<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>threat - RiskInsight</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/tag/threat/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/tag/threat/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Thu, 01 Dec 2022 15:54:27 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>threat - RiskInsight</title>
	<link>https://www.riskinsight-wavestone.com/en/tag/threat/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>CDT Watch – November 2022</title>
		<link>https://www.riskinsight-wavestone.com/en/2022/12/cdt-watch-november-2022/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2022/12/cdt-watch-november-2022/#respond</comments>
		
		<dc:creator><![CDATA[CERT-W]]></dc:creator>
		<pubDate>Thu, 01 Dec 2022 15:54:26 +0000</pubDate>
				<category><![CDATA[CERT Newsletter]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[ENISA]]></category>
		<category><![CDATA[SUPPLY CHAIN]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[watch]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=19173</guid>

					<description><![CDATA[<p>EDITO What are the supply chain threats? What’s a picture of the current situation? Since 2019, there has been a growing focus on third-party attacks. With good reason: CyberArk estimates in a study from 2022 that 71% of organizations suffered...</p>
<p>Cet article <a href="https://www.riskinsight-wavestone.com/en/2022/12/cdt-watch-november-2022/">CDT Watch – November 2022</a> est apparu en premier sur <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h1 style="text-align: center;"><strong>EDITO</strong></h1>
<h2 style="text-align: center;">What are the supply chain threats?</h2>
<p><strong>What’s a picture of the current situation? </strong></p>
<p>Since 2019, there has been a growing focus on third-party attacks, with good reason: CyberArk estimates in a 2022 study that <a href="http://www.cyberview.com.tw/wp-content/uploads/2022/05/cyberark-2022-identity-security-threat-landscape-report.pdf">71% of organizations</a> suffered a successful software supply chain-related attack that resulted in data loss or asset compromise. Argon Security, recently acquired by Aqua Security, reports in the latest edition of its annual Software Supply Chain Security Review that software supply chain attacks grew by <a href="https://www.developer-tech.com/news/2022/jan/20/software-supply-chain-attacks-increased-over-300-percent-in-2021/">more than 300% in 2021</a> compared to 2020.</p>
<p>In terms of maturity, a 2022 survey of 1,000 CIOs found that 82% said their organization is vulnerable to cyber-attacks targeting software supply chains <a href="https://www.venafi.com/sites/default/files/2022-05/Venafi_WhitePaper_CIOStudy_SoftwareBuildPipelinesAttackSurfaceExpanding_2022_f%20.pdf">(Venafi)</a>. In our own Cyberbenchmark, 50% of interviewees do not check that their third parties actually meet the security requirements imposed on them, and only 15% audited their most critical suppliers in 2022.</p>
<p> </p>
<p><strong>What kind of attacks are we talking about?  </strong></p>
<p>Attacks on the supply chain are related to threats around third parties. <a href="https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks">ENISA</a> defines this type of attack as follows: “A supply chain attack is a combination of at least two attacks. The first attack is on a supplier that is then used to attack the target to gain access to its assets. The target can be the final customer or another supplier. Therefore, for an attack to be classified as a supply chain one, both the supplier and the customer have to be targets.”</p>
<p>As a reminder, the supply chain involves a wide range of resources (hardware and software), storage (cloud or local), distribution mechanisms (web applications, online stores) and management software. Two patterns are usually distinguished:</p>
<ul>
<li><strong>Indirect or bounce attack:</strong> An attack on one or more intermediate information systems. The attacker uses the supplier as an entry vector to retrieve the information needed to access the final target.</li>
<li><strong>Supply chain attack:</strong> the attacker relies on a software production chain to infect a legitimate program and distribute it to third parties.</li>
</ul>
<p> </p>
<p><strong>Why is it serious?</strong></p>
<p>First, because these attacks are <strong>hard to detect</strong>: originally used for espionage, they are attacks in which the attacker aims to remain discreet until the payload is triggered. Second, because they are <strong>one-to-many attacks</strong>: a small change in software source code can affect the entire supply chain, and the chains are increasingly interconnected. The best-known example is Kaseya, with between 800 and 1,500 businesses affected. Third, many enterprises do not have <strong>enough visibility on their ecosystem</strong> to anticipate, or even detect, the flaws in their information system. As we have seen, security maturity in this field is currently quite low.</p>
<p><strong>There are some aggravating factors:</strong></p>
<ul>
<li>The cybercriminal ecosystem has matured and industrialized: groups can now afford the time, financial investment and expertise that this kind of sophisticated attack requires, and can therefore go after mature victims.</li>
<li>Expansion of the attack surface: the IS ecosystem is increasingly large and interconnected, and more and more third parties are involved. Organizations have less control of, and less visibility on, these third parties and therefore on their security, particularly in IAM: who holds highly privileged access rights to the IS?</li>
<li>Granting access to third parties creates entry points for attackers, both into one&#8217;s IS and into the sensitive data one shares with them.</li>
<li>In 2021, in an analysis conducted with 1,200 CISOs (in America, Europe and Singapore), about 38% of respondents said that they had no way of knowing when or whether an issue arises with a third-party supplier&#8217;s cybersecurity (31% in 2020) <a href="https://www.bluevoyant.com/press-releases/bluevoyant-research-reveals-rise-in-supply-chain-cybersecurity-breaches-as-firms-struggle-to-effectively-monitor-third-party-cyber-risk">(BlueVoyant)</a>.</li>
<li>GitHub estimates that the average software project had 203 dependencies in 2022. If a popular application includes one compromised dependency, every business that downloads it from the vendor is compromised as well, so the number of victims can grow exponentially.</li>
</ul>
<p> </p>
<p><strong>Examples of attacks</strong></p>
<ul>
<li><strong>Compromise intermediate elements of the supply chain</strong> (e.g. source code and build tools). Midstream attacks target intermediate elements such as software development tools and manipulate the build process that produces the artifact.
<ul>
<li>Ex: SolarWinds</li>
</ul>
</li>
<li><strong>Compromise upstream software</strong> (i.e. compromising the source code). The attacker infects a system that is &#8216;upstream&#8217; of users, for example through a malicious update, which then infects all &#8216;downstream&#8217; users who download it.
<ul>
<li>One of the biggest was the compromise of the CCleaner update in 2017, with 2.3 million users impacted</li>
</ul>
</li>
<li><strong>Compromise project interdependencies.</strong> Compromise third-party components, such as an open-source package. Dependency confusion: the attacker publishes, on a public registry, a package carrying the name of a component that the target&#8217;s project normally fetches from a private source, with a higher version number, so that the target&#8217;s build tooling automatically downloads the attacker&#8217;s package and includes it in the project.
<ul>
<li>Ex: Apple, Microsoft, Uber, PayPal (bug bounty, 2020)</li>
</ul>
</li>
</ul>
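<p>To make the dependency confusion pattern concrete, here is an added example (not part of the newsletter, nor CERT-W code) that audits an npm lockfile for the two conditions that let such an attack succeed: an internal package name that was resolved from the public registry rather than the private one, and a tarball recorded without an integrity hash. The package names, the private registry host <code>npm.acme.internal</code>, the prefixes treated as internal and the lockfile itself are all constructed for the example.</p>

```python
"""Audit an npm lockfile for dependency-confusion exposure.

Added example for this newsletter, not code from Wavestone/CERT-W. The lockfile,
the internal package prefixes and the private registry host are all constructed
for the example.
"""
import json
from urllib.parse import urlparse

# Assumption for the example: packages under these prefixes are internal and
# must only ever come from the private registry.
INTERNAL_PREFIXES = ("@acme/", "acme-")
PRIVATE_REGISTRY_HOST = "npm.acme.internal"

# Constructed fragment of a package-lock.json (lockfileVersion 3 layout:
# "packages" is keyed by node_modules path; each entry records where the tarball
# was fetched from and its integrity hash). The hashes below are placeholders.
LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        # Internal, scoped, fetched from the private registry: fine.
        "node_modules/@acme/billing-core": {
            "version": "1.4.2",
            "resolved": "https://npm.acme.internal/@acme/billing-core/-/billing-core-1.4.2.tgz",
            "integrity": "sha512-PLACEHOLDER0",
        },
        # Internal, unscoped name resolved from the PUBLIC registry with an
        # implausibly high version: the dependency-confusion pattern.
        "node_modules/acme-auth-utils": {
            "version": "99.0.0",
            "resolved": "https://registry.npmjs.org/acme-auth-utils/-/acme-auth-utils-99.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER1",
        },
        # Public package with no integrity hash recorded.
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
    },
})


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested installs included)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(text, internal_prefixes=INTERNAL_PREFIXES,
                   private_host=PRIVATE_REGISTRY_HOST):
    """Return (package, issue) pairs for entries that would let a supply chain
    attacker substitute code: an internal name fetched from somewhere other than
    the private registry, or any tarball recorded without an integrity hash."""
    findings = []
    for path, meta in json.loads(text)["packages"].items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = package_name(path)
        host = urlparse(meta.get("resolved", "")).hostname or "unknown"
        if name.startswith(internal_prefixes) and host != private_host:
            findings.append((name, f"internal package resolved from {host}: "
                                   "possible dependency confusion"))
        if not meta.get("integrity"):
            findings.append((name, "no integrity hash: a swapped tarball would "
                                   "install unnoticed"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_lockfile(LOCKFILE):
        print(f"{name}: {issue}")
```

<p>The first finding is the one to act on: an unscoped internal name such as <code>acme-auth-utils</code> can be claimed by anyone on the public registry, and any machine whose resolution falls through to that registry (npm&#8217;s default for unscoped names, or pip with an extra index, which picks the highest version across all indexes) will install the attacker&#8217;s package. Publishing internal packages under a scope the organization owns and mapping that scope to the private registry in <code>.npmrc</code> (<code>@acme:registry=https://npm.acme.internal/</code>) removes the ambiguity; the second check simply ensures the lockfile can detect a swapped tarball at install time.</p>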
<p>Within these strategies, one of the most impactful methods is <strong>to target the CI/CD pipeline</strong>. If the infrastructure is not secured enough and access management is poor (our audit teams often see this), it is an easy target. Once it is compromised, the attacker has access to part of the critical infrastructure and to the source code of both the application and the infrastructure, and can generally do whatever they want.</p>
<p><strong>The impacts are high: </strong></p>
<ul>
<li>Attackers gain access to critical IT infrastructure, development processes, source code, libraries and applications</li>
<li>They can modify the code or inject malicious code during the build process and alter the application</li>
<li>They can deploy malware through the orchestrator directly onto production environments</li>
</ul>
<p> </p>
<p> </p>
<h1 style="text-align: center;"><strong>CERT-W: FROM THE FRONT LINE</strong></h1>
<h2 style="text-align: center;">The First Responder Word</h2>
<p><img fetchpriority="high" decoding="async" class="alignnone  wp-image-19175" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image-366x191.png" alt="" width="863" height="450" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image-366x191.png 366w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image-71x37.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image-768x401.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image.png 1486w" sizes="(max-width: 863px) 100vw, 863px" /></p>
<p> </p>
<p> </p>
<h1 style="text-align: center;"><strong>READING OF THE MONTH</strong></h1>
<h2 style="text-align: center;">ENISA</h2>
<p style="text-align: center;">This is the tenth edition of the ENISA Threat Landscape (ETL) report, an annual report on the status of the cybersecurity threat landscape. It identifies the top threats, major trends observed with respect to threats, threat actors and attack techniques, as well as impact and motivation analysis.</p>
<p><img decoding="async" class="wp-image-19177 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image-2-315x191.png" alt="" width="400" height="243" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image-2-315x191.png 315w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image-2-64x39.png 64w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image-2-768x466.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/12/image-2.png 963w" sizes="(max-width: 400px) 100vw, 400px" /></p>
<p style="text-align: center;"><a href="https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022">Link to the report</a></p>
<p style="text-align: center;">SEE YOU NEXT MONTH!!</p>
<p>Cet article <a href="https://www.riskinsight-wavestone.com/en/2022/12/cdt-watch-november-2022/">CDT Watch – November 2022</a> est apparu en premier sur <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2022/12/cdt-watch-november-2022/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Hackuity &#124; Shake&#8217;Up &#8211; The future of vulnerability management: threat status and current issues in vulnerability management (1/2)</title>
		<link>https://www.riskinsight-wavestone.com/en/2021/02/hackuity-shake-up-the-future-of-vulnerability-management-threat-status-and-current-issues-in-vulnerability-management-1-2/</link>
		
		<dc:creator><![CDATA[Patrick Ragaru]]></dc:creator>
		<pubDate>Wed, 10 Feb 2021 07:00:15 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Ethical Hacking & Incident Response]]></category>
		<category><![CDATA[#vulnerability]]></category>
		<category><![CDATA[hackuity]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[shake'up]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[vulnerability management]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=15135</guid>

					<description><![CDATA[<p>We have recently opened the contributions to this blog to start-ups accelerated by our Shake&#8217;Up project. Hackuity rethinks vulnerability management with a platform that collects, standardizes and orchestrates automated and manual security assessment practices and enriches them with Cyber Threat...</p>
<p>Cet article <a href="https://www.riskinsight-wavestone.com/en/2021/02/hackuity-shake-up-the-future-of-vulnerability-management-threat-status-and-current-issues-in-vulnerability-management-1-2/">Hackuity | Shake&#8217;Up &#8211; The future of vulnerability management: threat status and current issues in vulnerability management (1/2)</a> est apparu en premier sur <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>We have recently opened the contributions to this blog to start-ups accelerated by our Shake&#8217;Up project. Hackuity rethinks vulnerability management with a platform that collects, standardizes and orchestrates automated and manual security assessment practices and enriches them with Cyber Threat Intelligence data sources, technical context elements and business impacts. Hackuity enables you to leverage your existing vulnerability detection arsenal, to prioritize the most important vulnerabilities, to save time on low-value tasks and reduce remediation costs, to gain access to a comprehensive and continuous view of the company&#8217;s security posture, and to meet compliance obligations.</em></p>
<p>&nbsp;</p>
<h2>What are we talking about?</h2>
<p>ISO 27005 defines a <strong>vulnerability</strong> as “<em>a weakness of an asset or group of assets that can be exploited by one or more cyber threats where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization&#8217;s mission</em>”. For the SANS Institute, <strong>vulnerability management</strong> is “<em>the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization</em>”. Over time, vulnerability management has become a fundamental practice in cybersecurity, and industry professionals now agree that it is an essential process for minimizing the company&#8217;s attack surface.</p>
<p>&nbsp;</p>
<figure id="post-15081 media-15081" class="align-none"><img decoding="async" class="wp-image-15081 aligncenter" src="http://riskinsight-prepro.s189758.zephyr32.atester.fr/wp-content/uploads/2021/02/Image-1.jpg" alt="" width="675" height="571" /></figure>
<p style="text-align: center;">Source: <a href="https://blogs.gartner.com/augusto-barros/2019/10/25/new-vulnerability-management-guidance-framework/">https://blogs.gartner.com/augusto-barros/2019/10/25/new-vulnerability-management-guidance-framework/</a></p>
<p>&nbsp;</p>
<p>Nowadays, vulnerability management is integrated into all the major security frameworks, standards, sector regulations, guides and good security practices (ISO, PCI-DSS, GDPR, Basel agreements, French LPM, NIS, etc.) and is even a regulatory requirement in some contexts. Every “good” corporate security policy includes a significant chapter on this topic. Many would consider it a necessary evil.</p>
<p>&nbsp;</p>
<h2>Vulnerabilities: threat status</h2>
<p>However, in 2019, according to a study conducted by the Ponemon Institute<a href="#_ftn1" name="_ftnref1">[1]</a>, “<em>60% of security incidents were [still] the consequence of exploiting a vulnerability that is known but not yet corrected by companies</em>”. To illustrate the current extent of the phenomenon, let&#8217;s consider ransomware, the main cyber threat of 2020 and probably 2021. Although ransomware is generally spread through user-initiated actions, such as clicking on a malicious link in a spam e-mail or visiting a compromised website, a large proportion of ransomware also exploits software vulnerabilities. If we look at the top five most virulent ransomware families of 2020 as ranked by Intel 471<a href="#_ftn2" name="_ftnref2">[2]</a>, we can see that their kill chains all exploit published vulnerabilities (CVEs).</p>
<table style="border-collapse: collapse; width: 100%;">
<thead>
<tr>
<th style="text-align: center;">Ransomware name</th>
<th style="text-align: center;">First known occurrence</th>
<th style="text-align: center;">Known exploited CVE</th>
<th style="text-align: center;">CVE publication date</th>
<th style="text-align: center;">Patch / workaround</th>
<th style="text-align: center;">CVSS v2.0 score</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center;">Maze (aka ChaCha)</td>
<td style="text-align: center;">05-2019</td>
<td style="text-align: center;">CVE-2018-15982<br />CVE-2018-4878<br />CVE-2019-11510<br />CVE-2018-8174<br />CVE-2019-19781</td>
<td style="text-align: center;">18/01/2019<br />06/02/2018<br />08/05/2019<br />05/09/2018<br />27/12/2019</td>
<td style="text-align: center;">12-2018<br />02-2018<br />04-2019<br />08-2018<br />12-2019</td>
<td style="text-align: center;">10.0<br />7.5<br />7.5<br />7.6<br />7.5</td>
</tr>
<tr>
<td style="text-align: center;">REvil (aka Sodinokibi)</td>
<td style="text-align: center;">04-2019</td>
<td style="text-align: center;">CVE-2018-8453<br />CVE-2019-11510<br />CVE-2019-2725</td>
<td style="text-align: center;">10/10/2018<br />08/05/2019<br />26/04/2019</td>
<td style="text-align: center;">10-2018<br />05-2019<br />04-2019</td>
<td style="text-align: center;">7.2<br />7.5<br />7.5</td>
</tr>
<tr>
<td style="text-align: center;">Netwalker</td>
<td style="text-align: center;">09-2019</td>
<td style="text-align: center;">CVE-2015-1701<br />CVE-2017-0213<br />CVE-2020-0796<br />CVE-2019-1458</td>
<td style="text-align: center;">21/04/2015<br />12/05/2017<br />12/03/2020<br />10/12/2019</td>
<td style="text-align: center;">05-2015<br />05-2017<br />03-2020<br />12-2019</td>
<td style="text-align: center;">7.2<br />1.9<br />7.5<br />7.2</td>
</tr>
<tr>
<td style="text-align: center;">Ryuk</td>
<td style="text-align: center;">08-2018</td>
<td style="text-align: center;">CVE-2013-2618<br />CVE-2017-6884<br />CVE-2018-8389<br />CVE-2018-12808<br />CVE-2020-1472</td>
<td style="text-align: center;">05/06/2014<br />06/04/2017<br />15/08/2018<br />29/08/2018<br />17/08/2020</td>
<td style="text-align: center;">*-2014<br />04-2017<br />08-2018<br />08-2018<br />08-2020</td>
<td style="text-align: center;">4.3<br />9.0<br />7.6<br />7.5<br />9.3</td>
</tr>
<tr>
<td style="text-align: center;">DoppelPaymer</td>
<td style="text-align: center;">04-2019</td>
<td style="text-align: center;">CVE-2019-1978<br />CVE-2019-19781</td>
<td style="text-align: center;">05/11/2019<br />27/12/2019</td>
<td style="text-align: center;">*-2019<br />01-2020</td>
<td style="text-align: center;">5.0<br />7.5</td>
</tr>
</tbody>
</table>
<p style="text-align: center;">Source: Hackuity &amp; National Vulnerability Database (<a href="https://nvd.nist.gov/">https://nvd.nist.gov/</a>). CVE publication dates are dd/mm/yyyy; first occurrence and patch dates are mm-yyyy.</p>
<p>&nbsp;</p>
<p>It is worth noting that these vulnerabilities had often already been published in the NVD when the ransomware first appeared, sometimes for several years, and that in most cases patches or workarounds had already been released. A recent Check Point<a href="#_ftn3" name="_ftnref3">[3]</a> study confirms that <strong>older vulnerabilities remain the most exploited.</strong> In mid-2020, more than 80% of the cyberattacks identified used a vulnerability published before 2017, and more than 20% of these attacks exploited a vulnerability that had been known for more than seven years.</p>
<p>&nbsp;</p>
<figure id="post-15083 media-15083" class="align-none"><img loading="lazy" decoding="async" class=" wp-image-15083 aligncenter" src="http://riskinsight-prepro.s189758.zephyr32.atester.fr/wp-content/uploads/2021/02/Image-2.png" alt="" width="722" height="334" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Image-2.png 1196w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Image-2-413x191.png 413w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Image-2-71x33.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Image-2-768x355.png 768w" sizes="auto, (max-width: 722px) 100vw, 722px" /></figure>
<p>&nbsp;</p>
<p>This highlights the importance, even today, of rapidly installing security patches as a defense mechanism to minimize cyber risks. It is therefore not surprising that vulnerability management, one of the oldest practices in cybersecurity, remains one of the major CISO challenges for 2021 according to Wavestone<a href="#_ftn4" name="_ftnref4">[4]</a>. Does this mean that we should try to correct all the vulnerabilities? Let&#8217;s go back in time.</p>
<p>&nbsp;</p>
<h2>« Vulnerability Assessment » vs. « Vulnerability Management »</h2>
<p>When they first appeared on the market at the end of the 1990s, the vulnerability management solutions worked similarly to an antivirus: the objective was to detect as many potential threats as possible. They were more commonly referred to as “vulnerability scanners”.</p>
<p>The volume of vulnerabilities then was relatively low compared to today. In 2000, the NVD identified about 1,000 new vulnerabilities over the year, compared to more than 18,000 in 2020.</p>
<p>A comprehensive and manual treatment of vulnerabilities was still possible at that time. Scanners provided a list of vulnerabilities, their relevance in the business context was analyzed by IT teams and a report was sent to business managers. Once the report was approved, administrators would fix the vulnerabilities and re-test to ensure that patches were properly implemented.</p>
<p>&nbsp;</p>
<figure id="post-15085 media-15085" class="align-none"><img loading="lazy" decoding="async" class=" wp-image-15085 aligncenter" src="http://riskinsight-prepro.s189758.zephyr32.atester.fr/wp-content/uploads/2021/02/Image-3.png" alt="" width="522" height="365" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Image-3.png 832w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Image-3-273x191.png 273w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Image-3-56x39.png 56w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Image-3-768x537.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Image-3-245x170.png 245w" sizes="auto, (max-width: 522px) 100vw, 522px" /></figure>
<p style="text-align: center;">Source : National Vulnerability Database (<a href="https://nvd.nist.gov/">https://nvd.nist.gov/</a>)</p>
<p>&nbsp;</p>
<p>Over the next two decades, the number of discovered vulnerabilities increased steadily at first, then started to skyrocket in 2017, a trend that continues today. In 2020, a record of more than 18,000 new vulnerabilities were published by the NIST. But no, code quality is not worse than ever! There are several reasons behind the growing number of vulnerabilities being disclosed:</p>
<ol>
<li>Innovation and the accelerated digitization of business lead to an increase in published hardware and software products. In 2010, the NIST recorded 22,188 new entries in its CPE repository, including 1,332 new products and 406 publishers. In 2020, 324,810 entries (+1,460 %), 35,794 new products (+2,690 %) and 6,060 publishers (+1,490%) have appeared in the repository.</li>
<li>Demand for faster time-to-market is driving vendors to shorten development cycles to release and sell products faster, even if it means saving on resources needed for quality assurance and security testing.</li>
<li>Cybercrime has become a lucrative business. A growing number of vulnerabilities are now attributed to cybercriminals seeking new tools to support their attacks.</li>
<li>At the same time, the number of experts and independent organizations involved in the research and disclosure of vulnerabilities is increasing. The democratization and industrialization of <a href="https://www.riskinsight-wavestone.com/en/2021/01/bug-bounty-insight-and-benchmark-on-the-banking-industry-2021/">Bug-Bounty programs</a> are not unrelated to this.</li>
<li>And finally, with rare exceptions such as GDPR, in the absence of adequate legislation and regulations protecting consumer rights in the event of software vulnerabilities, the industry has no incentive to invest in safer products or to take responsibility for the damage caused.</li>
</ol>
<p>However, <strong>the problem is not only the higher number of vulnerabilities identified in the NVD databases or other repositories.</strong> With the advent of ultra-mobility, home-office, cloud-computing, social media, IoT, but also the convergence between IT and OT, Information Systems have continued to become more complex and to expand, open up and multiply the number of their suppliers, &#8230;creating as many potential new entry points for cybercriminals.</p>
<p>At the same time, companies are deploying and operating a vulnerabilities detection arsenal that is continually growing and has become more mature in recent years, or even commoditized:</p>
<ul>
<li>Penetration tests &amp; red teams</li>
<li>Vulnerability scanners: on the entire external and/or internal estate</li>
<li>Vulnerability watch</li>
<li>SAST, DAST &amp; SCA: often directly integrated into development pipelines</li>
<li>Bug bounty campaigns</li>
</ul>
<p>All these detection practices are complementary and are generally stacked in a best-of-breed approach to evaluate specific parts of the IS or SDLC. Unfortunately, it is often once the arsenal is in place that the problems become obvious (non-exhaustive list):</p>
<ul>
<li><strong>The heterogeneity of the deliverables’ formats:</strong> pentest reports as PDF or Excel files, scan results in the tool&#8217;s own console, vulnerabilities on the bug bounty platform, etc., often force the company into a siloed vulnerability management approach. The same goes for vulnerability scores, which end up as a patchwork of CVSS in its multiple versions, proprietary scales and a clever mix of the two.</li>
<li>This results in the <strong>inability to prioritize remediation efforts</strong> globally, because the stock of vulnerabilities is perceived in a fragmented and heterogeneous way.</li>
<li>Managing <strong>volumes of data that have become far too large to be processed manually</strong>: it is not uncommon for a company that performs authenticated scans on its estate to see the volume of vulnerabilities exceed several million entries in the scanner&#8217;s console.</li>
<li><strong>Difficulty in coordinating remediation actions:</strong> identifying the asset owner and the person responsible for the fix, exchanging e-mails, monitoring progress, Excel reporting, etc.</li>
<li>The frustration of the teams in charge of remediation, <strong>who do not have factual reporting</strong> showing the effect of their remediation effort on the company&#8217;s overall security posture.</li>
</ul>
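<p>The heterogeneity problem above is easier to see on data. The following added example (not Hackuity&#8217;s code) takes three constructed exports, a pentest CSV with label-only severities, a scanner JSON scored in CVSS v2 and a bug bounty JSON scored in CVSS v3.1, normalizes them into one schema, merges the same vulnerability reported twice on the same asset, and ranks the result with known exploitation ahead of raw score. The host names, the label-to-score anchors and the exports themselves are assumptions made for the example; the known-exploited set is the ransomware CVEs from the table above.</p>

```python
"""Consolidate vulnerability findings from several tools into one schema, then
rank them for remediation.

Added example for this article, not Hackuity's code. The three exports below
are constructed; the severity-to-score anchors are an assumption made for the
example; the known-exploited list is the ransomware CVEs from the table above.
"""
import csv
import io
import json
from dataclasses import dataclass
from typing import Optional

# Constructed export 1: a pentest report as CSV, severity as a label only.
PENTEST_CSV = """host,cve,severity,title
VPN.example.test,CVE-2019-11510,Critical,Pulse Secure arbitrary file read
VPN.example.test,,Low,Verbose server banner
"""

# Constructed export 2: scanner results as JSON, scored with CVSS v2.
SCANNER_JSON = json.dumps([
    {"hostname": "vpn.example.test", "cve": "CVE-2019-11510", "cvss2": 7.5},
    {"hostname": "dc01.example.test", "cve": "CVE-2020-1472", "cvss2": 9.3},
])

# Constructed export 3: bug bounty report as JSON, scored with CVSS v3.1.
BOUNTY_JSON = json.dumps([
    {"asset": "citrix.example.test", "cve": "CVE-2019-19781", "cvss3": 9.8},
])

# Assumed anchors that put label-only severities on the same 0-10 axis as CVSS.
LABEL_TO_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5}

# CVEs the article's table shows being exploited by ransomware crews.
KNOWN_EXPLOITED = {"CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472"}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: Optional[str]
    score: float  # normalized 0-10
    source: str   # which tool, and which scale the score came from


def normalize_pentest(text):
    return [Finding(r["host"].lower(), r["cve"] or None,
                    LABEL_TO_SCORE[r["severity"].lower()], "pentest:label")
            for r in csv.DictReader(io.StringIO(text))]


def normalize_scanner(text):
    # CVSS v2 and v3 share the 0-10 range but not the formula, so the scale is
    # kept in the source tag rather than silently mixed.
    return [Finding(e["hostname"].lower(), e["cve"], float(e["cvss2"]), "scanner:cvss2")
            for e in json.loads(text)]


def normalize_bounty(text):
    return [Finding(e["asset"].lower(), e["cve"], float(e["cvss3"]), "bounty:cvss3")
            for e in json.loads(text)]


def consolidate(findings):
    """Same asset + same CVE reported by several tools is one vulnerability:
    keep the highest score and every source. Findings without a CVE cannot be
    matched across tools, so they stay per source."""
    merged = {}
    for f in findings:
        key = (f.asset, f.cve) if f.cve else (f.asset, None, f.source)
        entry = merged.setdefault(key, {"asset": f.asset, "cve": f.cve,
                                        "score": 0.0, "sources": []})
        entry["score"] = max(entry["score"], f.score)
        entry["sources"].append(f.source)
    return list(merged.values())


def rank(entries, known_exploited=KNOWN_EXPLOITED):
    """Remediation order: anything with known exploitation in the wild first,
    then by normalized score. This is what a score-only view cannot give."""
    return sorted(entries,
                  key=lambda e: (e["cve"] in known_exploited, e["score"]),
                  reverse=True)


def build_backlog():
    """Run the three exports through the pipeline and return the ranked list."""
    findings = (normalize_pentest(PENTEST_CSV) + normalize_scanner(SCANNER_JSON)
                + normalize_bounty(BOUNTY_JSON))
    return rank(consolidate(findings))


if __name__ == "__main__":
    for e in build_backlog():
        print(f"{e['score']:>4}  {e['cve'] or '-':<15} {e['asset']:<22} "
              f"{','.join(e['sources'])}")
```

<p>Two things the raw exports hide appear immediately: the Pulse Secure flaw is one vulnerability, not two, once host names are normalized and the pentest and scanner entries are merged; and exploitation evidence changes the order. Passing <code>rank()</code> a known-exploited set containing only CVE-2020-1472 puts Zerologon (CVSS 9.3) ahead of the Citrix vulnerability (9.8), which a score-only backlog would never do.</p>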
<p>Facing these problems, companies have no choice but to work on the implementation of processes that are often costly because they rely on manual actions, the development of ad-hoc tooling or an assembly of bits and pieces of solutions gleaned here and there. The lack of automation of this process is all the more absurd since it generally mobilizes rare and expensive cyber security experts on low-value tasks such as compiling data in Excel, endlessly searching for the right stakeholder or tracking email threads.</p>
<p>In its study “<em>Cost and consequences of gaps in vulnerability management responses</em>” (2019), the Ponemon institute estimates that companies with more than 10,000 employees spent an average of more than <strong>21,000 hours (or nearly 12 FTEs)</strong> in 2019 on the prevention, detection and treatment of vulnerabilities. This represents a total of more than $1M for a very disappointing quality/price ratio.</p>
<h2>The « patching paradox »</h2>
<p>In theory, the best way to stay protected is to keep each system up to date by correcting each new vulnerability as soon as it is identified. In real life, this task has become impossible: the volume of vulnerabilities is too large, human and financial resources are too limited, legacy systems exist, fixes take time to become available, and operational constraints slow down patch deployment.</p>
<p>Ultimately, no matter how large or small an organization may be, it will never have enough human or financial resources to address all of its vulnerabilities. In fact, the mistaken belief that more people dedicated to addressing vulnerabilities equals better security is called the “patching paradox” in the industry.</p>
<p>To relieve the pressure to increase staff at a time when qualified security experts are in short supply, and to prevent vulnerability management from becoming a frantic and lost race to fix more and more vulnerabilities, organizations today need to determine which of their vulnerabilities should be addressed first.</p>
<p>&nbsp;</p>
<p><em>After having seen in this first article the threat status and the current issues related to the management of vulnerabilities, we will see in a second article the new approaches to be taken into account to better manage vulnerabilities.</em></p>
<p><a href="#_ftnref1" name="_ftn1">[1]</a> Ponemon Institute &#8211; Cost and consequences of gaps in vulnerability management responses &#8211; 2019</p>
<p><a href="#_ftnref2" name="_ftn1">[2]</a> <a href="https://intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/">https://intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/</a></p>
<p><a href="#_ftnref3" name="_ftn1">[3]</a> <a href="https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf">https://www.checkpoint.com/downloads/resources/cyber-attack-trends-report-mid-year-2020.pdf</a></p>
<p><a href="#_ftnref4" name="_ftn1">[4]</a> <a href="https://www.wavestone.com/fr/insight/radar-rssi-quelles-priorites-2021/">https://www.wavestone.com/fr/insight/radar-rssi-quelles-priorites-2021/</a></p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2021/02/hackuity-shake-up-the-future-of-vulnerability-management-threat-status-and-current-issues-in-vulnerability-management-1-2/">Hackuity | Shake&#8217;Up &#8211; The future of vulnerability management: threat status and current issues in vulnerability management (1/2)</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO, between post-COVID world and persistent threats, what are the priorities for 2021?</title>
		<link>https://www.riskinsight-wavestone.com/en/2021/02/ciso-between-post-covid-world-and-persistent-threats-what-are-the-priorities-for-2021/</link>
		
		<dc:creator><![CDATA[Gérôme Billois]]></dc:creator>
		<pubDate>Mon, 01 Feb 2021 10:21:29 +0000</pubDate>
				<category><![CDATA[Cyberrisk Management & Strategy]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[2021]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[emerging topics]]></category>
		<category><![CDATA[opportunities]]></category>
		<category><![CDATA[priorities]]></category>
		<category><![CDATA[radar]]></category>
		<category><![CDATA[threat]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=15064</guid>

					<description><![CDATA[<p>Since the last edition of the radar, the world has been hit hard by an unprecedented viral pandemic. This has piled on the pressure to fast track digital transformations set in a context of increasingly active cybercriminals and an ever-growing threat. Against...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2021/02/ciso-between-post-covid-world-and-persistent-threats-what-are-the-priorities-for-2021/">CISO, between post-COVID world and persistent threats, what are the priorities for 2021?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p style="text-align: justify;">Since <a href="https://www.wavestone.com/en/insight/ciso-radar-2020/">the last edition of the radar</a>, the world has been hit hard by <a href="https://www.wavestone.com/en/insight/cybersecurity-in-the-face-of-the-health-crisis/">an unprecedented viral pandemic</a>. This has piled on the pressure to fast track digital transformations set in a context of increasingly active cybercriminals and an ever-growing threat. Against this twin backdrop of public-health and economic crises, what should you do to plan for 2021? And what are the trends to watch to assure cybersecurity in large organizations?</p>
<p style="text-align: justify;">One fundamental theme won’t change: the threat – the starting point for all thinking about cybersecurity. In our view, unsurprisingly, ransomware will remain the major threat facing businesses. Since the end of 2019, and the exploits of <strong>Maze</strong>, <strong>Sodinokibi</strong>, and, more recently <strong>Egregor</strong>, these destructive attacks have been paired with massive data exfiltration – adding a new dimension to criminal blackmail operations. All types of organizations are affected: from local authorities, through SMEs, to large international groups – wherever they are in the world.</p>
<p style="text-align: justify;">In addition, as we recently discussed in <a href="https://www.lemonde.fr/economie/article/2020/11/15/comment-le-cybercrime-se-professionnalise-en-s-attaquant-aux-particuliers-et-aux-entreprises_6059830_3234.html"><em>Le Monde</em></a>, cybercriminal operations have become <strong>highly professionalized</strong>, ensuring the perpetrators reap a <strong>return on their considerable investments</strong>. These investments will enable them to mount increasingly deep, and technically sophisticated, attacks in the future – attacks that will have no qualms about <strong>targeting activities that are core to business functions</strong> (such as industrial networks, payment systems, etc.). In 2021, the stakes in <strong>the tug of war over the payment of ransoms</strong> are likely to be raised – with a determined effort by criminal groups to achieve higher <strong>profile</strong> attacks.<strong> We saw some early signs</strong> this year with the use of <strong>sophisticated procedures</strong>: from an attack being announced via Facebook advertisements, through direct negotiation with patients in healthcare-sector attacks, to the printing of ransom demands via in-store cash registers… There will be a need to anticipate such situations to the maximum extent possible, either by simulating them in crisis exercises or by tailoring specific, well-thought-out responses in advance.</p>
<p style="text-align: justify;">In addition to the many-headed beast of ransomware, our teams out in the field anticipate strong growth in two other threat areas in 2021. First, <strong>indirect attacks, using third-party services</strong>: cybercriminals are heavily focused on circumventing the security arrangements of major players by exploiting vulnerabilities in their less-protected partners or targeting their IT service providers. In addition, <strong>attacks that target cloud-based systems are expected to accelerate and manifest new types of compromise</strong>. Exploiting vulnerabilities in identity and access management (<strong>IAM</strong>), in particular via supplier APIs to compromise ever more critical areas of business, will be one of the hallmarks of incidents in 2021. Today, this area represents a real challenge for IT teams, who are still much too unfamiliar with the fast-developing particularities of these platforms.</p>
<p style="text-align: justify;">Faced with such a range of threats, CISOs will need to be both agile and robust, especially in their mastery <strong>of security fundamentals</strong> (in particular, the Active Directory, the application of patches, and multi-factor authentication) and in solidly demonstrating their <strong>cyber-resilience</strong> capabilities (with ever-more demanding commitments in terms of reconstruction times and the ability of business functions to be resilient without IT capacity).</p>
<p style="text-align: justify;">In parallel, there are several areas that will be central to developments in IT departments, and CISOs can turn them into <strong>opportunities</strong> to improve cybersecurity within their organizations. In particular, we have in mind “Digital Workplace” projects – and the work to optimize available security measures, which will have to be done against the current backdrop of constrained budgets. Previous years’ investments in cybersecurity have often added new functionalities that are little known or used, especially when it comes to the cloud. Looking to these may offer a way to improve cybersecurity at lower cost.</p>
<p style="text-align: justify;">From a regulatory perspective, 2021 will see another increase in issues linked to <strong>cyber borders</strong> or even cyber-protectionism. It will mean considering demanding <strong>isolation and protection requirements</strong>, and also the issue of the interconnection of <strong>new and little-known systems</strong> (for example, Alibaba in China, Yandex in Russia, etc.) with organizational networks.</p>
<p style="text-align: justify;">In terms of technological developments to keep in mind, we have identified three trends: <strong>Zero-trust, <a href="https://www.wavestone.com/en/insight/quantum-computing-cybersecurity-wavestone-francedigitale/">Confidential Computing</a></strong>, and<strong> Quantum Computing.</strong> We discuss these in more detail below and set out the minimum level of monitoring that you should plan for.</p>
<p style="text-align: justify;">Threats are becoming more complex and resources increasingly limited… CISOs will need to demonstrate their agility in 2021, by addressing a range of issues while still maintaining a clear strategic direction: they’ll need to be able to protect their organizations against cyber criminals while supporting, or even developing, new digital uses.</p>
<figure id="post-15058 media-15058" class="align-none" style="text-align: justify;"><img loading="lazy" decoding="async" class="aligncenter wp-image-15058 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Radar_CISO_2021_v1-1.jpg" alt="" width="2048" height="1418" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Radar_CISO_2021_v1-1.jpg 2048w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Radar_CISO_2021_v1-1-276x191.jpg 276w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Radar_CISO_2021_v1-1-56x39.jpg 56w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Radar_CISO_2021_v1-1-768x532.jpg 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Radar_CISO_2021_v1-1-1536x1064.jpg 1536w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/02/Radar_CISO_2021_v1-1-245x170.jpg 245w" sizes="auto, (max-width: 2048px) 100vw, 2048px" /></figure>
<div class="heading-text el-text" style="text-align: justify;">
<h2>Methodology</h2>
</div>
<div class="uncode_text_column">
<p style="text-align: justify;">The <strong>CISO Radar</strong> is a tool that Wavestone has developed and published since 2011. More than <strong>40 experts</strong> meet <strong>three times a year</strong> to discuss news and key topics, based on what they’ve observed while working with Wavestone’s clients. This assessment includes all Wavestone’s offices – from New York to Hong Kong – taking in Paris and several others.</p>
<p style="text-align: justify;">Every year, the Radar presents <strong>a broad selection of the topics that CISOs have to grapple with in their role</strong>. It covers over 100 topics, which are considered and analyzed by our experts.</p>
<div class="row-container" style="text-align: justify;" data-parent="true" data-section="1">
<div class="row limit-width row-parent" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell">
<div class="uncont no-block-padding col-custom-width">
<div class="uncode_text_column">
<p>It’s presented as a series of dials covering <strong>key themes</strong> (identity, protection, detection, risk management, compliance, and continuity) <strong>on three levels:</strong> <strong>Mature, News, </strong>and<strong> Emergent</strong>. The “Mature” level covers topics that every CISO can, and must, master. The “News” level covers topics currently being addressed; these are new areas where initial feedback can be shared. The “Emergent” level covers topics on the horizon that are still little known or that have no obvious solutions. These topics are included to better predict future developments and prepare for their emergence in organizations.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="row-container" data-parent="true" data-section="2">
<div class="row limit-width row-parent" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell">
<div class="uncont no-block-padding col-custom-width" style="text-align: justify;">
<div class="heading-text el-text">
<h2>What are the threads to develop in 2021?</h2>
<h3>Mastery of cybersecurity fundamentals</h3>
<p>Patches not being applied; weaknesses in Active Directories; vulnerabilities in attack channels… In 2020, cybercriminals have regularly reminded us of the importance of mastering cybersecurity fundamentals. Unsurprisingly, we believe these fundamentals will remain key in 2021 – a time when cyber attackers are likely to remain highly opportunistic (<strong>58%</strong> according to an assessment of recent incidents where Wavestone has <a href="https://www.wavestone.com/en/insight/cyberattack-france-situation-on-the-ground/">provided support</a>) and where we continue to see a daily stream of new fixes to critical vulnerabilities.</p>
<p>Now is the time for cybersecurity teams to act on their responsibilities: they can no longer operate in the background in their key areas – such as the management and maintenance of security, which are core to digital trust and other key systems. CISOs will need to be robust and responsive in opening up these areas with production teams. We should note that startups like <a href="https://www.hackuity.io/">Hackuity</a> can bring new impetus and help unlock the complex process of vulnerability management.</p>
<h3>Consolidate work on cyber-resilience</h3>
<p>For several years now, cyber-resilience has been a phrase on everybody’s lips – and rightly so. As we observe, cybercriminals are an increasingly active menace. It’s no longer a question of “Will we be attacked?” but “<em>When</em> will we be attacked?” Against this backdrop, it’s essential to have in place an appropriate strategy and be prepared to respond to an attack – by limiting its impact, in order to restart as securely and quickly as possible. In 2021, the involvement of business functions will remain an issue that continues to occupy security teams as they work to increase efficiency.</p>
<p>Nevertheless, we’re now seeing a new trend in cyber-resilience: CISOs are increasingly being asked to provide concrete evidence of the organization’s capacity to resist and recover from a cyber-attack. Percentage of production capacity preserved in the event of a loss of IT and the resilience of business activities; the precise timescale for rebuilding core confidence; and the restoration of data under time constraints… Both regulators and business leaders are asking for guarantees and defined commitments to provide them with reassurance. In such a context, we should be prepared to push systems to their limits; for example, by conducting realistic reconstruction tests, working in partnership with operational teams.</p>
</div>
</div>
<div class="heading-text el-text" style="text-align: justify;">
<h2>Which areas represent opportunities for cybersecurity?</h2>
</div>
<h3 class="clear" style="text-align: justify;">Continuing pressure to make progress on digital transformation</h3>
<div style="text-align: justify;">
<p>It’s a matter of fact that the public-health crisis has allowed many organizations to take major steps toward creating latest-generation digital workspaces. This situation presents a real opportunity for CISOs, who can capitalize on it by becoming involved in numerous innovative projects and help their organizations move to an in-depth, cloud-based approach.</p>
<p>More than ever, it offers an opportunity for cybersecurity teams to deliver a step change in approach and overcome numerous long-standing challenges: the simplification of remote access, authentication that reduces the use of passwords (Passwordless), enhanced detection of data leaks, expansion of SOCs and cloud-related detection capacities, etc.</p>
<h3>Cyber-effectiveness</h3>
<p>In a period when expenditure is under greater scrutiny than ever, CISOs must continue to rationalize the use of their budgets, while also demonstrating the effectiveness of the interventions they make. Given this, one of the first actions you should consider is the scope to capitalize on investments made in previous years: teams already in place and, for technical solutions or cloud-based services undergoing rapid changes, unlocking functionalities that can be easily activated at no additional cost. A genuinely rich seam to provide better security in the year ahead. In some areas, outsourcing may be an option in the interests of rationalizing costs.</p>
<p>For some business sectors, cybersecurity may become, or may already be, a market differentiator. CISOs, then, have an opportunity to develop their role – by getting closer to the business functions and unlocking cross-functional projects that were previously unworkable.</p>
<h3>Borders in cyberspace</h3>
<p>While the internet is often considered a borderless space, there is an increasing tendency among regulators, and some countries, to want to ringfence data within their borders and prevent it from being hosted elsewhere. This trend is firming in Europe, where we saw the GDPR come into effect in 2018, and, more recently, a ruling that <a href="https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091fr.pdf">the US Privacy Shield is invalid</a>; but also in China and Russia, where new regulations are proliferating, some of which could be classed as examples of “cyber-protectionism.”</p>
<p>As a result, many regulators and authorities are imposing rules that only encrypted data can be stored abroad, the key to which is a closely guarded secret (HYOK). This situation requires rethinking on data flows, the systems that will host them, and especially the need to adapt to local solutions. This presents a real challenge for CISOs; for example, when considering connections between the networks of global organizations that are using French, American, Russian, and Chinese systems… Integrating these systems into an overall cybersecurity approach is a real challenge in the face of their fragmentation and the difficulties in making a concrete assessment of the risks and the quality of the systems to be used.</p>
<div class="heading-text el-text">
<h2>What are the emerging topics for 2021 and beyond?</h2>
<h3>Taking a new, entirely cloud-based approach, with Zero trust</h3>
<p>Promoted by Forrester in the late noughties, use of the <strong>Zero Trust</strong> security model is on the rise. As a reminder, this system is the opposite of the traditional <strong>castle</strong> approach, which aimed to defend the periphery using sizable ramparts (i.e., firewalls), but which is gradually being rendered impotent in the face of new threats.</p>
<p>Digital transformation has had profound impacts on system architecture and interconnections with third parties. As a result, it is no longer enough to protect oneself from the outside only; so much so, that even the concept of “the outside” is no longer that meaningful: nowadays threats can more easily use their target’s ecosystem to penetrate systems and compromise them. Access management, identities, and privileged accounts are central to the <strong>Zero Trust</strong> model – areas pertinent to many of the problems we face today. In 2021, businesses will continue their move toward the cloud. This provides a real opportunity to gradually base architectures and systems on the <strong>Zero-Trust</strong> principle, or, for latecomers, to begin to clear the way for it.</p>
<h3>Get ready for a data-protection revolution with confidential computing</h3>
<p>One of the major challenges for the cloud remains that of trust with the various partners involved, especially when it comes to organizations’ most sensitive data. In response to this problem, concepts like Confidential Computing and Data Privacy by Design have emerged gradually over recent years, in parallel with more concrete solutions.</p>
<p>Among these, <strong>homomorphic encryption</strong> allows computations to be run on data while it remains encrypted, so that the processing party never sees the plaintext, something that greatly reduces the risks of disclosure and data leakage. IBM is one step ahead here, and, in the summer of 2020, shared its open-source library, <a href="https://github.com/shaih/HElib">HElib</a>, on the topic. French startups Cosmian and Zama are also active in the area.</p>
<p>Lastly, <strong>synthetic data</strong> can also offer an original response to the issue. By using algorithms enhanced by artificial intelligence, synthetic data generators, such as the one offered by British startup Hazy make it possible to create data sets that retain the characteristics and logic of the real data without featuring that data in any way. Yet another way to avoid any risk of a data breach in the cloud.</p>
<h3>Anticipate longer-term threats from Quantum computing</h3>
<p>Eight hours: this is the time it will take a sufficiently powerful and reliable quantum computer to undermine the security of our communications by breaking today’s commonly used encryption algorithms. <a href="https://www.wavestone.com/en/insight/informatique-quantique-et-cybersecurite_francedigitale_wavestone/">The global technological race has already begun</a>, and companies and institutions must begin preparing themselves now, because considerable investments will be needed to put in place the required <strong>technical migrations</strong>. Which data must be protected as a priority, because it needs to remain confidential in the years to come? Which clauses should I include in my contracts today, to ensure the systems I purchase are compatible with the new encryption solutions? And which providers can support these migrations?</p>
<p>In France, several players have already taken the initiative; for example, the INRIA-Sorbonne spin-off <strong>CryptoNext-Security</strong> – the winner of several innovation competitions – offers a quantum-safe cryptography solution that has already been tested by the French army for use with an instant-messaging application on mobiles.</p>
<div class="post-content">
<div class="row-container" data-parent="true" data-section="5">
<div class="row limit-width row-parent" data-imgready="true">
<div class="row-inner">
<div class="pos-top pos-center align_left column_parent col-lg-12 single-internal-gutter">
<div class="uncol style-light">
<div class="uncoltable">
<div class="uncell">
<div class="uncont no-block-padding col-custom-width">
<div class="uncode-accordion" data-collapsible="no" data-active-tab="1">
<div id="accordion_308999376" class="panel-group" role="tablist" aria-multiselectable="true">
<div class="panel panel-default">
<div id="anticipate-longer-term-threats-from-quantum-computing" class="panel-collapse collapse in" role="tabpanel" aria-expanded="true">
<div class="panel-body">
<div class="uncode_text_column">
<p>It’s an area that raises many questions, which will all need to be rapidly addressed. One thing is certain though: CISOs will have a major role in these developments and need to anticipate the many related activities that will be required.</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2021/02/ciso-between-post-covid-world-and-persistent-threats-what-are-the-priorities-for-2021/">CISO, between post-COVID world and persistent threats, what are the priorities for 2021?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
<title>Fileless attack: back to the land</title>
		<link>https://www.riskinsight-wavestone.com/en/2018/10/fileless-attack-le-retour-a-la-terre/</link>
		
		<dc:creator><![CDATA[ThomasSghedon1]]></dc:creator>
		<pubDate>Tue, 23 Oct 2018 09:01:53 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Ethical Hacking & Incident Response]]></category>
		<category><![CDATA[Cyberattaque]]></category>
		<category><![CDATA[fileless]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[menace]]></category>
		<category><![CDATA[Threat intelligence]]></category>
		<category><![CDATA[veille]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=11361/</guid>

<description><![CDATA[<p>The IT threat landscape is constantly evolving, and each year is christened with the name of the new trend or innovation that seems to shake up the world of IT security. If 2017 was the year of ransomware, it could be that...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2018/10/fileless-attack-le-retour-a-la-terre/">Fileless attack: back to the land</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
<content:encoded><![CDATA[<p><em>The IT threat landscape is constantly evolving, and each year is christened with the name of the new trend or innovation that seems to shake up the world of IT security. If 2017 was the year of ransomware, 2018 could well be the year of fileless attacks. While the concept behind this mode of attack is not new, its growing popularity among attackers is. Does this mean we will have to rethink the way we approach information system security?</em></p>
<h2>Tu quoque mi programme</h2>
<p>To get a more detailed and precise picture of this threat, let’s start by defining what a <em>fileless attack</em> is. Also called a <em>non-malware attack</em>, a <em>zero-footprint attack</em> or a <em>living-off-the-land attack</em>, the particularity of this type of threat is that it does not require the attacker to install a program on the target machine in order to perform malicious actions. The very principle of the attack is to divert perfectly legitimate tools or programs, already installed on the equipment, to illegitimate ends. So how do attackers go about achieving their goals?</p>
<p>In most cases, to establish a foothold on the target machine, they use classic <em>phishing</em> or <em>spear-phishing</em> techniques. It is important to keep in mind that what characterizes this class of attack is that no malicious program is installed on the target, which does not preclude the use of files at other stages (such as during the <em>phishing</em> itself). Alternatively, brute-force attacks or the use of an <em>exploit</em> allowing remote code execution can also give access to the target machine and enable fileless attacks.</p>
<p>Whatever the technique used, the end goal is, as we have seen, to divert a legitimate program. The main target of this “program-jacking” is PowerShell (Windows Management Instrumentation is also a favorite). This system tool, installed natively on machines running a Windows operating system, has the particularity of being able to execute tasks issued from the command console directly in the device’s memory. In some cases, a simple well-crafted macro in a malicious Word file, the exploitation of a Flash vulnerability or a redirection to a malicious website is enough to invoke PowerShell. Once it is running, it connects to a <em>command &amp; control</em> server and downloads a malicious script, which therefore executes from memory and can carry out a whole range of actions, such as locating data and sending it to the attacker, or mining cryptocurrencies. <em>Fileless attacks</em> exploiting Java vulnerabilities (Java Process) are also known.</p>
<h2>Malware: the great replacement</h2>
<p>And this type of attack must be easy to carry out, judging by the figures. According to <a href="https://www.barkly.com/ponemon-2018-endpoint-security-statistics-trends">this study</a>, for 77% of companies acknowledging an attack that successfully compromised the corporate information system, the technique used was a <em>fileless attack</em>. <a href="https://www.symantec.com/blogs/threat-intelligence/powershell-threats-grow-further-and-operate-plain-sight">Symantec reported last July that, between the first half of 2017 and the first half of 2018, malicious use of PowerShell had increased by 661%</a>. Likewise, Carbon Black announced in its 2017 threat report that 97% of its customers had experienced an attempt of this kind, and that fileless attacks abusing PowerShell or WMI accounted for 52% of all attacks in 2017, overtaking for the first time classic attacks relying on <em>malware</em> installed on the target machine’s disk.</p>
<p>The main reason for the explosion of this class of threat lies in the very way organizations defend themselves. Traditional antivirus products work by statically analyzing the signatures of files on disk in order to identify illegitimate programs, and possibly by running them in sandboxes. Most of these antivirus products rely on an OS feature to be notified of new writes to disk and thereby trigger a scan. No file, no notification; no notification, no scan. Attackers being pragmatic people, they simply decided to bypass this step and thus defeat every defense built on these traditional signature-based antivirus products, even as those products were becoming more and more effective.</p>
<p>Attackers, for their part, are tooling up to carry out these attacks more easily, by systematizing and simplifying the steps needed to get past these antivirus products. Some current attack frameworks, such as Metasploit, facilitate <em>fileless attacks</em> by building ready-made malicious payloads to be loaded directly from PowerShell.</p>
<h2>How do you hunt malware that doesn’t exist?</h2>
<p>Since traditional defense methods are poorly suited to this threat, the approach needs to be rethought. While some threats can be stopped simply by rebooting the machine (shutting it down stops the running programs), attackers have found a workaround: installing a script in the Windows <em>registry</em>, so that the compromise resurfaces at reboot when the script is executed automatically alongside the legitimate system scripts. If the script is short enough, it does not even need to be saved in a file. Some more complex attacks may require their script to be saved to a file, which makes them a hybrid category of <em>fileless attack</em>: a file is indeed needed, but it is still not the <em>malware</em> itself.</p>
<p>For several years, the development of <em>Endpoint Detection and Response</em> solutions has been at the heart of antivirus vendors’ activity. These products are no longer limited to simple file analysis but adopt behavioral analysis techniques. The idea behind this new way of working is to identify program launches that, taken individually, would be legitimate, but whose parallel or sequential execution is suspicious. For example, browsing the web, using a Microsoft Word macro or running PowerShell is legitimate. On the other hand, their concomitant activation may be the result of a successful <em>phishing</em> that led the user to a malicious website, triggering the cascading launch of PowerShell through a vulnerability in the former. The antivirus solution can therefore recognize that this is not a normal operating situation and take the necessary security actions.</p>
<p>Nevertheless, since these solutions are based on heuristics, they are by definition fallible. The balance between exhaustive detection and the number of false positives, which can in turn cause operational incidents, is difficult to strike. Increasingly stable and effective solutions are nonetheless gradually appearing on the market, and they make it possible to fight this growing threat effectively, provided that user endpoints are equipped with them.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2018/10/fileless-attack-le-retour-a-la-terre/">Fileless attack: back to the land</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>FinTech: at the time of the digital revolution how well are the risks understood?</title>
		<link>https://www.riskinsight-wavestone.com/en/2017/06/fintech-risk-undestanding/</link>
		
		<dc:creator><![CDATA[B3noitL4diEu]]></dc:creator>
		<pubDate>Thu, 08 Jun 2017 15:36:21 +0000</pubDate>
				<category><![CDATA[Cyber for Financial Services]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[2020]]></category>
		<category><![CDATA[cyberspace]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[new technologies]]></category>
		<category><![CDATA[threat]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=9846/</guid>

					<description><![CDATA[<p>The FinTech phenomenon is on the rise around the world, and also in France where numerous start-ups are making their presence felt. In June 2015, the association France Fintech was created for the purpose of uniting and promoting the activities...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2017/06/fintech-risk-undestanding/">FinTech: at the time of the digital revolution how well are the risks understood?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>The FinTech phenomenon is on the rise around the world, and also in France where numerous start-ups are making their presence felt. In June 2015, the association <a href="http://www.francefintech.org/">France Fintech </a>was created for the purpose of uniting and promoting the activities of the different players in this sector by putting them in touch with customers, investors, public authorities and the banking ecosystem.</em></p>
<h2>A rapidly growing market</h2>
<p>On the global scale, <strong>investments in the FinTech sector multiplied tenfold between 2010 and 2015 to reach $22 billion</strong>. The amount invested in 2016 is <a href="https://letstalkpayments.com/global-fintech-funding-36-bn-2016/%20">estimated to be $36 billion</a>, with this substantial increase being due to the arrival of <a href="https://www.bbva.com/en/news/economy/computerstudies-sciences-and-development/bbva-increases-fintech-fund-250m/">several major financial players wishing to secure their share in this very promising market</a>.</p>
<figure id="post-9864 media-9864" class="align-none"><img loading="lazy" decoding="async" class="aligncenter wp-image-9864 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/05/Image2-2.png" alt="" width="590" height="337" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/05/Image2-2.png 590w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/05/Image2-2-120x70.png 120w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/05/Image2-2-334x191.png 334w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/05/Image2-2-68x39.png 68w" sizes="auto, (max-width: 590px) 100vw, 590px" /></figure>
<p>In October 2015, <strong>the European Commission also adopted Directive PSD2</strong>, providing a legal framework promoting the use of innovative and disruptive solutions for banking and payment services. This new Directive has helped to change the definition of &#8220;payment institution&#8221; by making it more flexible and enabling new third parties to enter the market for banking services, which represents a real opportunity for the FinTech players.</p>
<p>This Directive has been in force since January 1<sup>st</sup> 2016 in all countries within the European Union and has substantially modified the role of these new entrants into the banking landscape. <strong>These new regulations require the banks to open up to these new entrants by developing APIs</strong> that allow the FinTech players to interact with their banking applications and have access to some customer data. This new context, seen initially as a threat by the traditional financial institutions, has turned into an opportunity for the banks that have speeded up their digitalization process.</p>
<p>In fact, the banking institutions’ digital transformation strategy has embraced this change and the <strong>big banks have not hesitated to create partnerships or acquire FinTech start-ups</strong>: Societe Generale, for example, bought Fiduceo, and BNP joined Station F, Xavier Niel’s project and the biggest start-up campus in the world, located in Paris. The disruption caused in the banking industry by FinTech is due both to the evolution and simplification of services to customers, thanks to an improved user experience and greater flexibility, and to the new technologies that are becoming the medium for these innovative services.</p>
<h2>Smartphones: Pillar of the FinTech companies</h2>
<p>The way that FinTech companies have evolved over the past few years has been driven by two major factors that have been the catalyst for growth in the sector. On the one hand, the financial crisis in 2008: the markets collapsed and the big investment banks went under. Investors no longer trusted the big financial institutions that were losing money, and a certain number of them preferred to turn to the promising digital enterprises in Silicon Valley.</p>
<p>Second factor: 2008 was also the year in which the blockchain was created, and the year when smartphones appeared, following the revolution initiated by Apple in 2007 with the launch of the iPhone. As the solutions offered by the FinTech players were disruptive and based on flexibility and simplicity of use, their growth was further boosted by the widespread availability of smartphones, which have become an everyday necessity. The expansion of the FinTech sector was thus encouraged by the level of maturity attained by smartphones and the applications that they host, which in turn helped them to develop and provide their services directly to users.</p>
<p>The smartphone is also a major vector in the transformation of payment methods, generally agreed to be one of the areas most remodeled by the FinTech revolution. The smartphone is not only the device that provides access to the services, but is also becoming the means of payment with NFC chips, in the same way as a bank card. Applications such as Lydia also make it possible for users to transfer money to their contacts free-of-charge and without having to make the normal bank transfer.</p>
<p>From the very launch of Apple Pay on iPhone, vulnerabilities in the design of the function <a href="http://info.rippleshot.com/blog/apple-pay-and-fraud-what-you-need-to-know">had led to a fraudulent transaction rate of 6% in 2016</a>, as it was possible to use any card, without the CVV number and without any verification of the user&#8217;s identity, to make payments.</p>
<p>However,<strong> the security of FinTech companies cannot simply rely on that of smartphones and it must take into account all the links in the chain</strong>: from the design of the service to the data center where the company hosts its infrastructures.</p>
<h2>Control of technology and security of the devices: major risk factors</h2>
<p>The programming, the infrastructures used and the user&#8217;s device are the key elements that are critical to the reliability, robustness, security and integrity of a financial service. Each of them has inherent weaknesses that must be secured by suitable means, satisfying the relevant regulations and addressing both external and internal risks. The main weaknesses identified for the elements that are essential to the services provided by FinTech companies are as follows:</p>
<h3>1) Devices</h3>
<p>As mentioned above, the majority of financial services offered by FinTech companies are accessible to users through their own devices (PCs, tablets, smartphones, etc.). <strong>The security of the transactions carried out therefore depends to a large extent on the level of security of the device that is used</strong>. In 2016, it became apparent that smartphones were, just like computers, a target for Trojan Horse type malware that attempts to retrieve users&#8217; login information on the home pages of their online banks. This weakness, inherent to the operating system of smartphones, is generally detected too late, once it has already been exploited by the hackers. As for the FinTech companies, the solution they most often use to protect themselves against fraudulent operations following the theft of an ID or password is multi-factor authentication. This method, already widely used by businesses, is now increasingly widespread among private individuals when they log on to a sensitive online application. The second factor is generally a code sent by SMS or generated by a dedicated application, or biometric authentication using the fingerprint sensors embedded in smartphones. However, even two-factor authentication with a code sent by SMS can be ineffective against a determined hacker, who may be able to intercept the SMS if they have managed to compromise the smartphone beforehand.</p>
<p>The manufacturers are therefore working on making their mobile devices secure, and have even made it a priority with regular security updates for the purpose of covering the vulnerabilities that are detected. <strong>Every weakness discovered in the operating system of a device receives widespread media coverage and could have a significant impact on sales in this very competitive market, in which the customer&#8217;s growing awareness of security can influence the final purchase decision</strong>. The most recent smartphones are, therefore, generally considered to be less vulnerable than an aging laptop.</p>
<h3>2) Programming</h3>
<p>The case of the mutualized investor-led capital fund <a href="https://www.nextinpact.com/news/100336-the-dao-pirate-derobe-50-millions-dollars-contre-attaque-se-prepare.htm">The DAO</a>, based on the &#8220;Ethereum&#8221; blockchain, a network that uses a cryptographic currency, is an interesting example of how a programming error can lead to a substantial financial loss. In this case, an error in the code that made it possible to carry out false transactions resulted in the embezzlement of $50 million belonging to the various &#8220;shareholders&#8221; in The DAO.</p>
<p>This risk of hacking using a flaw in the programming is omnipresent for businesses seeking to develop applications and other web services. <strong>It is, however, possible to limit the risks arising from these programming errors by carrying out audits on the source codes and using vulnerability scanners on the applications.</strong></p>
<p>In 2016, the researcher <a href="https://www.nextinpact.com/news/102672-n26-corrige-plusieurs-failles-securite-neo-banques-en-question.htm">Vincent Haupert hacked the mobile application of the German 100% online neo-bank N26</a>, not by compromising the smartphone but by exploiting weaknesses in the application architecture. He was able to take full control and carry out illicit transactions. Following his discovery, the bank launched a &#8220;Bug Bounty&#8221; campaign, an operation designed to reward people who report security breaches. Many companies, like the GAFA but also more modest ones, have already resorted to this type of campaign to detect potential weaknesses in their products.</p>
<p>FinTech companies therefore need to put security at the heart of their preoccupations when developing their services by integrating it in the design stage. All the more so because the financial sector is a prime target for hackers seeking to exploit any weaknesses they can identify in order to misappropriate large sums. As FinTech businesses tend to grow very quickly, the race for growth sometimes receives more attention than product security.</p>
<h3>3) Infrastructures</h3>
<p>But the Cloud is not infallible. For example, on February 28, 2016, thousands of websites and web applications belonging to various large companies all over the world, including Apple, became inaccessible following a failure of the <a href="https://www.lesechos.fr/tech-medias/hightech/0211840294834-une-panne-du-cloud-damazon-a-impacte-une-centaine-de-milliers-de-sites-web-2068800.php"><em>Amazon</em></a> cloud.</p>
<p><em>The choice of IaaS and PaaS Cloud service providers is therefore important for businesses like the FinTech companies that supply sensitive services.</em> The latter are subject to a large number of banking regulations, such as PCI DSS for the protection of account information, or European regulations such as the General Data Protection Regulation (GDPR), which will come into effect in May 2018 and exposes businesses to some very dissuasive financial sanctions (up to 4% of global revenue).</p>
<p>Companies must therefore be certain that the level of security and the related processes put in place by their suppliers comply with the regulations that cover them. At end-2016, in an attempt to help companies outsource their infrastructures, the French data protection agency ANSSI published a standard to be used to certify trustworthy providers of Cloud services with the Franco-German label: European Secure Cloud.</p>
<p>In the more specific context of FinTech companies, ANSSI has also invited itself to the table to contribute its recommendations. ANSSI has become a partner of the FinTech Forum created by the French financial markets regulator (AMF) and prudential and resolution control authority (ACPR). The purpose of this forum is to encourage the emergence of these new financial sector players by assessing the risks and opportunities associated with their development.</p>
<p><strong>National agencies, fully aware of the challenges posed by the transformation of the financial sector, are working towards creating greater transparency in companies regarding their overall ecosystem, and also on cyber security.</strong></p>
<h2>Risks that are indeed difficult to cover for FinTech companies</h2>
<p>So, the cyber risks that are omnipresent for any business are all the more critical for FinTech companies. Viral infections and cryptolockers, attacks on web applications, and Distributed Denial of Service (DDoS) attacks, to mention but the most commonplace, can affect devices just as well as applications and infrastructures, as discussed above.</p>
<p>The fight against these risks, inevitable for a business whose applications are exposed on the Internet, requires specific security skills and incident response plans in order to ensure the integrity and quality of their services. To respond to these challenges, banks have considerable resources, such as teams responsible for the continuous supervision of digital infrastructures, and they invest several tens of millions of euros every year simply to be able to guarantee their cyber security. As things stand, FinTech companies are not always able to put in place comparable financial and human resources. However, their advantage lies in their agility and in the modernity and lack of obsolescence of their infrastructures, making it possible to implement effective security measures more quickly and at a lower cost. Furthermore, the <strong>increasingly close cooperation between the big traditional players and the FinTech companies means that the latter can benefit from the former&#8217;s maturity in terms of security</strong>, with the crux being to strike a balance between security and flexibility, one of the success factors of the FinTech companies.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2017/06/fintech-risk-undestanding/">FinTech: at the time of the digital revolution how well are the risks understood?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What security for cyberspace in 2020?</title>
		<link>https://www.riskinsight-wavestone.com/en/2017/05/security-cyberspace-2020/</link>
		
		<dc:creator><![CDATA[Benjamin Pivot]]></dc:creator>
		<pubDate>Thu, 18 May 2017 16:08:04 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Ethical Hacking & Incident Response]]></category>
		<category><![CDATA[2020]]></category>
		<category><![CDATA[cyberspace]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[new technologies]]></category>
		<category><![CDATA[threat]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=9857/</guid>

					<description><![CDATA[<p>By 2020, the Internet will depend upon an ever-growing universe of connected objects and personal data, and will play an omnipresent role in our daily lives. These new technologies and possibilities are naturally attracting the attention of both regulatory bodies...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2017/05/security-cyberspace-2020/">What security for cyberspace in 2020?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>By 2020, the Internet will depend upon an ever-growing universe of connected objects and personal data, and will play an omnipresent role in our daily lives. These new technologies and possibilities are naturally attracting the attention of both regulatory bodies and cyber criminals alike. Security is a major challenge in view of the new threats expected to accompany the Web 3.0 as it evolves.</em></p>
<h2><strong>Changing Internet technologies and uses</strong></h2>
<p><strong>At the user end</strong>, <a href="http://www.ariase.com/fr/news/usages-internet-monde-reseaux-sociaux-mails-mobiles-objets-connectes-article-4060.html">the uses that have emerged over the last decade will simply become more prevalent</a> and will further expand by 2020. The growth and diversification of social media will make it possible to further accelerate the sharing of personal data with increases in technical efficiencies and the numbers of users. This phenomenon, profoundly generational in nature, might well continue to develop and therefore raise numerous <strong>questions relative to trusting in information and the limits of freedom of expression.</strong></p>
<figure id="post-9853 media-9853" class="align-none"><img loading="lazy" decoding="async" class="aligncenter wp-image-9853 size-medium" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-3-325x191.png" alt="" width="325" height="191" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-3-325x191.png 325w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-3-120x70.png 120w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-3-66x39.png 66w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-3.png 707w" sizes="auto, (max-width: 325px) 100vw, 325px" /></figure>
<p><strong>At the company end</strong>, as part of the ongoing virtualization of the workstation, teleworking is becoming an issue in the strategic roadmaps of many groups who see it as an opportunity to reduce property overheads that generally constitute their second highest budget item. <strong>Cloud Computing is growing </strong>and is leading to the integration of an ever greater share of the information capital of businesses by specialized service providers, especially in the security of infrastructures.</p>
<p>Finally, the IoT and Machine Learning will cause major upheavals to the business models and the positioning of historical players in all fields. <strong>3 new societal needs</strong> will have to be taken into account in order to remain competitive: <strong>mobility, knowledge and trust.</strong></p>
<h2><strong>A regulatory framework yet to be defined</strong></h2>
<p>The recent demonstrations of the power of the GAFA, capable of combining gigantic databases of users with leading edge artificial intelligence methods, are ushering in a new era devoted to the ultra-personalization of services, but also to mass monitoring. In fact, the immense opportunities opened up in the area of marketing through the ultra-personalization of services and mass monitoring hide a more alarming reality: <strong>a regulatory framework that provides less than adequate protection for Internet users confronted with the abusive and discriminatory practices of public and private players alike</strong>.</p>
<p>Given the situation, &#8220;<strong>intelligence acts</strong>&#8221; are emerging in many western countries in an attempt to impose standards on the already widespread practices of these services. Begging the question of the individual freedoms being under threat because of the pretext of the fight against terrorism, these laws are regularly adopted despite the protests voiced by civil society.</p>
<p>After a number of revelations about the activities of the NSA in Europe, the European Union decided, in October 2015, to overturn the Safe Harbor agreement that had until then allowed the United States and Europe to freely exchange data, considering that its partner across the Atlantic was no longer able to guarantee a sufficient or adequate level of data protection. To fill the legal void surrounding the use of personal data, the GDPR is the <strong>new benchmark law for personal data protection in Europe, applicable by the 28 member states as of spring 2018.</strong> The law will actually protect users to the detriment of companies who will at best see their potential usage reduced to a need to seek &#8220;explicit and positive&#8221; consent. Similarly, the European NIS Directive for the security of digital services, will gradually be transposed into national legislation, including in France in connection with the military programming law.</p>
<p>Finally, the recent tussles between the giants of the web and the American administration have proved the government&#8217;s inability to impose the enforcement of the Patriot Act on Apple and Google. This has enabled these players to claim a certain primacy in the respect for individual freedoms and a certain autonomy from political bodies, which had previously been the sole arbitrators in these types of situation. There is a slow but definite shift in the historical balance of power, with state authorities losing out to the major players in the economy, and it is as yet very difficult to say where this will all lead.</p>
<p>Therefore, two factors will have become decisive by 2020, and even after that, in adapting to the technological age: <strong>innovating and surviving beyond the rapid evolution of the rules of competition</strong>. On the one hand, a comprehensive knowledge of the regulatory limits and constraints, and on the other hand, an ability to make the most of the available data without crossing the legally authorized limits. The whole challenge in the future environment based on the Web 3.0 will therefore be to <strong>build and maintain a relationship of mutual trust with both customers and stakeholders, particularly government.</strong></p>
<h2><strong>New threats in cyberspace</strong></h2>
<p>As part of <a href="http://www.cil.cnrs.fr/CIL/IMG/pdf/cybercriminalite_prospective-2020-v1-0_0.pdf">a forward-looking study</a> aiming to establish how cybercrime might evolve by 2020, a committee of experts has announced the <strong>types of recurrent threats to be expected by private enterprise and individuals</strong>. The primary threat to businesses will be attacks on the availability of their systems, such as denial of service, the theft of strategic data for sale to the highest bidder, and attacks on the corporate image (disinformation and denigration campaigns). For individuals, the most important threats to consider are scams and misappropriation, to which must be added attacks on alarm and home automation systems in support of physical intrusions.</p>
<figure id="post-9849 media-9849" class="align-none"><img loading="lazy" decoding="async" class="aligncenter wp-image-9849 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-1.png" alt="" width="1230" height="690" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-1.png 1230w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-1-340x191.png 340w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-1-768x431.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2017/06/Image1-1-71x39.png 71w" sizes="auto, (max-width: 1230px) 100vw, 1230px" /></figure>
<p>Two scenarios will become widespread and will feed into each other to become characteristic of the overall landscape of threats in 2020:</p>
<ul>
<li><strong>The &#8220;attack as a service&#8221; </strong>The rapid and continuous growth of the number of connections to the Web will lead mathematically to the opening up of a very broad area to attack. <strong>Non-targeted attacks, or those based on networks of slave machines </strong>(machines controlled remotely by a hacker and used in large numbers to saturate web services, for example) could be deployed en masse and achieve such a level of firepower that we cannot currently even begin to imagine it. A study conducted by university academics in Israel has estimated that <a href="http://www.numerama.com/politique/205311-un-ado-arrete-par-la-police-aux-usa-pour-avoir-perturbe-le-911.html">6,000 smartphones would be enough to destroy an emergency call system such as 911 in the United States</a>; what then, might not be achieved with a network of millions, or even billions, of objects infected by Botnet malware (malware that allows a hacker to remotely control the infected machines)? These attacks are of low complexity, but massive impact.</li>
<li><strong>Economic warfare</strong> A context of extreme competition between the major economic players in industrialized countries will lead to higher levels of &#8220;geostrategic&#8221; threat. The Internet will become a new battlefield on which will be played out the economic and political interests of nations. The threats will be targeted and will range from acts of sabotage, as was the case with the Stuxnet virus, to industrial espionage. These offensives could reach <strong>high levels of complexity and will be implemented by teams of professionals with the benefit of various forms of protection and extensive, or even unlimited, financial and operational resources.</strong></li>
</ul>
<p><em>With Cloud Computing and connected objects becoming more widespread, the digital uses currently emerging will be commonplace by 2020. New threats are expected to accompany this evolution, less targeted at businesses and individuals and more at governments. The legislative framework, subject to major change, is currently designed as much to protect Internet users as to support businesses, and where the balance of power will end up is anybody&#8217;s guess.</em></p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2017/05/security-cyberspace-2020/">What security for cyberspace in 2020?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Olympics 2016: who will win the gold medal among the cybercriminals?</title>
		<link>https://www.riskinsight-wavestone.com/en/2016/08/jo2016-medaille-dor-cybercriminels/</link>
		
		<dc:creator><![CDATA[Gérôme Billois]]></dc:creator>
		<pubDate>Thu, 04 Aug 2016 13:55:15 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Ethical Hacking & Incident Response]]></category>
		<category><![CDATA[bonnes pratiques]]></category>
		<category><![CDATA[Cybercriminalité]]></category>
		<category><![CDATA[menace]]></category>
		<category><![CDATA[sensibilisation]]></category>
		<category><![CDATA[Threat intelligence]]></category>
		<guid isPermaLink="false">https://www.solucominsight.fr/?p=9143</guid>

					<description><![CDATA[<p>The Olympics are approaching, and so are the associated cyber risks; feel free to share this awareness article, written in a deliberately playful tone. It is not only the athletes preparing for the international sporting event of the year; the cybercriminals are too. Every discipline...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2016/08/jo2016-medaille-dor-cybercriminels/">Olympics 2016: who will win the gold medal among the cybercriminals?</a> first appeared on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>The Olympics are approaching, and so are the associated cyber risks; feel free to share this awareness article, written in a deliberately playful tone.</em></p>
<p>Athletes are not the only ones preparing for the year's big international sporting event: cybercriminals are too. Every specialty is well represented and will be fighting for the gold medal in the most effective method of theft and fraud. Here is an overview of the teams in contention and their strategies.</p>
<h1>Team Phishing and its fake-email throw</h1>
<p>A regular at major events, <strong>Team Phishing floods inboxes with fake messages asking you to hand over sensitive data</strong> such as your credentials or bank details. Their best technique during the Olympics: offering you lotteries to win free tickets or access to TV broadcasts! The best way to resist them? Be wary of messages that are too tempting, too urgent, or that contain typos or grammatical errors. A good reflex: never reach a site by clicking a link in an email; type the address directly into your browser instead.</p>
<h1>The cybersquatters and their almost undetectable sleight of hand</h1>
<p>The cybersquatters have been sharpening their methods for several months: they have created nearly <strong>4000 fake websites</strong> whose addresses <a href="http://www.computerworld.com/article/3103289/security/cybercrime-infrastructure-being-ramped-up-in-brazil-ahead-of-olympics.html">look strangely similar to those of the official sites</a> but lead you straight into their traps! What could look more alike than www.rio-olympics.com and www.rio-olympisc.com? So stay alert to the sites you visit and make sure there is no error in their names. That way you will avoid landing on dangerous sites that could force you to download malware or ask for your personal data.</p>
<h1>Team Ransomware and its digital armlock</h1>
<p>This team has a very effective way of extracting money from you: it locks your computer and/or your mobile phone and demands a ransom! A true digital armlock worthy of a wrestler or a judoka. <strong>Team Ransomware plays as a team, often allying with Team Phishing and the Cybersquatters</strong>, who open the way with fake emails or fake sites that then ask you to install additional software... That is when Team Ransomware springs into action and <a href="http://www.businessrevieweurope.eu/technology/960/Phishing-ransomware-and-fake-tickets:-how-to-avoid-Rio-2016-cyber-crime">deploys its tools, which will lock your computer</a>. To avoid being trapped, stay very alert and, above all, do not install tempting applications that promise free access to TV streams or exclusive content. Use the official app stores, which offer a very wide and legal selection.</p>
<h1>The local cybercriminals and their fake Wi-Fi access points</h1>
<p>A home team is always stronger, as everyone knows! And we should expect Brazilian cybercriminals, present on site, to try to <strong>hijack the Wi-Fi hotspots made available to visitors in public places</strong> in order to intercept their traffic and steal data. The best reflex is to buy a <a href="http://prepaid-data-sim-card.wikia.com/wiki/Brazil">local SIM card</a> to use your phone and access the Internet. For the more tech-savvy, a VPN will also provide a good level of protection; there are <a href="http://www.opera.com/blogs/news/2016/05/vpn-app-for-ios-free-surfeasy/">many apps, such as Opera's</a>. And if you really must use Wi-Fi, stay alert to any error message about security. When you browse websites and such messages appear, it is a sign that the access point may be compromised: disconnect immediately.</p>
<h1>Team APT and its formidable precision</h1>
<p>This team does not target the general public; it seeks to win the race by <strong>breaking into the systems of the Olympic organisation</strong>. There it can steal the data of athletes and spectators directly, but also go as far as altering results, interrupting competitions or preventing their broadcast! The <strong>IOC has been mobilised against these threats</strong> for many years and operates a dedicated cybersecurity programme. The lessons of the London Olympics clearly show the <a href="http://www.computing.co.uk/ctg/news/2252841/how-the-london-olympics-dealt-with-six-major-cyber-attacks">reality of this threat, with more than 165 million cybersecurity-related events</a> that led to 6 major attacks. Rio should face even greater pressure given the evolution of cybercrime over the past 4 years.</p>
<h1>A good reflex: if it is too good to be true, it is almost certainly a trap</h1>
<p>Do not fall into the cybercriminals' traps; be <strong>alert</strong> when you browse and read your emails. And do not forget to <strong>back up your data</strong>, to <strong>update your computer and your phone</strong> by applying the <strong>security patches offered</strong>, and to make sure you have an <strong>up-to-date antivirus</strong>.</p>
<p>That is the training you need to follow to enjoy a cyber-secure Olympic Games!</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2016/08/jo2016-medaille-dor-cybercriminels/">Olympics 2016: who will take the gold medal among cybercriminals?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cybersecurity: is professionalisation the priority for 2016?</title>
		<link>https://www.riskinsight-wavestone.com/en/2015/12/cybersecurite-priorite-a-la-professionnalisation-en-2016/</link>
		
		<dc:creator><![CDATA[Gérôme Billois]]></dc:creator>
		<pubDate>Tue, 22 Dec 2015 10:40:27 +0000</pubDate>
				<category><![CDATA[Cyberrisk Management & Strategy]]></category>
		<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[menace]]></category>
		<category><![CDATA[priorité]]></category>
		<category><![CDATA[Règlementation]]></category>
		<category><![CDATA[Risk management]]></category>
		<guid isPermaLink="false">http://www.solucominsight.fr/?p=8636</guid>

					<description><![CDATA[<p>2015 will certainly be seen in hindsight as a pivotal year. Indeed, major cybersecurity programmes emerged this year. Backed by substantial budgets, they show that cyber risk is now recognised at the highest level...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2015/12/cybersecurite-priorite-a-la-professionnalisation-en-2016/">Cybersecurity: is professionalisation the priority for 2016?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>2015 will certainly be seen in hindsight as a pivotal year. Indeed, major cybersecurity programmes emerged this year. Backed by substantial budgets, they show that cyber risk is now recognised at the highest level of companies.</p>
<p>But beyond this succession of developments, the situation above all raises challenges in terms of organisation and skills management, which will have to be at the heart of action in 2016.</p>
<h2>2015: a pivotal year</h2>
<p>The "threats / regulations / products" triptych produced an overflow of news in 2015.</p>
<p>Highly publicised incidents (Sony Pictures, <a href="https://www.solucominsight.fr/2015/05/tv5monde-une-cyberattaque-de-grande-ampleur-mediatique/">TV5 Monde</a>, Ashley Madison, VTech...) were regular reminders of the vulnerabilities of systems and of how attractive companies' intangible data is to cybercriminals and states. This media coverage, sometimes exaggerated, at least has the merit of drawing attention to cybersecurity at the highest level of companies, and more broadly across the whole population.</p>
<p>Regulations have tightened drastically (the French Military Programming Law (Loi de Programmation Militaire), the <a href="https://www.solucominsight.fr/2016/03/8822/">European regulation on personal data</a>...) and will require large-scale investment. 2016 will be the year in which these new requirements must be absorbed and the implementation projects scoped, with the first deadlines falling as early as 2017.</p>
<p>Vendors have not lacked imagination in inventing new product categories and new concepts. After "anti-APT", the keywords "<em>machine learning</em>", "<em>Self Defined Security</em>", "<em>Cloud Access Security Broker</em> &#8211; CASB" and many others promise to secure data in a context of permanent change, where the boundaries of the information system no longer exist and where the <em>Cloud</em> has become a reality. Many startups are emerging in these areas, and incubators/accelerators are specialising in them (Euratechnologies, Cylon...). We will therefore not be short of innovative solutions.</p>
<p>Circles and associations interested in cybersecurity are also growing rapidly, and "cybersecurity" committees are being relaunched or created in circles of influence that previously had none (Syntec, Cigref, Medef...).</p>
<h2>Skills and governance: the keys to successful large cybersecurity programmes</h2>
<p>But beyond this succession of events to take into account, the current situation raises new challenges in terms of professionalisation and skills management, which will have to be at the heart of action in 2016.</p>
<p>In particular, feedback from the roll-out of the large programmes highlights two limitations.</p>
<p>The first is the difficulty of obtaining the skills needed to carry out these programmes. Whether within companies or among consulting and integration providers, there are not enough qualified profiles today. Major retraining and recruitment efforts are under way (for example, at Solucom we recruited more than 90 people in cybersecurity this year). But these will only bear full fruit in a few years' time.</p>
<p>The second is the difficulty of bringing these large-scale programmes to completion. On one side, the historical cybersecurity players are not used to managing so many projects (sometimes close to a hundred) and such budgets (several tens of millions of euros) within such short timeframes. On the other side, these projects cut across the whole company, and in particular the teams in charge of the information system. The latter, who are rather in a cost-reduction phase, have little understanding of the resources committed to cybersecurity, or even lack the capacity to carry out the actions requested. All the more so as these are often "fundamental" actions, such as mapping the information system or managing changes and incidents quickly and effectively, subjects that are already complex and have been neglected for years. Not to mention that the information system is increasingly diffuse, in particular through the <em>Cloud</em>, and it is as hard as ever to know where the data is and where it is going, even though it constitutes &#8211; even more today than yesterday &#8211; a large part of the company's assets.</p>
<p>This observation calls for strengthening the cybersecurity function, in particular by adding resources that are not necessarily security experts but are able to lead large programmes.</p>
<h2>One priority: reinventing the "cybersecurity" function</h2>
<p>2016 will very likely be a year punctuated by incidents, regulatory scoping, large security programmes and trials of innovative products. But 2016 should also be the year in which the "cybersecurity" function reaps the rewards of this awareness and reinvents itself by taking on these challenges.</p>
<p>As is often the case in our sector, banks are leading the way. This year they launched several projects to reorganise their cybersecurity function and adapt it to the new challenges. This movement must spread to the other sectors and lead to a balanced organisation, spread both inside and outside the IT department. This new organisation will have to be able to lead large programmes and take on business challenges, while developing its expertise and ensuring, day to day, that the information system is kept in a secure state.</p>
<p>What previously seemed impossible is less and less so, now that the support of executive management is clear. But executives expect visible and rapid results.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2015/12/cybersecurite-priorite-a-la-professionnalisation-en-2016/">Cybersecurity: is professionalisation the priority for 2016?</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>A new year for a new security strategy: priority on detection and reaction</title>
		<link>https://www.riskinsight-wavestone.com/en/2013/01/une-nouvelle-annee-pour-une-nouvelle-strategie-securite-priorite-a-la-detection-et-la-reaction/</link>
		
		<dc:creator><![CDATA[Gérôme Billois]]></dc:creator>
		<pubDate>Wed, 23 Jan 2013 19:52:47 +0000</pubDate>
				<category><![CDATA[Cybersecurity & Digital Trust]]></category>
		<category><![CDATA[Ethical Hacking & Incident Response]]></category>
		<category><![CDATA[Cyberattaque]]></category>
		<category><![CDATA[Cybercriminalité]]></category>
		<category><![CDATA[failles]]></category>
		<category><![CDATA[incident response CERT-W]]></category>
		<category><![CDATA[menace]]></category>
		<category><![CDATA[stratégie]]></category>
		<guid isPermaLink="false">http://www.solucominsight.fr/?p=2980</guid>

					<description><![CDATA[<p>2012 was marked by a great many attacks on information systems. Examples abound: Saudi Aramco, Gauss and Red October, to name only the most widely reported. These attacks highlighted the limits of...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2013/01/une-nouvelle-annee-pour-une-nouvelle-strategie-securite-priorite-a-la-detection-et-la-reaction/">A new year for a new security strategy: priority on detection and reaction</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>2012 was marked by a great many attacks on information systems. Examples abound: Saudi Aramco, Gauss and Red October, to name only the most widely reported. These attacks highlighted the limits of the security strategy in place in most companies: an almost exclusive focus on protection.</p>
<h2>A security model reaching its limits</h2>
<p>Protecting information with conventional means (firewalls, antivirus, patches, access control...) has many limits; attackers know them and, above all, know how to bypass them effectively. Social engineering attacks give access to legitimate users' credentials despite numerous corporate awareness sessions, "zero-day" vulnerabilities allow even fully patched systems to be attacked, and encapsulation or traffic encryption allow firewalls to be crossed undisturbed.</p>
<p>Should we therefore give up and retreat in the face of threats? No, certainly not! It is a matter of redirecting efforts, accepting risks, and acquiring the means to limit the impact of attacks. Detecting attacks and identifying appropriate reactions should therefore be the priorities for 2013.</p>
<h2>Detect and react: the priorities for 2013</h2>
<p>This change of direction requires many changes, both technical and organisational. Thought must be given to putting in place new means, internal or external, to observe the information system better and derive relevant alerts from it. We are obviously thinking of conventional log-monitoring solutions, but not only! New solutions specialising in statistical analysis provide views for detecting the famous reliable signals of attacks. Other products detect strange behaviour in data flows by simulating the opening of attachments or files. Even if it may seem excessive, some organisations deployed these solutions in 2012 and are now seeing concrete benefits.</p>
<p>And since a tool solves nothing on its own, some processes will also need to be revised, in particular for monitoring the information system and for crisis management. Creating or strengthening a dedicated unit in charge of these issues, the famous CERT or SOC, may be one solution. This unit will be able to steer crises, make the right decisions to limit impacts and prevent propagation.</p>
<p>Various crisis scenarios should be considered depending on the business and its exposure: denial-of-service attacks, information theft, website defacement, theft of sensitive data, but also, and perhaps above all, compromise of the information system... They will have to be tested by operational teams but also by the business lines and executive management, essential players in the event of a cybercriminal attack.</p>
<p>Of course, there is no question of abandoning all protective measures. Very often they will delay the success of an attack, and on certain highly protected perimeters, against intermediate-level attackers, they will even block it. But today, relying solely on protection is illusory: it is essential to review one's security strategy and, in 2013, to focus on detection and reaction!</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2013/01/une-nouvelle-annee-pour-une-nouvelle-strategie-securite-priorite-a-la-detection-et-la-reaction/">A new year for a new security strategy: priority on detection and reaction</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
