Category Archives: Safety & Security

Cybersecurity confirmation in March quarter earnings

Cybersecurity confirmation in March quarter earnings

We are in the thick of the March quarter earnings season and following a week of Big Tech earnings that included Apple (AAPL), Alphabet (GOOGL), Facebook (FB), and Amazon (AMZN), the coming week will be an earnings barn burner for constituents in the Foxberry Tematica Research Cybersecurity & Data Privacy Index (FXBYCYBR). One of the key tentpole investment thesis underlying the Cybersecurity & Digital Privacy index should once again be confirmed – as our lives become increasingly connected with accelerating 5G deployments, the expanded scope of connected devices and the internet of things will fuel demand for cybersecurity solutions. The groundwork for what we will hear in the coming weeks reflects the number of high-profile attacks early in the March quarter, the quarterly results and commentary from the handful of index constituents that have recently reported their quarterly results, and newly published reports discussing developments in the cybersecurity market.

10 major attacks during the March 2021 quarter

The COVID-19 pandemic accelerated the digital transformation that was underway for many companies as the adoption of work and learn from home, greater interconnectivity, and the shift to the cloud, all led to a surge in cyberattacks. Findings from Forrester consulting revealed companies felt they “had become more vulnerable” to cyberattacks since the start of the pandemic as total cyber losses among the affected firms rose to $1.8 billion, a 50% increase compared to the prior year. [1] A separate report from Hiscox found companies in the UK and Europe doubled cybersecurity spending to combat the increase in cyberattacks during 2020[2] but a finding published in the 24th Annual Global CEO Survey from PwC shows 47% of CEOs are concerned with cyber threats, up from 46% in 2020.

That increase in concern is understandable given the number of high-profile attacks that occurred during the March 2021 quarter:[3]

  • Threat actors actively exploited four zero-day vulnerabilities in Microsoft’s (MSFT) Exchange Server that resulted in at least nine government agencies and 60,000 private companies in the US alone being affected by the attack.
  • Computer giant Acer Inc. (ACEYY) suffered a ransomware attack and was told to pay a ransom of $50 million.
  • A data breach at aircraft company Bombardier (BDRBF) resulted in the compromise of the confidential data of suppliers, customers, and around 130 employees located in Costa Rica.
  • A cyber-attack disrupted US cyber insurance firm CNA Financial Corp.’s (CNA) customer and employee services for three days with the company forced to shut down to prevent further compromise.
  • London-based Harris Federation suffered a ransomware attack and was forced to “temporarily” disable the devices and email systems of all the 50 secondary and primary academies that it manages.
  • Australian broadcaster Channel Nine was attacked, leaving the company unable to air its Sunday news bulletin and several other shows.
  • A ransomware attack against the internal IT systems at IoT device manufacturer Sierra Wireless (SWIR) led to the company halting production at its manufacturing sites.
  • Cybercriminals engineered an attack on a Florida water treatment facility seeking to poison the plant’s water supply by increasing the amount of sodium hydroxide to a potentially dangerous level.

And while those and other high-profile attacks garner media attention, 30,000 websites were hacked per day in 2020 and every 39 seconds there is a new attack somewhere on the web.[4] To combat the “growing cyber challenge” as the scale of the problem “continues to both change and grow,” businesses are allocating more resources, including a 39% increase in cybersecurity spending.[5] That increase is leading to favorable year-over-year revenue and earnings metrics that have already reported their March quarter results and is poised to do the same at those that have yet to do so.

March quarter earnings

According to Zacks, during April, more than 1,500 companies reported their quarterly results and among there were several favorable reports from index constituents. Several key themes were had including:

  • Revenue and EPS for the March quarter came in ahead of consensus expectations;
  • Upward revisions were had to financial guidance;
  • Warnings that the number of attacks continue to grow even as bad actors continue to innovate new attack strategies.

Check Point Technologies (CHKP) reported a March quarter beat with revenue up 5% year-over-year to $508 million, while EPS for the quarter rose 9% to $1.54. Deferred revenue for the quarter climbed 8% compared to the March 2020 quarter, reaching $1.458 billion.

Per the company: “As hackers continue to find new ways to exploit the pandemic’s disruption, Check Point Research warned organizations about a global surge in ransomware attacks, alongside increases in cyber-attacks targeting Microsoft Exchange Server vulnerabilities. This uptick included a 57% increase in organizations affected by ransomware during a 6-month period.”

March quarter results at F5 Networks (FFIV) topped expectations with revenue for the quarter up 10% year over year to $645 million. According to the company, it is seeing stronger than anticipated demand across the board as “Business and consumers increasing reliance on applications has accelerated all prior expectations about the pace of digital transformation… customers across the globe are scaling their digital assets faster, resulting in a growing demand for F5’s application security and delivery solutions.”

During the quarter, F5’s transition to a subscription-based model continued with record subscription volume leading subscriptions to account for 79% of its software revenue in the quarter vs. 73% in the year-ago period. Meanwhile, Systems revenue rose 17% year-over-year due to increases in “application traffic, the continued growth of systems-based security use cases as well as the emergence of 5G-driven service provider demand.”

When it reported its March quarter results, FireEye (FEYE) bested consensus expectations with $246.3 million in revenue, a 10% increase vs. the year-ago period, and boosted its 2021 guidance to $1.01-$1.03 billion vs. $941 million in 2020 and $889 million in 2019. During the quarter, the company’s annual recurring revenue climbed 9% to $643 million. Leading that charge was the company’s platform cloud subscription, managed services professional services that amounted to 69% of total billings in the quarter, up from 56% a year ago.

The March quarter also showed FireEye making progress on bagging larger deals as the number of products per customer continued to grow. During the quarter, the company closed 30 transactions greater than $1 million and more than 70% of those transactions included three or more products or solutions, and 60% included consulting services.

On the company’s earnings conference call, it shared its findings that “actors continue to innovate faster than the technologies customers are deploying to protect their networks and organizations are deploying to protect their networks. The attackers are learning new ways to circumvent conventional safeguards that cannot or do not learn from the frontlines in a timely manner.”

Later on in the call, FireEye added the following: “Nearly half of the 294 distinct malware families we observed in investigations last year were new and never seen before. More than 80% of these new malware families were not publicly available, meaning they were privately developed, and availability was restricted in some way. And 70% of all the malware families we observed were only found in a single intrusion set.”

Fortinet (FTNT) reported March quarter revenue that climbed 23.1% compared to the year-ago quarter reaching $710.3 million, nicely ahead of the consensus forecast. EPS for the quarter cruised past consensus expectations as well hitting $0.81 per share. Billings for the quarter jumped 27% year over year to $850.6 million while total deferred revenue exiting the quarter rose roughly 25% to $2.75 billion.

Cloud security solutions were a driving force in the company’s Service revenue, growing to $460 million during the quarter. Support and professional services revenue increased 21% to $210 million, while Fortinet’s subscription revenue grew 21% year-over-year and low-single-digit quarter-over-quarter gains to $255 million. For the current quarter, the company sees revenue of $733-$747 million, up 19%-21% year over year, and ahead of the $732 million consensus.

Upcoming constituent earnings reports

As the pace of quarterly earnings accelerates further in the coming weeks, with roughly 2,540 such reports to be had in May vs. 1,507 in April, a greater number of index constituents are slated to issue their latest quarterly results:

  • Tuesday, May 4: Commvault (CVLT), McAfee (MCFE)
  • Wednesday, May 5: CyberArk (CYBR), Radware (RDWR), Ping Identity (PING)
  • Thursday, May 6: NetScout Systems (NTCT), Cloudflare (NET)
  • Monday, May 10: Norton Lifelock (NLOK), SailPoint (SAIL)
  • Tuesday, May 11: Mimecast (MIME)
  • Thursday, May 13: Nice Ltd. (NICE), Tufin Software (TUFN)
  • Wednesday, May 19: Cisco Systems (CSCO)
  • Thursday, May 20: Palo Alto Networks (PANW), Splunk (SPLK)
  • Thursday, May 27: Okta (OKTA), Zscaler (ZS)

When we held the last webinar at the end of March, before the current earnings season got underway, we commented that the constituents of the Cybersecurity and Digital Privacy Index were poised to grow their aggregate revenue and EPS by more than 20% over the 2020-2022 period. As we tally the upcoming earnings reports, we’ll have a much better sense for the degree to which 2021 cybersecurity industry spending forecasts calling for year over year growth of 10% are conservative and how translates into even faster revenue and earnings growth for the basket of constituents. We continue to see consensus expectations for that basket moving higher over the coming quarters as the increasingly pervasive nature of attacks is once again realized while the combination of new technologies, new business models, and sadly new types of attacks expands the addressable market even further.

==============================================================

[1] “Firms are Spending More on Cybersecurity To Combat Growing Threats” available at https://digit.fyi/firms-are-spending-more-on-cybersecurity-to-combat-growing-threats/

[2] IBID

[3] “10 Major Cyber Attacks Witnessed Globally in Q1 2021” available at https://securityboulevard.com/2021/04/10-major-cyber-attacks-witnessed-globally-in-q1-2021/

[4] “How Many Cyber Attacks Happen Per Day in 2020?” available at https://techjury.net/blog/how-many-cyber-attacks-per-day/

[5] “Firms are Spending More on Cybersecurity To Combat Growing Threats” available at https://digit.fyi/firms-are-spending-more-on-cybersecurity-to-combat-growing-threats/

California voters approved California Privacy Rights and Enforcement Act. Now what?

California voters approved California Privacy Rights and Enforcement Act. Now what?

On November 3, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), a comprehensive privacy law that expands the California Consumer Privacy Act (CCPA). Of note, the CPRA creates more stringent requirements for companies that collect and share sensitive personal information and creates the California Privacy Protection Agency, which will be responsible for enforcing CPRA violations once the CPRA becomes effective on January 1, 2023. Most privacy experts believe the CPRA moves California closer to the European Union’s General Data Protection Regulation (GDPR).

The CPRA defines “sensitive personal information” as a wide range of data points that includes things like account and login information, precise geolocation data, contents of mail, email and text messages, genetic data, Social Security numbers, drivers licenses, passports, financial accounts, race, ethnicity, religion, union membership, personal communications, genetic and biometric data, health information, and anything about sex life or sexual orientation.

CPRA sets limits on the collection and retention of personal information, requiring a business to retain only that which is reasonably necessary to achieve the purposes for which the personal information was collected or processed. In addition, the CPRA requires businesses to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.

The CPRA also expands the private right of action for consumers to bring claims against a business for the unauthorized access or disclosure of an email address and password or security question that would permit access to an account, along with access to a consumer’s non-encrypted and non-redacted personal information. It creates triple damages for violations relating to consumers who are minors under the age of 16.

One key change in the CCPA requirements in the CPRA is an extension of an exemption for businesses in terms of their employees’ data. The CPRA gives businesses the exemption from meeting the consumer privacy requirements’ tough standards for their employees until January 1, 2023. However, businesses will have to comply with certain aspects of employee privacy protection between now and then.

Source: California voters approved a new and even tougher data privacy act.  What happens now?

Cloudflare and Apple design a new privacy-friendly internet protocol

Cloudflare and Apple design a new privacy-friendly internet protocol

Engineers at Cloudflare (NET) and Apple (AAPL) say they’ve developed a new internet protocol that will shore up against “one of the biggest holes in internet privacy.” Dubbed Oblivious DNS-over-HTTPS (ODoH), as Nick Sullivan, Cloudflare’s head of research explains, it is meant to “separate the information about who is making the query and what the query is.”

Every time you go to visit a website, your browser uses a DNS resolver to convert web addresses to machine-readable IP addresses to locate where a web page is located on the internet. But this process is not encrypted, meaning that every time you load a website the DNS query is sent in the clear. That means the DNS resolver — which might be your internet provider unless you’ve changed it — knows which websites you visit. That’s not great for your privacy, especially since your internet provider can also sell your browsing history to advertisers.

Enter ODoH, which decouples DNS queries from the internet user, preventing the DNS resolver from knowing which sites you visit.

ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.

Cloudflare (NET) is a constituent in the Foxberry Tematica Research Cybersecurity & Data Privacy Index.

 

Source: Cloudflare and Apple design a new privacy-friendly internet protocol | TechCrunch

Almost one-third of top online shopping domains are vulnerable to a cyber attack

Almost one-third of top online shopping domains are vulnerable to a cyber attack

It’s extremely important for digital shopping and e-commerce platform websites that handle sensitive customer information to ensure the communication between servers and users is encrypted. As we move in the 2020 holiday shopping season, one that is widely expected to shift considerably to digital shopping given the resurgence in the coronavirus, this is more critical than ever. However, new report from CyberNews found that nearly one-third of analyzed web servers were vulnerable.

CyberNews decided to see if popular online shops take their encryption hygiene seriously. To do this, our Investigation team analyzed the web servers of 2,620 popular online shopping domains for SSL configuration security, as well as their susceptibility to known vulnerabilities related to the Secure Sockets Layer (SSL) encryption protocol.

…to carry out this investigation, we gathered a list of the top 2,620 online shop domains on Google search. We then tested them for their SSL web server configuration security and their susceptibility to six known high-severity SSL vulnerabilities by using the Qualys SSL Server Test service.

We found that even though the absolute majority of online shops follow excellent to good SSL configuration practices in general, almost a third of the web servers we analyzed are susceptible to known SSL vulnerabilities, with the BEAST vulnerability being the most widespread among online shops.

BEAST (short for Browser Exploit Against SSL/TLS) is an attack that allows a threat actor to access the data exchanged between a web server and the user’s web browser.

Source: 30% of top online shopping domains are vulnerable to BEAST SSL attack | CyberNews

How The Pandemic Has Increased The Need for Cybersecurity

How The Pandemic Has Increased The Need for Cybersecurity

The first known cyberattack hit in 1988, when what became known as the Morris Worm installed itself on a computer every one out of seven times, even if the computer claimed it already had the program. With each installation, the infected computers would become further debilitated until they finally crashed. The worm damaged approximately 6,000 computers, which represented 10% of the entire internet at the time, and we have never looked back.

Over the ensuing three decades, computing and connectivity would become increasingly ubiquitous as more of how we work, play, and live becomes digital, and the combination of chips and sensors have become the fabric of our lives.

The dark side of this increasingly digital lifestyle is the voluminous growth in the number of attack vectors by cybercriminals and other bad actors. While driven primarily by financial motives, one of the more lucrative areas for cybercriminals today is data theft. Early in 2020, the Department of Homeland Security warned of an increase in cyber threats due to heightened tensions with Iran. Later in 2020, a little thing known as the coronavirus accelerated the adoption of digital technologies and solutions, leaving us and our data increasingly vulnerable as companies were forced to go virtual nearly overnight.

Read more here…

GAO report warns of aviation cybersecurity risks

GAO report warns of aviation cybersecurity risks

We at Tematica are unfortunately firm believers that the new connective technologies and applications associated with our Digital Lifestyle and Digital Infrastructure investing themes will create new attack vectors for cyberattackers and other bad actors. A new report  describes the connected entrainment we enjoy while traveling on aircraft as an example of just that. Another market that will help drive cybersecurity and data privacy spending that is captured by the Foxberry Tematica Research Cybersecurity & Data Privacy USD PR Index and the Rize Cybersecurity and Data Privacy UCITS EFT (CYBR).

The Government Accountability Office (GAO) noted in a report Friday (Oct. 9) that the Federal Aviation Administration (FAA) has not held testing of possibly susceptible technology, prioritized digital risks or created a digital security instruction program.

Entertainment systems, wireless networks, technologies that send information back to earth without intervention and position broadcasts are some of the complex digital infrastructure on commercial airliners.

According to the report, as noted by Bloomberg, “Until FAA strengthens its oversight program, based on assessed risks, it may not be able to ensure it is providing sufficient oversight to guard against evolving cybersecurity risks facing avionics systems in commercial airplane.”

Source: GAO Warns Of Aviation Cybersecurity Risks | PYMNTS.com

Data breach exposes data of more than 100K patients at Utah Pathology Services

Data breach exposes data of more than 100K patients at Utah Pathology Services

A number of reports have named healthcare facilities and services as a prime target for cyber attacks, no surprise given the amount of personal data contained in their patient records. What the below report shows, however, is it took the identification of a different problem to reveal the the scope of data that was being made available, including in some cases social security numbers.

As one might expect, Utah Pathology has updated its security measures but it has also offered one year of free identity monitoring services to individuals affected by the incident.

 

The company wrote it discovered on June 30 that an unknown third party hacked into one of its email accounts in an attempt to redirect funds from the business. After discovering the attempted fraud, Utah Pathology secured the email account and launched an investigation.

Approximately 112,000 patients had their personal information exposed by a data breach at Utah Pathology Services.

The breach was discovered when the organization discovered “an unknown party attempted to redirect funds from within Utah Pathology,” according to a press release from the company. The attempted fraud led to the discovered of that patient information was accessible and included one or more of the following:

    • Date of birth
    • Gender
    • Phone number
    • Mailing address
    • Email address
    • Insurance information including ID and group numbers and clinical and diagnostic information related to pathology services
    • And, for a smaller percentage of patients, Social Security number

 

Source: Breach exposes data of more than 100K patients at Utah Pathology Services | KUTV

Emerging Technology Trend: Data Privacy Compliance Becomes Part of a New Normal

Emerging Technology Trend: Data Privacy Compliance Becomes Part of a New Normal

Data privacy compliance will spur corporate spending, leading to an investing opportunity to those that recognize it.

The General Data Protection Regulation (GDPR) was adopted in April of 2016 by the European Union and became effective in May of 2018. At a high level, these regulations are fairly straightforward in their requirement to “Protect User Data,” but we see that, like any regulation worth its salt, compliance may not be as straightforward as advertised. As you’ll see, despite the complexities and sea of acronyms to be had, the bottom line is data privacy compliance will spur corporate spending, leading to an investing opportunity to those that recognize it. With that said, here’s a look at GDPR’s set of regulations affecting companies that collect data on citizens of countries within the European Union.

This legislation looks to lay out a framework that protects “fundamental rights and freedoms of natural persons and in particular their right to protection of personal data.” From the get-go, this is strong stuff. This is targeted at information that users have already provided (knowingly or unknowingly) to companies they interact with online.

READ MORE HERE: Emerging Technology Trend: Data Privacy Compliance Becomes Part of a New Normal | Nasdaq

Alexa hack showcases vulnerabilities in connected IoT devices

Alexa hack showcases vulnerabilities in connected IoT devices

A recent report from Check Point Security (CHKP) revealed a number of Amazon (AMZN) and Alexa subdomains were vulnerable to a Cross-Origin Resource Sharing (CORS) misconfiguration and Cross Site Scripting (XSS). The report goes on to say that by using XSS, an attacker would be able to acquire a CSRF token that would provide them access to elements of the smart home installation. Another reminder of the dark side to our increasingly connected Digital Lifestyle and one that also bodes well for those constituents inside the Foxberry Tematica Research Cybersecurity & Data Privacy Index

According to the researchers, these could include automatically installing Alexa skills without the knowledge of the user, acquiring a list of all installed skills, silently removing installed skills, acquiring the victim’s voice history with Alexa, and to even gain personal information.

This skill manipulation can allow for a modified version of an existing skill to be installed and then used by the user, one that could allow actions to be performed by the attacker, or for further acquisition of data from the user. It could even be possible for an attacker to install a skill to eavesdrop into conversations near an Echo device.

“Internet of Things devices are inherently vulnerable and still lack adequate security, which makes them attractive targets to threat actors,” Check Point writes. “Cybercriminals are continually looking for new ways to breach devices, or use them to infect other critical systems. This research presented a weak point in what is a bridge to such IoT appliances. Both the bridge and the devices serve as entry points. They must be kept secured at all times to keep hackers from infiltrating our smart homes.”

Source: Alexa hack granted attackers access to an Echo user’s smart home network | Appleinsider