McAfee Labs Threats Report

McAfee researchers observed cybercriminals are still using spear-phishing tactics, but an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as RDP and virtual network computing (VNC). RDP credentials can be brute-forced, obtained from password leaks, or simply bought in underground markets. Where past ransomware criminals would set up a command and control environment for the ransomware and decryption keys, most criminals now approach victims with ransom notes that include an anonymous email service address, allowing bad actors to remain better hidden.


Big Security in a Small Business World 2020. By Cisco

This report  based on a survey of almost 500 SMBs (defined here as organizations with 250-499 employees)  reveals that not only do you take security very seriously, but that your innovative and entrepreneurial approach to security is also paying dividends. It’s time to bust some myths about the way in which SMBs are using their cybersecurity resources.


2020 Roundup Of Cybersecurity Forecasts And Market Estimates

  • Enterprises are predicted to spend $12.6B on cloud security tools by 2023, up from $5.6B in 2018, according to Forrester.
  • Enterprise spending on cloud security solutions is predicted to increase from $636M in 2020 to $1.63B in 2023, attaining a 26.5% CAGR.
  • Spending on Infrastructure Protection is predicted to increase from $18.3B in 2020 to $24.6B in 2023, attaining a 7.68% CAGR.
  • Endpoint security tools are 24% of all I.T. security spending, and by 2020 global I.T. security spending will reach $128B according to Morgan Stanley Research.
  • 71% of UK-based business decision makers believe the shift to 100% remote working during the COVID-19 crisis has increased the likelihood of a cyber-breach according to research by Centrify.
  • 70% of all breaches still originate at endpoints, despite the increased I.T. spending on this threat surface, according to IDC.

Cybersecurity now dominates the priorities of every organization as each adapts to a post-COVID 19 world. Remote workers identities’ and devices are the new security perimeter. This is what Zero Trust Security was designed for, and the post-pandemic world is its acid test and crucible. To learn more about how zero trust works, be sure to watch Forrester Principal Analyst Dr. Chase Cunningham’s video, Zero Trust, in Practice here. Dr. Cunningham’s latest book Cyber Warfare – Truth, Tactics, And Strategies, is a good read. Cyber attackers are quick to attack new unprotected threat surfaces created when tens of millions of employees started working from home. In a post-COVID-19 world, cybersecurity is as critical as Internet access itself.

Key insights from the series of cybersecurity market forecasts and market estimates include the following:

  • The global cybersecurity market is currently worth $173B in 2020, growing to $270B by 2026. By 2026, 77% of cybersecurity spending will be for externally managed security services.  While money spent on in-house or internal cybersecurity functions is expected to grow 7.2% each year to 2026, global spending on external cybersecurity products and services is projected to increase by 8.4% annually over the same period. Source: Australian Cyber Security Growth Network, SCP – Chapter 1 – The global outlook for cybersecurity, 2020. 
  • Network, data, and endpoint security are the three leading use cases of A.I. in cybersecurity today, according to I.T. executives. Capgemini interviewed I.T. executives from ten nations to gain new insights into A.I.’s most popular use cases for cybersecurity. The COVID-19 pandemic has accelerated each of these use cases, with endpoint security becoming the most urgent priority, as nearly every organization has employees working from home. Source: Statistica.
  • The global cybersecurity market is predicted to grow from $167.1B in 2019 to $248.26B by 2023, attaining a 10.4% CAGR, according to Statista. Worldwide security spending on Identity Access Management reached $10.58B in 2019. The study also found that spending on security services, the largest segment of the information security market, reached $64.24B in 2019 as well. Source: Statista.
  • 87% of enterprises are seeing mobile threats growing the fastest this year, outpacing other threat types, based on Verizon’s Mobile Security Index 2019. Mobile devices and the identities they represent are the new security perimeter for every organization today.  By killing passwords and replacing them with a zero-trust framework, breach attempts launched from any mobile device using pirated privileged access credentials can be thwarted. Leaders in the area of mobile-centric zero trust security include MobileIron, whose innovative approach to zero sign-on solves the problems of passwords at scale. When every mobile device is secured through a zero-trust platform built on a foundation of unified endpoint management (UEM) capabilities, zero sign-on from managed and unmanaged services become achievable for the first time. Sources: Verizon’s Mobile Security Index 2019 and Verizon Mobile Security Index (MSI) 2020.
  • The global cyber insurance market, as measured by gross written premiums, is forecast to be $8B by 2020, compared to a $124B global cybersecurity market.  Organizations primarily focus their cyber risk management strategies on prevention by investing in technological frontline cyber defenses. Meanwhile, spending on other tools and resources for cyber risk management, such as cyber insurance or event response training, remains a fraction of the technology budget. Source: Microsoft, 2019 Global Cyber Risk Perception Survey, September 2019
  • Over 42% of endpoints experience encryption failures, leaving entire networks at risk from a breach and 100% of all devices experiencing encryption failures within one year. They’re most commonly disabled by users, malfunction, or have error conditions or have never been installed correctly in the first place. Absolute Software’s 2019 Endpoint Security Trends Report found that endpoints often failed due to the fragile nature of their encryption agents’ configurations. 2% of encryption agents fail every week, and over half of all encryption failures occurred within two weeks, fueling a constant 8% rate of decay every 30 days. Multiple endpoint security solutions conflict with each other and create more opportunities for breaches than avert them. The study is based on data gathered from over 1B change events on over 6M devices is the basis of the multi-phased methodology. The devices represent data from 12,000 anonymized organizations across North America and Europe. Each device had Absolute’s endpoint visibility and control platform activated. Source: Absolute Software 2019 Endpoint Security Trends Report.
  • There has been a 667% increase in spear-fishing e-mail attacks related to COVID-19 since the end of February alone. Microsoft thwarts billions of phishing attempts a year on Office365 alone by relying on heuristics, detonation, and machine learning, strengthened by Microsoft Threat Protection Services. Kount discovered that e-mail age is one of the most reliable identity trust signals there are for identifying and stopping automated, fraudulent activity. Based on their research and product development, Kount announced Email First Seen capabilities as part of its AI-powered Identity Trust Global Network, which consists of fraud and trust signals from over half a billion email addresses. It also spans 32 billion annual interactions and 17.5 billion devices across 75 business sectors and 50-plus payment providers and card networks. The following is an overview of Kount’s technology stack and their Email First Seen solution. Source: How To Know If An E-Mail Is Trustworthy, March 11, 2020.
  • Fraud detection, malware detection, intrusion detection, scoring risk in a network, and user/machine behavioral analysis are the five highest A.I. use cases for improving cybersecurity. Capgemini analyzed 20 use cases across information technology (I.T.), operational technology (O.T.), and the Internet of Things (IoT) and ranked them according to their implementation complexity and resultant benefits (in terms of time reduction). The following graphic compares the recommended use cases by the level of benefit and relative complexity. Source: Capgemini, Reinventing Cybersecurity with Artificial Intelligence, A new frontier in digital security


Cisco and Palo Alto Networks appliances impacted by Kerberos authentication bypass

Cisco Systems and Palo Alto Networks have fixed similar high-risk authentication bypass vulnerabilities in their network security devices that were caused by an oversight in the implementation of the Kerberos protocol. Man-in-the-middle (MitM) attackers could exploit these weaknesses to get administrative control over the appliances.

Researchers from security firm Silverfort discovered both vulnerabilities, which are similar and could potentially exist in other Kerberos implementations. Cisco patched the flaw earlier this month and Palo Alto Networks this week.

The Kerberos vulnerabilities

The vulnerability in PAN-OS, the operating system that runs on network security devices and appliances from Palo Alto Networks, is tracked as CVE-2020-2002 and is rated high risk. The flaw exists in PAN-OS 7.1 versions earlier than 7.1.26, PAN-OS 8.1 versions earlier than 8.1.13, PAN-OS 9.0 versions earlier than 9.0.6, and all versions of PAN-OS 8.0. PAN-OS 8.0 has reached end-of-support and did not receive an update.

"An authentication bypass by spoofing vulnerability exists in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS by failing to verify the integrity of the Kerberos key distribution center (KDC) before authenticating users," the company said in its advisory. "This affects all forms of authentication that use a Kerberos authentication profile. A man-in-the-middle type of attacker with the ability to intercept communication between PAN-OS and KDC can login to PAN-OS as an administrator."

A similar vulnerability, tracked as CVE-2020-3125, exists in the Cisco Adaptive Security Appliance (ASA) Software and was patched on May 6. Devices running Cisco ASA Software are affected if they have Kerberos authentication configured for VPN or local device access.

Cisco's advisory contains manual instructions for administrators to check if Kerberos authentication is configured, as well as a table with fixed Cisco ASA versions. However, the company warns that addressing this issue requires making some configuration changes even after the software has been updated.

"Cisco ASA devices are vulnerable and can still be exploited unless the CLI commands validate-kdc and aaa kerberos import-keytab are configured," Cisco said. "These new configuration commands ensure that the ASA validates the KDC during every user authentication transaction, which prevents the vulnerability that is described in this security advisory."

Impersonating the Kerberos Key Distribution Center

Kerberos is a popular authentication protocol in enterprise active directory environments. However, to provide maximum security the protocol has three authentication steps: The user authenticates to the server, the server authenticates to the client, and the Kerberos key distribution center (KDC) authenticates to the server.

"Apparently, KDC authentication to the server is often overlooked," the Silverfort researchers said in a blog post. "Perhaps because requiring it complicates the configuration requirements. However, if the KDC does not authenticate to the server, the security of the protocol is entirely compromised, allowing an attacker that hijacked the network traffic to authenticate to PAN-OS with any password, even a wrong one."

Kerberos KDC spoofing is not actually a new attack and was first reported ten years ago by a security researcher named Dug Song. This suggests that both the Cisco ASA and Palo Alto PAN-OS implementations have been vulnerable for a long time. The Silverfort researchers discovered the oversight while trying to implement a multi-factor authentication solution compatible with third-party security appliances.

The company has the following recommendations for any developers implementing Kerberos:

  • Validate that the implementation of Kerberos requires a password or keytab: To validate the DC, you need to use some kind of shared secret. If your solution does not enable configuring a keytab file, or a service account password, the application is surely susceptible to KDC spoofing.
  • Run Wireshark: Use Wireshark to see what Kerberos requests are sent during authentication. If there is no TGS_REQ, it’s a red flag.
  • Follow protocol RFCs: If you want to implement an authentication protocol yourself, you must follow the protocol RFCs diligently. Silverfort recommends taking the easier route and use an existing implementation of these protocols.
  • Use third-party libraries properly: Some third-party libraries require specific configuration to avoid KDC spoofing. For example, a common library used for Kerberos called pam-krb5, has to have a keytab configured to work properly.