Cybersecurity vendors and organizations put out a steady stream of research, sometimes in support of a product, but it almost always has something to say about the state of cyberthreats. Research released in October 2018 provided insight into a broad swath of the cybersecurity landscape, including IoT, compliance, threat hunting, two-factor authentication (2FA) and cloud security. We summarize key takeaways from nine of those reports -- and the controls that enterprises could implement to protect themselves against those risks.
- Beazley Breach Insights Report
- CyberX 2019 Global ICS and IIoT Risk Report
- Carbon Black Quarterly Incident Response Threat Report
- Dashlane Two-Factor Authentication (2FA) Power Rankings
- Fidelis 2018 State of Threat Hunting Detection Report
- F5 The Hunt for IOT
- Focal Point Cyber Balance Sheet Report
- McAfee Cloud Adoption and Risk Report
- PwC Digital Trust Insights
Ransomware demands spiked in the third quarter of 2018, according to the Beazley breach insights report for October 2018. At the top end of the scale, when criminals target a specific organization, ransomware demands reached a high of $2.8 million. Overall, however, Beazley Breach Response (BBR) reported that the median demand is $10,000, which is still a 10X jump over the average $1,000 demand from the company's October 2016 breach insights report.
"Unfortunately it is often smaller businesses that are most vulnerable to attack by cyber criminals, as they frequently lack the resources and protocols of larger firms," said Katherine Keefe, head of BBR Services at Beazley. "However, businesses of all sizes need to ensure their IT employees are aware of the risks through up-to-date training and implementation of cyber security measures."
Key Takeaway: If you haven't brushed up on ransomware prevention in a while, there's no time like the present.
As the world becomes increasingly connected, there is a corresponding increase in risk for Industrial Control Systems (ICS) and the Industrial Internet of Things (IIoT). According to CyberX's 2019 Global ICS and IIoT Risk Report, 69 percent of industrial sites have plain text passwords traversing the network.
There is also a myth that many ICS deployments are not connected to the internet, but CyberX found a different reality. According to CyberX, 40 percent of ICS sites have at least one direct connection to the public internet.
"We’re not here to create FUD [fear, uncertainty and doubt], but we think it’s important for business leaders to have a data-driven view of ICS risk so they can ask the right questions," said Dan Shugrue, senior director of industrial cybersecurity for CyberX. "We’re definitely making progress in reducing ICS risk, but we have a long way to go."
Key Takeaways: Most environments are connected to the internet, so secure things appropriately.
Carbon Black's Quarterly Incident Response Threat Report found that attacks are doing more damage, with victims experiencing destructive attacks that aim to destroy or erase data 32 percent of the time.
41 of 113 investigations conducted in the third quarter of 2018 had attacks attributed to Russia and China.
"Our research found that today’s attackers are increasingly punitive, sophisticated and confident," said Tom Kellermann, Chief Cybersecurity Officer for Carbon Black and one of the report's authors. "And because of the dark web, they have access to complex tools and compromised infrastructures, including voter databases. This allows attackers to exploit new security vulnerabilities and operate at a higher level of sophistication than before."
Key Takeaways: Attacks are no longer just a nuisance, they are increasingly destructive.
Two-Factor Authentication (2FA) is a security mechanism that requires users to input a second password (or factor) in order to gain access to a site or service. According to Dashlane's Two-Factor Authentication (2FA) Power Rankings report, 76 percent of sites do not offer users a full set of 2FA usage options.
2FA can be enabled via SMS, an app, or via a hardware security key. While many sites did not meet all of Dashlane's criteria for 2FA success, among those that are doing it right are Facebook, Google and Twitter.
"Through the course of our research we found that information on 2FA is often presented in a way that is unclear, making it difficult for consumers to confirm 2FA offerings," said Emmanuel Schalit, CEO of Dashlane. "In fact, our researchers were forced to omit a large number of popular websites from our testing simply because the sites don't provide any straightforward or easily accessible information about their 2FA offerings."
Key Takeaways: 2FA is a useful tool for security, but it's often hard to use or not readily available.
Preventing threats at the enterprise perimeter is not a strategy that can mitigate all risks, which is why there is a growing need for threat hunting activities. Despite that need, the Fidelis 2018 State of Threat Hunting Detection Report found that 63 percent of organizations indicated that they do not currently employ threat hunting or do not know if they do.
The need for threat hunting is further highlighted by the finding that only 22 percent of respondents to the Fidelis study said they felt "highly confident" in their preventive defenses.
"In discussions with our enterprise customers from around the globe, a recurring theme is the desire to hunt for threats," said Nick Lantuh, CEO of Fidelis. "The common challenges they face are the lack of resources and expertise necessary to do it right, which our study has also confirmed."
Key Takeaways: Learn about threat hunting to detect and identify risks that have got past perimeter defenses.
According to F5's The Hunt for IoT report, IoT devices are now the number one attack target on the Internet, surpassing web and application servers, email servers, and databases. Brute force attacks via SSH are the number one attack type targeting IoT devices, followed by telnet.
F5 also found that the top 50 attacking IP addresses used in IoT attacks from Jan. 1 to June 30 were all new.
Key Takeaways: IoT attacks are rampant and device users and vendors need to secure SSH logins and take other IoT security measures.
Integrated risk management firm Focal Point Data Risk released its Cyber Balance Sheet Report showing some positive trends in how boardrooms view cybersecurity.
Over 40 percent of respondents reported that they were "very satisfied" with the board-level cybersecurity reporting within their organizations. Yet despite that fact, only approximately 20 percent of organizations are very confident that their company is effectively managing cyber risk.
"This year’s Cyber Balance Sheet Report dispels the 'cyber is a boardroom issue' cliché by showing that not only have board members already received the cyber risk message loud and clear, they are actively initiating more discussion about breaches and threats that could upend their organizations," said Andrew Cannata, Focal Point’s CISO and national Cyber Security Practice leader.
Key Takeaways: Measuring and reporting on cyber risk doesn't always directly correspond to an improvement in risk reduction.
The McAfee Cloud Adoption and Risk Report found a surprising number of cloud misconfigurations. According to the report, the average enterprise experiences more than 2,200 misconfiguration incidents per month in their infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) instances.
The McAfee report also clearly shows that multicloud is a reality, with 78 percent of organizations that use IaaS/PaaS making use of both Amazon Web Services (AWS) and Microsoft Azure.
In terms of risks, McAfee found that 80 percent of all organizations experience on average at least one compromised account threat per month, and 92 percent of all organizations have stolen cloud credentials that are being offered for sale on illicit web forums.
"Operating in the cloud has become the new normal for organizations, so much so that our employees do not think twice about storing and sharing sensitive data in the cloud," said Rajiv Gupta, senior vice president of the Cloud Security Business at McAfee. "Accidental sharing, collaboration errors in SaaS cloud services, configuration errors in IaaS/PaaS cloud services, and threats are all increasing. In order to continue to accelerate their business, organizations need a cloud-native and frictionless way to consistently protect their data and defend from threats across the spectrum of SaaS, IaaS and PaaS."
Key Takeaways: Cloud requires its own security and control points, to limit the risk of credential misuse.
PwC released its Digital Trust Insights report on Oct. 31, a reinvention of the Global State of Information Security Survey (GSISS) that had been issued every year for the past 20 years.
Among the key findings in the report that surveyed over 3,000 business leaders around the world is that only 27 percent of executives had the view that their board of directors receives adequate metrics for cyber and privacy risk management.
In terms of risk assessment, only 31 percent of respondents worldwide reported that they are very comfortable that their company has identified those parties who might attack their organization's digital assets. Regulatory compliance is also a key concern for organizations, with 41 percent of respondents noting that staying aware of the latest regulatory developments is a top digital compliance challenge.
"Cyber risk priorities have evolved from focusing on information security to a more holistic focus on digital risk management," said Sean Joyce, U.S. Cybersecurity and Privacy Leader at PwC. "Companies that show the connected world how to lead on safety, security, reliability, data privacy, and ethics will be the titans of tomorrow."
Key Takeaway: Understanding adversaries and compliance requirements are key challenges for many organizations.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.