Round up of the most significant open source stories of the last week

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Top 10 Cyber Security Myths

SecurityBoulevard.com have a list of the top 10 cyber security myths that criminals love, including the Number 1 ‘This can’t happen to me’ and a few other prime examples that we do hear in conversation quite often.

Read the full list here: https://securityboulevard.com/2019/10/10-cybersecurity-myths-that-criminals-love/

A security breach is inevitable, IT leaders warned

No matter how much IT security tech and training is in place, sophisticated, targeted attacks are going to breach company defences, Carbon Black warns

A survey by security vendor Carbon Black, as part of their Global threat series study, reported that 84% of UK organisations participating in the study said they have suffered one or more breaches in the past 12 months due to external cyber attacks.

The survey reported that the average number of breaches in affected organisations was 2.89, a reduction from the 3.67 seen in the January 2019 report, with more than half (51.5%) of respondents saying they had been breached only once.

Carbon Black said the number of businesses identifying just a single breach has grown from the previous research, where only 15% had suffered only a single breach. This may indicate that businesses are responding more robustly to breach incidents to ensure that frequency is reduced.

At the other end of the scale, 5.5% of the businesses surveyed admitted they had been breached 10 or more times, and 3% said they didn’t know how many times they had been breached.

The study found that among the IT leaders who took part in the research, 84% reported an increase in cyber attacks in the past 12 months, with nine in 10 saying the attacks they face are becoming more sophisticated. This compares with 87% in the previous report and 82% in the summer of 2018.

https://www.computerweekly.com/news/252471594/A-security-breach-is-inevitable-IT-leaders-warned

Employee negligence can be a leading contributor to data breaches

Two thirds (68%) of businesses reported their organisation has experienced at least one data breach in the past 12 months, and nearly three in four (69%) of those data breaches involved the loss or theft of paper documents or electronic devices containing sensitive information, according to a report conducted by the Ponemon Institute.

https://www.helpnetsecurity.com/2019/10/01/workplace-data-breaches-risk/

UK local authorities hit with hundreds of cyberattacks every hour

Councils across the UK have suffered 263 million attacks in the first six months of the year - equivalent to 800 attacks an hour, or 13 attacks every minute. This is according to a new report by Gallagher, based on a Freedom of Information (FoI) request made towards the councils, with 203 of them answering, and another 204 councils who did not respond so the actual number of attacks could more than double the above, exceeding 500 million in the first half of the year. This gives an idea of the sheer scale and number of attacks going on all the time against all organisations.

https://www.itproportal.com/news/uk-local-authorities-hit-with-hundreds-of-cyberattacks-every-hour/

Microsoft: Any form of MFA takes users out of reach of most attacks

There have been several reports in the media regarding SIM hijacking attacks and the ease with which these types of attacks are being perpetrated, and these reports have raised some doubts or concerns about the security of multi-factor authentication.

This article does a good job of explaining how not all MFA solutions are created equally but the overarching message is that any MFA implementation, anything beyond just a username and password, significantly increases the amount of work for an attacker and as a result accounts with MFA represent less than 0.1% of all attacks.

FBI Stance on Whether Firms Should Pay Ransomware

The FBI in the US came out with hard hitting advice telling firms not to pay ransoms, but to inform the FBI in the event that a firm in the US did decide to pay a ransom.

https://www.zdnet.com/article/fbis-new-ransomware-warning-dont-pay-up-but-if-you-do-tell-us-about-it/

They then softened their stance with an updated version of their guidance including a section discussing the option of paying the hackers to get data decrypted.

https://www.theregister.co.uk/2019/10/03/fbi_softens_stance_on_ransomware/

Best practice around ransomware is always to ensure you have sufficient backups, both online and offline, such that you can restore your data in the event you get hit with ransomware. Firms need to ensure they have tested recovering their data to make sure they could recover if they needed to. It is too late when trying to recover for real to discover the backup doesn’t work or the wrong directory was being backed up.

Do not rely on cloud storage as being sufficient backup as often any ransomware attack will synchronise with files stored in the cloud before the infection is detected.

More Attacks Seen Using ‘Island Hopping’ (using targets with less security to leverage attacks against targets with more security)

Recent attacks, especially recent attacks against the aerospace and defence industries, have seen an increase in ‘island hopping’, where a bigger group or better defended target is attacked indirectly, through its network of weaker, less defended partner companies. These attacks are carried out in a more ‘horizontal' way rather than the more traditional 'vertical' methods.

https://www.zdnet.com/article/this-new-hacking-group-is-using-island-hopping-to-target-victims/

In addition to the recent aerospace attacks island hopping is also becoming more frequently used to attack financial services.

https://www.itpro.co.uk/security/33946/50-of-cyber-attacks-now-use-island-hopping

Half a million British Airways customers have been given the go-ahead to sue the airline over its cybersecurity breach last summer

On Friday a High Court judge granted a group litigation order, paving the way for a mass legal action enabling some 500,000 people affected by a series of breaches between April and September last year.

https://www.thetimes.co.uk/article/half-a-million-customers-can-sue-ba-over-huge-data-breach-n8z0rxpsk 

Cybersecurity breaches to increase nearly 70% in next 5 years

New analysis from Juniper Research has found that the cost of data breaches will rise from $3 trillion each year to over $5 trillion in 2024, an average annual growth of 11%.

 This will primarily be driven by increasing fines for data breaches as regulation tightens, as well as a greater proportion of business lost as enterprises become more dependent on the digital realm.

The new research in The Future of Cybercrime & Security: Threat Analysis, Impact Assessment & Mitigation Strategies 2019-2024 whitepaper noted that while the cost per breach will steadily rise in the future, the levels of data disclosed will make headlines but not impact breach costs directly, as most fines and lost business are not directly related to breach sizes.

https://www.uktech.news/news/cybersecurity-breaches-to-increase-nearly-70%25-in-next-5-years-20191002

Sophisticated tools provide false sense of cyber-security: Survey

Are you confident that your firm is cyber-threat-proof? A Forrester survey among over 250 senior security decision-makers in North America and Europe found that most of them are confident in their firms’ security measures. However, threats to cyber-security remain strong, said the research.

"The abundance of technology investments gives firms a false sense of confidence in their security posture. Their challenges reveal a different story," said the report.

Security executives currently employ a variety of tools and technologies to identify risks and test the effectiveness of their security controls. As a result, they are left with point-in-time assessments that require them to cobble together data from disparate systems to truly understand the organisation’s security posture. This approach is reactive, labour-intensive, and insufficient in scale, explained the report.

https://www.scmagazineuk.com/sophisticated-tools-provide-false-sense-cyber-security-survey/article/1660872 

Fileless Malware on the Rise

According to reports analysing the state of the threat landscape, fileless malware incidents are up to some 265% in the first half of 2019 when compared to the same period in 2018. Fileless malware sometimes has been referred to as a zero-footprint attack or non-malware attack. However, fileless malware may be the best name for the attack method, as the attack is not dependent on end users downloading and running malware via compromised files. Rather, fileless malware executes malicious scripts by piggybacking on legitimate software packages. More often than not, the malware resides in the computer’s random access memory (RAM), not installed on the hard drive.

https://securityboulevard.com/2019/10/fileless-malware-on-the-rise/