“Completeness of protection” is the top concern among large- and medium-sized businesses that have mobile device and IoT security systems in place, an IHS survey found. The legal battle between Apple and the FBI over iPhone encryption “has put extreme focus on the topic of mobile device security,” IHS said in a Monday report. “Like it or not, a new wave of mobile devices is being connected to corporate networks, changing the way people work and blurring the lines between personal and corporate assets -- and making nearly every enterprise in North America a target for mobile security solutions,” it said. “Buyers are making important budget and technology decisions now, and security vendors wishing to tap into the mobile and IoT device security opportunity need to offer on-device, on-network and even cloud-based solutions.” The research firm canvassed 157 businesses in the U.S. and Canada and found that many IT departments “don’t know how many or which mobile devices are on their networks already,” it said. “Even with security solutions in place, devices are lost, stolen, infected and compromised, so solutions need to address more than threat prevention.” Most IT departments also lack “comprehensive security for mobile devices, and the pressure of also rolling out solutions for IoT devices can be overwhelming,” it said.
Data breaches occurred 10 years ago, but are much more common today, said Michael Stawasz, Department of Justice deputy chief-computer crime, during a panel Thursday sponsored by FCBA. When people think of data breaches, they think of Target and the theft of personal information, he said. “We do a lot of those cases,” Stawasz said. “But today, the model is changing. The market is saturated with people’s information,” the price of stolen data has decreased and cyberthieves are looking for other ways to make money, he said. “Their new business model is, 'I’m just going to mess with you and get you to pay me to stop,'” he said. “Ransomware” has become easier to do and it’s easier to profit from virtual currencies, he said. “Virtual currencies allow them to scale that model to a much larger degree and now you see mass market ransomware.” There has been an “evolution” in the kinds of risks companies face on data breaches, said privacy lawyer Colleen Brown of Sidley Austin. The playing field has changed significantly in recent years, she said. Who is behind the threats, the kind of data targeted and motives have all changed, she said. “Now we have those hacktivists, who aren’t necessarily motivated by financial concerns,” she said. “You have the disgruntled insiders. … The people you’re up against are increasingly sophisticated. They’re increasingly better resourced. … Sometimes these can be very, very large groups of organized individuals.” The threat isn’t domestic, with many perpetrators living in other countries and some even state-sponsored, she said. “This is a very different playing field and there are different fronts to the war.”
The FCC Public Safety Bureau and EchoStar are in a disagreement over security issues for satellite communications terminals. The bureau, in a filing Tuesday in RM-11664, said it was supplementing a previous EchoStar ex parte filing on a meeting between EchoStar and FCC staff over proposed uses of the 28 GHz and 38 GHz bands. At the meeting, FCC staff questioned fixed satellite service security readiness and provided an IOActive presentation describing numerous security vulnerabilities in terminals, such as back doors, hard-coded credentials, insecure protocols and weak password resets. According to the FCC, EchoStar "stated that it was familiar with the IOActive research paper but indicated it contained some inaccuracies, without elaborating." The FCC, in a footnote in Monday's filing, said its staff "is not aware of any inaccuracies associated with this research."
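Two of the terminal weaknesses the item lists, hard-coded credentials and insecure (cleartext) protocols, are the kind a buyer can check for in a firmware image before deployment rather than take on a vendor's word. The following is an added example, not code from IOActive, EchoStar or the FCC: a `strings`-style scan that flags credential-looking strings, embedded private keys and cleartext service daemons. The firmware blob is constructed for the example, and the regexes are heuristics chosen here, so expect to tune them for a real target's configuration format.

```python
"""Heuristic scan of a firmware image for hard-coded credentials and
cleartext-service indicators. Added example; the sample blob is constructed."""
import re

# Runs of 6+ printable ASCII bytes, the same heuristic the `strings` tool uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# (category, pattern, match whole string?). Heuristics picked for this example.
CATEGORIES = [
    ("private key block",
     re.compile(rb"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"), False),
    ("password assignment",
     re.compile(rb"(?i)[a-z_]*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)"
                rb"\s*[=:]\s*\S+"), False),
    # user:hash or user:password lines (passwd/shadow style); second field must
    # not start with "/" so URLs such as "http://..." are not reported.
    ("user:secret pair",
     re.compile(rb"[a-z_][a-z0-9_-]{0,31}:[^\s:/]{1,64}"), True),
    ("cleartext service",
     re.compile(rb"\b(?:telnetd|ftpd|tftpd|rlogind)\b"), False),
]

# Constructed stand-in for a firmware image: a few non-printable bytes with
# embedded strings of the kind a scanner should and should not flag.
SAMPLE_FIRMWARE = b"".join([
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9,          # fake header, not printable
    b"/bin/busybox\x00",                            # benign path
    b"telnetd -l /bin/login\x00",                   # cleartext management service
    b"root:$1$saltsalt$Hq2nZk9d7xL3v1fQ0\x00",      # constructed shadow-style line
    b"wifi_password=ChangeMe123\x00",               # constructed default credential
    b"http://example.com/update\x00",               # URL, must not be flagged
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKfakebody\n\x00",
    b"\xde\xad\xbe\xef" * 4,                        # binary filler
    b"Version 2.1.7 build 4410\x00",                # benign version string
])


def extract_strings(blob):
    """Return (offset, bytes) for every printable run in the blob."""
    return [(m.start(), m.group()) for m in PRINTABLE_RUN.finditer(blob)]


def scan_firmware(blob):
    """Return findings as (offset, category, text) tuples in offset order."""
    findings = []
    for offset, s in extract_strings(blob):
        for name, pattern, whole in CATEGORIES:
            hit = pattern.fullmatch(s) if whole else pattern.search(s)
            if hit:
                findings.append((offset, name, s.decode("ascii")))
    return findings


def redact(text):
    """Mask the value after the first '=' or ':' so findings can be shared."""
    m = re.search(r"[=:]", text)
    if not m:
        return text
    return text[: m.end()] + "<redacted>"


if __name__ == "__main__":
    for offset, category, text in scan_firmware(SAMPLE_FIRMWARE):
        print(f"0x{offset:06x}  {category:20s}  {redact(text)}")
```

Run against a real image, the scan is a triage step, not proof: a flagged string still has to be traced to the code that uses it (a `root:` hash in a baked-in `/etc/shadow` is a finding; the same pattern in a help text is not), and a clean result says nothing about credentials stored obfuscated or in a separate configuration partition.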
Smartphones pulled ahead of Windows-based laptops, reaching 60 percent of the “malware activity observed in the mobile space” in 2015's second half, said Nokia’s Threat Intelligence Lab Tuesday in a report. It cited an increase in iOS-based malware, the “growing sophistication” of Android malware and the rising threat of mobile ransomware. Ransomware is malware that holds a device hostage by encrypting data and then locking it, which can be reversed only by paying the attacker a ransom fee via a prepaid cash voucher or with bitcoins, it said.
Distributed denial of service (DDoS) attacks continued to rise in Q4 and are increasingly repeating strikes on the same targets, Akamai said Monday in a report. The number of DDoS attacks rose by 40 percent in Q4 from Q3. The average number of repeat attacks continued to increase in Q4 to 24 per target. One surveyed customer was hit with 188 repeat DDoS attacks during the quarter, Akamai said. More than 54 percent of DDoS attacks were aimed at targets in the gaming industry, while 23 percent were aimed at tech firms, Akamai said. Less than 7 percent of Q4 attacks were aimed at financial services, and less than 5 percent were aimed at entertainment companies. China was the top country where DDoS attacks originated in Q4, with 28 percent of all such attacks being sourced there, Akamai said. Twenty-two percent of attacks originated in Turkey, and 15 percent came from within the U.S.
Private sector chief information officers from the U.S., U.K., France and Germany overwhelmingly said they're wasting millions of dollars on failing cybersecurity tools because they "blindly trust" vulnerable cryptographic keys and digital certificates, a survey from cybersecurity company Venafi found. The survey released Wednesday said that 90 percent of 500 CIO respondents said they have been attacked or expect to be by "bad guys" using encrypted traffic to hide their actions, while 87 percent said security controls are inadequate or ineffective because they don't inspect malicious activity or data exfiltration inside encrypted traffic. Eighty-five percent of CIOs expect criminal misuse of keys and certificates to get worse. Venafi said that organizations don't understand just how important keys and certificates are to cybersecurity. Technology researcher Vanson Bourne conducted the survey of CIOs from the financial services, manufacturing, retail, distribution, transport and other commercial sectors in January.
Ericsson officials discussed a company white paper on 5G security during a call with FCC staff, Ericsson said in an FCC filing. "5G Security: Scenarios and Solutions" argues that 5G will present new challenges. “It is easy to think of 5G networks as mainly a quantitative evolution similar to previous transitions, such as higher bitrate, lower latency and more devices,” the paper said. “But this is not the case: 5G security will just as much be a qualitative leap forward to meet the demands of a Networked Society.” Such networks will connect industries as well as people, creating new challenges, the paper said. In the call, Ericsson encouraged the FCC to let industry work through issues as they develop. “We encouraged the FCC to use a light regulatory touch and to focus on ways of facilitating a collaborative, public-private partnership approach to engaging 5G security rather than to impose mandates by regulation,” the filing said. It was posted Tuesday in docket 14-177.
AsusTeK Computer agreed to settle FTC allegations that it put hundreds of thousands of consumers' home networks at risk due to critical security flaws in the Taiwan-based company's routers, and exposed thousands of people's sensitive personal information on the Internet due to insecure cloud services, the commission said in a news release Tuesday. The commission, which voted 4-0 to approve an administrative complaint and proposed consent order, said that Asus must establish and maintain a comprehensive security program over the next 20 years and be subject to independent audits during that time. The company will have to notify consumers about software updates and give them an option to register for direct security notices through email, text message or a push notification, FTC said. The commission will publish the agreement soon in the Federal Register, and the pact will be open for public comment through March 24. The FTC alleged Asus "didn't take reasonable steps to secure the software on its routers," even though the company claimed the devices contained many security features to protect computers from hacking and malware. For instance, the commission said a malware researcher in April discovered a large-scale exploit campaign by hackers who specifically targeted numerous Asus router models, enabling them to hijack consumers' Web traffic. The commission also alleged that Asus advertised secure services on its routers called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own cloud storage, but those services had "serious security flaws." The FTC said hackers could exploit the AiCloud service to get access to people's connected storage device and that AiDisk didn't encrypt consumers' files in transit. In February 2014, hackers exploited these flaws to get access to more than 12,900 consumers' connected storage devices, the commission said. Asus didn't immediately comment.
NTCA “hopes” the forthcoming FCC policy statement that would adopt the Communications Security, Reliability and Interoperability Council’s (CSRIC) 2015 report on recommendations for communications sector cybersecurity risk management “will capture and sustain this need for flexible voluntary collaboration among stakeholders with shared goals,” Senior Vice President-Policy Michael Romano said in a statement Tuesday. The FCC said Friday that it's circulating the policy statement, which would adopt the nine recommendations CSRIC made in its report on how the agency should encourage communications sector use of the National Institute of Standards and Technology's Cybersecurity Framework and other cybersecurity best practices (see 1602220052). NTCA hopes that “all parties will continue to focus in particular on the substantial need for upfront education so that small businesses can be better equipped to identify and respond to cybersecurity challenges,” Romano said.
The FCC said Friday that it’s circulating a policy statement that an agency official and industry lobbyist separately said would adopt the Communications Security, Reliability and Interoperability Council’s (CSRIC) 2015 report on recommendations for communications sector cybersecurity risk management. The CSRIC report, which was meant to adapt the National Institute of Standards and Technology-facilitated Cybersecurity Framework for communications sector use, included nine recommendations to the FCC on how the agency can encourage industry use of the NIST framework and other cybersecurity best practices. The private sector also voluntarily committed via the CSRIC report to promoting the use of FCC-initiated confidential meetings with individual companies to discuss their cyber risks and their use of cybersecurity best practices (see 1503180056). The policy statement would in part set up a process for conducting the confidential FCC-private sector meetings, an industry lobbyist told us.