Infosecurity Europe 2019, held in the Olympia, London, is a leading event in the cyber security calendar bringing business, tech and communities together. Uleska CEO and founder Gary Robinson was a speaker at the event, addressing two prevalent cyber issues, whilst Uleska exhibited to a plethora of cyber practitioners. Here are just some of the key trends Uleska noticed throughout the event.

Automation and orchestration continues to be a trend driving the wider cyber security industry. On the security operations side, Security Orchestration, Automation, and Response (SOAR) is gaining a firm foothold in organisations’ mindsets.

On the software security side, Application Security Testing and Orchestration (ASTO) is a few years behind SOAR, yet the success of SOAR is helping organisations see the value of ASTO.

Numerous visitors to the Uleska booth were attracted by an independent (i.e. non-tool-vendor) view of the coverage that combinations of technical tooling provide against the security standards and regulations they need to meet.

Many security tool vendors have marketing departments which promise to cover every technical issue, yet the industry realises this is not the case. While organisations accept that no one tool will fix everything, they are finding it hard to get independent advice on what tool coverage they do need.

Chief Risk Officers (CROs) have to deal with a lot of data. Cyber security has fought for years to get onto both the board and risk agendas and is now a firmly placed issue that must be addressed.

However, CROs have many aspects to consider, from finance, human resources and natural disasters to geopolitics, with cyber security being one more issue to be addressed on that list.

Yet within each aspect there are many subplots; for cyber these include ransomware, viruses, network security, infrastructure security, application security, and more.

This means that each element the CRO has to manage, measure, and report on has to be succinct, the best case being a single number or statistic that shows the current state, the impact, and whether things are getting better or worse.

Application security has historically been awful at this, throwing thousands of technical issues and high/medium/lows to describe the current state, which is simply not consumable for a CRO.

Cyber value-at-risk, culminating in a single monetary risk number that changes with the real risk in the software estate, provides such a measure that CROs can work with.

Many organisations are interested in maturing to a ‘standards-based approach’ to security testing, instead of a ‘tools-based approach’.

This means they look at the standards and regulations they need to adhere to and ask, “Which tools and processes can be combined to provide as much coverage of these as possible?”

This is a much more comprehensive approach than previous doctrine which started with using one or two tools or processes, allowing them to find issues towards the end of a project, fixing those issues, and then assuming all standards and regulations were covered.

This was done without any analysis of how those tools and processes were aligned to the standards and regulations, which has led to blind spots in their technical programmes and, in turn, to breaches.

Uleska recently exhibited at CyberUK 2019 in Glasgow’s Scottish Event Campus. The event highlighted the progress that needs to be taken within cyber security and showcased innovative solutions currently on the market. Here are Uleska’s top five takeaways from the event.

CyberUK is the UK government’s flagship cyber security event. Hosted by the National Cyber Security Centre (NCSC), it features world-class speakers, solutions and opportunities for interaction between the public and private sectors.

The conference showcased evolving cyber threats that face the UK and how we must respond as individuals and organisations to keep cyber security one step ahead of malicious hackers.

Here are our top five security trends.

1) Many companies are in need of faster and more frequent software security checks and assurance.

In today’s software-driven climate, major companies are releasing software updates thousands of times a day. Amazon, for example, was doing a production deployment every 11.6 seconds in 2013.

Current testing to determine the weaknesses within an application can take months, and with software releases being pushed so frequently the traditional processes simply cannot guarantee software security.

This lack of speed and frequency can lead to release and security management practices being ignored. Akin to building skyscrapers from the same materials we used to build huts, if this continues we can expect software to continue to randomly, and catastrophically, fail.

The need for faster and more frequent security testing has also been linked to the skills gap within cyber.

Gillian Arnott, International Communications and Marketing Manager, and Nick Chaffey, Chief Executive UK and Europe for Northrop Grumman, asked how we are going to meet the government target of filling 1.2m new technical roles.

By engaging, educating and enthusing a new generation of cyber security practitioners, they are confident of capturing new talent to push for innovative ways to test faster and more frequently.

2) Automation and orchestration of software security is moving from industry advisories, such as Gartner and Forrester, into everyday practice by industry.

Input from both Gartner and Forrester on the importance of automation and orchestration within security testing has gone from advice to everyday practice.

Last year, for example, Gartner advised that by 2020 15 per cent of organisations with five or more IT security professionals will be using automation and orchestration tools to security test.

This advice has already started to work its way into best practices and many are taking the ASTO approach to security testing.

Speaking at CyberUK, Colin Slater, Cyber Security Partner at PwC, confirmed that these everyday practices are coming to fruition. He spoke about automation and orchestration services letting organisations hunt the threats they need to focus on, not just the alerts.

3) Consulting organisations servicing the public sector are being asked to innovate around their services, due to pressures on time, scope, and pricing.

The public sector faces a multitude of pressures, not least the financial challenge of shrinking budgets and increased expectations of service users.

Due to the speed of software development, the increasing scope of vulnerabilities and the expense of traditional security testing, security companies serving the public sector are having to change the way they approach security testing and operations.

4) Regulatory concerns, in terms of breach fines, continue to be the largest driving factor in the procurement of cyber security services. However, with more and more public sector initiatives involving software, the scale of this challenge is growing fast.

If a data breach doesn’t kill your business, the fine might.

Breaches and the associated fines have a massive negative impact on a company’s customer base, particularly if the breach involved sensitive data.

This fine-driven fear has prompted numerous organisations to obtain cyber security resources. However, these organisations are now starting to see the scale of security that is needed due to the vast number of initiatives involving software.

5) The NCSC advisories on Cloud First and the 14 principles of Cloud Security are proving to be strong advisories, allowing public sector departments to involve these advisories in their procurement and evaluation discussions.

Everyone wants to know that their information is safe and secure and businesses have legal obligations to keep client data secure.

Two of the NCSC’s most senior researchers into cloud usage outlined some of the biggest threats that come with using the cloud. Their talk outlined some of the 14 principles in greater detail and presented the latest thoughts on IaaS vs. “serverless” technologies.

NCSC’s 14 principles include the likes of a Governance framework, identity and authentication and secure development.

This advisory list details the context for the 14 Cloud Security Principles, including their goals and technical implementation, which means that any level of personnel in an organisation can understand the framework that needs to be in place for safer cloud security.

Uleska has accepted a place on the London Office for Rapid Cybersecurity Advancement (LORCA) programme for 2019, an incredible opportunity in the life of the Belfast-based cyber security company.

The team at Uleska is proud to announce the company’s involvement and acceptance within the LORCA workspace.

This opportunity will allow Uleska to bring cyber solutions to market at greater pace and scale, and to collaborate with some of the largest software and IT companies within the UK.

The involvement will allow Uleska to work with enterprises to ensure its solutions meet the industry’s biggest challenges. It will also allow Uleska to build its international cybersecurity profile by engaging with worldwide enterprises and participating in targeted trade missions to the US.

LORCA is a joint collaboration between Plexal, CSIT and Deloitte, funded by the Department for Digital, Culture, Media & Sport as part of the National Cyber Security Strategy.

LORCA is convening organisations small and large; investors, academics, sister programmes and the international community, to maximise the commercial potential of great cyber solutions, minimise the barriers to scale and increase speed to market.

By 2021, LORCA will have stimulated the growth of the UK’s high-potential cyber security companies, encouraged the growth of up to 2,000 jobs, and secured £40m in investment.

Gary Robinson, Founder and CEO of Uleska, said, “This is a fantastic opportunity for the Uleska team to expand our product intelligence through working and networking with expert cyber security practitioners and listening to the challenges of enterprises.”

He continued, “LORCA’s goals and ambitions of Secure by Design, Securing the Basics, and Beyond, were developed in collaboration with industry and fit perfectly with Uleska’s offering that allows organisations to handle more security assurance with less personnel, measure and prioritise their software security every day, and communicate their security strategy easily.

“As such, LORCA’s attitude towards cyber security fits perfectly into those of Uleska and we are extremely excited by the collaboration.”

If you wish to speak to the Uleska team about our recent acceptance on to the LORCA programme, please contact info@uleska.com.

For further information regarding LORCA, please visit www.lorca.co.uk.

Security researchers have found over 9,000 Cisco routers that are vulnerable to two serious bugs that Cisco released patches for this month. 

Businesses are being urged to install Cisco’s updates detailed in its January 23 security advisories because of publicly available exploit code that could give attackers an easy route to rummaging through an organization’s network.

The two flaws affect the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers. Admins use it to configure router settings. 

The information disclosure flaw, CVE-2019-1653, allows an unauthenticated remote attacker to obtain configuration files from the device, revealing sensitive configuration information as well as the administrator’s hashed password. 

The other flaw, a remote command execution bug tracked as CVE-2019-165, allows an attacker to remotely execute commands on the device if the attacker has gained valid credentials.

The pair of bugs were reported by German pen-testing outfit RedTeam Pentesting GmbH, which described the risks to organisations. 

“By downloading the configuration, attackers can obtain internal network configuration, VPN or IPsec secrets, as well as password hashes for the router’s user accounts,” explained RedTeam Pentesting.

“Knowledge of a user’s password hash is sufficient to log into the router’s web interface. Any information obtained through exploitation of this vulnerability can be used to facilitate further compromise of the device itself or attached networks.” 

Things became more dangerous for those using affected Cisco routers after Darren Martyn, a researcher at UK security firm Xiphos Research, who uses the handle 0x27, published exploit code for the bugs two days after Cisco’s advisory. While the disclosure should give cause for users to patch affected devices, it could help attackers breach organizations that haven’t installed the update.

The Japanese government has announced that beginning next month it will actively try to hack into its citizens’ internet-connected devices in their homes, reports NHK. Starting in February, the country’s National Institute of Information and Communications Technology will use default passwords and password dictionaries and randomly try to infiltrate 200 million devices in homes across Japan, starting with routers and webcams, before moving on to other smart home “internet of things” devices.

Owners of devices that are successfully breached will be informed they were hacked and urged to change their passwords to something more secure. The hacking program is an initiative aimed at increasing cybersecurity in Japan before the 2020 Olympics and Paralympics in Tokyo next year. In a recent survey, the National Institute of Information and Communications Technology found that 54% of cyberattacks it detected in 2017 were aimed at IoT devices in Japanese homes.

However, the hacking initiative has come under criticism. Researchers have said the National Institute of Information and Communications Technology could gain access to people’s webcam images and other data during the hacks, violating a citizen’s right to privacy. It’s also unclear whether the National Institute of Information and Communications Technology will retain any such data and for how long, or how they would protect it to make sure any data gleaned from the test doesn’t fall into the hands of actual hackers.

This month’s round-up from the world of cyber security features news that University Hospitals of Morecambe Bay NHS Trust has been hit by more than 140 cyber attacks in the last five years. Elsewhere, a number of digital health firms have received Cyber Essentials Plus certification.

FOI reveals impact of cyber attacks on University Hospitals of Morecambe Bay NHS Trust

University Hospitals of Morecambe Bay NHS Trust was hit by more than 140 cyber attacks in the last five years.

A Freedom of Information (FOI) request by BBC News revealed that the trust spent £29,600 in 2017 dealing with such attacks.

A total of 147 attacks were directed at the trust, although it told the BBC that the “vast majority” were “untargeted and unsuccessful.”

Populo Consulting secures Cyber Essentials Plus certification

Digital health consultancy firm Populo has secured Cyber Essentials Plus certification.

Cyber Essentials Plus is a scheme developed by the National Cyber Security Centre, which builds on the government-backed Cyber Essentials programme.

The essentials programme allows organisations to self-certify they have taken basic steps to secure their internet connection, devices and data from cyber-attack.

Cyber Essentials Plus goes further and requires testing and verification by independent auditors from an accredited organisation, in this case Xyone Cyber Security.

Jonah Aburrow-Jones, managing director of Populo, said: “Cyber Essentials Plus is like a security MOT and it demonstrates our commitment to putting standards and adherence to standards at the heart of what we do.

“We understand the expectations that are being placed on health and care organisations to keep critical systems and sensitive data safe and secure.

“Now, they can be assured that their values will be reflected in our work, because we take cyber security as seriously as they do.”

Government launches plans to make UK ‘world leader in cyber security’

The UK’s Business Secretary has announced measures for the UK to become a world leader in the race against some of the most damaging cyber security threats.

Greg Clark confirmed a £70 million government investment would go towards research into the design and development of more secure and resilient hardware.

The investment comes from the government’s Industrial Strategy Challenge Fund as well as other industry investors.

Clark said: “This could be a real step-change in computer and online security, better protecting businesses, services and consumers from cyber-attacks resulting in benefits for consumers and the economy.

“This is our modern Industrial Strategy in action. Building on the UK’s heritage and strengths in computing and cyber security alongside the government and industry investing together to ensure the UK capitalises on its position to become a leader in the growing markets and technologies of tomorrow.”

Healthcare Computing awarded Cyber Essentials Plus certification

Healthcare Computing has announced it has also been awarded a Cyber Essentials Plus accreditation.

The accreditation requires an independent third-party audit and involved a more rigorous check of HC’s IT services.

Being awarded the certification shows the NHS IT Infrastructure and Support provider is able to protect its IT systems against common cyber threats, proves to customers its data security ethics, and enables HC to bid for future Government contracts.

Alistair Samways, CIO at Healthcare Computing, said: “Cyber Essentials Plus assures our partners and customers that we take cyber security very seriously. This certification demonstrates that we are fully compliant when it comes to cyber security and we are always looking for ways to improve how we manage cyber security threats. For those we work with, this certification provides additional peace of mind”.

New UK government fund launched to help drive diversity in cyber security

The UK government has launched four new projects across England to encourage more women, BAME, and neurodiverse candidates into a career in cyber security.

Each project will benefit from a total investment of at least £500,000 as part of the next round of the Cyber Skills Immediate Impact Fund (CSIIF).

The aim is to boost not only the total number, but the diversity of those working in the UK’s cyber security industry.

Digital Minister, Margot James, said: “Our cyber security industry is thriving but to support this growing success we need a skilled and diverse workforce to match.

“These latest projects show that whatever your background, ethnicity or sex, there are opportunities to join the cyber security profession.

“We want to demonstrate that you can have a dynamic and exciting career in a sector that sits at the heart of our economy and is a key part of our modern Industrial Strategy.”

WHEN HACKERS BREACHED companies like Dropbox and LinkedIn in recent years—stealing 71 and 117 million passwords, respectively—they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords, and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year’s phone book.

Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a set of cobbled-together breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch.

“This is the biggest collection of breaches we’ve ever seen,” says Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, who pulled Collections #1–5 in recent days from torrented files. He says the collection has already circulated widely among the hacker underground: He could see that the tracker file he downloaded was being “seeded” by more than 130 people who possessed the data dump, and that it had already been downloaded more than 1,000 times. “It’s an unprecedented amount of information and credentials that will eventually get out into the public domain,” Rouland says.

Size Over Substance

Despite its unthinkable size, which was first reported by the German news site Heise.de, most of the stolen data appears to come from previous thefts, like the breaches of Yahoo, LinkedIn, and Dropbox. WIRED examined a sample of the data and confirmed that the credentials are indeed valid, but mostly represent passwords from years-old leaks.

But the leak is still significant for its quantity of privacy violation, if not its quality. WIRED asked Rouland to search for more than a dozen people’s email addresses; all but a couple turned up at least one password they had used for an online service that had been hacked in recent years.


As another measure of the data’s importance, Hasso Plattner Institute’s researchers found that 750 million of the credentials weren’t previously included in their database of leaked usernames and passwords, Info Leak Checker, and that 611 million of the credentials in Collections #2–5 weren’t included in the Collection #1 data. Hasso Plattner Institute researcher David Jaeger suggests that some parts of the collection may come from the automated hacking of smaller, obscure websites to steal their password databases, which means that a significant fraction of the passwords are being leaked for the first time.

The sheer size of the collection also means it could offer a powerful tool for unskilled hackers to simply try previously leaked usernames and passwords on any public internet site in the hopes that people have reused passwords—a technique known as credential stuffing. “For the internet as a whole, this is still very impactful,” Rouland says.

Rouland notes that he’s in the process of reaching out to affected companies, and will also share the data with any chief information security officer that contacts him seeking to protect staff or users.

You can check for your own username in the breach using Hasso Plattner Institute’s tool here, and should change the passwords for any breached sites it flags for which you haven’t already. As always, don’t reuse passwords, and use a password manager. (Troy Hunt’s service HaveIBeenPwned offers another helpful check of whether your passwords have been compromised, though as of this writing it doesn’t yet include Collections #2-5.)
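As an added example (not part of the original article), here is a small Python model of the kind of breached-password check the paragraph describes: the client hashes the candidate password, sends only a five-hex-character SHA-1 prefix, and does the matching locally on the suffix list the server returns, so the password itself never leaves the client. The range-query scheme mirrors the one HaveIBeenPwned’s Pwned Passwords API uses; the leaked corpus, its counts, the function names and the rejection threshold are constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a leaked-credential corpus: password -> times seen.
# A real check runs against hundreds of millions of entries; these counts are made up.
LEAKED_CORPUS: Dict[str, int] = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "letmein": 236_305,
    "Summer2019!": 42,
}

PREFIX_LEN = 5  # hex characters revealed to the server (the k-anonymity bucket)


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key used by range-query services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server side: bucket every hash by its first PREFIX_LEN hex characters.

    Only (suffix, count) pairs are stored per bucket, so once the index is built
    the server no longer needs any plaintext.
    """
    index: Dict[str, List[Tuple[str, int]]] = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:PREFIX_LEN], []).append((digest[PREFIX_LEN:], count))
    return index


def range_query(index: Dict[str, List[Tuple[str, int]]], prefix: str) -> List[Tuple[str, int]]:
    """Server side: answer a prefix query with every suffix in that bucket.

    The server learns only the 5-character prefix, which on a real corpus maps to
    hundreds of candidate hashes, so it cannot tell which one the client holds.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly %d uppercase hex characters" % PREFIX_LEN)
    return list(index.get(prefix, []))


def times_seen(password: str, index: Dict[str, List[Tuple[str, int]]]) -> int:
    """Client side: how often the password appears in the corpus (0 = not found).

    Only the prefix is sent; the suffix comparison happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in range_query(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def reject_reused_password(password: str, index: Dict[str, List[Tuple[str, int]]],
                           threshold: int = 1) -> Tuple[bool, str]:
    """Policy hook for registration or password reset: refuse known-breached passwords.

    Any appearance in a breach corpus makes the password a credential-stuffing
    candidate, so the default threshold rejects on a single sighting.
    """
    count = times_seen(password, index)
    if count >= threshold:
        return False, "password appeared %d time(s) in known breaches" % count
    return True, "password not found in known breaches"


# Built once at import time; a real service would load this from its corpus store.
RANGE_INDEX = build_range_index(LEAKED_CORPUS)

if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "a-long-unique-passphrase-kept-offline"):
        ok, reason = reject_reused_password(candidate, RANGE_INDEX)
        print("%-40s %s: %s" % (candidate, "ACCEPT" if ok else "REJECT", reason))
```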

Bargain Bin

Rouland speculates that the data may have been stitched together from older breaches and put up for sale, but then stolen or bought by a hacker who, perhaps to devalue an enemy’s product, leaked it more broadly. The torrent tracker file he used to download the collection included a “readme” that requested downloaders “please seed for as long as possible,” Rouland notes. “Someone wants this out there,” he says. (The “readme” also noted that another dump of data missing from the current torrent collection might be coming soon.)

But other researchers say that such a massive database being freely shared represents something else: That enough old megabreaches of personal information have piled up in the hacker underground over the years that they can comprise a sprawling, impactful amount of personal information and yet be practically worthless.

“Probably the skilled hackers, the guys really interested in getting money from this, had it for multiple years already,” says David Jaeger, a researcher at Hasso Plattner Institute who analyzed the collections. “After some time, they’ve tried all these on the major services, so it doesn’t make sense to keep them any longer, they sell it for a small amount of money.”

Below a certain price, Jaeger adds, hackers often barter the information for other data, spreading it further and devaluing it until it’s practically free. But it could still be used for smaller scale hacking, such as breaking into social media accounts, or cracking lesser-known sites. “Maybe it’s worthless for the people who originally created these data dumps, but for random hackers it can still be used for many services,” Jaeger adds.

Hunt, after publishing the initial Collection #1 earlier this month, says he was surprised to find multiple people immediately offering to send him links to Collections #2-5. “What this represents that’s unprecedented is the volume of data and the extent it’s circulating in big public channels,” Hunt says. “It’s not the world’s biggest hack, it’s the fact that it’s circulating with an unprecedented fluidity.”

In that sense, Collections #1-5 represent a new kind of milestone: That the rotting detritus of the internet’s privacy breaches has gotten so voluminous and devalued that it’s become virtually free and therefore public, degrading any last private information it might have held. “When enough people have secret data, someone shares it,” Rouland says. “It’s entropy. When the data is out there, it’s going to leak.”

In the wake of Apple’s FaceTime privacy bug, we should learn from the superstar who predicted such breaches

It’s hard to convince people to take data safety seriously. Installing updates, changing passwords, refusing permissions: it can be exhausting, and it’s hard to stay motivated when the work seems endless. That’s why Taylor Swift is the information security icon the world needs.

The superstar has long spoken out about her desire to stay secure. More than a typical celebrity’s fondness for the sort of privacy that involves massive properties to defeat the long paparazzi lenses, Swift has frequently shown a keen understanding of why – and how – digital security is important to her. In a Rolling Stone interview in 2014, she revealed that she kept the only full version of her forthcoming album, 1989, on her iPhone – and would only play it on headphones, for fear of wiretaps. “Don’t even get me started on wiretaps. It’s not a good thing for me to talk about socially. I freak out … I have to stop myself from thinking about how many aspects of technology I don’t understand.” The article continues: “‘Like speakers,’ she says. ‘Speakers put sound out … so can’t they take sound in? Or’ – she holds up her cellphone – ‘they can turn this on, right? I’m just saying. We don’t even know.’”

Sound familiar? It’s only Swift more or less predicting this week’s iPhone “hellbug” that briefly let anyone with your phone number call you on FaceTime and listen in via your phone’s mic before you picked up, without your knowledge or consent. Maybe we should have listened closer.

In 2017, Ed Sheeran revealed that collaborating with Swift involved NSA-level security: “I was in San Francisco and they sent someone with a locked briefcase with an iPad and one song on it and they … played the song I’ve done with her,” he told the Brazilian magazine Capricho. “They asked if I like it, and I was like, ‘Yeah,’ and then they took it back, that’s how I heard it.”

Swift’s extreme caution has even led to the creation of a Twitter fan account, SwiftOnSecurity. It is genuinely the most informative cybersecurity resource on the internet. But if you don’t want to follow Swift on tech security, just steer clear of her celebrity foe, Kanye West. Greatest rapper of his generation, yes, but no one whose iPhone passcode, reports say, is 000000 should be trusted with data protection advice.