IDC Forecasts Security Spending Will Reach $133.7B in 2022


Market research firm IDC forecasts that security spending on hardware, software, and services will reach $133.7 billion in 2022.

The security market should deliver a compound annual growth rate (CAGR) of 9.9 percent through 2022. By then, security spending will be 45 percent greater than the $92.1 billion forecast for 2018.

Security services will be both the largest ($40.2 billion in 2018) and the fastest growing category of worldwide security spending. Managed security services will be the largest segment within the services category, delivering nearly half of the category total in 2022.

Security software takes the second spot, with spending expected to total $34.4 billion in 2018. Endpoint security software will be the largest software segment throughout the forecast period. This will be followed by identity and access management software and security and vulnerability management software.

Hardware spending will be led by unified threat management solutions, followed by firewall and content management.

Banking Leads Other Industries in Security Spending

Banking will make the largest investment in security solutions, growing from $10.5 billion in 2018 to $16.0 billion in 2022. Security-related services, led by managed security services, will account for more than half of the industry’s spend throughout the forecast.

The second and third largest industries will be discrete manufacturing and federal/central government ($8.9 billion and $7.8 billion in 2018, respectively). They will follow a similar pattern with services representing roughly half of each industry’s total spending.

The industries that will see the fastest growth in security spending will be telecommunications (13.1 percent CAGR), state/local government (12.3 percent CAGR), and the resource industry (11.8 percent CAGR).

“Security remains an investment priority in every industry as companies seek to protect themselves from large-scale cyber attacks and to meet expanding regulatory requirements,” said IDC Customer Insights and Analysis Program Director Eileen Smith.

“While security services are an important part of this investment strategy, companies are also investing in the infrastructure and applications needed to meet the challenges of a steadily evolving threat environment,” she added.

The United States will be the largest market for security solutions with total spending of $39.3 billion this year. The United Kingdom will be the second largest geographic market in 2018 at $6.1 billion. Rounding out the top five are China ($5.6 billion), Japan ($5.1 billion), and Germany ($4.6 billion).

Study Finds $250B Economic Benefit from NIST Encryption Standard

The NIST Advanced Encryption Standard (AES) has had at least a $250 billion global economic impact over the past 20 years, a new report concluded.

AES specifies a block cipher that NIST approved for federal government use in 2001 as FIPS 197. It has since been widely adopted by private industry.

As a result, AES protects everything from classified data and bank transactions to online shopping and social media apps.

For the report, RM Advisory Services relied on a survey of encryption users and developers of encryption hardware or software.

Search for New Encryption Standard

In 1997, NIST launched its effort to identify a new standard encryption algorithm for the federal government. It recognized that the 20-year-old Data Encryption Standard (DES) was growing vulnerable in the face of advances in cryptanalysis and computing power.

Following an open international competition, in 2000 NIST announced its proposal for the replacement standard. Rijndael, an algorithm that was submitted by two cryptographers from Belgium, Vincent Rijmen and Joan Daemen, was selected.

The unclassified, publicly disclosed encryption algorithm used in the AES standard is available royalty free, worldwide. And it is used by the US government in its FIPS standard and voluntarily by private organizations worldwide.

The development process drew on the worldwide cryptography community. The AES program continues to create economic value as the standard's know-how is built into the communications networks and transaction systems that depend on it.

“AES has been tremendously successful at helping to establish trust in IT systems around the world,” said NIST’s Charles Romine. “We are pleased with how it has stood the test of time in its ability to provide security in a wide range of commercial products and public and private systems.”

DDoS Attacks Targeting Critical Infrastructure, Europol Warns

DDoS attacks are being used to target critical infrastructure, European law enforcement agency Europol warned in its 2018 Internet Organised Crime Threat Assessment report.

Last year, a DDoS attack crippled train networks in Sweden by targeting internet service providers. Another attack knocked out communications on the Finnish Åland Islands after a telecom provider was targeted.

Europol noted that DDoS attacks are becoming more accessible and involve low cost and low risk for attackers.

DDoS attackers are increasingly using botnets of infected IoT devices to carry out their attacks. The Mirai botnet in 2016 is just one example.

This week, the Department of Justice said the creators of the Mirai botnet cooperated with the FBI and were given five years’ probation.

Close to two-thirds of EU law enforcement reported cases of DDoS attacks last year. And one-third of those emphasized the growing number of cases.

More than one-third of organizations faced a DDoS attack last year, compared to 17 percent in 2016, according to ENISA. Other reports cited by Europol indicated that DDoS attacks accounted for around 70 percent of incidents that compromised network integrity.

DDoS-for-Hire Services on the Rise

One of the reasons for the increase in DDoS attacks is the use of booters or stressers. These are DDoS-for-hire services that provide access to botnets for a small fee. The use of these services is making it much easier for unskilled attackers to launch major DDoS attacks.

In April of this year, the operators of the largest DDoS marketplace were arrested as a result of Operation Power Off, an investigation led by the Dutch Police and the British National Crime Agency with support from Europol and a dozen other law enforcement agencies. The marketplace had more than 136,000 registered users and had been used to launch 4 million attacks. After it was taken down, DDoS attacks across Europe dropped by 60 percent, the report noted.

Malware Samples Targeting Internet of Things Devices Soar

There was a dramatic rise in malware samples targeting Internet of Things devices, according to a new report by Kaspersky Lab.

In fact, the security firm found three times as many malware samples in the first half of 2018 as in all of 2017. Last year, there were ten times more malware samples targeting Internet of Things devices than in 2016. “That doesn’t bode well for the years ahead,” the researchers observed.

Kaspersky Lab set up honeypots to catch attackers in the act and found that one of the most popular attack and infection vectors was cracking Telnet passwords.

Surprisingly, Brazil was the top country from which Telnet password attacks originated. Perennial favorite Russia only finished fourth, behind China and Japan. Better luck next time, Vlad.

Once the criminals crack the Telnet password, their favorite malware to download is Mirai.

For the first six months of 2018, the Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses. Malware was downloaded from 27,693 unique IP addresses.
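To show how figures like the ones above are derived from raw honeypot records, here is an added Python example; it is not Kaspersky's code or data. It parses constructed Telnet honeypot log lines and reports the attack count, the number of unique attacking IPs, the hosts malware was fetched from, and how many login attempts used credentials from the Mirai default list. The log line format is an assumption; the credential pairs are a few entries from the hard-coded list in the leaked Mirai source.

```python
"""Summarise Telnet honeypot activity: attack count, unique attacking IPs,
malware download hosts, and hits on the Mirai default credential list.
Constructed sample records; not Kaspersky's honeypot or data."""
from collections import Counter
import re

# Constructed honeypot records (not real captures). One line per login
# attempt; a successful login followed by a download carries a url= field.
SAMPLE_LOG = """\
2018-03-04T10:22:01Z src=203.0.113.7 user=root pass=xc3511 result=success url=http://198.51.100.9/bins/mirai.arm7
2018-03-04T10:22:03Z src=203.0.113.7 user=root pass=xc3511 result=success url=http://198.51.100.9/bins/mirai.arm7
2018-03-04T10:23:15Z src=203.0.113.8 user=admin pass=admin result=success url=http://198.51.100.9/bins/mirai.mips
2018-03-04T10:25:40Z src=192.0.2.44 user=root pass=correct-horse result=fail
2018-03-04T10:26:02Z src=192.0.2.44 user=root pass=vizxv result=fail
2018-03-04T10:26:05Z src=192.0.2.44 user=support pass=support result=success url=http://203.0.113.200/x86
2018-03-04T10:30:00Z src=198.51.100.77 user=ubnt pass=ubnt result=fail
"""

# A few entries from the hard-coded credential list in the leaked Mirai
# source; the full list is longer.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("support", "support"), ("ubnt", "ubnt"),
}

# Assumed log format (see SAMPLE_LOG); the url= field is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) "
    r"result=(?P<result>\w+)(?: url=(?P<url>\S+))?$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarise(log_text):
    events = list(parse(log_text))
    download_hosts = set()
    creds = Counter()
    for e in events:
        creds[(e["user"], e["pw"])] += 1
        if e["url"]:
            # Host part of the URL: the loader serving the binary need not be
            # the same machine that did the password guessing.
            download_hosts.add(e["url"].split("/")[2])
    return {
        "attacks": len(events),
        "unique_sources": len({e["src"] for e in events}),
        "download_hosts": sorted(download_hosts),
        "mirai_default_hits": sum(n for c, n in creds.items() if c in MIRAI_DEFAULTS),
        "top_credentials": creds.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real honeypot's output, the same aggregation separates scanning sources from the loader hosts that actually serve binaries, which is the more useful set to block or take down.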

Reaper Botnet Infects Internet of Things

An alternative to Telnet password cracking is the approach taken by the Reaper botnet, which by the end of 2017 had enrolled about two million Internet of Things devices. Instead of guessing Telnet passwords, it exploits known software vulnerabilities in the devices.

Infections spread faster this way, and the foothold is more durable: a device owner can change a password, but closing a software vulnerability depends on the vendor shipping a firmware fix and the owner applying it.

“Although this method is more difficult to implement, it found favor with many virus writers,” the researchers wrote.

Infected devices that attacked Kaspersky's honeypots included equipment from MikroTik, TP-Link, SonicWall, AVTech, Vigor, Ubiquiti, D-Link, Cisco, AirTies, Cyberoam, Hikvision, ZTE, and Miele.

“Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks,” the researchers concluded.

Critical Infrastructure Protection Firm Indegy Raises $18M in Financing Round


Critical infrastructure protection firm Indegy closed Aug. 28 on an $18 million Series B round of financing led by Liberty Technology Venture Capital, a subsidiary of Liberty Media.

Energy firm Centrica, O.G. Tech Ventures, and existing investors Shlomo Kramer, Magma Venture Partners, Vertex Ventures, and Aspect Ventures also participated in the financing round.

Centrica supplies energy and services to 25 million customers mainly in the UK, Ireland, and North America through British Gas, Direct Energy and Bord Gáis Energy. Centrica made the investment through its Innovations arm.

“With a growing customer portfolio that spans 35 countries, we’re working to bring businesses world-leading energy management solutions that will allow customers to take greater control of their energy,” said Christophe Defert, vice president of ventures for Centrica Innovations.

“In an increasingly connected world, we’re looking forward to working with Indegy as we explore ways to deploy distributed energy resources with the optimal security solution.”

Indegy will use the money to accelerate growth and expand market initiatives for its critical infrastructure protection suite of products, which protect systems used in manufacturing, energy, water, pharmaceuticals, and other critical infrastructures from cyberattacks.

“Recent reports by the DHS and FBI regarding attacks against critical infrastructures have created a greater sense of urgency among industrial organizations to shore up their defenses, and produced a major spike in new business for Indegy,” said Indegy CEO Barak Perelman.

“This capital infusion provides the financial resources required to scale up the company and capitalize on this market opportunity,” he added.

Scotto, Warwick Join Indegy

Furthermore, Indegy appointed two new executives to its management team. Joe Scotto joins as chief marketing officer, and Todd Warwick takes over as vice president of sales for the Americas.

Scotto joins Indegy from BAE Systems, where he served as vice president for Americas marketing. Previously, he held positions with KPMG, Avaya and Time Warner, where he led product and solutions marketing for their multichannel global SMB business.

Warwick joins Indegy from Imperva, where he served as AVP of sales. He has held sales management positions at Check Point Software and Alcatel-Lucent which was acquired by Nokia in 2016.

CVE Program Takes Heat from Republican Lawmakers

Republican leaders of the House Energy and Commerce Committee are calling for changes to the CVE program, which provides common identifiers for publicly known cybersecurity vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) program is sponsored by the Department of Homeland Security (DHS) and run by MITRE under contract.

The lawmakers want DHS to transition the CVE program from a contract-based funding model to a cost-neutral dedicated program, project, or activity line item in the department’s annual budget. In addition, they want DHS and MITRE to perform biennial reviews of the program’s stability and effectiveness.

CVE Is Critical Cyber Infrastructure

“The CVE program has become inextricably integrated with cybersecurity practices during its nearly 20-year existence. Yet the documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE’s status as critical cyber infrastructure,” wrote Energy and Commerce Committee Chairman Greg Walden (R-OR), Oversight and Investigations Subcommittee Chairman Gregg Harper (R-MS), Communications and Technology Subcommittee Chairman Marsha Blackburn (R-TN), and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-OH) in letters to DHS and MITRE.

“The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society,” the lawmakers noted.

“The Committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the Committee’s initial request. However, many of these reforms target symptoms that stem from what the Committee considers to be underlying root-causes – the contract-based nature of the program and the lack of oversight – which have yet to be addressed. For DHS and MITRE to address these deep-seated issues, they will have to make significant changes to the very foundation of the CVE program.”

The committee gave DHS and MITRE until September 10 to respond to the lawmakers’ recommended changes.

Worldwide Information Security Spending to Exceed $124B in 2019, Says Gartner

Gartner forecasts that worldwide information security spending will top $124 billion in 2019, an 8.7 percent increase from the $114 billion forecast for this year.

The top drivers are security risks, business needs, industry changes, and privacy concerns. Privacy concerns alone will drive at least 10 percent of market demand for information security services through 2019, affecting identity and access management, identity governance and administration, and data loss prevention in particular, according to Gartner.

“Security leaders are striving to help their organizations securely use technology platforms to become more competitive and drive growth for the business,” said Gartner Research Director Siddharth Deshpande. “Persisting skills shortages and regulatory changes like the EU’s General Data Protection Regulation [GDPR] are driving continued growth in the security services market.”

Deshpande said publicized data breaches reinforce the need to view sensitive data and IT systems as critical infrastructure.

Therefore, “security and risk management has to be a critical part of any digital business initiative,” he said.

A focus on building detection and response capabilities, privacy regulations, and the need to address digital business risks are the main drivers for information security spending.

Key IT Security Trends

Gartner has identified a number of key trends affecting information security spending in 2018-2019:

1) At least 30 percent of organizations will spend money on GDPR-related consulting and implementation services through 2019.

Organizations are continuing their journey toward compliance with the GDPR. Implementing, assessing, and auditing the business processes related to the GDPR will be the focus of security service spending for EU-based organizations and for those whose customers and employees reside there.

2) Risk management and privacy concerns within digital transformation initiatives will drive additional security service spending through 2020 for more than 40 percent of organizations.

Consulting and implementation service providers have retooled their service offerings over several years to support customers on their digital transformation journey. Security is a key factor in the uptake of that transformation process for regulated data, critical operations, and intellectual property protection spanning public cloud, SaaS and the use of IoT devices.

3) Services (subscription and managed) will represent at least 50 percent of security software delivery by 2020.

Security-as-a-service is on the way to surpassing on-premises deployments. And hybrid deployments are enticing buyers. Respondents to Gartner’s security buying behavior survey said they plan to deploy security technologies in a hybrid deployment model in the next two years. Managed services represented roughly 24 percent of deployments.

“On-premises deployments are still the most popular, but cloud-delivered security is becoming the preferred delivery model,” said Deshpande.

Smart Irrigation System Botnets Threaten Public Water Supply


Smart irrigation system vulnerabilities could pose risks to the public water supply, warned researchers from Israel-based Ben-Gurion University of the Negev.

The researchers found that attackers could employ a botnet of smart irrigation systems used by city and local governments to remotely turn watering systems on and off at will. This would enable attackers to empty public water supplies held in towers and reservoirs.

The researchers demonstrated how a bot running on a compromised device can detect a smart irrigation system connected to its local area network in less than 15 minutes. The bot can turn on watering of each smart irrigation system using a set of session hijacking and replay attacks.

“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty a flood water reservoir overnight,” said Ben Nassi, one of the researchers who conducted the study.

The researchers examined three popular smart irrigation systems: GreenIQ, BlueSpray, and RainMachine. “We have notified the companies to alert them of the security gaps so they can upgrade their smart irrigation systems’ firmware,” said Nassi.

“Although the current generation of IoT devices is being used to regulate water and electricity obtained from critical infrastructures, such as the smart-grid and urban water services, they contain serious security vulnerabilities and will soon become primary targets for attackers,” he added.

Countermeasures to Stop Attacks

For countermeasures, organizations running these smart irrigation systems should consider monitoring for unusual water consumption in the urban water service and halting distribution when it is detected. That cuts water to everyone downstream, so it is a stop-gap rather than a long-term fix.

Vendors can move the devices’ communications from HTTP to HTTPS. With the session encrypted and authenticated, an attacker on the local network can no longer read session data or inject spoofed packets into the connection.

Vendors can also disable SSH on the device, since it is not needed when a cloud service mediates communication with the smart irrigation system. That removes the path by which an attacker who guesses a weak password gains code execution on the controller, the researchers concluded.
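The following is an added toy model of the session hijacking and replay attack described above and of one defence against it; it is not the researchers' code or any vendor's protocol. A bot on the LAN fingerprints a controller by its HTTP banner, captures one legitimate "start" command from the plaintext session, and resends it after the owner has stopped watering; it can also reuse the captured session token with a command of its own. The same controller with replay protection rejects both. The LAN inventory, banner, message format and password-derived key are constructed assumptions. The researchers' own remedy is HTTPS, which cannot be shown offline; the per-command nonce and MAC here is a separate generic replay defence that the article does not describe, shown because it can be exercised in a few lines.

```python
"""Toy irrigation controller: plaintext HTTP-style commands carrying a session
token, a LAN attacker replaying and forging them, and a replay-protected
variant (per-command nonce authenticated under a key derived from the device
password). Added illustration only; all names and formats are assumptions."""
import hashlib
import hmac
import os

# Constructed LAN inventory as (ip, HTTP Server header); not real devices.
LAN = [
    ("192.168.1.1", "Server: RouterOS"),
    ("192.168.1.23", "Server: IrrigationCtl/2.1"),
    ("192.168.1.40", "Server: nginx"),
]


def find_controllers(hosts, marker="IrrigationCtl"):
    """Stand-in for the bot's local scan: pick hosts whose banner matches."""
    return [ip for ip, banner in hosts if marker in banner]


class Controller:
    """Irrigation controller plus the legitimate app that talks to it."""

    def __init__(self, password, replay_protected=False):
        self.key = hashlib.sha256(password.encode()).digest()  # assumed KDF
        self.replay_protected = replay_protected
        self.session = os.urandom(8).hex()  # token the logged-in app holds
        self.seen_nonces = set()
        self.valve_open = False

    def client_request(self, cmd):
        """What the legitimate app sends; over HTTP it crosses the LAN in clear."""
        msg = {"token": self.session, "cmd": cmd}
        if self.replay_protected:
            msg["nonce"] = os.urandom(8).hex()
            msg["mac"] = self._mac(msg["nonce"], cmd)  # app knows the password
        return msg

    def _mac(self, nonce, cmd):
        return hmac.new(self.key, f"{nonce}|{cmd}".encode(), hashlib.sha256).hexdigest()

    def handle(self, msg):
        """Device side: 200 accepted, 401 no session, 403 replayed or forged."""
        if msg.get("token") != self.session:
            return 401
        if self.replay_protected:
            nonce, mac = msg.get("nonce", ""), msg.get("mac", "")
            expected = self._mac(nonce, msg["cmd"])
            if nonce in self.seen_nonces or not hmac.compare_digest(mac, expected):
                return 403
            self.seen_nonces.add(nonce)
        self.valve_open = msg["cmd"] == "start"
        return 200


def replay_attack(ctl):
    """Passive capture of one real request, resent after the owner stops."""
    captured = ctl.client_request("start")   # owner starts; bot sniffs this
    ctl.handle(captured)
    ctl.handle(ctl.client_request("stop"))   # owner stops; valve closed
    status = ctl.handle(dict(captured))      # bot resends the captured bytes
    return status, ctl.valve_open


def forge_attack(ctl):
    """Session hijack: the token seen on the wire is reused with a new command."""
    forged = {"token": ctl.session, "cmd": "start",
              "nonce": "attacker-chosen", "mac": "deadbeef"}
    status = ctl.handle(forged)
    return status, ctl.valve_open


if __name__ == "__main__":
    for ip in find_controllers(LAN):
        print(ip, "plain HTTP:", replay_attack(Controller("irrigate123")),
              "replay-protected:", replay_attack(Controller("irrigate123", True)))
```

On the plain controller both attacks return 200 and leave the valve open; on the protected one the replay fails on the reused nonce and the forgery fails the MAC, because the attacker saw the token and a valid message but never the password-derived key. TLS achieves the same end for the real devices by denying the LAN attacker the captured message in the first place.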

More than 4M PHI Records Exposed by Firebase Mobile App Vulnerability

Mobile apps backed by misconfigured Google Firebase databases are exposing protected health information (PHI) and other sensitive data.

Mobile app security firm Appthority found more than 2,300 unsecured Firebase databases and 3,000 iOS and Android apps with this security flaw.

Users have downloaded Android versions of these apps more than 620 million times.

The mobile app vulnerability exposed more than four million PHI records, such as chat messages and prescription details.

All told, the vulnerability exposed more than 100 million sensitive records, including 2.6 million plain text passwords and user IDs, 25 million GPS location records, and 50,000 financial records.

Firebase is a backend database service for mobile apps, but, as Appthority explained, it does not secure user data by default: access is governed entirely by the security rules the developer writes.

Developers must therefore write rules that restrict access to every table and row of data; an open rule at the root exposes everything beneath it. Attackers can easily find open Firebase databases and read millions of private records belonging to mobile app users.
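An added example, not Appthority's tooling or the Firebase rules engine, of why an open rule at the root leaks everything: Realtime Database read rules cascade from the root, so ".read": true at the top grants reads on every child path. The toy evaluator below models that cascade for the two rule expressions it uses and checks a wide-open rule set against a locked-down one; both rule sets are constructed examples.

```python
"""Toy evaluator for Firebase Realtime Database read rules, modelling the
root-to-leaf cascade: the first `.read` that evaluates true grants access.
Added illustration; not the Firebase engine, and only the two expressions
below are understood. Rule sets are constructed examples."""

# As they would sit in database.rules.json: what an unsecured database looks like.
OPEN_RULES = {"rules": {".read": True, ".write": True}}

# Locked down: deny at the root, grant narrowly below it.
LOCKED_RULES = {"rules": {
    ".read": False, ".write": False,
    "users": {"$uid": {
        ".read": "auth.uid == $uid",      # owner only
        ".write": "auth.uid == $uid",
    }},
    "public": {".read": "auth != null"},  # any signed-in user
}}


def _eval(expr, auth, bindings):
    """Evaluate the subset of rule expressions used above; unknown -> deny."""
    if expr is True or expr is False:
        return expr
    if expr == "auth != null":
        return auth is not None
    if expr == "auth.uid == $uid":
        return auth is not None and auth.get("uid") == bindings.get("$uid")
    return False


def can_read(rules, path, auth=None):
    """Walk root -> leaf; the first granting .read wins (Firebase cascade).
    A $name key matches any path segment and binds it for the expression."""
    node, bindings = rules["rules"], {}
    segments = [s for s in path.split("/") if s]
    for depth in range(len(segments) + 1):
        if _eval(node.get(".read", False), auth, bindings):
            return True
        if depth == len(segments):
            return False
        seg = segments[depth]
        if seg in node:
            node = node[seg]
            continue
        wildcard = next((k for k in node if k.startswith("$")), None)
        if wildcard is None:
            return False      # nothing below grants access: deny
        bindings[wildcard] = seg
        node = node[wildcard]
    return False


if __name__ == "__main__":
    record = "/users/alice/prescriptions"
    print("open, anonymous:  ", can_read(OPEN_RULES, record))
    print("locked, anonymous:", can_read(LOCKED_RULES, record))
    print("locked, owner:    ", can_read(LOCKED_RULES, record, {"uid": "alice"}))
    print("locked, other:    ", can_read(LOCKED_RULES, record, {"uid": "mallory"}))
```

With OPEN_RULES an anonymous client reads the prescription record; with LOCKED_RULES only the owner can. The real-world check is the same one attackers use: an unauthenticated GET of `https://<project-id>.firebaseio.com/.json` returns the whole tree for an open database and `{"error": "Permission denied"}` for a locked one.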

Firebase Wears HospitalGown

The Firebase data exposure is a new variant of HospitalGown that occurs when mobile app developers fail to require authentication to a Google Firebase cloud database.

HospitalGown exposes an enterprise to Big Data exfiltration, leakage of personally identifiable information, and data theft.

Apps with the HospitalGown flaw behave as designed: they do not compromise the device and are not themselves under attack. The exposure lies entirely in the unauthenticated backend.

These apps are available on reputable sites like Google Play and the Apple App Store. Apps with this mobile app vulnerability likely pass all mobile app reputation tests.

Massive amounts of data come from these apps. In total, Appthority found the HospitalGown vulnerability exposed almost 43 terabytes of data and affected 1,000 apps.

A thousand apps leak terabytes of data, all due to simple human error: failure to secure the backend data stores.

Certain Volkswagen Connected Cars Are Vulnerable to Hackers


Hackers could gain control of systems in Volkswagen connected cars through vulnerabilities in the in-vehicle infotainment systems, researchers at Computest have discovered.

The vulnerabilities in the connected cars—2015 Volkswagen Golf GTE and Audi A3 e-tron—cannot be fixed remotely. Owners must bring their vehicles into the dealer to get the firmware upgrade. This means owners will continue to be vulnerable to the attack until they bring their cars in.

The researchers, Daan Keuper and Thijs Alkemade, exploited vulnerabilities in the infotainment system, which is manufactured by Harman, and were then able to take control of the central screen, speakers, and microphone. “This is a level of access that no attacker should be able to achieve,” the researchers opined.

At the same time, the researchers said that they were not able to directly affect driving behavior or any safety systems because of the controller area network (CAN) gateway that separates the infotainment unit from the vehicle’s control buses.

“A remote adversary is new territory for most industrial component manufacturers, which, to be mitigated effectively, requires embedding security in the software development lifecycle,” they observed.

“This is easier in an environment with automatic testing, continuous deployment and possibility to quickly apply updates after release. This is not always possible in the hardware industry, due to local regulations and the ecosystem. It often requires coordination between many vendors. But, if we want to protect future cars, these are problems we have to solve,” they concluded.