Mounting risks of Hackers taking over Financial accounts

Americans face mounting risk of hackers taking over brokerage accounts, regulators say

Ref: Account Takeover 2021 Annual Report: Prevalence, Awareness and Prevention – Security.org
The Financial Industry Regulatory Authority, the brokerage industry’s self-regulatory body, said in a recent notice that it has “received an increasing number of reports regarding customer account takeover incidents, which involve bad actors using compromised customer information, such as login credentials, to gain unauthorized entry to customers’ online brokerage accounts.”

Awareness of Account Takeovers
Nearly three-quarters of U.S. adults are aware of account takeovers, while 18 percent are unaware, and nine percent are unsure.


How Many People Have Had Account Takeovers?
According to security.org research, 22 percent of U.S. adults have had their accounts taken over. As there are 110 million internet-enabled households in the U.S., that means that approximately 24 million U.S. households have experienced account takeovers.


What Types of Accounts Were Taken Over?
Of the accounts taken over, the majority were social media accounts at 51 percent. Banking accounts comprised 32 percent of account takeovers, while email and messaging platforms comprised 26 percent. Moreover, research indicated that 80 percent of the accounts taken over were personal, while only 13 percent were business accounts only. Altogether, 93 percent of accounts taken over were personal accounts or a combination of business and personal accounts. Of the financial losses from account takeovers, over 80 percent of respondents recovered the funds, compared to 16 percent who were unable to recover the money.


How to Prevent Account Takeovers
Account takeovers increased sharply throughout the global pandemic, and the account takeover market is growing with them. Business and personal internet users can lessen the likelihood of account takeovers by choosing strong passwords for their accounts and adding multi-factor authentication and security questions when available.
• Use different usernames and passwords for different accounts; DO NOT reuse usernames and passwords across social media, email and financial accounts. Better yet, a password manager can help.
• Get suspicious login alerts if they’re available. Ask the companies you do business with to offer suspicious login alerting so that you can stop an account takeover before it becomes a massive headache.
• Add security questions or advanced authentication to accounts to prevent unauthorized access.
• Read this to understand various authentication options with their pros and cons. Two-Factor and Multi-Factor Authentication: How to Prevent Identity Theft – Security.org

WhatsApp Messaging Will Now Be Full Of Fun; Here’s How

WhatsApp makes changes from time to time to improve the messaging experience of its users. This time, the company has made some changes in its app, and a lot of new emoji with many features have also come to the WhatsApp platform.

If you have not yet received new features or emoji, then update your WhatsApp immediately. WhatsApp has been testing these features in the beta version of its app for a long time. Now this feature has been rolled out for all the users in the stable app and the advanced search option is available to the users in their WhatsApp. At the same time, some users may have to wait a bit for this new feature in their device.

WHAT ARE CYBER THREATS AND WHAT TO DO ABOUT THEM

From infiltrations on infrastructure and data breaches to spear phishing and brute force, online threats are varied, and they don’t discriminate between organizations and individuals when looking for a target.

You’ve likely heard the term “cyber threat” thrown around in the media. But what exactly are these cyber threats?

A cyber or cyber-security threat is a malicious act that seeks to damage data, steal data, or disrupt digital life in general. Cyber attacks include threats like computer viruses, data breaches, and Denial of Service (DoS) attacks. However, to truly understand this concept, let’s go a bit further into the background of cyber-security.

https://youtu.be/Rn-L8jDtRKw

WHAT IS A CYBER THREAT?

Cyber threats, sadly, are becoming more and more of a threat in today’s smart world. But what exactly is a cyber threat?

A cyber threat is an act or possible act which intends to steal data (personal or otherwise), harm data, or cause some sort of digital harm. 

Today, the term is almost exclusively used to describe information security matters. Because it’s hard to visualize how digital signals traveling across a wire can represent an attack, we’ve taken to visualizing the digital phenomenon as a physical one.

A cyber attack is an attack that is mounted against us (meaning our digital devices) by means of cyberspace. Cyberspace, a virtual space that doesn’t exist, has become the metaphor to help us understand digital weaponry that intends to harm us.

What is real, however, is the intent of the attacker as well as the potential impact. While many cyber attacks are merely nuisances, some are quite serious, even potentially threatening human lives.

WHY IS IT NECESSARY TO PROTECT FROM CYBER THREATS?

Cyber threats are a big deal. Cyber attacks can cause electrical blackouts, failure of military equipment and breaches of national security secrets. They can result in the theft of valuable, sensitive data like medical records. They can disrupt phone and computer networks or paralyze systems, making data unavailable. It’s not an exaggeration to say that cyber threats may affect the functioning of life as we know it.

The threats are growing more serious, too. Gartner explains, “Cybersecurity risks pervade every organization and aren’t always under IT’s direct control. Business leaders are forging ahead with their digital business initiatives, and those leaders are making technology-related risk choices every day. Increased cyber risk is real — but so are the data security solutions.”

The US government is taking cyber threats seriously but appears to be moving too slowly to mitigate them. The White House’s Office of Management and Budget revealed that, of 96 federal agencies it assessed, 74 percent were either “At Risk” or “High Risk” for cyber attacks. They needed immediate security improvements.

The US government has experienced numerous crippling data breaches in the last few years. Examples include the massive breach of the Federal Office of Personnel Management and the theft of secret US Naval codes. Both attacks have been attributed to Chinese state intelligence agencies.

TYPES OF MODERN CYBER-SECURITY THREATS

Cybersecurity threats come in three broad categories of intent. Attackers are after:

  1. Financial gain
  2. Disruption
  3. Espionage (including corporate espionage – the theft of patents or state espionage)

Virtually every cyber threat falls into one of these three modes. In terms of attack techniques, malicious actors have an abundance of options.

10 COMMON CYBER THREATS

  1. Malware. Software that performs a malicious task on a target device or network, e.g. corrupting data or taking over a system.
  2. Phishing. An email-borne attack that involves tricking the email recipient into disclosing confidential information or downloading malware by clicking on a hyperlink in the message.
  3. Spear Phishing. A more sophisticated form of phishing where the attacker learns about the victim and impersonates someone he or she knows and trusts.
  4. “Man in the Middle” (MitM) attack. Where an attacker establishes a position between the sender and recipient of electronic messages and intercepts them, perhaps changing them in transit. The sender and recipient believe they are communicating directly with one another. A MitM attack might be used in the military to confuse an enemy.
  5. Trojans. Named after the Trojan Horse of ancient Greek history, the Trojan is a type of malware that enters a target system looking like one thing, e.g. a standard piece of software, but then lets out the malicious code once inside the host system.
  6. Ransomware. An attack that involves encrypting data on the target system and demanding a ransom in exchange for letting the user have access to the data again. These attacks range from low-level nuisances to serious incidents like the locking down of the entire city of Atlanta’s municipal government data in 2018.
  7. Denial of Service attack or Distributed Denial of Service Attack (DDoS). Where an attacker takes over many (perhaps thousands) of devices and uses them to invoke the functions of a target system, e.g. a website, causing it to crash from an overload of demand.
  8. Attacks on IoT Devices. IoT devices like industrial sensors are vulnerable to multiple types of cyber threats. These include hackers taking over the device to make it part of a DDoS attack and unauthorized access to data being collected by the device. Given their numbers, geographic distribution and frequently out-of-date operating systems, IoT devices are a prime target for malicious actors.
  9. Data Breaches. A data breach is a theft of data by a malicious actor. Motives for data breaches include crime (i.e. identity theft), a desire to embarrass an institution (e.g. Edward Snowden or the DNC hack) and espionage.
  10. Malware on Mobile Apps. Mobile devices are vulnerable to malware attacks just like other computing hardware. Attackers may embed malware in app downloads, mobile websites or phishing emails and text messages. Once compromised, a mobile device can give the malicious actor access to personal information, location data, financial accounts and more.

EMERGING CYBER THREATS

Cyber threats are never static. There are millions being created every year. Most threats follow the standard structures described above. However, they are becoming more and more potent.

For example, there is a new generation of “zero-day” threats that are able to surprise defenses because they carry no detectable digital signatures.

Another worrisome trend is the continuing “improvement” of what experts call “Advanced Persistent Threats” (APTs). As Business Insider describes APTs, “It’s the best way to define the hackers who burrow into networks and maintain ‘persistence’ — a connection that can’t be stopped simply by software updates or rebooting a computer.”

The notorious Sony Pictures hack is an example of an APT, where a nation-state actor lurked inside the company’s network for months, evading detection while exfiltrating enormous amounts of data.

SOURCES OF CYBERSECURITY THREATS

Cyber threats come from a variety of places, people and contexts. Malicious actors include:

  • Individuals that create attack vectors using their own software tools
  • Criminal organizations that are run like corporations, with large numbers of employees developing attack vectors and executing attacks
  • Nation states
  • Terrorists
  • Industrial spies
  • Organized crime groups
  • Unhappy insiders
  • Hackers
  • Business competitors

Nation states are the sources of many of the most serious attacks. There are several different versions of nation-state cyber threats. Some are basic espionage: trying to learn another country’s national secrets. Others are aimed at disruption.

For example, Chris Painter of the U.S. Department of State commented in a Brookings Institution article that China and North Korea “have frequently exercised their cyber power to achieve their strategic goals around the globe.”

He noted, though, “Their motivations and objectives differ: While North Korea primarily aims to develop capabilities for revenue generation and destructive capabilities for potential conflicts outside North Korea, China mainly utilizes its cyber means for espionage and intellectual property theft. “Naming and shaming” has been an effective tool against China because of its government’s concerns on the potential blow back on its soft power.”

These are the so-called “cyber weapons” that might be used to shut off electricity in enemy territory during a war. In some countries, the boundaries between criminal organizations and national intelligence are blurred, with the criminals doing the actual work of cyber espionage.

Many cyber threats are bought and sold on the “dark web,” a disorganized but widespread criminal segment of the Internet. In this online bazaar, aspiring hackers can buy ransomware, malware, credentials for breached systems and more. The dark web serves as a multiplier for threats, with one hacker being able to sell his or her creation over and over.

BEST PRACTICES FOR CYBER DEFENSE AND PROTECTION

It’s easy to get frustrated over the severity of the threat environment. However, it is possible to protect your business from cyber threats. Consumers can also defend themselves.

CYBER DEFENSE FOR BUSINESSES

Enterprise best practices for cyber defense include basic but extremely important countermeasures like patching systems. When a tech vendor discovers (or is informed of) a security flaw in their product, they typically write code that fixes or “patches” the problem.

For example, if Microsoft finds that a hacker can gain root access to Windows Server through a code exploit, the company will issue a patch and distribute it to all owners of Windows Server licenses. They, among many others, do this at least once a month. Many attacks would fail if IT departments applied all security patches on a timely basis.

A host of new technologies and services are coming onto the market that make it easier to mount a robust defense against cyber threats. These include:

  • Outsourced security services
  • Systems that enable collaboration between security team members
  • Continual attack simulation tools
  • Point solutions for anti-phishing and secure browsing

CYBER DEFENSE FOR INDIVIDUALS

For individuals, the best practices are simple. The good news is that in most cases, some pretty big security organizations stand between the consumer and the hacker, e.g. the SecOps team at Verizon or AT&T. There are still preventative measures you should take to help ensure your information’s safety:

  1. Password hygiene. Big security organizations cannot protect consumers against phishing or hackers who can guess passwords like “1234.” Common sense and password hygiene can go a long way to protect consumers from cyber threats.
  2. Anti-virus software. Subscribe to anti-virus software and keep your system up to date with automated, scheduled scans.
  3. Caution against phishing attacks. Be careful about opening file attachments. Phishing and spear phishing emails are ones that look real but are not, as you can tell if you pay attention. For instance, if you get an email that says “past due invoice” with a PDF attachment, don’t open it unless you are 100% sure you know who sent it. If you double check, you’ll probably see it comes from an unusual email address, like this one, from anny234526426@gmail.com.

[Image: a phishing email in action]

TAKEAWAYS

It can be a scary time for businesses and consumers who are worried about cyber threats. The threats certainly exist, and they’re getting increasingly potent and frequent. The attackers are varied, with many worrisome imbalances between attackers and their targets.

BUT DON’T BE AFRAID

Even if a company is targeted by a powerful nation-state, it is still possible to protect critical digital assets. It takes planning and commitment of resources, but a good security operations team or a proactive individual can stay on top of most of the most serious cyber threats.

NSA Ranks Cloud Security Risks — Is Your Company Safe?

source: https://www.sdxcentral.com/articles/news/nsa-ranks-cloud-security-risks-is-your-company-safe/2020/01/


Moving to the cloud can improve a company’s security posture — but cloud services aren’t without risks, and organizations should both understand and address these risks before buying these services and deploying workloads in the cloud. To that end, the National Security Agency (NSA) published new guidance titled “Mitigating Cloud Vulnerabilities.”

The report targets companies’ leadership and technical staff. It highlights the basic components of cloud architecture and threat actors. And then it also ranks four different types of cloud security risks — misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities — that, according to the NSA, account for the vast majority of known security flaws.

While each cloud service provider’s architecture will be slightly different, most clouds have four components in common. These include identity and access management — these are the controls in place for customers to protect access to their resources as well as controls that the service providers use to protect back-end cloud resources — as well as compute, networking, and storage.

Shared Responsibility

The NSA report also discusses the concept of shared responsibility. This is important because security vendors and cloud service providers alike say many of their customers still don’t have a strong grasp on this model and how it works. Cloud providers like Amazon Web Services (AWS) and Microsoft Azure are responsible for protecting their public cloud infrastructure and implementing logical controls to separate customer data. The customer, however, is responsible for configuring application-level security controls, and for protecting its workloads running on cloud servers. In other words, both the cloud provider and the customer have a shared responsibility when it comes to cloud security.

“Shared-responsibility model is a tough one,” said James Christiansen, VP of cloud security transformation at Netskope. Part of the difficulty comes from “a mindset that when you outsource something, you wash your hands of it.”

In other words, when companies move from their on-premises infrastructure and into the public cloud, often they just assume that AWS or Azure is responsible for all the security measures needed to protect the resources running in the cloud. However, this is not the case.

Also, Christiansen says he’s not a fan of the term “shared responsibility.” Instead, “I would just go with a responsibility matrix: these are your responsibilities, and these are ours,” he added. “There are very distinct responsibilities, and when you see those failures, it’s often the failure of not understanding the part that they are responsible for.”

NSA’s Top 4 Cloud Vulnerabilities

The NSA categorizes cloud vulnerabilities and mitigations into four groups. It also says how prevalent each one is, and what level of sophistication it requires for an attacker to pull it off.

Misconfiguration, a widespread threat that requires a low level of sophistication, tops the list. According to the NSA, misconfiguration of cloud resources remains the most prevalent cloud vulnerability. “Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise,” the report says. “The rapid pace of [cloud service providers’] innovation creates new functionality but also adds complexity to securely configuring an organization’s cloud resources.”

The report says least privilege and defense in depth are two of the security principles that organizations should apply from the planning phase. A least-privilege model restricts access for accounts to only the resources required to perform routine, legitimate activities. Defense in depth involves placing multiple layers of security controls throughout an IT system.

The No. 2 vulnerability — poor access control — happens when companies have weak authentication methods in place to allow access to cloud resources, or when these cloud resources have flaws that enable attackers to bypass these methods. The NSA deems this vulnerability widespread and says it requires a moderate level of sophistication to pull off.

Organizations can mitigate poor access control by enforcing strong authentication protocols such as multi-factor authentication and using automated tools to audit access logs.
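One way to automate the access-log audit mentioned above, as an added example (not code from the NSA report or the article). The JSON log format, field names and thresholds are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                   # assumed: failures that make a later success suspicious
FAIL_WINDOW = timedelta(minutes=10)  # assumed: look-back window for those failures

# Constructed sample sign-in records, one JSON object per line (hypothetical format).
SAMPLE_LOG = """\
{"ts":"2020-01-20T08:30:00Z","user":"bob","ip":"198.51.100.20","result":"success","mfa":true}
{"ts":"2020-01-20T09:00:01Z","user":"alice","ip":"198.51.100.10","result":"success","mfa":true}
{"ts":"2020-01-20T09:05:00Z","user":"bob","ip":"203.0.113.77","result":"failure"}
{"ts":"2020-01-20T09:05:20Z","user":"bob","ip":"203.0.113.77","result":"failure"}
{"ts":"2020-01-20T09:05:40Z","user":"bob","ip":"203.0.113.77","result":"failure"}
{"ts":"2020-01-20T09:06:00Z","user":"bob","ip":"203.0.113.77","result":"success","mfa":false}
this line is not JSON and must be skipped
{"ts":"2020-01-20T09:10:00Z","user":"carol","ip":"198.51.100.30","result":"failure"}
{"ts":"2020-01-20T09:10:30Z","user":"carol","ip":"198.51.100.30","result":"success","mfa":true}
{"ts":"2020-01-20T10:00:00Z","user":"alice","ip":"198.51.100.10","result":"success","mfa":true}
"""

def parse_events(text):
    """Parse JSON-lines sign-in records, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            raw = json.loads(line)
            events.append({
                "ts": datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "user": raw["user"],
                "ip": raw["ip"],
                "result": raw["result"],
                "mfa": bool(raw.get("mfa", False)),
            })
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # not JSON, not an object, or a required field is missing
    return sorted(events, key=lambda e: e["ts"])

def audit(events):
    """Return (user, finding, ip) tuples for successful sign-ins that look weak or suspicious."""
    findings = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    known_ips = defaultdict(set)          # user -> source IPs of earlier successful sign-ins
    for ev in events:
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        fails = recent_failures[user]
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()               # forget failures older than the window
        if ev["result"] != "success":
            fails.append(ts)
            continue
        if not ev["mfa"]:
            findings.append((user, "no_mfa", ip))
        if len(fails) >= FAIL_THRESHOLD:
            findings.append((user, "success_after_failures", ip))
        if known_ips[user] and ip not in known_ips[user]:
            findings.append((user, "new_source_ip", ip))
        known_ips[user].add(ip)
        fails.clear()                     # a success resets the failure streak
    return findings

if __name__ == "__main__":
    for user, finding, ip in audit(parse_events(SAMPLE_LOG)):
        print(f"{user}: {finding} from {ip}")
```
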

No. 3, shared tenancy vulnerabilities, remain rare, according to the report, and require a high level of sophistication. But these types of vulnerabilities in cloud hypervisors or container platforms can be especially severe.

To mitigate these, the NSA advises enforcing encryption of data at rest and in transit. And for especially sensitive workloads, companies should use dedicated or bare-metal cloud instances.

If companies don’t use a dedicated instance, Christiansen suggests requiring that the cloud provider perform a forensic analysis of the logs, separating your logs from those of the other tenants. Organizations should write this into the contract when they initially buy cloud services, he said.

Supply Chain Security

Finally, the NSA says the No. 4 vulnerability — supply chain security flaws — remains rare and requires highly sophisticated attackers. But many threat hunters and security vendors agree supply chain security risks are becoming more common and they expect to see these types of attacks increase this year.

Supply chain vulnerabilities include inside attackers, intentional flaws and backdoors in hardware and software, as well as companies’ partners and suppliers whose security may not be up to par, and thus, allow attackers to access their targets’ cloud resources via their suppliers’ networks.

Christiansen agrees that attackers need to be pretty sophisticated to pull off a supply chain attack, but says he was surprised to see it rated rare.

“You think about the big corporations and they have done a really good job of fortifying their security,” he said. “But then when they go to a third party, the third party doesn’t have the same level of security, and that’s when you are seeing the weakest-link problem. We’ve seen this as far back as the Target breach. It’s a very big attack surface, and I believe that third parties are absolutely a target for state-sponsored attacks and organized attacks.”

While cloud service providers “mitigate the risk of inside attackers through controls such as role separation, two-person integrity for especially sensitive operations, and alerting on suspicious administrator activities,” enterprises can improve their security posture against supply chain compromise, the report says. This includes encrypting data at rest and in transit, and also selecting cloud offerings that have had critical components evaluated against National Information Assurance Partnership (NIAP) Protection Profiles (PPs).

You Can’t Secure What You Can’t See

Christiansen suggests the NSA report could have included a couple additional pieces of cloud security guidance.

“The real salient parts are the right ones, and those are the things companies should be looking at when they evaluate their security strategy,” he said. “But where it’s less obvious” is in companies’ multi- and hybrid-cloud environment, where organizations may run some workloads on AWS, others on Azure, and still others in a private cloud. “How do we bring all these multi-cloud threat detection tools and be able to monitor these different environments? That point got a little lost. You have to look at not just one cloud provider, but all the cloud providers, and bring those all together in a single pane of glass.”

He also suggests putting controls in place to ensure that the security and IT teams know when a business unit uses a company credit card to purchase a new cloud instance or even software-as-a-service. “A business unit could do this, load confidential information on it, and it would be completely insecure because we didn’t even know about,” Christiansen said. “You can’t do all those things in the [NSA] guidance if you don’t know about it.”

Meet with the procurement and financial groups to review credit card statements and look for cloud purchases, he said. And then, implement a policy that says “thou shalt not do this, enforce that policy, and educate your staff.”

 

 
