THE BEST PLACES TO LEARN TO CODE FOR FREE OR NEARLY FREE

If you’re brand new to the world of coding and web development, it makes sense to start by teaching yourself using all the free coding resources online.

By taking advantage of these resources as you learn to code for free, you can discover what you like and don’t like before investing money into a certain coding language or set of courses. Once you’ve gone through enough free coding lessons to find that direction, you’ll be able to channel your passion to continue learning coding online most efficiently.

However, there are so many free coding resources and classes and books to choose from. How do you know which are the best places to learn coding online?

Well, I did some research to save you the time! Here are some of the best websites to learn coding for free–from simple coding tutorials to full free online coding courses. 

Please note: all information, topics taught, etc., have been taken at time of updating and are definitely subject to change. Thanks!

 

Classpert

Classpert is a search engine that helps you find and compare online courses in computer science, data science, business, and more. With over 140,000 free and paid courses from more than 30 course providers, you’ll be spoilt for choice. You can even watch course previews and compare syllabuses side-by-side to find the best course for you.

 

GENERAL

1. Codecademy

Codecademy is where most people who are new to coding get their start learning programming online, and its reputation is well-deserved. The platform revolves around interactive learning; that is, you read a little, type your code right into the browser, and see results immediately.

What free coding lessons they offer: HTML & CSS, JavaScript, PHP, Python, Ruby, Angularjs, The Command Line, and more

 

2. freeCodeCamp

This free online coding school teaches coding first through an established curriculum (approx. 800 hours total), then by giving you hands-on experience working on projects for nonprofits. It’s perfect for learners who want to learn code online by getting practical, hands-on experience that will do some good and look impressive on a resume.

Free coding certifications on offer: HTML, CSS, JavaScript, data visualization, DevTools, QA testing, Node.js, React, jQuery, and more

 

3. Coursera

Coursera is one of the best places to learn to code for free, with its professional and versatile course options. The site is a large online course library where classes are taught by real university professors. All courses are free of charge, but you have the option to pay for a “Coursera Verified Certificate” (prices range between $30-$100) to prove course completion. Sometimes paying for a certificate also grants access to content not available in the free versions. Coursera also offers “Specializations,” which are collections of courses on a specific topic, typically with a capstone project at the end.


What free coding courses they offer: Many (far beyond your basic coding/computer science topics)

 

4. edX

EdX is an open-source higher education program governed by MIT and Harvard, making it another high-caliber resource where you can learn to code for free online. The site offers 107 great courses under the “computer science” category, teaching various coding languages.

Free programming courses offered: Java, C#, Python, and many more

 

5. Codewars

Codewars offers a fun and unique way to learn coding. With a martial-arts theme, the program is based on challenges called “kata.” Complete them to earn honor and progress to higher ranks. This is a fun way to learn programming online if you’re motivated by a little gamification!

Coding challenges they offer: CoffeeScript, JavaScript, Python, Ruby, Java, Clojure, and Haskell

 

6. GA Dash

This is General Assembly’s free online learning platform. It’s entirely project-based–you build a “project” with each walkthrough–making it ideal for those who like to get hands-on while learning to code online.

They are one of the very few free coding resources that have a course on how to build a Tumblr theme from scratch. Read my review of it here.


What free coding projects they offer: HTML, CSS, JavaScript, responsive design

7. Khan Academy

Khan Academy offers tons of subjects (as their front page says, “You can learn anything”), including many on computer programming. A few courses are offered for younger kids, too–so the whole family can learn to code for free!

Coding resources they offer: JS, HTML/CSS, SQL, much more

 

8. MIT OpenCourseware

Competition to get into MIT may be stiff, but accessing their course material online has no tuition or minimum SAT score. They maintain an online library of every subject they teach, with no account required for access; just browse for a course and start reviewing the material. Yep…you can learn programming for free at MIT. What a world.

The Massachusetts Institute of Technology OpenCourseWare


The Massachusetts Institute of Technology (MIT) OpenCourseWare (OCW) is a great initiative undertaken by MIT. As part of this platform, all the study materials of the MIT undergraduate and graduate-level courses are brought online so that you can study them anytime and anywhere, with free access for all.

Apart from the other subjects offered, this platform offers free online courses related to computer science.

Some of the introductory programming courses include online learning for Java, Python, C and C++, and MATLAB programming. You can browse through these free courses to search for one that meets your requirements.

 

9. The Odin Project

Modern-day warriors can set sail for learning to code with the Odin Project. It’s made by the creators of Viking Code School—a premier online coding bootcamp—and the Odin Project is their free, open-source version. While you learn to code for free with their programming tutorials, you can check in for support from other students using the online chat group!

Topics available: HTML, CSS, JavaScript & jQuery, Ruby programming, Ruby on Rails

 

10. Udacity

Udacity offers individual free coding courses, as well as “nanodegrees” that train you for specific careers like front-end web developer or data analyst. Course materials are free, but nanodegrees require a tuition fee.


What free tech programs they offer: Many (not just coding)

 

11. SoloLearn

SoloLearn is a social platform where anyone can learn to code. It’s different than other course providers because it’s mobile-based: learn coding on the go, on any device. With bite-sized lessons, achievements to unlock and interactive quizzes, it makes learning to code fun, and it’s free to download.

Coding lessons they offer: Many

 

12. The Code Player

A compilation of video-based online coding tutorials to help you walk through a process from start to finish. Good for learning code online with “smaller” projects/tasks one at a time.

Free coding tutorials available: HTML5, CSS3, Javascript, Regex, JQuery

 

13. Bento.io

Their mission is to inspire people to become programmers by making code accessible, affordable, and fun. Given that they offer over 200 topics, anything you’ve been thinking about learning, you can find here.


Web development tracks to choose from: Many

 

14. Udemy

They offer both paid and free courses. Note that on Udemy, courses can be created by anyone, so make sure to read reviews. Coupons can also be easily found, too, and sales are frequent. Check out their development courses here.

Free coding courses they offer: Many

 

15. Code.org

Code.org provides learning materials specifically dedicated to increasing the rates of female and minority students entering computer science careers. Their free coding courses are designed for K-12 students, but can be useful to all ages. Start out with their quick Hour of Code tutorials, or build projects in lab courses.

Coding courses offered: HTML, CSS, JavaScript, block programming

 

16. Scotch.io

This free coding website covers lots of topics related to web development and workflow. The platform features short courses, tutorials, guides, blog posts, and videos.

Free coding resources available: Angular, node.js, laravel, Sublime Text, and more.

 

17. Hackr.io

This isn’t a platform itself, but it’s a great list of community-curated programming resources. Simply search for the language you want to learn and you’ll get a list of the best online courses, tutorials, and books recommended by coders.


Free coding lessons they offer: None, but they recommend many

 

18. W3Schools

Perfect for beginners, W3Schools is the world’s largest web developer site, offering free coding tutorials and reference materials for learning just about every aspect of web programming. You can also test your skills with quizzes and complete coding exercises using their online editor.

What free coding tutorials they offer: HTML, CSS, JavaScript, SQL, PHP, jQuery, and more

 

19. Coderbyte

Learn to code by doing it! Coderbyte teaches you the basics of popular programming languages and lets you build up your new skills using their library of 200+ coding challenges and solutions.

Free coding challenges: JavaScript, Ruby, Python, HTML, CSS, Node.js, and more

 

20. Microsoft Virtual Academy

Microsoft Virtual Academy’s Learning Paths are curated free coding courses designed to help you build valuable skills through video tutorials, demos, assessments, and more. You’ll also get access to free e-books, helpful downloads, and a community support forum.

Free learning paths available: MEAN stack, SQL, Azure, ASP.NET, HTML

 

21. Edabit

Edabit is “like Duolingo for learning to code,” offering bite-sized coding challenges that simulate what programming is like in the real world.


Topics their challenges cover: Java, JavaScript, PHP, Python, C#, C++, Ruby, Swift

 

22. Launch School Open Book Shelf

Written to supplement Launch School’s software engineering curriculum, these free books will help you learn the basic foundational building blocks of popular languages.

What free coding topics they cover: Git and GitHub, the Command Line, Ruby on Rails, SQL

23. Datacamp

Learn Coding with DataCamp

Featuring free access to Python, SQL, Git, and much more. More than 100 classes, coding tutorials, practice challenges, data projects, and more.

24. QuickCode

Learn to Code with Quick Code

QuickCode offers free trials for classes in a number of various programming languages. The most popular project on QuickCode is the opportunity to build a virtual voice assistant.

25. Learn Code The Hard Way

Learn to Code with Learn Code the Hard Way

Python, Ruby, JavaScript, SQL and more. As of this writing, the Ruby course is the only one that is completely free, but each of the other lessons has some sizable free material that is worth checking out.

26. Free Code Camp

Learn to Code at free code camp

HTML, Git, JavaScript, databases, CSS and more. FreeCodeCamp is one of the biggest publications on Medium, and some of their YouTube videos have millions of views. When you learn with FreeCodeCamp it’s also a lot like Dash and Codecademy where you learn in the browser. And so, afterwards, you’ll want to learn how to use a text editor.

 

27. Code Avengers

Learn to Code with Code Avengers

Code Avengers offers Python, HTML, JavaScript and more. Code Avengers is a site which specializes in kids as well as adult learners, which makes it unique on this long list.

 

28. MySQLTutorial

Learn SQL with MySQL Tutorial

A tutorial page for learning SQL that features screenshots. It offers a number of steps to get into SQL, and a helpful tool called MySQL TryIt.

 

29. Vertabelo Academy

Learn SQL with Vertabelo Academy

Features basic interactive courses for a number of SQL topics including functions and queries. A helpful Course Advisor lets users know where to begin.

30. onemonth.com

 

Learn HTML for Free

Learn Computer Programming with One Month

Curious about coding? Want to learn to speak geek? Don’t be overwhelmed — this beginner course is the perfect introduction to web development with HTML, and CSS.

31. Intro to Programming: Chapter One

Skillshare

Deciding to learn a programming language can seem pretty daunting. That’s why this course is a good place to begin your journey—it’ll show you the basic concepts you need to know and give you that background knowledge so you can tackle coding with all your questions answered.

Length: 9 videos

32. How to Make Apps With No Programming Experience

Skillshare

Have a great idea for an app, but don’t know how to turn it into a product? Here’s how you can start to make your own prototype today.

Length: 14 videos

 

33. AGupieWare

AGupieWare is an independent app developer that surveyed computer-science programs from some of the leading institutions in the U.S. It then created a similar curriculum based on the free courses offered by Stanford, MIT, Carnegie Mellon, Berkeley and Columbia. The program was then broken into 15 courses: three introductory classes, seven core classes and five electives.

While you won’t actually receive academic credit, this is a perfect introductory program for prospective computer programmers.

 

34. Hack.pledge()

This is a community of developers, which includes some high-profile developers such as Bram Cohen, the inventor of BitTorrent. Here, you can perfect your programming skills by learning from some of the leading developers in the world.

 

35. BitDegree

Learn coding online for free with BitDegree

BitDegree offers a ton of free courses that range from programming to game development.

They offer standard online courses and gamified courses. Gamified courses help to bring achievement and interaction into the learning process. All you have to do is choose your language and start learning.

There are a variety of programming languages covered, but the most popular ones are highlighted below:

  • HTML
  • CSS
  • PHP
  • Javascript
  • SQL
  • JQuery

BitDegree also does something unique by incorporating blockchain into the education process. There are transparent rewards and an achievement system that helps businesses recruit tech talent, and measure course success.

 

36. Pluralsight

Learn coding online for free with Code School

Code School is an online learning platform that offers both free and paid courses. It has impacted over one million students across the globe.

The platform is organized into different learning paths and defined by languages and skills. Their approach to education is laid out as follows:

  1. You choose your education path that’s created by professional instructors and work through the material.
  2. You practice what you’ve learned directly in your browser window, and get immediate feedback.
  3. You rack up points as you complete each course level.
  4. You monitor your progress and keep track of all your achievements, badges earned, and material consumed.

Some of the learning tracks offered include:

  • HTML and CSS
  • Javascript
  • Ruby
  • Elixir
  • PHP
  • Python
  • iOS
  • Databases

37. Dash General Assembly

Learn coding online for free with Dash General Assembly

Dash is a free online course that’ll teach you the basics of web development, all within your web browser.

You’ll learn the basics of HTML5, CSS3, and Javascript, and how these languages work together to create a beautiful, modern website. In addition, you will have to build a series of small projects that all integrate together at the end to show you how to create a website of your own.

With Dash, you’ll come away with an understanding of the bigger picture of website development. It’s a great place for beginners with no previous development experience.

 

38. Code Conquest

Learn coding online for free with Code Conquest

Code Conquest is a great platform that’ll help you learn the basics of coding. Even if you’ve never written a line of code in your life, or don’t even know what coding is, this platform will help you get started from square one.

It’s designed to walk you through the process of:

  1. Learning what coding is.
  2. Choosing which languages to learn.
  3. Knowing how to improve your knowledge and skills.
  4. Applying these skills to real-life problems.

On the site, you’ll find a variety of tutorials that’ll help you learn programming languages like:

  • HTML and CSS
  • Javascript
  • PHP
  • Ruby
  • jQuery
  • Python
  • MySQL

Beyond everything above, you’ll receive specific recommendations to extend your education with different tools and platforms.

 

39. Codeasy.net

Learn coding online for free with Codeasy.net

Codeasy.net offers a very unique and fun way to learn how to code. You’ll be immersed in an adventure story that requires real-life programming skills to navigate your way through.

Throughout the story, you’ll be taught the basics of C#, all the way up to more advanced topics and functions. It’s designed with complete beginners in mind, so you don’t need any knowledge of software development to get started.

The best part about this educational experience is that it doesn’t feel like you’re learning. Your goal is to save the world from a machine invasion, and you’ll use your newly acquired coding skills to do it.

 

40. Upskill

Learn coding online for free with Upskill

Upskill is a free online boot camp that’ll take you from beginner to advanced developer. The main focus of the course is teaching you web development, and it’s a great place to start, even if you have no experience.

You’ll learn coding skills such as:

  • WordPress plugin development
  • WordPress best practices
  • Javascript
  • HTML5 and CSS3
  • PHP
  • MySql
  • Node.js
  • Ruby on Rails

The curriculum is 100% project-based, which means that you’ll be building a real-world portfolio as you progress through the course.

 

41. After Hours Programming

After Hours Programming has been around for the past few years and has lots of different tutorials for learning the basic concepts of Python, PHP and much more.

The above is only a short list of platforms or websites that enable you to learn coding or programming online for free.

There may be many other effective code learning tools.

If you have used any such tools with great success, please share your experience in the comments section below and thanks for reading!

YOUTUBE CHANNELS

42. LearnCode.academy

One of my personal favorites! This site features web-development-focused videos made by Will Stern. There are a ton of free coding tutorials on JavaScript and other languages, plus videos about the various tools developers use.


What free coding videos they offer: Sublime Text, Responsive Design, Node.js, Angular.js, Backbone.js, Deployment Strategies, and more

Subscribers: 483,460

 

43. thenewboston

Here you’ll find over 4,000 videos on a range of programming, game development, and design topics. It’s one of the more popular channels, with almost two million subscribers learning to code with them.

What free programming videos they offer: Android development, C programming, MySQL, Python, and more

Subscribers: 1,987,216

 

44. Derek Banas

Banas’ specialty is condensing information about coding languages into a single video per language. Good for viewers who like longer but more thorough videos instead of bite-sized chunks, or want to watch overview videos of languages before diving into courses/curriculums.


Free coding videos available: Java, Ruby, PHP, C++, HTML, Android, Python, Assembly language, and more

Subscribers: 818,955

 

45. ProgrammingKnowledge

A channel perfect for absolute beginners who want a foundation to learn to code. Step-by-step tutorial playlists cover various languages without assuming prior knowledge.

What free coding videos they offer: Java, Python, C, JavaFX, Android programming, Bootstrap, and more.

Subscribers: 645,122

 

BLOGS

46. David Walsh

This coding blog is run by David Walsh (a senior developer at Mozilla), although there are others who write on the site, too. Dive into free coding tutorials, how-tos, demos, and more.

 

47. Softwarehow

All about using software tools to solve common problems you encounter in tech. Tips, guides, and specific software reviews.

 

48. SitePoint

They have lots of writers and publish often. Topics range from HTML and CSS to entrepreneurship. Also have paid books and courses on their child site Learnable. Make sure to check out their newer “collections” – which include coding tutorials on topics like WordPress security, React.JS, and Swift. (And new ones are added daily!)


 

49. Tuts+

Tons of free programming tutorials, as well as paid options like actual courses. Has over 1,130 expertly-instructed video courses (on all topics, not just computer-related). Also publishes eBooks.

50. A List Apart

Lots of authors participate in A List Apart. They write books, have events, and run a great development/design blog. See all code topics here.

 

51. CSS-Tricks

Goes very thoroughly into CSS with their big, bad CSS almanac. However, the blog now goes beyond just CSS and talks about other things like Sass, JavaScript, PHP, and more. Explore tons of resources and check out their code snippets.


THE COMMAND LINE

52. Learn Enough Command Line to Be Dangerous

Free command line tutorial for complete beginners. Walks you through the basics of the Unix command line—no technical prerequisites required.

 

53. Command Line Power User

Free video series created by Wes Bos. More at an intermediate level, so not for total newbies.


54. Conquering the Command Line

Free online book by Mark Bates that goes very in-depth. You can purchase hard copy or screencasts.

GIT AND GITHUB

55. Git Immersion

A guided tour to teach you the basics of Git. Set preferences and create your own projects.

 

56. Try Git

An interactive series of challenges to learn about and experiment with Git. Created by Code School.


HTML AND CSS

57. HTML5 Dog

Start learning to code with one of the simplest languages. You can find an HTML beginner tutorial here. (They also offer intermediate and advanced HTML tutorials.) CSS tutorials are here.

 

58. Marksheet.io

An online coding resource for beginners. Broken down into four chapters: the web, HTML5, CSS3, and Sass. It’s like an online ebook, but under a Creative Commons Attribution-Non Commercial-ShareAlike 4.0 International License, so you can adapt it for your needs.

 

59. Mozilla Developer Network

Free documentation on HTML and CSS (also JavaScript). Has tutorials for people of different levels, introductory to advanced.


 

60. Learn to Code HTML & CSS

Online coding tutorials to help you build beautiful and intuitive websites. Covers a variety of web design and development topics, ranging from beginner to advanced.

 

61. HTML5 Rocks


As the name suggests, this platform is mainly focused on learning the nuances of HTML5 which is widely used for website development and mobile application development.

The fascinating thing about this site is that it is a Google project. So, the contributions to this site and all the learning tutorials, including the resource guides and slide decks, offered to you are provided by Google professionals.

The details discussed by HTML5 Rocks are more useful for those who are trying to improve their existing HTML5 skills. So, a basic understanding of HTML5 may be required before you start using this site.

JAVASCRIPT

62. JavaScript for Cats

It’s like a book on a single webpage, broken down into sections…with cats. Created by programmer Max Ogden. Filled with non-cat gifs but has cat pics at the end. Just because. Lol.


 

63. NodeSchool

Has in-person workshops and events all over the world, as well as an active web presence. See online tutorials here.

 

64. Learn JS

Another hands-on way to learn code online! As you go through lessons, you can type in the window at the bottom. Created by the same folks who make learnpython.org.

65. Eloquent Javascript

Another online book, longer than most. It has big-tech financial backers like Mozilla and Hack Reactor (“the Harvard of coding bootcamps”).

 

66. Javascript.com

9 mini-lessons created by Code School. Quick and perfect online coding tutorial for absolute beginners. (Warning: JS in real life is a lot tougher.) At the end, it points you to more in-depth JS learning materials.


 

67. Watch & Code

Straightforward, no-nonsense JavaScript video tutorials. Designed to take you from zero to advanced level. Plus, participate in weekly live study sessions for community support as you learn to code.

WORDPRESS

68. WordPress.tv

Recordings of live WordCamp lectures around the world. Created by Automattic.

 

69. WPBeginner

Website for beginner WP users. Great WP glossary of terms, plus coupon deals, video tutorials, and a blog which publishes useful articles by different authors.


Bonus resource: WordPress is a great content management system for blogging. If you’re interested in creating your own blog, I highly recommend checking out my friend Ryan Robinson’s detailed guide on starting a blog.

PYTHON

70. A Byte of Python

Free online book for beginners learning to code. You can choose to download it for free as a PDF or spend money for a hard copy.

 

71. LearnPython.org

Learn to code Python for free in a hands-on way with this interactive online coding tutorial. It has a little window at the bottom where you can write your code as you go through the lessons.

 

72. Learn Python The Hard Way (Website)

The book costs money, but the website is free. Written by Zed Shaw. (I used the book when I first started learning.)

RUBY

73. Learn Ruby the Hard Way

Another book written by Zed Shaw. A free HTML version of the book is available online. Buying the hard copy also gets you access to videos.

 

74. Rails For Zombies

A quick, interactive way to learn Ruby on Rails right in your browser. Learn Rails basics like models, views, and controllers in just 1 hour. Created by Code School.


 

75. Rails Tutorial

12-chapter book by Michael Hartl. You can purchase ebooks, screencasts from author, and more. Or just read it for free online.

 

76. RubyMonk

Entirely free resource, though you have the option to donate. Based on interactive online coding tutorials, where you read a lesson and type in code. Lastly, “run” it.

RubyMonk has one beginner course option, two intermediate, and one advanced.

 

77. Ruby In 20 Minutes

Created by the official Ruby website, this is a great option for beginners learning to code Ruby. You’ll learn the basics of the language in 20 minutes or less, giving you a solid starting point.

DATA SCIENCE / ANALYSIS

78. Dataquest

Hands-on free coding courses that teach you the skills you need to become a data scientist, data analyst, or data engineer. Build projects in your browser and work on real-life data science problems.

 

79. Springboard

A short but intensive intro to data analysis. Learn how to manipulate and analyze data with a carefully planned out curriculum made up of free online lectures, homework assignments, projects, and more. (Plus, no background in data analysis or programming needed!)

 

80. EliteDataScience

No-nonsense data science and machine learning guides, mini-courses, and tutorials for busy people learning programming online. You can also download code cheat sheets, checklists, and worksheets to shorten the data science learning curve.

MACHINE LEARNING / AI

81. Machine Learning Mastery

Created by professional developer and machine learning practitioner Jason Brownlee, PhD. Offers free tutorials and resources, including a free machine learning crash course, for getting started in machine learning and beyond.

 

82. Google AI

Learn from ML experts at Google. Offers resources—including tutorials, courses, videos, and exercises—to help you develop AI skills. Perfect for beginners all the way up to seasoned machine learning engineers.


 
CYBERSECURITY

83. Cybrary

Free crowd-sourced cybersecurity and IT learning videos. Covers topics like computer and forensics, cryptography, and cyber threat intelligence.

 

84. O’Reilly Security Ebooks

Dive deep into the world of cybersecurity with these free ebooks. Learn about the dark net, privacy, cyber crime, and more.

MOBILE APP DEVELOPMENT

85. Android Developers

Official site for Android app developers. Learn how to build your first Android app with detailed online coding tutorials and training courses.

 

86. Google Developers Training

Free, self-paced online coding courses for both Android beginners and experienced developers. Created by experts at Google and Udacity.


 

87. Start Developing iOS Apps (Swift)

Part of Apple’s documentation archive, this is a perfect starting point for learning to code real-world iOS apps that run on iPhone and iPad.

 

88. Google Android Training


If you are interested in learning the nuances of Android application development from scratch, then Google can be greatly useful to you.

This technical giant offers numerous Android development learning classes, including those designed for absolute beginners. It also provides you with several code samples that can be reused by you for your own Android application development.

If that was not enough, Google even offers you access to different online video training courses related to Android development.

 

89. Swift Playgrounds

iPad app that lets you experiment with Swift through interactive mini-puzzles. Plus, you’ll get to see your code run in a beautiful 3D world.


 
UI/UX DESIGN

90. The Encyclopedia of Human-Computer Interaction

An in-depth, 52-chapter look at UI/UX and interaction design. Covers everything you need to know about designing interactive products, like websites, software, smartphones, and even household objects.

 

91. UXPin

Tons of free UX e-books and guides covering mobile and web prototyping, wireframing, mockups, usability testing, and much more.


 

92. UX Beginner

Subscribe to free weekly design training and dive into the world of UI/UX with free resources, blog articles, and curated lists of the best UX courses, podcasts, and books.

CONCLUSION

As you can see, there are a ton of options you can use to teach yourself to code for free. And certainly, taking advantage of all the free online coding resources out there is definitely the way to go when you’re just starting out.

However, sometimes even the best free coding courses will only get you so far.

START CODING NOW

So once you have the basics down, you’ll want to start exploring paid options. Check out some paid platforms, tools, and resources here.

If you’re looking for a place to ask beginner-level questions, share resources, and seek advice, join Learn to Code With Me Community—a free online community for self-taught coders.

 

 



700,000 Choice Hotels customer records compromised

Cybercriminals took advantage of an open MongoDB database containing data from Choice Hotels and stole 700,000 customer records and then demanded a $3,800 ransom payment for their return.

The unsecured third-party database was first uncovered by Comparitech and security researcher Bob Diachenko, but despite quick action on their part informing Choice of the problem, malicious actors also found the database and removed the data and left a ransom note demanding 0.4 Bitcoin, or about $3,856. The database actually contained 5.6 million records, but Comparitech reported that Choice said the vast majority were test data.

However, 700,000 were true records containing customer names, email addresses, and phone numbers.

Choice told Comparitech it will no longer work with the third-party vendor, which left the database fully open, requiring neither a password nor any other authentication method to view the contents.

The database was first indexed on June 30 by the BinaryEdge search engine. Diachenko discovered it on July 2 and emailed Choice Hotels about the issue. The server was secured on July 2, although not because of Diachenko’s action: the hotel said his email was filtered out and not read. By that point the ransom note was already in place on the server.

Diachenko sent a second notification to Choice on July 28 and only then did the hotel chain launch an investigation into the incident.

Even though financial and detailed personal information was not exposed, Comparitech noted the information that was compromised poses a threat.

“Scammers can address users by name and include detailed personal information to make the message more convincing. Aside from emails, scammers might also send phishing messages to users’ phones through SMS texts. Choice Hotels customers should also be ready for an increase in targeted spam to their phones and email accounts,” the company wrote.



via: scmagazine



A hacker gained access to 100 million Capital One credit card applications and accounts

In one of the biggest data breaches ever, a hacker gained access to more than 100 million Capital One customers’ accounts and credit card applications earlier this year.

Paige Thompson is accused of breaking into a Capital One server and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.

A criminal complaint says Thompson tried to share the information with others online. The 33-year-old, who lives in Seattle, had previously worked as a tech company software engineer for Amazon (AMZN) Web Services, the cloud hosting company that Capital One was using, the Justice Department said. She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing.

Thompson was arrested Monday in connection with the breach, the Justice Department said. Thompson’s attorney could not be immediately reached for comment.

Capital One (COF) said the hack occurred March 22 and 23. The company indicated it fixed the vulnerability and said it is “unlikely that the information was used for fraud or disseminated by this individual.” However, the company is still investigating.

“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Capital One CEO Richard Fairbank in a statement.

The breach affected around 100 million people in the United States and about 6 million people in Canada, according to Capital One.

However, “no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised,” the company noted.

Capital One said it will notify people affected by the breach and will make free credit monitoring and identity protection available. The company expects to incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support.

Capital One’s stock was down 5% in premarket trading Tuesday.

How Capital One got hacked

The criminal complaint against Thompson paints a picture of a less-than-careful suspect.

Thompson posted the information on GitHub, using her full first, middle and last name, the complaint says. She also boasted on social media that she had Capital One information.

In a channel on Slack, a chat service often used by businesses as well as other groups, Thompson explained the method she used to break into Capital One, the Justice Department alleges. She claimed to use a special command to extract files in a Capital One directory stored on Amazon’s servers.

“I wanna get it off my server that’s why Im archiving all of it lol,” Thompson allegedly posted on Slack. One person was alarmed by what Thompson found, writing that the information was “sketchy,” adding, “don’t go to jail plz.”

Thompson made little effort to disguise her identity. She allegedly used the screen name “erratic” on Slack, which was the same handle she used on a Twitter account and a Meetup chatroom page.

The FBI special agent who investigated Thompson believes Thompson tweeted that she wanted to distribute Social Security numbers along with full names and dates of birth.

One person who saw the information on GitHub notified Capital One of the “leaked data” belonging to the company. Capital One notified the FBI, and an agent searched Thompson’s residence on Monday. They found devices in her possession that reference Capital One and Amazon as well as other entities that may have been targets of attempted — or actual — breaches.

The complaint indicates Thompson “recognizes that she has acted illegally.”

via:  cnn.com



The 10 most in-demand programming languages across the globe

Companies are looking to hire developers skilled in these coding languages the most, according to a Hired report.

While developers have an opinion about their most loved and hated programming languages, companies have their own opinions, too, according to Hired’s 2019 State of Software Engineers report, released Thursday.

The report surveyed more than 700 software engineers on the Hired platform, and analyzed proprietary data reflecting more than 170,000 interview requests and job offers over the past year.

Here are the 10 most in-demand coding languages globally, and the number of interview requests a developer with that language in their skillset received over an average period of 2-6 weeks on the platform:

  1. Go (9.0)
  2. Scala (8.4)
  3. Ruby (8.2)
  4. TypeScript (7.7)
  5. Kotlin (7.2)
  6. JavaScript (6.8)
  7. Objective-C (6.6)
  8. PHP (6.5)
  9. Java (6.5)
  10. HTML (6.4)

Coming in lower down the list were Swift (6.3), Python (6.2), C++ (5.6), C (5.4), C# (5.4), and R (3.3).

Go was named the most in-demand programming language, likely because relatively few developers use it, the report found. Only 7% of those surveyed said they primarily work with Go. The same was true for Scala, Ruby, TypeScript, and Kotlin: while all these languages rank in the top five most in-demand by companies, they are less familiar to developers, according to the report.

In terms of languages developers actually use, JavaScript leads the pack at 62%, which makes TypeScript particularly interesting, as it is a superset of JavaScript and therefore easier for JavaScript programmers to learn. Yet only 12% of developers use TypeScript. This presents an opportunity for JavaScript developers to expand their skillset and gain new in-demand job opportunities, the report noted.

To learn more about how to become a developer, check out this TechRepublic cheat sheet.

You may also want to check out:

Top 10 programming languages developers want to learn in 2019

via: techrepublic



Businesses failing to meet California Consumer Privacy Act compliance goals

Set to go into effect on January 1, 2020, the CCPA will affect lots of companies doing business in California, but 86% have yet to meet compliance goals.

A new report on the state of California Consumer Privacy Act (CCPA) readiness should raise alarms for any tech firms that do business in California.

The report from privacy compliance company TrustArc finds that 86% of companies affected by the CCPA, which goes into effect on January 1, 2020, have yet to meet compliance goals.

With less than 10 months to go until the CCPA goes live, this report is a critical look at what businesses need to do to become compliant before penalties start being assessed.

It’s important to note that the report’s 86% figure doesn’t mean all of those businesses have yet to start working toward compliance. Only 16% have yet to start, 28% said they are working on preliminary plans, 9% have made plans but not started implementation, 19% have begun implementation, and 16% are well on their way.

The study also found that companies who had to comply with the EU’s General Data Protection Regulation (GDPR) are much farther along in their CCPA implementation. Some 21% of companies affected by both GDPR and CCPA are already compliant, as opposed to only 6% for those only affected by CCPA.

As noted by the Future of Privacy Forum, the GDPR and the CCPA have a number of similarities that make meeting compliance for the CCPA a simpler process for organizations that have already worked to meet GDPR rules.

The report makes clear the costs of implementing CCPA rules for affected organizations: 71% of them expect to spend more than $1 million to meet requirements.

As with compliance rates mentioned above, GDPR preparation has been a boon for companies affected by CCPA, with only 62% of them expected to invest $1 million or more on CCPA. Some 78% of companies concerned solely with CCPA will spend the same amount.

What companies need to do to meet CCPA compliance goals

If your organization is affected by CCPA, which covers how companies collect, store, and use user data, it’s time to get serious about meeting compliance goals. The CCPA is going to be the toughest privacy law in the US, and with California being the most populous state there’s a good possibility it affects you and your business.

The report makes clear that organizations need help to meet compliance goals, with 88% of respondents saying they need external help to understand what exactly they need to do to get in line with the CCPA.

TrustArc concludes that investing in CCPA-centric tech solutions and consulting services will be a must for those who still need to enact compliance plans. If you’re still in the exploration phase, or don’t know whether you’re affected, it’s time to start planning and looking for the budget needed to meet the January 1, 2020 deadline.


via: techrepublic



The guide stems from the Cybersecurity Act of 2015.

The Department of Health and Human Services on Friday released a publication containing voluntary cybersecurity practices to healthcare organizations ranging in size from local clinics to large hospital systems.

Titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” the four-volume publication is the result of a two-year public-private partnership between HHS and healthcare industry professionals. According to a press statement from HHS, more than 150 cybersecurity and healthcare experts participated in the effort, which was mandated through the Cybersecurity Act of 2015.

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” Janet Vogel, HHS Acting Chief Information Security Officer said in a statement. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

The guidance is a mixture of highly technical solutions and common sense practices applicable to a wide range of healthcare facilities. The core of the document explores the five most relevant threats to the healthcare industry and recommends 10 cybersecurity practices to mitigate them. It also emphasizes the importance of moving quickly to address these threats.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine. “That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert.”


via:  nextgov



Security Predictions by Security Industry Company – Top 19

Cyber security is the number one new megatrend shaping the industry, according to the Security Industry Association’s (SIA) yearly report defining the major trends and forces at play in the global security industry. By nearly 30 percentage points, industry leaders said cyber security’s impact on physical security solutions was the greatest they were expecting to face in 2019. 

Here are the cybersecurity industry’s annual predictions, online threat forecasts and cybersecurity trend reports: a roundup of top insights from the leading security companies and cyber experts for 2019 and into the 2020s.

1) Trend Micro once again delivers a top-notch, comprehensive security prediction report that is easy to access and based upon “our experts’ analysis of progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape.”

Trend Micro’s report is titled Mapping the Future: Dealing With Pervasive and Persistent Threats and is available in Web and PDF formats. They do a creative job of categorizing their predictions into items for Consumers, Enterprises, Governments, Security Industry, Industrial Control Systems, Cloud Infrastructures and Smart Homes — with pragmatic action items for all.

Here are a few top-line prediction examples (with many more details available in the report linked above):

  • Actual Mass Real-World Use of Breached Credentials Will Be Seen
  • Sextortion Cases Will Rise
  • Home Networks in Work-From-Home Scenarios Will Open Enterprises to BYOD-like Security Risks
  • Innocent Victims Will Get Caught in the Crossfire As Countries Grow Their Cyber Presence
  • 99% of Exploit-Based Attacks Will Still Not Be Based on 0-Day Vulnerabilities
  • Cybercriminals Will Compete for Dominance in an Emerging IoT ‘Worm War’
  • My favorite from Trend Micro: Cybercriminals Will Use More Techniques to Blend In – “In response to security vendor technologies, specifically the renewed interest in machine learning for cybersecurity, cybercriminals will use more malicious tactics to “blend in.” New ways of using normal computing objects for purposes other than their intended use or design — a practice known as “living off the land” — will continue to be discovered, documented, and shared. We have been observing a few of these.”

2) FireEye once again offers an extensive, intriguing predictions report, which is excellent and definitely worth reading. But for the first time in a few years, they do not require registration to access their prediction details. However, once you read for a few minutes, a box will pop up requiring your contact details to continue, so if you don’t want to register — save the PDF quickly offline. And yes — the report is impressive and thought-provoking.

FireEye’s report is titled: Facing Forward: Cyber Security in 2019 and Beyond. (You can also watch a video overview discussion below from FireEye.) Their leadership took a different approach this year, offering words of wisdom on cybertrends from executives on a variety of topics. It starts with this strong endorsement of prediction reports from Kevin Mandia their CEO: “In the cyber security industry, we’re so frequently working around-the-clock for days at a time that we often forget when one year ends and another begins. It’s a shame, too, because the end of the year is a very important time. It provides a moment to reflect on what we observed and experienced over the past 12 months, and to consider how best to address the challenges we have been facing. Perhaps more critical to our line of work, it offers an opportunity to note what developed into a trend, and what might develop into a trend as we move into the next year and beyond.”

Here are some of the high-level topics covered by FireEye:

  • (More) Nations developing offensive capabilities
  • Breaches continuing due to lack of attribution and accountability
  • The widening skills gap, and fewer trained experts to fill security roles
  • Lack of resources, especially for small and medium-sized enterprises
  • Supply chain as a weakness
  • Attackers eyeing the cloud, since that’s where the data is headed
  • Social engineering, considered by many to be the most dangerous threat
  • Cyberespionage, cybercrime and other threats to the aviation industry


3) McAfee Labs 2019 Threats Prediction Report led with these words: “Greater collaboration among cybercriminals exploiting the underground market, which has allowed them to develop efficiencies in their products. Cybercriminals have been partnering in this way for years; in 2019 this market economy will only expand. The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before. …”

Ever heard of “synergistic threats?” You’ll need to read their report to understand where that trend is going. Here are their top 7 predictions — with details at the links on each item:

4) WatchGuard Technologies kept pace with the top-tier cybersecurity rivals in their 2019 prediction report that breaks some new ground. “This year the team at the WatchGuard Threat Lab imagined a string of attacks that could lead to a cybersecurity apocalypse. Our security predictions for 2019 span from likely to audacious, but in all cases there’s hope for preventing them with layered security defenses that meet them head-on!”

My favorite WatchGuard predictions:



5) Forcepoint stepped-up their game with an impressive cybersecurity prediction report this year with a 23-page quality presentation in multiple formats including PDF. They went out on a few limbs and countered the masses on areas ranging from AI to the cloud.

Their content is also fresh and not “warmed over from last year” like many other 2019 reports.

Forcepoint Predictions:

  • The winter of AI — There is no real AI in cybersecurity, nor any likelihood for it to develop in 2019.
  • Industrial IoT disruption at scale — Attackers will disrupt Industrial Internet of Things (IIoT) devices using vulnerabilities in cloud infrastructure and hardware
  • A counterfeit reflection — Hackers will game end-user face recognition software, and organizations will respond with behavior-based systems.
  • Courtroom face-off — 2019 will see a court case in which, after a data breach, an employee claims innocence and an employer claims deliberate action.
  • A collision course to cyber cold war — Isolationist trade policies will incentivize nation states and corporate entities to steal trade secrets and use cybertactics to disrupt government, critical infrastructure, and vital industries
  • Driven to the edge — Consumer concern about breaches will cause companies to embrace edge computing in order to enhance privacy. Designers will face significant headwinds with adoption due to low user trust.
  • Cybersecurity cultures that do not adapt will fail — Industrywide security trust ratings will emerge as organizations seek assurances that partners and supply chains are trusted partners.

6) Beyond Trust — Once again offers a solid list of security predictions that have hyperlinks to plenty of supporting details and reasons why (for those who like to dig deeper.) I like the opening by Morey Haber their CTO: “There are three jobs in this world where you can be completely wrong all the time and still not have to worry about being fired. One is a parent. Another is a weatherperson. And the last one is a technology trends forecaster.”

Their top predictions include:

  • Privileged attack vectors will continue to be the number one root cause of breaches for both consumer and business data.
  • Well-known Vulnerabilities Will Continue to Dominate Cyber Attack Reports — “The pattern of successful attacks through the use of well-known and entirely preventable vulnerabilities shows little sign of abating. Organizations continue to focus their efforts injudiciously, ignoring the lower severity vulnerabilities with known exploits in favor of largely academic, high severity vulnerabilities.”
  • AI on the Attack: Skynet is becoming self-aware!
  • Results Section: Millennials Ruin Everything — Evolving Definitions of Privacy
  • Centralized Information Brokers Emerge

7) Symantec — In a featured blog, Symantec leaders Steve Trilling and Dr. Hugh Thompson offer their list of Cyber Security Predictions: 2019 and Beyond. Their predictions were fairly mainstream. Here are a few:

  • Attackers Will Exploit Artificial Intelligence (AI) Systems and Use AI to Aid Assaults
  • Defenders Will Depend Increasingly on AI to Counter Attacks and Identify Vulnerabilities
  • Growing 5G Deployment and Adoption Will Begin to Expand the Attack Surface Area
  • IoT-Based Events Will Move Beyond Massive DDoS Assaults to New, More Dangerous Forms of Attack
  • Attackers Will Increasingly Capture Data in Transit

8) Kaspersky’s 2019 Predictions were harder to find than last year, but they still offer some very good insights, such as these:

  • No more big APTs
  • Public retaliation
  • Emergence of newcomers — “The thing is that the entry barrier has never been so low, with hundreds of very effective tools, re-engineered leaked exploits and frameworks of all kinds publicly available for anyone to use. As an additional advantage, such tools make attribution nearly impossible and can be easily customized if necessary.”

And these Kaspersky predictions specifically on industrial control systems:

  • The ever-increasing attack surface — The increasing amount of automation systems, the variety of automation tools, number of organizations and individuals with direct or remote access to automation systems, as well as the emergence of communication channels for monitoring and remote control between previously independent objects — all expand the opportunities for criminals to plan and execute their attacks.
  • The underestimation of general threat levels

9) Verizon — I give Verizon a lot of credit for going back every year and looking at how they did at predicting trends from the year before. Verizon offers this list of 7 trends driving enterprise IT transformation in 2019. Most of these are customer focused (and not security-focused) like: “Businesses will invest for performance.” And yet, almost every one of these has a security component that shows up regarding trust and delivery guarantees.

Consider these Verizon predictions:

  • Contextual privacy will be front and center
  • Automation will transform the workforce: Robotic process automation and machine learning (ML) will transform how business operates
  • We’ll go back to basics on security (again), but also focus on specifics: In 2019, organizations will redouble their efforts to strengthen their security posture. It’s about understanding their risk environment, and ensuring they are doing the basics right to protect their business; practicing IT hygiene to keep infrastructure current to protect against vulnerabilities continues to be critical.

10) AT&T — offers these 5 cybersecurity trends to expect in 2019. Starting the list is cybersecurity automation: “As it relates to staffing, we may see a rise in the automation of security and data privacy. …”

Also, after many predictions from 1993 came true, AT&T recently asked their staff to think more long-term about where the world is heading over the next decade or two. You may wonder, what do any of these have to do with security? Quite a bit, if they are going to come true.

Here are some of those AT&T future predictions:

  • Caretaking robots — Robots are already in our homes in the form of vacuum cleaners and cute mechanical dogs, but Andrew McAfee, MIT research scientist, envisions more sophisticated robots helping senior citizens with dementia or children with autism. “One of the great things is they don’t get impatient with human beings,” he said.
  • AI and your digital self — Artificial intelligence can allow us to leave an imprint of ourselves that can remain a hundred years from now. Alicia Abella, VP of operational automation and program management for AT&T, envisions creating an AI print of her deceased father, a pitcher, who could teach her son how to play baseball.
  • Shopping — The mundane task of grocery shopping could be eliminated if Abella has her way. She describes virtually picking her own tomatoes, but through an avatar in the store while she sits at home.
  • Cars — Autonomous driving may end up being a real game changer for the industry. “No one will own a car in 25 years,” said Rasesh Patel, senior executive vice president of retail and care at AT&T.

11) RSA Security (A division of Dell) — Back in October, RSA offered these trends for 2019 in the Middle East, which quite frankly read like more of the same as in 2018. However, this updated December list of 7 trends to watch out for seems more cutting edge — but no big surprises.

Here are a few new RSA security predictions:

  • More sophisticated artificial intelligence features of security tools in 2019.
  • Cryptomining will continue to be a threat as long as attackers can make quick cash from the infections. Be on the lookout and deploy endpoint and intrusion prevention tools designed to detect these exploits. (Note: This is different than others who think this trend is fading.)
  • Lack of backup verifications will continue to plague IT managers, making ransomware a continued threat in 2019.

12) Forbes — Most readers know that Forbes magazine online offers a wealth of different perspectives and experts on a variety of topics, but they also carefully select who speaks for them. This list of 60 cybersecurity predictions for 2019 by Gil Press is worth reading through, mainly because it covers the thoughts of some excellent leaders in smaller companies that are breaking ground on new ideas and cybersolutions in areas like AI.

Here are a few of my favorites on the Forbes list:

  • Terrorist-related groups will attack population centers with crimeware-as-a-service. …
  • Managing privacy will be the new normal, like securing data or paying taxes. Privacy will continue on a similar path as the evolution of cybersecurity. …
  • “In 2019, healthcare organizations will be the number one target for attackers. …”

13) Bitdefender cracks the top list for the first time, with this well-thought-out list from Liviu Arsene, who is a Global Cybersecurity Researcher.

Some of their top predictions:

  • macOS attacks on the rise — Apple’s share of the desktop market is rising, and malware designed to infect Macs is growing along with it.
  • Combating invisible threats — Network-level exploits will enter the limelight next year, and they will likely be hyped by social media, if history is any indication.
  • A shift toward mobile attacks — Fintech services are paving the way to a very profitable new trend for hackers, particularly in the mobile space. The more money they manage on behalf of their users, or the tighter the integration with traditional banking systems, the more attention they will get from cybercrooks who will likely develop new threats targeting these specific services in 2019.

14) Sophos Labs offers an excellent 2019 Threat Report that highlights cybertrends for the coming year, some pontification about 2018 as well as conclusions like “ransomware is not going away.” Here are a few of the Sophos cyberthreat trend topics covered as we head into 2019:

  • Targeted attacks gain popularity, reap deep rewards
  • What’s old is new again
  • Transitioning to manual attack mode
  • SamSam ransom payments — Total: $6.5 million USD
  • Attacker techniques evolve to use what’s already there
  • “Living off the land” is the new law of the land
  • How “LoL” changes malware detection and prevention
  • The growth explosion of Office exploits
  • Mobile and IoT: Malware is not slowing down
  • The growing and persistent threat of mobile malware
  • Android: The good, the bad, and the ugly
  • Unusual malicious campaigns affecting the Android platform
  • Attacks against the internet of things

15) IBM’s predictions could not be more different from Forcepoint’s. In a sentence, Big Blue is going “all-in” on AI and throwing a bit of quantum computing in the mix for 2019 to help solve our growing problems.

  • Causality will increasingly replace correlations
  • Trusted AI will take center stage
  • Quantum could give AI an assist

IBM’s X-Force Labs also put out their own predictions this week which can be found here.


16) Forrester — The resources of Forrester, Gartner and a few similar companies are extensive in the prediction space, but finding their content can be difficult, given that their business models ask you to pay for the details behind their materials. Most of their reports are not free.

Still, there are many ways to get Forrester prediction overviews (with details often hidden unless you pay) in both technology and security.

For technology, here are 14 quick tech predictions for 2019 — leading with “Customer experience (CX) remains under fire.”

For security, this blog lays out Forrester’s 2019 themes, such as “Economic espionage will reawaken because of the US-China trade war.” And, “women CISOs will increase as companies look for different perspectives.”

17) Gartner offers these 2019 “Top Strategic Predictions for 2019 and Beyond.” Here are some interesting samples — that go into the 2020s:

  • Affidavits fail cyberbullying — By 2023, 25% of organizations will require employees to sign affidavits to avoid cyberbullying, but 70% of these initiatives will fail.
  • Personal data poisons blockchain — By 2022, 75% of public blockchains will suffer “privacy poisoning” — inserted personal data that renders the blockchain noncompliant with privacy laws.
  • Consumers ignore security breaches — Through 2021, social media scandals and security breaches will have effectively zero lasting consumer impact.

18) Nuvias Group — Ian Kilpatrick, EVP Cyber Security, Nuvias Group, offers a simple, straightforward list that seems pragmatic, with few surprises.


Top 3 Predictions:

  • Increase in crime, espionage and sabotage by rogue nation-states
  • GDPR — the pain still to come
  • Cloud insecurity — it’s your head on the block

19) Barracuda MSP — offers this list of 2019 predictions via ChannelFutures.com — Here are a few:

  • Email security will continue to dominate the threat landscape.
  • Cybersecurity education will be key to mitigating threats and vulnerabilities.
  • Differentiation will happen through vertical focus. (for channel partners)

Bonus cyber prediction to round off to an even 20 — heading into 2020:

Zscaler offers this excellent list of predictions that starts with these three items:

  • We’ll see an increase in attacks targeting specific cloud applications.
  • Governments will look to the private sector for help with securing cloud apps.
  • More state-employed white hat hackers will “moonlight” with organized criminal elements.

Honorable Mention Predictions — These are not in my top 19, but offer good predictions. If you don’t see your organization’s predictions on the list, let me know, and I will consider adding after review. (Note: The prediction must be available online to reference details via a link):


  • Channelnomics.com — Offers these vendor predictions. I like this excerpt: “Ninety-nine percent of partners questioned for a December 2018 survey by network security firm Untangle said that cyber security as an overall part of their business will increase or stay the same in 2019, while 80 percent believe that their cyber security revenue will increase in 2019. …”
  • SC magazine offers these six cybersecurity predictions, leading with: “Zero Trust Goes from Buzzword to Reality.”  
  • Information-management.com offers these 10 cybersecurity predictions for 2019 — leading with “Increase in crime, espionage and sabotage by rogue nation-states.”
  • DZone offers an extensive list of 2019 security predictions starting here; however, they ask whether overall predictions are very different from last year. They believe that “we are making progress against cyber attacks.” Still, their detailed list is worth reviewing, as they are a rare predictor with optimism.

  • BioMetricUpdate.com offers these unique and fascinating cybersecurity predictions, from the ‘first major biometric hack’ to ‘IoT devices start to scam users’ – meaning that our fridges and washing machines may start buying (authorizing payments for) unwanted items.
  • Thycotic – Joseph Carson, Chief Security Scientist at Thycotic, is very smart, with global experience and has amazing cyberstories. His 5 cyber predictions are worth reading and begin with a unique prediction “million-dollar data breach fines.”
  • CDO Trends offers these 5 Ways 2019 Can Be Very Different For Cybersecurity. They lead with this from CyberArk: “Emerging ‘unique human identities’ under attack” – meaning “attackers will increasingly target these identities to gather massive amounts of biometric data for future modeling purposes and nefarious use. …”
  • Splunk has come out with their predictions for 2019, which are highlighted here. Their ebook, which requires registration, covers AI and machine learning, security, IT operations, and IoT. Splunk predicts that security teams will benefit from big data platforms, machine-learning-based analytics, and orchestration and automation technologies.
  • NTT Security issued their predictions for 2019, and they were one of the few companies saying that a significant cyberattack against critical infrastructure (albeit in a developing nation) will lead to a major health or safety impact on the nation’s citizens.
  • Robert Ackerman Jr., who is the founder and managing director of AllegisCyber offers his perspective on a worse hacking landscape in 2019. One specific (and new) item on his list – more cyber attacks on satellites. Robert also says ransomware will expand – while others say the opposite.
  • Healthcare Analytics News (HCANews.com) offers these thoughts on what’s next for cybersecurity. Some of these forecasts are opposites of others on this list (such as the death of passwords being overblown). At the same time, this is unique: “We will get one step closer to living in “The Matrix.” They also are starting to see cybersecurity as a competitive advantage in 2019. (I agree)
  • KnowTechie.com offers these cyber security predictions for 2019 from Evan Morris, with many familiar items on his New Year’s Eve list. Here’s a new item near the end: “New jobs appearing, such as chief cybercrime officer (CCO).”
  • Zack Whittaker, a senior editor at TechCrunch, offered an entertaining list of activities to expect in cybersecurity in 2019 – a few hours before the ball dropped in NYC. I give him credit for including: “Brexit hampering U.K. start-up growth” and “draconian Australian encryption laws will hurt” which are not on other lists. His opening rant on how “predictions are not news,” and “predictions emails piss me off” reminds me of Ira Winkler’s similar sentiments offered a few years back in this Computerworld opinion: “Hocus-pocus! The stupidity of cybersecurity predictions.” My detailed (contrarian) response to Ira (and now Zack) on why this is happening and how to benefit can be found here. While I can relate to Zack’s experiences related to companies having prediction agendas, this is just a warm-up for 2020. He would get the ‘Ticked Off Award’ – if I had one.
  • ChannelE2E.com brings us Tim Brown, SolarWinds MSP VP of Security, who offers 4 Cybersecurity Predictions for 2019 that focus on how data breach reporting may expand and on how “MSPs and MSSPs will partner.” This piece offers a unique and helpful perspective for security service providers. 



What’s Missing From These Predictions?

Very little is mentioned about cyberattacks trying to take advantage of or disrupt global events, from sports events like March Madness betting to the Rugby World Cup scheduled in Japan in 2019 to G8 and other potential gatherings.

It’s hard to say how financial markets could be impacted in 2019, but the recent big drop in stocks in the USA is certain to cause change and probably some hacker pain somewhere. With Fed testimony on 12/19/18, the market swung over 500 points on the words spoken by the Fed Chairman. Could false online rumors in 2019 cause a major stock market move? Or, could hackers somehow manipulate stocks?

After everyone seemed to have a prediction on bitcoin in 2018, the huge drop in price has quieted talk about cryptocurrencies, but expect more hacking and other shenanigans with digital currencies.

Also, hacktivism is rarely mentioned for 2019, but a comeback of the small guys making headlines is sure to erupt at some point regarding global hacktivist activity. Indeed, I think a lot of that happened in 2018, but was below the radar. Could the “yellow vests” in France or others around the world do more online disruption? I think so. See this piece for more on this trend.

Finally, cyberinsurance will evolve in some of the ways outlined in this UK article.

Closing Thoughts

Here’s one cyberprediction from yours truly (Dan Lohrmann) for 2019 — more organizations and media outlets than ever will be making cyberpredictions for 2020 next October through December about the decade in cyber to come. Expect many more trends and forecast lists with titles similar to “top 20 security predictions for the 2020s.”

And as we head into 2019, I want to thank you for continuing to fight the cyberfight — despite the challenges and moving threat landscape that makes data protection so difficult.

Peter Drucker once said that “trying to predict the future is like trying to drive down a country road at night with no lights while looking out the back window.”

But Alexander Graham Bell once said: “The day will come when the man at the telephone will be able to see the distant person to whom he is speaking.”

How did he know that?



via:  govtech



SANS Holiday Hack Challenge Open Now through January 14, 2019



The FREE annual SANS Holiday Hack Challenge is underway right now! This year, Santa is hosting KringleCon, a virtual conference at the North Pole, where you walk through Santa’s virtual castle and watch 22 top-notch recorded 12-18 minute talks with directly applicable technical skills. And, within your browser, you can also walk around Santa’s castle solving cyber defense, DFIR, and pen test challenges as an entertaining and surprising holiday plot unfolds. You’ll get to match wits with a holiday super villain while listening to a custom album of holiday tunes. It’s fun for all ages, and it is SANS’s gift to the cyber security community. Over 15,000 people have played so far! Get it all for free at https://holidayhackchallenge.com.





House panel: Equifax breach was ‘entirely preventable’

The devastating 2017 breach of credit-reporting company Equifax, which exposed data on 148 million people, was “entirely preventable” had the company applied proactive security measures, a congressional investigation has concluded.

“Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented,” says the report issued Monday by Republicans on the House Oversight and Government Reform Committee.

The committee’s 96-page report lays out why the hack, which compromised people’s names, social security numbers, addresses, credit card numbers, and other identifiers, has become a case study in failed IT leadership and software patching.

A “lack of accountability and no clear lines of authority in Equifax’s IT management structure” meant key security protocols were neglected, the House panel found: Equifax allowed over 300 security certificates to expire, including 79 for monitoring “business-critical” domains.

Furthermore, the company did not spot data being exfiltrated from its systems because a device used to monitor traffic had an expired security certificate, leaving the device inactive for 19 months, the report said.

The committee also found that former Equifax CEO Richard Smith’s “aggressive growth strategy,” which included numerous acquisitions, bred security risks at the company. As the credit-monitoring giant’s market share surged, it didn’t grasp how the 18 companies it had acquired changed its security posture, according to the committee.

In a statement, Equifax spokesman Jacob Hawkins said the company had found “significant inaccuracies” in its preliminary review of the committee’s report, and that the company disagreed with “many of the factual findings.”

For example, Hawkins said, the report refers to a settlement with state attorneys general that hasn’t happened and inaccurately describes the company’s online portal for consumer disputes as dating to the 1970s, when it was really built more recently.

“We are deeply disappointed that the committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information,” Hawkins said, adding that Equifax had “worked in good faith for nearly 15 months with the committee.”

Congressional investigators found that Equifax was vastly unprepared for supporting victims of the breach. A website and call centers for victims were flooded, depriving consumers of timely information on how the hack affected them, the committee said.

The long-running fallout from the breach has seen senior executives lose their jobs and U.S. lawmakers excoriate the company for faulty security. Although the company avoided paying a fine with U.S. state regulators in June, a U.K. regulator fined Equifax $664,000 in September for failing to protect information related to 15 million U.K. residents.

With its focus on IT mismanagement, the post-mortem on the Equifax hack is reminiscent of the aftermath of another big compromise of personal information: the 2015 Office of Personnel Management breach. That breach saw alleged Chinese hackers steal sensitive information on some 22 million current and former federal workers.

Although U.S. officials have long suspected and, in some cases, accused, Chinese hackers of breaching OPM, less is publicly known about who orchestrated the Equifax hack. (Two years before it was hacked, Chinese spies targeted Equifax’s confidential business information, the Wall Street Journal reported.) The House Oversight report says that Equifax identified “suspicious traffic” from at least one Chinese IP address while responding to the breach, but these are merely clues in the attack rather than conclusive attribution.

In February, Equifax hired Jamil Farshchi, who helped Home Depot respond to its data breach, as chief information security officer. In a July interview with CyberScoop, Farshchi outlined a three-part plan to change the security culture at Equifax. Farshchi said then that the company didn’t know who carried out the hack.

The House Oversight committee’s 14-month investigation produced several security recommendations for organizations to avoid being the next breach victim, or at least mitigate the damage, including: moving away from Social Security numbers as an identifier, ditching legacy IT systems, and being more transparent about cybersecurity risk with regulators.

Prior to getting hacked in 2017, Equifax didn’t disclose any cybersecurity incidents or risks it was carrying in its filings with the Securities and Exchange Commission, the committee said. Hawkins, the Equifax spokesman, said that was incorrect, that the company had indeed addressed cybersecurity risk in its SEC disclosures.

House Democrats on Monday released their own report on the Equifax breach, complaining that their suggestions were not included in the report from the House Oversight committee Republicans. The Democrats’ report advocates for a federal law to ensure more timely public notifications of data breaches.

via:  cyberscoop



Marriott Hit by Massive Data Breach: 500 Million Starwood Customers Impacted

Marriott International said early Friday that data on roughly 500 million customers staying at Starwood hotel properties had been compromised in a breach that gave unknown attackers access to the Starwood network since 2014.

The company said it has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.

The hotel giant said that on September 8, 2018, it received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. The company said it “quickly engaged leading security experts” to conduct an investigation, which found that there had been unauthorized access to the Starwood network since 2014.

“Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that it was from the Starwood guest reservation database,” the company said in a breach disclosure.

According to the company, customers who made a reservation on or before September 10, 2018 at a Starwood property likely had their information compromised, which the company broke down as follows:

For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information. Marriott reported this incident to law enforcement and continues to support their investigation.

Marriott completed its acquisition of Starwood Hotels & Resorts Worldwide to create the world’s largest hotel company.

Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Starwood branded timeshare properties were also impacted by the incident.

Marriott said it was working to phase out Starwood systems and accelerate ongoing security enhancements to its network.

Shares of Marriott International are trading down roughly 6% in pre-market trading at the time of publishing. 

 

Via:  securityweek

