In 2021, cybersecurity got more serious. Already a growing threat, ransomware exploded, with attacks becoming more frequent and costly. The volume of ransomware attacks against U.S. targets rose 185 percent year over year in the first half of 2021, according to Internet security solutions provider SonicWall. Criminals also leaned hard on double extortion and turned their efforts against organizations like food supplier JBS and Colonial Pipeline, where system interruptions wouldnt just harm the victim and their clients, but also a broad swath of society.

Federal response got more serious, too, homing in on defending critical infrastructure, and states havent sat on the sidelines, either. Several moved to ban ransom payments and direct more resources toward defending against the threats, although researchers say fully tackling the problem requires national and international coordination.

Nation-state-driven cyber espionage by Russia and China also loomed heavy in public consciousness, particularly the SolarWinds incident, attributed to Russia. That saw a compromised security patch spread malware to clients, including government agencies, and woke up the U.S. to the need for software supply chain security. Calls for reviewing software development environments and creating a software bill of materials became more pressing.

The federal government also turned attention to states and localities, where efforts to modernize legacy systems and upgrade defenses are often held back by shortages of money, people and guidance on how to invest most impactfully. The Cybersecurity and Infrastructure Security Agency (CISA) has been working to become a go-to resource, however, and could gain more powers and programs next year under the National Defense Authorization Act (NDAA) for Fiscal Year 2022, which has not yet passed at time of writing. Federal efforts like these are also unleashing more dollars, but states and municipalities will need sustained funding.

Even so, agencies cannot just hire their way into safety. They also need to continually train and retrain existing staff about best practices for staying safe and properly implementing technologies. Artificial intelligence tools are helping scan for vulnerabilities and suspicious activity, but cyber criminals will always find plenty of traction in tricking humans. Phishing is the jumping off point for many successful scams and ransomware attacks, with one email fraud incident costing a New Hampshire town $2.3 million. Agencies, therefore, must keep employees cyber awareness fresh.

Not all cyber risks come from deliberate, malicious action, either. Staffs technological mistakes can also be devastating, with failures to adhere to the correct procedures resulting in the Dallas Police Department permanently deleting troves of case materials and Wyoming leaking residents health data, to name just two 2021 examples.

Agencies are becoming more attuned to the need to safeguard residents privacy, whether through security measures intended to thwart data breaches or by simply avoiding ever collecting or retaining information beyond whats strictly necessary. States continued to add chief privacy officer posts in 2021, underscoring the growing attention put on such concerns.

State and local governments are still grappling with unfounded allegations of 2020 voting fraud, with Maricopa County, Ariz.s widely panned Cyber Ninjas election audit only concluding in September, and Wisconsin and Pennsylvania looking to launch their own.

Meanwhile, mis- and disinformation aimed at undermining trust and misleading voters spurred the Jan. 6 insurrection and death threats against election workers. Advocates in 2021 have increasingly drawn attention to how social media platforms amplify falsehoods, and combatting false information as well as curbing other social media harms will remain a major concern of policymakers.

Go here to read the rest:
Did the Cybersecurity Stakes Get Even Higher in 2021? - GovTech

MCLEAN, Va., Nov. 30, 2021 (GLOBE NEWSWIRE) -- GTT Communications, Inc., a leading global cloud networking provider to multinational clients, has announced a managed security service partnership with Palo Alto Networks, the global cybersecurity leader, to power its new SASE platform that will enhance the security, efficiency and control functionality of enterprise networks. The partnership will leverage industry-leading networking and security capabilities of the two companies to fortify the security of network access and use of cloud applications from any location and any device as enterprises adapt their networks to the more dynamic requirements of a hybrid workforce. IDC estimates that 53% of workers are planning to continue to work remotely or adopt a hybrid home-office arrangement as a result of the pandemic.1

The new GTT SASE platform, which utilizes Palo Alto Networks Prisma Access, will deploy a comprehensive set of security features into a single cloud-delivered platform that protects all application traffic, providing seamless connectivity to GTTs global Tier 1 network for the best possible application performance and user experience for customers. The integrated networking and security functions reduce complexity, increase centralized control and efficiency, improve network performance and latency, and enable businesses to adopt a zero-trust network access approach that mitigates security vulnerabilities that can result from a work-from-anywhere model. With the new GTT SASE platform, users will gain access to the network based on their identity, device and application rather than the IP address or physical location enabling seamless and secure networking between users, private and public clouds, and the enterprise data center.

According to Gartner, Digitalization, work from anywhere and cloud-based computing have accelerated cloud-delivered SASE offerings to enable anywhere, anytime access from any device. Gartner projects that by 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access,up from10% in 2020.2

Customers are seeking highly secure and flexible global network solutions to adapt to the rapidly changing business environment, new workforce models and ever-expanding security threat landscape, stated Don MacNeil, GTT COO. Adopting the most advanced security and networking technologies, and enabling our customers to leverage them readily, is the centerpiece of our product strategy, and we are pleased to partner with Palo Alto Networks to meet the stringent security requirements of our customers that GTTs SASE global network services platform will deliver.

Kumar Ramachandran, SVP of Products at Palo Alto Networks, stated, Our partnership with GTT will bring forth an exciting opportunity for customers. Many organizations are now turning to managed security service providers to achieve security that is easily implemented as an overlay service to simplify deployments at the branch. As a result, this new partnership will bring secure cloud scalability to the customers of GTT.

__________________________1 IDC, Enterprise Networking: Emergence of the New Normal Survey, December 2020, U.S.2 Gartner, 2021 Strategic Roadmap for SASE Convergence, Neil McDonald et al., 25 March 2021.

About GTT

GTT provides secure global connectivity, improving network performance and agility for your people, places, applications and clouds. We operate a global Tier 1 internet network and provide a comprehensive suite of cloud networking and managed solutions that utilize advanced software-defined networking and security technologies. We serve thousands of businesses with a portfolio that includes SD-WAN and other WAN services, internet, security and voice services. Our customers benefit from a customer-first service experience underpinned by our commitment to operational excellence. For more information on GTT, please visit http://www.gtt.net.

GTT Media Inquiries:Ed Stevenson, LEWIS+44-207-802-2626gttuk@teamlewis.com

GTT Investor Relations:Charlie Lucas, GTTVP of Financeinvestorrelations@gtt.net

Read more from the original source:
GTT Partners With Palo Alto Networks to Power Its SASE Platform - GlobeNewswire

INNSBRUCK, Austria, Nov. 23, 2021 /PRNewswire/ -- AV-Comparatives has released the results of its 2021 Advanced Threat Protection Tests. Eight consumer-antivirus products and eight enterprise endpoint-security programs for Windows were put through their paces. https://www.av-comparatives.org/testmethod/advanced-threat-protection-tests/

AV-Comparatives state that malware authors continue to write new malicious programs

AV-Comparatives' Advanced Threat Protection Test uses a variety of different attack scenarios, which the tested programs have to defend against. Targeted attacks employ various different techniques to avoid detection by security software. These include fileless attacks, code obfuscation, and the use of legitimate operating-system tools. Disguising malicious code also makes it hard for a security program to recognise. The misuse of legitimate system programs for malicious purposes also makes it easier for cybercriminals to stay under the radar of security measures.

In the Advanced Threat Protection Tests, AV-Comparatives use hacking and penetration techniques that allow attackers to access internal computer systems. These attacks can be broken down into Lockheed Martin's Cybersecurity Kill Chain, and seven distinct phases each with unique IOCs (Indicators of Compromise) for the victims. All our tests use a subset of the TTP (Tactics, Techniques, Procedures) listed in the MITRE ATT&CK(TM) framework. A false alarm test is also included in the reports.

Tested Enterprise Endpoint Security Products include: Acronis Cyber Protect Cloud with Advanced Security Pack; Avast Business Antivirus Pro Plus; Bitdefender Gravity Zone Elite; CrowdStrike Falcon Pro; ESET PROTECT Entry with ESET PROTECT Cloud; G Data Endpoint Protection Business; Kaspersky Endpoint Security for Business Select with KSC; VIPRE Endpoint Cloud.

All the enterprise products listed above blocked at least eight out of fifteen advanced attacks, and so received AV-Comparatives' ATP Enterprise Certification.

Link to report: https://www.av-comparatives.org/tests/advanced-threat-protection-test-2021-enterprise/

Story continues

Tested consumer security programs includes: Avast Free Antivirus; AVG Free Antivirus; Bitdefender Internet Security; ESET Internet Security; G Data Total Security; Kaspersky Internet Security; McAfee Total Protection; VIPRE Advanced Security.

Of these, Avast, AVG, ESET, Kaspersky and McAfee consumer products reached the highest ADVANCED+ rating.

Link to report: https://www.av-comparatives.org/tests/advanced-threat-protection-test-2021-consumer/

"The Advanced Threat Protection Test checks each security product's ability to protect a computer against targeted attacks, which are known as "advanced persistent threats" (APTs). These are complex, multi-stage attacks that are aimed at a specific individual or organisation. Whilst the majority of such attacks may be ultimately aimed at infiltrating enterprise networks, an obvious means of doing this is to target the personal computers of staff members within the organisation. Additionally, cybercriminals may launch targeted attacks against individuals for other reasons. This means that protection against such attacks should be provided by consumer security programs, as well as corporate endpoint protection software.", says Peter Stelzhammer, co-founder of AV-Comparatives.

All of the tested products, consumer and enterprise, had to defend against 15 different complex targeted attacks.

AV-Comparatives is an independent organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises. Using one of the largest sample collections worldwide, it creates a real-world environment for truly accurate testing. AV-Comparatives offers freely accessible results to individuals, news organizations and scientific institutions. Certification by AV-Comparatives provides an official seal of approval for software performance which is globally recognized.

Contact: Peter Stelzhammere-mail: media@av-comparatives.org phone: +43 720115542

Photo - https://mma.prnewswire.com/media/1694890/AV_Comparatives_1.jpg Photo - https://mma.prnewswire.com/media/1694889/AV_Comparatives_2.jpg Logo - https://mma.prnewswire.com/media/1093032/AV_Comparatives_Logo.jpg

Advanced Threat Protection is more important then ever, for enterprise as well as for consumers.

AV-Comparatives logo

Follow this link:
AV-Comparatives Tested Consumer and Enterprise Internet Security Solutions for Protection against Advanced and Targeted Attacks - Yahoo Finance

A visualization of the Internet made using network routing data. Image: Barrett Lyon, opte.org.

Imagine being able to disconnect or redirect Internet traffic destined for some of the worlds biggest companies just by spoofing an email. This is the nature of a threat vector recently removed by a Fortune 500 firm that operates one of the largest Internet backbones.

Based in Monroe, La., Lumen Technologies Inc. [NYSE: LUMN] (formerly CenturyLink) is one of more than two dozen entities that operate whats known as an Internet Routing Registry (IRR). These IRRs maintain routing databases used by network operators to register their assigned network resources i.e., the Internet addresses that have been allocated to their organization.

The data maintained by the IRRs help keep track of which organizations have the right to access what Internet address space in the global routing system. Collectively, the information voluntarily submitted to the IRRs forms a distributed database of Internet routing instructions that helps connect a vast array of individual networks.

There are about 70,000 distinct networks on the Internet today, ranging from huge broadband providers like AT&T, Comcast and Verizon to many thousands of enterprises that connect to the edge of the Internet for access. Each of these so-called Autonomous Systems (ASes) make their own decisions about how and with whom they will connect to the larger Internet.

Regardless of how they get online, each AS uses the same language to specify which Internet IP address ranges they control: Its called the Border Gateway Protocol, or BGP. Using BGP, an AS tells its directly connected neighbor AS(es) the addresses that it can reach. That neighbor in turn passes the information on to its neighbors, and so on, until the information has propagated everywhere [1].

A key function of the BGP data maintained by IRRs is preventing rogue network operators from claiming another networks addresses and hijacking their traffic. In essence, an organization can use IRRs to declare to the rest of the Internet, These specific Internet address ranges are ours, should only originate from our network, and you should ignore any other networks trying to lay claim to these address ranges.

In the early days of the Internet, when organizations wanted to update their records with an IRR, the changes usually involved some amount of human interaction often someone manually editing the new coordinates into an Internet backbone router. But over the years the various IRRs made it easier to automate this process via email.

For a long time, any changes to an organizations routing information with an IRR could be processed via email as long as one of the following authentication methods was successfully used:

-CRYPT-PW: A password is added to the text of an email to the IRR containing the record they wish to add, change or delete (the IRR then compares that password to a hash of the password);

-PGPKEY: The requestor signs the email containing the update with an encryption key the IRR recognizes;

-MAIL-FROM: The requestor sends the record changes in an email to the IRR, and the authentication is based solely on the From: header of the email.

Of these, MAIL-FROM has long been considered insecure, for the simple reason that its not difficult to spoof the return address of an email. And virtually all IRRs have disallowed its use since at least 2012, said Adam Korab, a network engineer and security researcher based in Houston.

All except Level 3 Communications, a major Internet backbone provider acquired by Lumen/CenturyLink.

LEVEL 3 is the last IRR operator which allows the use of this method, although they have discouraged its use since at least 2012, Korab told KrebsOnSecurity. Other IRR operators have fully deprecated MAIL-FROM.

Importantly, the name and email address of each Autonomous Systems official contact for making updates with the IRRs is public information.

Korab filed a vulnerability report with Lumen demonstrating how a simple spoofed email could be used to disrupt Internet service for banks, telecommunications firms and even government entities.

If such an attack were successful, it would result in customer IP address blocks being filtered and dropped, making them unreachable from some or all of the global Internet, Korab said, noting that he found more than 2,000 Lumen customers were potentially affected. This would effectively cut off Internet access for the impacted IP address blocks.

The recent outage that took Facebook, Instagram and WhatsApp offline for the better part of a day was caused by an erroneous BGP update submitted by Facebook. That update took away the map telling the worlds computers how to find its various online properties.

Now consider the mayhem that would ensue if someone spoofed IRR updates to remove or alter routing entries for multiple e-commerce providers, banks and telecommunications companies at the same time.

Depending on the scope of an attack, this could impact individual customers, geographic market areas, or potentially the [Lumen] backbone, Korab continued. This attack is trivial to exploit, and has a difficult recovery. Our conjecture is that any impacted Lumen or customer IP address blocks would be offline for 24-48 hours. In the worst-case scenario, this could extend much longer.

Lumen told KrebsOnSecurity that it continued offering MAIL-FROM: authentication because many of its customers still relied on it due to legacy systems. Nevertheless, after receiving Korabs report the company decided the wisest course of action was to disable MAIL-FROM: authentication altogether.

We recently received notice of a known insecure configuration with our Route Registry, reads a statement Lumen shared with KrebsOnSecurity. We already had mitigating controls in place and to date we have not identified any additional issues. As part of our normal cybersecurity protocol, we carefully considered this notice and took steps to further mitigate any potential risks the vulnerability may have created for our customers or systems.

Level3, now part of Lumen, has long urged customers to avoid using Mail From for authentication, but until very recently they still allowed it.

KC Claffy is the founder and director of the Center for Applied Internet Data Analysis (CAIDA), and a resident research scientist of the San Diego Supercomputer Center at the University of California, San Diego. Claffy said there is scant public evidence of a threat actor using the weakness now fixed by Lumen to hijack Internet routes.

People often dont notice, and a malicious actor certainly works to achieve this, Claffy said in an email to KrebsOnSecurity. But also, if a victim does notice, they generally arent going to release details that theyve been hijacked. This is why we need mandatory reporting of such breaches, as Dan Geer has been saying for years.

But there are plenty of examples of cybercriminals hijacking IP address blocks after a domain name associated with an email address in an IRR record has expired. In those cases, the thieves simply register the expired domain and then send email from it to an IRR specifying any route changes.

While its nice that Lumen is no longer the weakest link in the IRR chain, the remaining authentication mechanisms arent great. Claffy said after years of debate over approaches to improving routing security, the operator community deployed an alternative known as the Resource Public Key Infrastructure (RPKI).

The RPKI includes cryptographic attestation of records, including expiration dates, with each Regional Internet Registry (RIR) operating as a root of trust, wrote Claffy and two other UC San Diego researchers in a paper that is still undergoing peer review. Similar to the IRR, operators can use the RPKI to discard routing messages that do not pass origin validation checks.

However, the additional integrity RPKI brings also comes with a fair amount of added complexity and cost, the researchers found.

Operational and legal implications of potential malfunctions have limited registration in and use of the RPKI, the study observed (link added). In response, some networks have redoubled their efforts to improve the accuracy of IRR registration data. These two technologies are now operating in parallel, along with the option of doing nothing at all to validate routes.

[1]: I borrowed some descriptive text in the 5th and 6th paragraphs from a CAIDA/UCSD draft paper IRR Hygiene in the RPKI Era (PDF).

Further reading:

Trust Zones: A Path to a More Secure Internet Infrastructure (PDF).

Reviewing a historical Internet vulnerability: Why isnt BGP more secure and what can we do about it? (PDF)

Read the original:
The Internet is Held Together With Spit & Baling Wire Krebs on Security - Krebs on Security