A tasty cake with security layers

22 October 2024 Reading time: 7 minutes

Imagine a world where no digital activity is fully safe. A world where malicious forces could hijack monetary transactions, private communication and interactions at any time, crippling businesses and lives alike. Sounds like grim science fiction? Take a look: it's our reality today. Cybercrime has become the leading cause of financial loss for companies worldwide, with projected costs reaching a mind-boggling $10.5 trillion annually by 2025.

The threat is very real, and it's not about big corporations anymore; small and medium-sized enterprises (SMEs) are equally vulnerable, accounting for a staggering 43% of cyberattacks. The digital storm rages on, with new threats emerging every day, each more sophisticated than the last. I think it's the right time to start thinking about fortifying your defences!

According to the annual Cost of a Data Breach Report for 2024 from IBM, the global average cost of a data breach has reached an all-time high of $4.45 million, marking a 15% increase over the last three years. Detection and escalation costs also have seen a significant surge of 42%, accounting for the highest portion of the “cost of breach”. 

This remarkable growth in breach costs underscores the escalating threat landscape and the need for businesses to fortify their security measures to mitigate risks. The increasing cost is largely attributed to the sophistication and complexity of modern attacks, which demand more time-consuming and resource-intensive investigation and resolution processes.

The secret is in layers

Picture your business as a medieval castle under siege. The walls are breached, and the enemy is at the gates. What do you do? You don't just reinforce one wall, hoping it will hold; you fortify every aspect of your defences - the walls, the towers, the moat, the gatehouse. And that's what we call layered cyber security.

If layered security is in place - it makes it much harder for attackers to breach such a system. Each additional layer increases the complexity and difficulty of breaching the whole system. The concept has been proven effective in various industries, from finance and healthcare to government and manufacturing. For example, banks have notoriously implemented multiple layers of security to protect their customers' money, including network firewalls, intrusion detection systems, encryption, access controls, and, of course, regular software updates. Some studies show that organisations with multi-layered security in place were 70% less likely to experience a data breach compared to those without. Another study by IBM Security revealed that companies using multiple security controls were able to detect breaches 26% faster than those with fewer controls. Why am I not surprised?

Give me those layers

The core layers of defence are designed to protect against different types of attacks:

1. Network security. Your first line of defence is network security, acting as the moat around your castle. Firewalls, intrusion detection systems, and prevention systems control traffic flow, detecting suspicious activity and limiting access. And there is a good reason for having it all. The sheer number of cyber-attacks can be mind-boggling (with estimates ranging wildly depending on the criteria used to define an attack, of course). Some reports claim that as many as 5.5 billion malware infections occur annually, while others put the figure for attempted intrusions at a staggering 6.3 trillion. This means a cyber attack every 3 to 11 seconds!
2. Endpoint security. Protecting devices from malware, viruses, and other threats is crucial in today's mobile workforce. Ensure all devices are up-to-date and monitor for threats as they happen. But did you know that 68% of organisations experienced endpoint security incidents in the past year? The threat landscape has never been more daunting.
3. Application security. Secure your software with regular testing and updates to patch vulnerabilities and reduce the risk of attacks. The only hope is that your vendor will be delivering those updates and patches promptly.
4. Data security. Protect sensitive information in storage by implementing encryption and backing it up regularly to ensure confidentiality and availability. Do you remember the average cost of a data breach from the Cost of a Data Breach Report for 2024 from IBM? Check it again.
5. Identity and access management (IAM). Control access to systems and data with strong authentication and role-based access control, safeguarding against insider threats and compromised accounts. IAM is critical in today's world where 70% of organizations face insider threats daily.

Continuous improvement is the only constant

Cybercriminals evolve, and so must your defences. A layered approach is not a set-it-and-forget-it solution; it requires periodic review and adaptation. Start by evaluating your current protection mechanisms regularly, identify gaps, and upgrade whatever is necessary. The future of cyber security surely lies in automated AI-driven tools that process real-time data to predict potential attacks, scale responses, if needed, and put in place advanced monitoring to quickly identify anomalies. But here's a chilling fact: 61% of organisations believe they are not fully prepared to handle a sudden attack. The reality is that no business can afford to wait for the future miracles of AI so thinking about cyber security and investing in security is required right now.

We should not forget that security is everyone's responsibility. Even simple steps like creating strong, unique passwords and being cautious with email attachments can make a significant difference. But even with robust measures in place, internal threats might remain a concern. But in this case, the layered cyber security solutions will help again and address this by implementing stringent access controls and monitoring user activity to catch suspicious behaviour.

A call to action

Cyber security is no longer just an IT issue; it's a business imperative. A multi-layered defence is the only way to stay ahead in today's digital landscape. It requires investment, vigilance, and continuous improvement. So, build your castle with layers of protection - for in this digital storm, the cost of not doing so could be catastrophic.

The stakes are high; the future is uncertain. The choice is yours: invest in cyber security or become another statistic in the ever-growing list of victims of cybercrime. The battle for cyber security is ongoing; ask yourself if you are ready to join the fight.

[The article is also published on LinkedIn]

This is not the WordPress you are looking for

11 October 2024 Reading time: 12 minutes

I know - the topic of web application security is as old as the world. Maybe because I deal with cybersecurity on a daily basis, it still surprises me why individuals (and businesses) do not really understand the threats waiting for their precious web applications, blogs, corporate portals, web services - pretty much anything accessible online.

Why web applications?

Every Internet-facing web application, portal or any other resource is an immediate, constant and obvious target for hackers for several reasons. I would mention just a few.

First and foremost, web applications are always online. This means that anyone can tinker with them as much as they want. See an illustration below in the section “Website traffic from the kitchen”.

Websites often contain useful and/or sensitive information that hackers might want to steal and use (to be specific: monetise). This could include confidential documents, personal data, or company secrets. Automated scripts can quickly crawl websites to gather all available information or perform tasks without permission from the website owner, leading to unauthorised use of resources or data theft. As a result, hackers might abuse websites “for fun and glory” (read about the recent Internet Archive hack) or to gain financial profit. 

Furthermore, Distributed Denial-of-Service (DDoS) attacks can be launched against a website, causing it to become inaccessible and potentially leading to downtime for the site owner's business. Obviously, as a hacker, later you can blackmail the owners and ask for money to stop all this madness.

Did I say that hacked websites could be used to distribute malware which can harm visitors' devices and spread further? 

You might be surprised, but Search Engine Optimization (SEO) is another reason why websites are targeted by hackers as they might manipulate search engine results for their own gain. 

We should finish this list of reasons by saying that political and social influence is also among other motivations for hacking into websites, such as spreading propaganda or disrupting critical services. Nothing new really.

WordPress, or not WordPress, that is the question

WordPress is surely the most popular Content Management System (CMS) in the world. A quick Google search gives you the astonishing statistics. WordPress powers 43.5% of all websites as their CMS. Around 478 million websites are built on WordPress. It clearly dominates the CMS market with a 62.5% share.

But "with great popularity comes great vulnerability". Despite regular updates and security patches, WordPress remains the most favourite target for hackers. If you are one of the millions of happy WordPress users, be warned - you're on every hacker's hit list "by default"! Here are a few reasons why your WordPress site might be vulnerable

• Outdated plugins and themes. Hackers are very smart and effective: they are very good in quickly finding and exploiting vulnerabilities that haven't been fixed yet and where to look for vulnerabilities but in thousands of WordPress plugins and themes?! With over 65000 plugins and more than 30000 themes available, the potential for vulnerabilities increases with each additional component. Both plugins and themes can introduce many vulnerabilities that put the website at risk. Why? Let me name just a few obvious reasons: the code is poorly written (often not by professional programmers), the software is not tested, and especially: the code is not tested for security.
• Abundance of automated attacks. With millions of WordPress sites, it's a numbers game for hackers using automated tools and scripts for probing and exploitation. And, so far, hackers have won this game.
• Common attack patterns. Hackers often exploit common vulnerabilities in PHP and SQL, which WordPress relies on due to its widespread adoption.
• Poor hosting practices. Insecure hosting environments or shared hosting setups where security measures are lacking can additionally increase the long list of security risks for WordPress sites.
• Poor password security. Weak or default passwords (still!) make it easy for hackers to get in.
• Lack of technical/security expertise. Not all users know how to secure their websites properly. A lack of basic cybersecurity knowledge leads to childish mistakes.

Most recent WordPress vulnerabilities

I am not sure if you know, but a high-severity vulnerability has been identified in the LiteSpeed Cache plugin for WordPress that could allow malicious actors to execute arbitrary JavaScript code and potentially take control of websites. The stored Cross-Site Scripting (XSS) flaw, tracked as CVE-2024-47374, affects all versions up to 6.5.0.2 and was addressed in version 6.5.1 on September 25, 2024. WordPress users are advised to update the plugin immediately to protect their sites from potential attacks. In short: the vulnerability allows unauthenticated users to inject malicious scripts into websites that have "CSS Combine" and "Generate UCSS" settings enabled. This could result in data theft, privilege escalation, or even a complete takeover of the website if exploited successfully.

This is not an isolated incident, as several other plugins, including TI WooCommerce Wishlist and Jupiter X Core, have also been found with critical security flaws (it should be noted that it was fixed in version 4.7.8). As you can guess, considering all written above, WordPress users are encouraged to stay up-to-date with plugins updates to ensure their sites remain secure (and live happily ever after).

Website traffic "from the kitchen"

I want to share with you some interesting (and worrying) statistics, based on the incoming requests from the Internet to my own website. I should say right away: my website is not based on WordPress but attackers obviously do not know it. By checking the traffic, I can very quickly see what hackers are after. And this is what I have learnt:

Only 23% of all traffic is related to the website content. All the rest is a massive collection of (predominantly automated) attempts to probe for vulnerabilities of all kinds. So, in short: on a daily basis, 77% of the Internet traffic to my website is malicious. Note: I am talking only about the web traffic, not any usual network scans and probing for open ports - those swipe my server several times a day. Nothing new.

When we take this 77% under a microscope, we can see more interesting things.

52% of all traffic comes straight to my public IP address, instead of the domain. In my opinion, any request by IP should be treated as potentially malicious. Anyone calling your website by IP address surely is not your friend, therefore, I would strongly suggest blocking all such requests immediately. Amongst these requests, you can find attempts to find online (well: on my web server) insecure routers, webcams, databases, IoT devices, configuration files (e.g., XML or JSON) specific to various platforms, multiple known attacks to web applications (e.g., SQL injection) and related infrastructure (e.g. buffer overflow). You can learn a lot about what attackers are after simply by checking logs!

Attempts to discover any WordPress-related vulnerabilities take about 10% of all traffic. It’s checking for (non-existing) plugins, config files, versions, etc. About 5% of the traffic is about finding and exploiting PHP-related vulnerabilities and the remaining 10% is a collection of very weird hacking attempts. You can see some of the web queries below.

More requests from my collection. Anyone can tell me what the attacker wants to do in this case (check the requests below)?

The bottom line of this story is that your website or any other Internet-facing resources constantly 24/7 are under attack. If there is any security vulnerability there - it will be discovered sooner or later.

Is there a remedy?

As someone said a long time ago: the most secure web application is the one that is switched off. I will refrain from such dramatic recommendations but, instead, give you a few hints regarding what can be done, especially with WordPress-based websites.

• Use a web application firewall (WAF). A WAF can monitor traffic to detect and block malicious requests, protecting your website from common attacks.
• Block any request to your web application by IP address. You should only allow requests coming from the website domain name. It will cut ¾ of unnecessary web requests.
• Maintain regular updates. Keep WordPress, plugins, and themes up-to-date. This ensures that any security patches or bug fixes are applied promptly, reducing vulnerabilities.
• Keep PHP up-to-date. Regularly update PHP versions on your server as new releases often include security patches.
• Choose secure WordPress themes and plugins. Select themes and plugins only from reputable sources. Avoid those with poor ratings or known issues. Always read reviews before installing new extensions.
• Use strong passwords. Implement strong passwords for your website's admin account and use a secure password manager if necessary. Two-factor authentication (2FA) can further enhance security.
• Make regular backups. Perform regular backups of your WordPress database and files. This ensures you can easily restore your site in case of a hack or data loss.
• Secure file permissions. Ensure that file permissions are set correctly for all files on your server. Use 644 for files and 755 for directories to prevent unauthorised access.

Last but not least:

• Monitor website activity. Regularly check your website's activity logs for any suspicious behaviour or potential vulnerabilities.
• Educate users. Inform users about security best practices, such as avoiding clicking on suspicious links and using strong passwords.
• And, of course, conduct regular penetration tests. Penetration tests are crucial for maintaining web application security by simulating real-world attacks and identifying vulnerabilities that hackers could exploit. They help uncover weaknesses before they're used by hackers, providing valuable insights into the effectiveness of your cyber defences. Penetration testing also helps prioritise security investments and improvements and raises awareness about ongoing security efforts within an organisation.

Once more time, we see that the Internet is not the safest place on Earth. By paying attention to cybersecurity and implementing these measures, you can surely improve your website's resistance to existing and future hacking attempts. Stay safe!

[The article is also published on LinkedIn]

"Pass the word, Honey" or how the NIST’s new guidelines are changing The Game of Passwords

29 September 2024 Reading time: 4 minutes

Finally, there’s a glimmer of hope at the end of the tunnel for all those tired of remembering insanely complex and frequently changing passwords. Not so long ago (to be specific: on Wednesday, 28 Aug 2024 20:39:12) the National Institute of Standards and Technology (NIST) released its second public draft of SP 800-63-4, providing updated guidance on digital identity verification.

Anyone scrolling through the document would immediately find it long, moderately boring and filled with lots of technical jargon. As you can guess, it certainly would require an extra effort to continue reading and not to give up. To your surprise, NIST’s latest version adds many interesting changes and common sense to password security, challenging many widely used but outdated policies. 

Goodbye, password reset madness

One of the interesting changes in the new guidelines is the recommendation to drop the requirement for frequent password changes. Instead of forcing users to change their passwords every month (a practice that originated decades ago when password security was really poor), organisations should focus on monitoring for signs of compromise or credential abuse. This means goodbye to those frustrating mandatory password reset processes that have become a regular nightmare occurrence in our lives. And the best part? It’s based on common sense – forcing users to change their passwords frequently can actually reduce security because people tend to choose weaker ones that are easier to remember.

Sayonara to password nonsense

Another exciting change is the acknowledgement by NIST that forcing users to create passwords with specific character composition rules (e.g., “must contain at least one capital letter, one lowercase letter, and a special symbol”) is pointless. This means you can finally ditch those annoying password requirements that make it harder for you to remember your own password. According to the new guidelines, passwords should be at least 8 characters long (with a stronger recommendation of at least 15 characters). It’s simple – just create a strong and random password that works for you.

Ditching security questions

The new guidelines also suggest ditching those easy-to-guess security questions like “What was your mother’s maiden name?” or “What was the name of your first pet?” These were found to be too easy for determined attackers to discover, making them virtually useless for authentication. Instead, multi-factor authentication methods like biometrics or hardware tokens should be used when possible.

Seeing is believing

I know it is not easy to believe in what is said above, but please check the original NIST document or see this extract below:

The benefits of the new guidelines

So what do these changes mean for you? If adopted, these new requirements could significantly enhance online security for individuals and organisations alike. The new NIST guidelines aim to improve digital identity verification, reduce security risks, and eliminate unnecessary burdens on end users with less effort.

While the guidelines are currently only binding for government services and contractors, there’s a chance that other industries will follow. Say goodbye to crazy password policies and hello to simpler, more secure methods of authentication – in the end, we all win.

[The article is also published on LinkedIn]

Dreamscapes less travelled

12 September 2024 Reading time: ~1 minute

The world is a vast and wondrous place, full of hidden treasures and secret destinations waiting to be discovered. But what happens when the journey itself becomes impossible? When the roads end, the seas prove impassable, or the skies refuse to clear? Does that mean our imagination will be silenced, our creative spark extinguished by the "constraints of reality"? of course not! In this digital age, the boundaries of possibility are stretched far and wide, and the limits of what's possible are pushed to new exciting heights. With the power of modern technology at our fingertips, we can now create a breathtaking fusion of art and technology that allows us to capture and share our most fantastic dreams and imagination. From the mist-shrouded mountains of mythical lands to the neon-lit skyscrapers of futuristic cities, these imaginary worlds could be brought to life, pixel by pixel, and shared in a way that's both mesmerising and real. Come and join us on this thrilling journey into the realm of digital dreams, where creativity knows no bounds, and the only limit is your imagination!

Geyser islands

Walking along an abandoned railroad track

Isle of Skye

22 August 2024 Reading time: 2 minutes

Step into the mystical realm of the Isle of Skye, where rugged wilderness meets breathtaking natural beauty. This enchanting island in Scotland's northwest corner is a treasure trove of untouched landscapes, hidden coves, and towering mountains that seem to defy gravity. The Isle of Skye is a place where the forces of nature have woven a spellbinding tapestry of sea-sculpted shores, shimmering lochs, and mist-shrouded valleys. Venture into its untamed heart and discover secrets that lie beyond the reaches of mainstream tourism, for in this wild and windswept corner of the world, the beauty is not just a sight to behold but an experience to be savored.

Skye in colour

Neist Point

Falls of Foyers near Loch Ness

Skye in panoramic images

On the way to Fairy Pools

Visiting Talisker distillery

Scotland

21 August 2024 Reading time: 2 minutes

Welcome to the wild and wonderful Scotland, where the rugged landscape meets the majestic skies and the soul is set free. As you wander through this enchanting land, the gentle whispers of lochs, the rustle of heather-covered moors, and the ancient secrets of the Highlands all blend together in a symphony of natural beauty. From the hidden valleys and secret glens that only reveal themselves to those who venture off the beaten path, to the towering mountains and sparkling waterfalls that leave you breathless, Scotland is a treasure trove of unspoiled wilderness and untold wonders waiting to be discovered. In this photo gallery, we invite you to join us on a visual journey through the lesser-known corners of Scotland, where the beauty of nature is unbridled and the charm of this special place will leave your heart skipping a beat.

Scotland in colour

Falls of Feugh near Banchory

Scotland in black & white

Eilean Donan Castle in black & white

The Kelpies

The Kelpies are a pair of monumental steel horse-heads between the Scottish towns of Falkirk and Grangemouth. The name was chosen to reflect the mythological transforming beasts possessing the strength and endurance of (at least) ten horses. Apparently the Kelpies "represent the lineage of the heavy horse of Scottish industry and economy, pulling the wagons, ploughs, barges, and coal ships that shaped the geographical layout of the Falkirk area". The Kelpies are 30 metres high and weigh 300 tonnes each.