2023/11/15 09:23:07

Information security in the company

Information security is the comprehensive security of information and its supporting infrastructure against any accidental or malicious impacts that may result in damage to the information itself, its owners or supporting infrastructure. Information security tasks are reduced to minimizing damage, as well as predicting and preventing such impacts.

Main article: Information security

2023

Presented TOP-10 vulnerabilities of the external perimeter of Russian companies

Angara Security on November 14, 2023 presented a TOP-10 of vulnerabilities in the external perimeter of Russian companies.

The weakest points in the external perimeter of companies are support for the TLS 1.0/1.1 protocols, the use of weak SSL encryption algorithms and expired SSL certificates. These vulnerabilities mean that the connection to a remote resource, for example a website, is left unprotected, or modern browsers warn users that the resource is unsafe, which can eventually lead to an outflow of clients.

The anti-rating also includes self-signed SSL certificates, the absence of the HSTS header (RFC 6797), the use of a Diffie-Hellman modulus of 1024 bits or less in SSL/TLS (Logjam), and SSL certificates signed with a weak hashing algorithm.

In addition to the listed vulnerabilities, the top 10 includes parameters such as the use of an unsupported version of the web server, support for the weak RC4 cipher suites, and an SSL certificate chain that contains RSA keys shorter than 2048 bits.
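As an added example (not part of the Angara Security material), the Python below encodes the perimeter weaknesses listed above as checks over a scan record; the record layout, the constructed sample host and the end-of-life server banner list are assumptions, and in practice the record would be filled from a TLS scanner's output.

```python
"""Checks for the external-perimeter weaknesses listed above, applied to a
constructed TLS/HTTP scan record. The record layout and EOL_BANNER_PREFIXES
are assumptions made for this example, not Angara Security's scanner format."""
from datetime import datetime, timezone

# Server banner prefixes treated as unsupported (assumption for the example;
# in practice maintain this list from vendor end-of-life announcements).
EOL_BANNER_PREFIXES = ("Apache/2.2", "nginx/1.1")

# Point in time the audit is evaluated at (constructed).
SCAN_TIME = datetime(2023, 11, 14, tzinfo=timezone.utc)

# Constructed scan record for a hypothetical host; it deliberately trips most checks.
SAMPLE_SCAN = {
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["TLS_RSA_WITH_RC4_128_SHA", "ECDHE-RSA-AES128-GCM-SHA256"],
    "dh_bits": 1024,
    "cert": {
        "not_after": "2023-10-01T00:00:00+00:00",
        "self_signed": False,
        "sig_alg": "sha1WithRSAEncryption",
        "chain_key_bits": [2048, 1024],   # leaf, intermediate
    },
    "headers": {"Server": "Apache/2.2.15"},   # no Strict-Transport-Security header
}

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "DES", "MD5", "ANON")


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1:
    ';'-separated directives, case-insensitive names, max-age is required."""
    max_age, include_sub = None, False
    for raw in value.split(";"):
        name, _, val = raw.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if val.isdigit():
                max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return {"max_age": max_age, "include_subdomains": include_sub}


def audit(scan, now=SCAN_TIME, eol_prefixes=EOL_BANNER_PREFIXES):
    """Return the list of finding tags for one scan record (empty list = clean)."""
    findings = []
    legacy = [p for p in scan["protocols"] if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append("legacy-protocol:" + ",".join(legacy))
    ciphers = [c.upper() for c in scan["ciphers"]]
    if any("RC4" in c for c in ciphers):
        findings.append("rc4-cipher")
    if any(m in c for c in ciphers for m in WEAK_CIPHER_MARKERS):
        findings.append("weak-cipher")
    if scan.get("dh_bits") is not None and scan["dh_bits"] <= 1024:
        findings.append("dh-modulus-le-1024")   # Logjam-class weakness
    cert = scan["cert"]
    if datetime.fromisoformat(cert["not_after"]) <= now:
        findings.append("cert-expired")
    if cert["self_signed"]:
        findings.append("cert-self-signed")
    if cert["sig_alg"].lower().startswith(("md5", "sha1")):
        findings.append("cert-weak-signature-hash")
    if any(bits < 2048 for bits in cert["chain_key_bits"]):
        findings.append("chain-rsa-key-lt-2048")
    headers = {k.lower(): v for k, v in scan.get("headers", {}).items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    elif not parse_hsts(hsts)["max_age"]:   # absent max-age, or max-age=0 (policy withdrawn)
        findings.append("hsts-invalid-or-disabled")
    if headers.get("server", "").startswith(eol_prefixes):
        findings.append("unsupported-web-server")
    return findings


def audit_sample():
    """Convenience wrapper: audit the constructed sample host at SCAN_TIME."""
    return audit(SAMPLE_SCAN, SCAN_TIME)


if __name__ == "__main__":
    for tag in audit_sample():
        print(tag)
```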

"Information security employees may simply not be aware of the new services deployed by the IT department. To do this, you need to regularly inventory the external perimeter: daily, weekly. Vulnerabilities can be caused both by an unfinished vulnerability management process and by the exclusion of DevSecOps during the development of digital services," said Andrey Makarenko, head of business development at Angara Security.

Among its recommendations, Angara Security also notes the use of continuous monitoring services for the security of the external perimeter. On the one hand, this allows attacked digital assets to be identified in real time; on the other hand, it allows the criticality of cyber threats to be verified automatically using various indicators.

More than 50% of Russian companies take into account information security risks when making decisions

More than half (52%) of the surveyed Russian companies make key decisions taking into account information security risks. Large and medium-sized businesses pay attention to risks especially often, while the public sector is less involved in the issues of their analysis and assessment. This follows from the results of a study of information security risk management in organizations conducted by the Solar group of companies, which announced this on October 26, 2023.

The study was attended by 157 representatives of Russian companies from Moscow, St. Petersburg, as well as a number of cities of the Russian Federation with a population of more than 500 thousand people. 47% of the surveyed companies represent the medium-sized business segment (with revenues from 800 million to 5 billion rubles per year), 26% - large (with revenues from 5 billion to 60 billion rubles per year), 15% - the public sector and 12% - Enterprise (with revenues from 60 billion rubles per year). The average number of employees in respondent companies was 2,570.

According to the study, 60% of medium-sized businesses make most of their key decisions taking risks into account. Among large companies this share is 46%, and in the public sector and Enterprise it is 41% each. At the same time, the share of companies making key decisions without taking risks into account is larger in the state segment than in other industries: 32% of the surveyed state-owned companies. For comparison, in the Enterprise and medium-sized business segments the share of such organizations is almost half that (18%), and in large business it does not exceed 17%.

In only 12% of the surveyed companies is risk management still at the formation stage; in the others it is implemented and works to one degree or another. Enterprise is the leader in terms of maturity in assessing and analyzing risks: 18% of companies in this segment have the most developed and advanced risk management systems, and in almost half of cases it significantly affects the work of the organization. In second place in terms of maturity is large business (7% of the total number of companies in this segment), in third the public sector (5%), and in last place medium-sized business (3%).

In about half of organizations, risk analysis takes place at least once a year, and in only 17% does it occur situationally: in the event of major changes, after incidents, etc. The average period for revising the risk and threat model is one and a half years.

After the introduction of risk analysis, most companies (40%) note a reduction in the number of information security incidents, 33% a reduction in losses from incidents, and another 28% a decrease in the cost of eliminating the consequences of incidents.

"It is worth emphasizing that almost all (95%) Russian companies analyze the risks of significant digital and business changes. Analysis and assessment of information security risks is an important and demanded procedure that ensures the full functioning of the company and its effective development. Business understands this, but it still has a long way to go to reach a sufficient level of maturity," said Darya Koshkina, head of cyber threat analytics at Solar Group.

More than 90% of Russian companies have implemented or are ready to implement solutions to identify Internet threats

The vast majority (92%) of Russian companies are open to working with solutions for detecting Internet threats. Of these, 31% are already working with this class of solutions, and another 61% plan to implement them within the next two years. These are the results of a study by Solar Group on the level of knowledge and use of products for identifying Internet threats in the domestic market. The company announced this on October 20, 2023.

The survey was attended by 153 Russian companies from Moscow, St. Petersburg and other cities with a population of more than 500 thousand people. 15% of the surveyed companies represent the Enterprise segment (revenue of more than 60 billion rubles per year), 22% large business (revenue from 5 to 60 billion rubles per year), 29% medium-sized business (revenue from 800 million to 5 billion) and 34% the public sector. The average number of employees in respondent companies was 23 thousand people.

Over the past year, the information security threats Russian companies faced most often were sensitive data leaks (33%), attacks on unprotected resources associated with the deployment of new information assets (26%), the appearance of fake news (25%) and negative publications about the business in open sources (23%). The average damage from one such incident amounted to about 2 million rubles (excluding reputational losses, which as a rule are spread over 3-5 years).

At the same time, the study shows that more than half of the specialists (55%) in the information security market are not familiar enough with services for identifying Internet threats. 11% of the companies surveyed know this class of solutions well and have personal experience with it, and 43% are well aware of it but have not tested such solutions in practice. Medium-sized businesses are somewhat more familiar with such services than large businesses.

Companies that have already implemented solutions for identifying Internet threats most often use them to detect leaks (53%), search for public resources that illegally use the company's brand (47%), monitor negative coverage in the media (45%) and detect new or incorrectly decommissioned information assets in the infrastructure (43%).

"Our external digital threat monitoring service Solar AURA revealed that since the beginning of the year, 92 TB of confidential data from 200 Russian organizations have been publicly available. Cybercriminals are constantly improving tools for attacks on business and government agencies, so it is important to pay attention not only to protecting the company's own perimeter, but also to the external cyber landscape, in order to identify and block Internet threats in a timely manner. To this end, we implement comprehensive monitoring of both open and shadow external sources for our customers, offer an operational response to phishing (blocking a discovered malicious site takes from 1 hour), and conduct analytical investigations," said Igor Sergienko, director of the Solar AURA Center for Monitoring External Digital Threats at Solar Group.

Security analysis and network security are leading among the most demanded information security services in the financial and insurance sector

Angara Security experts, based on an analysis of more than 450 competitive procedures and implemented projects in the banking sector for 2022-2023, have identified five key areas of information security that are relevant for banks, financial organizations and insurance companies. Angara Security announced this on October 18, 2023.

The leader in the ranking of the most popular services (more than 21%) was consulting and audit of the information infrastructure, which includes compliance, the formation of information security policies in accordance with the requirements of market regulators, the categorization of CII objects, and the search for optimal models for building an information security loop, taking into account the equipment and software available on the market.

In second place (more than 20%) are services for analyzing the security of the information infrastructure. These include finding vulnerabilities in web applications, user interfaces and the IT systems of organizations that manage personal data arrays and technological processes, as well as identifying vulnerabilities in foreign software and equipment that were left without support after the vendors left. Demand for these services increased from 14% in 2022 to 20% in 2023.

In third place (more than 15%) are perimeter protection and network security. It is here that the lack of import-substitution solutions ready for implementation is felt most seriously: for example, SIEM and NGFW, software-defined network infrastructures and domain infrastructure management solutions, network access control solutions, secure cloud access brokers and firewall audit automation.

In fourth place are SOC services, as well as event monitoring and response (more than 7%). Unlike large banks, which deploy their own SOCs on their infrastructure, most mid-level organizations cannot carry out in-house projects of this level on the basis of their own resources alone. At the same time, such organizations (for example, regional subsidiaries of large financial and insurance institutions) are regarded as an "entry point" for cyber attacks on the infrastructure of federal banks, due to the lower level of information security of dependent organizations and their contractors and a lack of funding and specialists, including in the field of digital forensics. In fifth place (7%) are services for protection against targeted and DDoS attacks.

"When migrating from foreign solutions, customers expect Russian solutions of similar functionality and reliability. However, copying the functionality of information security products is clearly not enough. In the development of Russian solutions, it is necessary to focus on the creation and implementation of breakthrough technologies in products, which is critical for the long-term development of the market," Angara Security experts note.

Among the promising areas, the company also notes AI-based solutions, the widespread use of DevSecOps in fintech, Threat Intelligence, digital forensics, vulnerability management services, and brand protection practices for mass financial services.

Shortage of personnel and funding - the main problems in the formation of information security infrastructure of state organizations

Since the beginning of 2022, regional and federal authorities have been facing cyber attacks on the IT infrastructure of their departments; this was reported by 73% of respondents to a joint study by the Center for Training Managers and Teams of Digital Transformation of the Higher School of Economics, RANEPA and Angara Security. The survey was attended by more than 100 representatives of Russian federal and regional departments: heads of IT and information security divisions, digital transformation leads and specialists in the relevant areas. Angara Security announced this on September 28, 2023.

Cyber attacks on IT infrastructure are combined and based on tools such as malicious software, phishing and DDoS attacks on external services (sites, servers, network equipment). Each of these types of attack occurs in 40% of incidents involving attacks on infrastructure. To a lesser extent, direct attacks on users using social engineering methods are recorded.

"The intensive development of hacker technologies requires a response at various levels: from incident response to system monitoring and security audit, to the development of the digital culture of the organization's employees, including regular training on both the basic principles of security in the digital world and trends in the development of information technology and information security. At the same time, the digital culture of employees should be built into the corporate culture of the organization and considered a priority for ensuring the security of information and data," said Natalya Garkusha, director of the Center for Training Managers and Teams of Digital Transformation of the Higher School of Economics of the RANEPA.

"In most cases, cyber attacks target both employees and the network protection of the external perimeter of organizations. Cybercriminals most often use the easiest to implement and lowest-cost tools, while a person remains the most vulnerable link in the chain. Therefore, at the basic level, it is important to build systematic monitoring of the protection of the external perimeter and regularly raise the cyber literacy and awareness of employees who are not involved in information security and IT infrastructure activities," the Angara Security press service noted.

Angara Security experts note that antivirus software alone is no longer enough to protect software against malware; more modern threat detection methods are needed, such as sandboxes, which run any file from an unknown source in a secure isolated environment and detect malware that antivirus can miss. In addition, antivirus software is less effective against phishing attacks that lead users to web resources.

Managers and information security specialists also identified a number of challenges they face in protecting organizations from cyber attacks. Most respondents noted difficulties with a shortage of personnel in IT and information security (68%) and a lack of funding for the purchase of necessary software and equipment (64%).

23% of organizations do not have the resources to process the information coming from their information protection tools, and 18% do not have enough expertise to configure the information security system to the target level.

59% of the heads of information security departments began to have a positive attitude towards "remote"

59% of the heads of information security departments have come to have a positive attitude towards remote work. This was announced on September 20, 2023 by the SearchInform company.

More than 330 heads of information security services from Russian companies in the credit and financial, industrial, oil and gas, transport, construction and other industries took part in the survey.

At the same time, the heads of information security services still believe that some specialists should not be allowed to work remotely. Thus, 32% of respondents are not ready to allow employees with access to critical data to work from home, and 9% would not allow regular violators of security policies to do so.

Figure 1: How do you feel about remote work?

Interestingly, the results of the SearchInform study carried out after the start of the lockdown, in April 2020, showed the opposite attitude of information security directors to the remote work format. At that time, 61% of the heads of Russian companies considered remote work unsafe from the point of view of information security. And according to the results of the first pandemic year, 90% of respondents noted that the IT infrastructure of their organizations had become more vulnerable with remote work.

Figure 2: Who should not be allowed to work remotely?

"The positive attitude towards remote work reflects the trend of the last three years: business processes have normalized, companies have adapted to controlling employees outside the office and ensuring security. This is despite the fact that in 2020, only 23% of companies did not control employees remotely. Information security specialists have experience in organizing protection for various formats of employee work and know how to rebuild the IT infrastructure in practice. Companies have begun to use existing information security tools more effectively, in particular DLP systems, thereby reducing the risks of data leaks," said Alexey Parfentiev, head of analytics at SearchInform.

71% of Russian companies faced cyber attacks on their web resources in the first half of the year

According to a survey conducted by CROC Cloud Services and SolidWall, a developer of a web application protection solution, in the first half of 2023, 71% of Russian companies faced cyber attacks on their web resources. Most of them suffered from several types of combined attacks at the same time. At the same time, 37% of respondents admitted that they still do not protect their web resources. CROC announced this on September 15, 2023.

According to the survey results, DDoS attacks were the most common, encountered by 64% of respondents. This simple type of attack is the mass generation of identical requests to a resource, often using botnets or redirection vulnerabilities on third-party sites. While massive DDoS attacks distract the attention of security specialists, attackers often launch password brute-forcing, which is part of an already targeted attack. 57% of respondents faced this type of attack.

The number of attacks exploiting various software vulnerabilities increased by 28%. They also often go in conjunction with DDoS. In 2022, 15% of companies mentioned such attacks, and in the first half of 2023, 43% had already been affected by them. Mainly, known vulnerabilities in open source components or popular frameworks and CMS are used to carry them out. This is because, as of September 2023, attackers have many tools for searching for them en masse on the Internet. Companies also quite often face ransomware (18%).

Separately, there is a growing trend of attacks on mobile applications, while the level of their security is not growing. This is partly due to less than effective development and testing methods, and partly to the low level of user literacy. Often this gives criminals access to the user's own data and devices. At the same time, for some years companies have deliberately left potential vulnerabilities unaddressed for the convenience of using the application, for example: the absence of two-factor authentication, password complexity requirements, etc. This situation will continue, as mobile applications are increasingly entering the lives of ordinary people, and the speed of adoption of secure development methods does not keep up with the needs of the business. The latter is aggravated by a general shortage of specialists.

"The main trend associated with threats to web resources is the increasing capabilities and simplification of attacks. This is because specific tools and knowledge for searching for and exploiting vulnerabilities, as well as for using the results, are becoming available to a wider range of cybercriminals," said Vyacheslav Zheleznyakov, director of business development at SolidSoft.

The survey found that 37% of companies do not protect their web resources at all. The most popular means of protection were Anti-DDoS (63%), WAF (42%) and Antibot (32%). The main barriers to deploying their own protection tools, besides underestimating the risks, are their high cost, long delivery, connection and configuration times, and a lack of the necessary competencies. All these factors drove rapid growth in demand for cloud-based security tools: the number of such requests to CROC Cloud has doubled over the past six months. The most effective defense for repelling attacks was shown to be three echelons: Anti-DDoS, Antibot and WAF. They help neutralize DDoS attacks, filter botnet requests, and protect web resources from cyber attacks in real time.

"Protecting a company's web resources is a necessity for running a successful business. The growing demand for cloud protection has been the market's logical response to the multiplying threats and the inability of companies to provide security on their own. First, providing protection from the cloud dramatically reduces the cost of deploying and supporting it, while enabling rapid implementation. Secondly, cloud protection guarantees continuous updates and monitoring, freeing the company from the need to spend resources on independent maintenance and infrastructure updates," said Sergey Zinkevich, director of the CROC Cloud Services business unit.

67% of companies avoid public statements about data breach incidents

SearchInform experts analyzed the situation with information leaks in domestic companies for the first half of 2023. In particular, they investigated how companies respond to leaks and how many organizations notify Roskomnadzor of the incident. This was announced by SearchInform on August 7, 2023.

According to SearchInform estimates, 103 leaks had occurred by the end of June. Most often, incidents with confidential data occur in retail companies: more than a quarter of all cases. Every 12th incident falls on financial and IT companies (including those that serve state and near-government customers). The remaining leaks were identified in organizations in education, catering, industry, construction, health care and other industries, none of which accounted for more than 2% of incidents. Together with personal data, the source code of projects, internal documentation, technical information, medical information, corporate e-mail addresses, etc. were leaked. 88% of leaks occur in commercial organizations, 11% in state organizations and 1% in NPOs.

The vast majority of organizations (67%) prefer to refrain from commenting in the media or publicly apologizing on their website or in blogs. Small companies whose name has not yet become a "brand" are more likely to avoid comment entirely. One in 11 companies decided to directly confirm the leak to the media. Another 7% of companies confirmed the leak, but with reservations that the leak was old, was caused by a third-party service or contained non-critical data. 5% completely denied the leak, and 2%, despite the negative response from the media, transmitted information about the incident to Roskomnadzor.

Figure: Companies' reaction to leaks

After incidents, organizations restore services, check all security systems, reset all passwords in the system if necessary, change the keys to servers and services that could have been compromised, investigate the leak and send data to Roskomnadzor. Roskomnadzor publicly announced inspections of companies 23 times, and in at least 5 of those cases the organization had not notified the agency of the incident. For fresh leaks in the first half of the year, 3 companies were fined. None of the fines exceeded 60 thousand rubles, the lowest bar from which punishment for personal data leakage begins.

"The situation with leaks was greatly influenced by the moratorium on inspections of enterprises and entrepreneurs. Companies that store huge amounts of client data, such as services, local retail and microfinance organizations, are small and medium-sized businesses. The 'hands' of Roskomnadzor did not always reach them before, and taking into account the ban, over these six months there was no authority to check companies at all. On the issue of the number of fines and their amount, I agree with the opinion of deputy Alexander Khinshtein. There should not be many fines; they are not a source of filling the budget, but a preventive measure and motivation for the head of the company to think about data protection. The amount of the working fines is already known; their upper limit will be 500 million rubles. The amount is significant, but this is not the only payment that could threaten companies. After the large-scale leak at Yandex.Eda, judicial practice began to develop: some users file lawsuits. There are not many such precedents yet, since the amount of compensation is low and there are difficulties with assessing 'evidence from the Internet,' but this trend cannot be discounted. Even compensation of 5,000 rubles for a leak of more than 100 thousand lines, plus payment of a potential fine, can add up to an amount quite comparable to the budget for purchasing protective solutions, and for some it exceeds it," shared Olga Minaeva, GR director of SearchInform.

There were no high-profile incidents involving claims against personal data operators in the first half of 2023: not a single company received a lawsuit from customers whose data was compromised.

Many Russian companies do not have professional protection against DDoS attacks at the L7 level

StormWall conducted an analytical study on the availability of professional protection against DDoS attacks among the 100 largest Russian companies by revenue, as reported on July 4, 2023. According to the experts' data, all leading companies use external solutions to protect against attacks at the L3-L4 level (network level), but the situation with protection at other levels raises concerns. The experts found that 30% of companies on the TOP-100 list do not have any professional protection against attacks at the L7 level (application level). In this case, companies are either not protected at all or are trying to fight attacks on their own, which is not always effective.

More than 60% of the heads of information security departments have already identified events that are unacceptable for their organizations or plan to do so

Positive Technologies on May 31, 2023 presented the results of a survey which found that domestic companies and organizations are actively introducing the concept of effective cybersecurity. According to the study, 71% of respondents are familiar with this concept, and more than 60% of the surveyed specialists and managers have already identified events that are unacceptable for their organizations or plan to do so in the near future. Twenty percent of all respondents reported that cyber exercises had been carried out in their organizations or bug bounty programs had been launched. Awareness of the concept of effective security in the community is growing, and demand for measurable cybersecurity with a guaranteed result is increasing in the market.

The survey revealed that some organizations are improving internal processes in accordance with the new approach: 27% of all respondents reported that their companies have already compiled a list of unacceptable events for them, and another 34% plan to do so. In 22% of cases, respondents replied that their organizations were able to build a number of processes necessary to maintain cyber resilience, including such as monitoring and countering cyber threats.

"Every fifth respondent noted that their company has introduced the practice of conducting cyber exercises or has even launched a program for searching for vulnerabilities for a fee, a bug bounty," said Ekaterina Semykina, an analyst at the Positive Technologies research group. "Earlier it was believed that the launch of such programs was primarily of interest to high-tech companies. We see how this trend is also covering segments such as services, retail, government and financial institutions, insurance, transport and others. In the coming years, we predict the development of a new type of program aimed not only at finding vulnerabilities, but also at demonstrating the implementation of an unacceptable event for the organization. Companies are already showing interest in this approach and are waiting for the first successful examples of its implementation."

The Positive Technologies study notes that the role of cybersecurity in the sustainability of business and the state is becoming more and more significant, and that the need for effective security is one of the key ideas in achieving a high level of protection. At the same time, the experts emphasize that the changes are noticeable at the level of regulators: Presidential Decree of the Russian Federation No. 250 of May 1, 2022 "On Additional Measures to Ensure the Information Security of the Russian Federation" forced many Russian companies to reconsider their approach to ensuring their protection, and also indicated that responsibility for cybersecurity now lies with the leadership and first persons of the company. A tangible contribution in this direction was made by Federal Law No. 152-FZ, which obliges companies to notify Roskomnadzor and the FSB of personal data leaks within 24 hours of their occurrence, as well as the experiment of the Ministry of Digital Development described in Government of the Russian Federation Resolution No. 860 and aimed at assessing the effective security approach.

Cybercriminals need an average of 7 days to achieve the goal

It takes cybercriminals an average of 7 days to achieve their goal. This conclusion follows from a report prepared by Solar JSOC CERT, the company's incident investigation center, which RTK-Solar announced on April 14, 2023.

Experts attribute this trend to an increase in the number of politically motivated attacks, as well as their growing complexity. Less professional hackers unite under the leadership of highly qualified attackers, and various tools for carrying out attacks (malware, exploits, etc.) are increasingly distributed free of charge on dark web forums or even on Telegram channels. At the same time, the cyber protection of many organizations is still not high enough.

The analytics are based on investigations conducted from March 2022 to March 2023. In total, 40 successful attacks involving penetration into the IT infrastructure of Russian organizations from the public sector, industry, energy, retail, telecom, media and finance were analyzed.

Investigations have shown that cybercriminals have 3 main goals: data encryption for ransom, cyber espionage and hacktivism. The latter became the main trend in 2022 - the number of such cases increased 5 times. For the greatest resonance, hacktivists chose organizations known to the general public from the public sector, the media, finance, telecom and other industries as victims.

In 54% of cases, vulnerabilities in services accessible from the Internet were used to penetrate the victim's infrastructure. The most common example is ProxyLogon (a critical 2021 vulnerability in Microsoft Exchange Server). Despite how widespread this mail service is, many companies are in no hurry to fix the flaw. As a result, attackers can not only quickly gain access to employee correspondence but also, having penetrated the IT infrastructure, develop the attack further on the local network. The Solar JSOC CERT investigations also included compromises of services such as Apache, Oracle WebLogic Server and Bitrix. As a rule, this technique was used by hacktivists and by hackers who encrypt the infrastructure.

Professional APT groups used more diverse methods of obtaining initial access. In the reporting period, for the first time, attacks through contractors were used more often than infection through classic phishing. Against the backdrop of an increasing threat, large companies have strengthened their cyber protection, including against malware delivered by mail, so professional attackers had to look for entry points at contractors. The latter are usually worse protected, and through them attackers can get into the infrastructure of the main victim.

"We saw many alarming trends. Firstly, the attention of cybercriminals is now attracted by the entire Russian IT infrastructure, and not by its individual segments, as before. We see how the activity of pro-state APT groups has grown. Their interests have long not been limited to federal and regional authorities. We meet them in the infrastructures of energy companies and even the media. We must not forget about the accelerating development of attacks and the improving skills of hackers. Increasingly, professional attackers are uniting hacktivists under their leadership. The latter learn not only to organize DDoS or defacements, but aim at a long presence in the IT infrastructure and even at gaining access through related organizations. All this suggests that protection against cyber attacks is becoming a priority for all areas and industries," said Igor Zalevsky, head of the Solar JSOC CERT Cyber Incident Investigation Center at RTK-Solar.

Over the year, companies strengthened the external perimeter, but forgot about internal networks

Over the year, against the background of numerous cyber attacks, Russian companies strengthened the protection of their IT perimeters, but they still underestimate the threat of an internal intruder. This follows from the results of pentests conducted by RTK-Solar experts from March 2022 to March 2023. Thus, a third (35%) of companies passed the external pentest (a year earlier, this figure was only 24%). At the same time, goals inside the IT perimeter were achieved in 100% of cases (a year earlier, only in 63%). The company announced this on April 3, 2023.

In total, during the reporting period, experts from the security analysis department of the Solar JSOC cyber attack counteraction center of RTK-Solar carried out about 80 projects in various industries, including the public sector, telecom, energy, IT and retail. The results suggest that companies have genuinely taken care of the real security of their IT infrastructure and closed some of the weaknesses. The impetus for this was the constant attacks after the start of the SVO, the active exploitation of various vulnerabilities by attackers, and reports by information security specialists on current threats. In particular, this applies to corporate web applications, which have always been and remain the weakest link in the external perimeter. If at the beginning of 2022 a low level of their security was noted in 53% of projects, this figure is now 20%.

However, the number of successful internal pentests has grown significantly. At the same time, more than 90% of the examined infrastructures were marked by a low level of security. This means that organizations do not pay due attention to protecting the internal perimeter, even despite constant cyber attacks.

"The past year has greatly influenced the approach of companies to their own cybersecurity. Weaknesses on the external perimeters, which formed over 2 years of the pandemic and remote work, had to be hastily closed, because many vulnerabilities were easily located and exploited even by medium-qualified hackers. Meanwhile, internal networks still show an extremely low level of security. Moreover, most of the vectors that our specialists have successfully implemented include the exploitation of well-known vulnerabilities that allow you to gain full control over the domain and do not require complex tools or a customized set of exploits," said Alexander Kolesov, head of the security analysis department at RTK-Solar.

The most common vulnerabilities in external perimeters are associated with weak account passwords, lack of access control, exploitation of vulnerabilities in well-known software (for example, Bitrix) and the ability to inject SQL code.

Weak and reused passwords are also a key issue in internal networks. In one organization, this vulnerability made it possible to carry out a Password Spraying attack (aimed at guessing account credentials) and compromise more than 180 domain accounts.
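Password spraying has a distinctive shape in authentication logs: one source touches many accounts with only one or two failures each, instead of hammering a single account. The detection logic below is an added example, not code from RTK-Solar or from the report; the log lines, IP addresses and account names are constructed, and the thresholds are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (sources, names and times are
# invented for this example): "<ISO timestamp> <source IP> <account> <result>"
SAMPLE_LOG = "\n".join(
    # one failed attempt against each of 12 different accounts from one source
    [f"2023-03-01T09:00:{i:02d} 10.0.0.5 user{i:02d} FAIL" for i in range(12)]
    # a single user mistyping their own password twice from their own host
    + ["2023-03-01T09:05:00 10.0.0.77 alice FAIL",
       "2023-03-01T09:05:10 10.0.0.77 alice FAIL",
       "2023-03-01T09:05:20 10.0.0.77 alice SUCCESS"]
)


def parse_events(text):
    """Parse the constructed log format into (time, source, account, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, account, result))
    return events


def detect_password_spraying(events, window=timedelta(minutes=10),
                             min_accounts=10, max_failures_per_account=2):
    """Return {source_ip: sorted account list} for every source whose failed
    logons touch at least `min_accounts` distinct accounts inside `window`
    with at most `max_failures_per_account` failures per account. That is
    the low-and-slow spray profile; a brute force against one account has
    many failures on a single account and is not matched here."""
    failures = defaultdict(list)            # source -> [(time, account)]
    for ts, src, account, result in events:
        if result == "FAIL":
            failures[src].append((ts, account))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        best = {}
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, account in attempts[start:end + 1]:
                per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_failures_per_account
                    and len(per_account) > len(best)):
                best = dict(per_account)    # keep the widest matching window
        if best:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, accounts in detect_password_spraying(parse_events(SAMPLE_LOG)).items():
        print(f"spray from {src}: {len(accounts)} accounts, e.g. {accounts[:3]}")
```

The window and threshold values are the tuning knobs: lowering `min_accounts` catches slower sprays at the cost of false positives from shared proxies, so in practice the source field is often an egress IP or an authenticating host rather than a raw client address.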

The problem in the vast majority (more than 80%) of web applications is incorrect access control settings, and the most common example is insecure direct object references (IDOR). Thanks to this vulnerability, an attacker can, without an administrator's permission, gain access to an object (a user, an account in the personal cabinet, etc.) and perform various manipulations on it. In 62% of applications, data on their structure, components and operating features were disclosed. At the same time, in most cases, the vulnerable functionality is available to any external user, even one without any privileges in the application.
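To make the access-control defect concrete, here is an added example (not code from the study or from any of the tested applications) showing an insecure direct object reference beside a hardened handler. The in-memory account store, user names and exception types are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    owner: str      # login of the user the account belongs to
    balance: int


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Object missing or not owned by the caller (deliberately one error)."""


# Constructed in-memory store standing in for the application's database.
ACCOUNTS = {
    1: Account(1, "alice", 100),
    2: Account(2, "bob", 250),
}


def get_account_vulnerable(session_user, account_id):
    """IDOR: the identifier from the request is used directly and the only
    check is that the object exists. Any caller, even one with no session,
    can walk through the ids and read every account."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise KeyError(account_id)      # also discloses which ids exist
    return acct


def get_account_hardened(session_user, account_id):
    """Authorization is decided on the object: the caller must be
    authenticated and must own the account it asks for."""
    if session_user is None:
        raise Unauthorized()
    acct = ACCOUNTS.get(account_id)
    # One answer for 'does not exist' and 'not yours', so responses cannot be
    # used to map out which ids are valid.
    if acct is None or acct.owner != session_user:
        raise Forbidden()
    return acct


def list_own_accounts(session_user):
    """Preferred API shape: derive the object set from the session instead
    of trusting an id supplied by the client."""
    if session_user is None:
        raise Unauthorized()
    return [a for a in ACCOUNTS.values() if a.owner == session_user]


def raises(exc, fn, *args):
    """Small helper so callers can check failure paths without try/except."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", get_account_vulnerable("alice", 2))           # bob's data
    print("hardened forbids:", raises(Forbidden, get_account_hardened, "alice", 2))
```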

Over 60% of companies face privileged access threats on a monthly basis

The company Rostelecom-Solar published the results of the study "Threats of privileged access in Russian organizations" on March 20, 2023. More than 60% of Russian companies face threats from privileged users once a month or more often. The most common type of threat is downloading prohibited content: 13% of large and small companies, as well as 11% of government agencies, deal with it once a month or more often. In addition, organizations are seriously threatened by privileged users bypassing security policies for personal purposes: 19% of large companies, 18% of small organizations and 21% of government agencies suffer from this monthly or more often.

Over 50% of respondents fear an increase in the number of impersonal and unmanaged accounts in the organization and the lack of visibility of all privileged users. It is these factors, according to most large companies, that most interfere with organizations in protecting against threats of privileged access.

Moreover, most problems with such access are associated with remote, not office, employees. In a remote format, in 80% of cases it is more difficult to establish whether the remote privileged user's credentials have been compromised. In this category, 80% of users work on their personal devices, and 80% of them have problems with authentication in the corporate network (passwords, two-factor, etc.).

More than half of Russian companies see the implementation of full control over the actions of external suppliers, counterparties and contractors in the company's information systems as the main task in reducing threats of privileged access. At the same time, information security market experts note that as of March 2023, almost half of all data leaks from domestic organizations occur through counterparties.

At the same time, only 10% of companies use appropriate specialized systems to solve problems with privileged access. 30% use other, non-specialized systems, and 41% of companies control the access of privileged users manually (accordingly, the threats associated with the human factor increase seriously). Another 19% of organizations have accepted these risks and do not control the access of privileged users at all.

"Some of the respondents we interviewed noted with regret that so far the management of Russian companies lacks an understanding of the importance of reducing the risks of privileged access. Others lamented the lack of budgets for information security in general and for access management in particular. Meanwhile, more than half of all violations of access rights lead to leaks of confidential information, the punishment for which the country's leadership seeks to tighten. And stolen privileged accounts are used in the vast majority of cyber attacks," said Dmitry Bondar, director of the Solar inRights access control competence center at Rostelecom-Solar.

For the purpose of the study, more than 100 Russian companies were interviewed in the B2G, B2E, B2B and SMB segments. The companies represent the regions, Moscow, St. Petersburg and cities with a population of over 1 million. Over 60% of the organizations belong to the commercial sector, 20% of respondents were companies with state participation, and the rest were government agencies. The survey included information security and IT specialists, IT and information security directors, department managers, operating directors and business owners.

75% of companies do not comply with the requirements of the law on personal data

On March 1, 2023, the company K2 Integration announced a survey among enterprises on the implementation of the requirements of the federal law "On Personal Data." It turned out that 75% of companies have not yet complied with the provisions of the law that took effect in September 2022. And almost no one is fully ready to comply with the second part of the amendments, which comes into force on March 1, 2023. More than 100 business representatives from different industries of the economy took part in the survey.

On September 1, 2022, the first part of the requirements of Federal Law No. 266-FZ of 14.07.2022 came into force. It aims to increase the responsibility of personal data operators, make their activities more transparent and protect the personal data of Russian citizens. In particular, the law obliges companies and sole proprietors (SP) to notify Roskomnadzor about incidents related to personal data leaks within 24 hours, and then to report the results of an internal investigation into such an incident within 72 hours.

The entry into force of the second part of the amendments to the Law "On Personal Data" from March 1, 2023 implies a further strengthening of measures to control the processes of processing personal data (PD). For example, in the March package of changes, the greatest attention is paid to the cross-border transfer of PD: a requirement was introduced to notify Roskomnadzor about the cross-border transfer of personal data, the timing and procedure for their consideration were determined, cases of restriction and prohibition on cross-border transfer of PD were established. In addition, the degrees of harm that can be caused to the subject of personal data are introduced, the procedure for assessing and documenting the results is determined, and requirements for confirming the fact of destruction of personal data are established.

According to the results of the K2 Integration survey, a third of respondents (31%) are ready to fulfill the March requirements to varying degrees, while only 3% are fully ready, and 66% have not yet started this process.

A considerable part of those who seek to fulfill all the requirements of Law 266-FZ experience difficulties in applying it. The greatest difficulty among the surveyed companies is caused by the requirements for notification of incidents in the field of personal data: 56% of respondents face them. Almost as many (53%) have not yet figured out the nuances of assessing harm to subjects; 47% consider the most difficult part to be making changes to local regulations in the field of personal data, which govern the system for processing personal data within the organization; and 41% name compliance with the requirements for the destruction of personal data.

"In 2022, according to Roskomnadzor, there were more than 150 data leaks in Russia; according to other sources, there were even more of them. Such an increase in the number of leaks explains to a certain extent the tightening of requirements for the handling of incidents in the field of personal data," said Anastasia Fedorova, head of information security consulting at K2 Integration. "At the same time, since September 2022, about 100 notifications of leaks have already been submitted to Roskomnadzor."

2022

The overwhelming majority of companies pay attention to improving the information security literacy of employees

On February 20, 2023, the SearchInform company announced that it had found out in which companies employees are actively trained in information security rules.

According to the company, SearchInform experts analyzed the state of information security in domestic companies. In particular, they investigated how organizations solve the issue of teaching employees the basics of information security: creating complex passwords, recognizing phishing, telephone fraud, etc. This is important for the prevention of internal violations and of external attacks where the entry point is an employee (such attacks are recorded by 11% of organizations).

Do you teach employees the rules of information security?

The overwhelming majority (78%) of companies pay attention to improving the information security literacy of employees. Of these, 59% have written regulations that employees must study on their own; this is the most popular form of training.

"As of February 2023, this is the most common approach, because the simplest thing is to formulate the rules for working with data once. But few people read such regulations. It's like a fire safety briefing. Familiarizing people with them 'under signature' is useless: people will sign 'for show' or read 'diagonally,' because they do not believe in the reality of the risk or do not understand why it concerns them and is important in their work. It is necessary at least to check how much of the information is learned, and better still to show its benefits in practice. This takes time and effort, which is limited for information security departments, and management is not always ready to tear employees away from work for the sake of non-core training. It is necessary to increase the security of companies and reduce the risks of attacks and leaks, because the negative consequences of information security incidents will affect the entire business, including employees," said Aleksei Drozd, head of the information security department at SearchInform.

Realizing that instructions alone are not enough, some organizations combine approaches to learning. Thus, 51% send letters to employees with warnings about threats, 12% conduct webinars demonstrating information security problems and ways to avoid them, and 16% arrange full-scale cyber training. Some respondents turn to the services of specialized organizations: 27% use free training programs from information security experts, 17% are ready to pay for such courses for employees.

How does the company train information security literacy employees?

It is noteworthy that 82% of state organizations conduct training for staff, compared with 77% of organizations in the commercial sector. The public sector is also more willing to order paid training from suppliers (22% versus 15% in the private sector), but it is much less likely to organize cyber training (10% versus 19% in business).

By industry, the situation with the information security literacy of personnel looks best in retail and healthcare: 80% of organizations there conduct regular training, which is more than in industry, for example. However, in medicine this is limited to providing employees with information security regulations for independent study (70%), and in retail, only 5% resort to courses by external information security experts. Practice-oriented training methods are used most often in oil and gas companies: 21% organize cyber training, 13% conduct webinar demonstrations.

"Clarity in teaching such abstract things as cyber literacy is the key to success. So that the proverbial manager understands why it is important to have different passwords for personal and work accounts, learns to distinguish Internet fraud, and makes sure that outsiders do not get access to his work documents, you need to show him with live examples how non-compliance with the rules turns out. It is important that the examples are as close as possible to his field of activity and habits. Then you need to make a 'cut' of how employees learned the information. One of the most effective ways is cyber training. This is an opportunity for information security specialists to assess the vigilance of employees, and for employees to feel a threat on themselves," recommended Aleksei Drozd.

The SearchInform study took place from September to November 2022 in 25 cities. It was attended by more than 1,100 respondents: IT and information security specialists and managers from state, commercial and non-profit organizations in all areas of the economy.

77% of organizations in Russia are not sufficiently protected from hacking

The Innostage Security Analysis Group conducted penetration testing (pentest) in Russian companies and shared the interim results on December 28, 2022. The purpose of the pentest was to obtain the maximum possible privileges or perform an illegitimate action in relation to the organization's IT infrastructure.

In 77% of organizations, specialists managed to gain administrative access to critical objects or sensitive information, being outside the external perimeter.

In internal pentests (from inside the IT infrastructure), the domain infrastructure was compromised in 91% of participating organizations. The fastest compromise took only 3 hours.

In phishing mailings, in every second company more than 10% of employees responded to the letter and performed the requested actions: sent a reply with the requested information, launched malware, or entered credentials. In one company, this response rate reached 34%, which clearly indicates a lack of employee awareness of social engineering attacks.

"The results we have obtained say that in 61.5% of organizations the level of security is insufficient to counter an external violator, and in 91% it is insufficient to protect against an internal violator," said Alexander Borisov, head of the Innostage security analysis department.

Innostage analysts note that the main vulnerabilities used in overcoming the network perimeter are vulnerabilities in web applications and the use of weak passwords for external network services.

The use of predictable passwords by users not only enables an external remote attacker to overcome the organization's network perimeter, but also makes the internal IT infrastructure vulnerable. Often, a password policy exists in companies only on paper: organizations did not apply any additional means that could control its implementation. The standard controls used by companies could not ensure decent compliance with password length or complexity requirements, and in services that do not support centralized password policy management, credential control was completely absent.
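A policy "on paper" usually means the only enforcement is the platform's built-in complexity rule, which a password like Summer2023! satisfies. The checker below is an added example (not an Innostage tool) of the extra control this paragraph refers to: it rejects dictionary-based and year-suffixed passwords that pass a plain length-and-character-class rule. The word list, the leetspeak mapping and the thresholds are assumptions chosen for the illustration.

```python
import re

# Constructed short word list; a real deployment would use a much larger one
# (breached-password corpora, company and product names, local place names).
COMMON_WORDS = {"password", "qwerty", "welcome", "summer", "winter",
                "spring", "autumn", "admin", "company", "letmein"}

# Undo the usual substitutions (P@ssw0rd -> Password) before the dictionary check.
LEET = str.maketrans("0134$@5!|", "oieasasil")

MIN_LENGTH = 12
MIN_CLASSES = 3
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def _class_count(password):
    return sum(1 for p in CLASS_PATTERNS if re.search(p, password))


def passes_platform_complexity(password):
    """The typical built-in rule (8+ characters, 3 of 4 character classes)
    that a paper-only policy relies on; shown to contrast with check_password."""
    return len(password) >= 8 and _class_count(password) >= 3


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if _class_count(password) < MIN_CLASSES:
        violations.append("too_few_classes")
    # Normalize: undo leetspeak, lowercase, keep letters only, then look for
    # the account name and for dictionary words inside the result.
    base = re.sub(r"[^a-z]", "", password.translate(LEET).lower())
    if username and username.lower() in base:
        violations.append("contains_username")
    if any(word in base for word in COMMON_WORDS):
        violations.append("dictionary_word")
    # Season+year and name+year are the classic spray candidates.
    if re.search(r"(19|20)\d{2}", password):
        violations.append("contains_year")
    return violations


if __name__ == "__main__":
    for candidate in ("Summer2023!", "P@ssw0rd2023", "Ivanov#2023!!", "Tq7#vLm2!pXw9Rz"):
        print(f"{candidate:18} platform={passes_platform_complexity(candidate)!s:5} "
              f"policy={check_password(candidate, 'ivanov')}")
```

The point of the contrast is that every candidate except the last passes the platform rule, while the policy check rejects three of them; the check belongs wherever a password is set (domain password filter, identity provider hook, application signup), not only in an annual audit.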

In addition to dictionary passwords, Innostage analysts single out redundant and unsafe protocols. In most cases they were not a technical necessity but simply a default setting.

Vulnerabilities whose exploitation contributed to the successful conduct of attacks during internal testing, and the percentage of the frequency of use during the work by Innostage specialists are presented below:

  • use of predictable passwords (87%),
  • use of unsafe protocols (78%),
  • insecure configuration of accounts in AD (39%),
  • insecure configuration of hosts in the domain (39%),
  • absence of forced signing of protocols (34%),
  • insecure password storage (30%),
  • lack of delimitation of access to information placed in shared network folders (17%),
  • insecure AD CS configuration (13%).

Based on the results of the work, the organizations received recommendations to increase the level of security, taking into account the peculiarities of import substitution.

A third of Russian companies increase the budget for security

The results of a survey conducted among 1124 information security specialists and information security directors of Russian companies showed that a third of Russian companies increase the budget for security. The main growth in purchases is expected from 2023. This was announced on December 16, 2022 by the SearchInform company.

According to the company, the security budget grew the most among companies that belong to critical information infrastructure (CII): 39% of the surveyed representatives of CII subjects reported this. Slightly behind are those classified as system-forming organizations (36%).

"The picture for system-forming organizations and CII subjects reflects the general attention to security in these categories of companies. The summary data and individual government organizations are of concern. Given that almost 100% of them are personal data operators, it can be seen that the aspect of protecting this information remains underestimated. Not enough budget is allocated for protection. At the same time, given this shortage, there are no significant measures of state support so that personal data operators can actively implement protective software, especially in small and medium-sized businesses," commented Alexey Parfentiev, Head of Analytics at SearchInform.

How the budget for the purchase of protective software has changed

Companies most often allocate a budget for the extension of license keys (78% of respondents), for the purchase of equipment and software (54%). For all organizations that belong to CII subjects, backbone or PD operators, these figures are higher.

Companies whose information security costs increased in 2022 are noticeably more likely to direct the budget to the purchase of equipment and software. This is due mostly to companies seeking to pay for hardware before it rose in price, or fearing a shortage.

What goals information security budgets are spent on

The real needs of the business still noticeably outweigh the motive of fulfilling regulators' requirements. The mirror picture is seen only among CII subjects and state organizations.

"State organizations and CII subjects hold huge volumes of personal data and sensitive information. Strict legislative requirements have a positive effect on their equipment with protective solutions. But information security programs are usually complex systems that you need to work with. And if information security specialists do not see the benefits for themselves, this creates the risk of formal rather than real protection. The breakdown by industry shows that only companies in the financial and oil and gas areas are actively increasing budgets. In other industries, especially in retail, the situation is worse than the general picture. At the same time, the trade sphere has always been among the 'leaders' in terms of equipment with protective software. The abundance of personal and commercial data that needs to be protected motivated the active introduction of data protection software. Therefore, it will be more correct to draw conclusions in 2023 about whether we are observing a vector toward reducing attention to the task," said Alexey Parfentiev.

What is the main motivator for the implementation of protective software
How the budget for information security in organizations has changed

The general picture of budget allocation was noticeably different only in the pandemic year of 2020, when companies were forced to urgently reorient themselves to a remote format of work and security issues were postponed. In about 60% of companies, the budget remains unchanged, while information security in companies is underfunded and equipment with protective tools remains insufficient. According to a 2021 study, less than half of companies in Russia are introducing serious means of protection against cyber attacks, and most limit themselves to antivirus.

How the budget for the purchase of protective software is changing
"We predict that the situation will begin to change starting in 2023. This is a global trend: Gartner reports that in 2023 the market, unbalanced by geopolitical uncertainty, will normalize. This global trend has its own development in Russia. In 2022, the problem of information protection became obvious. In addition to the traditional risks of information leaks and ransomware attacks, which most have faced before, many companies have become victims of so-called hacktivism. In addition, we predict that deferred demand will begin to work. Even those companies that are not obliged to switch to Russian software factor in the business risks of foreign vendors leaving. Trust in them has been undermined, and at a pace comfortable for themselves, companies will strive for import substitution," added Alexey Parfentiev.

SearchInform has conducted the study "The situation with information security in companies in Russia and the CIS" for the sixth year in a row. The respondents were more than 1000 information security specialists and information security directors. The survey was conducted between September and November 2022.

Half of Russian companies saw the need to rebuild their own cyber defense systems

By the end of 2022, almost half (42%) of Russian organizations had come to the conclusion that they need to rebuild their cyber defense system. This figure is higher in the public sector: 61%. The main reasons that forced a revision of the approach to information security: the growth of cyber threats (more than 50% saw an increase in the number of significant incidents after the start of the SVO), the introduced regulatory requirements (Decree No. 250 and others), the departure of foreign vendors from Russia and the need for import substitution. This data follows from a study by experts of the RTK-Solar company, which announced it on November 25.

In total, more than 150 respondents were interviewed, representing government, large and medium-sized businesses, including the IT industry, transport, retail and health care. The survey was conducted in the 1st and 4th quarters of 2022, which made it possible to see the results in dynamics. Information on procurement and the actual number of solutions on the Russian cyber security market was also analyzed.

Organizations plan to rebuild their information security systems with the help of Russian information security vendors, and 76% of respondents said they would switch to domestic information security tools by the end of 2022. However, as of November 2022, the share of Russian information security solutions is 35% (in Q1, this figure was 29%). By the end of 2023, their share may reach 52%, so the pace of import substitution will not decrease.

VPN gateways are in greatest demand: 29% of respondents plan to implement or replace them. Information protection regulations play an important role here. In second place in popularity (19%) are leak protection systems (DLP), which is due to an increase in insider incidents. The respondents also plan to introduce domestic secure web gateways (SWG), firewalls (NGFW), web application protection systems (WAF) and security event management systems (SIEM).

"The actual share of domestic solutions increased by 6-8% in 2022. But at the same time, certain barriers remain that interfere with import substitution. In particular, respondents pointed to an increase in the cost of Russian information security tools, by an average of 14%. Also, more and more companies are talking about increasing delivery times. In Q1, 47% of respondents faced such a problem, and by Q4 their share rose to 59%. So that the situation does not worsen, it is already necessary to work out approaches to import substitution of key information security tools," said Yulia Kosova, head of the market analytics group at RTK-Solar.

The purchase of new SMTs is not the only measure that organizations are taking against the backdrop of an increasing threat. So large commercial companies began to actively develop plans to respond to incidents. If at the beginning of the year there were only 50% of such companies, then by the 4th quarter there were already 70%. The public sector is trying to strengthen its own information security services. In the 4th quarter, 24% of respondents noted that they hired new specialists, and at the beginning of the year there were only 12% of them. It is noteworthy that for commercial companies, a cyber attack is associated primarily with reputational risks, while the public sector is more afraid for the loss of data from closed systems.

Unpatched trend vulnerabilities found in 100% of companies investigated

In 100% of the companies studied, unpatched trend vulnerabilities were found. Positive Technologies announced this data on November 22, 2022. The top 10 most common trend vulnerabilities in companies include known vulnerabilities in Microsoft products, most of them in Windows OS components and Microsoft Office packages.

Trend vulnerabilities are dangerous vulnerabilities that are actively used in attacks or will be used in the near future with a high degree of probability. The top 10 common trend vulnerabilities include vulnerabilities from past years; according to Positive Technologies, they remain relevant and are actively used by attackers.

The study builds on the results of MaxPatrol VM's 27 largest pilot projects, which were conducted in 2022. In all organizations (100% of the companies studied), trend vulnerabilities were discovered that are actively exploited by attackers and for which vendors have already released recommendations and updates.

On average, about 600 trend vulnerabilities were detected within the pilot zone, a tenth of these vulnerabilities were contained on assets of a high degree of significance. For every 100 assets, there are an average of 47 trend vulnerabilities, and for one asset of high significance - 2 trend vulnerabilities.

"According to our data, the most dangerous vulnerabilities (we call them trend vulnerabilities) are widespread everywhere, in all industries, including on critical assets. In a situation where it is impossible to install all available software updates, and there are few experts ready to work with vulnerabilities (prioritize, eliminate, check the installation of updates or introduce other compensating measures), companies need domestic solutions that will help build an effective vulnerability management (VM) process and will interact with related systems to achieve the optimal result," said Elman Beibutov, Director of Product Business Development, Positive Technologies.

For example, the critical vulnerability CVE-2020-0646 in the Microsoft .NET Framework was identified in the infrastructure of 48% of organizations, and the high-severity Microsoft Office vulnerability CVE-2021-40444 was identified in the infrastructure of 41% of organizations. These vulnerabilities were also identified on high-significance assets.

Top 10 most common trend vulnerabilities.
File:Aquote1.png
The fact that on pilot projects we see already known vulnerabilities (to which vendors have already released appropriate patches or updated software versions) suggests that companies have a poorly built vulnerability management process, said Pavel Popov, leader in vulnerability management and information security monitoring products, Positive Technologies. - Companies either do not control the elimination of vulnerabilities, so they do not know that something has dropped out of the patch management process. Or they incorrectly prioritize vulnerabilities - they do not take into account their criticality or the significance of the assets on which they are located. But for November 2022, the market already has approaches and solutions that can provide inventory, categorization, vulnerability search, control over the elimination and another wagon of functions.
File:Aquote2.png
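The pilot figures above (trend vulnerabilities per 100 assets and per high-significance asset) and the prioritisation point in the quote (criticality and asset significance together, not CVSS alone) can both be made concrete in a few lines. The following is an added example written for this page, not code from Positive Technologies or MaxPatrol VM; the inventory, the significance scale and the score weights are constructed, and only the two CVE identifiers named in the study are real.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    significance: str   # "high", "medium" or "low" (constructed scale)


@dataclass(frozen=True)
class Finding:
    asset: Asset
    cve: str
    cvss: float          # CVSS base score, 0.0 - 10.0
    trend: bool          # actively exploited now, or exploitation expected soon
    patch_available: bool


# Weights are an assumption of this example, not a vendor's scale.
SIGNIFICANCE_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}


def priority(f: Finding) -> float:
    """Rank by severity *and* by where the flaw sits, so that a trend
    vulnerability on a high-significance asset with a published patch
    rises to the top of the work queue instead of a lone high CVSS score."""
    score = f.cvss * SIGNIFICANCE_WEIGHT[f.asset.significance]
    if f.trend:
        score *= 2.0
    if f.patch_available:
        score += 5.0        # the fix already exists: cheapest risk reduction
    return round(score, 1)


def work_queue(findings):
    """Findings sorted so the first item is the one to fix first."""
    return sorted(findings, key=priority, reverse=True)


def trend_density(findings, assets):
    """Pilot-style metrics: trend vulnerabilities per 100 assets and per high-significance asset."""
    trend = [f for f in findings if f.trend]
    high_assets = [a for a in assets if a.significance == "high"]
    on_high = sum(1 for f in trend if f.asset.significance == "high")
    return {
        "trend_total": len(trend),
        "per_100_assets": round(100.0 * len(trend) / len(assets), 1) if assets else 0.0,
        "on_high_assets": on_high,
        "per_high_asset": round(on_high / len(high_assets), 2) if high_assets else 0.0,
    }


# Constructed sample inventory. The two real CVE ids are the ones the study
# names; the "CVE-EXAMPLE-*" ids are placeholders.
DC01, MAIL01 = Asset("dc01", "high"), Asset("mail01", "high")
WS017, WS042 = Asset("ws-017", "low"), Asset("ws-042", "medium")
ASSETS = [DC01, MAIL01, WS017, WS042]
FINDINGS = [
    Finding(DC01,   "CVE-2020-0646",    9.8, trend=True,  patch_available=True),
    Finding(WS017,  "CVE-2021-40444",   7.8, trend=True,  patch_available=True),
    Finding(MAIL01, "CVE-2021-40444",   7.8, trend=True,  patch_available=True),
    Finding(WS042,  "CVE-EXAMPLE-0001", 9.1, trend=False, patch_available=False),
    Finding(WS017,  "CVE-EXAMPLE-0002", 5.3, trend=False, patch_available=True),
]

if __name__ == "__main__":
    for f in work_queue(FINDINGS):
        print(f"{priority(f):5.1f}  {f.cve:<17} {f.asset.name:<7} ({f.asset.significance})")
    print(trend_density(FINDINGS, ASSETS))
```

On the constructed sample the CVSS 9.1 finding without an exploit in the wild drops below a 7.8 trend vulnerability on a low-significance workstation, which is the ordering the quote argues for; the density function reproduces the "per 100 assets" and "per high-significance asset" figures the study reports, here 75 and 1.0 for the sample.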

Portrait of the companies involved in the study.

96% of organizations are not protected from intrusion into the local network

On November 16, 2022, Positive Technologies shared the results of a study of the state of security of Russian companies. During the pentests, 96% of organizations were not protected from penetration into the local network, in all organizations full control over the infrastructure was obtained. On average, it was possible to get access to the internal network of the company in five days and four hours. Among all unacceptable events indicated by organizations, 89% managed to confirm the possibility of their implementation.

According to the study's data, the level of protection against external and internal intruders in the analyzed companies turned out to be predominantly low: many confirmed attack vectors aimed at accessing critical resources were found in the organizations, and a potential intruder does not need to be highly qualified to use these vectors.

The analysis showed that in 96% of organizations, an attacker could overcome the network perimeter and penetrate the internal network. 57% of companies had a penetration vector consisting of no more than two steps; on average, this would take four steps. The fastest attack was carried out by pentesters in an hour. Research has shown that, on average, it could take an attacker five days and four hours to penetrate the company's internal network.

The main entry points were vulnerabilities and configuration shortcomings in web applications - such vectors were identified in all companies without exception. Among all penetration vectors that exploited web application vulnerabilities, 14% involved the exploitation of zero-day vulnerabilities. In total, five such vulnerabilities were identified during external pentests. Most often, critical vulnerabilities were associated with an insufficiently strict password policy and a lack of software updates; half of the companies studied had critical vulnerabilities in the code of their web applications. To ensure the security of web applications, Positive Technologies experts recommend regular security analysis, vulnerability management, and application-level firewalls.

According to the study, during an external pentest in 9 out of 10 companies, potential attackers could gain unauthorized access to confidential information, for example, information constituting a trade secret. Cybercriminals may sell such information to competitors of the victim company or use it to demand a ransom for non-disclosure. In addition to access to the company's internal network, an attack on network perimeter resources can entail other negative consequences: for example, defacement of a web application, altering information on official resources or placing malicious code on the victim's resources to attack its clients, obtaining employee credentials and, as a result, access to corporate resources and mail with subsequent distribution of spam and phishing.

When conducting an internal pentest in 100% of organizations, the ability to gain full control over domain resources was proven. 68% of companies were able to access confidential information. For example, personal data of customers and databases of companies acted as confidential information. 85% of organizations identified critical and high-risk vulnerabilities associated with password policy flaws. 60% of companies have identified critical and high-level vulnerabilities related to the use of outdated software versions. Positive Technologies experts recommend implementing a strict password policy, as well as using two-factor authentication to access critical resources.

In 47% of the companies studied, specific pentest goals were set, and in 27% of them unacceptable events were verified. Most often, the list of unacceptable events included theft of critical information, access to the accounts of top managers of companies, theft of funds, and stopping key business processes.

File:Aquote1.png
Among all unacceptable events identified by organizations, 89% managed to confirm the possibility of their implementation, - said Positive Technologies analyst Yana Yurakova. - On average, it would take attackers 10 days to carry out an unacceptable event. In some cases, this did not even require maximum privileges in the domain. Most of the unacceptable events for which the possibility of their implementation has been proven are associated with potential damage to reputation (61% of events), regulatory sanctions (57%) and financial losses (39%).
File:Aquote2.png

The study presents a MITRE ATT&CK heat map, which shows the popular techniques and sub-techniques that were successfully used by Positive Technologies pentesters. The company believes that such a map can be especially useful for incident response specialists and those responsible for information security, because pentesters simulate the actions of real attackers. Knowing the approaches of criminals, it is possible to provide preventive protection and pay special attention to monitoring and incident response.

Only 8% of companies in Russia do not have a separate information security division

On November 8, 2022, Jet Infosystems shared the results of a study of the peculiarities of organizing information security services in various areas of business. Its results showed that almost half of the organizations surveyed (41%) have their own information security service subordinate to higher management. In 23% of cases, the information security service is subordinate to the IT block, in 25% to the security service, 3% have a different subordination structure.

Image:Скриншот 10-11-2022 113233.jpg

At the same time, only 8% of companies do not have a separate information security division. These are usually small commercial-sector organizations. Information security processes in such companies are informally supported by IT staff, who take on these responsibilities as an additional workload and perform them on a residual basis.

File:Aquote1.png
The data obtained are significantly different from those that we recorded in Russian companies 5-7 years ago. There is a growing understanding of the need to remove information security units from subordination to IT and security services, which is confirmed by a rather high figure of 41%, - said Alexander Morkovchin, an information security expert at Jet Infosystems.
File:Aquote2.png

Image:Скриншот 10-11-2022 113409.jpg

On May 1, 2022, Decree of the President of the Russian Federation No. 250 "On Additional Measures to Ensure the Information Security of the Russian Federation" was signed. The decree covers companies from many areas of business: commercial and state organizations, including strategic and system-forming entities and critical information infrastructure (CII) entities. The key requirements of the decree are the creation in the company of a structural unit responsible for information security issues, as well as the appointment of a person responsible for information security, who must report to the head of the organization and be a member of the main advisory bodies.

The key goal of the Jet Infosystems study was to assess the level of compliance of companies with the introduced requirements. The conclusions were made on the basis of data obtained during information security audit projects in 2019-2021, and the results of a survey of the company's customers. The sample includes 100 companies from more than 10 industries, the geography of the study includes companies from Russia, Azerbaijan and Uzbekistan.

Image:Скриншот 10-11-2022 113437.jpg

The practice of allocating information security services into an independent structural unit is most typical for companies in the financial and public sectors, services, and development. The subordination of security officers to the IT department is most often found in telecom and industry. The situation when information security belongs to the security service is characteristic of the fuel and energy complex and retail.

The study also collected information on the integral maturity level of information security processes. The measurement tool was the Capability Maturity Model Integration (CMMI), a process improvement model with six levels. Most companies (58%) have an integral second (repeatable) maturity level, which indicates the presence of the minimum necessary protection tools, planning, and repeatability of information security processes. At the same time, this level is characterized by a lack of compliance with generally accepted practices and poor process control, partly due to a lack of resources.

File:Aquote1.png
Despite the fact that about 92% of companies already have their own information security specialists, the overall level of maturity of information security processes is still quite low. This situation is due to both a lack of professional personnel and insufficient financing from the business. The most mature industries traditionally remain the financial sector and large IT companies, - said Alexander Morkovchin.
File:Aquote2.png

Almost every third Russian company does not check software for security

RTK-Solar on November 1, 2022 presented the results of a study of the security of software in Russian organizations. 32% of organizations do not check the applications being developed or used for security. 59% of organizations believe that they need to strengthen the processes of monitoring and eliminating vulnerabilities (24% of companies are already taking the necessary measures, 35% - such measures are not planned). At the same time, almost every third company faces financial (31%) or reputational (31%) damage due to an incident related to vulnerabilities.

The survey results showed that 32% of organizations do not check the applications being developed or used for security. The same number of respondents (32%) said that, on the contrary, they regularly check the security of software. From case to case, 22% of companies conduct the analysis. 14% of respondents scan applications for security every six months.

Among those who conduct application security analysis, almost half (46%) eliminate all vulnerabilities, 31% - vulnerabilities of high and medium criticality. 12% of respondents are limited to eliminating vulnerabilities only of high criticality. Russian companies noted that the most common vulnerabilities in the code are ineffective monitoring (38%), the use of components with known vulnerabilities (30%), and unsafe configuration (30%). Exploitation of these vulnerabilities by cybercriminals can result in compromise of vulnerable systems, violation of privacy and availability of processed data.

Almost one in three companies face financial (31%) or reputational (31%) damage due to a vulnerability incident. Most often, financial damage is expressed in the additional resource costs of fixing vulnerabilities, which confirms the need to move from a traditional testing model to a shift left model. It consists in moving the testing stage to the early stages of the software development life cycle and allows you to simplify and speed up the correction of errors in the code.

Even those companies that develop custom applications do not always analyze the security of the software being developed: 23% of respondents noted that they do not check the security of applications, 32% check from time to time, 35% check constantly during the development of a new version (code analysis is built into the development process), and 10% scan applications once every six months. The lack of application security leads to the expected results. Among custom software developers who do not check the security of the software or check it only from case to case, every fourth respondent (25%) noted that vulnerabilities in the software led to significant information security incidents. This highlights the need to analyze application security and eliminate vulnerabilities and undeclared capabilities (NDV) in the code.

File:Aquote1.png
Every year the number of digital tools used is growing. It is important for companies that use them to provide them to employees as soon as possible in order to improve the efficiency of business processes. It is important for companies that develop them to release a product or new version as soon as possible in order to close the current needs of customers. In this race, business is more likely to prioritise speed, doing so at the expense of safety. Starting in the spring of 2022, amid numerous reports of an increase in cyber attacks on Russian organizations, the situation has changed. We note an increase in demand for application security analysis tools. So that customers do not need to compromise on the speed at which updates are delivered, we recommend implementing vulnerability analysis tools in the software development cycle.
said Daniil Chernov, Director of the Solar appScreen Center of RTK-Solar.
File:Aquote2.png

59% of organizations believe that they need to strengthen the processes of monitoring and eliminating vulnerabilities (24% are already taking the necessary measures, 35% are not planned). 41% of respondents believe that the current tools are enough to close the tasks of identifying and eliminating vulnerabilities.

What threats in the field of information security are most relevant for Russian companies in 2022

Pressure from cybercriminals on Russian companies and public sector enterprises has seriously increased since the end of February 2022. Attackers are testing the most modern types of cyber attacks on domestic organizations. Nevertheless, according to experts, all problems are known and solvable. However, an integrated approach to ensuring information security and qualified information security employees are needed.

Many expected that after the departure of foreign vendors, panic would come in the information security market, these expectations were not met. Yes, the choice of information security funds has decreased, but nevertheless, in almost all classes of solutions there are domestic analogues, - explains Dmitry Gusev, Deputy General Director of InfoTeCS.


Of course, in some cases it will be necessary to make efforts to find a convenient combination of products and their integration with the existing customer infrastructure, and this will take some time, but all problems can be solved, the InfoTeCS expert reassures.

The most urgent threat at the moment is politically active hackers aimed at causing maximum damage and organized criminal groups, says Vitaly Masyutin, deputy head of the IBS Platformix information security expertise center.

You can protect yourself from hackers and other threats. This requires a competent combination of technical means, organizational measures and the constant participation of qualified specialists, Masyutin notes.


Cross Technologies specialists agree with him. According to them, there are specialized means to neutralize these threats, but for the most part the secret of good protection lies in the qualification of the information security employees of the customer or the servicing (consulting) company.

Information leaks and loss of access to data due to cyber attacks are among the most pressing threats, said Roman Podkopaev, CEO of Makves. In his opinion, to protect data, it is necessary to use a set of solutions selected for the tasks, scale and specifics of the business.

Now the Russian information security market offers solutions in almost any class. In turn, we propose to conceptually change the approach to threats and focus on protecting the data of interest to hackers in the first place. DCAP/DAG solutions help significantly reduce the surface of a cyber attack and ensure reliable data protection, the expert explains.


The list of current threats is individual for each organization, agrees Nikolai Fokin, director of the LANIT-Integration Information Security Center (part of the LANIT group). According to the observations of the company's specialists, the greatest risks are now associated with hacker attacks. For example, increasingly frequent DDoS attacks can make web resources and part of the infrastructure services of affected organizations inaccessible. Specialized services and equipment can cope with them.

In addition, attacks using known vulnerabilities for which exploits are publicly available are also popular. To minimize the risks associated with such attacks, patch management and vulnerability management processes need to be set up.

At the same time, web and mobile applications are susceptible to computer attacks. To protect them, they use solutions for analyzing source code for vulnerabilities and web application firewall (WAF).

As noted in the AST company, threats associated with the compromise of applications developed without taking into account the requirements for secure development are now also coming to the fore.

Given the lack of development time and the heavy burden of import substitution, vulnerabilities become critical, the company says.


Another common threat at the moment is computer attacks using ransomware. Their main vectors are social engineering using infected websites and phishing emails. In addition, attackers can gain access to the infrastructure, for example, through stolen user accounts.

To build an effective defense that will help contain such attacks, an integrated approach to ensuring information security is needed, confirms Nikolai Fokin. - It is also worth noting computer attacks on supply chains. Indeed, they have been observed before, but now this is one of the key risks associated both with the use of open-source solutions and libraries in development and with receiving updates to foreign software.


Security Vision CEO Ruslan Rakhmetov warns that after the hasty departure of foreign vendors, even minor threats that their solutions used to mitigate have become dangerous: if the security functionality is partially or completely disabled, a banal phishing link or well-known malware can cause the company a lot of trouble. Therefore, migration from Western solutions should be carried out promptly, comparing the available Russian alternatives in terms of functionality, cost, and the declared quality of the related consulting, implementation, and support services.

The market of Russian information security solutions is quite extensive and covers almost the entire range of current cyber threats. Even where no domestic protection tool exists for a specific cyber risk yet, customers can address it with compensating measures: secure configuration of endpoints and servers, restriction of network access, implementation of the principle of least privilege, and so on, explains the Security Vision expert.


Dmitry Romanchenko, head of the information security department at Rubytech, urges not to forget that today we have to exist in a multifactorial cyber war, which only a powerful and continuously developing industry can withstand.

The readiness of Russian companies to outsource protection against leaks has been studied

The national provider of technologies and cybersecurity services "RTK-Solar" on September 19, 2022 released an analytical study "Control of confidential information: outsourcing or in-house?". As of September 2022, only a little more than 18% of the surveyed companies use information leak protection services: 52% of respondents operate a DLP system on their own, and almost 30% do not have specialized leak protection tools in the company at all.

Interestingly, among most companies that use protection against leaks "at home," 11% nevertheless consider partial outsourcing of DLP to be the best option, when it is possible to give either technical support for the solution or its analytical support to an external contractor. At the same time, the share of DLP service users in a purely service model (full outsourcing: both technical support and analytical support) is low, only 4%.

File:Aquote1.png
These studies suggest that customers are almost 4 times more concerned about the confidentiality of the information collected than about third-party access to DLP system hardware: they outsource technical support 4 times more often than they involve external analysts to work with internal, sensitive traffic. Thus, the main barrier to a massive transition to DLP as a Service is concerns related to access to confidential information of third parties - outsourcing analysts,
said Elena Chernikova, senior business analyst at the Dozor Product Center "RTK-Solar."
File:Aquote2.png

The study participants called the leakage of information about leaks from the company the greatest risk of the outsourcing model (76% of respondents). The second most critical risk is associated with a decrease in the speed of response to incidents: 17% of respondents are worried about this.

As expected, in the regions the volume of use of protection services against leaks is lower than in the capital: 23% and 77%, respectively.

As for the cost of DLP services, the vast majority - 75% of respondents - believe that the cost of an outsourcing model should be determined by the scale of possible damage. Another 21% of the study participants name the average fixed cost within the boundaries of 1 to 10 million rubles for installing a DLP system on workstations of 1000 employees.

For the purpose of the study, RTK-Solar analysts interviewed over 200 representatives of Russian organizations belonging to medium and large business segments.

Half of Russian companies are not able to protect personal data of customers

On September 5, 2022, HFLabs announced that despite high-profile personal data leaks, only 50% of Russian companies plan to increase the budget for their protection. At the same time, more than half of the respondents are not sure that the personal information of their clients is safe.

Personal data leak

HFLabs interviewed representatives of 172 Russian companies to understand how the business responds to high-profile leaks and whether it plans to change its approaches to working with personal data.

53% of respondents said that "leaks are likely" in their company, and another 9% reported that they were already happening. And only 37% of respondents are confident that there will be no leakage of customer data in their organization.

The number of such incidents in Russia increased eightfold in the first half of 2022 compared to the same period in 2021. According to the Telegram channel "Database Leaks", 33 leaks of Russians' personal data occurred during this period in 2022, and 167 million lines with personal information of clients of various organizations ended up in the public domain. In 2021, from January to July, there were seven leaks totalling 21 million lines.

Among the measures that companies are taking for September 2022 to protect customer information, survey participants most often called restricting employee access to personal data, introducing IT systems to protect data and tightening data rules. At the same time, almost 50% of respondents reported that their organizations do not plan to increase the budget for the protection of personal data.

{{quote 'Information tends to leak. Any data transmitted by the client about themselves will also sooner or later be in the public domain. Therefore, citizens should be able to receive goods and services while remaining completely anonymous. For example, to deliver food, the company does not need to know the name and phone number of a person - a courier can contact him through a call center or any other surrogate identifier. In fact, a business can exist without collecting so much personal data. And, of course, people themselves must observe digital hygiene and monitor where and what information they leave about themselves, - believes Dmitry Zhuravlev, co-founder and CEO of HFLabs.}}

Only 5.2% of companies in the HFLabs surveyed recorded a significant number of calls from customers after major data breaches. Another 15% of respondents reported single consumers who were concerned about the safety of personal information.

10% of companies have a leak action plan. Another 11% understand its necessity, but they do not yet have a plan. Interestingly, in 2022, the number of leaks with full names, phones and email addresses of Russians increased significantly. But the number of leaks with contacts from instant messengers, password hashes, logins and IP addresses, on the contrary, has decreased.

Identity theft continues to be the most popular method of attack

A 2022 Ponemon Institute report said that 54% of cybercrime incidents were caused by identity theft, followed in the top by ransomware and DDoS attacks. In addition, 59% of organizations do not deactivate accounts that are no longer needed, thereby making them easy prey for hackers. This became known on August 16, 2022.

In turn, Verizon's 2022 Data Breach Investigations Report said that nearly 50% of all data breaches were due to identity theft. According to the same report, stolen credentials are most often used to attack web applications. Experts emphasized that web applications are one of the main attack vectors, as organizations from different industries are trying to implement digital solutions and Internet technologies to optimize their work.

As examples, we can take the manufacturing industry and the healthcare sector: in both industries, devices are almost always connected to the Internet to receive updates and quickly perform their tasks, making it easier for employees. However, this also leads to risks at each access point.

If ordinary users can use the Internet to access networks, servers and data, then an attacker can do so. Exactly the same way it works with credentials. And if we also take into account the fact that third-party software vendors can remotely access some systems and servers, then a very unpleasant combination of possible risks and vulnerabilities is obtained.

Therefore, organizations have to constantly keep up with the latest trends in information security, ensuring maximum security of credentials and IoT devices. After all, if they do not, they will have to run around repairing all the damage caused by attackers.[1][2]

Weak passwords turned out to be one of the key problems of external IT perimeters of companies

Unreliable passwords were found in the systems and applications of the external perimeter of almost 80% of organizations. These are the results of projects to analyze the security of Russian companies conducted by Rostelecom-Solar experts from the beginning of 2021 to May 2022. The company announced this on July 8, 2022. Most often, such a drawback occurs in applications and services, including remote access (for example, VPN or RDP, etc.). Work has shown that web applications have become the most likely point of penetration of hackers into the corporate network. The objects of the study were organizations from the field of finance, the energy complex, IT, telecom, retail and other industries.

It is noteworthy that back in 2020, a weak password policy (unreliable, dictionary, repeating and default passwords) was most often characteristic of applications in the internal perimeter. However, over the past year and a half, the number of applications and services has grown significantly, including remote access systems, which have been brought to the external perimeter, experts say. This is because most companies decided to maintain a remote or hybrid work format, and they needed to give employees the opportunity to use corporate resources from home.

File:Aquote1.png
Of course, the very presence of corporate resources on the external perimeter does not carry additional risks, but the use of weak passwords and the absence of a second authentication factor when remotely connected create the possibility of their illegitimate use. During the work, we met even such easily selected combinations of login and password as Administrator:123, test: test, admin: admin. Simple credentials give hackers privileged access to applications, as well as access to internal networks, for example, through remote access systems, - said Alexander Kolesov, head of the security analysis department at Rostelecom-Solar.
File:Aquote2.png
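The categories the study names (unreliable, dictionary, repeating and default passwords) map onto checks an organisation can run itself at password-set time or over an assessment's findings. The block below is an added example written for this page, not Rostelecom-Solar's tooling or methodology; the banned-credential list, the dictionary, the 12-character minimum and all sample pairs except the three quoted in the study are constructed, and "repeating" is read here as the same password reused by several accounts.

```python
import re
from collections import Counter

# Deliberately tiny, constructed lists: a real deployment loads the
# organisation's banned-password list and a large dictionary instead.
DEFAULT_CREDENTIALS = {("administrator", "123"), ("test", "test"),
                       ("admin", "admin"), ("admin", "password")}
DICTIONARY_WORDS = {"password", "qwerty", "welcome", "summer", "winter",
                    "company", "admin", "test"}
MIN_LENGTH = 12   # policy minimum; an assumption of this example


def weakness(login: str, password: str) -> list[str]:
    """Policy findings for one credential pair; an empty list means it passes.
    Categories follow the study's wording, with 'unreliable' split into
    too_short / contains_login / low_complexity."""
    findings = []
    lg, pw = login.lower(), password.lower()
    if (lg, pw) in DEFAULT_CREDENTIALS:
        findings.append("default")
    # 'Summer2022'-style passwords: a dictionary word with digits appended
    if pw in DICTIONARY_WORDS or re.sub(r"\d+$", "", pw) in DICTIONARY_WORDS:
        findings.append("dictionary")
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if lg and lg in pw:
        findings.append("contains_login")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("low_complexity")
    return findings


def audit(credentials):
    """Evaluate (login, password) pairs and flag the study's 'repeating'
    category, read here as one password shared by several accounts.
    Returns per-login findings and a tally per category."""
    report = {login: weakness(login, pw) for login, pw in credentials}
    uses = Counter(pw for _, pw in credentials)
    for login, pw in credentials:
        if uses[pw] > 1:
            report[login].append("reused")
    tally = Counter(c for cats in report.values() for c in cats)
    return report, tally


# Constructed assessment sample. The first three pairs are the ones quoted
# in the study; the rest are invented.
SAMPLE_CREDENTIALS = [
    ("Administrator", "123"),
    ("test", "test"),
    ("admin", "admin"),
    ("ivanov", "Summer2022"),
    ("petrov", "Summer2022"),
    ("sidorov", "Tr!cky-Horse-Battery-9"),
]

if __name__ == "__main__":
    report, tally = audit(SAMPLE_CREDENTIALS)
    for login, cats in report.items():
        print(f"{login:<14} {'OK' if not cats else ', '.join(cats)}")
    print(dict(tally))
```

Run against plaintext pairs as above the audit is only suitable for an assessment's own findings; in production the same `weakness` checks belong in the password-change path, and the reuse check is done on hashes computed under one scheme rather than on stored passwords.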

In addition to remote access systems, most of the vectors of penetration into the network of organizations are associated with the exploitation of vulnerabilities in web applications (for example, email, employee portal, personal account on the site). According to the results of the work, a low level of security was noted in 53% of the investigated web applications. A number of projects used training, project, business process and advertising management systems, corporate chats to overcome the external perimeter. Among the common problems of web applications: the implementation of OS-level commands, loading executable files, access to administrative functionality bypassing access rules, incorrect configuration of access rights.
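Two of the web application problems just listed, execution of OS-level commands and access to administrative functionality bypassing access rules, have well-understood hardened forms. The block below is an added example written for this page, not code from any of the assessed applications or from Rostelecom-Solar; the ping wrapper, the hostname allow-list regex, the role model and the sample inputs are all constructed for illustration.

```python
import re
import subprocess
from functools import wraps

# --- 1. Execution of OS-level commands ------------------------------------
# Vulnerable form: the untrusted value is spliced into a command line that
# would be handed to a shell, so shell metacharacters in it change the
# command. Kept here only to show what the hardened form replaces.
def build_ping_vulnerable(host: str) -> str:
    return f"ping -c 1 {host}"            # would be run with shell=True


# Allow-list for a DNS name or IPv4 literal (assumption of this example).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_host(host: str) -> bool:
    return bool(HOSTNAME_RE.match(host))


def build_ping_hardened(host: str) -> list[str]:
    """Validate against the allow-list, then pass the value as a single
    argv element. No shell is involved, so nothing is re-parsed."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Runs the hardened command and returns its exit code."""
    return subprocess.run(build_ping_hardened(host),
                          capture_output=True, timeout=timeout).returncode


# --- 2. Administrative functionality ---------------------------------------
class Forbidden(Exception):
    pass


def require_role(role: str):
    """Authorisation enforced on the handler itself. Hiding an admin link
    in the UI is not an access rule; this server-side check is."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(actor: dict, *args, **kwargs):
            if role not in actor.get("roles", ()):
                raise Forbidden(f"{actor.get('name')} lacks role {role!r}")
            return fn(actor, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def disable_account(actor: dict, target: str) -> str:
    return f"{target} disabled by {actor['name']}"


if __name__ == "__main__":
    print(build_ping_vulnerable("example.com; hostname"))   # the input is spliced in unchanged
    print(build_ping_hardened("example.com"))
    print(disable_account({"name": "alice", "roles": ("admin",)}, "svc-old"))
```

The two fixes share one principle: validate against what the input is allowed to be, and enforce the rule at the point where the action happens (the argv list, the handler) rather than at the point where the request is built.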

In the internal networks of organizations, in addition to weak password policies, insecure data storage is also often found: sensitive information in public directories was found in 42% of projects. For example, in some organizations' internal perimeters, Rostelecom-Solar experts managed to find accounts for data services, financial documents, and credentials for connecting to critical systems in publicly accessible locations.

Despite many shortcomings in systems and networks, companies are still striving to eliminate them. This is indicated by the fact that during repeated tests, an average of 63% of all previously discovered vulnerabilities have already been fixed. At the same time, companies pay more attention to vulnerabilities with a high degree of criticality, which pose a serious threat to security. Vulnerabilities with low criticality may remain unresolved for longer.

Russian business faces information security challenges, but underestimates the likelihood of hacker attacks

Half of entrepreneurs (53%) reported that over the past month they faced information security problems in their companies: equipment failures, viruses, fraudulent schemes. At the same time, 68% of entrepreneurs consider hacker attacks on their company unlikely. These are the results of a study conducted by the NAFI Analytical Center together with the company Cyberprotect, which announced this on June 30, 2022.

Two-thirds of Russian entrepreneurs (68%) consider the threat of a hacker attack on their companies unlikely or impossible (most often, representatives of the construction industry say so - 83%, and heads of micro-enterprises - 66%). The probability of cyber threats is acknowledged by 21% of organizations.

Table 1. "How likely is it that your enterprise will be attacked by computer intruders in the near future?", % of all respondents

More often, cyber threats are expected by companies operating in the field of digital technologies, information and communications (52%), as well as enterprises operating in the market for more than 10 years (17%).

Half of entrepreneurs (53%) note that over the past month they have faced problems in the field of information security.

The TOP-3 of problems faced by businessmen included:

  • data loss as a result of breakdown, malfunction of devices or human factors - 19%,
  • internet fraud (misleading to obtain money or confidential information) - 18%,
  • virus infection of employees' work computers, including cases followed by extortion of money - 14%.

Table 2. "What information protection measures are being taken in your company?", % of all respondents

In addition, over the past month, respondents have faced attacks on the company's website and unauthorized access to corporate information (10% each), hacking employee mailboxes (9%), theft of customer personal data (6%).

Small and medium-sized businesses are taking measures to ensure information security and protect their data. Most company representatives noted that their companies install anti-virus software on each computer (78%), develop information security rules and communicate them to employees (64%), and back up data (62%).

Table 3. "Which of the information threats has your company faced in the last month?", % of all respondents*
* The response rate may exceed 100% because respondents had the option to choose multiple answer options

"It may seem that SMEs are much less interesting to cybercriminals than large businesses. However, this is not the case. Practice shows that even the smallest organizations are under threat. In particular, phishing emails and malicious attachments pose a danger to companies of any size where employees have a low level of digital literacy. The credulity and digital incompetence of even one employee who opened a phishing email and allowed the activation of a fraudulent program can lead to negative consequences for the whole business. On the one hand, it is important for Russian entrepreneurs to invest in software and hardware solutions to ensure information security; on the other hand, to actively raise the level of digital competencies of their employees in order to protect themselves as much as possible from digital threats in modern conditions," said Leysan Baimuratova, Director of Digital Economy Research at the NAFI Analytical Center.

"Unfortunately, there are no longer any companies that use information technology and never face cyber attacks. Moreover, attacks not only increase the burden on organizations' information systems, but also achieve their goals; it is only a matter of time. We see that even the most secure organizations suffer from successful cyber attacks. Attention to information security reduces the likelihood of their success, and if the attackers' goals are achieved, competent actions by information security services allow the organization's activities to be restored quickly and without significant losses. This is confirmed by the results of the survey: companies that have worked in the market for a long time soberly assess threats and prepare for cyber attacks in advance. Obviously, they have already had to respond to cybersecurity incidents. As of June 2022, the most vulnerable points of any organization include the stability of information systems, the loss of important data and reputational risks. Reliable protection and a responsible attitude to possible data leaks, storage and backup are the key tasks of information security services," noted Elena Bocherova, executive director of Cyberprotect.

An all-Russian representative survey of entrepreneurs was conducted by the NAFI Analytical Center in May 2022. 500 representatives of micro, small and medium-sized businesses from all major sectors of the economy in all federal districts of the Russian Federation were interviewed. The respondents were business owners, top officials of companies and individual entrepreneurs.

In Russia, demand for information security training for top managers of companies has sharply increased

By the end of May 2022, demand for information security training for top managers of companies had increased sharply in Russia. This is partly due to the presidential decree under which responsibility for cybersecurity falls on deputy heads of enterprises.

According to Kommersant, citing data from Group-IB, in May 2022 the number of requests for training information security specialists increased by 30% compared to the same period in 2021. The service is mainly requested by large and fast-growing companies; they are interested in Incident Response courses (incident response and localization) and in building a SOC (Security Operations Center), experts noted.


Kaspersky Lab also sees high demand for cybersecurity programs for managers and trainings to improve the cyber literacy of ordinary employees. More than half of all trainings conducted are in the industrial sector.

Marina Tarnopolskaya, CEO of Kontakt Intersearch, says that when recruiting for leadership positions, employers pay special attention to knowledge in the field of information security. Therefore, a company's top management wants to understand cyber threats in more detail and, on that basis, make decisions on developing this area, believes Sergey Gordeichik, CEO of Cyberok.

"By decree of the president, the head of information security in fact becomes a strategist and begins to be responsible for developing this area over the next three to five years," he said.

According to the newspaper's source on the information security market, the responsibility of top management for incidents already extends to criminal liability, and leaders want to understand what they are responsible for.[3]

Putin signed a decree on additional measures to ensure Russia's information security

On May 1, 2022, it became known that Putin signed a decree on additional measures to ensure Russia's information security.

The text of the decree was posted on the official Internet portal of legal information.

"In order to increase the stability and safety of the functioning of information resources of the Russian Federation, I decide: the heads of federal executive bodies, the highest executive bodies of state power of the constituent entities of the Russian Federation, state funds, state corporations and other organizations... entrust the deputy head of the body with the authority to ensure the information security of the body, including the detection, prevention and elimination of the consequences of computer attacks and response to computer incidents," the document reads.

Putin instructed the heads of departments and regions, state funds, state corporations, strategic and system-forming enterprises to "entrust the deputy head of the body (organization) with the authority to ensure information security" in the field of computer attacks.

It is noted that each department, institution and system-forming enterprise was instructed to create an IT security unit.

In addition, the president demanded "to provide officials of the Federal Security Service with unhindered access to the bodies' (organizations') own information resources or the information resources they use, access to which is provided through the information and telecommunications network Internet."

In addition, from January 1, 2025, it is prohibited in Russia to use information protection tools originating from unfriendly countries.

"From January 1, 2025, bodies (organizations) are prohibited from using information protection tools whose countries of origin are foreign states committing unfriendly actions against the Russian Federation, Russian legal entities and individuals, or whose producers are organizations under the jurisdiction of such foreign states, directly or indirectly controlled by them, or affiliated with them," the decree signed by Putin states[4].

Group-IB discovered 7,500 unsecured databases in Russia

On April 27, 2022, Group-IB reported that a global survey of digital assets had identified about 400,000 databases openly accessible on the Internet. Almost 7,500 such "ownerless" databases are located on Russian servers. Group-IB experts warn that unprotected databases are easy prey for cybercriminals and can lead not only to personal data leaks but also to targeted attacks on organizations.

According to the company, the global study conducted by experts from the Group-IB Attack Surface Management division covers the period from Q1 2021 to Q1 2022. According to the report, by the end of 2021 the number of publicly available databases in the world was 308,000. Most of them were hosted on servers in the USA, China, Germany, France and India. In the first quarter of 2022, their number increased by 12% and reached 399,200.

Number of databases found in the public domain from Q1 2021 to Q1 2022

By discovering an accessible database, attackers can steal sensitive information or use it as an entry point for further movement through the network. According to IBM, in 2021 the average cost of a data leak increased from $3.86 million to $4.24 million, and international companies were fined almost $1.2 billion for violating the General Data Protection Regulation (GDPR).

In Russia, 5,493 unprotected databases were discovered in 2021, and 7,426 over the whole period from Q1 2021 to Q1 2022. According to the conclusions of the Group-IB Attack Surface Management division, in Russia an average of 250 days passes from the moment a database is discovered until it is removed from public access, whereas worldwide this happens faster, in 170 days on average.

Top 10 countries in terms of the number of databases found in the public domain in 2021

Further digitalization of services and data migration to cloud infrastructures lead to the growth of digital assets worldwide. Some of them end up in the "shadow": although they are accessible from the outside, the organization does not update, monitor or protect them.

Group-IB Attack Surface Management scans the IPv4 space every day (Internet Protocol version 4, actually the entire Internet) and detects not only current cyber threats - malware, phishing panels, but also unprotected corporate digital assets. These can include forgotten cloud services with vulnerable software, incorrectly configured databases that accidentally became available from the network, or self-deployed web servers - anything that can lead to unauthorized access to the company's infrastructure.

"The emergence of uncontrolled IT resources exposes organizations to serious risk and negates investments in network security. According to our data, more than 50% of the incidents investigated by the Group-IB Digital Forensics Laboratory in 2021 occurred as a result of the exploitation of perimeter vulnerabilities and could have been prevented. This requires robust tools to monitor and comprehensively inventory existing digital assets," comments Tim Boback, Head of Group-IB Attack Surface Management.

99% of cloud resources provide excessive permissions

On April 14, 2022, it was reported that a team of Palo Alto Unit 42 researchers concluded that cloud users, roles, services and resources were granted excessive permissions, putting organizations at risk of compromise. According to the experts, misconfigured identity and access management (IAM) opens the door for attackers targeting cloud infrastructure and credentials.

75% of vulnerabilities in companies could be closed using patches

For 75% of the vulnerabilities found in the infrastructures of Russian organizations, there are simple ways to fix them, including patch management. However, as of April 12, 2022, they remain unclosed, according to a Rostelecom-Solar report. At the same time, some infrastructures contain well-known vulnerabilities for which updates were released several years ago. This was announced by Rostelecom-Solar on April 12, 2022. Closing such vulnerabilities is becoming a critical condition for organizations' basic cyber defense, experts warn.

In total, the study analyzed internal and external network perimeters, as well as web applications of more than 50 organizations from various industries (IT, industry, retail, medicine, government agencies). As a result, more than 150 thousand vulnerabilities were identified, of which 7.5 thousand (that is, 5%) are unique. Most (94%) of the latter have an above average criticality level, and for a large number of these vulnerabilities there is a published exploit, which makes them an available tool for attackers.

Vulnerabilities over 20 years old are found in the internal perimeter. On average, the attacker's window of opportunity is 10-12 years (the difference between the oldest and newest vulnerability with an exploit found in the infrastructure). Among the trend vulnerabilities identified in the internal perimeter are Log4j, BlueKeep, ShellShock, EternalBlue, etc. And despite the fact that both information security experts and the general public have talked a lot about them, in a number of companies they remain unpatched.

"Regular monitoring of vulnerabilities could significantly increase the cybersecurity of organizations. Exploits for old and known vulnerabilities are in the public domain, and it is not difficult for attackers to use them. And as of April 2022, when the number of cyber attacks on Russian companies is growing, the likelihood that hackers will find a weak point in the infrastructure increases significantly. As a result, the absence of such a simple thing as updating can result in financial and reputational losses for the organization, as well as the stoppage of key business processes," noted Maxim Bronzinsky, head of the Vulnerability Management department at Rostelecom-Solar.

No trend vulnerabilities were found on the external perimeters of companies, but Rostelecom-Solar experts record problems with inventory. In addition, all companies under investigation use unsafe encryption methods or have difficulties with certificates or configuration, which can violate the integrity of data and lead to its interception. This problem can be resolved by correcting the configuration.
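As an added illustration (not code from the Rostelecom-Solar report or from any vendor named on this page), the check below audits a scanned endpoint description for the certificate and configuration weaknesses discussed here: legacy TLS versions, weak cipher suites, small DH groups and RSA keys, SHA-1 signatures, self-signed or expired certificates, and a missing or short HSTS header. The endpoint records and hostnames are constructed placeholders; the certificate fields follow the layout Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Protocol versions and cipher-suite markers treated as perimeter weaknesses.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")
MIN_RSA_BITS = 2048            # certificate RSA keys below this are flagged
MIN_DH_BITS = 2048             # DH groups of 1024 bits or less are Logjam-weak
WEAK_SIG_PREFIXES = ("md5", "sha1")
MIN_HSTS_MAX_AGE = 31536000    # one year: common deployment guidance for RFC 6797


def audit_endpoint(ep, now=None):
    """Return a list of findings for one scanned endpoint description.

    `ep` is a plain dict shaped like what a perimeter scanner would collect:
      tls_versions: protocol versions the server accepts
      ciphers:      cipher suites the server offers (OpenSSL names)
      dh_bits:      finite-field DH group size, or None if only ECDHE is used
      cert:         subject/issuer (getpeercert() layout), notAfter, key_bits, sig_alg
      headers:      HTTP response headers
    """
    now = now or datetime.now(timezone.utc)
    findings = []

    for version in ep["tls_versions"]:
        if version in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {version}")

    for suite in ep["ciphers"]:
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {suite}")

    if ep.get("dh_bits") is not None and ep["dh_bits"] < MIN_DH_BITS:
        findings.append(f"DH group too small: {ep['dh_bits']} bits (Logjam)")

    cert = ep["cert"]
    if cert["key_bits"] < MIN_RSA_BITS:
        findings.append(f"certificate RSA key too small: {cert['key_bits']} bits")
    if cert["sig_alg"].lower().startswith(WEAK_SIG_PREFIXES):
        findings.append(f"certificate signed with weak hash: {cert['sig_alg']}")
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed certificate")

    # ssl.cert_time_to_seconds() parses the 'Mon DD HH:MM:SS YYYY GMT' form from getpeercert().
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if not_after <= now:
        findings.append(f"certificate expired on {not_after:%Y-%m-%d}")
    elif not_after - now < timedelta(days=30):
        findings.append(f"certificate expires soon: {not_after:%Y-%m-%d}")

    headers = {k.lower(): v for k, v in ep["headers"].items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header (RFC 6797) missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((int(d.split("=", 1)[1]) for d in directives
                        if d.startswith("max-age=") and d.split("=", 1)[1].isdigit()), 0)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age shorter than one year: {max_age}")
    return findings


# Constructed records (not real scan results); hostnames are placeholders.
WEAK_ENDPOINT = {
    "host": "shop.example.test",
    "tls_versions": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
    "dh_bits": 1024,
    "cert": {
        "subject": ((("commonName", "shop.example.test"),),),
        "issuer": ((("commonName", "shop.example.test"),),),   # issuer == subject
        "notAfter": "Jan  1 00:00:00 2022 GMT",
        "key_bits": 1024,
        "sig_alg": "sha1WithRSAEncryption",
    },
    "headers": {"Server": "nginx"},
}

HARDENED_ENDPOINT = {
    "host": "shop.example.test",
    "tls_versions": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305"],
    "dh_bits": None,   # finite-field DH disabled, ECDHE only
    "cert": {
        "subject": ((("commonName", "shop.example.test"),),),
        "issuer": ((("commonName", "Example CA (placeholder)"),),),
        "notAfter": "Nov 14 09:23:07 2024 GMT",
        "key_bits": 2048,
        "sig_alg": "sha256WithRSAEncryption",
    },
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}

# Fixed scan time so the constructed records evaluate the same way every run.
SCAN_TIME = datetime(2023, 11, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ep in (WEAK_ENDPOINT, HARDENED_ENDPOINT):
        print(ep["host"], audit_endpoint(ep, now=SCAN_TIME) or ["no findings"])
```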

Web applications also remain quite vulnerable to attackers. In 56% of cases, there is a problem of using vulnerable and outdated components. Other errors include the ability to conduct SQL injections and cross-site scripting (XSS) attacks, the use of vulnerable security configurations, and encryption problems.

89% of organizations do not ensure data protection at the proper level

On February 22, 2022, Veeam Software announced that 88% of IT executives expect data protection budgets to grow faster than total IT spending, as data becomes a critical factor in business success and the challenges of protecting it become more complex. More than two-thirds of companies are moving to cloud services to protect their data.


According to the company, in preparing the Veeam Data Protection Trends Report 2022 a survey of more than 3,000 decision-makers in global corporations was conducted, which helped to create an up-to-date view of data protection strategies for the coming years. The study answers questions about how companies are preparing to respond to the IT challenges they face, including the explosive growth in the use of cloud services and cloud-native infrastructure and the expanding landscape of cyber attacks, as well as what measures they are taking to implement modern data protection strategies that ensure business continuity.

"Over the past two years (since the beginning of the pandemic), the volume of data has more than doubled, in large part due to the transition to remote work and the use of cloud services. As data grows, security risks increase. Ransomware viruses are a prime example. The study found that organizations are aware of these issues and are investing heavily to provide the necessary level of protection that users expect. The pace of modernization of production platforms is ahead of the pace of improvement in protection methods and strategies. Data volumes and platform diversity will continue to grow, just as the space for other cyber threats will expand. Business leaders should therefore invest in a strategy that closes existing gaps and meets growing data protection requirements," noted Anand Eswaran, CEO of Veeam.

Respondents pointed out that their data protection capabilities lag behind business needs, with 89% noting a gap between how much data they can afford to lose as a result of a failure and how often backups are made. Over the past year, this figure has increased by 13%, which indicates that although the volume and value of data continue to grow, difficulties remain in protecting it at the proper level. The key reason is that the data protection IT challenges companies face are massive and diverse.

For the second year in a row, cyber attacks have become the main cause of downtime. Over the past year, 76% of organizations have reported at least one ransomware virus incident. The concern is not just the frequency but the scale of these incidents. As a result of one attack, companies were unable to recover 36% of the lost data, which proves the inability of the applied data protection strategies to prevent, eliminate and restore business operations after ransomware attacks.

"In a situation where cyber attacks are becoming more complex and more difficult to prevent, backup and recovery solutions are becoming the most important foundation of a modern data protection strategy for any organization. Companies should be 100% confident that backups are performed within a dedicated window and that recovery is performed in accordance with the required SLA. The best way to protect and recover data in the event of a ransomware virus attack is to engage a third-party specialist and invest in an automated orchestration solution that protects the numerous data centers and cloud production platforms that businesses of all sizes rely on in 2022," says Danny Allan, Chief Technology Officer at Veeam.

To bridge the gap between data protection capabilities and the growing range of threats, organizations plan to invest an average of 6% more in data protection each year than in IT as a whole. Although this will only slightly outweigh the emerging trend of lagging data protection from the rapidly growing needs for such protection, it is good that business leaders recognize the urgent need to implement modern data protection strategies.

Clouds are gradually becoming the dominant platform for data storage and processing: 67% of organizations are already using cloud services as part of their data protection strategies, and 56% are either already using containers in their daily work or plan to start using them in the next 12 months. In 2022, the diversity of platforms will continue to expand, and the gap between the shares of data centers (52%) and cloud servers (48%) will continue to narrow. This is one reason why 21% of companies cited the ability to protect cloud-hosted workloads as a major factor in buying enterprise data protection solutions in 2022. 39% believe that IaaS/SaaS capabilities are a key feature of the modern approach to data protection.

"The hybrid IT infrastructure provides enough power to meet both production and security needs, providing both cloud storage and disaster recovery with cloud-hosted infrastructure. Investment opportunities in today's data protection extend well beyond business peace of mind, business continuity and customer trust. To ensure the right balance between strategic digital initiatives and costs, IT managers must implement robust solutions at the lowest possible cost," noted Danny Allan.

Key findings of Veeam Data Protection Trends Report 2022:

  • Companies are experiencing an "availability gap" problem, with 90% of respondents confirming they are facing an "availability gap" problem - the difference between the expected level of SLA and how quickly they can return to normal operation. This figure increased by 10% compared to 2021.
  • Data remains unprotected: Even though backup is a core component of any data protection strategy, data from 18% of organizations worldwide remains unprotected - that is, completely unprotected.
  • Human errors occur too often: technical errors continue to be the most common cause of downtime, with an average of 53% of respondents experiencing infrastructure/network failures, as well as hardware and software components of servers. 46% of respondents experienced configuration errors by administrators, and 49% experienced accidental deletion/overwriting of data or corruption by users.
  • Protecting remote workers: only 25% of all organizations use solutions to orchestrate workflows and reconnect resources in the event of a failure, 45% run pre-written scripts, and 29% reconfigure user connection schemes manually.
  • The price factor continues to play a crucial role: cost-effectiveness is the decisive factor in buying an enterprise data protection solution for 25% of IT managers.

Key findings of the Veeam Data Protection Trends Report 2022 for Russia:

  • 77% of Russian companies face the problem of a "defense gap." 82% experience an "availability gap" problem.
  • On average, 16% of these companies remain unprotected.
  • In 2022, 93% of Russian companies plan to increase budgets for data protection - on average, this is 7% higher than in 2021.
  • 97% of companies have experienced unforeseen outages over the past year.
  • 69% of Russian companies suffered from ransomware attacks; for the second year in a row, cyber attacks were one of the key reasons for downtime.
  • On average, 29% of data lost in an attack cannot be recovered. 71% of companies failed to recover at least some of the lost data.
  • 44% of companies cited accidental deletion, overwriting or data corruption as the main cause of IT failures. 37% of companies experienced malfunctions caused by configuration errors and malfunctions due to deliberate actions of administrators or users.
  • 32% of Russian companies use solutions to orchestrate workflows to reconnect resources in the event of a failure. 44% of companies run pre-configured scripts, and 24% reconfigure user connections manually.
  • 64% of Russian companies already use cloud services as part of their data protection strategy.
  • 70% of large companies already use containers in their main activities, and 26% plan to begin using them within 2022.
  • 52% of the data infrastructure of large companies is located in the data center, and 48% - in the cloud.

2021

Threat monitoring tools in Russia are not being introduced due to staff shortages

On September 12, 2022, SearchInform announced a study on the practical use of security information and event management (SIEM) systems in Russian business. The survey involved 300 commercial, state and non-profit organizations from different sectors of the economy.

In the public sector, 71% of companies invest in information security to comply with standards

The level of equipment of organizations with information security tools may fall by a third in the near future. This will affect those segments of information security where the share of foreign software is large. On April 7, 2022, SearchInform shared the data of its survey on how well Russian organizations are equipped with protective solutions.

According to the company, the equipment of Russian companies with security software does not correspond to the level of existing threats to information security. According to the SearchInform study, which the company conducted at the end of 2021, even security tools built into operating systems are not used everywhere.

Figure: Security tools used

Respondents from the commercial sector name real business needs (70%) as the main motivator for implementing information security software. In second place are the requirements of regulators (32%). In the public sector, the picture is the opposite: there, 71% of organizations invest in information security to comply with standards, and only 31.5% feel a real need for data protection. State organizations also face penalties from regulators for violating information security requirements three times more often (25.5% of respondents versus 8% in the commercial sector), although they consider reputational damage the main problem after leaks. Thus, 55% of state organizations declare that such incidents mainly cause them image damage, while only 22% of respondents in business say so.

Companies most often spend budgets on the extension of license keys for security solutions and technical support (86% of respondents). A little more than half of the respondents (53%) spoke about the purchase of equipment and software.

Figure: What information security measures does the organization allocate a budget for?
Figure: How has the security budget of organizations in the Russian Federation changed over three years?
"In the current situation, organizations face the question of strengthening protection. But over the past three years, we have seen that only a quarter of Russian companies are increasing information security costs. In 62% of companies, the budget remains unchanged and is spent on the extension of license keys and technical support, while in 2022 purchases and scaling of already implemented software are required. Another problem facing companies is the need to replace those foreign solutions that have suspended work on the Russian market. This will create the need to increase budgets for the purchase of software; we predict that the cost of making up for these losses will double during the year. In this regard, government support measures to subsidize procurement will be of great importance. Unfortunately, as of April 2022, a limited range of software is subsidized, and this is not enough. For example, there is a measure to support the introduction of cloud programs for SMEs, but it does not provide subsidies for information security software. This creates a risk that business processes will be digitized but not protected. But replacement is not always possible, or not possible at a fast pace, so the equipment of companies in some classes of software products will fall by a third. In particular, we are talking about specialized industry software, which is unique for each industry. For example, software for the digitalization of production, such as engineering or production control software, will be difficult to replace. Not only is this software often foreign, but in each case it is also refined for a specific enterprise over years. That is, companies will have to start the whole path of introducing software over again, even if an analogue from the Russian Federation formally exists," said Alexey Parfentiev, head of analytics at SearchInform.

1286 people took part in the study: heads and employees of information security departments, industry experts and heads of organizations from the commercial (74%), state (24%) and non-commercial (2%) sectors. The study covered IT, the oil and gas sector, industry, transport, the credit and financial sector, retail, health care and other industries.

The survey was conducted in the cities of Russia and the CIS. Respondents were interviewed in September - November 2021 in an offline format in the regions of Russia and online in the CIS countries.

Top 5 trends among cyber threats for corporate networks

On February 27, 2022, Accenture presented the data of its Cyber Threat Intelligence Report for the second half of 2021.

For more than 20 years, Accenture experts have been comprehensively monitoring and analyzing cases of cyber intrusion and the risks they pose to business. The company's specialists also consider methods of repelling cyber attacks in corporate networks. Based on these data, they identified five key trends that should be taken into account by business when forming an information security strategy.

Trend No. 1: Ransomware attacks still hit the target

According to Accenture, ransomware accounted for 35% of the total volume of all attacks in 2021, which is 107% more than in 2020. The largest share of such attacks worldwide falls on the United States: almost 45% of the total.

Ransomware attacks are mainly used against manufacturing, the financial sector, health care, IT, construction and industrial enterprises. Ransomware attacks remain the most expensive for businesses. LockBit and Conti are named among the most active hacker groups. At the same time, it is extremely difficult to track the ultimate beneficiaries of such cybercrimes.

Trend No. 2: Supply chains under attack

Technological landscapes are constantly becoming more complex, with many sectors of the supply chain increasingly branching, spanning different cities, countries and continents. The complexity of supply chains and the lack of a uniform data policy for all links is becoming a new headache for companies.

There is a problem of access through partners, which becomes more complex as the market becomes more complex.

Hackers can use weak links in supply chains for cryptojacking (unauthorized use of other people's devices for the purpose of hidden mining of cryptocurrencies), industrial espionage, deployment of ransomware and targeted attacks. In 2021, according to Accenture, 30% of all incidents were related to backdoor threats, that is, unauthorized access to networks and software of companies.

Trend No. 3: Corporate information theft boom

Corporate information theft accounted for 10% of all attacks committed in 2021. On the black market, trade in compromised data for logging into various systems, including corporate ones, has intensified: login passwords, system information files and cookies. The situation is aggravated by the relatively low prices for such information on the darknet. The availability of this data frees attackers' hands to access corporate networks.

Trend No. 4: Clouds are becoming a new target for hackers

The popularity of the cloud computing model carries many advantages for business, but at the same time draws the attention of hackers to storage systems in the cloud.

Attackers are increasingly using public cloud infrastructure as a springboard for attacks. One of the potential scenarios here is cryptojacking (cryptomining). Hackers use other people's computing resources to "mine" cryptocurrencies. At the same time, not all companies control the cloud infrastructure as well as local servers.

Migrating processes to clouds complicates data protection, but risks are often far-fetched. 74% of companies surveyed by IDG and Accenture consider placing data in the clouds safe. 73% said that as a result of migration, they received the best level of information security.

Moreover, the high level of data protection today is among the top 3 factors in deciding whether to move to the cloud. Back in 2016, more than 50% of companies called information security risks the main barrier to migration. But already at the end of 2017, as many organizations indicated the reliability of data protection as one of the reasons for the transfer of IT systems to the cloud.

Trend No. 5: Further development of technologies for searching for vulnerabilities

Accenture experts note significant growth in the underground market for vulnerability-discovery technologies that allow attackers to gain unauthorized access to corporate networks. Common security measures for companies include implementing the "zero trust" principle, monitoring network security, and strictly controlling network access and all user endpoints.

According to Andrei Tymoshenko, head of Accenture's information security practice in Russia, the trends presented in the study are also relevant for Russia, but with certain reservations.

For example, in Russia the transition to clouds is still at a relatively early stage, so the domestic market has yet to feel all the possible consequences of using insufficiently protected clouds.

File:Aquote1.png
With regard to ransomware viruses, there are a number of factors that allow us to argue that this is less common in our country. On the one hand, "Russian hackers" (if they exist) do not want to deal with our law enforcement agencies, so they try not to attack Russian companies. On the other hand, there is reason to believe that domestic antivirus software works more effectively against ransomware viruses. And finally, in our country the mandatory requirements to inform state regulators about computer attacks apply mainly to banks and critical information infrastructure facilities. The rest of the companies probably don't disclose that information. And those who must report are often simply unaware that they have been hacked. Therefore, we know only about the most high-profile cases, - notes Andrey Tymoshenko.
File:Aquote2.png

More than half of organisations face challenges in Zero Trust implementation

Fortinet presented the Global State of Zero Trust Report on January 26, 2022. The survey shows that although most organizations understand the importance of implementing Zero Trust or are in the process of implementing related initiatives, more than half of them cannot translate this understanding into the solutions they implement because some basic Zero Trust fundamentals are missing.

File:Aquote1.png
With the development of the cyber threat landscape, the transition to remote work, and the need for secure application management in the cloud, the Zero Trust model is a top priority for organizations. Our research has shown that while most organisations try to implement Zero Trust in some form, they do not have a holistic strategy and cannot implement some of the basic safety principles of this approach. An effective solution to close all of the Zero Trust's core infrastructure needs, including endpoints, cloud, and local systems, requires a mesh-structured cybersecurity platform-based approach. If the solution does not include all these items, it will be devoid of broad visibility and integration into all processes, said John Maddison, first vice president of product and solutions marketing at Fortinet.
File:Aquote2.png

FortiGuard Labs' Threat Landscape Report demonstrated an increase in the number and sophistication of attacks targeting individuals, organizations, and critical infrastructure. Organizations are looking for solutions to protect against these evolving threats, and Zero Trust comes first here for several reasons. In addition, the transition to remote work has drawn particular attention to zero-trust network access (ZTNA), as organizations need to protect themselves and their assets from the consequences of unsafe connections from poorly protected home networks.

The report demonstrates some confusion in understanding what a full Zero Trust implementation strategy includes. Respondents indicated that they understood the Zero Trust concept (77%) and ZTNA (75%), and more than 80% reported already having or developing a Zero Trust and/or ZTNA implementation strategy. However, slightly more than 50% indicated that they could not implement the main capabilities of Zero Trust. Almost 60% indicated that they do not have the ability to authenticate users and devices on an ongoing basis, and 54% have difficulty monitoring users after authentication.

This gap is a concern, as these functions are the most important principles of Zero Trust, and it calls into question the real state of Zero Trust implementation in organisations. Additional confusion is introduced by the terms "zero trust access" and "zero trust network access (ZTNA)," which are sometimes used interchangeably.

Image:Zero Trust.png

The priorities for Zero Trust are "minimizing the effects of violations and intrusions," followed by "protecting remote access" and "ensuring business or other operational continuity." "Improving user experience" and "achieving flexibility to ensure safety anywhere" are also important priorities.

Image:Zero Trust на первом месте, но приоритеты различны.png

"Security of the entire surface of digital attacks" was the single most important quality cited by respondents, followed by "the best user experience for remote work (VPN)."

Image:Безопасность всей поверхности цифровых атак.png

The vast majority of survey participants believe that it is vital for zero-trust security solutions to be integrated into existing infrastructure, to run in cloud and on-premises environments, and to be secure at the application level. However, more than 80% of respondents noted that implementing a Zero Trust strategy across an extended network is fraught with difficulties. For organizations that do not have or are not developing such a strategy, barriers include a lack of qualified resources, and 35% of organizations use other IT strategies to address Zero Trust.

The study is based on a global survey of IT executives, which aims to better understand how far organizations have come on their way to Zero Trust. The purpose of the survey is to understand the following:

  • how well respondents understand the essence of Zero Trust and ZTNA;
  • how they perceive the benefits and challenges of implementing a Zero Trust strategy;
  • the state of implementation and the elements included in their zero trust strategy.

The survey was conducted in September 2021 with 472 IT and security executives from 24 countries representing virtually all industries, including the public sector.

31,000 vulnerabilities identified per MaxPatrol VM pilot

On January 17, 2022, Positive Technologies described the factors that affect the significance of vulnerabilities, why a trending vulnerability found in a system must be eliminated quickly, what mistakes companies make in determining threats, and how to optimize the process of prioritizing vulnerabilities.

Positive Technologies specialists analyzed the data obtained as part of the MaxPatrol VM pilot projects in 2021, as a result of which more than 15,000 network nodes were scanned in the infrastructures of state institutions, scientific and educational institutions, financial organizations and telecommunications companies.

On average, 31,066 vulnerabilities were identified during scans in one pilot project, and critical vulnerabilities were found in every pilot project. On average, more than 800 vulnerabilities in a company's infrastructure are extremely dangerous; Positive Technologies calls such vulnerabilities trending (they are actively used in attacks or will very probably be used in the near future), and they require priority remediation.

Positive Technologies experts emphasize the need to prioritize vulnerabilities by their impact on the implementation of unacceptable events for companies, since not all vulnerabilities, even those with critical and high risk, can negatively affect the company's most valuable assets.

File:Aquote1.png
In our opinion, there are two groups of factors that affect the priority of eliminating the vulnerability: the significance and availability for the attacker of the asset on which the vulnerability was found, and the degree of danger of the vulnerability itself - the high probability that the attacker will exploit it. Often, security experts forget about the first group of factors and are guided only by the second. For example, according to the results of our survey, it turned out that 29% of respondents prioritize the discovered vulnerabilities only by type, basic CVSS assessment and the presence of an exploit. However, we believe that not a single group of factors should be neglected, - said Yana Yurakova, an analyst at Positive Technologies.
File:Aquote2.png

Table 1 - Examples of trend vulnerabilities

Image:Скриншот 17-01-2022 154526.jpg

According to Positive Technologies experts, before proceeding to the process of identifying vulnerabilities, you need to make sure that node scanning is performed correctly. The vulnerability management process should cover the company's entire IT infrastructure: it is necessary to check that all assets are identified and that, when new nodes appear or systems are decommissioned, the list of nodes to scan is updated. Otherwise an important asset, for example a 1C server or a domain controller, may fall outside the scan scope.

To do this, it is proposed to carry out the following steps in sequence:

  • determine what events could cause unacceptable damage to the company, identify key and target systems, and mark assets by degree of significance;
  • assess the impact of exploiting the vulnerability: to do this, you need to understand what the attacker will be able to do as a result of its exploitation;
  • rank vulnerabilities by the presence of a public exploit or PoC;
  • determine the availability of the system and the privileges of the attacker who could potentially exploit the vulnerability;
  • determine the vulnerability hazard level from the CVSS base score.

This approach will be relevant if the company wants to build an effective security system.

Positive Technologies believes that using this approach will allow, first of all, to eliminate the most dangerous vulnerabilities on truly critical assets, and only when the most important systems are protected, it will be possible to move to eliminate vulnerabilities on less significant assets using the same principle.
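The following is an added example that turns the two factor groups and the "critical assets first" rule described above into working code. It is not Positive Technologies' code and not how MaxPatrol VM scores vulnerabilities: the weights, field names, sample assets and vulnerability identifiers are assumptions constructed for this illustration.

```python
"""Prioritize vulnerabilities by asset significance and vulnerability danger.

Added example: the scoring weights, data model and sample data below are
assumptions made for this illustration, not a vendor's scoring scheme.
"""
from dataclasses import dataclass

# Assumed weights: how easily an attacker can reach the asset (factor group 1).
REACH_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}
# Assumed weights: what exploitation gives the attacker (factor group 2).
IMPACT_WEIGHT = {"rce": 1.0, "priv_esc": 0.8, "auth_bypass": 0.8,
                 "dos": 0.5, "info_leak": 0.4}
# Assumed weights: privileges the attacker needs before exploitation.
PRIV_WEIGHT = {"none": 1.0, "user": 0.7, "admin": 0.4}


@dataclass(frozen=True)
class Asset:
    name: str
    significance: int      # 0 = auxiliary ... 3 = target/key system (unacceptable event)
    reachable_from: str    # key of REACH_WEIGHT


@dataclass(frozen=True)
class Vuln:
    vuln_id: str           # constructed identifier, not a real CVE
    asset: Asset
    cvss: float            # CVSS base score, 0..10
    impact: str            # key of IMPACT_WEIGHT
    public_exploit: bool
    trending: bool         # actively used in attacks or very likely to be soon
    privileges_required: str  # key of PRIV_WEIGHT


def asset_factor(asset: Asset) -> float:
    """Factor group 1: value of the asset and its availability to the attacker."""
    return (asset.significance / 3) * REACH_WEIGHT[asset.reachable_from]


def danger_factor(v: Vuln) -> float:
    """Factor group 2: probability of exploitation and severity of the result."""
    exploit = 1.0 if v.trending else 0.8 if v.public_exploit else 0.4
    return (v.cvss / 10) * IMPACT_WEIGHT[v.impact] \
        * PRIV_WEIGHT[v.privileges_required] * exploit


def priority(v: Vuln) -> float:
    """Combined priority: both factor groups, neither one neglected."""
    return round(asset_factor(v.asset) * danger_factor(v), 3)


def rank(vulns):
    """Key systems first; within one significance tier, by combined priority.

    This follows the rule stated above: remediate the most dangerous
    vulnerabilities on truly critical assets before moving to less
    significant assets.
    """
    return sorted(vulns, key=lambda v: (v.asset.significance, priority(v)),
                  reverse=True)


def unscanned_assets(inventory, scanned_names):
    """Scope check: inventory assets that the last scan did not cover."""
    return sorted({a.name for a in inventory} - set(scanned_names))


# Constructed sample inventory and findings.
DC = Asset("dc01", 3, "internal")
ERP = Asset("1c-srv", 3, "internal")
WEB = Asset("web01", 1, "internet")
TEST = Asset("test-vm", 0, "internal")
MAIL = Asset("mail-gw", 2, "internet")
INVENTORY = [DC, ERP, WEB, TEST, MAIL]
SCANNED = ["dc01", "1c-srv", "web01", "test-vm"]   # mail-gw was never scanned

WEB_RCE = Vuln("VULN-1", WEB, 9.8, "rce", True, True, "none")
DC_PE = Vuln("VULN-2", DC, 8.8, "priv_esc", True, False, "user")
ERP_LEAK = Vuln("VULN-3", ERP, 7.5, "info_leak", False, False, "none")
TEST_RCE = Vuln("VULN-4", TEST, 9.8, "rce", True, True, "none")
SAMPLE_VULNS = [WEB_RCE, DC_PE, ERP_LEAK, TEST_RCE]

if __name__ == "__main__":
    for v in rank(SAMPLE_VULNS):
        print(f"{v.vuln_id:8} {v.asset.name:8} priority={priority(v)}")
    print("not scanned:", unscanned_assets(INVENTORY, SCANNED))
```

Note that VULN-1 has the highest combined score, yet the domain controller and 1C server findings come first in the ranking because they sit on key systems; the unscanned mail gateway is reported separately so it is not silently left out of the process.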

72.5% of organizations register cases of violations in terms of access control in information systems

The company "Rostelecom-Solar" on December 3, 2021 presented the results of the study "Violations in terms of access control in Russian companies." After interviewing representatives of about 100 metropolitan and regional companies from 9 industries, experts found out: 72.5% of organizations register cases of violations in terms of managing access to information systems, and in 55% of Russian companies such incidents lead to the leakage of confidential information.

At the same time, almost 90% of the study participants admitted that the number of such violations in their companies increased in 2021 compared to the previous year. 40% of companies register access violations more than 3 times a year, and 32.5% more than 5 times a year. About 30% of organizations face the problem no more than 2 times a year. No survey participant indicated that their company had not encountered such cases.

More than half of the respondents named the leakage of confidential information as the most frequent consequence of the various kinds of access violations in the organization's infrastructure. The second most common consequence of such violations (in 40% of cases) is the temporary unavailability of the company's information systems - websites, client services, etc.

In general, the survey participants attribute the most frequent mistakes of corporate users to a careless or negligent attitude of personnel towards information security and low information security literacy. 40% of access violations are caused by employees passing their passwords for the company's internal systems to colleagues, contractors or friends; in 30% of cases staff use weak passwords, and in another 22.5% they store them insecurely.

File:Aquote1.png
This problem is relevant for all companies without exception, and it is difficult to survive. The most vulnerable link in information security is the human factor - low responsibility of people and awareness of information security issues, which leads to serious damage to the company - not only to a hypothetical reputational, but also quite real financial. These are leaks of confidential information, which in some cases can lead to the loss of the entire business. And the disabling of the organization's IT resources, short-term or long-term, which is fraught with compensation to partners and customers for downtime as part of the company's fulfillment of its obligations, loss of customers and lost profits. It's not easy to deal with. The most promising solution is the use of specialized automated access control systems using multifactor authentication, biometrics and similar advanced technologies, - said Dmitry Bondar, director of the Solar inRights Access Control Competence Center of Rostelecom-Solar.
File:Aquote2.png

Another acute problem in the information security of organizations is the weak spread of the practice of automatically blocking the accounts of employees who leave the company. According to the study, in 50% of companies the access of resigned employees to internal systems remains unblocked in one way or another: some departing employees are simply forgotten, departing staff are not blocked in every system, or the accounts of departed specialists are not blocked at all. According to the observations of Rostelecom-Solar experts, such situations are not uncommon not only in small companies, but also, for example, in large Russian banks. The problem is also relevant for large IT enterprises, although their level of maturity in information security issues seems to be high.

The geography of the respondents was distributed among the 7 federal districts of Russia, the number of respondents did not include representatives of the Far Eastern Federal District. The survey of respondents was conducted in October-November 2021.

36% of employees at home care less about data security than in the office

On November 30, 2021, Iron Mountain Incorporated shared the results of a study of employee behavior conducted in September 2021, in which 11,000 company employees from 10 European countries were interviewed. The results showed that low awareness of the risks of unauthorized access to data is becoming a growing threat to information security. Rethinking their risk management strategy can help companies improve their resilience in the face of the "new normality."

A quarter (25%) of respondents said they were victims of fraud or phishing. Despite this, employees continue to compromise data security, with 34% of respondents using the same password across multiple platforms; 27% - forget to close their laptop when they leave their workplace; 24% use public Wi-Fi while working; 18% - store a note with their password on the table; 11% leave documents with sensitive data on the table.

Only 32% of respondents see the point in paper shredding.

In hybrid work, risks increase, with more than a third of employees (36%) admitting that they care less about data security at home than in the office.

According to the data obtained, one in three employees (32%) claims to have made a "critical" mistake when working with information, and 14% took a risk that cost their organization money.

Three quarters of employees believe that risk management is vital to protecting confidential information, but half of the respondents (49%) still believe that it is worth taking risks at work, and more men than women think so (54% versus 44%).

File:Aquote1.png
We all make mistakes, so risk by definition is an ever-present factor in the business, - said Sue Trombley, managing director of consulting at Iron Mountain. - But in the digital age, risks increase, therefore, risk management must constantly develop. In the context of the resulting business models, hybrid work and the growing threat of cyber attacks, it is more important than ever to effectively manage employees and internal risks in order to create resistance to external influences intentionally.
File:Aquote2.png

While the average cost of a data breach has reached US $4.24 million, these trends highlight the importance of effective workplace training for each employee to rethink their role in risk management.

However, the study's findings also make one think about the impact of ongoing awareness-raising efforts. While 66% of data management managers surveyed said 50-100% of employees attend risk training, more than a third (36%) of workers reported never having received such training.

File:Aquote1.png
A fraction of the riskiness allows businesses to innovate, but a lack of awareness of the potential daily dangers could hinder long-term sustainability, - added Sue Trombley. - We advise you to enable each employee to understand their role in risk management by introducing risk awareness into the company's culture.
File:Aquote2.png

An external attacker can penetrate the local network of 93% of enterprises

Positive Technologies experts analyzed the results of penetration testing and found that in 93% of cases an external attacker can overcome the network perimeter and gain access to local network resources, and it takes an average of two days to penetrate the company's internal network. In 100% of companies investigated, an internal attacker can gain full control over the infrastructure. PT announced this on November 29, 2021.

The study was conducted among financial organizations (29%), fuel and energy complex organizations (18%), in state (16%), industrial (16%) and IT companies (13%), as well as in companies from some other industries.

In the course of security analysis against an external attacker, Positive Technologies experts managed to overcome the network perimeter in 93% of projects. According to the company's experts, this figure has remained high for many years and confirms that for almost any corporate infrastructure, criminals will be able to find a way inside.

File:Aquote1.png
In 20% of projects, verification of information security events unacceptable for companies was carried out, - said Ekaterina Kilyusheva, head of the research group of the information security analytics department at Positive Technologies. - In these projects, companies on average identified six unacceptable events that needed to be implemented. In the opinion of our customers, the greatest danger to them is events related to violation of technological processes, services, theft of funds and important information. In total, it was possible to confirm the possibility of implementing 71% of the indicated events. It is noteworthy that an attack that will lead to the implementation of an unacceptable event will take an attacker no more than a month. The development of attacks on some systems can occur in a matter of days.
File:Aquote2.png

Although financial institutions are considered among the most protected, as part of the verification of unacceptable events in each bank, specialists were able to perform actions that violate the bank's business processes and affect the quality of the services provided. For example, access was obtained to an ATM management system, which could be used to steal funds.

The path of an attacker from external networks to target systems begins with overcoming the network perimeter. According to the study, on average, it takes two days to penetrate the company's internal network. Experts called the selection of credentials (71% of projects) the main way to penetrate the corporate network, primarily due to the fact that employees like to set simple passwords, including for accounts used to administer systems.

An attacker with domain administrator credentials can obtain many other credentials to move laterally across the corporate network and access key computers and servers. Administration, virtualization, security, or monitoring tools often help the intruder gain access to isolated network segments. According to the study, most companies do not segment the network by business process, which allows an attacker to develop several attack vectors in parallel until several unacceptable events are realized at once.

File:Aquote1.png
To build an effective protection system, you need to understand what unacceptable events are relevant for a particular company, - said Ekaterina Kilyusheva. - Following the path of the business process from unacceptable events to target and key systems, you can track the relationships and determine the sequence of protection measures applied. To make it difficult for an attacker to move inside the corporate network towards target systems, we offer a number of interchangeable and complementary measures, including separation of business processes, configuration security control, enhanced monitoring and lengthening of the attack chain. The choice of certain solutions should be based on the capabilities of the company and its infrastructure.
File:Aquote2.png

90% of workers believe that organizations often sacrifice cybersecurity for other purposes

On November 26, 2021, Trend Micro Incorporated published the results of a study according to which 90% of IT leaders say that their companies are ready to compromise on cybersecurity in favor of digital transformation, productivity or other goals. Moreover, 82% of respondents felt that they were being pressured to downplay the seriousness of cyber risks in front of the board of directors.

File:Aquote1.png
IT leaders are forced to engage in self-censorship: speaking to the board of directors, they are afraid to sound too persistent or too pessimistic. Almost a third of them feel pressure constantly. But this approach only reinforces a vicious cycle in which top managers do not realize the true scale of the risks, said Bharat Mistry, chief technology officer at Trend Micro in the UK. - Risks should be talked about in such a way that cybersecurity is seen as a fundamental driver of business growth, helping to unite the efforts of IT executives and company executives who are actually fighting for the same thing.
File:Aquote2.png

File:Aquote1.png
IT decision makers should in no way downplay the severity of cyber risks to the board. But they may have to choose different terminology so that both sides understand each other, - said Phil Gough, head of information security at Nuffield Health, the UK's largest healthcare company. - This is the first step towards aligning the business strategy with the cybersecurity strategy, and this step is very important. Formulating cyber risks in business terms will draw the necessary attention to them and help senior management recognize security as a factor in growth, and not an obstacle to innovation.
File:Aquote2.png

The study shows that only 50% of IT executives and 38% of business decision makers believe that top management is fully aware of the scale of cyber risks. Although some believe that this is due to the fact that the topic is complex and constantly changing, many are sure that the manager is either not trying enough (26%), or simply does not want to understand (20%).

There are also disagreements between IT leaders and business leaders over who is ultimately responsible for managing and mitigating risks. CIOs are almost twice as likely as business leaders to point to CIOs and CIOs. 49% of respondents argue that cyber risks are still seen as an IT problem, not business risks.

Such a contradiction can cause serious trouble: 52% of respondents agree that their organization's attitude to cyber risks is inconsistent and changes from month to month. However, 31% of respondents believe that cybersecurity is the biggest business risk, and 66% argue that it has the greatest impact on costs of all business risks - this looks like a contradiction when you consider the general willingness to compromise on security.

Respondents believe that there are three main factors that will force senior management to pay more attention to cyber risks:

  • 62% think this will happen after the organization is hacked;
  • 62% believe that a clearer and more understandable explanation of the business risks caused by cyber threats will help;
  • 61% are confident that customers can influence the situation if they start demanding better data protection.

File:Aquote1.png
For cybersecurity to become a board-level issue, top management must view it as a full-fledged business support tool, said Marc Walsh, an architect of corporate security at Coillte, an Irish forestry company. - This will encourage IT and security executives to formulate concerns before the board in the language of business risk. And that would require priority proactive investment from the board, not just temporary solutions after the hack.
File:Aquote2.png

A third of Russian companies were targeted

On November 9, 2021, Positive Technologies announced that it had conducted an anonymous survey among information security specialists of companies from nine industries: financial, industrial, public sector, fuel and energy complex, education, telecommunications, healthcare, media and IT. In each area, organizations were found that had been subjected to targeted attacks. Most often, financial companies became victims (44% of cases), enterprises of the fuel and energy complex were in second place (33%), and state institutions closed the top three (29% of cases).

More than 55% of large companies are not sufficiently protected from cyber attacks

On November 8, 2021, Accenture announced that it had released the "State of Cybersecurity Resilience 2021" report. The study answers the question of how effectively companies are taking measures to protect corporate networks. The Accenture Research team surveyed 4,744 executives of companies with annual revenues of at least $1 billion in 23 industries and 18 countries worldwide.

More than 55% of large companies do not effectively prevent cyber attacks, and detect and fix vulnerabilities too slowly, according to the Accenture study.

According to the company, 81% of respondents believe that the cost of preventing cyber attacks is unjustifiably high. In the 2020 study, only 69% of respondents thought so.

82% of companies increased spending on cybersecurity, but the number of hacks, including unauthorized access to data, applications, services, networks or devices, increased by 31% compared with 2020. On average, one company accounted for 270 such incidents.

The report emphasizes the need to use measures to protect information not only within the company, but also within the partner network throughout the ecosystem. Corporate network hacks often occur through "links" in the chain of organizations connected by electronic document management. 67% of companies believe that their ecosystem is safe, but indirect (through a partner) attacks accounted for 61% of the total in 2021 (44% - a year earlier).

Accenture analysts identified a small group of companies among the respondents (5%) that turned out to be not only cyber resilient but had also recouped their investments in security. They were called "Cyber Champions."

The strategy of "cyber champions" consists of several points:

  • there is a balance between the capabilities of technology to ensure cybersecurity and the company's desires and business goals to develop and expand;
  • information security departments report directly to the CEO and board of directors, demonstrating a greater understanding of development strategy and risks in working closely with business units and the CFO;
  • additional measures have been taken and technologies implemented to ensure data protection, including for applications and data in the clouds;
  • the maturity and performance of the cybersecurity program is assessed regularly, at least once a year.

To achieve sustainable and measurable cyber resilience, information security directors need to move beyond their security-only function and begin working with other units within the organization to gain a full understanding of business risks and priorities.

File:Aquote1.png
There are still companies in Russia that have not fully implemented even a basic or "gentleman's" set of protection measures, not to mention a layered defense system against cyber attacks. In such organizations, there is a direct correlation between the level of cybersecurity maturity and support from management and business. The more management support and engagement, the greater the company's cyber resilience and vice versa, - says Andrey Tymoshenko, head of Accenture's information security practice in Russia.
File:Aquote2.png

At the same time, according to him, Russia also has its own "cyber champions" - companies that pay more attention to cybercriminals and invest more in security than others.

According to Andrei Tymoshenko, in conditions of limited resources - such as time, qualified personnel, funding - it is necessary to correctly prioritize and make efforts to ensure cyber stability.

File:Aquote1.png
Developing competencies and raising security awareness beyond the information security function, automating routine operations and complying with regulatory requirements will help strengthen the security system in the short and long term, - adds Andrey Tymoshenko.
File:Aquote2.png

Hybrid work cybersecurity threatened by a "perfect storm"

On October 28, 2021, HP Inc. published the HP Wolf Security report Out of Sight & Out of Mind on changes in user behavior and the problems arising for IT departments with the growth of hybrid work.

According to the study, an increasing number of users purchase and connect devices to the corporate network without the knowledge or approval of IT departments. In the HP Wolf Security report, experts also note the increased level of threats and a growing number of phishing attacks that successfully bypass security. As a result, IT support for employees is more complex, time-consuming, and costly than ever.

The "Out of Sight, Out of Mind" report combines data from the YouGov global online survey, which involved 8,000 office employees who switched to remote work during the pandemic, as well as survey data from 1,100 IT decision makers conducted by Toluna. Among the main conclusions are the following:

The use of "shadow IT" violates corporate security standards: the term "shadow IT" means the use of work tools bypassing IT specialists, and the phenomenon is becoming very common. In 2020, about 45% of interviewed employees purchased IT equipment (such as printers or PCs) to work from home. At the same time, 68% said that security was not among the main criteria for their purchase decision, 43% of respondents did not hand over their new laptop or PC to an IT specialist for verification and configuration, and 50% gave the same answer about their new printer.

Phishing attacks began to achieve their goal more often: 74% of IT employees noted that over the past year there have been more clicks on malicious links or openings of infected e-mail attachments. During 2020, 40% of interviewed office workers between the ages of 18 and 24 opened unsafe emails, with nearly half (49%) attributing this to the switch to remote work. Of the office employees who received "trap links" from cybercriminals, 70% did not report visiting malicious sites to the IT department: 24% did not consider it important, 20% cited a "complexity factor," and 12% were afraid of disciplinary sanctions.

The increase in the number of hacked devices is proportional to the number of recovery requests: 79% of IT professionals report that the number of requests to recover hacked systems has increased during the pandemic. The volume of cases directly correlates with the number of personal devices that had to be cleaned and have their software reinstalled because they were attacked. This, in turn, means that more attackers are successfully overcoming existing protection. The real figure may be even higher: 80% of IT respondents fear that employees' devices may be hacked while the users themselves are not aware of it.

"Users often don't know if they've followed a malicious link or opened an infected attachment, so the real numbers can be much higher," said Ian Pratt, global head of personal system security at HP Inc. "Attackers tend to do everything to stay unnoticed for as long as possible. Acting carefully, they make their way into the depths of the infrastructure, where the cost of the damage is already completely different. For example, they use cloud backups to extract confidential data, encrypt these files on servers and then demand a multi-million dollar ransom.

You should not allow intruders such easy penetration into the system just because a mail attachment was opened. Isolating and containing threats can mitigate any devastating impact by preventing malicious code from gaining a foothold and preventing an attack from scaling up."

As threats grow, IT departments are finding it harder to support information security. In particular, 77% of specialists reported that over the past year, the cost of resources required to identify threats increased, while 62% of alerts about the risk of hacking devices turned out to be false, which led to a waste of time. As IT teams are busy working out such signals, it becomes more difficult for them to identify threats and integrate new workers into the corporate network:

  • 65% of IT specialists say that installing security patches on personal devices takes a lot of time and is complicated by the massive transition of employees to remote work. When asked about provisioning and configuring security for new users, 64% of specialists cited the same difficulties.
  • As a result, experts estimate that the cost of IT security support has increased by 52% over the past 12 months.
  • 83% of IT employees note an increase in workload during the pandemic due to problems with protecting users who are working remotely. 77% of IT teams say that the transition of employees to a remote format greatly complicates the workflow. Companies fear that this will lead to professional burnout of cybersecurity specialists and, as a result, to the outflow of personnel.

"With the increased workload and complexity faced by IT teams, it's becoming more difficult to manage security processes," Pratt concluded. "For hybrid work to be successful, IT employees must be relieved of the need to spend hours processing routine user requests so they can focus on higher priorities. We need a new security architecture that protects not only against known and not yet identified threats, but also helps reduce the burden on specialists and users. By adhering to Zero Trust principles, organizations can develop sustainable security systems to protect businesses and ensure rapid system recovery should they be compromised."

HP helps organizations secure hybrid workplaces by providing teams with all the management tools they need. With HP Wolf Security, organizations get robust built-in protection from hardware to cloud and from BIOS to browser. HP Wolf Security allows you to analyze reporting data from devices, which helps teams achieve comprehensive protection and privacy.

Companies respond to cyber attacks only after 2 days

In mid-October 2021, information appeared that the average company takes 20.9 hours to respond to cyber attacks, which is more than two working days. This follows a new report by Deep Instinct, which says 86% of security professionals are unsure that their employees will not follow malicious links.

The report from Deep Instinct analyzed the answers of 1.5 thousand cybersecurity specialists working in companies with a staff of more than 1 thousand people from 11 countries. Respondents cited a lack of threat prevention tools specific to never-before-seen malware as one of their top concerns, followed by a shortage of qualified employees and covert countermeasures tactics.

"Attacks by ransomware and other malware will not stop in the near future. That is why organizations need to be better prepared to deal with potential threats by adopting a prevention-based approach. Our findings shed light on the numerous challenges security teams face on a daily basis and provide insight into the serious needs the industry has to address," said Deep Instinct CEO Guy Caspi.

The study also found that 99% of respondents believe that not all endpoints in their companies are protected by at least one software agent. Only one-third say all endpoints have the same level of protection, with 60% saying they cannot consistently block threats on different endpoints.

Participants in the survey conducted by Deep Instinct also noted that compromises in cloud and file storage are still difficult to fix. 80% reported that files stored in the cloud are not checked for vulnerabilities, and 68% said they have at least some concern about fellow employees unwittingly downloading malicious files and compromising the environment.[5]

Global organizations use an average of 29 security monitoring solutions

On October 12, 2021, Trend Micro Incorporated announced that global organizations use an average of 29 security monitoring solutions. This complicates the work of security operations centers (SOCs) in prioritizing alerts and effectively managing risk.

A global independent study has identified serious challenges facing SOC teams in detecting and responding to cyber threats. Specialists who work in organizations with more than 10 thousand employees deal on average with almost 46 monitoring tools.

Half (51%) of respondents said they did not actually use many of the available tools for these reasons:

  • lack of integration (42%),
  • lack of qualified specialists (39%),
  • difficulties in managing tools (38%),
  • obsolescence of tools (37%),
  • lack of trust in them (20%).

The potential damage as a result of such problems can be high: respondents said that on average their organizations could lose more than 235,000 US dollars if the GDPR regulations were violated due to an incident.

"An excessive number of tools is an increasingly common phenomenon in global organizations of any size. However, when it comes to incident detection and response, costs, sometimes unconfirmed, continue to rise," said Bharat Mistry, CTO of Trend Micro in the UK.

The study also found that 92% of respondents considered outsourcing detection and response using managed services. Solutions such as these usually help to recoup the lack of internal resources and provide the company with a single unified platform for improving incident response.

"Despite the fact that organizations are forced to pay for licensing and maintenance, SOC teams are increasingly stressed by trying to manage several solutions at the same time. Failure to prioritize alerts can result in data loss. Unsurprisingly, many organisations prefer the 'Security Operations Centre as a Service' (SOC-as-a-Service) model," Bharat Mistry added.

The study is based on interviews with 2,303 IT security decision makers in 21 countries. They include executives who manage SOC teams (85%) and those who manage SecOps from the internal IT security group (15%). All respondents represented companies with more than 250 employees.

Over 77% of Russian entrepreneurs are not ready to pay a ransom for decrypting data

On September 23, 2021, Group-IB reported that 77.4% of Russian entrepreneurs are completely unprepared to pay a ransom for data decryption, while more than half of the respondents (51.9%) admit that their company is "rather not protected" from ransomware attacks.

In early September 2021, The Bell, together with Group-IB experts, conducted an online study among Russian entrepreneurs on whether they encountered cyber attacks, whether their networks are protected from ransomware, and whether businessmen understand well that even such a familiar thing as e-mail can become an entry point for attackers.

According to the survey, 27.4% of Russian entrepreneurs have been subjected to cyber attacks over the past two years; the majority (59.4%) say that this problem did not affect them ("they were lucky"), and another 13% do not know whether there were such attacks at all, because IT or security specialists should deal with this issue. More than half of the surveyed businessmen (50.9%) consider the threat of ransomware dangerous, and about the same share (51.9%) are convinced that their company is "rather not protected" from ransomware attacks.

It is worth noting that in recent years, not only large corporations but also companies from the medium and small business segment, including in Russia, have been targeted by ransomware. According to the Group-IB Computer Forensics Laboratory, the number of attacks on organizations in the Russian Federation in 2021 increased by more than 200%. The ransom demanded from Russian companies, as a rule, depends on the size of the organization. In general, the range is from several hundred thousand to tens of millions of rubles, while the average ransom paid in 2021 amounted to about 3 million rubles. The average downtime of an attacked company is 18 days.

77.4% of representatives of Russian small and medium-sized businesses surveyed by The Bell are "completely unprepared to pay" cybercriminals to decrypt data if they are attacked by ransomware. Another 17.9% are ready to part with 5 million rubles, and 3.7% would transfer even 10 million rubles to attackers in order to get valuable data back. Only 1% of respondents said they would not begrudge 100 million rubles for decryption. At the same time, 33% of entrepreneurs said that a stoppage of only a few hours is already critical for their business, and for another 30% a day of downtime is critical.

Email, along with the compromise of publicly accessible terminal servers (RDP), remains one of the most popular initial vectors of targeted attacks, both for cybercriminals and for state-sponsored hacker groups. 50% of Russian entrepreneurs surveyed by The Bell know that email is the point of penetration into the network in 40-60% of cases. At the same time, the same number, 50%, do not use additional mail protection technologies, limiting themselves to built-in capabilities. About 16% do not think that mail needs to be protected at all.

"Despite the fact that the results of our study look rather optimistic, they showed a paradoxical thing: most of the respondents know that they are not protected from attacks and realize the danger of ransomware, but do not try to effectively protect themselves from it. I have yet to see an email system that could not be 'breached.' Underestimating this simplest vector of penetration by the same ransomware is dangerous. The illusion of security is fueled by the fact that in Russia there is no big news about huge ransoms, as in the West. But it's only a matter of time," said Oleg Skulkin, deputy head of the Group-IB Computer Forensics Laboratory.

Group-IB specialists have developed an online test to assess the level of email protection and the likelihood of becoming a victim of intruders. The test is built on more than 30 scenarios of real cyber attacks. All Bell.Club participants were invited to take it. According to the survey, 50% of entrepreneurs expressed their readiness to assess how well protected they are.

1 out of 10 Russian organizations is aware of the danger of vulnerabilities in web applications

In 2020, web attacks accounted for a third of all information security incidents. However, only 10% of Russian organizations consider web applications a priority element of the infrastructure for vulnerability scanning. This follows from the Rostelecom-Solar survey on Vulnerability Management (VM) trends, which the company shared on September 14, 2021. Regular penetration tests conducted by the company's specialists show that more than half (57%) of web resources have critical vulnerabilities that even unprofessional hackers can exploit.

As part of the study, which was conducted in April-June 2021, representatives of 200 organizations of various scales and profiles (public sector, finance, industry, IT, etc.) were interviewed.

According to the survey, only 7% of organizations realize the importance of scanning an isolated (i.e. not connected to the Internet) segment of the IT infrastructure. For example, these are industrial networks or closed government data exchange systems. Scanning the external perimeter is considered important by 29% of respondents. 45% of respondents named the organization's local network as the key element for analyzing vulnerabilities. And only a tenth of respondents consider it important to scan all elements of the infrastructure.

"Concentration on one of the infrastructure segments leads to a significant weakening of the security of the other. On the one hand, it is the vulnerabilities of internal network nodes that hackers use to develop an attack within the infrastructure (to steal data, influence technological processes, etc.). On the other hand, companies that concentrate on internal vulnerabilities pay insufficient attention to external ones, which allow attackers to penetrate the internal network," said Maxim Bronzinsky, head of the Vulnerability Management department of Rostelecom-Solar's cybersecurity services platform Solar MSS. "According to our estimate, 44% of web applications (for example, corporate portals and mail applications) have incorrect access rights settings, and 29% allow SQL injection. As for an isolated segment, automatic software updates that close many vulnerabilities are not available there due to the lack of an Internet connection. This becomes critical, since a manual or semi-manual patch installation process is absent in 90% of Russian organizations."

In general, according to the survey, 70% of organizations have vulnerability control in one form or another. However, in most of them, scans are not done regularly enough: more than 60% of companies scan infrastructure once a quarter or less. This, according to experts of "Rostelecom-Solar," does not correspond to the dynamics of the emergence of vulnerabilities. At the same time, analysis of critical servers and work computers of employees is carried out more regularly. Once a quarter and less often, these infrastructure elements are checked by 40% of respondents, the rest - more often.

In almost all organizations, scanning is either carried out automatically (as 41% of respondents answered), or by one dedicated information security specialist (39%). This is not enough for the operational processing of data received from the scanner and the formation of current recommendations for closing the found vulnerabilities, experts say.

At the same time, some of the respondents point to problems in the interaction between information security services and IT administrators of their organizations in terms of installing patches. In 12% of the surveyed companies, IT services do not respond in any way to requests for the necessary updates, even during the period of massive pandemic attacks.

Regular scans provide, among other things, an inventory of digital assets. If a company has no vulnerability management process and no resources to process the received data, so-called shadow IT arises in the infrastructure: unaccounted for and therefore unprotected areas of the IT landscape that hackers can use to carry out an attack.
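To show what the inventory side of regular scanning looks like in practice, here is an added example that is not Rostelecom-Solar's code or the survey's own tooling. It reconciles one scan result against the asset register and reports three things: hosts the scanner saw but nobody registered (the shadow IT described above), registered assets whose last scan is older than the policy window (the "once a quarter or less" cadence the survey criticizes), and registered assets the scanner never reached, which is where an isolated segment without a scanner route shows up. The hostnames, owners, segments, dates and the 90-day window are constructed sample values, not figures from the study.

```python
"""Reconcile a vulnerability scan against the asset inventory.

Added example (not Rostelecom-Solar's code). Every record below is
constructed sample data; the 90-day policy window is an assumed value.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    host: str
    segment: str               # "external", "internal" or "isolated"
    owner: str
    last_scan: Optional[date]  # None means the asset was never scanned


# Constructed inventory: what the security team believes exists.
INVENTORY: List[Asset] = [
    Asset("www.example.internal", "external", "web-team", date(2021, 6, 1)),
    Asset("mail.example.internal", "external", "it-ops", date(2021, 3, 2)),
    Asset("erp.example.internal", "internal", "finance-it", date(2021, 5, 20)),
    Asset("scada-hmi-1", "isolated", "ot-team", None),
]

# Constructed scan output: hosts actually observed, with their open ports.
SCAN_RESULTS: Dict[str, List[int]] = {
    "www.example.internal": [443],
    "mail.example.internal": [25, 443],
    "erp.example.internal": [8443],
    "dev-portal.example.internal": [80, 8080],  # nobody registered this host
    "printer-3f": [9100, 80],                    # bought without IT involvement
}


def find_shadow_assets(inventory: List[Asset], scan_results: Dict[str, List[int]]) -> List[str]:
    """Hosts the scanner observed that are absent from the register."""
    known = {a.host for a in inventory}
    return sorted(h for h in scan_results if h not in known)


def find_stale_assets(inventory: List[Asset], today: date, max_age_days: int = 90) -> List[str]:
    """Registered assets whose last scan is older than the policy window.
    An asset that was never scanned is always stale."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.host for a in inventory
                  if a.last_scan is None or a.last_scan < cutoff)


def find_unreached_assets(inventory: List[Asset], scan_results: Dict[str, List[int]]) -> List[str]:
    """Registered assets the scanner did not see at all: decommissioned,
    or the scanner has no route into that segment (typical for isolated ones)."""
    return sorted(a.host for a in inventory if a.host not in scan_results)


def build_report(inventory: List[Asset], scan_results: Dict[str, List[int]],
                 today_iso: str, max_age_days: int = 90) -> Dict[str, List[str]]:
    """Combine the three checks; today_iso is an ISO date such as '2021-07-01'."""
    today = date.fromisoformat(today_iso)
    return {
        "shadow": find_shadow_assets(inventory, scan_results),
        "stale": find_stale_assets(inventory, today, max_age_days),
        "unreached": find_unreached_assets(inventory, scan_results),
    }


if __name__ == "__main__":
    for kind, hosts in build_report(INVENTORY, SCAN_RESULTS, "2021-07-01").items():
        print(f"{kind:>9}: {', '.join(hosts) or '-'}")
```

Each list maps to a different owner action: shadow hosts need an owner and a first scan, stale hosts need the scan cadence fixed, and unreached hosts need either a scanner deployed inside the segment or confirmation that the asset is gone.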

Production enterprises are the most frequent "victims" of internal information security violations

On September 9, 2021, Rostelecom-Solar shared the results of the study "Which organizations are more likely than others to be subject to internal violations of corporate security and service discipline?" After analyzing data from pilot projects using the Solar Dozor leak protection system in 97 Russian companies from 2018 to 2020, Rostelecom analysts compiled a portrait of the organization that is a typical "victim" of internal violators.

The average organization in which various violations of internal information security and labor discipline occur most often (including violation of the rules for the safe handling of confidential information) belongs to the production/research and production sphere, has more than 1000 people on staff. Here, an average of 1900 violations are recorded in 3 months, 7 of which are recognized by the information security service as highly critical.

"Contrary to the popular belief that information leaks are not typical for production units, where people are busy rather than sitting on social networks, piloting our DLP system in organizations in this area demonstrates the opposite. In general, the bulk of violations here are recorded among the so-called office, or administrative, personnel of production enterprises. A significant share of these violations are violations of official discipline: part-time work, misuse of working time and of the employer's equipment. At the same time, such companies have something to lose and, accordingly, to seriously protect: the leakage of innovative and secret developments or the results of scientific research is fraught with serious losses, both reputational and financial. And in the case of state research and production organizations, we may well be talking about leaks of information constituting a state secret," said Elena Chernikova, senior business analyst at Rostelecom.

Of the 97 organizations that tested the operation of the leak protection system, 70 recorded various information security events. Their total number was over 320 thousand, that is, about 4600 potential disciplinary and information security violations on average in each organization. One of the "leaders" in the number and frequency of detection of critical violations was a management consulting and recruitment company: 196 critical violations out of 14.5 thousand recorded "events" (every 80th security event is critical). 172 critical-level events were recorded in an organization from the transport and logistics sphere, where the total volume of traffic accumulated over 2 months of piloting amounted to slightly less than 780 thousand messages. A large financial institution rounds out the "top three," with 54 critical events recorded among 13 million accumulated messages.

In general, the "Top 5" industries in which companies faced the most critical violations include research and production organizations (4181 violations), production (1968), financial organizations (1847), transport and logistics (1335), public authorities and the provision of public services (460). Most often in companies in these industries there are internal violations of the rules for working with documents with the heading "For official use" and other confidential documents. They are uncontrollably copied to removable media, sent to external email addresses on free mail services, stored in the public domain on the internal network.

The leaders in the number of violations detected are the units serving the main production processes: accounting (14.8%), IT and technical support (12.9%), personnel and marketing (10.3%) and procurement (9.5%). In total, they account for almost half of all violations. Here, most often, the common type of violation "misuse of working time" appears. At the same time, risks from more "disciplined" units should not be underestimated. Here, internal violations can result in the most serious consequences for the company: sensitive information about customers can "leak" through the sales department, and unique technological developments through the design bureau.

The study is based on an analysis of anonymized report data from the piloting of the Solar Dozor DLP system in 97 organizations in Russia and the CIS over three years, from 2018 to 2020. In addition, just under 300 specialists from various departments of these organizations were interviewed for the purpose of the study. Half of the organizations participating in the study are companies of over 1000 people. The sample includes such market segments as Production, Education, Finance, Retail, Services, Transport, Culture, Medicine, Industry, IT/Telecom and Public Administration, among other areas: over 15 industries in total.

91% of IT employees are forced to compromise on cybersecurity issues

On September 9, 2021, HP Inc. published the HP Wolf Security report "Rebels & Rejections," a global study indicating the presence of internal friction and tension between IT specialists and employees working remotely. To protect workplaces in the future, security chiefs should pay attention to this issue.

The results of the study show that against the backdrop of growing threats, IT employees are forced to make compromises and put enterprise cybersecurity at risk to ensure business continuity. To exacerbate the situation, their efforts to improve security measures for remote employees often meet with no understanding from those very employees. This is especially true for young people aged 18-24, who are increasingly frustrated that security rules prevent them from doing their work on schedule, which is why many are forced to bypass control measures.

The HP Wolf Security report presents pooled data from the YouGov global online survey, which involved 8,443 office workers who switched to a remote work format during the pandemic, as well as a global survey conducted by research firm Toluna among 1,100 IT decision makers. Among the main conclusions are the following:

  • 76% of IT employees surveyed admit that security took a back seat to ensuring business continuity during the pandemic, with 91% of respondents reporting that they were forced to compromise on security in order to maintain business continuity.
  • Almost half (48%) of young office employees surveyed (aged 18-24) perceive security measures as interference in the performance of their work, as a result of which almost a third (31%) of respondents try to bypass corporate security policies in order to fulfill their tasks in a timely manner.
  • 48% of office workers surveyed agreed that safety measures, although they look necessary, lead to a significant loss of time, and this figure increases to 64% for those aged 18 to 24 years.
  • More than half (54%) of young respondents between the ages of 18 and 24 were more concerned about meeting deadlines than about their organisation being susceptible to data breaches; 39% did not know what their corporate security policies said, or even whether such policies existed in their companies, which indicates growing indifference among young employees.
  • As a result, 83% of IT professionals believe that an increase in the proportion of employees working from home leads to the effect of a "time bomb," and will inevitably lead to a hacking of the corporate network.

"The fact that workers are actively bypassing security measures should be of concern to any information security director; this is how threats arise and leaks happen," said Ian Pratt, head of the security department at HP Inc. "If the security system is too complex and interferes with people, people will somehow find a way to bypass it. Therefore, it must be as consistent as possible with existing workflows and use unobtrusive, secure and intuitive technologies for users. Ultimately, we need to make sure that working safely is as simple and convenient as working without protective technology, and we can achieve this by initially embedding security in corporate systems."

The report highlights that 91% of companies have updated their security policies to account for the growing number of employees working from home, while 78% have restricted their access to websites and apps. However, all these measures often displease users who reject and oppose innovations, as a result of which the employees responsible for IT security feel that they are not taken seriously:

  • 37% of office employees surveyed say that security technologies are often too strict.
  • 80% of IT security professionals faced opposition from users who do not like the measures taken for those working from home; 67% of IT professionals report receiving user complaints about this every week.
  • 83% of IT professionals said attempts to establish and enforce corporate cybersecurity policies are impossible due to the fact that the boundaries between the personal and professional lives of employees are extremely blurred.
  • 80% of IT professionals believe that ensuring information security is becoming a "thankless task" because no one listens to their opinion.
  • 69% of IT professionals claim that due to the need to impose such restrictions, they feel "like villains."

"Information security directors are facing a growing volume of attacks and an increase in their speed and severity," said Joanna Burkey, Chief Information Security Officer (CISO) at HP Inc. "Their teams have to work around the clock to ensure information security, and at the same time try to digitalize their business in conditions where employees' devices are outside the company's perimeter. The burden of ensuring security should not rest solely on the shoulders of IT professionals, because information security is a complex task in which everyone should participate.

To make a security culture a common cause, we must involve employees in its formation and educate them about the growing risks. At the same time, IT needs to better understand how cybersecurity affects employee workflows and productivity. So we need to rethink security with both business and hybrid workforce needs in mind."

Technology network of 75% of industrial enterprises is open to hacker attacks

Positive Technologies experts noted the low security of companies in the industrial sector. During penetration tests, the company's specialists gained access to the technological segment of the network of 75% of industrial companies. PT announced this on August 24, 2021.

According to experts, the attack vector for accessing critical systems can be simple, and the potential damage can be serious. Thus, gaining access to process control systems by an attacker can lead to a shutdown of production, disabling industrial equipment, damage to products and an accident.

"As of August 2021, security in most industrial companies is at a low level," said Olga Zinenko, senior analyst at Positive Technologies. "The main shortcomings are weak protection of the external network perimeter accessible from the Internet, weak protection against penetration into the technological network, device configuration flaws, as well as the use of dictionary passwords and outdated software versions."

According to the study, in 75% of industrial companies the testers gained access to the technological segment of the network, which in 56% of those cases then allowed access to process control systems. Thus, upon gaining access to the technological segment of the network, attackers in more than half of the cases will also be able to gain access to the production process control system, which can lead to serious consequences: from disruption of the enterprise to loss of life.

According to Positive Technologies experts, it is impossible to verify the feasibility of most unacceptable events in the real infrastructure. Here a cyber range can come to the rescue: using it to analyze the security of production systems makes it possible, without fear of disrupting real business processes, to correctly verify unacceptable events and the consequences of their implementation, and to assess possible damage. For example, at The Standoff 2021 cyber range, the attacking teams were asked to implement unacceptable events on the infrastructure of a gas distribution station. It took the attackers two days to disrupt the gas supply process. The hackers managed to gain access to the gas station control system, stop the gas supply process and stage an explosion. In real life, a hacker attack on a gas distribution station can lead to human casualties, the resignation of leadership, and lawsuits. Information security experts would definitely not be allowed to carry out attacks that violate or stop technological or business processes on real infrastructure, which means that the feasibility of unacceptable events would remain in question.

Year-over-year increase in risk of cyber attacks on businesses worldwide by 24%

On August 06, 2021, Avast, based on its own research data, reported that the likelihood that a business would face cyber threats increased worldwide by 24% over the year, from 11.25% to 13.9%. This information is presented in the latest Avast Global PC Risk Report, which examines the threats to PCs that Avast blocked in March-April 2021. The results are compared to 2020 data for the same period.

Global Attack Data Map: All Threats to Business

According to the report, in Russia, the probability that a business will face any type of PC malware is 20.64%. This is higher when compared with the average in the world.

"Due to the pandemic, many companies were forced to move their employees to remote work from home in a very short time. This created serious security problems: not every organization was ready to provide access through VPN and remote access solutions. Cybercriminals took advantage of it. We observed an increase in RDP attacks (RDP stands for Remote Desktop Protocol) and in ransomware attacks. In general, the likelihood that organizations will face malware attacks has increased worldwide," said Michal Salat, director of threat analysis at Avast.

In the report, researchers also consider the risk of businesses being hit by advanced threats. Avast defines advanced threats as new threats, not previously seen by anti-virus software developers, designed to bypass the common protection technologies included in security software, such as signatures, heuristics, emulation, URL filtering and email scanning. For the advanced type of threats, the risk ratio for business in Russia is 4.17%, and in the world as a whole 2.29%.

World Attack Data Map: Advanced Threats to Business

The situation in the world

Regions with more acute, conflict-ridden socio-political situations seem to be at greater risk online. Asian countries are among those with the greatest risk to business, followed by the countries of Africa and Eastern Europe.

Top 10 countries where business is most at risk of encountering threats:

Regions with the lowest risk of encountering all types of threats are the countries of Northern, Western and Central Europe, as well as the United States, Latvia and the Dominican Republic.

The situation changes when considering complex threats, where the common denominator seems to be the size of states with a population of less than 11 million people.

The Avast Global PC Risk Report contains a statistical section on cyber attacks for the first half of 2021 (taking into account data for the period from March 16, 2021 to April 14, 2021).[6]

More than half of web applications allow hackers to penetrate the infrastructure of Russian enterprises

57% of web applications contain critical vulnerabilities that allow attackers to steal sensitive data, execute arbitrary code and take full control of the attacked resource. These are the results of a year-long security analysis of Russian companies carried out by Rostelecom-Solar experts, which the company shared on July 22, 2021. The organizations studied came from finance, the energy sector, information technology, telecom and other industries.

Web applications are sites that interact with users: for example, web mail, the personal account of a bank or online store, or a corporate portal for employees. Such interactive resources became even more relevant during the pandemic, when many activities moved online and the Internet became a key channel of interaction with customers, business partners and colleagues.

"A poorly protected web application opens up many opportunities for attackers. This can be access to the company's local network, control over the server, disruption of the application itself, distribution of malware, theft of the database, and much more. At the same time, most of the vulnerabilities and shortcomings that we find during penetration tests have a fairly low exploitation complexity, that is, even amateur hackers, not to mention professional cybercriminals, can carry out a successful attack with their help. This makes the web application one of the most vulnerable elements of the external perimeter. Therefore, it is important to analyze the security of developed applications before they are released to production, as well as during updates, in order to fix critical vulnerabilities," said Alexander Kolesov, head of the security analysis department at Rostelecom-Solar.

The most common web vulnerabilities are broken access control (incorrectly configured access rights) and disclosure of configuration data. Broken access control allows a user to perform actions for which he should have no rights, for example to elevate his own account to administrator level. This class of vulnerability stems from the complex logic of web applications, which provide different functionality to a large number of user roles.

When configuration data is disclosed, an attacker obtains information about the structure of the web application (internal IP addresses, API keys, debug scripts, application logs). Besides technical information, application logs sometimes also contain personal data of the organization's customers and employees.

Some of the vulnerabilities discovered allow an attacker to penetrate the company's network even without fully "capturing" the application, for example through server-side request forgery (SSRF). With this vulnerability, an attacker can make the server send requests on its own behalf to both external and internal resources and extract restricted information from the system. This scenario arises when an application that accepts a URL (or builds an HTTP request from user input) does not check the destination address before sending the request.
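
The destination check the previous paragraph describes, as an added example that is not code from the Rostelecom-Solar study: a Python URL fetcher showing the flawed pattern beside a validator that resolves the host and rejects any URL whose destination falls in a loopback, private, link-local or other internal range. The blocked ranges, the stand-in resolver table (FAKE_DNS) and the sample host names are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlparse

# Networks an application server should never be talked into reaching on a
# client's behalf: unspecified, loopback, RFC 1918 private space, link-local
# (which includes the cloud metadata address 169.254.169.254), multicast, and
# their IPv6 counterparts. Assumed list; extend it for your own address plan.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed name-resolution table standing in for DNS so the example runs
# offline. A real check would call socket.getaddrinfo() and test every address
# it returns, exactly as done below.
FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "intranet.corp.example": ["10.20.30.40"],
    # DNS rebinding: a public address alongside a loopback one
    "rebind.attacker.example": ["203.0.113.99", "127.0.0.1"],
}


def resolve(host):
    """Every address a host name maps to (hypothetical resolver)."""
    try:
        return [str(ipaddress.ip_address(host))]  # already an IP literal
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as
    # the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def vulnerable_target(url):
    """The flawed pattern: whatever host the user supplied becomes the destination."""
    return urlparse(url).hostname


def validate_target(url):
    """Return (ok, reason); the request may be sent only when ok is True.

    Checks the scheme, refuses credentials embedded in the URL, resolves the
    host and rejects the URL if *any* resolved address is in a blocked network.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, "destination %s is in a blocked network" % addr
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.partner.example/v1/report",
              "http://169.254.169.254/latest/meta-data/",
              "http://intranet.corp.example/admin",
              "http://rebind.attacker.example/",
              "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd"):
        print("%-45s naive=%-18s checked=%s" % (u, vulnerable_target(u), validate_target(u)))
```

Two caveats belong with this check. The connection must be opened to the address that was validated (pin it) rather than resolving the name a second time at connect time, otherwise a rebinding host can pass the check and then answer with an internal address; and any HTTP redirect the fetched resource returns must go through the same validation. Where the set of legitimate destinations is known, an allow-list of hosts is simpler and stronger than a block-list of networks.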

In some systems, experts also found flaws that allow an attack directly on the user, for example cross-site scripting (XSS). Such attacks work as follows: JavaScript code is injected into the application and is then executed in the victim's browser. The attacker's goals can vary: performing actions on behalf of the user, stealing his personal data, mining cryptocurrency and much more.

Besides web applications, remote access systems (for example VPN or RDP) are another likely point of entry into the corporate network. During the pandemic the number of such attacks grew significantly, as many companies switched to remote operation. A common weakness here is the absence of an additional authentication factor when connecting to the service, as well as weak and reused user passwords. Attackers often gain access to the network through a VPN connection using a previously compromised password.
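
The weakness just described, shown as detection logic rather than policy. This is an added example, not from the Rostelecom-Solar study: a Python script that parses a constructed VPN gateway authentication log and flags one source failing against many accounts (password spraying), many failures against a single account (brute force), and a successful login from a source that had already been flagged, which is what a guessed or previously compromised password looks like in the log. The log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway log (assumed format): timestamp, result, user, source.
SAMPLE_LOG = """\
2021-03-02T08:00:01 AUTH_FAIL user=a.ivanov src=198.51.100.7
2021-03-02T08:00:02 AUTH_FAIL user=b.petrov src=198.51.100.7
2021-03-02T08:00:03 AUTH_FAIL user=c.sidorov src=198.51.100.7
2021-03-02T08:00:04 AUTH_FAIL user=d.smirnov src=198.51.100.7
2021-03-02T08:00:05 AUTH_FAIL user=e.kuznetsov src=198.51.100.7
2021-03-02T08:00:06 AUTH_OK user=e.kuznetsov src=198.51.100.7
2021-03-02T09:15:00 AUTH_FAIL user=admin src=203.0.113.42
2021-03-02T09:15:01 AUTH_FAIL user=admin src=203.0.113.42
2021-03-02T09:15:02 AUTH_FAIL user=admin src=203.0.113.42
2021-03-02T09:15:03 AUTH_FAIL user=admin src=203.0.113.42
2021-03-02T09:15:04 AUTH_FAIL user=admin src=203.0.113.42
2021-03-02T09:15:05 AUTH_FAIL user=admin src=203.0.113.42
2021-03-02T10:00:00 AUTH_FAIL user=f.orlov src=192.0.2.15
2021-03-02T10:00:30 AUTH_OK user=f.orlov src=192.0.2.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "AUTH_OK",
                           "user": m["user"], "src": m["src"]})
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=5):
    """Return alerts as (kind, src, detail) tuples.

    spray:                  one source fails against >= spray_users accounts in a window
    brute_force:            one source fails >= brute_fails times against one account in a window
    success_after_failures: a source that triggered either pattern then logged in
    Each source is flagged once; a later success from it is reported separately.
    """
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        flagged = False
        for i, e in enumerate(evs):
            if e["ok"]:
                if flagged:
                    alerts.append(("success_after_failures", src, e["user"]))
                continue
            if flagged:
                continue
            # failures inside the window that opens at this failure
            recent = [x for x in evs[i:] if not x["ok"] and x["ts"] - e["ts"] <= window]
            users = {x["user"] for x in recent}
            if len(users) >= spray_users:
                alerts.append(("spray", src, "%d accounts" % len(users)))
                flagged = True
                continue
            per_user = defaultdict(int)
            for x in recent:
                per_user[x["user"]] += 1
            user, n = max(per_user.items(), key=lambda kv: kv[1])
            if n >= brute_fails:
                alerts.append(("brute_force", src, "%s x%d" % (user, n)))
                flagged = True
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single failed attempt followed by a success from 192.0.2.15 produces no alert, which is the behaviour wanted for a user who mistyped a password once. The success from 198.51.100.7 after a spray across five accounts is the event worth paging on: with a second authentication factor in place that login would have failed even though the password was right.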

By 2025, cyber attacks capable of injuring and killing people at enterprises will become a reality

According to a forecast by the research company Gartner, by 2025 the technical capabilities of cybercriminals will allow them to carry out targeted attacks on enterprises with the specific aim of injuring and killing people. This became known on July 21, 2021. Analysts predict that attacks on weaponized operational technology (OT) and other cyber-physical systems that result in fatalities alone will cause more than $50 billion in damage worldwide by 2023.

According to the analysts, even setting aside the value of human life, companies' costs for litigation, compensation, insurance and regulatory fines will be significant, not to mention enormous reputational losses. Gartner predicts that most executives will be held personally liable for such incidents.

"Heads of security and risk management should be more concerned about real threats to people and the environment than about information theft," said Wam Voster, senior research director at Gartner. "A study of the experience of Gartner customers shows that companies in resource-intensive industries such as manufacturing, mining and utilities sometimes find it difficult to determine the appropriate controls for them."

In this context, Gartner defines attacks on the IT infrastructure of enterprises as malicious third-party attacks on the hardware and software systems that monitor or control the operation of industrial equipment. Against the background of digitalization and the introduction of automated processes in production, weaponized operational technology is also evolving, analysts say: from incidents that temporarily halt the technological process at a plant, to compromising the integrity of the industrial environment, to deliberately causing physical damage.

Gartner classifies security incidents in the operational technology (OT) environment into three main classes by motivation: to cause actual harm; commercial vandalism, which reduces output; and reputational vandalism, which makes the manufacturer appear unreliable and untrustworthy.

To improve safety at industrial sites and prevent cyber attacks that damage equipment or physically harm employees, Gartner has developed ten recommendations, set out in the report Reduce Risk to Human Life by Implementing this OT Security Control Framework.

Gartner recommends appointing an OT security manager for each industrial or manufacturing facility. The manager is responsible for assigning and documenting security-related roles and responsibilities for all employees, senior managers and any third parties who have access to the facility.

Every employee involved in operational technology must have the skills needed to perform his or her duties. Staff at each site should be trained to recognize and assess security risks and the most common attack vectors, and to take specific actions in the event of a security incident.

A dedicated OT security incident management process should be implemented at each facility. It must include four stages: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.

The enterprise IT infrastructure must have appropriate backup and disaster recovery mechanisms. To avoid the impact of physically destructive events such as fire, keep backup media separate from the backup system. Backup media must be protected from unauthorized access or misuse. To prevent fatal consequences from high-severity incidents, it must be possible to restore a backup onto a new system or virtual machine.

The company should implement a policy of mandatory scanning of all portable storage media, including USB storage devices and laptops, regardless of whether the device belongs to an employee or a third-party visitor, for example a representative of a subcontractor or equipment manufacturer.

Only verified media free of malicious code or unwanted software may be connected to the OT environment.

The security manager should maintain an up-to-date inventory of the hardware and software used in the OT environment.

OT networks must be physically or logically separated from any other network, both inside and outside the perimeter of the enterprise IT infrastructure. All network traffic between OT and the rest of the network must pass through a secure gateway, and sessions with OT systems must require multi-factor authentication at the gateway.

Appropriate policies and procedures must be implemented to automatically log and analyze potential and actual security events in the enterprise. They should clearly define the retention period for security logs, and the logs must be protected from unauthorized access or modification.

Secure configurations must be developed, standardized and deployed for all systems used in the OT environment, such as desktops, servers, network devices and field devices. Endpoint security software, such as antivirus, must be installed on all supported components of the OT environment.

A formal process for validating and installing patches must be in place before the OT environment is deployed. Once validated by the equipment manufacturers, patches can be deployed to the corresponding systems at a predetermined frequency[7].

Informzaschita investigated the hacking of the telephone network of a state-owned industrial enterprise

Informzaschita investigated the hacking by cybercriminals of the telephone network of a state-owned industrial company. Experts warn that IP telephony, which is deployed in almost every organization, is too exposed to attackers. Informzaschita announced this on May 27, 2021.

Companies have experienced downtime due to data loss despite up to 10 information protection solutions

On April 12, 2021, Acronis, a cyber protection vendor, released the results of its second annual Cyber Protection Week study, which revealed a dangerous imbalance between the need to protect data and the inefficiency of companies' investments in achieving this goal.

Although in 2020 companies bought new security systems for remote employees during the COVID-19 pandemic, these investments are not paying off. The global survey found that 80% of companies currently run up to 10 data protection and cybersecurity solutions at once, yet more than half of those organizations suffered unplanned downtime due to data loss last year.

The results of the annual Acronis survey, which polled 4,400 IT users and professionals in 22 countries across six continents, dispel the myth that simply adding more solutions solves cybersecurity and data protection problems. Investing in ever more solutions not only fails to provide more robust protection; in many cases, trying to manage protection across multiple solutions creates more complexity and less visibility for the IT team, which increases risk.

"The 2021 Cyber Protection Week study clearly shows that more solutions do not provide more robust protection, since using separate tools to address particular types of vulnerabilities is complex, inefficient and expensive," said Sergey Belousov, founder and CEO of Acronis. "These findings reinforce our belief that the smarter approach is cyber protection, which integrates data protection, cybersecurity and endpoint management into one."

The situation is complicated by the fact that users and IT professionals do not realize what IT and cybersecurity capabilities are available to them, which can lead to the loss of valuable time, money and security.

  • 68% of IT users and 20% of IT professionals could not tell whether their data had been changed without their knowledge, because their solution makes such tampering hard to detect.
  • 43% of IT users do not know whether their antivirus software stops zero-day threats, because their solution does not give easy access to this information. Easy access to such cybersecurity information is critical to ensuring data protection.
  • 10% of IT professionals do not know whether their organizations are subject to personal data protection regulations. If those responsible for the confidentiality of personal data do not know which requirements apply to them, they cannot implement strategies or evaluate the solutions needed to meet those requirements. This ignorance puts businesses at serious risk of heavy fines for potential breaches in 2021.

For those who use multiple solutions to perform their IT and cybersecurity tasks, the opacity of such information is only exacerbated. Not only should they remember which solution provides a specific data point, but they are constantly switching between consoles to find the right details, which leads to inefficiency.

The survey also found a strikingly weak approach to data protection among IT users.

  • 83% of IT users spent more time using their devices in 2020, but only half of them took additional measures to protect them.
  • 33% admit that they have not updated their devices for at least a week after receiving notification of the problem.
  • 90% of IT users reported running backups, but 73% permanently lost data at least once, suggesting they don't know how to perform backups or restores properly.

Individuals' efforts to protect their data do not guard against threats, likely because of false assumptions or reliance on automated solutions.

Malware detected in every government and industrial company

On March 10, 2021, Positive Technologies reported the results of a network activity monitoring analysis at 41 companies that ran pilot projects implementing PT Network Attack Discovery (PT NAD) and the PT Anti-APT suite for early detection of advanced threats, which includes PT NAD. During the analysis, suspicious network activity was identified in most companies, and malware was detected in every state and industrial organization.

According to the results of the pilot projects, suspicious network activity was detected in 90% of companies, for example traffic concealment, the launch of network scanning tools and attempts to start processes remotely. Experts note that NTA systems make it possible not only to detect suspicious connections in time, but also to go back through the host's network activity history and check whether there were other such attempts.

"The transition of companies to remote work also affected network activity: the share of connections to the external network using the RDP protocol has increased," said Olga Zinenko, senior analyst at Positive Technologies. "Such connections should be monitored carefully, because the number of attacks through remote access protocols tripled in 2020."

Violations of information security policies were found in every organization. One of the most frequently identified violations was the use of unencrypted data transfer protocols (64%). According to the experts, this means that important data is transmitted across the infrastructure in clear text, so anyone on the corporate network, including a potential attacker, can intercept the traffic and search it for confidential information such as logins and passwords.
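
What "clear text" means in practice, as an added example not taken from the Positive Technologies report: a Python sweep over constructed captured payloads that pulls credentials out of HTTP Basic authentication, an HTTP login form and an FTP login, and recovers nothing from a TLS record. The payloads, host names and credentials are constructed for this example; the point is that the same few lines serve an attacker on the network segment and an NTA rule that flags credentials in transit.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Constructed application-layer payloads with the protocol they were seen on.
CAPTURED = [
    {"proto": "http", "payload":
        "GET /admin/ HTTP/1.1\r\nHost: intranet.corp.example\r\n"
        "Authorization: Basic YWRtaW46UGFzc3cwcmQh\r\n\r\n"},
    {"proto": "ftp", "payload": "USER backup\r\nPASS Summer2020\r\n"},
    {"proto": "http", "payload":
        "POST /login HTTP/1.1\r\nHost: portal.corp.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "username=i.ivanov&password=qwerty123&remember=1"},
    # TLS record header followed by ciphertext: nothing readable
    {"proto": "tls", "payload": "\x16\x03\x01\x00\x5a\x01\x00\x00\x56..."},
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)
USER_FIELDS = ("username", "user", "login", "email")
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")


def extract_credentials(record):
    """Return (source, user, secret) triples recoverable from one payload."""
    found = []
    payload = record["payload"]
    if record["proto"] == "http":
        # RFC 7617 Basic: base64(user:password), i.e. no protection at all
        for m in BASIC_RE.finditer(payload):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                continue
            user, sep, secret = decoded.partition(":")
            if sep:
                found.append(("http-basic", user, secret))
        # form login: the password is a plain query-string field in the body
        head, _, body = payload.partition("\r\n\r\n")
        if "application/x-www-form-urlencoded" in head.lower() and body:
            form = parse_qs(body)
            user = next((form[k][0] for k in USER_FIELDS if k in form), None)
            for k in PASSWORD_FIELDS:
                if k in form:
                    found.append(("http-form", user, form[k][0]))
    elif record["proto"] == "ftp":
        # FTP sends USER and PASS as plain commands on the control channel
        user = re.search(r"^USER (\S+)\r?$", payload, re.M)
        pw = re.search(r"^PASS (\S+)\r?$", payload, re.M)
        if user and pw:
            found.append(("ftp", user.group(1), pw.group(1)))
    return found


def sweep(records):
    """Run the extraction over a whole capture."""
    return [cred for r in records for cred in extract_credentials(r)]


if __name__ == "__main__":
    for source, user, secret in sweep(CAPTURED):
        print("%-11s user=%-10s secret=%s" % (source, user, secret))
```

Run as a detection, the sweep should report that credentials crossed the wire without printing the secret itself; the fix in every case is the same, moving the service behind TLS (HTTPS, FTPS or SFTP) or retiring it.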

During the 2020 pilot projects on monitoring network activity and identifying advanced threats, experts encountered the activity of 36 malware families. Among them they name the WannaCry ransomware and the RTM, Ursnif and Dridex banking trojans. Malware activity was detected in 68% of the analyzed companies, and in every state and industrial organization studied. Every third company saw attempts to exploit software vulnerabilities.

"It may happen that at the time of an attack there were no detection rules or indicators of compromise for it, and they became available only later. Therefore, it is necessary to check traffic not only in real time but also to conduct a retrospective analysis that takes the newly available information into account," comments Natalia Kazankova, product marketing manager at Positive Technologies. "Storing copies of traffic and re-analyzing it with the NTA system allows a detailed investigation and detection of the attacker's actions, even for events that occurred earlier."
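
The retrospective analysis Kazankova describes, as an added example that is not PT NAD's own code: a Python routine that replays an indicator feed received weeks later over stored connection metadata, so that a command-and-control domain or address which had no detection rule at the time of the connection is still matched, and each hit is labelled with whether it could have been caught in real time. The connection records, the indicator feed, the malware family label and all addresses are constructed for this example.

```python
import ipaddress
from datetime import datetime

# Constructed connection metadata of the kind an NTA system keeps for stored
# traffic: time, internal host, destination, port and TLS server name (SNI).
STORED_CONNECTIONS = [
    {"ts": "2020-11-03T14:02:11", "src": "10.1.5.23", "dst": "203.0.113.55",
     "dport": 443, "sni": "update-cdn.example"},
    {"ts": "2020-11-03T14:02:15", "src": "10.1.5.23", "dst": "198.51.100.200",
     "dport": 443, "sni": "c2-panel.example"},
    {"ts": "2020-11-04T09:30:00", "src": "10.1.7.118", "dst": "198.51.100.201",
     "dport": 8443, "sni": None},
    {"ts": "2020-11-05T17:45:59", "src": "10.1.9.4", "dst": "192.0.2.30",
     "dport": 80, "sni": "intranet.corp.example"},
    {"ts": "2020-11-20T11:00:00", "src": "10.1.5.23", "dst": "198.51.100.200",
     "dport": 443, "sni": "c2-panel.example"},
]

# Constructed indicator feed that arrived weeks after the connections above.
# The publication date lets each hit say whether a real-time rule could have
# existed when the connection happened.
IOC_FEED = [
    {"type": "domain", "value": "c2-panel.example", "published": "2020-11-18", "family": "RTM"},
    {"type": "ipv4", "value": "198.51.100.201", "published": "2020-11-18", "family": "RTM"},
    {"type": "cidr", "value": "198.51.100.0/24", "published": "2020-11-25", "family": "RTM"},
]


def compile_feed(feed):
    """Index the feed for exact domain, exact address and network-range lookups."""
    domains, addresses, networks = {}, {}, []
    for ioc in feed:
        if ioc["type"] == "domain":
            domains[ioc["value"].lower()] = ioc
        elif ioc["type"] == "ipv4":
            addresses[ioc["value"]] = ioc
        elif ioc["type"] == "cidr":
            networks.append((ipaddress.ip_network(ioc["value"]), ioc))
    return domains, addresses, networks


def retro_match(connections, feed):
    """One hit per (connection, indicator) pair.

    'retro' is True when the indicator was published only after the connection,
    i.e. the hit could not have been produced by real-time detection.
    """
    domains, addresses, networks = compile_feed(feed)
    hits = []
    for conn in connections:
        matched = []
        if conn["sni"] and conn["sni"].lower() in domains:
            matched.append(domains[conn["sni"].lower()])
        if conn["dst"] in addresses:
            matched.append(addresses[conn["dst"]])
        dst = ipaddress.ip_address(conn["dst"])
        matched.extend(ioc for net, ioc in networks if dst in net)
        conn_time = datetime.fromisoformat(conn["ts"])
        for ioc in matched:
            published = datetime.fromisoformat(ioc["published"])
            hits.append({"ts": conn["ts"], "host": conn["src"], "dst": conn["dst"],
                         "indicator": ioc["value"], "family": ioc["family"],
                         "retro": conn_time < published})
    return hits


def summarize(hits):
    """Per internal host: earliest matching connection, hit count and families seen."""
    per_host = {}
    for h in hits:
        s = per_host.setdefault(h["host"], {"first_seen": h["ts"], "hits": 0, "families": set()})
        s["hits"] += 1
        s["families"].add(h["family"])
        if h["ts"] < s["first_seen"]:
            s["first_seen"] = h["ts"]
    return per_host


if __name__ == "__main__":
    found = retro_match(STORED_CONNECTIONS, IOC_FEED)
    for h in found:
        print("%s %s -> %s matched %s (%s)%s" % (
            h["ts"], h["host"], h["dst"], h["indicator"], h["family"],
            "  [not detectable in real time]" if h["retro"] else ""))
    for host, s in summarize(found).items():
        print(host, s)
```

The value of the stored data is the earliest timestamp per host: it tells the investigation how long 10.1.5.23 had been talking to the panel before the indicator existed. Metadata alone suffices for address and domain indicators; matching new payload signatures against old traffic additionally requires the stored packet copies the quote refers to.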

BYOD concept transformed into BYEH

On February 26, 2021, McAfee discussed cybersecurity in remote work and the new Bring Your Enterprise Home concept.

For more than 20 years, the attention of cybersecurity specialists has been focused on enterprises, not on building an integrated security system, and certainly not on integrated protection of home networks. And while smart home devices are gaining popularity and recognition, the industry's top priority is still corporate security.

For example, the NIST Cybersecurity Framework, one of the main American security frameworks, is addressed to enterprises, not individuals. At the same time, the number of devices and connections in many homes now far exceeds what was typical for a small business 20 years ago. Home IT systems are developing along the same lines as small business systems and therefore need additional attention and protection.

The COVID-19 pandemic overnight changed the usual way of life of organizations and caused the forced transfer of employees from centralized working environments to highly distributed infrastructures to work from home. The sudden transition to an unprotected and uncontrolled "remote" (including IT, IoT, mobile, cloud and other environments) has significantly complicated enterprise cybersecurity and at the same time seriously expanded the surface of digital attacks. Since many employees have to use personal devices to solve work problems, organizations need to implement policies that will improve management and control over them. The concept of BYOD (Bring Your Own Device) has transformed into BYEH - Bring Your Enterprise Home. To adapt to this change, new safety standards and procedures are needed.

Although companies and enterprises already had policies, processes and controls, hardware and software to protect a distributed corporate ecosystem, these were designed for the enterprise environment, and a modern private home is not the most "hospitable" environment for deploying such protections.

For example, a house may have smart locks and sockets, several smart TVs and streaming devices, a security system, digital assistants, wireless lights, speakers, cameras, thermostats and other connected devices, not counting computers, laptops, tablets and smartphones. IoT devices, whose number is constantly growing, turn ordinary houses into smart ones. But owners do not always know how to protect this equipment from cybercriminals effectively. In addition, many of these products do not support integration or communication with other systems, which reduces the ability to detect security weaknesses.

A hacker can enter a house without crossing its threshold and steal the most valuable things: a bank account, access credentials and peace of mind (for example, by turning on the lights at 3 in the morning or blasting music from smart speakers at full volume). This is a serious problem for individuals, companies and the state alike: for them, remote work is what allows work to continue despite the COVID-19 pandemic.

Count all the devices (smart and ordinary) in an apartment and multiply by the number of federal government employees to get an idea of the scale of the threat created by the transfer of staff to remote work, and then add government contractors, whose systems are usually less secure than those of full-time employees. And it is not only the government that is at risk: the threat is national in scale, so companies and organizations need to ensure reliable protection of employees' remote access to corporate resources.

At the same time, cybersecurity is only one of the areas to pay attention to. For example, in the event of a hardware failure, service providers primarily provide support to corporate customers. If the company reported the malfunction, it will be fixed in a couple of hours. Consumers can wait several days for a solution to the problem.

"Remote" turned apartments into home offices, virtual classrooms, doctor's offices and shops, and each connected personal device into a potential source of danger for employers.

While adaptation to realities is underway, it is very important to rethink the safety of houses and apartments and develop standards for their protection.

Organizations remain insufficiently equipped with data leak protection systems

In Russia, businesses are increasingly equipped with information security tools, but the situation is improving only with respect to protection against hacker attacks. This conclusion follows from the data of a SearchInform study published by the company on February 17, 2021.

According to the survey, over four years (since 2017) the availability of administrative controls increased by 31%, antivirus programs by 15% and SIEM systems by 7%. The dynamics for data leak protection software are worse: DLP systems are in place at 31% of companies, only 3% more than in 2017. At the same time, the number of information leaks also barely changes from year to year, with the share of affected companies staying at around 60% annually. The vast majority of data losses are due to insider breaches or errors.

Thus, Russian organizations remain insufficiently equipped with information security tools. This is especially true in the public sector, where the basic leak protection software (DLP systems), judging by the survey, is present in 20% of organizations, 11% lower than in the private sector. At the same time, DLP has become a familiar tool in a number of industries: credit and finance, IT, energy, industry and retail. In companies where DLP is deployed, 72% of internal incidents are detected with this software, and only 6% of leaks are discovered not by the information security department but by someone outside the company, half as many as in other organizations.

Database and file storage audit tools (DCAP and DAM systems for protecting so-called "data at rest") are still little known on the Russian market and are used by no more than 1-2% of organizations.

Image: Protection tools in use (chart)
"One of the reasons for the lack of equipment is that companies have to solve protection issues on a limited budget. Moreover, in 2020 twice as many companies reported that it had shrunk, and this trend has continued for the third year in a row. But security software is becoming part of the basic package of IT solutions for business, so companies will more often turn to more budget-friendly options to provide protection. We predict that the service (MSSP) model will become widespread in the next year or two, and the dynamics will accelerate. Companies will more often rent software and choose cloud solutions and outsourced DLP. This is a good temporary solution in an environment where organizations cannot allocate budgets all at once. It is also relevant in the context of a shortage of personnel," comments Alexey Parfentiev, head of analytics at SearchInform.

The figures of the study also show how trending technologies are taking root in information security.

"In 2020, most companies had no time for introducing new tools, but organizations are showing interest in them. Companies see the technology as an opportunity to reduce security costs: to automate control and reduce labor input. But the main thing is that the request of companies is fundamentally changing: it is too late to identify an incident after it has been committed, it is necessary to prevent and predict it. Behavioral technologies make this possible," says Alexey Parfentiev.

The SearchInform study is a regular report on the information security situation in companies in Russia and the CIS. The study involved 833 people: heads and employees of information security departments, industry experts and heads of organizations from the commercial (71.5%), state (26.5%) and non-commercial (2%) sectors. The study covered IT, the oil and gas sector, industry and transport, credit and finance, retail, healthcare and other industries. Respondents were surveyed in September-November 2020, offline in the regions of Russia and online in the CIS countries.

58% of Russian Data Science specialists used additional data protection measures

In December 2020 - January 2021, DIS Group surveyed data specialists from large and medium-sized Russian companies. More than half of the respondents said that in 2020 their organizations were forced to introduce additional measures to protect corporate data. DIS Group announced this on February 5, 2021.

"The need for additional measures could have arisen due to the transition of many employees to remote work, as well as due to increased fraudster activity," said Pavel Likhnitsky, CEO of DIS Group.

Data protection is increasingly becoming a key priority for most organizations. In the summer of 2020, the consulting company IDC, commissioned by Informatica Corporation, conducted a large-scale study of data management practices in organizations around the world. More than 1,200 chief data officers and their staff took part. 65% of those surveyed said they considered data protection one of the chief data officer's top KPIs.

However, few people still manage to build information protection in their company. 40% of IDC respondents said that their organizations do not monitor risk indicators related to corporate data, 53% do not use tools to protect data and manage confidential information, 80% admitted that four or fewer employees are responsible for data protection.

Earlier, according to the results of the previous two quarters of 2020, DIS Group noted an increase in interest in solutions for data protection - data masking and creating test environments - by 20%.

During the pandemic, the importance of protecting confidential information in companies has grown

The Cisco 2021 Data Privacy Benchmark Study, a report on corporate privacy practices, showed that during the pandemic both the importance of privacy and the benefits to companies that implement enhanced privacy measures have grown. The anonymous, independent report analyzed the responses of 4,400 security and privacy professionals from 25 countries, including Russia. In particular, it examined attitudes toward privacy legislation and the appearance of privacy metrics in reports to senior management, Cisco Systems said on February 3, 2021.

Against the background of the destabilization and uncertainty caused by the pandemic, people found that they were expected, and sometimes required, to provide personal information to combat the spread of COVID-19. At the same time, most of daily life moved online, a shift that under normal circumstances would have taken more than a year. Such large-scale changes, affecting how people communicate and how deeply they are immersed in the digital environment, raised many privacy questions for organizations that want to comply with the law and help stop the pandemic while respecting individual rights. Concern among consumers and the public about how their personal data is used is growing.

The main conclusions of the report:

  • Privacy has ceased to be simply a matter of compliance with the requirements of the regulator: business considers it as one of the basic rules, compliance with which top managers should give priority.
  • 60% of organizations said they were not prepared for the privacy and data protection requirements involved in the transition to remote work.
  • 93% of organizations turned to their own data protection specialists to solve these problems.
  • 87% of consumers expressed concern about the level of data security in the tools necessary for remote work, interaction and connection.
  • 90% of organizations now report to top managers and boards of directors on data protection indicators.
  • There is a clear transition of privacy to the category of standard mandatory requirements when discussing issues of digitalization and achieving business goals.
  • More than 140 countries have already passed comprehensive privacy legislation; almost 80% of respondents believe that these laws have a positive impact.
  • Most agree to provide information about their health to protect the workplace and combat the pandemic, but at the same time they are distrustful of the use of this data for other purposes, for example, for research.
  • 57% support the use of personal data by employers to improve the safety of workplaces, while less than half of those surveyed agree with locating, tracing contacts, disclosing information about infected people and using personal data for research purposes.
  • The ecosystem of privacy protection in particular and cybersecurity in general will play a key role in the growth of the economy and its recovery from the COVID-19 pandemic.
  • With the restoration of economic and social life, many important issues will arise related to how states, businesses and individuals maintain a balance of human rights and public interests in the process of collecting, processing and protecting personal data.
  • Investments in personal data protection remain attractive: 75% of organizations believe they pay off in terms of reducing security losses, increasing agility, innovation and operational efficiency, and strengthening customer loyalty and trust.
  • More than a third of organizations see returns of at least double their investment.

"Privacy has come of age: it is recognized as one of the basic human rights and has become a critical priority for senior management," said Harvey Jang, vice president and chief data protection officer at Cisco. "Now, against the backdrop of the growing trend to work from anywhere in the world, privacy is increasingly important for digitalization, corporate resilience, agility and innovation."

Data for Russia:

  • According to the results of the 2021 Data Privacy Benchmark Study, in relation to the number of remote employees, Russian organizations were distributed as follows:
    • in 24% of companies, the share of remote employees is 76-100%;
    • in 31% of enterprises 51-75% of specialists work from home;
    • in 27% of organizations, 26-50% of employees use a remote interaction format;
    • in 18% of companies between 1 and 25% of employees perform their duties remotely.

  • An analysis of the responses of information security specialists from Russia made it possible to conclude that the average cost of data protection in their organizations amounted to about $1.4 million.
  • According to the report, in 66% of Russian organizations, investments in data protection "contributed to innovation."
  • The advantages that their companies received due to the strengthening of data protection measures, Russian respondents estimated at $2.1 million per year.
  • Those interviewed from Russia said that the benefit of introducing data protection technologies is twice the investment.

2020

76% of companies recorded an increase in the number of cyber attacks aimed at remote employees

VMware on June 10, 2021 presented the fourth part of the Global Security Insights report, based on the results of an online survey of 3,542 Chief information officers, technical directors and directors of information security from around the world conducted in December 2020. The report focuses on the problem of cyber attacks and security vulnerabilities, as well as their impact on the work of organizations.

The rapid digital transformation leads to the fact that cybersecurity specialists have to face more and more threats: cybercriminals conduct targeted attacks using fundamentally new vulnerabilities. The transfer of employees to remote work demonstrated the vulnerability of outdated technologies and security policies - almost 80% of business representatives surveyed said that their company was the target of a cyber attack.

File:Aquote1.png
"The massive implementation of cloud technologies has given organization leaders the opportunity to reconsider their approach to cybersecurity," said Rick McElroy, head of cybersecurity strategy at VMware. "Organizations need a solution that allows them to move from endpoint protection to workload control, increasing data security and application security. We continue to implement information security tools designed specifically for the cloud environment and are working to create solutions to quickly identify and prevent hacking attempts."
File:Aquote2.png

According to the respondents, the problem is not given due attention, despite the rapid increase in the number of hacks with serious consequences. Over the past twelve months, 81% of respondents have suffered from cyber attacks, with 4 out of 5 cases (82%) causing significant damage. Yet just 56% said they feared cyber attack damage would rise next year, and just over a third (41%) updated security policies to reduce risks.

The emergence of new ransomware and remote work create a favorable environment for attackers. 76% of respondents said that the volume of attacks has increased, with the majority citing employees working from home as the reason for this, and 79% said that attacks have become more sophisticated. In 2020, cloud attacks were the most common type of attack, while the main reasons for the hack were third-party applications (14%) and ransomware (14%).

The survey showed that cloud security strategies have found application in all industries. 98% of respondents are already using or planning to use a cloud security strategy. However, the move to the cloud has led to an increase in the number of potential threats. Almost two-thirds of respondents (61%) agree that with the expansion of opportunities for attackers, it is necessary to take a different look at the security problem.

Application security is a major concern for information security directors. Applications are considered the most vulnerable points in the data transfer path. 60% of those surveyed shared that their company's top management is increasingly skeptical about using new applications due to growing threats and damage from cyber attacks.

The next stage in business innovation could be the use of artificial intelligence. However, more than half of the respondents (56%) say that security problems keep them from introducing artificial intelligence and machine learning.

The Global Security Insights report also provides information on the structure of the cybersecurity system, trends in cyber attacks and protection against them, as well as current security priorities. The survey was conducted by independent research organization Opinion Matters in December 2020.

Every fifth Russian company registered information security incidents related to access rights

The national provider of services and technologies of cybersecurity "Rostelecom-Solar" on May 17, 2021 announced the results of a study of access control problems in Russian companies. After interviewing over 200 organizations, experts found that 20% of companies in 2020 registered information security incidents related to access rights. 46% of them indicated average and high criticality of the identified incidents.

File:Aquote1.png
Unauthorized access often has the most serious consequences for companies. These are fraudulent actions with customer data, damage to the company's infrastructure, and financial and reputational damage. Everyone has heard of cases in which, as a result of illegal access to client databases stored in banks, fraudsters withdraw funds from accounts. Incidents of interference by special services in the work of critical facilities of other countries with the help of compromised access are also known,
notes Dmitry Bondar, director of the Solar inRights Access Control Competence Center of Rostelecom-Solar.
File:Aquote2.png

At the same time, not a single respondent noted the presence of complete automation of access rights management in the company. This means that each Russian company has the practice of providing them manually, which often leads to errors - the accumulation of excessive access rights among employees, late blocking of access upon dismissal, and more. The consequence of this is information security incidents, financial and reputational damage to the organization.
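The two failure modes named above (excessive rights accumulating over time, and accounts that stay enabled after dismissal) are exactly what a periodic access review is meant to catch. The following script is an added example, not part of the article or of Rostelecom-Solar's Solar inRights product: it compares a constructed IT account snapshot against a constructed HR roster and a hypothetical role baseline, and reports orphan accounts, accounts of departed employees that are still enabled, and entitlements beyond the role baseline.

```python
"""Access review: reconcile account entitlements against the HR roster.

Added example, not the article's or any vendor's code. The HR roster, the
account snapshot and the role baselines below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical role baseline: the entitlements each role is expected to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accountant": {"erp.ledger.read", "erp.ledger.write"},
    "developer": {"git.read", "git.write", "ci.trigger"},
    "support": {"crm.read"},
}


@dataclass
class Employee:
    """One HR record: login, role and (if the person left) the termination date."""
    login: str
    role: str
    terminated: Optional[date] = None


@dataclass
class Account:
    """One IT account: whether it is enabled and which entitlements it carries."""
    login: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


# Constructed HR roster.
HR_ROSTER: List[Employee] = [
    Employee("ivanov", "accountant"),
    Employee("petrova", "developer"),
    Employee("sidorov", "support", terminated=date(2020, 11, 30)),
    Employee("kuznetsov", "developer", terminated=date(2020, 10, 1)),
]

# Constructed account snapshot exported from the directory / target systems.
ACCOUNTS: List[Account] = [
    Account("ivanov", True, {"erp.ledger.read", "erp.ledger.write", "git.write"}),  # git.write is outside the role
    Account("petrova", True, {"git.read", "git.write", "ci.trigger"}),
    Account("sidorov", True, {"crm.read"}),          # left the company, still enabled
    Account("kuznetsov", False, {"git.read"}),       # left the company, correctly disabled
    Account("svc_old", True, {"erp.ledger.write"}),  # no HR record at all: orphan
]

# Review date for the constructed data.
AS_OF = date(2021, 1, 15)


def review_access(roster: List[Employee], accounts: List[Account], as_of: date) -> Dict[str, list]:
    """Return findings grouped into three categories.

    terminated_still_enabled: enabled accounts whose owner left before `as_of`.
    excessive: (login, extra entitlements) beyond the owner's role baseline.
    orphan: accounts with no matching HR record.
    """
    by_login = {e.login: e for e in roster}
    findings: Dict[str, list] = {"terminated_still_enabled": [], "excessive": [], "orphan": []}
    for acct in accounts:
        emp = by_login.get(acct.login)
        if emp is None:
            findings["orphan"].append(acct.login)
            continue
        if acct.enabled and emp.terminated is not None and emp.terminated < as_of:
            findings["terminated_still_enabled"].append(acct.login)
        extra = acct.entitlements - ROLE_BASELINE.get(emp.role, set())
        if extra:
            findings["excessive"].append((acct.login, sorted(extra)))
    return findings


def run_review() -> Dict[str, list]:
    """Run the review over the constructed data."""
    return review_access(HR_ROSTER, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items}")
```

In a real deployment the roster and snapshot would come from the HR system and the directory export; the value of the check is that it runs on a schedule rather than relying on someone remembering to revoke access at dismissal.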

At the same time, as you can see from the results of the study, companies are sufficiently aware of the severity of the problem. Thus, 56% of respondents expressed complete dissatisfaction or average satisfaction with the existing access control system in the company. Representatives of private companies are more dissatisfied with the solutions and approaches used - 58% compared to 52% in government organizations.

Among the main reasons for low satisfaction with the existing access control system, companies identified the lack of access control tools to ensure information protection (66% of those dissatisfied with the current access control system indicated) and a high burden on the company's IT staff (40% of those dissatisfied noted).

File:Aquote1.png
Indeed, partial automation closes some of the tasks associated with replacing manual labor in access control processes, but does not solve all the problems for a large company with a heterogeneous IT architecture. To implement full access control, a centralized mechanism is needed that will unite all disparate processes, different IT systems and the geographically distributed structure of the company into a single whole, and will allow introducing common policies and procedures to control the entire IT landscape of the company, said Dmitry Bondar, director of the Solar inRights Access Management Competence Center at Rostelecom-Solar.
File:Aquote2.png

At the same time, more than 40% of companies that took part in the study are ready to automate their access control processes: such readiness is more often expressed by metropolitan companies - 51% of respondents - compared to 41% in the regions. Among the main obstacles to such automation, respondents identified the lack of budgets for solving access control problems and the high cost of solutions of this class.

Rostelecom-Solar noted that respondents from state-owned companies express their readiness to automate access control processes more actively: 47% of respondents vs. 43% in the commercial sector. According to Rostelecom-Solar experts, this is explained by a lower degree of automation of access control processes in the Russian public sector compared to commercial companies as of May 2021.

61% of Russian companies do not have a comprehensive cybersecurity strategy

On May 14, 2021, Microsoft presented the results of a study conducted by the analytical company IDC in six countries of Central and Eastern Europe. The study showed that business is not ready to fully respond to challenges in the field of information security: more than half of companies (58%) do not have a comprehensive cybersecurity strategy.

The study was conducted from September to November 2020 in Hungary, Greece, Poland, Russia, Romania and the Czech Republic, and was attended by security specialists, as well as IT specialists and business leaders from different industries. The companies answered questions about the events of 2020 and about plans for two years in advance. The study involved 1,500 people, of which 400 were from Russia, of which 48% were representatives of small and medium-sized businesses.

The year of the pandemic revealed numerous cybersecurity problems, as companies were forced to urgently adapt to the "norm" of remote and hybrid work, this entailed an increase in the number of vulnerabilities and risks.

79% of respondents in six countries cited secure remote access to corporate networks as their main area of focus. Previously, first place was occupied by endpoint protection (69%). In Russia, these indicators were 79% and 61%.

The study showed that the importance of cybersecurity has increased: 9 out of 10 companies plan to maintain or increase the security budget in the next two years. 60% of Russian companies will maintain the previous budget for information security, and only less than a third (28%) will increase information security costs in the next two years. This is below the average number of companies planning to increase the budget in Central and Eastern Europe (36%).

Only 42% of companies in Central and Eastern Europe developed a comprehensive security strategy, with a large majority of respondents (86%) saying they were satisfied with their organization's cybersecurity level. That could mean some companies have a false sense of security. It is vital that the approach to cybersecurity is dynamic, enabling protection against attacks that become more sophisticated every day.

In Russia, the number of companies that have developed an information security strategy is below the average for Central and Eastern European countries (39% versus 42%). Greece became the leader in these indicators, where 63% of companies have already developed a comprehensive cybersecurity strategy and 66% intend to increase the budget for information security.

One of the factors affecting the level of information security is cloud solutions: 54% of respondents said they plan to switch to cloud technologies within two years. In Russia, this figure is even higher: 66% of respondents plan to use the cloud in two years.

This is a positive trend for companies seeking to maintain the flexibility of their approach, since cloud solutions are usually more secure and allow faster updates of information security systems.

File:Aquote1.png
With the help of machine learning, we can automatically analyze patterns in the field of information security. This allows organizations to identify the fact of intruders' penetration, how they move in the system, and even what end goal they pursue. All this is monitored in real time. Only cloud solutions can provide such analysis; they help companies stay safe,
said Andrey Savchuk, Head of Corporate Security, Compliance and Identification for Microsoft in Central and Eastern Europe.
File:Aquote2.png

The survey revealed the main directions of development of companies in the field of information security for the next two years. We can note the growing importance of continuous training of both employees and IT specialists in the field of information security. In 2020, the majority of organizations (54%) conducted training on information security only on an ad hoc basis. It seems that the situation will change, as companies see advanced training as the main driver of higher information security.

68% of companies in Central and Eastern Europe plan to organize training for employees on the principles of cyber hygiene within two years, while 56% will pay attention to improving the level of technical specialists. In Russia, comparable indicators: 68% plan to increase cybersecurity knowledge for employees, and 48% plan to develop a security strategy or improve the existing strategy.

The past 12 months have brought significant changes to all areas of the working life and stimulated many organizations to accelerate digital transformation. The study's findings highlight the need for a proactive approach to cybersecurity to align with this evolution.

File:Aquote1.png
The business must use the Zero Trust model, in which every user requesting any access must pass strict authentication, authorization subject to policy restrictions, and an anomaly check - only then can access be granted. To prevent intrusions, you check everything from user identities to the application hosting environment.
noted Andrey Savchuk, Head of Corporate Security, Compliance, and Identity for Microsoft in Central and Eastern Europe.
File:Aquote2.png
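The three-step model in the quotation (strict authentication, policy-based authorization, then an anomaly check, and only then a grant) can be written down as a small decision pipeline. The code below is an added example and is not Microsoft's implementation; the access requests, the resource policy table and the "unfamiliar country" anomaly heuristic are all constructed for illustration.

```python
"""Zero Trust access decision as a three-stage pipeline.

Added example illustrating the authenticate -> authorize -> anomaly-check model;
not Microsoft's code. Policy and sample requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    mfa_verified: bool          # did the identity provider complete strong authentication?
    device_compliant: bool      # does device management report the endpoint as compliant?
    resource: str
    source_country: str
    recent_countries: List[str] = field(default_factory=list)  # from the user's session history


@dataclass
class Decision:
    allowed: bool
    stage: str                  # pipeline stage that produced the decision
    reasons: List[str] = field(default_factory=list)


# Hypothetical per-resource policy: permitted roles and whether a compliant device is required.
POLICY: Dict[str, dict] = {
    "hr-db": {"roles": {"hr", "admin"}, "require_compliant_device": True},
    "wiki": {"roles": {"staff", "hr", "admin"}, "require_compliant_device": False},
}


def authenticate(req: AccessRequest) -> List[str]:
    """Stage 1: every request must carry a verified strong authentication."""
    return [] if req.mfa_verified else ["MFA not completed"]


def authorize(req: AccessRequest) -> List[str]:
    """Stage 2: policy check. Unknown resources are denied by default."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return [f"no policy for {req.resource}: default deny"]
    reasons: List[str] = []
    if not (req.roles & rule["roles"]):
        reasons.append(f"roles {sorted(req.roles)} not permitted for {req.resource}")
    if rule["require_compliant_device"] and not req.device_compliant:
        reasons.append("device not compliant")
    return reasons


def anomaly_check(req: AccessRequest) -> List[str]:
    """Stage 3: constructed heuristic; a sign-in from a country never seen before is anomalous."""
    if req.recent_countries and req.source_country not in req.recent_countries:
        return [f"sign-in from unfamiliar country {req.source_country}"]
    return []


PIPELINE: List[Tuple[str, Callable[[AccessRequest], List[str]]]] = [
    ("authentication", authenticate),
    ("authorization", authorize),
    ("anomaly", anomaly_check),
]


def decide(req: AccessRequest) -> Decision:
    """Run the stages in order; the first stage that objects denies the request."""
    for stage, check in PIPELINE:
        reasons = check(req)
        if reasons:
            return Decision(False, stage, reasons)
    return Decision(True, "granted")


# Constructed sample requests covering each way the pipeline can stop.
SAMPLES: Dict[str, AccessRequest] = {
    "ok": AccessRequest("alice", {"hr"}, True, True, "hr-db", "RU", ["RU"]),
    "no_mfa": AccessRequest("alice", {"hr"}, False, True, "hr-db", "RU", ["RU"]),
    "wrong_role": AccessRequest("bob", {"staff"}, True, True, "hr-db", "RU", ["RU"]),
    "bad_device": AccessRequest("alice", {"hr"}, True, False, "hr-db", "RU", ["RU"]),
    "new_country": AccessRequest("alice", {"hr"}, True, True, "hr-db", "BR", ["RU"]),
    "unknown_resource": AccessRequest("alice", {"admin"}, True, True, "payroll", "RU", ["RU"]),
}


def run_samples() -> Dict[str, str]:
    """Map each sample name to the stage at which its decision was made."""
    return {name: decide(req).stage for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        d = decide(req)
        print(f"{name:17s} allowed={d.allowed} stage={d.stage} {d.reasons}")
```

Two design points worth noting: a resource with no policy entry is denied rather than allowed, and the anomaly stage runs even when authentication and authorization pass, so a stolen but valid credential on a compliant device still has to survive the behavioural check.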

Executives in Europe expect only 5% of employees to return to office work on a permanent basis. To reduce the risk associated with keeping remote employees safe, company executives must support their workers: both by raising the level of cyber hygiene and by providing tools that reduce risk while allowing employees to remain productive.

Incidents at industrial plants increased by 91%

On April 28, 2021, Positive Technologies announced that its experts analyzed the cyber threats of 2020 and found that compared to 2019, the number of incidents at industrial enterprises increased by 91%, and the number of attacks using malware increased by 54%. In first place in the number of attacks using ransomware were medical institutions.

As the study showed, the total number of cyber incidents in 2020 increased by 51% compared to 2019. Seven out of ten attacks were targeted. Most of the attackers were interested in government agencies (19%), industrial companies (12%) and medical organizations (9%).

Compared to 2019, in 2020 the number of attacks on industrial companies almost doubled: the increase was 91%. This industry was mainly attacked by ransomware operators, in particular RansomExx, NetWalker, Clop, Maze, Ragnar Locker, LockBit and DoppelPaymer, as well as Snake, which removes shadow copies before starting encryption and has functions to forcibly stop industrial control system (ICS) processes. Many APT groups also target industry. In CIS countries, attacks by the RTM group remain relevant: in 2020, PT Expert Security Center experts identified more than 100 phishing mailings of this group.
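The shadow-copy deletion attributed to Snake above is a pre-encryption step that shows up in process-creation telemetry before any file is encrypted, which makes it one of the few early detection points a defender gets. The script below is an added example, not Positive Technologies' code: it runs three signature rules for the well-known recovery-inhibiting commands over constructed log lines in the style of a CSV export of process-creation events, and reports which hosts need an immediate response.

```python
"""Detect shadow-copy deletion in process-creation logs.

Added example, not the article's or any vendor's code. SAMPLE_LOG is constructed
in the style of a CSV export of process-creation events (time, host, user,
parent image, image, command line); no real telemetry is included.
"""
import re
from typing import Dict, List, Optional

# Rules for the well-known commands that delete shadow copies or backup catalogs.
# The patterns tolerate the ".exe" suffix, mixed case and extra whitespace.
RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Constructed sample events: two benign administrative commands and two matches.
SAMPLE_LOG = r"""2020-06-08T10:14:02Z,WS-0412,CORP\ivanov,explorer.exe,C:\Windows\System32\notepad.exe,notepad.exe report.txt
2020-06-08T10:14:09Z,WS-0412,CORP\ivanov,cmd.exe,C:\Windows\System32\vssadmin.exe,vssadmin list shadows
2020-06-08T10:15:31Z,WS-0412,CORP\ivanov,cmd.exe,C:\Windows\System32\vssadmin.exe,vssadmin.exe Delete Shadows /All /Quiet
2020-06-08T10:15:33Z,WS-0412,CORP\ivanov,cmd.exe,C:\Windows\System32\wbem\WMIC.exe,wmic shadowcopy delete
2020-06-08T10:16:00Z,SRV-01,CORP\backup_svc,services.exe,C:\Windows\System32\wbadmin.exe,wbadmin get versions
"""

FIELDS = ["time", "host", "user", "parent", "image", "cmdline"]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one CSV event into named fields; the command line may itself contain commas."""
    parts = line.split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per event whose command line matches a rule."""
    alerts: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                alerts.append({
                    "time": event["time"],
                    "host": event["host"],
                    "user": event["user"],
                    "rule": name,
                    "cmdline": event["cmdline"],
                })
                break  # one alert per event is enough
    return alerts


def hosts_to_isolate(log_text: str) -> List[str]:
    """Hosts on which recovery inhibition was seen; candidates for immediate isolation."""
    return sorted({a["host"] for a in detect(log_text)})


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['time']} {alert['host']} {alert['user']}: {alert['rule']} <- {alert['cmdline']}")
    print("isolate:", hosts_to_isolate(SAMPLE_LOG))
```

The benign `vssadmin list shadows` and `wbadmin get versions` lines are there on purpose: matching on the binary name alone would page the on-call engineer for routine administration, so the rules key on the specific destructive verb.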

File:Aquote1.png
"The implementation of risks in industry entails global consequences, as in the case of an attack on the water supply and sewage infrastructure in Israel or in the case of a power outage due to a cyber attack in India," comments Dmitry Darensky, head of industrial cybersecurity practice at Positive Technologies. "Because of the attacks, some companies, such as Huber + Suhner and Honda, were forced to suspend production. It is difficult to predict the possibility of realizing the most dangerous risks and assess the scale of consequences at critical infrastructure facilities, since even the most experienced specialists cannot guarantee that all the provided protective mechanisms will work as needed. Penetration tests and audits with typical threat modeling are not enough to adequately assess current enterprise risks. Typical security analysis methods either cannot be used in the current infrastructure, or they are simply ineffective. The key aspect of security analysis is the verification of the most dangerous, unacceptable production and business risks. It is possible to simulate the course of a hacker attack without harming 'combat' systems using digital twins or on a cyber range, where in a safe environment there is an opportunity to get the most complete idea of whether it is realistic to carry out specific risks (e.g. oil storage overflows), to check whether the protection mechanisms will work, and whether the security team will have time to see the incident in time and prevent it from developing."
File:Aquote2.png

According to Positive Technologies data, the use of malware is still on trend. In 2020, the number of such attacks increased by 54% compared to 2019. Malware developers paid a lot of attention to methods of concealing destructive effects, improved delivery methods and switched to exploiting vulnerabilities on the network perimeter. Organizations mainly became victims of ransomware, while individuals were more often attacked using spyware and banking trojans.

The share of ransomware attacks among all malware attacks aimed at organizations is 45%. At the same time, medical institutions (17%) were in first place in terms of the number of attacks using ransomware. The second and third places went to state institutions (16%) and industrial enterprises (15%), respectively.

File:Aquote1.png
We see an increase in the trend for data theft before encryption, followed by a double ransom demand - for a decryptor and non-disclosure of stolen information, - said Positive Technologies analyst Yana Yurakova. - Throughout 2020, sites of ransomware operators appeared to post stolen information, for which its owners refused to pay. In case of refusal, ransomware operators not only blackmailed victims with the disclosure of stolen information, but also staged DDoS attacks. In addition, the attackers united in new groups and speculated on their involvement in more "powerful" ransomware operators.
File:Aquote2.png

97% of organizations in the world were attacked on mobile devices

On April 13, 2021, Check Point Software Technologies, a provider of cybersecurity solutions, published a report on mobile security. In the Mobile Security Report 2021, Check Point investigated the latest threats targeting enterprise mobile devices and provided an overview of major trends in mobile malware, device vulnerabilities and state-level cyber attacks. The report outlines how organizations can protect themselves from complex mobile threats and how these threats may develop in the near future.

The transition to mass remote work during the COVID-19 pandemic led to a sharp increase in the number of mobile attacks, as a result of which 97% of organizations faced threats from several directions at once. Experts predict that by 2024 the 60% of all office employees will become mobile, so protecting mobile devices should be a priority for organizations.

Absolutely all companies are at risk of mobile attacks: almost every organization faced at least one mobile malware attack in 2020. 93% of threats originated from the network side and were aimed at stealing credentials or data, or tried to convince users to install malware from infected websites or URLs.

Almost half of organizations in the world have been affected by malicious mobile applications: in 46% of companies, at least one employee downloaded a malicious application in 2020, thereby endangering the corporate data and the organization's network as a whole.

Four in ten mobile devices worldwide are vulnerable: the Check Point Achilles study found that at least 40% of mobile devices in the world contain chipset vulnerabilities that need urgent fixes. Growth in the number of mobile malware: in 2020, the activity of banking trojans capable of stealing the credentials of mobile banking users increased by 15%. Attackers often distribute mobile malware, including mobile remote access trojans (MRATs), banking trojans and premium-rate dialers, through applications allegedly related to COVID-19.

APT groups are attacking mobile devices: for example, in 2020, the Iranian group Rampant Kitten carried out elaborate multi-level targeted attacks to spy on users and steal sensitive data.

File:Aquote1.png
"2020 showed that the landscape of mobile threats continues to expand, and almost every organization faces attacks," comments Vasily Diaghilev, head of Check Point Software Technologies in Russia and the CIS. "We all work to one degree or another on mobile devices, and the line between personal and work is blurred. But this does not mean that the protection of personal mobile devices is exclusively in the hands of end users. Cybercriminals are beginning to actively exploit this trend and adapt their attack methods to it in order to access corporate data through endpoint, and often personal, mobile devices of users. Organizations should seriously think about their protection."
File:Aquote2.png

In 2020, Check Point first discovered an attack in which attackers used a mobile device management system (MDM) of a large international corporation. Through a solution that was originally intended to manage devices in the organization, hackers managed to spread malware to more than 75% of the company's mobile devices.

The Check Point 2021 Mobile Security Report is based on statistics from 1,800 organizations that use Check Point Harmony Mobile, a mobile threat protection solution, from Jan. 1 to Dec. 31, 2020. The report also analyzed data from Check Point ThreatCloud, a collaborative network for combating cybercrime that provides threat and attack trend data from a global network of threat sensors. The report also took into account data from investigations by Check Point Research (CPR) and research by external organizations over the past 12 months.

Pandemic and remote work made information protection tools relevant

Cisco has summed up the results of 2020 in the field of information security. This became known on March 5, 2021. The pandemic and remote work have made information protection more relevant than ever before. Organizations have had to protect and scale remote access tools at an accelerated pace amid increased cybersecurity risks.

File:Aquote1.png
"In 2020, there was a massive surge in threats, the reasons for which could be both the acceleration of digital transformation in all industries and the widespread transition to remote work," commented Alexey Lukatsky, Cisco security business consultant. "During the year, the number of cyber attacks grew, their complexity increased, and it became more and more difficult to resist them. Cisco regularly publishes studies in which it analyzes current threats and provides recommendations for countering them. Reports submitted at the end of 2020 contain comprehensive information about current risks, as well as recommendations for protecting against cyber attacks. Based on these studies, companies can safely implement digital transformation plans and build a reliable and secure IT infrastructure."
File:Aquote2.png

According to Cisco, these trends were most noticeable in 2020:

Trend 1: Strengthening healthcare protection

In 2020, health care became a critical area of information security against the background of the outbreak of the pandemic.

Legacy and outdated technologies have become a huge problem. Cisco's global cybersecurity report, the 2021 Security Outcomes Study, in which 4,800 information security, IT and privacy specialists from 25 countries took part, confirmed that effective interaction between IT and information security teams in the healthcare sector increased the ability of organizations to avoid serious incidents by an average of almost 16% and reduced unplanned and resource-intensive work by an average of 20%.

Trend 2: Remote Connection Protection

The transition to remote work in 2020 meant, firstly, that all employees should be able to work safely from home, and secondly, that they retain access to all the necessary corporate resources. Therefore, many have turned to Remote Desktop technology, which allows the user to remotely connect to a computer.

Any remote desktop solution in the event of a compromise gives the attacker access to the resources of the organization. Companies that use the RDP protocol must take additional protective measures to protect themselves and their employees.

Trend 3: Personal Information Security

Among the information security specialists who took part in the survey, more than a third said that data privacy is one of the main areas of responsibility, along with risk assessment and management and response to threats. Moreover, more than a third of organizations investing in the protection of personal data receive benefits that are at least twice the amount of invested funds.

With regard to the number of remote employees, Russian organizations were distributed as follows:

  • in 24% of companies, the share of remote employees is 76-100%;
  • in 31% of enterprises, 51-75% of specialists work from home;
  • in 27% of organizations, 26-50% of employees use a remote interaction format;
  • in 18% of companies, from 1 to 25% of employees perform their duties remotely.

The average annual cost of data protection in Russian organizations participating in the survey amounted to about $1.4 million.

The advantages that their companies received due to the strengthening of data protection measures, Russian respondents estimated at $2.1 million per year.

Trend 4: updating ransomware

In 2020, attacks on corporate networks through ransomware were distinguished by new tactics. For example, attackers began to embed countdown timers into ransomware, threatening to permanently destroy data or launch a Big Game Hunting attack.

Mailings with sales ads have become more frequent, in which criminals sell access to various networks to other attackers. In addition, they now use "double blackmail": before the launch of ransomware, large amounts of corporate data are stolen, and victims have to not only restore compromised networks, but also eliminate the threat of disclosure of intellectual property, commercial secrets and other confidential information.

Other methods that positively influence the achievement of desired results in the field of information security include accurate detection of threats, timely response to incidents and effective use of automation. Important factors in ensuring cybersecurity are also the observance of the principle of zero trust and a thorough inventory of assets, since it is impossible to truly secure what you do not suspect.

Trend 5: Password Hunting

According to the Verizon 2020 Data Breach Investigations Report, credential theft ranks second among the most common actions of attackers. This is very serious, because using legitimate passwords, attackers can access the entire network while remaining unnoticed.

Top 6 cybersecurity trends for 2021

On December 22, 2020, it became known that, according to HP Inc. experts' forecasts, in 2021 the negative impact of the COVID-19 pandemic on the security of companies' IT infrastructures will continue, which will shape a number of current trends.

Corporate security vulnerability will lead to an increase in insider threats

As explained, radical changes in workflow and other consequences of COVID-19 caused the weakening of the protection of IT infrastructure. Inefficient implementation of remote access, vulnerabilities in VPNs, and a lack of staff to solve these problems have left corporate data at risk of unauthorized access.

Home devices are also at increased risk: the increased number of remote employees has created conditions where attackers easily connect to corporate PCs through unsecured local networks, and users are unable to quickly contact IT specialists and prevent the threat of unauthorized intrusion.

When working remotely, employees blur the line between performing work and personal tasks on a corporate device, and harmless actions - such as reading personal emails - can have serious consequences. Companies will increasingly face the emotional burnout of employees, which can lead to an increase in mistakes.

The number of cyberattacks for extortion will continue to grow

Ransomware has become a favorite tool of cybercriminals, and this trend will continue in 2021. The increase in the number of ransomware families drives the development of an entire ecosystem of criminal tools. Malware delivered by email, such as Emotet, TrickBot and Dridex, often precedes the deployment of ransomware. Many criminal groups use aggressive tools to compromise domain controllers, which often turn out to be the most suitable points for deploying ransomware.

The increase in the number of two-stage ransomware campaigns, in which victim data is exfiltrated before encryption, will especially hit government agencies holding large amounts of personal data.

Innovations in phishing will lead to an increase in the number of "email thread hijacking" and "whaling" cyber attacks

In 2021, there will be more innovative phishing decoys designed to deceive users and make attacks harder to identify. The most innovative method of mass phishing observed as of December 2020 is the hijacking of email threads by the Emotet botnet. The botnet automatically creates decoy letters using data stolen from hacked email accounts. This data is then inserted into existing correspondence, which makes the decoys very convincing and pushes victims to open files containing malware.

The prospect of a continuing self-isolation regime encourages people to exchange a lot of personal information on the Internet, which can become a weapon in the hands of cybercriminals. "Whaling", a type of phishing aimed at senior executives, will become even more dangerous, as cybercriminals will be able to use personal information found or stolen on the Internet to create convincing decoys sent to corporate mail addresses. At the same time, hackers will actively exploit the hot topics of 2020 in order to push people to open malicious emails. This could be information about COVID vaccines, warnings about financial problems or political instability.

Hacker attacks will target key social infrastructures

One of the industries most at risk in 2021 will be health care. Healthcare organizations tend to be under-resourced to protect IT infrastructures, averse to change, and slow to innovate. Education also meets the criteria for vulnerability and can become one of the main targets. At the same time, the threat extends not only to hospitals and medical institutions, but also to larger research centers. In the race to create a vaccine, pharmaceutical companies and research centers will face increased risks.

Electric vehicle manufacturers will also be targets for cyberattacks as their prestige and profits rise. In addition, we can expect an increase in the number of hacker attacks on critical infrastructures and the industrial Internet of Things (IIoT).

Zero trust model will be effective if it becomes transparent to users

Traditional ways of protecting access to the corporate network, applications and data no longer work, the strategy of building network protection around the perimeter is outdated. In addition, over the years, staff decentralization has led to an increase in the popularity of the SaaS model - this means that critical data ends up outside of local corporate servers. Organizations have to defend themselves against previously unknown threats, so technologies such as biometrics will be actively used by companies in the future.

Zero trust is an approach to protect information when working remotely, but to effectively manage identity and access, the system must be easy to use. The key priority of the zero trust model is qualitative authentication methods, such as biometrics.

The need for a different security approach will increase

2020 demonstrated the urgent need to implement different approaches to secure remote access and to secure management of distributed endpoint infrastructure. In the future, every element of IT infrastructure will become a battleground for cybersecurity, from the PCs and smartphones of remote employees to industrial components of the Internet of Things. Organizations need to adapt security and management systems and implement the necessary technological innovations in work processes.

Technologies such as microvirtualization are transparent to end users. This means that they can open email attachments and download files knowing that the system will protect their device from malware. This approach to protection leaves hackers no chance, helping organizations deal with any threats both in 2021 and in the long term.

"2020 turned out to be a difficult year for both private business and state and social structures. State institutions, production enterprises, medical and educational organizations, as well as the financial industry were especially actively attacked. The transition to remote work has expanded the attack surface and made life difficult for information security services. This means that the days when the main task was to protect the network around the perimeter are behind us. As of December 2020, it is necessary to shift the emphasis to protecting endpoints. Throughout 2020, we have seen an increase in the targeting of hacker attacks and the use of sophisticated decoys that encourage users to take risky actions. In 2021, we will see a further development of these trends and an increase in the number of ingenious targeted hacks aimed at users and endpoints. Organizations cannot afford to ignore the increasing threat and simply hope for an improvement, so it is imperative to protect endpoints, which will allow them to always be one step ahead of cybercriminals," commented Pavel Anokhin, CEO of HP Inc. in Russia.

Every second organization reports an increase in cyber attacks during a pandemic

On December 15, 2020, Check Point Software Technologies Ltd. (NASDAQ: CHKP), a global provider of cybersecurity solutions, presented the results of a study showing organizations' main cybersecurity priorities and problems through 2023, as well as the main changes in their cybersecurity strategies brought about by the COVID-19 pandemic in 2020.

Below are the key findings from a survey of more than 600 IT and information security professionals worldwide:

The main security issues in 2021 are:

  • Ensuring the security of employees working remotely - noted by 47% of respondents
  • Protection against phishing and social engineering attacks - 42%
  • Providing secure remote access - 41%
  • Protection of applications and cloud infrastructure - 39%

The main security tasks for the next 2 years:

  • Supporting remote work - 61% of respondents
  • Endpoint and mobile security - 59%
  • Protecting public and hybrid clouds - 52%

The current reality:

  • 50% of all respondents believe that their approach to security will not return to pre-pandemic standards.
  • 29% said that at some point in the future they expect a return to the norms that existed before COVID-19.

Since the beginning of the pandemic, organizations have faced a growing number of attacks:

  • 58% of respondents said that their organizations have experienced an increase in attacks and threats since the beginning of the outbreak of COVID-19.
  • 39% said the volume of attacks remained the same.

Changes in security strategies for 2020:

  • 95% of respondents said their strategies changed in the second half of the year. The biggest change was enabling mass remote work - 67% of respondents reported it.
  • 39% noted that employees are now being trained in basic cybersecurity rules.
  • 37% said they have improved network security and threat prevention.
  • 37% said they have expanded endpoint and mobile security.
  • 31% noted the rapid adoption of cloud technologies.
  • 27% said they accelerated current IT projects during 2020 - for most, measures taken due to the pandemic included an unplanned rethinking of their business model.

Check Point tips to help organizations improve their security strategies:

  • Prevent in real time. Vaccination is better than treatment - this rule also applies in cybersecurity. Prevention is key to protecting networks, employees, and data from attacks and threats.
  • Protect all parts of the network. Organizations should review and verify the security level and relevance of their network infrastructure, devices and processes, and the compliance of connected devices (including IoT). Active cloud adoption requires increased security, especially in technologies that protect workloads, containers, and serverless applications.
  • Consolidate solutions and reduce the number of vendors. With so many changes made to organisations' infrastructure, it is important to ask regularly: are we really providing the security we need, is everything protected, are there any blind spots? High network visibility improves security efficiency. The ideal is unified management and improved risk visibility across the entire security architecture, which can only be achieved by reducing the number of suppliers and point solutions.

"Most organizations don't expect their current concerns and security priorities to change much over the next two years, according to the study. For many, the temporary changes they made to their networks and infrastructures during the pandemic will remain forever," says Vasily Diaghilev, head of Check Point Software Technologies in Russia and the CIS. "At the same time, the number of cyber attacks and threats is growing as hackers try to take advantage of this situation. Companies need to address any gaps in their new distributed networks - from employees' personal devices to the data center. Overcoming the impact of the pandemic on business and ensuring work with maximum efficiency and security are the most important tasks for most organizations."

A quarter of organizations around the world were subjected to at least seven cyber attacks in a year

On December 7, 2020, Trend Micro presented the results of a survey, according to which over the past year, 23% of organizations around the world have been subjected to seven or more attacks, culminating in penetration into their networks or systems. The vast majority (83%) of organizations surveyed believe that there is "some" or "high" likelihood of a successful attack in the next 12 months.

The American research organization Ponemon Institute has published the latest version of the Trend Micro Cyber Risk Index (CRI), which is calculated as the difference between an organization's current security level and its likelihood of being attacked.

"This year we have added data for Europe and Asia Pacific so that a truly global picture can be presented. This will help organizations around the world find more effective ways to simplify work, reduce threats from insider actions and from a lack of skills, as well as increase the security level of cloud environments and, as a result, minimize cyber risks and support rapid recovery from the pandemic," said Jon Clay, director of global threat awareness at Trend Micro.

The CRI index is a numerical scale from -10 to 10, where -10 is the highest risk level. The current global index is -0.41, which corresponds to an "increased" risk. The highest risk was recorded in the United States (-1.07) due to insufficient readiness of protection systems against cyber attacks compared to other regions.

According to the respondents, organizations around the world are most concerned about the following cyber risks:

  • loss of customer data;
  • access to financial information;
  • loss of customers;
  • theft or damage to equipment.

There are differences between countries. The United States is the only country where respondents named the cost of paying external consultants as the main negative consequence of an attack, while in the Asia-Pacific region respondents are more worried about damage to the organization's critical infrastructure.

Key global risks to IT infrastructure security include:

  • inconsistency and complexity of systems within the organization;
  • negligence of employees;
  • cloud computing infrastructure and its providers;
  • lack of qualified personnel;
  • the actions of insider intruders.

The CRI study is being conducted in the United States for the third time. It demonstrates a significant increase in cyber risks in 2020. The full report displays the change in associated metrics over time, provides information on the most serious security issues for businesses around the world, and tips for minimizing security threats.

After the pandemic, 12% of companies decided to create an information security department "from scratch"

After the pandemic, 12% of companies decided to create an information security department "from scratch." HeadHunter announced this on November 12, 2020.

88% of information security specialists believe that the IT infrastructure has become more vulnerable during the pandemic, while 59% of companies were forced to do without information security specialists at all.

Companies are experiencing a shortage of personnel - more than a quarter of the information security specialists surveyed reported that they were short-handed during the emergency transition to remote work in 2020. 30% were able to hire new employees, another 24% increased their staff from their internal talent pool, and 12% strengthened the team with external resources - outsourcing companies.

Despite the difficulties faced by companies, 61% of companies do not plan personnel changes in the information security department for 2021: neither an increase in the number of employees, nor a reduction. A quarter of the respondents reported that they were planning to expand the staff, 12% of companies decided to create a division "from scratch."

"The transfer of employees to remote work has led to an increase in the vulnerability of the IT infrastructure. Companies realized that it was necessary not only to repel external attacks, but also to protect against accidental and intentional violations by their own employees. Our survey showed that there are not enough information security specialists in companies, and not enough qualified professionals who know how to identify, investigate and prevent information security incidents. Therefore, we predict that the situation will force companies to increasingly resort to outsourcing information security processes."

Vitaly Terentyev, Director of the Department of Special Projects at hh.ru: "Data obtained during the SearchInform survey confirm that the pandemic and the massive transition to online greatly influenced the growth in demand for cybersecurity specialists: 25% of companies, already under the influence of these circumstances, expanded their staff of such specialists by hiring employees or transferring them from other departments. According to hh.ru, the number of vacancies for such specialists in the Russian Federation shows double-digit growth rates: if in 2018 more than 17 thousand vacancies were opened, then for the incomplete year 2020 (January to October) almost 30 thousand. The number of resumes of information security specialists is growing even faster: in 2018 there were 18 thousand, in 2019 - 25 thousand, and for incomplete 2020 - already over 55 thousand. The competition indicator in this area is very low - in 2018-2019 it was at level 1, and only in 2020 did it reach 2 people per vacancy, which indicates an acute deficit."

SearchInform conducted a survey in September - October 2020, more than 800 respondents took part in it: heads and employees of information security departments, industry experts and heads of Russian organizations.

Most Russian companies are ready to spend 25% of their annual information security budget on cyber ranges

On November 10, 2020, Positive Technologies announced the results of a survey among domestic information security specialists to find out how they assess the cyber security of their companies, what cyber risks they faced during 2020, and what protection tools are considered the most effective.

The survey was taken by visitors to the Positive Technologies website, the audience of the SecurityLab.ru portal and members of a number of industry communities.

The sample includes respondents from various industries: IT, the credit and financial sector, manufacturing, retail, state organizations, etc.

57% of respondents said that their organizations became victims of cyber attacks. Here are TOP-5 of the most commonly mentioned consequences of targeted actions by attackers:

  • information leakage (in 37% of cases);
  • infrastructure downtime (27%);
  • process disruption (20%);
  • data destruction (20%);
  • compensation for damage (17%).

It is difficult to estimate financial losses as a result of data leakage, since in most cases we are talking about lost profit or, say, reputational damage, but the damage from stopping all systems for at least one day, as one of our earlier studies showed, most companies estimate in amounts from 0.5 to 2 million rubles.

At the same time, only less than a quarter of respondents (23%) believe that the allocated budget for information security in their companies is enough to implement all the necessary measures to ensure information security (most of the respondents - about 30% - are content with introducing a minimum set of appropriate measures). Nevertheless, the results of the survey showed that the topic of cyber training is relevant and 87% of respondents would like to take part in them in order to:

  • improve the qualifications of employees (75% of respondents note this task);
  • analyze the security of systems (66%);
  • verify potential risks (55%);
  • test protection tools in the course of cyber exercises (59% of respondents, and this was the answer of two-thirds of those who believe that the company's protection tools are insufficient).

The company noted that a third of respondents (32%) are ready (or can afford) to spend no more than 2 million rubles on cyber exercises, and another 5% can allocate up to 10 million rubles for this. As one of our earlier studies showed, most companies (almost 70%) with 500 to 1000 employees have an annual budget of less than 10 million rubles. Thus, domestic companies are ready to spend a fifth of their annual budget on participating in cyber ranges, which indicates an understanding of the importance of practical security even under insufficient funding.

"The best solution is to conduct cyber exercises with the involvement of several teams attacking a digital model of the organization that corresponds to the company's real infrastructure - a digital twin. Within this concept, we have been developing The Standoff for more than one year as a tool for modeling threats and assessing the real level of security of specific technologies," explains Andrey Bershadsky, director of the competence center at Positive Technologies. "In recent years, we have seen an increase in demand for cyber ranges as a service. So, if in 2019, in one form or another, 15 companies were active participants in the cyber range, then their number exceeded 20. And each company has integrated certain parts of its infrastructure and business processes into the virtual environment of the cyber range. That is, demand is growing and the market is maturing, but, in addition, maximum price efficiency remains relevant, and this is achieved only on centralized online sites."

As of November 2020, the monthly audience of the SecurityLab.ru portal is about half a million visitors, most of whom are programmers, IT and information security specialists, and heads of the relevant departments.

The total audience of the communities is more than 16,000 IT and information security experts from various fields of domestic business.

Disagreements between IT and information security departments affect business security

On November 6, 2020, Positive Technologies announced the results of a survey of information security experts, the purpose of which was to find out how the vulnerability management process is built in Russian organizations. The survey involved information security specialists from the public sector (22%), credit and financial organizations (17%), industrial (17%) and IT companies (16%), the energy industry (9%) and other industries (19%).

As the survey showed, information security specialists spend the most time analyzing scan results for vulnerabilities in the IT infrastructure and trying to convince IT specialists to install updates (this is how 48% of respondents answered). In addition, there is a trend: the larger the company, the more difficult it is for information security specialists to agree with the IT department. If for representatives of small businesses the most time-consuming process is the analysis of scan results (50% of respondents), then for representatives of medium and large businesses this is the approval of the installation of updates (55% and 56%, respectively).

Also, 31% of specialists attributed the verification of the elimination of vulnerabilities to labor-intensive tasks (this is typical for both large and small companies).

In the survey, 11% of respondents said that they have to separately justify the elimination of each vulnerability. At the same time, 11% of respondents do not check whether the IT department has eliminated the discovered vulnerabilities. This suggests that many Russian companies lack such an important stage of the vulnerability management process as monitoring the level of security of IT assets.

Not all experts are in a hurry to install updates - every tenth respondent replied that critical vulnerabilities on important assets have not been eliminated in his company for more than six months. Companies drag on with updates, while attackers act quickly and adapt exploits for their attacks sometimes within 24 hours.

"Vulnerability management should be effective both in normal mode and during emergency checks," says Anastasia Lyashenko, product marketing manager at Positive Technologies. "We asked respondents what they would do first if they found out about a serious vulnerability in software. Half of the respondents would need to conduct an additional scan to find out whether the vulnerable software exists on the network; 19% would be able to take measures to protect the company immediately. Given the complex process of coordinating a full-fledged scan in many companies, it will be difficult to quickly find out whether a vulnerability is dangerous for the infrastructure. It is more effective if the vulnerability management system stores information about scanned assets and can calculate the applicability of the vulnerability to the network automatically based on past scans."

The survey showed that information security specialists face many difficult tasks in the vulnerability management process. Dedicated systems can address them by helping to build asset management correctly, enforce scanning regulations, control vulnerability remediation, and support close cooperation between the information security service and the IT division.

Only 4% of SMBs have strong IT protection

On September 14, 2020, Softline summed up the results of the first month of the implementation of the Basic Analysis of Infrastructure Security service. The results of the study showed that information systems of 96% of small and medium-sized businesses are vulnerable to external attacks.

During the month, specialists of Infosecurity (a Softline company) assessed the security level of 47 Russian SMB organizations using their own service, Basic Analysis of Infrastructure Security. Serious vulnerabilities were discovered in 45 of the companies.

The most common problem is missing security updates. Findings of this kind were identified in every audited organization, and in some cases vulnerable software versions were running on systems critical to the company's operation.

In second place is the use of weak or default passwords. In 70 percent of companies, weak passwords were found on both workstations and network equipment.

More than half of the companies that used the Basic Infrastructure Security Analysis service had critical vulnerabilities that allowed remote execution of arbitrary code, which left these organizations completely defenseless against external intruders. In addition, in 11 cases Infosecurity specialists found traces of previous compromises (web shells, database dumps and illegitimately created accounts). All this once again shows that cybercriminals take an active interest in any weak company, trying to extract material gain, which means that it is extremely important for medium and small businesses to pay increased attention to information protection.

Information security provider experts have prepared recommendations for eliminating all identified vulnerabilities. In addition, a free re-audit of the company's infrastructure is available within 30 days of completion of the initial analysis to assess the quality of the work to eliminate threats.

Along with attacks on the company's infrastructure related to penetrating the protected perimeter, in recent months Infosecurity has recorded an increase in the number of DDoS attacks on small and medium-sized businesses. At the same time, DDoS attacks are used not only to disrupt the functioning of external services of the company and, as a result, to complicate communication with partners and clients, but also to prevent access of employees at remote work to the infrastructure of the organization, which entails the actual shutdown of business processes and can cause serious damage to business.

Malware is the main vector of cyber attacks on Russian companies in the first half of the year

On August 28, 2020, analysts at Angara Professional Assistance, Angara's provider of replicable cybersecurity services, shared the results of a study of information security events for the first half of 2020.

According to the study, in January-June 2020 the main attack vectors against the information systems of Russian companies were infection with malicious software (malware, 28%), exploitation of vulnerabilities (12%) and delivery of malware through e-mail (i.e. phishing, 7%). For comparison, in the second half of 2019 the share of malware infections was 7%, and the shares of vulnerability exploitation and e-mail malware delivery were 4% each.

"Such a profile of confirmed information security incidents in the first half of 2020 is a consequence of the emergency transition of companies to remote work and the subsequent adaptation of IT infrastructures to a new format of interaction," said Oksana Vasilyeva, head of Angara Professional Assistance. "The blurring of the information security perimeter and insufficient attention to protecting remote access tools led to an avalanche-like growth of the simplest types of attacks."

It follows from the report that a large number of malware samples were downloaded by users under the guise of legitimate applications (including games, software cracking tools, messengers, etc.). Such incidents, directly related to remote work, accounted for 12% of all malware-related events. The increase in their number is caused by direct Internet access that bypasses corporate web traffic analysis tools.

ACRC analysts recorded a large number of phishing emails to corporate addresses containing malicious attachments or links to malicious content. Most often, the malicious attachment is delivered in a password-protected archive, which allows it to bypass content inspection by anti-virus protection on the mail server. One notable phishing email was disguised as a request from the Federal Tax Service (FTS) of Russia: the user received a letter from the address info@nalog.ru with the subject "Request." The attachment contained an executable file that, on startup, installed the Remote Manipulator System (RMS) remote administration tool, which cybercriminals have long used to manage compromised hosts.

As for the exploitation of vulnerabilities, incidents involving vulnerabilities such as CVE-2019-0708 (BlueKeep) in RDP and CVE-2017-0144 (EternalBlue) in SMB on corporate hosts were recorded during remote work. The investigation showed that the hosts had been given public (white) IP addresses to enable work from home, which allowed external attackers to attempt to exploit these vulnerabilities.

According to monthly statistics, the situation stabilized in May: the number of confirmed information security incidents fell by 45% compared to the previous month.

"In the first half of the year, the world faced new challenges. Everyone, including commercial SOC service providers, had to adapt in a short time. The Cyber Resilience Center and our clients managed to adapt to the current situation quickly and, although there was a general increase in malicious activity, it did not affect the functioning of our customers' business," Oksana Vasilyeva summed up.

The Angara Professional Assistance report is based on statistics collected as part of the provision of information security monitoring and incident management services based on the Angara Cyber Resilience Center (ACRC).

Top five trends in cybersecurity

Microsoft Corporation on August 19, 2020 shared the results of a study in which large companies in India, Germany, Great Britain and the United States took part. The purpose of the study was to identify changes that occurred in the first two months of the coronavirus pandemic in the field of digital transformation and information security. The results of the study reflected five major trends in cybersecurity.

1. Security is the foundation for productivity in the digital age.

Improving productivity during remote work is the main priority of business managers for information security (41%), and respondents called the "extension of data protection technologies to more applications for remote work" the most positive phenomenon for users in this area. Not surprisingly, "providing secure remote access to resources, applications, and data" is also the most challenging task. Most of the companies surveyed cited the introduction of a multifactor authentication system as the first step towards this goal.

2. Everyone is on their way to the Zero Trust concept.

In the very first days of the pandemic, the concept turned from an interesting opportunity into a business priority. In light of the transition to remote work, 51% of information security managers are accelerating the deployment of the Zero Trust architecture. As a result, the concept could become an industry standard, since 94% of companies report that they are already implementing Zero Trust elements to one degree or another, Microsoft noted.

3. More different datasets - more information about possible threats.

The pandemic has made it possible to assess the capabilities of cloud technologies. Microsoft monitors more than 8 trillion threat signals every day from a wide variety of sources (products, services, subscriptions to compromise indicators, etc.) around the world. Automated tools have helped security professionals identify new threats before they reach customers - sometimes in a split second.

Cloud filters and threat detection tools also made it possible to warn security services about suspicious behavior, which was extremely relevant for business, since 54% of security executives reported an increase in phishing attacks since the beginning of the pandemic. Successful phishing attacks were reported significantly more often by companies that described their resources as predominantly local (36%), compared to 26% in companies that rely on cloud infrastructure.

4. Cybersecurity is the basis for operational resiliency.

As more organizations provide employees with secure remote work solutions, cloud technologies simplify the development of a comprehensive strategy for protection and business continuity under active cyber threats (cyber resilience) and for preparing for a wide range of contingencies. More than half of companies using cloud or hybrid technologies report having a cyber resilience strategy for most scenarios, compared to 40% of organizations that rely on local infrastructure, of which 19% do not have such a plan in documented form at all.

5. The cloud is a prerequisite for effective security.

While experts often thought of security as a set of solutions deployed on top of existing infrastructure, events such as the massive transition to remote work demonstrate the need for integrated security systems in companies of all sizes.

In addition, since the start of the pandemic, more than 80% of companies have hired security specialists. Most leaders of information security services reported an increase in the budget for information security (58%) and compliance with regulatory requirements (65%) in order to adapt to the numerous consequences of the pandemic for business.

At the same time, 81% of them also reported the need to reduce the costs of information security of the company as a whole. To reduce costs in the short term, executives are working to improve integrated threat protection systems to significantly reduce the risk of damage from cyber attacks. Nearly 40% of businesses say they favor investing in cloud security in the long term, followed by data and information security (28%) and anti-phishing tools (26%).

High-risk vulnerabilities identified on network perimeter of 84% of companies

On August 12, 2020, Positive Technologies experts shared the results of an instrumental analysis of the security of the network perimeters of corporate information systems. According to the study, high-risk vulnerabilities were identified in 84% of organizations, and 58% of companies have at least one node with a high-risk vulnerability for which a public exploit exists. Exploits are publicly available for 10% of all identified vulnerabilities, which means that an attacker can exploit every tenth vulnerability without professional programming skills or reverse engineering experience. This despite the fact that half of the vulnerabilities can be fixed by installing current software updates, Positive Technologies emphasized.

Average number of vulnerabilities per site based on risk level
"Problems with the availability of updates have been identified in all companies," said Yana Avezova, an analyst at Positive Technologies. "And 42% of organizations use software products whose manufacturers have officially discontinued support and are no longer releasing security updates. For example, 32% of companies have applications written in PHP version 5, which has not been supported since January 2019. By the way, the oldest vulnerability discovered during the instrumental analysis is 16 years old."

Distribution of vulnerabilities by risk level

According to the study, in 26% of companies network port 445/TCP is open on nodes with external network interfaces, which puts these companies at risk of infection by the WannaCry ransomware.

Maximum vulnerability risk (share of organizations)

On the network perimeter of most companies, web services, e-mail, remote administration interfaces and file services were identified. In more than half of organizations, external resources contain vulnerabilities leading to arbitrary code execution or privilege escalation. Maximum privileges allow an attacker to edit and delete any information on the node, so there is a risk of denial of service, and for web servers - of defacement, unauthorized database access and attacks on clients. In addition, the attacker gains the opportunity to extend the attack to other nodes. Experts advise limiting the number of services on the network perimeter and making sure that interfaces open for connection really need to be reachable from the Internet. If so, it is necessary to ensure their secure configuration and install the updates that close known vulnerabilities, according to Positive Technologies.

Distribution of vulnerabilities by services and risk levels

All companies have identified nodes on which this or that technical information is disclosed: the contents of configuration files, routes to the scanned node, OS versions or supported protocol versions. The more such information about the attacked system an attacker manages to collect, the higher his chance of success. According to experts, the reason lies in the unsafe configuration of services.

Vulnerable software (share of vulnerabilities associated with the use of outdated versions)

According to the experts, vulnerability management is a difficult task that specialists cannot solve without tooling. Modern security analysis tools not only automate resource inventory and vulnerability scanning, but also assess the infrastructure's compliance with security policies. At the same time, as Positive Technologies emphasized, instrumental scanning of network resources is only the first step towards an acceptable level of company security; it must be followed by verification, prioritization, and elimination of the risks and of the causes that produce them.
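The inventory step the experts describe (compare what is actually exposed with what should be exposed, then flag the risks the study names) can be turned into a small check. This is an added example, not Positive Technologies' tooling; the scan output, the allowlist and the banners are constructed, and the RDP rule generalizes the page's later advice to put remote desktops behind a gateway.

```python
"""Perimeter inventory check (added example; not Positive Technologies' tooling).

Compares a constructed external scan result with the list of services the
business has actually approved for Internet exposure and flags the three
problems the study describes: unapproved exposed services, SMB (445/TCP)
reachable from outside, and software whose vendor no longer ships updates.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    port: int
    severity: str   # "high" or "medium"
    reason: str


# Constructed scan output: (host, port, service banner). Addresses come from the
# documentation range and the banners are invented for the example.
SCAN = [
    ("203.0.113.10", 443, "nginx/1.18.0"),
    ("203.0.113.10", 80, "Apache/2.4.41 PHP/5.6.40"),
    ("203.0.113.11", 445, "Microsoft Windows SMB"),
    ("203.0.113.12", 25, "Postfix smtpd"),
    ("203.0.113.13", 3389, "Microsoft Terminal Services"),
]

# Services the business approved for exposure: host -> set of ports.
# Anything observed outside this inventory is a question for the asset owner.
ALLOWLIST = {
    "203.0.113.10": {443},
    "203.0.113.12": {25},
}

# Ports that should not face the Internet directly. 445/TCP is the WannaCry
# exposure from the study; RDP is added as the generalization (the study's
# remote-work advice is to publish it only through a Remote Desktop Gateway).
FORBIDDEN_PORTS = {
    445: "SMB reachable from the Internet (WannaCry-class worm risk)",
    3389: "RDP reachable directly, not through a gateway",
}

# Banner patterns of unsupported software. PHP 5 is the example from the study.
EOL_PATTERNS = [
    (re.compile(r"\bPHP/5\."), "PHP 5 has had no security updates since January 2019"),
]


def check_perimeter(scan, allowlist, forbidden=FORBIDDEN_PORTS, eol=EOL_PATTERNS):
    """Return one Finding per problem; a single service can yield several."""
    findings = []
    for host, port, banner in scan:
        if port in forbidden:
            findings.append(Finding(host, port, "high", forbidden[port]))
        elif port not in allowlist.get(host, set()):
            findings.append(Finding(host, port, "medium", "service not in approved inventory"))
        for pattern, reason in eol:
            if pattern.search(banner):
                findings.append(Finding(host, port, "high", reason))
    return findings


def summarize(findings, scan):
    """Headline numbers in the form the study reports them: the share of hosts
    carrying at least one high-risk finding."""
    hosts = {host for host, _, _ in scan}
    high_hosts = {f.host for f in findings if f.severity == "high"}
    return {
        "hosts": len(hosts),
        "hosts_with_high": len(high_hosts),
        "share_high": round(len(high_hosts) / len(hosts), 2) if hosts else 0.0,
    }


if __name__ == "__main__":
    found = check_perimeter(SCAN, ALLOWLIST)
    for f in found:
        print(f"{f.severity:6} {f.host}:{f.port:<5} {f.reason}")
    print(summarize(found, SCAN))
```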

More than half of Russian companies during the pandemic increased spending on cybersecurity

57% of Russian companies made cybersecurity one of their strategic priorities during the pandemic. This is the conclusion reached by experts of the HR Lab project ("HR Innovation Laboratory") and the "Academy of Health" platform, who conducted the study for the AlfaStrakhovanie Think Tank. AlfaStrakhovanie Medicine announced this on July 17, 2020.

Specialists interviewed the heads of IT departments of more than 100 Russian companies (with a turnover of 100 million rubles per year).

48% of respondents said that their company has always paid attention to the security of information processes, but the transition of employees to a remote format posed special tasks for IT departments. 36% noticed that electronic document management in remote work required additional protection measures for users' home computers.

27% of respondents noted that the activities of their employees are related to settlements with customers, so the company had to allocate funds for the installation of additional security software to ensure the security of transactions. 24% of the survey participants drew attention to the fact that their colleagues needed remote access to the databases of companies to work from home, which also required installing security programs on home computers.

Among all respondents, 70% noticed that their leadership was ready for additional spending on cybersecurity. At the same time, for 30% in a pandemic, such expenses came as a surprise and negatively affected the company's economic results.

{{quote 'The pandemic and the transfer of a significant share of workflows online have created an additional burden on the IT divisions of Russian companies. Cybersecurity is not an area that can be saved on, because information and data in the modern world are at the heart of business processes. Most Russian companies were able to establish secure work for employees who went to work remotely, and this is a good indicator of the state of the business. All this made it possible not to stop work in self-isolation. And the fact that more than half of the companies recognized cybersecurity as their strategic priority suggests that in case of unforeseen situations in the future, the transition to telecommuting will become less painful, says Alisa Bezlyudova, director of the marketing department of Medicine at AlfaInsurance Group. }}

The project "HR Lab. - HR Innovation Laboratory", in partnership with the digital publishing house Alpina Digital, the company HeadHunter and HBR-Russia, has been operating since March 2016. The project is aimed at HR directors, human resources management specialists, owners and CEOs of companies. Its main task is to find and accumulate all the tools, competencies and practices needed for successful work with personnel in a turbulent market.

40% of small businesses recorded cyber attacks on employees' personal devices

According to a study by Kaspersky Lab, 85% of employees of Russian companies with a staff of no more than 50 people use personal devices for remote work during the pandemic. Kaspersky Lab announced this on June 9, 2020.

At the same time, 19% of employees began to use their own devices for business purposes after switching to remote operation, and 54% noted that they had done this before.

As a rule, it is difficult for a microbusiness to provide its entire staff with the necessary equipment, so a Bring Your Own Device (BYOD) policy is widespread in such companies. However, the use of third-party equipment carries certain cyber risks: if an employee's device connected to the corporate network is poorly protected, attackers can easily get to non-public data.

Even before the pandemic, entrepreneurs reported that they had been victims of malware attacks on employees' personal devices: in a Kaspersky Lab study, 40% of respondents confirmed this. With the increasing use of personal devices and the increasingly active transition of business into the digital space, these figures may get even worse.

In this situation, companies should improve the digital literacy of employees and inform them about such basic information security requirements as the presence of a security solution on a working device, the use of reliable and unique passwords, and regular software updates. But only 8% of employees of small organizations received such instructions.

{{quote 'Small companies are in difficult conditions, they have to fight for their business and keep their jobs. Therefore, it is not surprising that cybersecurity concerns them to a lesser extent. However, the implementation of even basic measures to protect against digital threats can significantly reduce the likelihood of financial damage or encryption of documents as a result of a ransomware attack," comments Andrei Dankevich, Kaspersky Lab expert on cyber protection for small and medium-sized businesses. "There is a certain set of important rules of digital hygiene for business working remotely. And, of course, they must be observed not only during self-isolation, but on an ongoing basis. }}

For effective protection against cyber threats, Kaspersky Lab recommends that small companies:

  • use passwords for all devices, including mobile phones and the Wi-Fi router; if the router has a default password, change it to a new one;
  • Configure the encryption type in the router. Ideally, this should be the most secure type - WPA2;
  • enable VPN, especially if the employee uses public Wi-Fi access points;

    Until September 1, 2020, small companies can install and use this solution for free by following the link: kas.pr/free-ksos;

  • provide employees with a list of reliable cloud services that they can use to store or transfer corporate data;

    As part of Kaspersky Security Awareness, Kaspersky Lab launched such a course in conjunction with the Area9 Lyceum. The program can be completed for free by registering at https://kas.pr/free-course.

70% of companies on the "remote" do not have an objective picture of internal information security incidents

On April 22, 2020, SearchInform reported that, according to its study, less than half of the companies that have switched to remote work control the actions of employees with specialized software. At the same time, 15% of respondents use software to assess discipline, but not information security. As a result, a third of organizations cannot assess how the number of information security incidents is changing in connection with the emergency transition to remote work. This is evidenced by the data of an anonymous survey conducted by SearchInform.

Attackers can access one in 10 open remote desktops

On March 27, 2020, Positive Technologies announced that, while monitoring current threats (threat intelligence), the company's experts found that the number of network nodes in Russia reachable via the Remote Desktop Protocol (RDP) had increased by 9% in just three weeks (since the end of February 2020) and exceeded 112,000. More than 10% of these resources are already vulnerable to the BlueKeep security bug (CVE-2019-0708), which allows an attacker to gain full control over a Windows-based computer.

To attack, it is enough to send a specially crafted RDP request to a vulnerable Remote Desktop Services (RDS) instance; authentication is not required. If successful, an attacker can install and remove programs on the compromised system, create accounts with the maximum level of access, and read and edit confidential information. The vulnerability affects Windows 7, Windows Server 2008 and Windows Server 2008 R2.

Remote work

In terms of growth in the number of nodes with open RDP, as of March 2020 the Ural Federal District is in the lead: there the number of such nodes increased by 21%, and the share of nodes vulnerable to BlueKeep is 17%. It is followed by the Siberian (21% and 16%, respectively), Northwestern (19% and 13%), North Caucasus (18% and 17%), Southern (11% and 14%), Volga (8% and 18%), Far Eastern (5% and 14%) and Central (4% and 11%) Federal Districts.

File:Aquote1.png
On the network perimeter of Russian companies, the number of resources began to increase, an attack on which will allow attackers to gain control over the server and penetrate the local network. We associate this, first of all, with the hasty transfer of some of the employees to remote work. Regardless of the type of remote connection selected, it is reasonable to provide remote access through a special gateway. For RDP connections, this is Remote Desktop Gateway (RDG), for VPN - VPN Gateway. Remote connection directly to the workplace is not recommended,

- noted Alexey Novikov, director of the security expert center Positive Technologies
File:Aquote2.png

Positive Technologies warns that opening access to individual subnets to all VPN users at once significantly reduces the security of the organization and not only gives ample opportunities to an external attacker, but also increases the risk of an insider attack. Therefore, IT professionals need to maintain network segmentation and allocate the required number of VPN pools.

Positive Technologies experts separately emphasize the threat posed by remote access channels into business-critical networks and systems (for example, technological networks in manufacturing and power, ATM management networks or card processing in banks, 1C servers, confidential document management). Information security services are advised to strictly monitor attempts by administrators to simplify their management and configuration tasks for such segments by using a separate, unprotected connection. Control can be ensured by constantly monitoring the perimeter of the organization's network, especially its key segments. In addition, the use of remote administration software (for example, RAdmin or TeamViewer) must be strictly regulated and cases of its unauthorized use tracked (for example, by its artifacts in traffic, using NTA solutions). Also, since the traditional behavior model of employees has changed (mass remote access), the correlation rules in the monitoring and cyber attack protection systems in use need to be reconfigured.

In addition, Positive Technologies recommends paying attention to a critical vulnerability (CVE-2019-19781) in Citrix software, which is used in corporate networks, including for organizing terminal access of employees to the company's internal applications from any device via the Internet. If this vulnerability is exploited, the attacker gains direct access to the company's local network from the Internet. To carry out such an attack, access to any accounts is not required, which means that any external violator can perform it.

Other vulnerabilities that require special attention in the context of the increased number of open remote accesses include the eight-year-old remote desktop protocol vulnerability CVE-2012-0002 (MS11-065), which is still found on the network perimeters of organizations, and the Remote Desktop Services vulnerabilities CVE-2019-1181/1182 in various versions of Microsoft operating systems (including Windows 10). The PHP 7 vulnerability (CVE-2019-11043), which according to Positive Technologies was among the most dangerous of 2019, should also be eliminated. The presence of the listed vulnerabilities in a company's infrastructure can be quickly identified with vulnerability scanners. To eliminate them, in all cases one must at least follow the recommendations of the manufacturer of the vulnerable software or hardware version.

Only 17% of companies are ready to effectively resist cyber attacks

On February 19, 2020, Accenture summed up its cybersecurity research. It was attended by 4,644 heads of information security departments of companies with revenue of more than $1 billion from 24 industries in 16 countries. The third annual Cyber Resilience Report focuses on identifying the key factors behind the success of leading companies in protecting their businesses from cyber threats.

Despite many years of growth in the level of investment in information security, only 17% of companies were able to build effective security systems ("leaders") on their foundation, the rest of the companies were defined as "average" (9%) and "lagging" (74%). The results of the study revealed the following:

  • "leaders" are able to prevent and stop 4 times more attacks - only 1 in 27 attacks breaches the company's security;
  • "leaders" detect penetrations 4 times faster (88% of violations are detected within one day), and eliminate them 3 times faster (96% of "leaders" eliminate penetrations in less than 15 days), "laggards" take much longer - from 16 days or more, and almost half of them sometimes spend more than one month on this;
  • "leaders" are also able to significantly reduce damage from attacks (58% of penetrations do not cause them any damage).

In addition, "leaders" direct most of their budget to support existing security systems, while "laggards" are more focused on piloting and launching new solutions. Also, "leaders" are 3 times more likely to train staff and provide them with the necessary safety tools.

File:Aquote1.png
"Our practical experience suggests that for Russia the share of 'leaders' and 'average' is significantly less than twenty-six percent due to their lack of basic protection systems and mature information security processes, as well as, unfortunately, due to a significant lag in information security funding,"
File:Aquote2.png

The authors of the study cite three key indicators as the main factors of cyber resistance:

  • rate of detection of security violations - for 58% of "leaders" this is the main criterion for the effectiveness of their security program in the company;
  • recovery rate after the incident is the second most important criterion for 53% of leading companies;
  • incident response rate is the third main criterion for 52% of "leaders."

The leadership approach to information security technologies is focused on the speed of discovery, response, and recovery. Thus, the number of companies allocating more than 6% of the budget for information security has doubled over the past 3 years.

At the same time, they clearly understand the need to maximize the value of each individual investment. To do this, they scale information security technologies across the entire organization, develop cooperation with partners and with professional and industry communities, and, of course, pay great attention to fully training information security specialists, as well as users, in handling the adopted security tools.

However, in pursuit of new security tools, we must not forget about the information security solutions already implemented in the company. Unlike "laggards," "leaders" see the benefits of investing in supporting and modernizing the protection tools implemented. They distribute the budget in more or less equal proportions between the introduction of new technologies, their scaling and improving the work of existing information security solutions. "Laggards" are more likely to spend time piloting and introducing new means of protection, while the capabilities of existing information security solutions in the company are not fully disclosed.

File:Aquote1.png
"This approach is relevant for Russian companies, which traditionally have an imbalance between financing such areas as the acquisition of new protection systems, the expansion of the staff of information security specialists, and the support and development of existing means of protection. Often, when a new modern means of protection is bought, there are simply not enough specialists who can squeeze the maximum benefit out of it,"

noted Andrey Tymoshenko, head of Accenture Security practice in Russia
File:Aquote2.png

The report also cites additional differences between leaders and laggards:

  • "leaders" were almost 3 times less likely to have leaks of more than 500,000 customer records as a result of cyber attacks over the past 12 months (15% versus 44% for "laggards");
  • "leaders" are about 3 times more likely to conduct the necessary training on the use of information protection tools for their users (30% - versus 9% for laggards).

By introducing the approach taken by leaders, the company can significantly increase its cyber resilience and reduce the cost of information security incidents - from $380 thousand to $107 thousand, according to Accenture.

83% of respondents believe that for full protection it is necessary to ensure the security of not only their company, but also the ecosystem in which it operates. It is necessary to take measures to reduce the potential danger posed by partners, suppliers, vendors, etc., because about 40% of threats and violations of information security, according to the authors of the study, are associated with them.

Based on data from the study, the Accenture Security team recommends three practical steps each organization can take to get closer to cybersecurity "leaders."

  1. Invest in speed - Prioritize technologies that accelerate discovery, response, and recovery.
  2. Invest wisely - scale, train and collaborate more.
  3. Support what is - increase the impact of implemented solutions and basic protection tools.

Networks of 97% of companies contain traces of possible compromise

On February 10, 2020, Positive Technologies announced that its experts analyzed the network activity of large companies (with a staff of more than a thousand people) from key sectors of the economy in Russia and the CIS. According to the results of in-depth analysis of network traffic, 97% of companies found suspicious network activity, and 81% of companies found malware activity.

During the analysis, experts called suspicious activity in the network traffic of the companies under study (97%) the main sign of possible compromise. In 64% of cases, this is a concealment of traffic (VPN tunneling, connecting to an anonymous Tor network or proxying), and in every third company there are traces of scanning the internal network, which may indicate intelligence of intruders inside the infrastructure.

File:Aquote1.png
The danger of hiding traffic is that while employees connect to Tor, set up proxy servers and configure VPNs to bypass blocking of web resources, attackers can use the same technologies to communicate with their control servers. With their help, attackers can control malware and send payloads,
Positive Technologies analyst Yana Avezova comments on the results of the study
File:Aquote2.png

This fear is not unreasonable, since in 81% of companies, analysis of network traffic revealed the activity of malware - miners (55% of the total share of infected companies), advertising (28%), spyware (24%), etc. In 47% of organizations, several types of malware were detected at once.

According to the experts, violations of information security regulations (revealed in 94% of companies) directly lower the level of security, practically opening the organization's doors to hackers. Thus, in the IT infrastructure of 81% of companies, sensitive data is transmitted in clear text, which allows a potential attacker to search the traffic for logins and passwords and use them to move through corporate resources. 67% of companies use remote management software such as RAdmin, TeamViewer and Ammyy Admin; having penetrated the infrastructure, an attacker can use these tools to move around the network while remaining unnoticed by protection tools.

In 44% of companies, employees use the BitTorrent protocol to transfer data, for example, to download films. According to experts, this not only creates an additional load on the communication channel and reduces its bandwidth, but also increases the risk of malware infection.

The vast majority of threats (92%) were identified inside the perimeter. According to experts, this indicates that it is important not only to prevent attacks on the perimeter, but also to monitor the internal network, including analyzing network traffic. This will identify attackers in the first stages of the attack.
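The indicators the study treats as signs of compromise and policy violation (traffic concealment, internal scanning, cleartext credential protocols, remote administration tools, BitTorrent) can be checked over flow records from the internal network. This is an added example, not Positive Technologies' NTA code; the flow records, the Tor relay list and the tool ports are constructed or assumed defaults.

```python
"""Flow-record triage for the indicators the study lists (added example; not
Positive Technologies' NTA code).

Walks constructed flow records and flags: traffic concealment (connections to
known Tor relays or to VPN/proxy ports outside the network), internal port
scanning, cleartext credential protocols inside the network, remote-administration
tools such as RAdmin and TeamViewer, and BitTorrent traffic.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch, constructed
    src: str
    dst: str
    dport: int


INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Stands in for a Tor relay feed (e.g. the consensus); constructed addresses.
TOR_RELAYS = {"198.51.100.7", "198.51.100.8"}
CONCEAL_PORTS = {1194: "OpenVPN", 1080: "SOCKS", 9001: "Tor ORPort"}
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP"}
# Default listening ports of the tools the study names (assumed defaults).
REMOTE_ADMIN = {4899: "RAdmin", 5938: "TeamViewer"}
TORRENT_PORTS = range(6881, 6890)
SCAN_PORTS = 20     # distinct destination ports ...
SCAN_WINDOW = 60    # ... from one host to another within this many seconds


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_scans(pair_flows):
    """One alert per (src, dst) pair that touches SCAN_PORTS distinct ports in a window."""
    alerts = []
    for (src, dst), flows in pair_flows.items():
        flows = sorted(flows, key=lambda f: f.ts)
        for i, first in enumerate(flows):
            ports = {f.dport for f in flows[i:] if f.ts - first.ts <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                alerts.append(("scan", src, dst))
                break
    return alerts


def analyze(flows):
    """Return (kind, src, dst) alerts; kind carries a sub-type after a colon."""
    alerts = []
    pair_flows = defaultdict(list)
    for f in flows:
        both_internal = is_internal(f.src) and is_internal(f.dst)
        if f.dst in TOR_RELAYS:
            alerts.append(("tor", f.src, f.dst))
        elif f.dport in CONCEAL_PORTS and not is_internal(f.dst):
            alerts.append(("tunnel:" + CONCEAL_PORTS[f.dport], f.src, f.dst))
        if f.dport in CLEARTEXT and both_internal:
            alerts.append(("cleartext:" + CLEARTEXT[f.dport], f.src, f.dst))
        if f.dport in REMOTE_ADMIN:
            alerts.append(("remote_admin:" + REMOTE_ADMIN[f.dport], f.src, f.dst))
        if f.dport in TORRENT_PORTS and not is_internal(f.dst):
            alerts.append(("torrent", f.src, f.dst))
        if both_internal:
            pair_flows[(f.src, f.dst)].append(f)
    return alerts + find_scans(pair_flows)


def categories(alerts):
    """Count alerts by top-level category (the study's per-indicator view)."""
    return Counter(kind.split(":")[0] for kind, _, _ in alerts)


# Constructed sample: all addresses are private or documentation ranges.
SAMPLE = [
    Flow(1000, "10.0.1.5", "198.51.100.7", 443),      # Tor relay
    Flow(1001, "10.0.1.6", "203.0.113.9", 1194),      # OpenVPN tunnel out
    Flow(1002, "10.0.2.2", "10.0.3.3", 23),           # Telnet inside the network
    Flow(1003, "10.0.2.2", "10.0.3.4", 4899),         # RAdmin
    Flow(1004, "10.0.1.7", "203.0.113.50", 6881),     # BitTorrent
    Flow(1005, "10.0.4.4", "10.0.4.5", 443),          # ordinary HTTPS, no alert
] + [Flow(2000 + i, "10.0.9.9", "10.0.5.5", 1000 + i) for i in range(25)]  # port scan

if __name__ == "__main__":
    found = analyze(SAMPLE)
    for kind, src, dst in found:
        print(f"{kind:22} {src} -> {dst}")
    print(dict(categories(found)))
```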

2019

82% of companies affected by cyber attacks and incidents

According to the Dell Technologies study Global Data Protection Index 2020 Snapshot, as of March 2020 organizations manage on average 13.53 petabytes (PB) of data, which is 40% more than in 2018 (9.7 PB) and 831% more than in 2016 (1.45 PB). Such a significant growth in data gives rise to natural difficulties: an absolute majority (81%) of respondents noted that their current data protection solutions do not meet future business needs. This snapshot is a follow-up to the biennial Global Data Protection Index study. It presents the results of a survey of 1,000 IT executives from 15 countries working in public and private organizations with more than 250 employees on the impact of these issues and of advanced technologies on companies' data protection readiness. The results also show positive changes: more organizations (80% in 2019 versus 74% in 2018) understand the value of their data and derive, or plan to derive, benefit from it.

Dell Technologies Research Data
File:Aquote1.png
"Data is the lifeblood of a business and the key to digitally transforming an organization. We are entering a new decade of digital data, and we need robust and state-of-the-art data protection strategies to help businesses make informed, responsive decisions and deal with the consequences of costly failures,"

noted Beth Phalen, President of Data Protection at Dell Technologies
File:Aquote2.png

From cyber attacks to data loss to system downtime, the biggest data risk is a growing number of incidents, according to the study. Most organisations (82% in 2019 compared to 76% in 2018) say they have been affected by such incidents in the past year. Another 68% worry that their organisation will face such an incident within the next 12 months.

Dell Technologies Research Data

Even more concerning is the fact that organizations that use more than one data protection solution provider are about twice as likely to be at risk of cyber attacks (so the percentage of exposure to cyber attacks is 39% for companies with two or more suppliers compared to 20% for companies with one supplier). At the same time, the use of services from several suppliers is becoming more and more popular. For example, 80% of organizations choose data protection solutions from two or more providers, which is 20% higher than in 2016.

The cost of disaster recovery is also rising rapidly. The average cost of downtime increased by 54% from 2018 to 2019: the estimated cost rose from $526,845 in 2018 to $810,018 in 2019. The estimated cost of a data breach also increased, from $995,613 in 2018 to $1,013,075 in 2019. These costs are significantly higher for organizations that use more than one data protection provider: on average, their cost of downtime is twice as high and their cost of leakage five times as high.

Dell Technologies Research Data

The development of modern technologies and the formation of a digital environment force organizations to learn how to use these technologies to achieve better results. The study shows that almost every organization invests in emerging technologies. The most popular of these are cloud applications (58%); artificial intelligence (AI) and machine learning (ML) (53%); cloud software services (SaaS) (51%); 5G and cloud edge infrastructure (49%); and the Internet of Things/endpoints (36%).

However, almost three-quarters (71%) of respondents believe that modern technology creates more difficulties for data protection, and 61% noted that technology poses a risk to it. More than half of companies that use emerging technologies are trying to find effective data protection solutions that meet their needs, including:

  • 5G and cloud edge infrastructure (67%),
  • ML and AI platforms (64%),
  • cloud applications (60%),
  • Internet of Things and endpoints (59%),
  • robotic process automation (56%).

Dell Technologies Research Data

During the study, 81% of respondents said that data protection solutions operating in the organization will not cope with business problems in the future. Respondents are uncertain about the following areas:

  • data recovery after cyber attacks (69%),
  • data recovery after data leakage (64%),
  • compliance with local data management legislation (62%),
  • meeting backup and recovery service-level objectives (62%).

When deploying business applications and protecting workloads (including containers, cloud applications and SaaS), companies use a combination of different cloud technologies. The research shows that organizations prefer public cloud/SaaS (43%), hybrid cloud (42%) and private cloud (39%) as the environment for hosting new applications. In addition, 85% of the organizations surveyed said it is extremely important that data protection solution providers ensure the safety of cloud applications.

Dell Technologies Research Data

With large amounts of data flowing through the Edge environment, many respondents prefer to use cloud backup to manage and protect data created on Edge networks. At the same time, 62% chose a private cloud to host solutions and 49% a public cloud.

File:Aquote1.png
"These studies prove that data protection must be a key element of a company's business strategy. As the data landscape becomes more complex, organizations need flexible, sustainable data protection strategies that can work in a multi-platform, multi-cloud world,"

noted Beth Phalen, President of Data Protection at Dell Technologies
File:Aquote2.png

IBM X-Force study: Identity theft and vulnerabilities have become the main enemies of business

On February 11, 2020, IBM published its annual IBM X-Force Threat Intelligence Index 2020, which shows how the methods of cybercriminals have changed over several decades of illegally accessing billions of corporate and personal records and exploiting hundreds of thousands of software vulnerabilities. According to the study, 60% of initial intrusions into victims' infrastructure were carried out using previously stolen credentials and known software vulnerabilities, which allowed attackers to rely less on deceiving users to gain access to data.

IBM X-Force Research Data

The IBM X-Force report clearly shows the factors that contributed to this shift, including the three main attack vectors:

  • Phishing was successfully used as the initial method of penetration in less than a third of cases (31%), while in 2018 this figure reached half.
  • Identifying and exploiting vulnerabilities was responsible for 30% of hacks, up from 8% in 2018. And even long-known vulnerabilities in Microsoft Office and Windows Server Message Block continue to be successfully and extensively exploited.
  • The use of previously stolen credentials is also gaining popularity as an entry point: we are talking about 29% of cases. In 2019 alone, more than 8.5 billion records were compromised - this is 200% more than in the previous year, which means that even more credentials fell into the hands of criminals, which can be used in the future.

File:Aquote1.png
"The number of hacked accounts we see suggests that more and more keys are falling into the hands of cybercriminals, opening up access to our private and working lives. They no longer have to waste time inventing cunning ways to infiltrate a company: criminals can get into the network and carry out attacks simply using known methods such as logging in with stolen credentials. Enhanced security measures such as multi-factor authentication or single sign-on technologies are necessary to ensure the cyber resilience of the organization and protect user data,"

noted Wendy Whitmore, vice president of IBM X-Force Threat Intelligence
File:Aquote2.png

IBM X-Force compiles its reports by analyzing more than 70 billion information security events every day in more than 130 countries around the world. Additional data sources are also used: X-Force IRIS, X-Force Red, IBM Managed Security Services and officially published breach reports. In addition, IBM X-Force specialists use thousands of spam traps around the world and track tens of millions of phishing and spam attacks daily, as well as analyzing billions of web pages and images to detect fraud or illegal use of brands, IBM noted.

IBM X-Force Research Data

Key findings presented in the report:

  • Sloppy configuration. IBM's analysis showed that of the more than 8.5 billion records reported hacked in 2019, 7 billion, that is, more than 85%, were associated with misconfigured cloud servers and other incorrectly configured systems. This is a striking change from 2018, when the corresponding figure did not exceed half of all hacked records.
  • Ransomware in the banking sector. According to the 2019 report, some of the most active banking Trojans, such as TrickBot, have increasingly been used as a staging ground for large-scale ransomware attacks. In fact, ransomware and the new code used by banking Trojans topped the ranking of malware considered in the report.
  • Phishing on trust. Technology companies, social networks and streaming services are among the ten brands that fraudsters most often impersonate for phishing. This change may suggest that people have come to trust technology providers more than the retail chains and financial firms that used to be impersonated. Among the largest brands used in fraudulent schemes are Google, YouTube and Apple.

The IBM X-Force report revealed global trends in ransomware attacks that hit both the public and private sectors. 2019 showed a significant increase in the activity of ransomware viruses - the IBM X-Force division has strengthened its specialized response service to support its customers from 13 different industries around the world, confirming once again that such attacks are not tied to the industry.

IBM X-Force Research Data

More than 100 government services in the United States were attacked by ransomware viruses last year. IBM X-Force specialists also noted large-scale attacks against retailers, production and transport companies - all of them, as you know, own large amounts of monetized data or rely on outdated technologies and, as a result, are at risk. In 80% of attacks, criminals exploited Windows Server Message Block vulnerabilities. The same tactic was used to spread the WannaCry virus, which hurt companies in 150 countries in 2017.

Ransomware attacks cost organizations more than $7.5 billion in 2019, and attackers are profiting from their victims with no plans to stop in 2020. An IBM report prepared in conjunction with Intezer states that new malicious code was seen in 45% of banking Trojans and 36% of ransomware families. This suggests that by writing new code, criminals continue working to evade detection.

IBM X-Force specialists noted a close connection between ransomware and banking Trojans: Trojans open the door to targeted and highly profitable ransomware attacks, which expands the ways ransomware can be deployed. For example, the most active financial malware, TrickBot, is suspected of having been used to deploy the Ryuk ransomware on corporate networks. Other banking Trojans, such as QakBot, GootKit and Dridex, are also developing in this direction.

IBM X-Force Research Data

The more users learn about phishing emails, the more targeted attacks become. Together with the non-profit organization Quad9, IBM specialists have identified an increasing trend in phishing: criminals impersonate large consumer technology brands (technology companies, social networks, streaming services) and fake links to their sites for phishing purposes.

Almost 6 out of 10 brands most commonly used by scammers belonged to Google and YouTube domains. Brands Apple (15%) and Amazon (12%) were also used by scammers to steal monetizable user data. According to IBM X-Force, these brands were chosen primarily because they have monetizable data.

Facebook, Instagram and Netflix were also among the top 10 most spoofed brands, but with a significantly lower share of usage. Perhaps the reason is that they usually do not hold data that can be directly monetized. Since scammers often rely on password reuse, and succeed, IBM X-Force experts believe that frequent reuse of the same passwords may be exactly what makes these brands a prime target. IBM's The Future of Identity study found that 41% of millennials surveyed reuse the same password many times, and Gen Z respondents have an average of just five different passwords, meaning the degree of reuse is very high.

IBM X-Force Research Data

It can be very difficult to distinguish a fake domain from a real one, and this is exactly what scammers exploit. The ten most commonly spoofed brands identified in the report, which account for an estimated 10 billion accounts in total, give criminals a wide field of activity. At such a scale, it is highly likely that an unsuspecting user will click on a fake link.

Other findings presented in the report:

  • Retail is climbing the ranking of targeted industries. Retail became the second most attacked industry in 2019. By a small margin in the number of attacks, the financial sector took first place on this list for the fourth year in a row. The Magecart attacks, which affected 80 online store sites in the summer of 2019, were among the most significant attacks on retail. The cybercriminals' goal was probably consumer personal data, payment card data and even valuable information from loyalty programs. Retailers have also been hit by a large number of ransomware attacks, according to IBM's security incident response division.
  • Increasing attacks on Industrial Control Systems (ICS) and Operational Technology (OT). In 2019, the number of attacks on OT systems increased 21 times compared to the previous year. This is an unprecedented number of attacks on ICS and OT in at least the last three years. The largest attacks exploited known vulnerabilities in SCADA and ICS hardware, combined with password spraying.
  • North America and Asia are the most attacked regions. In these regions, last year there was the largest number of attacks (more than 5 billion) and the most significant data leaks - more than 2 billion records.

IBM X-Force Research Data

The report used data collected by IBM in 2019 to analyze the global threat landscape and inform cybersecurity professionals about the dangers most relevant to an organization.

More than half of Russian companies worry about protecting personal data of employees and customers

On January 17, 2020, it became known that more than half of Russian companies are worried about the protection of personal data of employees and customers. This was reported by Eset following the results of its study. 90% of enterprises were affected by various types of cyber threats, and 60% of Russian IT managers are seriously concerned about the safety of personal data. Researchers attribute the trend to tougher legislation and increased liability for violations.

Most often, Russian business faces spam: this was noted by 65% of respondents in the Eset survey. Malware came second at 47%. 22% of respondents reported that their companies were victims of phishing attacks, 21% suffered from DDoS attacks and 35% from ransomware.

Protecting personal data is a concern for businesses

According to Eset, 54% of respondents are concerned about the security of contact databases, information about clients and partners, 55% believe that financial information needs special protection.

To ensure information security, companies mainly resort to antiviruses to protect workstations - 90% of organizations; 53% establish control over software updates; 45% monitor external media.

Eset found that 58% of respondents are satisfied with the level of security in their companies and believe that the measures taken are enough. 5% are thinking about increasing the budget for information security.

Ruslan Suleimanov, Director of the Information Technology Department of Eset Russia, believes that in 2020, the situation in the information security industry will not change much. Spam and phishing will remain the main ways malware penetrates the corporate network. The specialist expects an increase in the volume of IoT devices used as a possible vector of attacks on corporate infrastructure.

"Ending support for Windows 7 will play a role. Despite the risks, many Russian companies will continue to use the operating system at their workplaces. This will increase the risk of infection with new viruses, compromise and loss of corporate data," noted Ruslan Suleimanov, Director of the Information Technology Department at Eset Russia.

In addition, support for the Windows Server 2008 and Windows Server 2008 R2 server systems ended on January 14, 2020. They are used by many medium and small businesses. According to Ruslan Suleimanov, in 2020 the trend for powerful and frequent DDoS attacks on the corporate sector will remain relevant, as will the danger of deepfakes.

Elena Ageeva, a consultant at the Jet Infosystems Information Security Center, names social engineering, ransomware and cryptominer attacks, and personal data leaks among the threats that were relevant for Russian companies last year.

"We expect them to remain relevant in 2020 as well. In addition, the development of cloud technologies will continue to increase the number of attacks on cloud services. Attacks on supply chains will also be relevant, the essence of which is the compromise of companies through their contractors," noted Elena Ageeva, consultant at the Jet Infosystems Information Security Center.

In 2019, there was a noticeable increase in phishing attacks and in the spread of malware, including ransomware. According to InfoWatch, in Russia ordinary employees were and remain the main threat to the personal information of companies' clients: they account for more than 70% of the violations that led to leaks.

Andrei Arsentiev, head of analytics and special projects at InfoWatch, believes that phishing attacks will receive further development in 2020. With the development of artificial intelligence technologies, the risk of using deepfake methods to carry out attacks on companies, including with the aim of causing a serious blow to the reputation of the business, increases.

"To obtain personal data, external attackers will widely use attacks on the supply chain of software products," noted Andrei Arsentiev, Head of Analytics and Special Projects at InfoWatch.

Andrei Arsentiev also points out that the protection of personal information in Russia is gradually approaching Western practice. As a result, business is increasingly feeling the problems associated with leaks: regulators tighten liability, data loss affects customer loyalty, and many leaks lead to direct financial losses and hurt reputations.

According to a study by Kaspersky Lab, Russian companies are indeed very concerned about the need to prevent data leaks, as well as protect the infrastructure from targeted attacks. In 2019, organizations faced malware infections of corporate (43%) and BYOD devices (37%), as well as the problem of employees losing their devices (33%). In 2020, companies plan to begin training employees on cybersecurity rules, implement services to respond to cyber incidents and protect against targeted attacks. The fact that such solutions are used in organizations was reported by almost a third of respondents.

According to Dmitry Stetsenko, head of the Kaspersky Lab system architects group, attacks through supply chains and BEC (Business Email Compromise) are gaining more and more popularity. After infecting a system, attackers prefer to use legitimate IT tools to develop the attack, which further complicates data protection.

According to the Positive Technologies report, one of the key trends in the cybersecurity market in 2019 was data leaks, along with targeted attacks (APT attacks) and the search for hardware vulnerabilities.

"News of the leaks in 2019 has become particularly loud. This is also due to a change in the approaches of attackers. Cybercriminals have begun to combine the data collected over the past years into a single array for trading in the shadow market with more complete digital dossiers. Phishing was used in the segment of financial organizations in 74% of attacks and malware in 80% of attacks; phishing was used in the segment of industrial companies in 83% of attacks and infected software in 89% of attacks; phishing was used in the segment of government organizations in 49% of attacks, and malware in 63%."

In his opinion, from the point of view of compromise techniques in 2019, attackers most often used phishing and malware.

Cyberattacks aimed at stealing information dominate other hacks. According to Positive Technologies, in the third quarter of 2019, 61% of cyberattacks were aimed precisely at data theft. In every fourth cyberattack, personal data of the company's employees or customers is stolen. This trend was already noted in the first half of 2019: for example, in the second quarter, personal data was leaked in 29% of cyberattacks on organizations.

"In 2020, business will remain in the zone of increased risk of both mass cyber campaigns and targeted attacks by groups. Hackers will have to resort not only to sophisticated phishing and the creation of more advanced malware samples, but also to hacking less secure companies affiliated with the organizations targeted by attackers. Attacks aimed at stealing information will prevail over attacks aimed at direct financial theft. Moreover, as he suggests, targeted attacks will prevail over mass ones. This is due to the fact that organizations from any industry try to protect themselves as much as possible from financial losses and think over such risks in the first place. And an incident with data theft may go completely unnoticed for a long time, especially if the company does not provide constant monitoring of information security events and investigation of cyber incidents[8]," noted Evgeny Gnedin, Head of Analytics at Positive Technologies.

Analysis of "high-profile" incidents in the field of information security in 2019

2019 was rich in incidents. There were many cases of improper storage of information and late elimination of critical vulnerabilities that led to major data leaks, as well as many attacks on financial institutions, retail and Internet of Things devices. Several dangerous attacks were carried out on industrial enterprises. The article describes the largest and most interesting attacks, loosely grouped by the key gap in the defense system that was exploited or by the key action taken by the attacker.

Cybersecurity budgets up 20%, but companies don't have time to spend them

On December 19, 2019, Positive Technologies reported that in Russia in 2019 planned cybersecurity budgets increased by an average of 20%, but companies did not have time to spend them. The reason is the need to go through lengthy competitive procurement procedures: companies simply do not have time to purchase the protection tools they need. In addition, Positive Technologies experts note that the top management of domestic companies has formed a demand for practical information security. However, companies that set themselves the goal of really protecting themselves in cyberspace face a total shortage of personnel with a sufficient level of knowledge and skills. Specialists with several competencies are increasingly in demand, for example, those combining cybersecurity knowledge with expertise in industrial control systems (ICS) or data science. Business is aware of the lack of such specialists on its staff and turns to outsourcing and outstaffing, and in some cases is even forced to train such personnel itself.

Positive Technologies: Companies do not have time to spend budgets on information security and face a shortage of personnel

Among the key trends that formed in 2019, Positive Technologies experts noted the following:

  • Secure development is in trend. For manufacturers of financial software, mandatory vulnerability analysis is becoming a competitive advantage. Many developers of banking software report concluding contracts with leading information security companies for source code analysis. Positive Technologies expects that over the next two to three years, building a provable secure development lifecycle will become mainstream for banking software manufacturers.
  • The advantage is on the side of intruders. The balance of power between criminals and defenders is not in favor of the latter. For example, up to three years can pass between the first use of a new hacking technique and the introduction of protection tools against it. And if we compare the speed of exploitation of new vulnerabilities with the speed of releasing fixes, victory is almost always on the side of attackers, who sometimes adapt new exploits for their attacks within 24 hours.
  • The public sector is under attack. Government agencies around the world are in the crosshairs of sophisticated targeted attacks. According to Positive Technologies, 68% of the APT groups investigated by the Positive Technologies security expert center (PT ESC) attack government agencies. In 2019, PT ESC experts identified the Calypso group, which specializes specifically in attacks on government agencies in different countries. The use of only basic security tools, employees' lack of information security literacy, and the public availability of information about government procurement of protective software all play into the hands of cybercriminals.
  • Mass attacks on the financial sector are losing their meaning. The total number of attacks on financial institutions has decreased. This can be explained by a significant decrease in the proportion of mass attacks on such institutions. Most banks, especially large ones, are ready to effectively repel a mass attack (for example, a ransomware mailing), and hackers have focused on other, less secure industries. At the same time, the number of targeted attacks remains at the same level. Experts also note an increase in the number of fraudulent contactless payment transactions: this is mainly due to operations below the CVM (Cardholder Verification Method) limits, for which the user does not need to enter a PIN to confirm the transaction.
  • Criminals combine leaks of different years and sell them in bulk on the shadow market. Moreover, the attackers who sell such full digital dossiers do not need to be hackers at all; it is enough to correctly compile information from the history of a particular company's leaks. Such incidents primarily affect the reputation of the company that leaked the data.
  • Hardware vulnerabilities force business to change its threat model. The last two years have shown only the tip of the iceberg of hardware vulnerabilities; their search has become a real trend among researchers, who are moving to ever lower levels, looking for (and finding!) vulnerabilities at the level of the PCB and of hardware logic elements. Large companies recognize the scale of the problem by including such vulnerabilities in their threat model and, in particular, by investing in the development of protection tools and in personnel training.

Among the possible negative scenarios of 2020, Positive Technologies experts note:

  • Cyber sales service schemes will evolve. Thus, the access as a service scheme can gain great popularity, in which attackers who break into company infrastructures sell or lease such access to other participants in the shadow market.
  • Industrial cyber espionage will continue. Attacks to spy on the industrial and fuel and energy sectors could be a continuation of those attacks that were successfully carried out earlier. At the same time, companies will learn to identify them. This will be facilitated not only by the regulators' requirements for the protection of critical information infrastructure (CII), but also by the management of industrial and energy companies realizing the need to build a truly effective information security system.
  • The US elections may be at risk. As a study of smart ballot boxes has shown, such systems are extremely poorly protected and can be easily hacked by cybercriminals. On the eve of the presidential elections in the United States, we should also expect resonant cyber attacks that will be aimed at defacing the websites of political parties and presidential candidates. In addition, attempts to influence public opinion through social networks can be expected, according to Positive Technologies.
  • The introduction of 5G networks promises new risks for operators. In the modern world, in any network, an attacker can disable elements of a smart home or industrial IoT. With the spread of 5G networks and the development of the Internet of Things, the scale of the threat will increase, connected cars or life support systems of the city may become victims of a cyber attack. As long as real 5G networks are built on the basis of networks of past generations, all the shortcomings of their protection will be relevant for 5G subscribers.
  • The number of attacks on users of Internet resources will increase. The rapid growth of the e-commerce market will provoke hackers to new sophisticated attacks on individuals using web vulnerabilities, including those caused by code development errors, which in 2019 accounted for 82% of the total share of web application vulnerabilities.
  • There will be more news about leaks. Cases of sales of user data will become more frequent - not only stolen, but also compiled from previous leaks. Positive Technologies suggests that database leaks will be increasingly covered in the media.
  • Hackers will focus on attacks on mobile financial applications. Most likely, criminals will be interested in vulnerabilities related to the disclosure of information about users, in connection with which news about leaked personal and bank card data can be expected.

75% of information security specialists believe that their company is not sufficiently protected

On November 11, 2019, SearchInform presented the results of a survey of representatives of information security services about the main information security threats and how to increase the level of business security.

According to the survey, information security specialists consider fraud schemes the biggest threat to the company's internal security: 45% of respondents reported that kickbacks, side schemes and document fraud cause the most damage. In second place are data leaks; 19% of respondents rated this threat as severe. Industrial espionage, sabotage and the irrational use of working hours and resources by employees worry 14.5% of security professionals.

Data from the SearchInform study

At the same time, only 15% of security representatives say that the company has a sufficient level of security. The rest of the respondents believe that they lack "hands" - almost half of the respondents reported this. 22% said more advanced technical protections were needed. Another 15% admitted that the company lacks either "hands" or technical equipment.

Data from the SearchInform study

As for the provision of personnel, only 2% of respondents believe that there is no shortage of them in the information security market. 12% designate the situation as "acute personnel shortage," the majority - 79% - say that a specialist can be found, but it takes a lot of time.

Data from the SearchInform study

As a result, almost half of companies are forced to raise personnel on their own, and 15% poach specialists from competitors.

Data from the SearchInform study

53% believe that not all Russian companies are yet ready to hand this task to outside specialists. But more than a third of respondents believe that outsourcing information security would help improve the situation.

Data from the SearchInform study
"Two-thirds of those surveyed think their companies are not protected enough, and these figures seem to look daunting. But for the field of information security, it is normal and correct to proceed from pessimistic assessments of the situation, because this allows us to provide truly effective protection measures. The requirements for measures to ensure information security and the role of a specialist are increasing. But against the background of these assessments, it looks alarming that information security services are actually underfunded. Only 2% of respondents do not experience a personnel shortage, and more than 36% need additional technical tools. At the same time, the attitude towards outsourcing as an alternative solution to the problem remains skeptical. Although the situation is changing: 2-3 years ago, information security specialists were sure that the analysis of internal processes was categorically contraindicated to hand over to outside staff. Over time, examples of successful practices have accumulated, and outsourcing is becoming more widespread," noted Georgy Minasyan, Director of Security at SearchInform.

The weak link in endpoint protection is personnel

Security Code conducted an analytical study on endpoint protection, identifying existing problems and solutions. Experts have identified current attack vectors, the most dangerous consequences of incidents for different industries, as well as the prevalence of various types of protective equipment. The results of the study showed that the most relevant are attacks related to personnel actions. This was reported on October 21, 2019 by the Security Code company.

To assess the specifics of ensuring information security at endpoints, Security Code analysts interviewed 220 specialists from the information security departments of organizations in 10 industries, including the public sector, healthcare, IT and telecom, education, industry, transport, the fuel and energy complex, services, trade, culture and finance.

Digitalization of the Russian economy is one of the main trends in the development of information technologies. Artificial intelligence, machine vision and learning, the Internet of Things, virtual and augmented reality, cloud solutions are being introduced everywhere. At the same time, digitalization brings new reasons for concern: the number of attack vectors inevitably increases. According to the Corporate Network Protection study, almost half of respondents believe that the greatest danger is an attack on workstations. Security Code analysts have identified the most relevant attack vectors in 2019.

Security Code study data

As the respondents noted, one of the biggest threats to the IT infrastructure is the company's own staff. To reduce the risk, it is necessary to take measures of an organizational nature (separation of duties, the principle of least privilege) and of an educational nature (training in the basics of digital hygiene, regular testing and knowledge checks).

The high relevance of attacks exploiting vulnerabilities in the operating system and application software is caused by the growth of the IT infrastructure and ineffective internal vulnerability management processes. To meet these challenges, you need to fine-tune the process of prioritizing updates and invest in security monitoring and in timely adaptation of the security tools' policies.

Every fifth respondent noted the relevance of attacks using implants (backdoors planted in hardware or software). Most of the measures that help deal with this type of attack lie in the area of supplier management and supply chain management. Special checks and special investigations of critical elements of the IT infrastructure may also be advisable.

The consequences of any attacks and, accordingly, the priority when allocating resources for certain information security tasks vary significantly depending on the industry. Security Code experts identified the most relevant types of consequences: fines for regulators, stopping business processes, theft of money, reputational damage, etc.

Regulators' fines are most feared by organizations under strict regulation: state-owned companies (62%), healthcare organizations (62%), educational (41%) and financial organizations (40%). Many industries consider the stoppage of business processes the most unpleasant consequence of information security threats. Reputational damage was rated as the most important consequence by the transport industry (81%), IT and telecom companies (79%), educational organizations (65%) and the financial sector (60%). Banks and other financial companies noted increased concern about the consequences of theft of funds.

Information security can only be ensured with comprehensive protection measures, an important part of which is technical tools. In turn, a large "fleet" of security tools can create difficulties for the company's IT infrastructure, the researchers say.

Security Code study data

The main pain point for users of endpoint protection tools was a decrease in system performance; 66% of respondents noted it. In second place, market participants put conflicts between the various security tools installed on a system (64%). And 49% of information security specialists named conflicts between the security tools in operation and application software as the key inconvenience.

The state continues to actively stimulate the transition of Russian organizations to domestic solutions. In the process of import substitution of the IT infrastructure, a group of leaders with the most mature offerings has emerged: among operating systems, RusBITech and BASEALT; among telecommunication equipment, Eltex. The level of readiness to switch to Russian products is gradually growing.

Security Code study data

Since 2018, the number of Russian organizations planning to use domestic solutions has increased by 12%. They plan to replace the following IT elements: personal computers (21%), servers (17%), network equipment (16%), storage systems (7%) and tablets (4%). Two-thirds of the survey participants noted that they do not plan to change anything.

Segmentation, that is, grouping computers into separate groups according to some characteristic, is carried out to increase the availability of the necessary data to authorized employees and to limit the availability of data to unauthorized employees. Most Russian companies (68%) realize the importance of a segmented internal network for preventing attacks on critical system resources.

Security Code study data

The majority of respondents (79%) prefer hardware types of solutions. Software tools that allow segmentation at lower budgets in virtual infrastructures, as well as in networks of complex topology, are used by 17% of respondents. The main reason companies do not use network segmentation solutions is the lack of funding; in second place is the lack of specialists to operate segmentation tools.

As the threat landscape evolves and corporate information security requirements increase, more and more security tools appear on the market.

Security Code study data

According to the survey results, the researchers identified two large groups of security tools in use: priority and additional. The priority group includes firewalls (86%), antivirus (82%), intrusion detection systems (67%) and protection against unauthorized access (65%). The second group consists of additional protection tools used against specific information security risks. These include leak protection systems (DLP, 35%), security information and event management systems (SIEM, 30%), sandboxes (20%), web application firewalls (WAF, 14%), deep packet inspection systems (DPI, 10%) and endpoint detection and response systems (EDR, 6%).

Security Code believes that an effective endpoint protection strategy should include a number of measures that can be conditionally divided into organizational and technical.

Technical measures include:

  • Implement a combination of anti-malware protection and protection against unauthorized access. At the selection stage, preference should be given to compatible and easy-to-configure security tools. For workstations, priority should be given to protection against malicious code. For servers, in turn, a closed-loop approach is more suitable, where the security tool prevents the launch of any unauthorized code and provides deep integrity control of files, processes and OS drivers.
  • Internal network segmentation. It limits the attacker's lateral movement if he nevertheless gains unauthorized access to endpoints within the network. Segmentation can be implemented both in hardware (a firewall) and by a software module built into the unauthorized-access protection tool.

Organizational measures include:

  • Risk-based vulnerability management. An organization should not only maintain a list of discovered vulnerabilities, it should implement the practice of assessing the danger of vulnerability to its infrastructure.
  • User training. A combination of measures from face-to-face and remote learning, regular verification of users' knowledge and testing of their vigilance using special tools that emulate phishing is needed.
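The risk-based vulnerability management called for above (prioritizing updates by the danger a vulnerability poses to one's own infrastructure rather than by raw severity), as an added example that is not Security Code's or the page's own code; the hosts, finding ids and weighting multipliers are constructed assumptions, not a standard:

```python
# Added example (not any vendor's tooling): rank scanner findings by contextual
# risk instead of CVSS alone. Assets, findings and multipliers are constructed
# for illustration; the weighting is a hypothetical policy, not a standard.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    internet_facing: bool   # reachable from the external perimeter
    criticality: int        # 1 (low) .. 5 (business critical), from the inventory


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # constructed id; a real feed would carry a CVE
    host: str
    cvss_base: float
    exploit_public: bool    # a working public exploit is known to exist
    patch_available: bool


@dataclass(frozen=True)
class Decision:
    vuln_id: str
    host: str
    score: float
    action: str


# Conservative fallback for a host missing from the inventory: treat it as
# exposed and critical, so inventory gaps surface at the top of the list.
UNKNOWN_ASSET = Asset(host="?", internet_facing=True, criticality=5)

PATCH_NOW = "patch now"
NEXT_WINDOW = "next maintenance window"
BACKLOG = "backlog"
MITIGATE = "no patch: mitigate (segment, restrict access, monitor)"


def risk_score(finding: Finding, asset: Asset) -> float:
    """Scale the CVSS base score by the infrastructure context of the host."""
    score = finding.cvss_base
    if asset.internet_facing:
        score *= 1.5                               # reachable from outside
    if finding.exploit_public:
        score *= 1.3                               # attackers already have a tool
    score *= 1 + (asset.criticality - 1) * 0.25    # crit 1 -> x1.0, crit 5 -> x2.0
    return round(score, 1)


def decide(finding: Finding, asset: Asset) -> Decision:
    """Map a contextual score to a remediation action."""
    score = risk_score(finding, asset)
    if not finding.patch_available:
        action = MITIGATE          # nothing to schedule; reduce exposure instead
    elif score >= 20:
        action = PATCH_NOW
    elif score >= 10:
        action = NEXT_WINDOW
    else:
        action = BACKLOG
    return Decision(finding.vuln_id, finding.host, score, action)


def prioritize(findings: list, assets: dict) -> list:
    """Return decisions ordered from highest to lowest contextual risk."""
    decisions = [decide(f, assets.get(f.host, UNKNOWN_ASSET)) for f in findings]
    return sorted(decisions, key=lambda d: d.score, reverse=True)


# Constructed sample inventory and scanner output.
ASSETS = {
    "web-01": Asset("web-01", internet_facing=True, criticality=4),
    "hr-db-01": Asset("hr-db-01", internet_facing=False, criticality=5),
    "kiosk-07": Asset("kiosk-07", internet_facing=False, criticality=1),
}
FINDINGS = [
    Finding("VULN-A", "kiosk-07", 9.8, exploit_public=True, patch_available=True),
    Finding("VULN-B", "web-01", 7.5, exploit_public=True, patch_available=True),
    Finding("VULN-C", "hr-db-01", 6.5, exploit_public=False, patch_available=False),
    Finding("VULN-D", "web-01", 4.3, exploit_public=False, patch_available=True),
]

if __name__ == "__main__":
    # The CVSS 9.8 finding on the low-value kiosk ends up below a CVSS 6.5
    # finding on the business-critical HR database.
    for d in prioritize(FINDINGS, ASSETS):
        print(f"{d.vuln_id:8} {d.host:10} {d.score:5} {d.action}")
```

The same function can be fed a real scanner export and asset inventory; the point is that the sort order is driven by exposure, exploit availability and asset criticality, not by severity alone.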

Key threats to business information security

On September 20, 2019, Accenture presented the results of a study in which it identified the main threats to business information security in 2019.

Accenture estimates that the cybersecurity services market is growing at a pace similar to Digital and IT markets. Accenture predicts that by 2021 the volume of the global information security market will increase by 66% and amount to $202 billion. At the same time, the total global damage from cyber attacks could grow by 39% to $2.1 billion by 2021.

In a global report, Accenture cites major trends in business cybersecurity in 2019.

The first trend is related to misinformation. The authors of the report note that, following political disinformation aimed at influencing public opinion, economic disinformation is increasingly gaining momentum. The financial sphere, and in particular high-frequency trading based on algorithms that rely on fast text sources of information, will be subjected to large-scale attacks in the future.

According to Andrei Tymoshenko, Accenture Information Security Manager in Russia, the development of machine learning, artificial intelligence (AI) methods and the introduction of 5G-based communication networks will provide ample opportunities for the production and spread of disinformation.

"One example of AI application is the creation of high quality fake images or videos that can be used to discredit and blackmail a political opponent, a rival company, or create mass panic. 5G technology also poses serious risks - controlling 5G infrastructure hardware and software could allow a small group of companies or attackers to conduct information operations by faking or spreading misinformation to large groups of 5G users," noted Andrei Tymoshenko.

The second trend is the unification of cybercriminals into syndicates and the sharing of advanced tools that automate the process of mass production and distribution of malicious software, spam and applications for sending malware using modern technologies such as clouds, big data, AI. With syndicates working together, the boundaries between threat groups become even more blurred, making identifying a cybercriminal agent even more difficult.

In addition to infecting organizations with ransomware through large-scale spam campaigns, attackers are increasingly introducing it directly into corporate networks, buying remote access to compromised servers and marketplace-based software in underground hacker communities. This means that "cybercriminals will continue to change their tactics to reduce the risks of detection and failure," the report said.

"The use of machine learning and artificial intelligence methods in phishing attacks will allow cybercriminals to increase their effectiveness and lead to an even more massive spread of ransomware viruses, which can become the main weapon in cyber wars," noted Andrei Tymoshenko.

Another trend is the vulnerability of ecosystems. Modern business depends on the interconnection of system elements, and those connections increase a company's exposure to risk. Threats that appear along these chains turn the company's friends, partners and customers into a source of danger. "Organizations can try to improve protection through the sharing of information about cyber threats, by including information security verification and testing of suppliers and partners, and by implementing industry safety rules and risk management standards," the report said.

According to Andrei Tymoshenko, there are groups of companies in Russia that were formed as a result of mergers and acquisitions of organizations with different levels of IT development and different levels of security.

"An important task for groups of companies and ecosystems is to bring the protection system to a common denominator. One of the options for solving it may be to centralize the security system using cloud technologies," noted Andrei Tymoshenko.

According to the authors of the study, companies should look at the issue of cybersecurity comprehensively and take into account the weaknesses and vulnerabilities of partners and third parties in their cyber strategies. They must learn how to create security centers by adapting the approaches they apply to the latest requirements.

"The trends indicated in the study in global security threats apply to Russia, possibly on a smaller scale due to the size of the economy. But Russia is part of the global IT world, uses foreign IT platforms with their advantages and vulnerabilities and cannot isolate itself," noted Andrei Tymoshenko.

According to him, computer incidents of the last two to three years have also affected Russian companies, which motivates owners and management to invest in sustainable and safe development. At the same time, there is a shortage of qualified information security specialists within companies, and the security sector is so extensive that it requires various, not always easily compatible competencies. In this regard, many turn to external security providers.

75% of companies are unsure about the effectiveness of their cybersecurity system

On July 16, 2019, it became known that only a quarter (25%) of leading companies in the EMEA region (Europe, Middle East, Africa) are confident in the reliability of their information security system. This data was obtained by VMware as part of a joint study with Forbes Insights.

Nearly three-quarters (70%) of Russian market leaders and information security specialists believe that the solutions their organization uses to protect its systems are outdated. At the same time, 42% of respondents note that in 2018 their company acquired newer tools aimed at combating potential threats, and 75% plan to increase spending on attack detection and identification. 20% of the study participants reported that their organization already uses 26 or more security solutions.

Just 13% of IT professionals say it takes less than one week to resolve cybersecurity-related issues. In today's world, where data processing is done in real time, the number of Internet users increases by more than a million people every day, and most of the operations go through applications in seconds, such a slow response poses a serious danger.

Particularly telling is that many companies face a productivity paradox: information security spending is rising while effectiveness is not. Thus, in Russia, 96% of respondents plan to introduce new information security solutions within the next three years.

The study, which involved 650 companies in Europe, the Middle East and Africa, revealed a dangerous trend: enterprises use slow and ineffective methods to combat the latest cyber threats. At the same time, according to the European Union, the scale of the economic consequences of cybercrime increased fivefold compared to 2013.

The current approach to security has led organizations to increasingly see themselves as unprotected in the face of cyber threats. Only a quarter (26.6%) of respondents said they were fully confident in the reliability of their cloud deployments. And only 23.3% of respondents are confident in the readiness of their employees to solve security problems.

Company leaders and their security teams have very different views of progress and collaboration in the fight against cyber threats. Only 36% of IT professionals believe that senior managers in their enterprises are responsive and actively involved in solving such problems. At the same time, 27% of executives say they pay significant attention to joint work on security, whereas only 16% of the information security professionals surveyed agree with that statement.

2018

Positive Technologies: Every second company in the regions of the Russian Federation has undergone a successful cyber attack

Positive Technologies specialists on December 26, 2018 published the results of a survey conducted among 192 Russian companies from various regions. 87% of survey participants admitted that the protection measures used in their organizations are not enough, and 27% of organizations note that management does not allocate the necessary funds for cybersecurity.

The study found that one in two of the respondent companies surveyed were subjected to successful cyber attacks. Among them - 43% of enterprises in the power sector. Experts note that the true state of affairs may be even worse, since 30% of energy respondents admitted that there is no practice of identifying incidents in their companies.

Although most companies that took part in the survey have an information security division, only 30% of companies conduct regular penetration tests of their corporate infrastructure, and three quarters of those are financial institutions.

According to the survey, 16% of organizations turned to third-party specialists to investigate incidents; in most of them the information security budget exceeds 10 million rubles. Only 6% of the respondent companies have their own SOC (security operations center).

Companies try to compensate for the lack of integrated protection systems by deploying antivirus software and firewalls, which are used in almost all of the organizations surveyed. According to the survey, more than a third of respondents were unable to repel malware attacks and prevent infection of their resources despite using antivirus software. 57% of companies consider the lack or ineffectiveness of protective tools to be the reason for the success of cyber attacks.

According to the study, organizations most often faced attempts to infect employee workstations and servers with various malware (ransomware, miners, etc.): 60% of companies reported this. 57% of the surveyed companies faced phishing.

More than half of the respondents cited ignorance of staff in information security issues as a possible reason for the success of cyber attacks, and slightly fewer respondents noted unintentional actions of employees. At the same time, most of the companies do not see a threat in insiders - disloyal employees who disclose confidential information about their company or help to carry out attacks on it for money.

In addition, the survey showed that most organizations that disclose information about incidents that have occurred are limited to reporting to the regulator and do not report attacks to their customers and partners.

According to the analysis, 32% of survey participants suffered direct financial losses from cyber attacks. One in four companies suffered from infrastructure downtime, including 30% of industrial companies.

At the same time, most respondent companies are confident that they will be able to eliminate the consequences of a cyber attack within 24 hours - an assessment that experts tend to consider too optimistic: depending on the type of attack, downtime can last up to 10 days or more, Positive Technologies said in a statement.

"The results of the study show that the security of regional organizations in our country is at a low level," said Dmitry Sivokon, director of regional sales at Positive Technologies. "The majority of respondent companies (82%) were targeted by hackers in 2018. A third of respondents note direct financial losses from cyber attacks. Losses are especially acute against the background of modest budgeting in most surveyed organizations: investments in information security of every second company do not exceed 5 million rubles. In this regard, many use only basic protective equipment. In the context of a limited budget, we advise you to allocate the most valuable assets and ensure their comprehensive protection."

Dmitry Sivokon also noted that a person is still a weak link in the protection of information. In his opinion, business leaders need to instill in their employees a culture of information security. And of course, qualified personnel are needed, the shortage of which in the regions is felt many times more than in the Central Federal District. The lack of information protection specialists was noted by every fourth participant in the survey. If the company does not have a dedicated information security department, it is worth considering the possibility of delegating part of the tasks to third-party specialists with the appropriate licenses.

97% of companies are not ready for Fifth Generation cyber attacks

According to the 2018 Security Report prepared by Check Point Software Technologies, more than 300 mobile applications distributed through official app stores contain malicious code. Check Point also notes that the number of cloud threats, cryptominer attacks, and vulnerabilities in macOS and IoT devices continues to grow.

"We are seeing the next generation of cyber attacks: multi-vector, large-scale and rapidly spreading attacks of the Fifth Generation (Gen V)," said Peter Alexander, chief marketing officer of Check Point Software Technologies. "77% of information security directors expressed concern that organizations are not ready for such modern cyber attacks, and that the vast majority of company security infrastructures are hopelessly outdated."

For more information on the modern cyber threat landscape, Check Point surveyed 443 IT and information security professionals around the world about the challenges they face while fending off Fifth Generation attacks. The results of the study showed that the protection of most companies is 10 years behind and at least two generations behind modern Gen V cyberattacks. This suggests a global widespread vulnerability to Fifth Generation attacks.

"According to the 2018 Security Report, Gen V cyber attacks are becoming more frequent," said Doug Kahil, group leader and senior cybersecurity analyst at Enterprise Strategy Group. "Everyone is at risk: medical institutions, government services, large corporations, etc. 97% of companies do not have solutions that can withstand Gen V cyber attacks, and this needs to be changed."

According to Check Point, 2018 Security Report relies on data from numerous studies among Chief information officers and business leaders, as well as Check Point's Threat Cloud and Threat Intelligence Report. The study covers all modern threats directed at various industries such as health care, industry and government entities.

2017

PwC: Most Russian companies cannot withstand cyber attacks

Most Russian companies cannot successfully withstand cyber attacks, according to a study by the international consulting company PwC, released in November 2017.[9].

PwC believes companies should invest time and money in cybersecurity technology

Half of Russian respondents note that their companies do not have a common information security strategy, and 48% of companies do not have a training program aimed at increasing employee awareness of security issues.

In addition, 56% of companies admitted that they have not worked out the process of responding to cyber attacks. Only 19% of PwC study participants in Russia and 39% of respondents worldwide are fully confident in the ability to find hackers.

Among the main measures for detecting cyber risks, Russian survey participants named an assessment of cyber threats (50%), constant monitoring of the information security system (48%), an assessment of the level of vulnerability (44%) and a penetration test to check the protection system (40%).

Almost a quarter of Russian companies claim that the use of mobile devices has led to information security problems. This factor took second place after phishing attacks, which lead among the called threats.

"Cyber incidents occur every day, and the brand and reputation of a company that has become the target of a hacker attack is seriously damaged. Companies need to protect customer confidence by investing time and money in the implementation of appropriate systems and technologies aimed at ensuring cybersecurity," said Roman Chaplygin, head of PwC's information security services practice in Russia.

According to him, another effective tool in the fight against cybercrime can be the regular exchange of information between companies.

Real-world examples of IT insecurity in large companies

When conducting an information security audit, experts encounter many different vulnerabilities. Some of them still cause surprise, even though information security specialists long ago stopped having any illusions.

In October 2017, TAdviser received a review from experts that gives several particularly striking examples of how insecure the systems of large and wealthy commercial companies can be.

A caveat is needed here: all of these companies have a more than adequate understanding of the need to protect their internal resources, and they follow established best practices and the applicable information security standards.

However, meticulous manual testing of their internal systems revealed various architectural mistakes that gave potential attackers the widest possibilities for compromise. All the examples given are completely real; naturally, the names of the specific firms and organizations are not given.

Episode I: A large insurance company requests an audit of its internal systems. There are several of them: one system is responsible for data accounting, another for generating reports, a third supports operational activities, and so on.

In the course of the study, the experts found a number of vulnerabilities that allowed fraudulent actions bypassing the existing access control mechanisms and could cause considerable damage to the entire company's business.

For example, one of these architectural vulnerabilities made it possible to steal authorization tokens and use them to carry out a cross-site request forgery (CSRF) attack, even though these tokens exist precisely to protect against such attacks. The problem was that the old Java application, written in the previous decade, had no CSRF protection at all; the developers did not want to abandon the application entirely, so they integrated a ready-made third-party CSRF protection solution into it, but despite these changes the system remained quite vulnerable.

As a result, an attacker could either covertly create accounts with administrative privileges, or take over a large number of existing accounts and perform real operational activities from them.

In particular, it was possible to bypass the upper limit on insurance compensation: the amount was checked only on the client side, and the server accepted whatever values the client application sent. Many accounts could be under the attacker's control, and fraudulent actions could be carried out from any of them, or from several at once, which would significantly complicate the investigation of the incident.
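The two defects in Episode I, modelled in a minimal request handler as an added example (this is illustration code, not the insurance company's application or the third-party CSRF library it integrated). The first handler reproduces the pattern found in the audit: a token is accepted because it was issued at some point, so a token stolen from any session works in any other, and the compensation limit is taken from a flag the client computed. The hardened handler binds the token to the server-side session, rejects cross-origin requests, and enforces the limit from server-side configuration. The request and session objects are plain dicts, and the origin and the 25 000 limit are assumptions.

```python
"""Session-bound CSRF tokens and a server-side business limit (added illustration)."""
import hmac
import secrets

ALLOWED_ORIGIN = "https://claims.example.test"  # assumed origin of the claims application
MAX_COMPENSATION = 25_000                        # assumed policy ceiling, held server-side


def new_session():
    """Server-side session record; the CSRF token is generated once per session."""
    return {"id": secrets.token_hex(8), "csrf": secrets.token_urlsafe(32)}


# --- the pattern the audit found: a bolted-on check that only asks 'did we ever issue this token?'
ISSUED_TOKENS = set()


def vulnerable_set_compensation(request, session):
    if request.get("csrf") not in ISSUED_TOKENS:
        return 403, "bad csrf token"
    if not request.get("limit_ok", False):      # computed by client-side JavaScript
        return 400, "over limit"
    return 200, f"claim {request['claim']} set to {request['amount']}"


# --- hardened handler
def hardened_set_compensation(request, session):
    # 1. the token must match *this* session's token, compared in constant time
    token = request.get("csrf", "")
    if not isinstance(token, str) or not hmac.compare_digest(token, session["csrf"]):
        return 403, "csrf token does not belong to this session"
    # 2. a state-changing request must originate from our own application
    if request.get("headers", {}).get("Origin") != ALLOWED_ORIGIN:
        return 403, "cross-origin request rejected"
    # 3. the business rule is enforced here, from server-side configuration
    amount = request.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        return 400, "amount must be a positive integer"
    if amount > MAX_COMPENSATION:
        return 400, f"amount {amount} exceeds policy limit {MAX_COMPENSATION}"
    return 200, f"claim {request['claim']} set to {amount}"


def demo():
    """Replay a token taken from another session, then send a legitimate request."""
    victim, attacker = new_session(), new_session()
    ISSUED_TOKENS.update({victim["csrf"], attacker["csrf"]})
    forged = {"claim": "C-1", "amount": 1_000_000, "limit_ok": True,
              "csrf": attacker["csrf"],                       # valid token, wrong session
              "headers": {"Origin": "https://evil.example.test"}}
    legit = {"claim": "C-1", "amount": 12_000, "csrf": victim["csrf"],
             "headers": {"Origin": ALLOWED_ORIGIN}}
    return {
        "vulnerable_forged": vulnerable_set_compensation(forged, victim)[0],
        "hardened_forged": hardened_set_compensation(forged, victim)[0],
        "hardened_legit": hardened_set_compensation(legit, victim)[0],
        "hardened_over_limit": hardened_set_compensation({**legit, "amount": 1_000_000}, victim)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:<20} HTTP {status}")
```

The session binding is what a drop-in CSRF library cannot supply on its own if the application never stores per-session state for it; the Origin check is a second, independent control for the same attack. The limit check is deliberately written against a server-side constant so that nothing the client sends can widen it.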

Potentially, all this together could mean huge damage, and not only financial, but also reputational.

Episode II: A major service company providing services to Swiss telecoms is requesting a review of an internet application written for its employees.

This application turned out to be very problematic in itself. Vulnerabilities were predominantly typical; some of the shortcomings were related to the use of "default" settings, which had to be changed every time the application was deployed.

For example, by default, not only SCP (Secure Copy) functionality was available to users, but also shell access. It needed to be turned off, but this was not done.

However, in the process of further research, many problems were revealed with the configuration of servers, which provided attackers with the widest possible capabilities.

For example, there were no firewall settings on the server, which meant the ability to initiate any incoming and outgoing connections without restrictions; the port forwarding function was still active, and this is, in fact, an analogue of a VPN channel inside the network of the entire organization.

In general, if you had access to the account of an ordinary employee, an attacker could log in via SSH on one of the company's servers (while he also had the opportunity to raise his privileges to the level of a superuser) and develop an attack on the company's internal systems. With all that it implies.
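A check for the server-side findings of Episode II, as an added example (not code from the audited company or from OpenSSH): it parses an sshd_config, applies the OpenSSH compiled-in defaults for the few directives it knows, and reports TCP port forwarding left enabled (the "VPN into the network" noted above), tunnel and gateway options, root login, and whether a Match block confines file-transfer accounts to SFTP instead of a full shell. Only global directives and simple `Match Group` blocks are handled; the two sample configs and the group name `sftponly` are constructed for the example.

```python
"""Audit an sshd_config for forwarding and shell-access defaults (added illustration)."""

# OpenSSH compiled-in defaults for the directives this audit looks at
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return (global_directives, match_blocks); keys are lower-cased.

    As in sshd, the first occurrence of a directive wins within a scope.
    """
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "directives": {}}
            blocks.append(current)
        elif current is None:
            global_cfg.setdefault(key, value)
        else:
            current["directives"].setdefault(key, value)
    return global_cfg, blocks


def audit_sshd(text, transfer_group="sftponly"):
    """List of findings; an empty list means nothing this audit checks for was found."""
    cfg, blocks = parse_sshd_config(text)
    effective = {k: cfg.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if effective["allowtcpforwarding"] != "no":
        findings.append("AllowTcpForwarding is enabled: any SSH account can pivot into the internal network")
    if effective["permittunnel"] != "no":
        findings.append("PermitTunnel is enabled: layer-3 tunnels over SSH")
    if effective["gatewayports"] != "no":
        findings.append("GatewayPorts is enabled: forwarded ports reachable from outside")
    if effective["x11forwarding"] != "no":
        findings.append("X11Forwarding is enabled")
    if effective["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: direct root login with a password")
    confined = any(
        b["criteria"].lower() == f"group {transfer_group}"
        and b["directives"].get("forcecommand", "").lower().startswith("internal-sftp")
        for b in blocks
    )
    if not confined:
        findings.append(f"no 'Match Group {transfer_group}' with ForceCommand internal-sftp: file-transfer users get a shell")
    return findings


WEAK_CONFIG = """\
# constructed sample: deployed with vendor defaults left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED_CONFIG = """\
# constructed sample: forwarding off, transfer accounts confined to SFTP
Port 22
PermitRootLogin no
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
X11Forwarding no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(conf) or ["no findings"])
```

Two caveats a practitioner would add: the missing host firewall in Episode II is not visible in sshd_config at all and has to be checked separately on the host, and `ForceCommand internal-sftp` confines users to the SFTP protocol, so legacy SCP-protocol transfers, which need a shell, stop working by design.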

Episode III: A hypermarket chain requested testing of its loyalty program application. Like many other large retail chains, the client has its own loyalty program, with a mobile application as one of its main tools, and its own payment system. The infrastructure ran on the Azure cloud service, using the protection tools it offers.

As it turned out, the loyalty program had very serious vulnerabilities that allowed, in particular, user accounts to be compromised and the secret security codes used for payment authentication to be guessed.

A problem was also identified with the verification transactions performed when a user links a credit card to the loyalty program. Such transactions (for one euro cent) could be repeated many times, and the only limit on such withdrawals of funds was fraud monitoring on the cardholder's payment processing side. Where there are no anti-fraud controls, there is no limit on the number of such transactions.
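The two missing server-side controls from Episode III, as an added example (not the retailer's code): a card-linking verification charge is issued at most once per open verification and at most a few times per user per day, instead of on every request, and guesses at the security code are counted and locked out so the code cannot be found by brute force. Time is passed in as a plain number of seconds so the logic runs offline; the charge itself is a stand-in function, and all limits are assumptions.

```python
"""Server-side limits for card-linking charges and security-code guessing (added illustration)."""
import hmac

DAY = 24 * 3600


class LinkingGuard:
    def __init__(self, max_charges_per_day=3, max_code_attempts=5, lock_seconds=15 * 60):
        self.max_charges_per_day = max_charges_per_day   # assumed limits
        self.max_code_attempts = max_code_attempts
        self.lock_seconds = lock_seconds
        self._charges = {}    # user -> timestamps of verification charges
        self._pending = {}    # (user, card_fp) -> expected code for the open verification
        self._attempts = {}   # (user, card_fp) -> (failed guesses, locked_until)

    def request_verification(self, user, card_fp, now, issue_charge):
        """Issue the one-cent charge only if no verification is open and the daily cap allows."""
        key = (user, card_fp)
        if key in self._pending:
            return False, "verification already pending for this card"
        recent = [t for t in self._charges.get(user, []) if now - t < DAY]
        if len(recent) >= self.max_charges_per_day:
            return False, "daily verification limit reached"
        code = issue_charge(user, card_fp)     # performs the charge, returns the code to confirm
        self._charges[user] = recent + [now]
        self._pending[key] = str(code)
        return True, "verification charge issued"

    def confirm_code(self, user, card_fp, guess, now):
        """Compare in constant time; lock the card after too many wrong guesses."""
        key = (user, card_fp)
        failed, locked_until = self._attempts.get(key, (0, 0))
        if now < locked_until:
            return False, "locked"
        expected = self._pending.get(key)
        if expected is not None and hmac.compare_digest(expected, str(guess)):
            del self._pending[key]
            self._attempts.pop(key, None)
            return True, "card linked"
        failed += 1
        if failed >= self.max_code_attempts:
            self._attempts[key] = (0, now + self.lock_seconds)
            self._pending.pop(key, None)       # a fresh charge (and daily budget) is needed after a lockout
            return False, "too many attempts; locked"
        self._attempts[key] = (failed, 0)
        return False, "wrong code"


def demo():
    charges = []

    def fake_charge(user, card_fp):             # stands in for the payment provider call
        charges.append((user, card_fp))
        return "0042"                           # constructed code that the cardholder reads off the statement

    g = LinkingGuard()
    r = {}
    r["first"] = g.request_verification("alice", "card-1", 0, fake_charge)[0]
    r["repeat_pending"] = g.request_verification("alice", "card-1", 1, fake_charge)[0]
    outcomes = [g.confirm_code("alice", "card-1", "0001", 10 + i)[1] for i in range(6)]
    r["locked"] = outcomes[-1]                  # sixth guess is refused without comparing
    r["relink_after_lock"] = g.request_verification("alice", "card-1", 1000, fake_charge)[0]
    r["correct_code"] = g.confirm_code("alice", "card-1", "0042", 1001)[0]
    r["third_card"] = g.request_verification("alice", "card-2", 1100, fake_charge)[0]
    r["daily_cap"] = g.request_verification("alice", "card-3", 1200, fake_charge)[0]
    r["charges_issued"] = len(charges)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<18} {value}")
```

The daily cap is keyed on the user, not the card, so an attacker who controls an account cannot drain a victim's card by cycling card records, and the lockout discards the open verification so that a locked card cannot be guessed against again without spending part of the same budget.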

Exploiting this vulnerability could mean huge reputational damage to the retail network.

Episode IV: A major bank has commissioned an audit of its specialist investment management application.

The application is a "thick client," that is, a regular desktop application accessible via VPN. The application turned out to be full of vulnerabilities of various kinds, and some of them were absolutely critical, providing a huge "attack surface" for potential attackers.

For example, the application was published through Citrix XenApp application virtualization. Citrix products ship with fairly effective protections, and in this case they had been properly enabled.

However, during the security audit of the application it was possible to perform a so-called "breakout" from the protected environment and gain access to a server in the corresponding network segment, which in itself opens up huge opportunities for developing the attack.

Further audit of the application recovered the credentials to the Oracle database: the application communicated with the database directly, bypassing any application interface layer, an approach that cannot be called safe.

It's not hard to imagine what that might mean for a bank - an organisation that works with the personal data and money of many people and organisations. Successful exploitation of the identified vulnerabilities would mean huge financial, and, no less significant, reputational losses.

Conclusion

The question is not whether there are vulnerabilities in the infrastructure of a particular company. Critical or uncritical, but there will be vulnerabilities, and this is an objective given.

The question is how business owners and technicians themselves feel about this. Whether they are ready to consider this as a kind of "abstract given," that is, ignore and, as a result, risk both money and reputation for the sake of insignificant savings, or do what should be done - regularly audit their security, on their own or involving external experts.

"External audit is a much more productive approach, if only because third-party experts can devote maximum resources to the check," said Georgy Lagoda, CEO of SEQ (formerly SEC Consult Services), which conducted the described research. "So it's very unlikely they'll miss anything."

See also

Notes