Researchers unearth a huge botnet army of 500,000 hacked routers

More than half a million routers and storage devices in dozens of countries have been infected with a piece of highly sophisticated IoT botnet malware, likely designed by Russia-baked state-sponsored group.

Cisco’s Talos cyber intelligence unit have discovered an advanced piece of IoT botnet malware, dubbed VPNFilter, that has been designed with versatile capabilities to gather intelligence, interfere with internet communications, as well as conduct destructive cyber attack operations.

The malware has already infected at least 500,000 in at least 54 countries, most of which are small and home offices routers and internet-connected storage devices from Linksys, MikroTik, NETGEAR, and TP-Link. Some network-attached storage (NAS) devices known to have been targeted as well.

VPNFilter is a multi-stage, modular malware that can steal website credentials and monitor industrial controls or SCADA systems, such as those used in electric grids, other infrastructure and factories.

The malware communicates over Tor anonymizing network and even contains a killswitch for routers, where the malware deliberately kills itself.

Unlike most other malware that targets internet-of-things (IoT) devices, the first stage of VPNFilter persists through a reboot, gaining a persistent foothold on the infected device and enabling the deployment of the second stage malware.

VPNFilter is named after a directory (/var/run/vpnfilterw) the malware creates to hide its files on an infected device.

Since the research is still ongoing, Talos researchers “do not have definitive proof on how the threat actor is exploiting the affected devices,” but they strongly believe that VPNFilter does not exploit any zero-day vulnerability to infect its victims.

Instead, the malware targets devices still exposed to well-known, public vulnerabilities or have default credentials, making compromise relatively straightforward.

Talos researchers have high confidence that the Russian government is behind VPNFilter because the malware code overlaps with versions of BlackEnergy—the malware responsible for multiple large-scale attacks targeting devices in Ukraine that the U.S. government has attributed to Russia.

Although devices infected with VPNFilter have been found across 54 countries, researchers believe the hackers are targeting specifically Ukraine, following a surge in the malware infections in the country on May 8.

“The malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide,” Talos researcher William Largent said in a blog post.

The researchers said they released their findings prior to the completion of their research, due to concern over a potential upcoming attack against Ukraine, which has repeatedly been the victim of Russian cyber attacks, including large-scale power outage and NotPetya.

If you are already infected with the malware, reset your router to factory default to remove the potentially destructive malware and update the firmware of your device as soon as possible.

You need to be more vigilant about the security of your smart IoT devices. To prevent yourself against such malware attacks, you are recommended to change default credentials for your device.

If your router is by default vulnerable and cannot be updated, throw it away and buy a new one, it’s that simple. Your security and privacy is more than worth a router’s price.

Moreover, always put your routers behind a firewall, and turn off remote administration until and unless you really need it.

Hackers are exploiting a new zero-day flaw in GPON routers

Even after being aware of various active cyber attacks against the GPON Wi-Fi routers, if you haven’t yet taken them off the Internet, then be careful—because a new botnet has joined the GPON party, which is exploiting an undisclosed zero-day vulnerability in the wild.

Security researchers from Qihoo 360 Netlab have warned of at least one botnet operator exploiting a new zero-day vulnerability in the Gigabit-capable Passive Optical Network (GPON) routers, manufactured by South Korea-based DASAN Zhone Solutions.

The botnet, dubbed TheMoon, which was first seen in 2014 and has added at least 6 IoT device exploits to its successor versions since 2017, now exploits a newly undisclosed zero-day flaw for Dasan GPON routers.

Netlab researchers successfully tested the new attack payload on two different versions of GPON home router, though they didn’t disclose details of the payload or release any further details of the new zero-day vulnerability to prevent more attacks.

TheMoon botnet gained headlines in the year 2015-16 after it was found spreading malware to a large number of ASUS and Linksys router models using remote code execution (RCE) vulnerabilities.

Earlier this month, at least five different botnets were found exploiting two critical vulnerabilities in GPON home routers disclosed last month that eventually allow remote attackers to take full control of the device.

As detailed in our previous post, the 5 botnet families, including Mettle, Muhstik, Mirai, Hajime, and Satori, have been found exploiting an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws in GPON routers.

Shortly after the details of the vulnerabilities went public, a working proof-of-concept (PoC) exploit for GPON router vulnerabilities made available to the public, making its exploitation easier for even unskilled hackers.

In separate research, Trend Micro researchers spotted Mirai-like scanning activity in Mexico, targeting GPON routers that use default usernames and passwords.

Unlike the previous activity, the targets for this new scanning procedure are distributed,” Trend Micro researchers said. “However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords.”


How to Protect Your Wi-Fi Router From Hacking

The previously disclosed two GPON vulnerabilities had already been reported to DASAN, but the company hasn’t yet released any fix, leaving millions of their customers open to these botnet operators.

So, until the router manufacturer releases an official patch, users can protect their devices by disabling remote administration rights and using a firewall to prevent outside access from the public Internet.

Making these changes to your vulnerable routers would restrict access to the local network only, within the range of your Wi-Fi network, thus effectively reducing the attack surface by eliminating remote attackers.

We will update this article with new details, as soon as they are available. Stay Tuned!

DNS-Hijacking Malware Targeting iOS, Android and Desktop Users Worldwide

Widespread routers’ DNS hijacking malware that recently found targeting Android devices has now been upgraded its capabilities to target iOS devices as well as desktop users.

Dubbed Roaming Mantis, the malware was initially found hijacking Internet routers last month to distribute Android banking malware designed to steal users’ login credentials and the secret code for two-factor authentication.

According to security researchers at Kaspersky Labs, the criminal group behind the Roaming Mantis campaign has broadened their targets by adding phishing attacks for iOS devices, and cryptocurrency mining script for PC users.

Moreover, while the initial attacks were designed to target users from South East Asia–including South Korea, China Bangladesh, and Japan–the new campaign now support 27 languages to expand its operations to infect people across Europe and the Middle East.

How the Roaming Mantis Malware Works

Similar to the previous version, the new Roaming Mantis malware is distributed via DNS hijacking, wherein attackers change the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by them.

So, whenever users attempt to access any website via a compromised router, they are redirected to rogue websites, which serves:

  • fake apps infected with banking malware to Android users,
  • phishing sites to iOS users,
  • Sites with cryptocurrency mining script to desktop users

“After the [Android] user is redirected to the malicious site, they are prompted to update the browser [app]. That leads to the download of a malicious app named chrome.apk (there was another version as well, named facebook.apk),” researchers say.

To evade detection, fake websites generate new packages in real time with unique malicious apk files for download, and also set filename as eight random numbers.

Once installed, the attackers can control infected Android devices using 19 built-in backdoor commands, including–sendSms, setWifi, gcont, lock, onRecordAction, call, get_apps, ping and more.

If the victims own an iOS device, the malware redirects users to a phishing site that mimics the Apple website, claiming to be ‘,’ and asks them to enter their user ID, password, card number, card expiration date and CVV number.

Besides stealing sensitive information from Android and iOS devices, researchers found that Roaming Mantis injects a browser-based cryptocurrency mining script from CoinHive on each landing page if visited using desktop browsers to mine Monero.

Keeping in mind these new capabilities and the rapid growth of the campaign, researchers believe that “those behind it have a strong financial motivation and are probably well-funded.”

Here’s How to Protect Yourself from Roaming Mantis

In order to protect yourself from such malware, you are advised to ensure your router is running the latest version of the firmware and protected with a strong password.

Since the hacking campaign is using attacker-controlled DNS servers to spoof legitimate domains and redirect users to malicious download files, you are advised to make sure the sites you are visiting has HTTPS enabled.

You should also disable your router’s remote administration feature and hardcode a trusted DNS server into the operating system network settings.

Android device users are always advised to install apps from official stores, and disable the installation of apps from unknown sources on their smartphone by heading on to Settings → Security → Unknown sources.

To check if your Wi-Fi router is already compromised, review your DNS settings and check the DNS server address. If it does not match the one issued by your provider, change it back to the right one. Also change all your account passwords immediately.

Upgrading cyber attacks to a Grade A risk status

Businesses do themselves a good deal of harm if they think it is only a tech issue and worryingly the Middle East’s response to combat the threat lags the rest of the world.

Cybersecurity — you’re either ready or you’re not. The alarm has been sounding for quite some time. It is no longer a question of if your organisation may be subject to the risks of cyber-threats, but when.

The paradigm has shifted and the harsh realities of cybersecurity are no longer an emerging risk, they have emerged and are a business imperative. Things are only heading in one direction and, left undiagnosed and untreated, the prognosis is alarming.

The assets and wealth of financial institutions in the GCC have been identified as prime targets for cyber-criminals. While this is a global issue, the Middle East’s response to combat the threat lags the rest of the world.

As asset managers in the GCC seek to grow assets under management, they are failing to attract assets from sophisticated and discerning institutional investors who have already woken to the seriousness of the cyber-threat. GCC institutional investors and investment managers need to protect themselves and their investors from the fallout of financial losses, confidential data compromise, unlimited reputational damage and disruption associated with successful cyber-attacks.

The stats are not comforting. In a recent Marsh & McLennan Companies and Firefly survey of European institutions, 23 per cent of respondents acknowledged they had been a victim of a successful cyber-attack in the last 12 months. Nearly two-thirds said cyber-risk is among their organisations’ top five risk management priorities.

Only 45 per cent said they formally estimate the financial impact of a potential cyber event as part of risk management.

Last year was the most damaging for cybersecurity; Wanna Cry ransomware and NotPetya’s “wiper” malware permanently changed the global cyber-landscape. NotPetya is said to be responsible for $1 billion (Dh3.67 billion) in economic losses. If not sufficiently alarming, August 2017 saw the loss of 150 million consumer credit customers’ personal records and wiped $5 billion off market cap.

Whichever way you look at it, the prognosis is worrying. Cyber-incidents once considered extraordinary have rapidly become commonplace.

The cost of cybercrime to businesses over the next five years is expected to be $8 trillion. In a world with 7.6 billion people, there were an estimated 8.4 billion internet-enabled devices in 2017. The figure is projected to grow to 20.4 billion by 2020.

The world is experiencing the rise of cyber-dependency due to increasing digital interconnection of people, things and organisations. Greater cyber-dependency and the exponential rise in cybercrime are inextricably linked.

In response, the World Economic Forum Global Risks Report 2018 upgraded the risk of cyberattacks and data fraud or theft to top five risks by likelihood. In 2017, cyber was not even a standalone risk in the “Global Risk” landscape rankings. Ernst & Young suggest cyber-risk has evolved as a standalone critical risk category to be viewed not only as a technology issue, but as a pervasive business and operational risk with the potential for significant impact on assets, revenues, reputation, confidentiality and profitability.

In an effort to bring greater investor and consumer protections, whilst increasing the cyber-standard expected of organisations, a wave of regulation is emerging. The General Data Protection Regulation (GDPR) imposes far-reaching obligations surrounding cyber-breach disclosure.

Commentators suggest GDPR will “change the world as we know it” and, while GDPR is an EU legislation, other global financial centres are rapidly adopting similar, cyber-laws. GDPR breaches and non-compliance are expected to result in billions of dollars of fines annually.

Governments, regulators, supervisory boards, media and consumers will scrutinise executives’ responses to newly disclosed cyber-incidents that previously remained below the surface. Financial institutions in the GCC should not wait for regional regulators to impose similar requirements. Consider these five steps to manage the cyber-threat:

* Embed C-suite accountability

The stakes have changed for the C-suite. Cybersecurity has firmly taken its place on the corporate risk register and cyber-accountability rests with the board of directors. While the concepts of cybersecurity may be foreign for many executives, protecting your organisation against risk is not.

Experienced executives understand their limitations and leverage resources to fill the gaps. Setting the tone from the top, corporate boards should implement formal data and cybersecurity policies with appropriate governance and awareness processes.

* Understand the threat

Undertake an expert assessment to understand the scope of the threat and your organisation’s vulnerabilities. Understand the volume and criticality of unpatched software vulnerabilities.

* Implement the change

Strengthen your IT infrastructure by comprehensively tackling the vulnerabilities identified in the threat assessment. Further mitigate the risks of penetration by reducing your organisation’s attack surface.

* Educate your people

The role of human error in successful cyber-attacks should not be underestimated. Human behaviour lies at the core of security strategy. Creative and ongoing employee cyber-awareness should be implemented.

Monitor your infrastructure

Establish a framework for continuous IT network monitoring, including responsibility for identifying and applying critical software patches, and escalation to the C-Suite. Re-assess the IT environment and emerging threats regularly to ensure ongoing appropriateness versus the changing landscape.

Failure to take the reality of the cyber-threat seriously would be reckless. By embedding C-suite accountability, understanding the threat, implementing the change, educating your people and continually monitoring your IT infrastructure, you will be taking measures towards mitigating the countless cybersecurity risks we all now face.

— Nigel Morriss is Mercer Investments’ Head of Operational Risk for the Middle East, India, Turkey and Africa

2018: Scariest Year of Evil Things on the Internet

Acts of evil on the internet are on the rise, according to the 2018 Internet of Evil Things survey. In its fourth consecutive year, the survey, conducted by Pwnie Express, polled more than 500 security professionals and found their collective responses to be “the scariest survey results we’ve seen yet.”

The report indicates that security professionals have a heightened concern for growing threats, with 85% of respondents believing their country will suffer a major critical infrastructure cyber-attack in the next five years.

“The attack on a Schneider Electric safety system was considered a watershed moment because it demonstrated how hackers ‘might cause physical damage to a plant, or even kill people by sabotaging safety systems before attacking industrial plants,'” the report quotes Reuters as saying.

In addition to confronting issues with malware and ransomware, the survey found that nearly one-third of respondents reported being part of a distributed denial-of-service (DDoS) attack. Of those, more than 22% discovered attacks on wireless communications or access points.

While many respondents (64%) admitted to being stressed and uneasy about the lack of security in the internet of things (IoT), “one in three respondents said that their organizations were unprepared to detect connected device threats.” Despite nearly half (49%) of respondents admitting that they are concerned about consumer IoT devices, only 23% said they can monitor devices like smartwatches and other types of IoT devices.

Satya Gupta, CTO and co-founder, Virsec, echoed the concerns of survey respondents but noted that, while understandable, anxiety needs to be turned into actionable security.

“There is still a gap in understanding between IT and OT [operational technology],” Gupta said. “While most of the concern focuses on the devices (is my refrigerator spying on me?), most attacks come through IT channels. Especially in the ICS [industrial control system] space, the real dangers are from IT systems that automatically control myriad sensors, switches and other devices. Hacking a one-off device will cause limit damage, but hacking an ICS SCADA system can bring down an entire power plant or worse.”

Despite the risks, security professionals continue to be left out of purchasing decisions. Only 60% of survey respondents said that they have a role in the purchasing approval process for IT devices, which includes computers, mobile devices, and servers.

While 75% of security professionals said that they have a security policy in place for IT devices, only 35% have security policies for their building OT/IoT devices.

Nethammer—Exploiting DRAM Rowhammer Bug Through Network Requests

Last week, we reported about the first network-based remote Rowhammer attack, dubbed Throwhammer, which involves the exploitation a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.

However, a separate team of security researchers has now demonstrated a second network-based remote Rowhammer technique that can be used to attack systems using uncached memory or flush instruction while processing the network requests.

The research was carried out by researchers who discovered Meltdown and Spectre CPU vulnerabilities, which is independent of the Amsterdam researchers who presented a series of Rowhammer attacks, including Throwhammer published last week.

If you are unaware, Rowhammer is a critical issue with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause “bit flipping” in an adjacent row, allowing attackers to change the contents of the memory.

The issue has since been exploited in a number of ways to escalate an attacker’s privilege to kernel level and achieve remote code execution on the vulnerable systems, but the attacker needed access to the victim’s machine.

However, the new Rowhammer attack technique, dubbed Nethammer, can be used to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing, which would be possible only with a fast network connection between the attacker and victim.

This causes a high number of memory accesses to the same set of memory locations, which eventually induces disturbance errors in DRAM and causes memory corruption by unintentionally flipping the DRAM bit-value.

The resulting data corruption can then be manipulated by the attacker to gain control over the victim’s system.

“To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache,”

Since caching makes an attack difficult, the researchers developed ways that allowed them to bypass the cache and attack directly into the DRAM to cause the row conflicts in the memory cells required for the Rowhammer attack.

 Researchers tested Nethammer for the three cache-bypass techniques:

  • A kernel driver that flushes (and reloads) an address whenever a packet is received.
  • Intel Xeon CPUs with Intel CAT for fast cache eviction
  • Uncached memory on an ARM-based mobile device.

All three scenarios are possible, researchers showed.

In their experimental setup, researchers were successfully able to induce a bit flip every 350 ms by sending a stream of UDP packets with up to 500 Mbit/s to the target system.

Since the Nethammer attack technique does not require any attack code in contrast to a regular Rowhammer attack, for example, no attacker-controlled code on the system, most countermeasures do not prevent this attack.

Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers believe the Rowhammer threat is not only real but also has potential to cause real, severe damage.

For more in-depth details on the new attack technique, you can head on to this paper, titled “Nethammer: Inducing Rowhammer Faults through Network Requests,” published by the researchers earlier this week.

Barracuda Launches Web Application Firewall as a Service

Barracuda is making its Web Application Firewall platform available in a cloud-delivered model that benefits from a new management interface and improved configuration.

Barracuda Networks announced its cloud-delivered Web Application Firewall (WAF) service on May 16, providing organizations with a new approach to managing and deploying application security.

The Barracuda WAF-as-a-Service offering builds on the company’s existing WAF products, which include both physical and virtual appliances. The cloud-delivered version of the WAF, however, offers organizations new ways to manage, deploy and integrate application security into an application delivery stack.

“With the existing WAFs that we had, you would still have to go in—and whether it’s physical or virtual—you would still have to set up the machine, give it an IP address, connect it to the network, manage the policies and deal with failover,” Nitzan Miron, vice president of Product Management for Application Security Services at Barracuda, told eWEEK. “With WAF-as-a-Service, we take all the complexity and do it for customers.”

A WAF is a type of firewall that is purpose-built to help defend against application-layer threats and attacks. WAFs can be used to protect against known vulnerabilities in applications, including input validation and SQL injection types of risks.


Organizations set up WAF-as-a-Service by pointing their web server’s DNS records to Barracuda’s IP address, which filters the traffic and then forwards it, Miron said. Barracuda uses Anycast, a network approach that enables one IP address to be located in multiple locations, to route traffic to the closest geographically located Barracuda data center to help decrease latency and improve performance.

While the actual WAF enforcement engine in the new service is the same core technology that Barracuda has been evolving for over a decade, Miron said the management piece has been completely rewritten. The goal of the new management interface is to make it easier for organisations to configure features.

“When you first get started, you go through this very easy wizard, you set up your application, you enable security and you get the default best practices policy,” Miron said. “But then you can go in and you can modify any of the particular features to a very high level of detail.”

Going a step further, Miron noted that Barracuda’s WAF also benefits from the company’s vulnerability remediation service. With that service, organizations can run a scan of their web applications to identify vulnerabilities and then provide specific recommendations for remediation. He added that the remediations can be automatically configured in the WAF.

Miron said Barracuda is also working on predefined templates for common web frameworks to be able to automatically provide the right WAF policies.


Barracuda is also enabling its WAF-as-a-Service for DevOps with an API that developers can use. The WAF API allows developers to modify behavior of application traffic, Miron said. For example, if a developer is deploying a new system to production, what sometimes happens is as a new copy is deployed, the old copy is destroyed. With the API, Miron said developers can inform the Barracuda WAF to cut over traffic to the new system when it is deployed.

While the new offering is in some respects competitive with what Barracuda already offers, Miron doesn’t expect the new WAF-as-a-Service will cannibalize the company’s existing physical and virtual appliance WAF business.

“We found that customers usually have certain ways they want to do things,” he said. “We don’t see this as a cannibalisation. We’d love to have customers move to WAF-as-a-Service and enjoy the new features that come with the model, but we know some customers will continue to be happy running with what they have.”

Another severe flaw in Signal desktop app lets hackers steal your chats in plaintext

For the second time in less than a week, users of the popular end-to-end encrypted Signal messaging app have to update their desktop applications once again to patch another severe code injection vulnerability.

Discovered yesterday by the same team of security researchers, the newly discovered vulnerability poses the same threat as the previous one, allowing remote attackers to inject malicious code on the recipients’ Signal desktop app just by sending them a message—without requiring any user interaction.

To understand more about the first code injection vulnerability (CVE-2018-10994), you can read our previous article covering how researchers find the Signal flaw and how it works.

The only difference between the two is that the previous flaw resides in the function that handles links shared in the chat, whereas the new vulnerability (CVE-2018-11101) exists in a different function that handles the validation of quoted messages, i.e., quoting a previous message in a reply.

In other words, to exploit the newly patched bug on vulnerable versions of Signal desktop app, all an attacker needs to do is send a malicious HTML/javascript code as a message to the victim, and then quote/reply to that same message with any random text.

If the victim receives this quoted message containing the malicious payload on its vulnerable Signal desktop app, it will automatically execute the payload, without requiring any user interaction.

Attackers Could Possibly Steal Windows Password As Well

What’s worse?

In their blog post, the researchers also indicated that an attacker could even include files from a remote SMB share using an HTML iFrame, which can be abused to steal NTLMv2 hashed password for Windows users.

“In the Windows operative system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in an SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it,” the researchers explain.

Though they haven’t claimed anything about this form of attack, I speculate that if an attacker can exploit code injection to force Windows OS to initiate an automatic authentication with the attacker-controlled SMB server using single sign-on, it would eventually hand over victim’s username, and NTLMv2 hashed password to the attackers, potentially allowing them to gain access to the victim’s system.

We have seen how the same attack technique was recently exploited using a vulnerability in Microsoft Outlook, disclosed last month.

I can not verify this claim at this moment, but we are in contact with few security researchers to confirm this.

Researchers—Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matt Bryant—responsibly reported the vulnerability to Signal, and its developers have patched the vulnerability with the release of Signal desktop version 1.11.0 for Windows, macOS, and Linux users.

Signal users should immediately update their desktop application as soon as possible since now the vulnerability poses a severe risk of getting your secret conversations exposed in plaintext to attackers and further severe consequences.

Around 57% Indian IT managers can’t identify network traffic and 61% are clueless about bandwidth consumption: Sophos report

Nearly 57 percent Indian IT managers can’t identify network traffic while 61 percent don’t know how their bandwidth is consumed, a new report said on Wednesday, adding that the majority of Indian IT managers have legal liabilities when it comes to unidentified traffic at their workplaces.

According to British IT security company Sophos’ global survey titled The Dirty Secrets of Network Firewalls, 89 percent of Indian IT heads opined that stopping malware threats have become harder over the last year

“While 94 percent agree that stopping ransomware should be a top priority in organisations, a lack of effective application visibility is a serious security concern for 90 percent of Indian businesses,” said the report.

The survey polled more than 2,700 IT decision makers across mid-sized businesses in 10 countries worldwide, including India, the US, Canada, Mexico, France, Germany, the UK, Australia, Japan and South Africa.

“Controlling network traffic is an essential role of every firewall yet, 61 percent IT managers can’t tell you how their bandwidth is being consumed,” said Sunil Sharma, managing director Sales at Sophos India & SAARC.

“If you can’t see everything on your network, you can’t ever be confident that your organisation is protected from threats. IT professionals have been ‘flying blind’ for too long and cybercriminals take advantage of this,” Sharma noted.

About 79 percent of IT heads face security risks from unwanted or unnecessary apps.

While 72 percent want to see applications by risk levels through their organisation’s firewall, 60 percent concerned on productivity loss due to unwanted apps and 52 percent had legal liability or compliance concerns due to potentially illegal content,” the report said.

Considering the debilitating impact cyber attacks can have on a business, it’s unsurprising that 90 percent of respondents agree that a lack of application visibility is a serious security concern.

The survey further stated that 61 percent would like to see better perimeter security in their organisation’s network firewall along with better threat visibility and better protection.

“Ineffective firewalls are costing you time and money. On an average, organisations are spending 7 working days to remediate infected machines,” said Sharma.

A single network breach often leads to the compromise of multiple computers, so the faster you can stop the infection from spreading the more you limit the damage and time needed to clean it up.

“Companies are looking for the kind of next-generation, integrated network and endpoint protection that can stop advanced threats and prevent an isolated incident from turning into a widespread outbreak,” Sharma informed.

State of Cybersecurity 2018: Enterprises Can Do Better

There is certainly more awareness about the importance of cybersecurity now than ever before, but are things in cybersecurity better or worse than they were 12 months ago?

In the past year, we have seen mega-malware such as Wannacry and NotPetya temporarily wipe out some enterprises and services. We have seen new records set by DDoS attacks, with the largest event hitting a giddy 1.7 Tbps – and we have also seen that simply handling the capture and sharing of digital personal information about your subscribers in ways they do not like (even if they originally consented to it) can wipe a sizable percentage from the value of a company.

The nature of attacks is changing, too. Twelve months ago, cryptojacking (the hijacking of computer resources to perform paid cryptocurrency mining work) had rarely been heard of and fileless malware (malicious software that can persist and operate in the memory of computer devices) was a rare exploit type.

According to VirusTotal statistics, there were an average of more than one million potential new threat files submitted to them each day in March 2018. On some days, that figure came close to two million.

The speed and pace of the threat landscape evolution is overwhelming. To keep pace, cybersecurity teams are having to continually evolve and adapt to the new threat types, often needing to invest in new security technologies and adjust their defensive processes. They also have to invest in continual training, research and threat intelligence.

ISACA’s 2018 State of Cybersecurity research provides insights on these topics. Here are some of the selected results that raised my eyebrows:

Are boards and CEOs taking security more or less seriously than a year ago?
It seems that over the past 12 months, security has slipped down the boardroom agenda. According to the survey results, only 20% of organizations have their security function reporting to the CEO or main board. This represents an even lower figure than the 24% from last year (although the question in the previous year was phrased slightly differently).

Also, 57% of the practitioners surveyed believed that their main board was adequately supporting security initiatives, a 10% decrease from the 67% figure from the previous year.

On the bright side, 64% of enterprises were expecting to increase their cybersecurity budget this year, which also means that in 36% of enterprises, the expectation is to make do with the same or less money on their security efforts. That is an improvement over last year (where only 50% of respondents expected a security budget increase) but still shows a degree of complacency or risk-optimism in a sizable number of organizations.

Are enterprises keeping pace with emerging threats?
A good indicator of whether an organization is keeping pace is to understand how they are doing with their recruitment of skilled cyber professionals. In this area, 59% of organizations reported they had one or more unfilled vacancy within their teams.

There also was an 11% increase in the number of organizations reporting that the lead time to fill open security positions was now three months or longer (73% reported a recruitment lead time of three months or longer, up from 62% in the survey from the previous year).

Respondents to the survey also reported that over 50% of the candidates that applied were not qualified for the roles they were applying for.

According to the survey, the most frequent and difficult skills shortage area was acquiring people with appropriate operational technical cyber skills. More than 3 in 4 (77%) respondents thought they had needs for more technical staff, whereas only 21% thought they needed more executives and only 46% thought they needed more non-technical staff.

Have the opportunities for cyber-criminals increased or decreased in the past 12 months?
From the survey results, it looks like an overall win for the cyber-criminal. The chances are very good that many organizations have yet to acquire the budget, skills and controls required to match the increase in cyber threat and risk levels from the past 12 months.

Most organizations are still reporting challenges in filling their security team roles. If an enterprise does get hit, in about 80% of cases, the board or CEO will have to face questions about why the security function was not even reporting into the main board.

What can be done about this?
It’s time for every enterprise to think with far more care about their security function. Cybersecurity is a tough business. It requires people willing to continually learn and adapt their skills as the threats evolve. If your enterprise is not making the right investments in the training, recruitment and tooling for your critical security staff, the impact may be far greater than you ever thought.