Research is at the center of the cybersecurity industry, with a steady stream of reports that highlight weaknesses in cyber defenses and potential solutions. Last week was a particularly busy week for cybersecurity research, with at least 10 different reports issued, on topics like the state of email security, mobile risks, Internet of Things (IoT) threats and cybersecurity skills in the workplace.
- DMARC Email Security
- Akamai State of Internet Security
- IoT Security
- Account Takeover
- Europol Organized Crime Threat Assessment
- ISC2 IT Workforce
- Nationwide Business Owners Survey
- RiskIQ Mobile Threat
- SecurityScorecard PCI-DSS Compliance
- Travelers Risk Index
On Sept. 20, email security firm Agari released its latest research report on the state of DMARC protocol adoption within the U.S. government. Domain-based Message Authentication, Reporting and Conformance (DMARC) is a topic that eSecurity Planet has covered extensively, including an overview of the DMARC protocol as well as a guide on how to implement DMARC.
The U.S. Government has a deadline of Oct. 16 for DMARC to be deployed across email systems managed by the federal government. According to Agari, as of September 14, 83 percent of federal executive branch domains have adopted DMARC.
Akamai released its 2018 State of the Internet/Security Credential Stuffing Attacks report on Sept. 19. Credential stuffing occurs when attackers attempt to use legitimate user authentication information that has been stolen to get into various websites and services.
According to Akamai, it detected 8.3 billion malicious login attempts in May and June alone. One particularly virulent botnet attempted 300,000 malicious logins per hour.
The report underscores the need for strong authentication, like identity and access management and multi-factor authentication. And user and entity behavior analytics (UEBA) could help spot questionable network activity.
HPE's Aruba networking division worked on a report with the Ponemon Institute titled "Closing the IT Security Gap with Automation & AI in the Era of IoT."
Among the high-level findings in the report is that most organizations (68 percent) are hopeful that security products with AI functionality will help to reduce false alerts.
Lack of visibility when it comes to Internet of Things (IoT) security is a real risk. 60 percent of the Aruba survey's respondents said that in their view even simple IoT devices pose a threat. Two-thirds of the study's respondents noted that they had little or no ability to protect their IoT devices from attack.
Barracuda Networks released a report on account takeovers, in which attackers aim to steal user credentials to launch attacks from an internal account.
The study found that after attackers successfully take over an account, 78 percent of the time the compromised accounts are used for phishing email attacks.
"In these phishing emails, the goal of the attacker was typically to infect additional internal and external accounts," Barracuda's report states. "The email usually impersonates the employee and asks the recipient to click on a link. The attackers sometimes made the email appear as if the employee is sending an invitation to a link from a popular web service, such as OneDrive or DocuSign."
Europol released its Internet Organized Crime Threat Assessment (IOCTA) on Sept. 19, which provides insight into the agency's view on internet crime.
Though ransomware isn't growing as fast as it did in 2017, Europol still sees ransomware as one of the top threats facing organizations today. Europol also sees a rising trend of unauthorized cryptocurrency mining attacks, known as cryptojacking.
"Cryptojacking is an emerging cybercrime trend, referring to the exploitation of internet users' bandwidth and processing power to mine cryptocurrencies," the Europol report stated. "While it is not illegal in some cases, it nonetheless creates additional revenue streams and therefore motivation for attackers to hack legitimate websites to exploit their visitor systems."
Be sure to check out eSecurity Planet's guide to limiting cryptojacking risk.
Non-profit cybersecurity professional association (ISC)2 released its "Building a Resilient Cybersecurity Culture" report.
"The growing cybersecurity workforce gap has received a lot of media attention," said (ISC)2 Director of Cybersecurity Advocacy for North America John McCumber. "What we haven't heard as much about is how some companies are actually succeeding in building their security teams even in the face of this competition for talent."
The report found that nearly all (97 percent) of respondents felt that their organization's executive management team understands the importance of strong security practices. 70 percent of organizations hire individuals that have certified security credentials. And 70 percent of respondents say they train and promote IT security staff from within their own organizations.
Insurance company Nationwide detailed the results of its fourth annual Business Owner Survey on Sept. 21. While the ISC2 study highlighted positive trends in the cybersecurity skills landscape, Nationwide's report had a different perspective.
The report said that 65 percent of business owners with fewer than 300 employees do not have a dedicated employee or vendor in place to monitor for cyberattacks, an 8 point increase from 2017.
There is a clear need for small businesses to have more security, as 50 percent of the study's respondents indicated their organizations had been the victim of a harmful cyber activity.
Mobile continues to be a growing area of focus for cybercriminals. On Sept. 18, RiskIQ released its Q2 2018 Mobile Threat Landscape report.
RiskIQ observed 52,885 blacklisted apps in the second quarter, which was 4 percent of all apps seen by the company and a 2 percent increase over the first quarter, with Trojans and adware being the most common dangers.
Blacklisted apps are ones that are deemed to be malicious or harmful in some way.
SecurityScorecard released its 2018 Retail Cybersecurity report, revealing that over 90 percent of the 1,444 retail domains analyzed were not compliant with PCI-DSS (Payment Card Industry Data Security Standard) requirements.
"This year the retail industry's security posture fell lower than in years past, both in application security and social engineering," Fouad Khalil, head of compliance at SecurityScorecard, wrote in a statement. "To remain competitive, retailers are adopting new payment and digital technologies, exposing them as prime targets for cybercriminals."
POS security remains at the heart of retail security.
Insurance group Travelers released its 2018 Risk Index, noting that 52 percent of businesses consider it inevitable that at some point they will be a victim of a cyberattack.
Even though the majority of organizations expect to be a victim, more than half (55 percent) have not completed a cyber risk assessment for their business. Additionally 50 percent of organizations do not have cyber insurance to help protect against damages from a cyber incident.
"Cyber risks carry serious consequences for any business, threatening everything from revenue to operations," said Tim Francis, Enterprise Cyber Lead at Travelers. "These findings reveal some surprising things about how companies view their cyber exposures, their relative confidence in dealing with them and the clear opportunity that exists for them to be better prepared for a cyberattack."
In the aggregate, the research paints a picture of a landscape that has plenty of challenges for organizations of all sizes (especially smaller ones) and potential opportunities for improvement.
The need for email security is obvious, and DMARC adoption by the U.S. Government is a good step forward that organizations of all sizes should consider following. The need to protect against credential abuse and takeover is another key trend identified in the reports. Being prepared to tackle security challenges, either by hiring the right type of IT professional, as identified by ISC2, or simply by having responsible people handle security, is another key observation.
While cyberattacks might well be inevitable, there are technologies, processes and people that organizations can employ to reduce risk.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.