security as a primary method of protecting reputation, stock price, financial resources, and proprietary information.

CIO

The CIO role is, of course, most closely connected to cyber security responsibilities. It’s clear that CIOs have the most to gain from a broader, more collaborative approach. A united front that recruits champions from across the organization is stronger than a thin, overwhelmed line of defense made up of only IT team members.

As new roles like CISO and CDO step in to alleviate their workload, CIOs should take the lead in engaging non-technical executives and board members. Their new directive is to excel at calm, clear communication with all stakeholders in order to obtain better funding and support for security initiatives. They have to speak the language of business and risk in order to convince boards and investors of the crucial link between IT enablement and risk management. Boards want regularly updated metrics and assessments they can compare over time as well as a way to form these into an accurate, holistic picture of information technology risk. The NASDAQ survey found that a vast majority of board members, especially those at vulnerable organizations, were unable to interpret cyber security reports. It is the CIO’s job to bridge this dangerous divide.

The CIO’s mandate is maintaining an effective, working balance between technology benefits, security controls, and risk management. By aligning their efforts with strategic business objectives, CIOs will partner more closely with their colleagues in the C-suite to shape business decisions, competitive strategy, and sustainable innovation.

CMO

The CMO oversees a digital realm that is more closely tied to the customer than ever before, so it’s not surprising that their role has seen the biggest changes in recent years. The advances made possible by mobile marketing, social media, ad tech and Big Data have prompted an astonishing rise in the amount of consumer data that is gathered and analyzed for marketing purposes. Part of managing this data, much of which falls under privacy regulations, is securing it against theft and abuse. After all, cybercriminals are just as interested in that data as you are. Data-driven marketing depends on customer trust, and repeated headlines about spectacular breaches are eroding that trust.

More and more, we see brands and customer relationships damaged in the aftermath of an attack. In the event of a breach, CMOs will find themselves front and center, so they should make sure they are part of the incident response and data security planning. One of the big lessons learned from recent incidents is that financial and reputational damage will be amplified or mitigated depending on how quick, credible, and efficient the brand response is. All of a CMO’s hard work can go up in smoke if customers sense a lack of care or transparency.

In today’s enterprise, the CMO’s organization drives digital-based growth. The board and executive team rely on them to lead brand, product, and innovation efforts to competitive advantage without coming into conflict with data privacy legislation. It’s the CMO’s job to make sure the brand stands out for all of the right reasons.

Responsibility Starts at the Top

The C-Suite has the clearest, broadest “big picture” view of how their organization’s components intersect. A serious, shared commitment to common values and strategies is key to a productive relationship between the executive team and the board. Only through sincere, ongoing collaboration can complex threats like cyber-crime and espionage be managed. Without synchronized oversight, risk factors will multiply unimpeded.

In a global enterprise, there are many elements beyond the C-suite’s control, and traditional risk management isn’t agile enough to deal with the dangers of cyberspace activity. By building on a foundation of preparedness, executives can create cyber resilience by assessing threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the sure-fire way to secure assets and protect customers, partners and employees.

It’s time for all executives to step up and bridge the gap between awareness and action. Organizations that create a deeply rooted culture of security and accountability from the top down will be able to withstand the persistent, dynamic nature of today’s ever-expanding, global cyber threats. 

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Copyright 2010 Respective Author at Infosec Island
The Home of Cyber Security Best Practice: Public or Private Sector?
https://www.infosecisland.com/blogview/24862-The-Home-of-Cyber-Security-Best-Practice-Public-or-Private-Sector.html
Thu, 15 Dec 2016 07:04:00 -0600

Whilst parts of the public sector are not generally held up as shining beacons of security best practice, there are areas where the private and public sectors can take a leaf out of each other’s books, as the security challenges facing both continue to escalate. The recent reinforcement by the Chancellor of the Exchequer, Philip Hammond, of a £1.9 billion investment in bolstering the UK’s cyber defences also highlights the increasing need for cooperation between business, government, academia and industry to confront the growing menace of cybercrime.

Over the last decade, one could argue that parts of the private sector have demonstrated more examples of best practice in cyber security. That doesn’t mean that all businesses are adequately secure – on the contrary. However, by the same token, those businesses whose very existence in a global competitive market depends on good security offer a good blueprint for success in protecting sensitive data. One fundamental principle that such organisations have embraced is the importance of balancing security against the competing challenges of usability and cost. An inability to focus on all three will result in failure: users will find ways to sidestep security measures if they prove too onerous, and managers will continue to weigh up cyber risk and the cost of compromise against the corresponding cost of investing in cyber security. Only relatively recently has this triple imperative been widely recognised by government, a recognition which has in the past been hampered by out-dated practices including slow and cumbersome certification and accreditation processes.

Cost, risk and usability, the triple imperative

In the past three to four years there has been a cultural shift within government as the term ‘commercial best practice’ became pervasive. This has had a profound effect on the way that systems have been architected, procured and deployed, and on how government is looking to the private sector for both inspiration and guidance in the introduction of technology and practices. The recently introduced Government Classification Scheme (GCS) is reflective of this approach to security, which in part seeks to redress the balance between cost, risk and usability. For example, a process like Commercial Product Assurance (CPA), run by the National Cyber Security Centre, which dictates how new products are certified for government use, is today much more flexible and efficient than its past equivalents. There has also been a real drive to give responsibility for informed risk management to the data owner rather than using process to obscure responsibility. However, the nature and scale of threats faced by government within the cyber domain today is unprecedented. This means that some differences will continue to exist between the public and private sector, but the principle of balancing efficiency, cost and usability is now well established.

World-leading ambitions

On a global scale the UK has a world leading reputation for security expertise, but arguably this has not yet translated into a vibrant home-grown cyber security industry of a scale that fulfils national potential. Cyber security is recognised by the British government as a tier one national threat that is attracting substantial government funding and driving an increased need for collaboration between government, academia and industry, which is in turn driving innovation in the cyber security ecosystem.  

Both private and public sectors face a fundamental challenge: to address the asymmetry that exists between the capabilities most businesses present to the world and the huge number of adversaries wishing to exploit them, reflecting the cost and effort required to detect and respond effectively to today’s threats. One area where government is arguably ahead of industry is in gaining confidence in the identity and state of end user devices. Most high-profile data breaches involve the exploitation of vulnerabilities on end user devices. In the field of identity and access management, technologies exist not only to authenticate users but also to determine the level of trust that can and should be conferred on devices. By increasing the level of trust in both devices and users, businesses can significantly reduce their attack surface.

A move towards the secure desktop

Many of the building blocks in use today in government have evolved out of the commercial space. One such example is the Trusted Platform Module (TPM), a cryptographic chip that ships with most Intel devices (TrustZone being a similar technology for ARM-based devices). These ‘trust anchors’, as they are known, are hardware standards increasingly adopted in government circles to establish a level of trust in the state of a device by taking cryptographic measurements of the systems and patches deployed on that device. Initiatives such as these are leading to the widespread deployment of secure desktops in government. Systems for accessing cloud-based platforms now incorporate some of these trust-supporting features, offering secure browser-based access to virtual applications across varying form factors. This move towards secure desktops makes them an order of magnitude more difficult for attackers to exploit than common desktop systems. Typically using open-source operating systems at their core, they are mature enough to address cyber threats with a robust architecture, whilst balancing the triple challenge of security, usability and cost efficiency that is critical for success. This is an example of where government is driving standards adoption that the private sector may do well to embrace.
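To make the “cryptographic measurements” idea concrete, here is an added illustration (not code from the article or from any product it mentions) of how a TPM-style measurement chain lets a verifier decide whether a device is in a known-good state. Each boot component is hashed and folded into a Platform Configuration Register with the one-way extend operation, so the final register value commits to the whole ordered sequence; a verifier replays the device’s event log and compares the result against a golden value it computed from the approved build. The component names, blobs and the “patch” entry are constructed sample data, and the signed TPM quote that would protect the reported register value in a real attestation flow is assumed to have already been verified.

```python
import hashlib
from typing import Dict, List, Tuple

# A TPM PCR starts as all-zero bytes at reset; SHA-256 bank assumed here.
PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend: new = H(old || digest). One-way and order-sensitive,
    so software cannot set a PCR to a chosen value, only append to it."""
    return hashlib.sha256(pcr + digest).digest()


def measure(blob: bytes) -> bytes:
    """Measurement of a component is simply its hash."""
    return hashlib.sha256(blob).digest()


def build_log(components: List[Tuple[str, bytes]]) -> List[Tuple[str, bytes]]:
    """Produce the event log a measured boot would record: (name, digest) per stage."""
    return [(name, measure(blob)) for name, blob in components]


def replay_log(log: List[Tuple[str, bytes]]) -> bytes:
    """Recompute the PCR a verifier expects from an event log."""
    pcr = PCR_INIT
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def check_device_state(reported_pcr: bytes,
                       log: List[Tuple[str, bytes]],
                       golden_pcr: bytes,
                       allowlist: Dict[str, bytes]) -> Tuple[bool, str]:
    """Verifier logic. reported_pcr is the value taken from the TPM quote
    (assumed signature-verified). Two independent checks:
    1. the log must replay to the quoted PCR, otherwise the log was edited;
    2. the PCR must equal the golden value, otherwise some stage changed,
       and the allowlist tells us which."""
    if replay_log(log) != reported_pcr:
        return False, "event log does not replay to reported PCR"
    if reported_pcr != golden_pcr:
        bad = [name for name, digest in log if allowlist.get(name) != digest]
        return False, "unexpected measurements: " + ", ".join(bad)
    return True, "device state matches known-good baseline"


# Constructed sample data: an approved build of a secure desktop image.
GOOD_COMPONENTS = [
    ("firmware", b"sample-firmware-v3"),
    ("bootloader", b"sample-bootloader-v3"),
    ("kernel", b"sample-kernel-4.8"),
    ("patch-2016-12", b"sample-kernel-patch-december"),
]
# The same device after its kernel was replaced (everything else unchanged).
TAMPERED_COMPONENTS = [
    ("firmware", b"sample-firmware-v3"),
    ("bootloader", b"sample-bootloader-v3"),
    ("kernel", b"sample-kernel-4.8-modified"),
    ("patch-2016-12", b"sample-kernel-patch-december"),
]

# Golden value and per-stage allowlist, computed once from the approved build.
GOLDEN_LOG = build_log(GOOD_COMPONENTS)
GOLDEN_PCR = replay_log(GOLDEN_LOG)
ALLOWLIST = dict(GOLDEN_LOG)


if __name__ == "__main__":
    good_log = build_log(GOOD_COMPONENTS)
    print(check_device_state(replay_log(good_log), good_log, GOLDEN_PCR, ALLOWLIST))
    bad_log = build_log(TAMPERED_COMPONENTS)
    print(check_device_state(replay_log(bad_log), bad_log, GOLDEN_PCR, ALLOWLIST))
    # A log rewritten to look clean no longer matches the quoted PCR.
    print(check_device_state(GOLDEN_PCR, bad_log, GOLDEN_PCR, ALLOWLIST))
```

The second check is what gives the trust anchor its value for defenders: because the PCR is held in hardware and can only be extended, an altered kernel or a missing patch changes the quoted value, and a log doctored to hide the change fails the replay check instead.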

Another area where government has a natural advantage is data classification. An important element of any mature IT security strategy involves conducting regular security audits, which as part of an ongoing risk management regime should entail identifying and prioritising data assets. Introducing appropriate data classification schemes is likely to become increasingly relevant to commercial businesses faced with the need to comply with the EU General Data Protection Regulation, due to come into effect in 2018, as they seek to avoid the threat of substantial fines of up to 4 per cent of turnover associated with the loss of personally identifiable information.

The role of legislation

In future, we are likely to see continued convergence between public and private sector approaches to cyber security. There is an imperative for businesses to demonstrate security best practice, and industry giants like Google and Facebook are investing in some areas of cyber security significantly beyond related investments from national budgets, driving innovation in multiple fields. This will ensure that there continues to be an interchange of skills, knowledge and technology between the private and public sectors. The question for both commercial and public organisations to address is where their organisation sits on a spectrum of security consciousness ranging from ‘best practice’ at one end to ‘negligence’ at the other. Government is increasingly taking a lead in publicising the threat of cyberattack, but to date has enjoyed only limited success in raising awareness of good practice with initiatives like the Cyber Security Essentials Scheme. Recent history suggests that many businesses, left to their own devices, will continue to minimise their investment in security. As the EU GDPR is somewhat non-prescriptive in the measures that businesses need to deploy to demonstrate best practice, it’s likely that either further regulation or more compelling guidance will be needed to drive many businesses to take the necessary steps to protect themselves, their employees and the public, in a world where digital transformation and increasingly interconnected devices form a potent mix with a cyber threat that continues to grow.

About the author: Co-founder and Chief Executive Officer of BeCrypt, Bernard Parsons is a technology expert with more than 25 years of experience spanning robotics, embedded systems and telecommunications as well as high-end security technology.
