Finally, after 2 years I am back to my blogging. After being inconsistent with my blogging this year, I have decided to publish at least 24 blog posts, 2 blogs each month. I still don't have any vision about my blogging goal, but I will try to cover as many topics, technologies and product reviews around cyber security as I can.
Year 2019 was a bit of a game changer for me, as I got the opportunity to move to Ireland and serve Irish clients. It was a tough decision for me to leave behind my project, where I did so much up-scaling, innovation, POCs and implementations. 2019 was overall good for me, as I actually wore the hat of security architect / pre-sales and started solutions. The journey was a bit tough, but I got enough support from my mentors and seniors, and I hope I will be able to turn that experience into personal and financial growth for my team.
Yes, ransomware was the number one reason the whole cyber security force was engaged throughout the year 2019. Interestingly, there was no major ransomware impact in the first half of 2019, but in the second half it won the show. Below are a few stats about ransomware:
- Two-thirds of ransomware attacks targeted state and local governments.
- 55% of SMBs from the US would pay hackers to recover their stolen data in ransomware attacks.
- Over 500 US schools were affected by ransomware attacks in 2019.
- Almost 70 US government organizations were infected with ransomware since January 2019.
- A total of 140 US local governments, police stations, and hospitals have been infected with ransomware.
- In the third quarter of 2019, the average ransomware payout increased to $41,000.
The City Council of Riviera Beach City, Florida paid the highest ransom in 2019: around 600,000 US dollars (65 Bitcoins) to the attackers. Unlike Riviera Beach City, others decided to ignore the ransom demand and recover by themselves, which cost them more than what the attackers asked.
In 2019 security researchers played a major role in identifying and responsibly disclosing multiple data breaches. Many security researchers came forward to notify about millions of breached user accounts, whether they were available for sale on the dark web or simply stored on public cloud without appropriate protection. Millions of customer and personal records were kept in cloud environments on non-standard databases (Elasticsearch, MongoDB). This situation may well lead to increased demand around the cloud security portfolio and cloud security leads. I have listed my top three, but I have my favourite one and that's Capital One.
- BinaryEdge Search Engine
Microsoft Patches and Zero-Days
In 2019 Microsoft didn't disappoint in terms of security patches: in total 180+ security patches were released by Microsoft, out of which 10 were zero-days and 130+ were critical and also exploited/targeted against users.
The story continued from 2018: a few unhappy security researchers disclosed POCs on Twitter because of the nature of the response they got from the Microsoft security team.
Bounty Hunters and Responsible Disclosure
Responsible disclosure and bounty hunters played a major role in 2019, as the bounty platforms combined paid an average of 62 million. In total 120,000 responsible disclosures were reported for 2,000+ vendors, a few of which are Google, Microsoft, Facebook and Twitter.
Facebook alone paid around 2.3 million US dollars for 1,300 disclosure reports; the average bounty was 1,500 US dollars, and most of the bounties were paid into three major regions: India, Tunisia and the USA.
HackerOne published an interesting report on their Bug Bounty Program for the year 2019. Below are a few key highlights; I will include the report link in the references.
- The average bounty paid for critical vulnerabilities increased to $3,384 in the past year, a 48% increase over last year's average of $2,281 and a 71% increase over the 2016 average of $1,977. Bounty values for less severe vulnerabilities are also rising, with the average platform-wide bounty increasing 65%.
- Governments had the strongest year over year industry growth at 214%, and last year saw the first launch of programs at the municipal level. Strong program adoption took place in Automotive (113%), Telecommunications (91%), Consumer Goods (64%), and Cryptocurrency & Blockchain (64%) industries.
- The majority of bug bounty programs remain private at 79% with little change from years prior. Public bug bounty programs engage six times as many hackers.
- Today six out of 10 of the top banks in North America are running hacker-powered security programs on HackerOne. Financial services organizations running hacker-powered security programs increased 41% this year.
- Six hackers surpassed $1 million in lifetime earnings, seven more hit $500,000 in lifetime earnings, and more than 50 earned $100,000 or more in the past year alone. Skilled and dedicated hackers have the potential to build a career and make a competitive living with the opportunities offered by hacker-powered security.
Overall, 2019 was not that bad for cyber security folks; because of these incidents, cyber security professionals are in much demand. In my next blog I will write about my cyber security predictions for the year 2020.