Reports / Surveys
Security tool sprawl increases cyber risk in most firms
In an attempt to address mounting cyber threats, organizations are buying more and more security tools, even though they often lack the resources to properly implement and monitor those solutions, leading to “tool sprawl” and additional gaps in security, a recent survey by ReliaQuest found. 47% of firms have deployed 11-50 security tools, but these are rarely used continuously (15%), to their full potential (14%), or as intended (13%). In fact, 76% of infosec pros identify a tool tipping point after which additional tools begin undermining security, and a majority (53%) believe this tipping point, estimated at 22 tools, has been reached in their firm. In order to get the most out of their tools, organizations require better visibility (94%) and more integration and automation (93%).
Poor password management continues to put work and personal accounts at risk
A new study by HYPR underscores the challenges and risks of password-based authentication. A first issue is quantity, with 57% of individuals and 19% of employees using 10 passwords or more. In order to manage those passwords, about one-third of people rely on physical or digital lists at work (32%) and in their personal life (35%), even though this constitutes a major security risk. Password management apps are used by only 26% of employees and 30% of individual consumers, while the remaining 42% of workers and 35% of consumers rely on their memory alone. In their personal life, 72% of people reuse passwords across multiple accounts. People usually fail to keep track of all of their passwords, as a result of which many had to reset work (57%) and personal (78%) passwords in the last 90 days. Another disturbing finding is that about half (49%) of employees respond to a forced password change at work by reusing their old credentials with a minor change, which isn’t much safer than keeping the same password.
38% of employees use personal IoT devices at work, often without considering the security implications
Just 35% of consumers install security and other updates for their Internet-of-things (IoT) devices as soon as they are available, while 44% don’t install such patches at all, according to research (PDF) by Karamba Security. The failure of almost two in three (65%) people to promptly update their connected devices puts those devices at risk of compromise by threat actors. Moreover, the vast majority (72%) of consumers would continue to use an IoT device if they discovered it wasn’t properly secured against cyberattacks. The poor IoT security hygiene of consumers impacts organizations as well, since 38% of employees use personal IoT devices on their company’s network, and only 31% of those workers are certain the IT team knows about their personal connected devices.
Suspected holiday cyber fraud rose 60% since 2017
Suspected holiday cyber fraud in the five-day period between Thanksgiving and Cyber Monday has increased by 60% since 2017 and currently makes up 15% of all ecommerce transactions in this period, a recent iovation report shows. Almost two-thirds (63%) of suspected transactions were initiated from a mobile device, up from 59% in 2018 and 51% in 2017. This confirms the findings of a recent TransUnion survey, indicating that 46% of consumers worry about being targeted in a holiday cyber fraud campaign during the holiday season.
For more information about holiday cyber scams and how to avoid them, check out our recent blog post on this topic.
Leaky cloud buckets expose 1B email account passwords and 750K birth certificate applications in separate incidents
Two recent data breaches highlight how companies continue to leak sensitive user data by failing to secure cloud storage buckets. Last week, an independent security researcher found an unsecured Elasticsearch database containing over 2.7 billion email addresses together with 1 billion plaintext email account passwords. This week, researchers with Fidus Information Security reported that they discovered a leaky AWS S3 storage bucket containing over 752,000 US birth certificate applications. The exposed data includes full names, birth dates, home and email addresses, phone numbers and other personal data.
Freaky Infosec Fact of the Week
Russian hackers can accomplish a major breach within 19 minutes after gaining a foothold on a targeted network.
Figures released by CrowdStrike earlier this year show that in 2018, Russian nation-state threat actors accomplished an average "breakout time" - from initial compromise to major breach - of 19 minutes. This was way faster than hackers from North Korea (140 min), China (240 min) and Iran (309 min).
What You Can Do
As mentioned in the beginning of this post, many organizations are just deploying tools within the environment but are not fully using them. This is a critical security concern as it is important to be able to detect and respond to incidents in a timely manner. Considering many attacks don't get noticed for several months, it is imperative that organizations fully embrace the technology they use within their environment.
Furthermore, organizations should ensure that they need these tools and technologies. Many of the attacks that occur within an environment can be monitored for and detected using native operating system tools and security technology that already exists. To evaluate whether or not additional technology is even needed, organizations should consider first identifying their risks by performing a risk assessment based on a common framework such as NIST.
About Vonahi Security
Vonahi Security is building the future of offensive cybersecurity consulting services through automation. We provide the world's first and only automated penetration test that replicates full attack simulations with zero configuration. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io.