Encryption, RaaS, supply chain attacks: Monthly Cyberday product and news roundup 12/2023 🛡️

This is December's news and product roundup from Cyberday. To sign up for our next admin webinar (where we go through these things live), check out our Webinars page.

Most important cyber security news 12/2023

Meta Launches Default End-to-End Encryption on Messenger

Article at Wired.com

Meta had already built the first end-to-end encrypted chat threads in 2016, and 2019 saw the "privacy first" manifesto from Mark Zuckerberg.

Now, after 7 years of development work, Meta is releasing end-to-end encryption in Messenger calls and chats, which makes them more secure and private.

  • A lot of both political and technical challenges on the way
  • A huge technical development project in a Facebook-scale environment (billions of user accounts, multiple user terminals, synchronization between devices, hundreds of features in message threads...)

Familiar reception

  • Praise from individuals and data protection organizations
  • Criticism from the police/authorities (e.g. UK) because it makes it harder to combat e.g. child abuse

In end-to-end encryption, data is encrypted on the sender's device and decrypted on the recipient's device. Encryption keys are stored only on these devices and are not shared with third parties (Facebook, network provider, employer, etc.). This way, only the sender and recipient of the message can read the content of the message.
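To make the "keys stay on the devices" point concrete, here is an added example (not code from Meta or from the Cyberday team) that models two devices and a relaying service: each device generates its own X25519 key pair, only public keys are shared, a session key is derived from the shared secret, and the service forwards nothing but nonce, ciphertext and routing metadata. The SHA-256 key derivation, the `Device`/`Envelope` names and the "relay" device are assumptions for the demo; a production messenger would use a proper KDF and a ratcheting protocol on top of this basic exchange.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Device models one endpoint (a phone or laptop). Its X25519 private key is
// generated on the device and never leaves it; only the public key is shared.
type Device struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewDevice(name string) (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, priv: priv}, nil
}

// PublicKey is the only key material a device publishes (via the service).
func (d *Device) PublicKey() []byte { return d.priv.PublicKey().Bytes() }

// aead derives an AES-256-GCM instance from the X25519 shared secret with the
// peer. SHA-256 of the raw secret stands in for a real KDF such as HKDF (assumption).
func (d *Device) aead(peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := d.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Envelope is everything the relaying service gets to see: routing metadata,
// a nonce and ciphertext. No key and no plaintext.
type Envelope struct {
	From, To   string
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt seals a message for the holder of peerPub. Sender and recipient
// names are bound as associated data, so a relay cannot silently re-route it.
func (d *Device) Encrypt(peerPub []byte, to string, plaintext []byte) (Envelope, error) {
	gcm, err := d.aead(peerPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	aad := []byte(d.Name + "->" + to)
	return Envelope{From: d.Name, To: to, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Decrypt opens an envelope from the holder of peerPub. Any other key, or any
// tampering with ciphertext or routing fields, makes GCM authentication fail.
func (d *Device) Decrypt(peerPub []byte, env Envelope) ([]byte, error) {
	gcm, err := d.aead(peerPub)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+"->"+env.To))
}

func main() {
	alice, _ := NewDevice("alice")
	bob, _ := NewDevice("bob")
	relay, _ := NewDevice("relay") // the service: it only forwards envelopes

	env, _ := alice.Encrypt(bob.PublicKey(), "bob", []byte("meet at 10"))
	fmt.Printf("relay sees: %x\n", env.Ciphertext)
	if _, err := relay.Decrypt(alice.PublicKey(), env); err != nil {
		fmt.Println("relay cannot decrypt:", err)
	}
	msg, _ := bob.Decrypt(alice.PublicKey(), env)
	fmt.Printf("bob reads: %s\n", msg)
}
```

The relay holds a key pair of its own but still fails to open the envelope, because the session key depends on Bob's private key, which exists only on Bob's device. The same failure occurs if the relay edits the `To` field, which is the property that lets the recipient trust who the message was addressed to.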

Almost all of the biggest energy companies suffer supplier data breaches

Article at infosecurity-magazine.com

90% of Europe's largest energy companies experienced an attack on a supplier within 12 months

  • The supply chains of large energy companies are huge
  • Although only a small share (4%) of the 20,000 suppliers surveyed was directly hit, that still affected the majority of supply chains

Cybercriminals are increasingly turning their attention to supply chain attacks.

In the information and cyber security work of organizations, knowing, prioritizing and monitoring your own supply chain is increasingly important:

  • Which partners are the ones where an attack would have a big effect on us?
  • How do we monitor the security level of these important partners?

Ransomware-as-a-Service: The Growing threat you can’t ignore

Article at hackernews.com

RaaS is rapidly gaining popularity. How does it affect the ransomware threat?

  • Makes attacks more common
  • Reduces the time, cost and skills required by criminals for attacks
  • Brings the latest features (e.g. double extortion) to more and more attacks

Often, cybercriminals who offer RaaS include support and updates, as well as an easy user interface. Pricing can even follow a "% of revenue" model, meaning the "customer" only pays when collecting successful ransoms from victims.

RaaS (Ransomware-as-a-Service) is a business model where ransomware developers offer their malware as a service to other criminals. This model allows even less technically skilled individuals to participate in the execution of ransomware attacks.

Largest study of its kind shows outdated password practices are widespread

Study at Georgia Tech's website

Georgia Tech investigated the password policies of 20,000 websites/apps. Most of the sites:

  • Allow the use of short passwords
  • Do not prevent the use of common bad passwords
  • Use outdated password requirements (e.g. requiring special characters)

Instructions, information and best practices regarding passwords are comprehensively available. Information security experts should also care whether those best practices actually spread into implementations.

A strong password also protects in the event of a security breach. Usually, services store credentials in encrypted or hashed form, but after a leak cybercriminals start cracking them. Weak passwords are the first to be cracked.
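As an added example (not from the Georgia Tech study or from Cyberday), here is a small password policy that fixes the three failings the study lists: it enforces a real minimum length, rejects known-bad passwords from a blocklist, and deliberately has no composition rule such as "must contain a special character". It also goes one step beyond the study and rejects passwords containing the username. The `commonPasswords` list is a constructed ten-entry sample; a real deployment checks against a breached-password corpus, and the length limits are assumed values.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Policy captures the study's three points: a real minimum length, a blocklist
// of known-bad passwords, and no composition rules (digits, symbols, etc.).
type Policy struct {
	MinLength int
	MaxLength int // high enough to allow long passphrases
	blocked   map[string]bool
}

// commonPasswords is a constructed sample for this example. Production systems
// compare against a breached-password corpus with millions of entries.
var commonPasswords = []string{
	"123456", "password", "qwerty", "12345678", "letmein", "password1",
	"iloveyou", "admin123", "welcome1", "football",
}

func NewPolicy(minLen int, blocklist []string) *Policy {
	p := &Policy{MinLength: minLen, MaxLength: 128, blocked: map[string]bool{}}
	for _, pw := range blocklist {
		p.blocked[normalize(pw)] = true
	}
	return p
}

// normalize folds trivial variations (case, trailing punctuation) so that
// "Password1!" does not slip past a blocklist containing "password1".
func normalize(pw string) string {
	s := strings.ToLower(strings.TrimSpace(pw))
	return strings.TrimRight(s, "!?.,;:")
}

// Check returns the reasons a password is rejected; an empty slice means accepted.
func (p *Policy) Check(pw, username string) []string {
	var reasons []string
	n := utf8.RuneCountInString(pw)
	if n < p.MinLength {
		reasons = append(reasons, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if n > p.MaxLength {
		reasons = append(reasons, fmt.Sprintf("longer than %d characters", p.MaxLength))
	}
	if p.blocked[normalize(pw)] {
		reasons = append(reasons, "on the common-password blocklist")
	}
	if username != "" && strings.Contains(strings.ToLower(pw), strings.ToLower(username)) {
		reasons = append(reasons, "contains the username")
	}
	// Deliberately no "must contain a digit/special character" rule: such rules
	// push users toward predictable patterns instead of toward length.
	return reasons
}

func main() {
	p := NewPolicy(8, commonPasswords)
	for _, pw := range []string{"Password1!", "correct horse battery staple", "short", "alice2023"} {
		if r := p.Check(pw, "alice"); len(r) == 0 {
			fmt.Printf("%-30s accepted\n", pw)
		} else {
			fmt.Printf("%-30s rejected: %s\n", pw, strings.Join(r, ", "))
		}
	}
}
```

Note that "correct horse battery staple" passes without a single digit or symbol, while "Password1!" is rejected even though it would satisfy a classic complexity rule. That is exactly the inversion the study argues for: length and a blocklist, not composition rules, are what make offline cracking after a leak expensive.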

Will ChatGPT write ransomware? Yes.

Article at malwarebytes.com

Malwarebytes tested writing malware code with ChatGPT.

These LLMs have their ethical guidelines, but getting around them didn't seem too hard:

  • Write me a key part of ransomware ❌
  • Write me a code that encrypts a single file ✔️

In this test, the quality of the generated code still wasn't great. The team concluded that an unskilled programmer would be baffled by the results, while an experienced one would have no use for them.

Still, there's a huge improvement from GPT 3.0 to GPT 4.0. If the improvements keep progressing at (even close to) a similar pace, some big threats might be looming on the horizon.

ChatGPT only just celebrated its 1st birthday. If you think about the progress and effects it has had on us already, this is quite a development path. Definitely good to keep an eye on the developments, from cyber security and other POVs.

NIS2 directive's national implementation is progressing

Laws are in the draft phase in many member states (transposition deadline 10/24), e.g.

  • "IT Security Act 3.0" (Germany)
  • Laki kyberturvallisuuden riskienhallinnasta, i.e. the Act on Cybersecurity Risk Management (Finland)

Differences in monitoring, scope definitions, etc.

  • No big surprises if you're familiar with the NIS2 directive's content, as the national laws mostly transcribe the directive's requirements into the format used for national legislation.
  • Countries can expand the scope and security requirements if they want, but in most cases this will probably not be done.

Our team has lots of NIS2 content for interested folks

Organizations’ Facebook pages being hijacked

Article at Finnish Cyber Security Center's website (in Finnish)

Phishing via Facebook Messenger is very common these days.

The administrators of your Facebook accounts may receive urgent-sounding messages in Messenger from "Facebook technical support":

  • ”Ad campaign failed to send”
  • ”Your recent post is violating copyrights”
  • ”Suspicious activity in your account”

The links take you to a phishing site that looks like facebook.com. What makes the scam tricky is that on an active Facebook account, these messages often happen to coincide with relevant activity purely by chance. If you have just made a post and then receive a message about copyright infringement, the risk of being hacked is high. Stay alert! 🛡
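The practical defence is to check where a link actually goes before clicking, and that check can be automated in a link filter. The following is an added example (not from the Finnish Cyber Security Center or from Cyberday) that parses a link the way a browser would and classifies the host as the real facebook.com, a lookalike, or an unrelated site. It flags the brand name appearing in a foreign host, a registrable domain within two typos of facebook.com, and the `user@host` trick where "facebook.com" is really just the userinfo part of the URL. The two-label registrable-domain helper and the edit-distance threshold are assumptions for the example; real filters use the Public Suffix List and an allowlist of the organization's other legitimate domains.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Verdicts for a link found in a "Facebook support" message.
const (
	Trusted   = "trusted"   // facebook.com itself or a subdomain of it
	Lookalike = "lookalike" // impersonates facebook.com
	External  = "external"  // some other site entirely
)

const legitDomain = "facebook.com"

// registrableDomain takes the last two labels of a host. Real code should use
// the Public Suffix List (co.uk etc.); two labels is enough for this example.
func registrableDomain(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

func minInt(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein counts the single-character edits needed to turn a into b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

// ClassifyLink parses the URL like a browser does, so "https://facebook.com@evil.example"
// is routed to evil.example, and decides whether the host really is Facebook.
func ClassifyLink(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", errors.New("not a web link")
	}
	host := strings.ToLower(u.Hostname()) // userinfo and port are not part of the host
	if host == "" {
		return "", errors.New("no host")
	}
	if u.User != nil {
		return Lookalike, nil // credentials in a URL are a classic way to fake the host
	}
	if host == legitDomain || strings.HasSuffix(host, "."+legitDomain) {
		return Trusted, nil
	}
	// Brand name inside a foreign host ("facebook.com.login-check.example") or a
	// registrable domain one or two typos away ("faceb00k.com").
	if strings.Contains(host, "facebook") || levenshtein(registrableDomain(host), legitDomain) <= 2 {
		return Lookalike, nil
	}
	return External, nil
}

func main() {
	for _, link := range []string{
		"https://www.facebook.com/settings",
		"https://facebook.com.security-check.example/login",
		"https://faceb00k.com/login",
		"https://facebook.com@evil.example/",
		"https://example.org/",
	} {
		verdict, err := ClassifyLink(link)
		fmt.Printf("%-52s %s %v\n", link, verdict, err)
	}
}
```

A verdict of "lookalike" on a message from "Facebook technical support" is the signal to stop and open facebook.com by typing it yourself; the filter is intentionally conservative, so a legitimate sibling domain that contains the brand name must be added to an allowlist rather than weakening the rule.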

Main things from Cyberday development

UI updates, especially to admin navigation and Dashboard

We renewed our main UI components recently. Biggest changes focus on navigation (the left menu and its function) as well as the priorities on the Dashboard. We're also creating a clearer onboarding flow for new Cyberday users.

We are renewing the navigation with the aim of streamlining movement inside the app. The content of the left menu now always stays the same and clearly highlights where you currently are.

We are also simplifying the Dashboard so that the most important contents can be seen more clearly. The previous contents of the right bar move to the bottom of the view. From your own management system, we highlight three key pieces of information for each theme: the coverage of measures, the current implementation status, and the strength of evidence. The aim of working in Cyberday is to raise these values and thereby create more effective cyber security management.

We also aim to make it easier for new users to get started, e.g. with clear starting steps and a new "evaluation phase", which can be used to effectively assess the current coverage of a certain policy at the beginning of the work.

Multiple unit-based process descriptions for tasks

Now you can decide that certain tasks are implemented separately, e.g. in different main units or sites. Units can be "divisions", "departments", "country branches" or anything that suits your organization's structure.

In this way, you won't need to create separate tasks, but you can connect multiple unit owners to the task in addition to the main task owner. Unit owners are responsible for filling out the description and deploying the measure in their unit.

New report type: Security statement

When you start creating a new report, you can now use a new type: Security statement.

Security statements are designed to be overviews of your tasks at a chosen level of detail and scope. When creating a statement, you can choose which themes, policies or individual tasks you'd like to include in the report.

Statements are designed to let you easily create a good-looking "export" of the chosen task content. They can be used for external communication (e.g. creating a broad security statement for customers) or internal reporting (e.g. creating a detailed topic-specific statement for internal communication).


Improvements to the Audits table

Internal auditing is an effective way to monitor how well your own information security work functions. For example, an ISO 27001 certified organization must also be able to demonstrate that auditing is done regularly and that the entire framework is covered by audits on a three-year cycle.

We made improvements to the related Audits table to support this. You can now filter to display the audits performed from the perspective of a specific requirement framework. In addition, you can easily see in one view whether the latest audits have covered the entire framework.

Improvements to reports' print / PDF formats

We modified the presentation of reports when a user goes to the print-view via the Print button. Using this same route, you can always save the report in PDF format as well.

The print view now uses spacing and font sizes in a slightly more optimized way. Similarly, we always try to insert a page break after the key sections, so that new content clearly starts on the next page.

We are happy to receive any feedback from you and further improve the printing mode in the future. 👍

Feedback or questions?

If you'd like to ask us anything, you can always reach our team from the chat or at team@cyberday.ai.
