Year-end cybersecurity research reports reveal a security threat landscape that’s becoming more perilous, particular for Internet of Things (IoT) devices and the rising threat of nation-state actors.
Other cybersecurity issues highlighted in December 2018 research reports include the need for identity and access management, bug bounty programs and vulnerability disclosures. Here are some findings from 7 reports released this month, along with cyber defenses organizations should consider implementing to reduce their risk.
- Bugcrowd – Inside the Mind of Hacker
- Comodo Global Threat Report 2018 Q3
- Juniper Networks IoT Study
- McAfee Labs Threats Report: December 2018
- Morphisec Labs Threat Report
- Sailpoint 2018 Identity Report
- Tenable Cyber Risk Report
Bugcrowd is in the business of operating managed bug bounty programs for its customers. With a bug bounty, a security researcher is awarded a financial reward (the “bounty”) for privately and responsibly disclosing security flaws.
In Bugcrowd’s Inside the Mind of a Hacker 2018 report, the company revealed that the average bug submission payout in 2018 was $783.38. The report also disclosed that 66 percent of those that participate in bug bounty programs spend up to 10 hours a week looking for flaws. Half of those that identified as bug bounty hunters did so on top of their regular day jobs, as a way to supplement income and as a way to gain experience to land a job in cybersecurity.
“There is currently a glut of unfilled cybersecurity positions today, with some reports saying cybercrime will more than triple the number of job openings over the next 5 years,” stated Casey Ellis, founder and CTO at Bugcrowd. “Bug hunting is a perfect entry point for would-be info security professionals, providing real-world application security experience. It’s also a great way for seasoned infosec professionals to hone their skills and supplement their income.”
Key takeaway: Consider expanding your cybersecurity resources with a bug bounty program to supplement in-house skills.
Comodo released its Global Threat Report 2018 Q3 on Dec. 12, noting to no one’s surprise that phishing continues to be a problem for global organizations. According to the report, phishing represents one of every 100 emails received by enterprises. The most phished brands in the quarter included Microsoft (19 percent), PayPal (17 percent) and Google (9.7 percent).
Comodo also identified an increase in malware distribution leading up to major national elections in Turkey, Mali, Sierra Leone, Azerbaijan and Columbia.
“It is inescapable that state actors today employ malware and other cyberthreats as both extensions of soft power and outright military weapons, as do their lesser-resourced adversaries in asymmetric response,” said Fatih Orhan, VP of Comodo Cybersecurity Threat Research Labs.
Key takeaway: Don’t overlook email security. It’s not a new threat, but it’s not a threat that’s going away anytime soon either.
The increasing use of Internet of Things (IoT) devices and their security implications is the focus of a report issued this month by Juniper Networks.
The study found that 51 percent of organizations run their IoT application workloads in their private data or control centers, while 36 percent maintained deployments at the network edge and the remainder run their workloads in a public cloud. The top challenge identified by 51 percent of respondents is that it is hard to detect sophisticated IoT threats. 39 percent of respondents noted that maintaining compliance for IoT devices is also a key challenge.
“In today’s era of sophisticated zero-day attacks, the traditional perimeter-based approach to security is no longer sufficient,” stated Laurence Pitt, Strategic Security Director for Juniper Networks. “Safeguarding business assets, data and IoT ecosystems must start with the network. This means visibility and protection must be embedded into the network fabric to enable real-time monitoring, detection and remediation and prevent cybercriminals from compromising valuable business information.”
Key takeaways: Make sure that your organization has network level visibility into all IoT devices and things to help control and mitigate risk.
McAfee Labs Threats Report: December 2018 also found significant issues with IoT security. According to McAfee, new IoT device malware grew by 73 percent in the third quarter, as attackers continue to find ways to infect IoT devices and use them as entry points into organizations.
McAfee noted that while IoT devices typically lack computing power, when linked together, it’s possible to create unauthorized cryptocurrency mining operations. Overall during the quarter, McAfee reported a 55 percent increase in the volume of cryptomining malware.
“Cybercriminals are eager to weaponize vulnerabilities both new and old, and the number of services now available on underground markets has dramatically increased their effectiveness,” warned Christiaan Beek, lead scientist at McAfee.
Key takeaway: Have measures in place to identify and block unauthorized cryptocurrency mining.
Like McAfee’s report, the Morphisec Labs Threat Report also found an uptick in cryptocurrency mining malware. According to Morphisec, coin mining malware accounted for 30 percent of attacks in the third quarter.
Morphisec also reported an increase in attacks against the banking industry during the third quarter. Banking Trojans represented 25 percent of all attacks in the third quarter, up from 16.7 percent in the first quarter.
“Attacks targeting the banking industry, and specifically payment records and credentials, consistently topped Morphisec’s threat list for the second half of 2018,” said Michael Gorelik, Chief Technology Officer and Head of Threat Research at Morphisec. “Malicious actors utilizing banking trojans to make a quick financial profit are especially dangerous during Q4, as holiday browsing habits make victims more susceptible to threats.”
Key takeaways: Take extra precautions and remain vigilant when using banking applications to avoid the risk of being victimized by a banking trojan.
For enterprises, having technology in place to manage user identity is a foundational element. The Sailpoint 2018 Identity Report found that 54 percent of organizations have some form of program in place to help manage identity.
The challenge is that while many organizations aim to manage identity, only 20 percent of organizations reported that they have visibility of all their users, and 7 percent have no visibility over their users at all. Going a step further, the study found that 88 percent of organizations are not properly governing access to data stored in files as part of an identity and access management program.
“The ultimate goal of any identity program is to efficiently deliver access to users, securely and confidently,” said Kari Hanson, Vice President of Corporate Marketing at SailPoint. “When enterprises are able to see, understand and govern their users’ access to all business applications and data, they are better protected against potential threats.”
Key takeaway: You can’t govern what you don’t manage, so make sure to have comprehensive identity and access management technology in place.
The need to measure IT operations in order to manage risk is a theme that Tenable picked up on in its Measuring and Managing the Cyber Risks to Business Operations Report.
The report found that 60 percent of organizations globally had suffered two or more business-disrupting cyber events in the last 24 months. Yet despite being a victim, the report found that 54 percent of organization are not measuring the business costs of cyber risk.
Other key challenges outlined in the report include the fact only 29 percent of respondents reported having sufficient visibility into their organization’s attack surface. Additionally, 58 percent of respondents admitted that their organizations do not have the staff required to properly scan for vulnerabilities in a timely manner.
“In today’s digital economy, cyber risk equates to business risk,” said Tenable CSO Bob Huber. “It’s shocking to learn that organizations are suffering business-impacting cyber events yet are struggling to accurately measure the resulting financial cost.”
Key takeaways: Cybersecurity isn’t just about providing defenses, it’s also about measuring and understanding risk.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.