InfoSec Island

Google Skips Chrome 82, Resumes Stable Releases

InfoSec Island - 5 hours 29 min ago

Google is on track to resume the roll-out of stable Chrome releases next week, but says it will skip one version of the browser.

Last week, the Internet search giant said it was pausing upcoming releases of the browser, following an adjusted work schedule due to the COVID-19 (coronavirus) pandemic, and that both Chrome and Chrome OS releases would be affected.

At the time, the company revealed it would focus on the stability and security of releases, and that it would prioritize security updates for Chrome 80.

Now, Google says it is ready to resume pushing releases to the Stable channel as soon as the next week, with security and critical fixes meant for version 80 of the browser.

Moving forth, the company is planning the release of Chrome 81 in early April, but says it would then jump directly to Chrome 83, which is set to arrive in mid-May, thus skipping Chrome 82.

“M83 will be released three weeks earlier than previously planned and will include all M82 work as we cancelled the M82 release (all channels),” Google said.

This week, the company will resume the Canary, Dev and Beta channels, with Chrome 83 moving to Dev.

“We continue to closely monitor that Chrome and Chrome OS are stable, secure, and work reliably. We’ll keep everyone informed of any changes on our schedule,” the Internet giant said.

The company hasn’t shared any details on when Chrome 84 releases would start arriving, but said it would provide the information in a future update.

Following Google’s announcement last week, Microsoft said it would pause stable Edge releases, to align with the Chromium Project. Today, the Redmond-based tech company announced that Edge build 83.0.461.1 was released to the Dev channel.

“As you can see, this is the first update from major version 83.  This is a slight deviation from our normal schedule due to current events,” Microsoft says, adding that version 81 is heading for the Stable channel soon.

Related: Google Patches High-Risk Chrome Flaws, Halts Upcoming Releases

RelatedChrome 80 Released With 56 Security Fixes

Related: Chrome Will Block Insecure Downloads on HTTPS Pages

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Examining Potential Election Vulnerabilities: Are They Avoidable?

InfoSec Island - Fri, 03/27/2020 - 12:37pm

In the U.S and global communities, election security is a large concern because so many aspects of it can be insecure and open to attacks that may shift public opinion or be used for personal gain. Not only does the complexity of the U.S. government raise concerns about security, campaigns also have weak points that make it a target for attacks.

Limited IT Resources Put Campaigns and Voters at Risk

Given limited IT budgets, volunteers— who often work directly with voters, sometimes use their own personal devices and applications to communicate with other team members and supporters; they also have access to key private data belonging to candidates and team members. These personal devices are also used to access campaign systems such as the Voter Activation Network (NGP VAN) that include voter information to support operations such as phone banking and door-to-door canvassing. Without proper security controls, these personal devices can be used by adversaries to put both the campaign and voters at risk. Additionally, the threat of fake news has evolved with the advent of deepfake technology, which in recent times has been combined with artificial intelligence (AI), video and audio to create media that appears to be authentic— but is not. 

Although security controls such as two-factor authentication (2FA) are helpful, campaigns and voters may still be at risk. Abel Morales, a security engineer at Exabeam, recommends that campaigns use user and entity behavior analysis (UEBA) to detect anomalous authentications. “By monitoring staffers’ behaviors and detecting anomalies from their typical workflows, IT would be able to reduce the impact of threats introduced through social engineering, phishing and other malicious techniques.” This method also can be used to detect voter anomalies as well.

The continuing threat of ransomware attacks and nation-state attacks 

Ransomware attacks on voter databases and systems can facilitate payments in exchange for voter information. Ransomware encrypts data until a ransom is paid and could also be used to manipulate voting results or lock administrators out of critical data during an election therefore compromising voter confidence. Additionally, the increase in nation-state attacks are another major concern. Some officials believe that foreign influence on our elections will more likely come through social media to shape public opinion towards whatever direction serves their specific goals. In particular, the FBI is worried that Russia will use social media to cause further division between the political parties or hack campaign websites to spread misinformation.   

Does the government’s structure make election security more difficult?.

The intricacies of the U.S. voting system also affect the security of elections because state and local governments are not forced to use the federal government’s testing standards. State and local governments have the option to adopt these security standards, use their own, or a hybrid. Also, testing for state and local governments can be completed by private companies or local universities, as there is no single federal test certification program. This deviation from the federal standard is also seen in the lack of mandatory audits to verify the integrity of the machines and testing procedures, and the management of the voter registration database system which contains voter records. Many of these database systems are outdated and ill-equipped to handle today’s cybersecurity threats, making it easier for adversaries to delete or add voters. Although these differences can be detrimental to the security of elections, they make it difficult for attackers to launch a large-scale, coordinated attack. 

The makeup of the voting machine market is a huge risk

Three companies make up more than 90 percent of the voting machine market, suggesting that a compromise of just one of these three companies could have a significant impact on any election. Manipulation is not a formidable task given many of these machines are running outdated software with existing vulnerabilities. Some machines are still running Windows software that Microsoft no longer supports. With the support of federal funding, state and local counties have been upgrading their systems. These machines also use a software-only security approach that offers less protection than a combination of software and hardware security and can easily be manipulated.

Internet-connected devices increase risk

Our U.S. voting system is comprised of many different types of devices with varying functions including tallying and reporting votes. Security experts note that web-based systems such as election-reporting websites, candidate websites and voter roll websites are easier to attack compared to a voting machine. Many of these systems are IoT devices that have their own unique security challenges. Often, they are shipped with factory-set, hardcoded passwords; they’re unable to be patched or updated; and have outdated protocols and lack encryption. They are also susceptible to botnets that can exploit large numbers of devices in a short period. IoT attacks could also compromise a user’s browser to manipulate votes and cut power to polling stations. 

Proactive responses to help understaffed election IT teams

To prevent targeted attacks, campaign IT tech teams and staffers are performing training courses to learn how to detect and report suspicious emails. The DNC has created a security checklist for campaigns with recommendations, and the Center for Internet Security has also developed a library of resources to help campaigns including a Handbook for Elections Infrastructure Security.  Machine-based learning systems enable limited teams to operate 50 percent more efficiently through automation – which is essential given the scale and number of elections. Security orchestration, automation, and response (SOAR) as part of a modern SIEM can also orchestrate remediation in response to an identified anomaly through playbooks.  SOAR automatically identifies and prioritizes cybersecurity risks and responds to low-level security events, which is extremely useful for state and local government agencies that operate with small cybersecurity teams.  

Republicans and Democrats unite to offer a helping hand

In late 2019, recognizing the seriousness of election attacks and the lack of security resources, former campaign managers for Hillary Clinton and Mitt Romney launched a non-profit organization, Defending Digital Campaigns (DDC), which offers free to low-cost security technology and services to federal election campaigns. Some experts predict that the 2020 election will be one of the most anticipated digital security events in U.S. history. Given the complexity of the election process and voting system, security automation, behavior analytics and security education can be a part of the solution for managing a secure voting process.

About the author: Tim Matthews brings over 20 years of experience building and running software marketing teams and a focus on the security market. Prior to Exabeam, he was Vice President of Marketing at Imperva, where he led a worldwide marketing team.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Benchmarking the State of the CISO in 2020

InfoSec Island - Fri, 03/27/2020 - 12:14pm

Driving digital transformation initiatives while safeguarding the enterprise is a mammoth task. In some aspects, it might even sound counter-intuitive when it comes to opening up IT infrastructure, or converging IT and OT networks to allow external parties such as partners and customers to closely interact with the organization to embrace new business models and collaboration (think cloud applications, APIs, sensors, mobile devices, etc.).

Although new technology is being adopted quickly, especially web frontends, applications and APIs, much of the underlying IT infrastructure as well as the supporting processes and governance models are somewhat legacy, and struggle to keep up.

For its 2020 CISO Benchmark Report, Cisco surveyed some 2,800 CISOs and other IT decision-makers from 13 countries, how they cope with that, and they came up with a number of interesting findings.

Cyber-threats are a global business risk

The World Economic Forum says business leaders view cyber-attacks as the #2 global risk to business in advanced economies, taking a back seat only to financial crises. Not surprisingly,89 percent of the respondents in the Cisco study say their executives still view security as a high priority, but this number is down by 7 percent from previous years.

Nine out of ten respondents felt their company executives had solid measures for gauging the effectiveness of their security programs. This is encouraging, as clear metrics are key to a security framework, and it’s often difficult to get diverse executives and security players to agree on how to measure operational improvement and security results.

Leadership matters

The share of companies that have clarified the security roles and responsibilities on the executive team has risen and fallen in recent years, but it settled at 89 percent in 2020. Given that cyber-security is being taken more seriously and there is a major need for security leaders at top levels, the need to continue clarifying roles and responsibilities will remain critical.

The frequency with which companies are building cyber-risk assessments into their overall risk assessment strategies has shrunk by five percent from last year. Still, 91 percent of the survey respondents reported that they’re doing it. Similarly, 90 percent of executive teams are setting clear metrics to assess the effectiveness of their security programs, although this figure too is down by six percent from last year.  

Cloud protection is not solid

It’s almost impossible for a company to go digital without turning to the cloud. The Cisco report found that in 2020, over 83 percent of organizations will be managing (internally or externally) more than 20 percent of their IT infrastructure in the cloud. But protecting off-premises assets remains a challenge.

A hefty 41percent of the surveyed organizations say their data centers are very or extremely difficult to defend from attacks. Thirty-nine percent report that they struggle to keep applications secure. Similarly, private cloud infrastructure is a major security issue for organizations; half of the respondents said it was very or extremely difficult to defend.

The most problematic data of all is data stored in the public cloud. Just over half (52 percent) of the respondents find it very or extremely challenging to secure.Another 41 percent of organizations find network infrastructure very or extremely challenging to defend.

Time-to-remediate scores most important

The Cisco study enquired about the after-effects of breaches using measures such as downtime, records, and finances. How much and how often are companies suffering from downtime? It turns out that organizations across the board issued similar answers. Large enterprises (10,000 or more employees) are more likely to have less downtime (between zero and four hours) because they typically have more technology, money, and people available to help respond and recover from the threats. Small to mid-sized organizations made up most of the five- to 16-hour recovery timespans. Potentially business-killing downtimes of 17-48 hours were infrequent among companies of all sizes.

After a security incident, rapid recovery is critical to keeping disruption and damages to a minimum. As a result, of all the metrics, time-to-remediate (also known as “time-to-mitigate”) scores are the ones most important when reporting to the C-suite or the company’s board of directors, the study concludes.

Automating security is not optional – it’s mandatory

The total number of daily security alerts that organizations are faced with is constantly growing. Three years ago, half of organizations had 5,000 or fewer alerts per day. Today, that number is only 36 percent. The number of companies that receive 100,000 or more alerts per day has risen to 17 percent this year, from 11 percent in 2017. Due to the greater alert volumes and the considerable resources needed to process them, investigation of alerts is at a four-year low: just under 48 percent of companies say they can keep up. That number was 56 percent in 2017, and it’s been shrinking every year since. The rate of legitimate incidents (26 percent) has remained more or less constant, which suggests that a lot of investigations are coming up with false positives.

Perhaps the biggest side-effect of this never-ending alert activity is cyber-security fatigue. Of the companies that report that it exists among their ranks, 93 percent of them receive more than 5,000 security warnings every day.

A sizeable majority (77 percent) of Cisco’s survey respondents expect to implement more automated security solutions to simplify and accelerate their threat response times. No surprise here. These days, they basically have no choice but to automate.

Vigilance pays dividends

Organizations that had 100,000 or more records affected by their worst security incident increased to 19 percent this year, up four percent from 2019. The study also found that a major breach can impact nine critical areas of a company, including operations and brand reputation, finances, intellectual property, and customer retention.

Three years ago, 26 percent of the respondents said their brand reputation had taken a hit from a security incident; this year, 33 percent said the same. This is why, to help minimize damages and recover fast, it’s key to incorporate crisis communications planning into the company’s broader incidence response strategy.

Finally, the share of survey respondents that reported that they voluntarily disclosed a breach last year (61 percent) is the highest in four years.The upshot is that overall, companies are actively reporting breaches. This may be due to new privacy legislation (GDPR and others), or because they want to maintain the trust and confidence of their customers. In all likelihood, it’s both.

In conclusion, the CISO Benchmark report shows a balance of positives and negatives. Organizations are looking to automate security processes to accelerate response times, security leadership is strengthening and setting metrics to improve overall protection, and more breaches are being identified and reported.  But there’s still work to be done to embed security into everything organizations do as they evolve their business.

About the author: Marc Wilczek is Chief Operating Officer at Link11, an IT security provider specializing in DDoS protection, and has more than 20 years of experience within the information and communication technology (ICT) space.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Cyberattacks a Top Concern for Gov Workers

InfoSec Island - Tue, 03/03/2020 - 9:30am

More than half of city and state employees in the United States are more concerned about cyberattacks than they are of other threats, a new study discovered.

Conducted by The Harris Poll on behalf of IBM, the survey shows that over 50% of city and state employees are more concerned about cyberattacks than natural disasters and terrorist attacks. Moreover, three in four government employees (73% of the respondents) are concerned about impending ransomware threats.

With over 100 cities across the U.S. reported as being hit with ransomware in 2019, the concern is not surprising. However, the survey suggests that ransomware attacks might be even more widespread, as 1 in 6 respondents admitted that their department was impacted.

Alarmingly though, despite the increase in the frequency of these attacks, only 38% of the surveyed government employees said they received general ransomware prevention training, and 52% said that budgets for managing cyberattacks haven’t seen an increase.

“The emerging ransomware epidemic in our cities highlights the need for cities to better prepare for cyber-attacks just as frequently as they prepare for natural disasters,” said Wendi Whitmore, VP of threat intelligence at IBM Security.

While 30% of the respondents believe their employer is not investing enough in prevention, 29% believe their employer is not taking the threat of a cyberattack seriously enough. More than 70% agreed that responses and support for cyberattacks should be on-par with those for natural disasters.

On the other hand, when asked about their ability to overcome cyberattacks, 66% said their employer is prepared, while 74% said they were confident in their own ability to recognize and prevent an attack.

“The data in this new study suggests local and state employees recognize the threat but demonstrate over confidence in their ability to react to and manage it. Meanwhile, cities and states across the country remain a ripe target for cybercriminals,” Whitmore also said.

The respondents also expressed concerns regarding the impending 2020 election in the U.S., with 63% admitting concern that a cyberattack could disrupt the process.

While half of them say they expect attacks in their community to increase in the following year, six in ten even expect for their workplace to be hit. Administrative offices, utilities and the board of elections were considered the most vulnerable.

Employees in education emerged as those less prepared to face a cyberattack, with 44% saying they did not receive basic cyber-security training, and 70% admitting to not receiving adequate training on how to respond to cyberattacks.

The survey was conducted online, from January 16 through February 3, 2020, among 690 employees who work for state or local government organizations in the United States. All respondents were adults over 18, employed full time or part time.

Related: Christmas Ransomware Attack Hit New York Airport Servers

Related: Ransomware Attack Hits Louisiana State Servers

Related: Massachusetts Electric Utility Hit by Ransomware

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island