Congratulations!

[Valid RSS] This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: https://www.csoonline.com/feed/

  1. <?xml version="1.0" encoding="UTF-8"?><rss version="0.92">
  2. <channel>
  3. <title>CSO Online</title>
  4. <link>https://www.csoonline.com</link>
  5. <description>Security at the speed of business</description>
  6. <lastBuildDate>Thu, 23 May 2024 08:59:50 +0000</lastBuildDate>
  7. <docs>http://backend.userland.com/rss092</docs>
  8. <copyright>Copyright (c) 2024 IDG Communications, Inc.</copyright>
  9. <language>en-US</language>
  10. <!-- generator="WordPress/6.4.4" -->
  11.  
  12. <item>
  13. <title>Critical flaw found in Fluent Bit cloud services monitoring component</title>
  14. <pubDate>Thu, 23 May 2024 08:59:50 +0000</pubDate>
  15. <description><![CDATA[<div id="remove_no_follow">
  16. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  17.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  18. <div class="article-column__content">
  19. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  20.  
  21.  
  22.  
  23. <p>Security researchers at Tenable have discovered a potentially critical memory corruption vulnerability in Fluent Bit, a core component in the monitoring infrastructure of many cloud services.</p>
  24.  
  25.  
  26.  
  27. <p>The vulnerability, dubbed Linguistic Lumberjack and tracked as <a href="https://www.tenable.com/cve/CVE-2024-4323">CVE-2024-4323</a>, stems from coding flaws within Fluent Bit’s built-in HTTP server. Left unresolved the vulnerability could lead to denial of service, information disclosure, or (in the most severe but unlikely case) remote code execution attacks.</p>
  28.  
  29.  
  30.  
  31. <p>Fluent Bit versions 2.0.7 through 3.0.3 are all vulnerable. Fluent Bit version 3.0.4 closes this vulnerability and its associated threats, according to the component’s developers.</p>
  32.  
  33.  
  34.  
  35. <h2 class="wp-block-heading" id="fluent-bit">Fluent Bit</h2>
  36.  
  37.  
  38.  
  39. <p>Fluent Bit is an open-source data collector and processor that can parse log data from various sources. Its scalability makes it suitable for cloud-based environments.</p>
  40.  
  41.  
  42.  
  43. <p>Listed users include AWS, Microsoft Azure and Google Cloud. All three hyperscalers rely heavily on the technology, according to Tenable.</p>
  44.  
  45.  
  46.  
  47. <p>The technology also features in monitoring applications from Cisco, Splunk and others. Other software developers also make use of Fluent Bit, which recorded 3 billion downloads as of 2022 and continues to be deployed more than 10 million times per day.</p>
  48.  
  49.  
  50.  
  51. <p>Tenable reported the issue to the project’s maintainers on April 30, and they responded by developing a patched version of the technology, Fluent Bit 3.0.4, released May 21.</p>
  52.  
  53.  
  54.  
  55. <p>Fluent Bit’s developers <a href="https://fluentbit.io/blog/2024/05/21/statement-on-cve-2024-4323-and-its-fix/">urged technology providers to update</a> “immediately to keep your systems stable and secure” in a statement on their website.</p>
  56.  
  57.  
  58.  
  59. <p>Vulnerabilities in cloud-based systems are normally patched promptly and without user intervention. CSOonline approached hyperscaler cloud providers for comment, with one responding that it had not been impacted by the issue and criticising Tenable’s research as somewhat sensationalised.</p>
  60.  
  61.  
  62.  
  63. <p>Other technology providers that make use of the log monitoring tool have the vulnerability in hand.</p>
  64.  
  65.  
  66.  
  67. <p>CrowdStrike, for example, said it had updated to the patched version of Fluent Bit within its environment, and there was no direct impact to customers running the patched version of Fluent Bit.</p>
  68.  
  69.  
  70.  
  71. <p>However, it warned, “Customers using the LogScale Kubernetes Logging package should redeploy and update to the patched version of Fluent Bit immediately. We further recommend that customers running their own instances of Fluent Bit verify their versions and apply the necessary updates to mitigate any potential risks.”</p>
  72.  
  73.  
  74.  
  75. <p>CSOonline also approached firms that offer enterprise services for Fluent Bit (Calyptia, Fluentd and Clear Code) asking what advice they had for their customers, although none of them immediately responded.</p>
  76.  
  77.  
  78.  
  79. <h2 class="wp-block-heading" id="learning-experience">Learning experience</h2>
  80.  
  81.  
  82.  
  83. <p>In a <a href="https://www.tenable.com/blog/linguistic-lumberjack-attacking-cloud-services-via-logging-endpoints-fluent-bit-cve-2024-4323">technical blog post, Tenable explained how it came across the vulnerability</a> while investigating a separate (as yet undisclosed) flaw in an (unnamed) cloud service, after realising it was able to access a variety of metrics and logging endpoints internal to the cloud service itself, including a number of Fluent Bit instances.</p>
  84.  
  85.  
  86.  
  87. <p>Further testing of Fluent Bit in an isolated environment led to the discovery of the memory corruption issue.</p>
  88.  
  89.  
  90.  
91. <p>More specifically, the embedded HTTP server within Fluent Bit was vulnerable because it failed to sanitize trace requests.</p>
  92.  
  93.  
  94.  
95. <p>This set up a mechanism for attackers to pass unexpected or invalid input to either crash a system or to use memory corruption to expose secret information. A remote code execution attack might also be possible, at least in theory.</p>
  96.  
  97.  
  98.  
  99. <p>Both the developers and Tenable stress that such an attack would be highly dependent on architecture, host OS, and other environmental factors and otherwise difficult to pull off successfully.</p>
  100.  
  101.  
  102.  
  103. <p>Fluent Bit’s developers are treating the whole episode as a learning experience.</p>
  104.  
  105.  
  106.  
  107. <p>“Even though nobody’s excited to receive a critical security notice right before they step out to lunch, this issue still provided us with a helpful nudge to assess our vulnerability prevention practices within the Fluent Bit project,” they wrote. “For example, it was a reminder that some measures we already have in place, like our participation in the <a href="https://bughunters.google.com/open-source-security/oss-fuzz">Google OSS-Fuzz</a> program, are in place for a reason. It also gave us a chance to strengthen other aspects of our incident response and ensure that they’re maximally effective for the future of Fluent Bit.”</p>
  108. </div></div></div></div>]]></description>
  109. <link>https://www.csoonline.com/article/2120918/critical-flaw-found-in-fluent-bit-cloud-services-monitoring-component.html</link>
  110. <post-id xmlns="com-wordpress:feed-additions:1">2120918</post-id><category>Cloud Security, Vulnerabilities</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_2136788461.jpg?quality=50&#038;strip=all" length="4549806" type="image/jpeg" />
  111. </item>
  112. <item>
  113. <title>Hijack of monitoring devices highlights cyber threat to solar power infrastructure</title>
  114. <pubDate>Thu, 23 May 2024 06:00:00 +0000</pubDate>
  115. <description><![CDATA[<div id="remove_no_follow">
  116. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  117.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  118. <div class="article-column__content">
  119. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  120.  
  121.  
  122.  
  123. <p>In what might be the first publicly confirmed cyberattack on the solar power grid infrastructure, Japanese media recently <a href="https://www.sankei.com/article/20240501-ZSOLVFVJZZL6BLQJR6S6SJ23GM/">reported</a> that malicious actors hijacked 800 SolarView Compact remote monitoring devices made by industrial control electronics manufacturer Contec at solar power generation facilities to engage in bank account thefts.</p>
  124.  
  125.  
  126.  
  127. <p>The attackers presumably exploited systems that had not patched a flaw, <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-29303">CVE-2022-29303</a>, that Palo Alto Networks <a href="https://unit42.paloaltonetworks.jp/mirai-variant-targets-iot-exploits/" target="_blank" rel="noreferrer noopener">discovered</a> in June 2023. The cybersecurity company said that the flaw was under active exploitation to spread the <a href="https://www.csoonline.com/article/564711/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html">Mirai botnet</a>. The attackers even posted a <a href="https://www.youtube.com/watch?v=vFo1XETreCs&amp;ab_channel=FlashBrutal">YouTube video</a> demonstrating their exploit on a SolarView system. Contec subsequently patched the flaw on July 18, 2023.</p>
  128.  
  129.  
  130.  
  131. <p>On May 7, 2024, Contec <a href="https://www.contec.com/jp/info/2024/2024050700/">confirmed</a> the most recent attacks on the remote monitoring devices and apologized for the inconvenience. The company alerted power generation facility operators of the problem and urged them to update the device’s software to the latest version.</p>
  132.  
  133.  
  134.  
  135. <h2 class="wp-block-heading" id="the-group-hacker-cn-was-likely-responsible-for-the-attack">The group Hacker CN was likely responsible for the attack</h2>
  136.  
  137.  
  138.  
139. <p>In an analyst <a href="https://piyolog.hatenadiary.jp/entry/2024/05/03/015043#f-9606543d">interview</a>, South Korean security company S2W said that the group responsible for the attack was Arsenal Depository, which appears to refer to a hacker group also known as Hacker CN.</p>
  140.  
  141.  
  142.  
  143. <p>In January 2024, S2W <a href="https://medium-com.translate.goog/s2wblog/detailed-analysis-of-operation-japan-campaign-14834a14a684?_x_tr_sl=auto&amp;_x_tr_tl=en&amp;_x_tr_hl=en&amp;_x_tr_pto=wapp&amp;_x_tr_hist=true">identified</a> Hacker CN as Chinese or Russian, indicating it was involved in hacktivist attacks targeting Japanese infrastructure after the Japanese government discharged contaminated water from the Fukushima nuclear power plant in what S2W called the “Operation Japan” campaign. (Neither Contec nor S2W responded to requests for interviews.)</p>
  144.  
  145.  
  146.  
  147. <p>Although concerning, the exploitation of the remote monitoring devices did not threaten power system operations. However, experts say that in highly capable hands, the intrusion into the exploited devices could have proved even more dangerous. They stress that inverters used in solar installations are a more likely vector through which damaging solar attacks might occur.</p>
  148.  
  149.  
  150.  
  151. <h2 class="wp-block-heading" id="the-attack-didnt-target-grid-operations-but-could-have">The attack didn’t target grid operations but could have</h2>
  152.  
  153.  
  154.  
  155. <p>Experts say the apparent financial motivation leads them to believe the attackers were not targeting grid operations. “Those bad guys were looking for compute devices that they could use to do computer internet-related types of extortion,” Thomas Tansy, CEO of DER Security, tells CSO. “From that standpoint, the fact that they hijacked a contact would be no different than bad guys hijacking industrial cameras, home routers, or other devices that are connected to the internet. The intent of the attack was not to compromise the power grid. It was to extort money.”</p>
  156.  
  157.  
  158.  
  159. <p>But, if the hackers were motivated to disrupt the power grid, they could have exploited these unpatched devices for more malevolent purposes, Tansy says. “Could an adversary pivot and say, ‘We’re no longer interested in extorting people today, we’re interested in interrupting power on the grid?’ Sure. If they had the expertise to do that, the fact that they’re inside the system gives them the opportunity. Of course, they’d have to have the skills and the know-how to pull off, but at that point, the barbarians are inside the gates.”</p>
  160.  
  161.  
  162.  
  163. <p>Access to monitoring systems will grant some level of access to the actual photovoltaic installation, Willem Westerhof, team manager at Secura, tells CSO. “You effectively have local network access. You could try, instead of doing what they did, you could try to leverage that access to attack anything that is in the same network.”</p>
  164.  
  165.  
  166.  
  167. <h2 class="wp-block-heading" id="attackers-could-gain-access-to-a-central-control-system">Attackers could gain access to a central control system</h2>
  168.  
  169.  
  170.  
  171. <p>Such networks typically have a central control system, which, if infiltrated could allow attackers to take over more than a single solar park. “Based on what I’ve seen, this specific monitoring equipment also has the option to, for example, shut down the photovoltaic installation,” Westerhof says. “So, you could shut down and start up a solar park this way. I don’t think the grid will get completely shut down, given the scale of the attack and available countermeasures, but it’ll probably make some people in charge of grid balancing very nervous if you start shutting those down or repeatedly cycling them off and on.”</p>
  172.  
  173.  
  174.  
  175. <p>However, grid-scale solar installations, such as those that utilities increasingly use to fuel their power supply, likely have sufficient protections built into their networks to thwart this kind of attack.</p>
  176.  
  177.  
  178.  
  179. <p>Mandatory security safeguards such as “<a href="https://www.nerc.com/pa/Stand/Pages/Cyber-Security-Permanent.aspx">NERC-CIP</a> starts to apply depending on how big it is and how impactful the installation is,” Andrew Ginter, VP of industrial security at Waterfall Security Systems, tells CSO. “And you tend to see more rigorous cybersecurity being applied just because it makes good business sense. If you have a dozen solar farms, each of which is producing 300 megawatts of power, a utility is monitoring those things.”</p>
  180.  
  181.  
  182.  
  183. <h2 class="wp-block-heading" id="the-more-severe-cybersecurity-risks-to-power-grids-stem-from-inverters">The more severe cybersecurity risks to power grids stem from inverters</h2>
  184.  
  185.  
  186.  
187. <p>As unsettling as the attack on the Contec devices was, experts point to a more severe cybersecurity risk in distributed energy resources (DER) built from solar panels: a critical component called the inverter, part of a class of power electronics that regulates the flow of electric power. An inverter is <a href="https://www.energy.gov/eere/solar/solar-integration-inverters-and-grid-services-basics">a device</a> that converts direct current (DC) electricity, which is what a solar panel generates, to alternating current (AC) electricity, which the electrical grid uses.</p>
  188.  
  189.  
  190.  
  191. <p>The North American Electric Reliability Corporation (NERC) has warned that <a href="https://www.nerc.com/pa/Documents/2023_NERC_Guide_Inverter-Based-Resources.pdf">the deficiencies</a> in inverters pose “a significant risk to BPS [bulk power supply] reliability” and could potentially cause “widespread outages.” The US Department of Energy <a href="https://www.energy.gov/sites/default/files/2022-10/Cybersecurity%20Considerations%20for%20Distributed%20Energy%20Resources%20on%20the%20U.S.%20Electric%20Grid.pdf">warned</a> in 2022 that a cyberattack on inverters could reduce the grid’s reliability and stability.</p>
  192.  
  193.  
  194.  
  195. <p>In May 2023, a team of researchers for the Dutch National Digital Infrastructure Inspectorate (RDI) <a href="https://www.rdi.nl/documenten/rapporten/2023/05/30/onderzoek-storingsproblematiek-en-cyberveiligheid-omvormers-voor-zonnepanelen">reported</a> that of the nine types of inverter from eight manufacturers they examined, none met the RDI’s security standards. The researchers concluded that “this makes solar panel installations, for example, easy to hack and can then be switched off or used for DDoS attacks. Or personal and usage data can be intercepted.”</p>
  196.  
  197.  
  198.  
  199. <p>“The key component is the inverter,” Ginter says. “The inverter is the interface to the grid, it’s the interface to the grid control systems. The newest inverters have communications; they’re connected to the grid, or they’re connected communications-wise to a cloud service. It’s those devices that are at risk of being compromised.”</p>
  200.  
  201.  
  202.  
  203. <h2 class="wp-block-heading" id="hacked-inverters-could-imperil-household-solar-installations-even-start-fires">Hacked inverters could imperil household solar installations, even start fires</h2>
  204.  
  205.  
  206.  
207. <p>The real risk of inverter exploitation lies in the growing number of household solar installations. According to the Solar Energy Association, the number of US homes with solar installations <a href="https://www.seia.org/news/5million#:~:text=SEIA%20forecasts%20that%20solar%20installations,of%20the%20last%2012%20years.">is expected</a> to double to 10 million by 2030. The number of households with solar installations <a href="https://www.iea.org/reports/approximately-100-million-households-rely-on-rooftop-solar-pv-by-2030">is expected</a> to top 100 million by 2030.</p>
  208.  
  209.  
  210.  
  211. <p>“Typically, those inverters have a voltage and a frequency set,” Westerhof says. “So those are just the electric parameters, but those are configured either through firmware or through set points. If you get to a point where you can influence that, you can get those systems to send out a very significantly different voltage and a different frequency, which basically messes with all connected devices.”</p>
  212.  
  213.  
  214.  
  215. <p>Inverters themselves are usually capable of dealing with voltage or frequency changes, short-circuiting or breaking down. But, Westerhof says, in some rare circumstances, “some attached devices might in certain context slowly, yet steadily start to go ablaze. The chances of a fire starting will definitely increase.”</p>
  216.  
  217.  
  218.  
  219. <h2 class="wp-block-heading" id="some-solutions-to-solar-cybersecurity-problems">Some solutions to solar cybersecurity problems</h2>
  220.  
  221.  
  222.  
  223. <p>The attack on the Contec devices, the threats to DER inverters, and other threats to the solar component of the power grid stem not from solar panels themselves, which are basically passive devices, but from the communications elements that connect the panels to electrical power systems. Because of this bifurcation, solar panel users can take steps to protect themselves from threats embedded in the communications software.</p>
  224.  
  225.  
  226.  
  227. <p>The standards-setting body IEEE has established <a href="https://innovationatwork.ieee.org/what-is-ieee-standard-1547/#:~:text=Created%20in%202003%2C%20IEEE%20Standard,experienced%20increased%20levels%20of%20penetration.">Standard 1547</a> for interconnecting solar panels to the systems and recently updated that standard in 2018 to, among other things, improve reliability and support the grid under abnormal circumstances.</p>
  228.  
  229.  
  230.  
  231. <p>“Because there’s a standard, you can buy the hard goods, the batteries, the solar panels from one party out of China, and you can implement a control system and a security system that’s 100% homegrown American made,” Tansy says. “And you have bought yourself a pretty significant measure of protection in doing that.”</p>
  232.  
  233.  
  234.  
  235. <p>According to Westerhof, another step to help protect the solar component of the grid is to ensure local installers are adequately trained in cybersecurity, particularly when it comes to insecure inverters.</p>
  236.  
  237.  
  238.  
  239. <p>“Installers, for example, sometimes install models that have been out of vendor support for several years, just because that’s the inverter they still have in stock,” he says. “PV-park [solar farm] owners are quite concerned with cybersecurity, but they can’t really control it for the PV installations because they are dependent on the vendors and the people who can install it.”</p>
  240.  
  241.  
  242.  
243. <p>The US Department of Energy <a href="https://www.energy.gov/sites/default/files/2022-10/Cybersecurity%20Considerations%20for%20Distributed%20Energy%20Resources%20on%20the%20U.S.%20Electric%20Grid.pdf">advocates</a> for futureproofing the distributed energy resource industry now, before it reaches maturity, and NIST is developing <a href="https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8498.ipd.pdf">guidelines</a> for residential and light commercial solar energy systems based on a review of known smart inverter vulnerabilities documented in the National Vulnerability Database (NVD) and information about known smart inverter cyberattacks. It is also testing five example smart inverters.</p>
  244.  
  245.  
  246.  
  247. <p>Ginter thinks that the NIST draft guidelines underscore the kinds of questions all organizations should be asking when they implement basic cybersecurity protections. “NIST is saying we should have some cybersecurity standards, do some basics. I think the standards are going to have to become more stringent as time goes by, and we wind up with software carrying out safety-critical functions in these physical devices,” he says.</p>
  248. </div></div></div></div>]]></description>
  249. <link>https://www.csoonline.com/article/2119281/hijack-of-monitoring-devices-highlights-cyber-threat-to-solar-power-infrastructure.html</link>
  250. <post-id xmlns="com-wordpress:feed-additions:1">2119281</post-id><category>Critical Infrastructure, Energy Industry, Utilities Industry</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_2037991496.jpg?quality=50&#038;strip=all" length="998873" type="image/jpeg" />
  251. </item>
  252. <item>
  253. <title>Memcyco Report Reveals Only 6% Of Brands Can Protect Their Customers From Digital Impersonation Fraud</title>
  254. <pubDate>Thu, 23 May 2024 05:57:24 +0000</pubDate>
  255. <description><![CDATA[<div id="remove_no_follow">
  256. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  257.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  258. <div class="article-column__content">
  259. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  260.  
  261.  
  262.  
  263. <p>Memcyco Inc., provider of digital trust technology designed to protect companies and their customers from digital impersonation fraud, released its inaugural 2024 State of Website Impersonation Scams report. Notably, Memcyco’s research indicates that the majority of companies do not have adequate solutions to counter digital impersonation fraud, and that most only learn about attacks from their customers.</p>
  264.  
  265.  
  266.  
  267. <p>More than half of all respondents (53%) said their existing cybersecurity solutions do not effectively address website impersonation attacks, and 41% said their existing solutions only protect them and their customers “partially.” Just 6% of brands claimed to have a solution that effectively addresses these attacks despite 87% of companies recognizing website impersonation as a major issue and 69% admitting to having had these attacks carried out against their own website.</p>
  268.  
  269.  
  270.  
  271. <p>The creation of fake websites used for phishing-related attacks (which are a top cause of account takeover (ATO)) is a growing problem that has earned cybercriminals an <a href="https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2024/04/impersonation-scams-not-what-they-used-be" target="_blank" rel="noreferrer noopener">astonishing $1 billion+</a> in 2023 alone, according to data from the U.S. Federal Trade Commission. That’s more than three times the amount reported stolen in 2020. </p>
  272.  
  273.  
  274.  
275. <p>The report found that 72% of companies have a monitoring system in place to detect fake versions of their website, but still, 66% said that they primarily learn about digital impersonation attacks when they are flagged by customers. More alarmingly, 37% of respondents learn about website impersonation attacks as a result of “brand shaming” by impacted customers on social media.</p>
  276.  
  277.  
  278.  
  279. <p>The inability to adequately protect against digital impersonation fraud raises a question about companies’ responsibility to reimburse their customers. 48% of survey respondents are already aware of upcoming regulations likely to enforce customer reimbursements, making effective protection against digital impersonation fraud a ‘must-have’ for avoiding revenue loss.</p>
  280.  
  281.  
  282.  
  283. <p>“One of the most alarming takeaways from the report is that website impersonation scams are growing because attackers rely on companies having limited visibility into these kinds of attacks,” said Israel Mazin, Chairman and CEO of Memcyco. “This creates a glaring blindspot in cybersecurity — the inability of companies to protect their customers online.”</p>
  284.  
  285.  
  286.  
  287. <p>The State of Website Impersonation Scams report was conducted together with Global Surveyz Research, based on the responses of 200 full-time employees ranging from Director to C-level executives at organizations in the security, fraud, digital, and web industries, operating transactional websites with traffic of more than 10,000 monthly visits.</p>
  288.  
  289.  
  290.  
  291. <p>Memcyco’s solution suite addresses the rising tide of website impersonation scams by using real-time alerts to secure end-users on every website visit and provides organizations with unparalleled insights into the scope and impact of all attacks on their sites. </p>
  292.  
  293.  
  294.  
  295. <p>The full report can be found <a href="https://www.memcyco.com/home/library/state-of-digital-impersonation-fraud-resilience-report/" target="_blank" rel="noreferrer noopener">here</a>.</p>
  296.  
  297.  
  298.  
299. <p><strong>About Memcyco</strong></p>
  300.  
  301.  
  302.  
  303. <p><a href="https://www.memcyco.com/home" target="_blank" rel="noreferrer noopener">Memcyco</a> offers a suite of AI-based, real-time digital risk protection solutions for combating website impersonation scams, protecting companies and their customers from the moment a fake site goes live until it is taken down. Memcyco’s groundbreaking external threat intelligence platform provides companies with complete visibility into the attack, attacker, and each individual victim, helping to prevent ATO fraud, ransomware, and data breaches before they occur. Memcyco’s “nano defender” technology detects, protects, and responds to attacks as they unfold, securing tens of millions of customer accounts and reducing the negative impact of attacks on workload, compliance, customer churn, and reputation.</p>
  304.  
  305.  
  306.  
  307. <p><strong>About Global Surveyz</strong></p>
  308.  
  309.  
  310.  
  311. <p><a href="https://surveyz.io/" target="_blank" rel="noreferrer noopener">Global Surveyz</a> is a global research company providing survey report-as-a-service that covers the whole process of creating an insightful and impactful B2B or B2C report for any target market. Global Surveyz was established in 2020 and is the brain-child of Ramel Levin.</p>
  312.  
  313.  
  314.  
  315. <h5 class="wp-block-heading" id="contact">Contact</h5>
  316.  
  317.  
  318.  
  319. <p><strong>Sheena Kretzmer</strong></p>
  320.  
  321.  
  322.  
  323. <p><strong>sheena@memcyco.com</strong></p>
  324. </div></div></div></div>]]></description>
  325. <link>https://www.csoonline.com/article/2119678/memcyco-report-reveals-only-6-percent-of-brands-can-protect-their-customers-from-digital-impersonation-fraud.html</link>
  326. <post-id xmlns="com-wordpress:feed-additions:1">2119678</post-id><category>Cyberattacks, Security</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/Memcyco_State-fo-digital-impersonation-7.png" length="572149" type="image/png" />
  327. </item>
  328. <item>
  329. <title>US government could mandate quantum-resistant encryption from July</title>
  330. <pubDate>Wed, 22 May 2024 21:25:07 +0000</pubDate>
  331. <description><![CDATA[<div id="remove_no_follow">
  332. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  333.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  334. <div class="article-column__content">
  335. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  336.  
  337.  
  338.  
  339. <p>Companies working on sensitive projects for the US government may soon be required to use encryption algorithms that protect their data and technology from quantum computer attacks. In July, the National Institute for Standards and Technology (NIST), an agency of the Department of Commerce, will specify three encryption algorithms it considers sufficient to safeguard against quantum computer threats, <a href="https://www.bloomberg.com/news/articles/2024-05-21/us-government-urges-federal-contractors-to-strengthen-encryption">according to a Bloomberg report</a>.</p>
  340.  
  341.  
  342.  
  343. <p>These algorithms, marking a critical step towards “post-quantum cryptography” for US government contractors, will establish an international standard for protecting everything from national secrets to online transactions, the report added.</p>
  344.  
  345.  
  346.  
  347. <p>“Breaking encryption not only threatens national security secrets but also the way we secure the internet, online payments and bank transactions,” White House deputy national security adviser Anne Neuberger was quoted as saying in the report. “The rollout of the standards will kick off the transition to the next generation of cryptography.”</p>
  348.  
  349.  
  350.  
  351. <h2 class="wp-block-heading" id="quantum-threat-looms-large">Quantum threat looms large</h2>
  352.  
  353.  
  354.  
  355. <p>Quantum computers, harnessing the principles of quantum mechanics, promise significantly greater processing power for certain types of calculation, potentially rendering present-day encryption methods vulnerable.</p>
  356.  
  357.  
  358.  
  359. <p>Although quantum computers capable of such attacks do not yet exist, the threat of their future existence is taken seriously by governments, including the US and the UK. One of the biggest risks is that well-equipped enemies might adopt a “harvest now, decrypt later” approach, gathering confidential information in the hope that they will one day be able to decrypt it while it still has some strategic value.</p>
  360.  
  361.  
  362.  
  363. <p>In 2022, the US Senate unanimously passed a bill addressing quantum threats to cryptography, empowering government agencies to mandate that contractors adhere to the encryption standards defined by NIST.</p>
  364.  
  365.  
  366.  
367. <p>In July that year, NIST selected four encryption algorithms to become part of the agency’s post-quantum cryptographic standard. At the time, <a href="https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms">Secretary of Commerce Gina M. Raimondo welcomed</a> the announcement, hailing it as “an important milestone in securing our sensitive data against the possibility of future cyberattacks from quantum computers,” and saying, “Thanks to NIST’s expertise and commitment to cutting-edge technology, we are able to take the necessary steps to secure electronic information so US businesses can continue innovating while maintaining the trust and confidence of their customers.”</p>
  368.  
  369.  
  370.  
  371. <p>Three of the four algorithms — CRYSTALS-Kyber, CRYSTALS-Dilithium, and SPHINCS+ — have already been standardized and are expected to be ready for use this year, 2024, <a href="https://www.nist.gov/news-events/news/2023/08/nist-standardize-encryption-algorithms-can-resist-attack-quantum-computers">a NIST announcement last year said.</a> That now looks set to happen by July. A draft standard for FALCON, the fourth algorithm, will be released in about a year, the announcement had added.</p>
  372.  
  373.  
  374.  
  375. <p>Companies seeking or holding federal contracts will need to comply with these standards by 2035, with those working in the most sensitive areas required to adopt them earlier, the Bloomberg report said. “It’s in companies’ own interests to be leading the way there,” Neuberger was quoted as saying in the report.</p>
  376. </div></div></div></div>]]></description>
  377. <link>https://www.csoonline.com/article/2119505/us-government-could-mandate-quantum-resistant-encryption-from-july.html</link>
  378. <post-id xmlns="com-wordpress:feed-additions:1">2119505</post-id><category>Encryption, Government IT, Regulation</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/quantum-computing-digital-communication-network-security-100938358-orig-100961447-orig.jpg?quality=50&#038;strip=all" length="184346" type="image/jpeg" />
  379. </item>
  380. <item>
  381. <title>Microsoft Azure’s Russinovich sheds light on key generative AI threats</title>
  382. <pubDate>Wed, 22 May 2024 18:25:00 +0000</pubDate>
  383. <description><![CDATA[<div id="remove_no_follow">
  384. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  385.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  386. <div class="article-column__content">
  387. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  388.  
  389.  
  390.  
  391. <p>Generative AI-based threats operate over a huge landscape, and CISOs must look at it from a variety of perspectives, said Microsoft Azure CTO Mark Russinovich <a href="https://build.microsoft.com/en-US/sessions/d29a16d5-f9ea-4f5b-9adf-fae0bd688ff3?source=/schedule">during the Microsoft Build conference</a> this week in Seattle.</p>
  392.  
  393.  
  394.  
  395. <p>“We take a multidisciplinary approach when it comes to AI security, and so should you,” Russinovich said of the rising issue confronting CISOs today.</p>
  396.  
  397.  
  398.  
  399. <p>That means examining AI threats from the AI apps and underlying model code to their various API requests, to the training data used by machine learning algorithms, to potential backdoors that could poison your models, inject malware into user prompts to steal your data, or take control over the AI systems themselves. Russinovich, originator of the popular Winternals utilities, laid these out in a generative AI threat map that shows the relationship among all these elements.</p>
  400.  
  401.  
  402. <div class="extendedBlock-wrapper block-coreImage undefined"><figure class="wp-block-image size-large"><img loading="lazy" decoding="async" src="https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?w=1024" alt="Microsoft Build conference 2024 Mark Russinovich " class="wp-image-2119359" srcset="https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?quality=50&amp;strip=all 1800w, https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?resize=300%2C154&amp;quality=50&amp;strip=all 300w, https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?resize=768%2C395&amp;quality=50&amp;strip=all 768w, https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?resize=1024%2C526&amp;quality=50&amp;strip=all 1024w, https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?resize=1536%2C789&amp;quality=50&amp;strip=all 1536w, https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?resize=1240%2C637&amp;quality=50&amp;strip=all 1240w, https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?resize=150%2C77&amp;quality=50&amp;strip=all 150w, https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?resize=854%2C439&amp;quality=50&amp;strip=all 854w, https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?resize=640%2C329&amp;quality=50&amp;strip=all 640w, https://b2b-contenthub.com/wp-content/uploads/2024/05/David-Strom_news_Mark-R-Build-AI-security-stack.png?resize=444%2C228&amp;quality=50&amp;strip=all 444w" width="1024" height="526" sizes="(max-width: 1024px) 100vw, 1024px" 
/><figcaption class="wp-element-caption"><p><em>Russinovich showed this comprehensive threat map diagram, classifying the different types of potential exploits that generative AI could experience.</em></p> </figcaption></figure><p class="imageCredit">Microsoft</p></div>
  403.  
  404.  
  405.  
  406. <p>One key issue Russinovich shed light on was data poisoning. With this type of cyberattack, adversaries <a href="https://www.csoonline.com/article/570555/how-data-poisoning-attacks-corrupt-machine-learning-models.html">attempt to compromise an organization’s data set</a> used to train their AI or machine learning models. Doing so can significantly corrupt the output.</p>
  407.  
  408.  
  409.  
  410. <p>“Someone could have access to your training data,” he said, and that could produce harmful responses, leak data, or insert backdoors for subsequent control and to introduce exploits down the road.</p>
  411.  
  412.  
  413.  
  414. <p>Russinovich used the example of planting poisoned data on a Wikipedia page that was known as a data source by the attacker. Once this data was scraped by the model, it didn’t matter if the Wikipedia editors caught the problem and deleted the bad data. “This makes it a lot harder to track down, because the poisoned data no longer exists.”</p>
  415.  
  416.  
  417.  
  418. <p>The Microsoft Azure CTO revealed that just by changing 1% of the data set — for example, using a backdoor — an attacker could cause a model to misclassify items or produce malware. Some of these data poisoning efforts are easily demonstrated, such as the effect of adding just a small amount of digital noise to a picture by appending data at the end of a JPEG file, which can cause models to misclassify images. He showed one example of a photograph of a panda that, when enough digital noise was added to the file, was classified as a monkey.</p>
  419.  
  420.  
  421.  
  422. <p>Not all backdoors are evil, Russinovich took pains to mention. They could be used to fingerprint a model, which can then be examined by software to ensure its authenticity and integrity. Such a fingerprint could take the form of oddball questions that are added to the code and are unlikely to be asked by real users. </p>
  423.  
  424.  
  425.  
  426. <p>Probably the <a href="https://www.csoonline.com/article/1294996/top-4-llm-threats-to-the-enterprise.html">most infamous generative AI attacks</a> are concerned with prompt injection techniques. These are “really insidious because someone can influence just more than the current dialog with a single user,” he said.</p>
  427.  
  428.  
  429.  
  430. <p>Russinovich demonstrated how this works, with a piece of hidden text that was injected into a dialog that could result in leaking private data, and what he calls a “cross prompt injection attack,” harking back to the processes used in creating web <a href="https://www.csoonline.com/article/565192/what-is-xss-cross-site-scripting-attacks-explained.html">cross site scripting exploits</a>. This means users, sessions, and content all need to be isolated from one another. </p>
  431.  
  432.  
  433.  
  434. <h2 class="wp-block-heading" id="the-top-of-the-threat-stack-according-to-microsoft">The top of the threat stack, according to Microsoft</h2>
  435.  
  436.  
  437.  
  438. <p>The top of the threat stack and its various user-related threats, according to Russinovich, includes disclosing sensitive data, using jailbreaking techniques to take control over AI models, and having third-party apps and model plug-ins forced into leaking data or getting around restrictions on offensive or inappropriate content.</p>
  439.  
  440.  
  441.  
  442. <p>One of these attacks <a href="https://arxiv.org/pdf/2404.01833">he wrote about last month, calling it Crescendo</a>. This attack can bypass various content safety filters and essentially turn the model on itself to generate malicious content through a series of carefully crafted prompts. He showed how ChatGPT could be used to divulge the ingredients of a Molotov Cocktail, even though its first response was to deny this information. </p>
  443.  
  444.  
  445.  
  446. <p>“AI LLMs have inherent security risks,” Russinovich said. “AI models are just like really smart but junior or naive employees. They have no real-world experience, they can be influenced, are persuadable and exploitable and can be convinced to do things that are against corporate policy. They are potentially loose cannons and need guardrails.”</p>
  447. </div></div></div></div>]]></description>
  448. <link>https://www.csoonline.com/article/2119355/microsoft-azures-russinovich-sheds-light-on-key-generative-ai-threats.html</link>
  449. <post-id xmlns="com-wordpress:feed-additions:1">2119355</post-id><category>Data and Information Security, Generative AI</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_2284126663-100943536-orig-100962531-orig-1.jpg?quality=50&#038;strip=all" length="1236255" type="image/jpeg" />
  450. </item>
  451. <item>
  452. <title>Rise of zero-day exploits reshape security recommendations</title>
  453. <pubDate>Wed, 22 May 2024 06:00:00 +0000</pubDate>
  454. <description><![CDATA[<div id="remove_no_follow">
  455. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  456.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  457. <div class="article-column__content">
  458. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  459.  
  460.  
  461.  
  462. <p>With zero-day attacks rapidly eclipsing exploits of known flaws, CISOs face the specter of having to switch up their security strategies in favor of post-exploitation response.</p>
  463.  
  464.  
  465.  
  466. <p>That’s the key takeaway from security firm Rapid7’s newly released <a href="https://www.rapid7.com/research/report/2024-attack-intelligence-report/">2024 Attack Intelligence Report</a>: With less time to react and deploy patches and mitigations when they learn of a new flaw that’s being actively exploited, CISOs must put post-exploitation controls and detections in place to limit the damage should attackers gain access to their network.</p>
  467.  
  468.  
  469.  
  470. <p>Over the past year mass attacks perpetrated through unpatched vulnerabilities (zero-days) exceeded those exploiting known flaws with patches available, according to Rapid7 researchers. Exploits against network edge devices, such as VPN appliances and security gateways, played a big role in that explosion, accounting for over a third of attacks.</p>
  471.  
  472.  
  473.  
  474. <p>Moreover, unlike most n-day exploits for known flaws, which are typically used by multiple threat actors once an exploit becomes available, zero-day exploits have been used mostly by single sophisticated adversaries that targeted dozens or hundreds of organizations in their attack campaigns, according to the researchers.</p>
  475.  
  476.  
  477.  
  478. <p>“These aren’t our grandparents’ cyberthreats — this is a mature, well-organized cybercrime ecosystem at work, with increasingly sophisticated mechanisms to gain access, establish persistence, and evade detection,” the researchers wrote in their report.</p>
  479.  
  480.  
  481.  
  482. <p>In response, CISOs would be wise to reassess their IT security strategies with shorter exploit cycles and post-incident response top of mind.</p>
  483.  
  484.  
  485.  
  486. <h2 class="wp-block-heading" id="the-shift-to-incident-response">The shift to incident response</h2>
  487.  
  488.  
  489.  
  490. <p>Rapid7 researchers tracked more than 60 vulnerabilities that saw widespread exploitation in 2023 and the beginning of this year. Of those, more than half were new flaws discovered during this period; of these new flaws, 53% were zero-days when initially found.</p>
  491.  
  492.  
  493.  
  494. <p>It’s worth noting that Rapid7 researchers consider a vulnerability to see mass or widespread exploitation when it is used in real-world attacks to target many organizations across different industry verticals and geolocations. The researchers note that they did not include zero-day flaws for which only a proof-of-concept exploit was published on the internet in their tracking.</p>
  495.  
  496.  
  497.  
  498. <p>They also didn’t count exploitation attempts against the thousands of honeypots put up by security companies around the world as actual attacks because doing so would skew the perception of how widespread a threat is, potentially distracting organizations from prioritizing where to direct their limited resources.</p>
  499.  
  500.  
  501.  
  502. <p>“Organizations should expect to conduct incident response investigations that look for indicators of compromise (IOCs) and post-exploitation activity during widespread threat events in addition to activating emergency patching protocols,” the researchers advised.</p>
  503.  
  504.  
  505.  
  506. <h2 class="wp-block-heading" id="shorter-exploit-cycles-more-security-strain">Shorter exploit cycles, more security strain</h2>
  507.  
  508.  
  509.  
  510. <p>The number of zero-day exploits has exploded since 2021, and the type of threat actors using them is not limited to state-sponsored cyberespionage groups but also includes cybercrime gangs pushing ransomware and crypto mining malware. In 2020, n-day exploits outnumbered 0-days 3 to 1; by 2021, 0-days accounted for over half of widespread attacks, never to return to previous levels.</p>
  511.  
  512.  
  513.  
  514. <p>“Since 2021, Rapid7 researchers have tracked the time between when vulnerabilities become known to the public and when they are (reliably) reported as exploited in the wild,” the researchers said. “This window, which we call ‘Time to Known Exploitation,’ or TTKE, has narrowed considerably in the past three years, largely as a result of prevalent zero-day attacks.”</p>
  515.  
  516.  
  517.  
  518. <p>Zero-day attacks have a TTKE of 0, because the flaws get exploited before they’re publicly known. As such, it’s hard to draw a relevant conclusion by calculating average TTKEs, but the researchers point out that of all flaws (0-day and n-day) tracked since 2021, 55% were exploited within the first week after public disclosure and 60% within the first two weeks. This is a big change from 2020, when 30% were exploited during the first week and 32% in the first two weeks.</p>
  519.  
  520.  
  521.  
  522. <p>The conclusion is clear: With attack cycles shortening, IT security professionals have less time to rely on patches and mitigations, and now must spend more time attempting to limit the damage attackers can do by focusing on post-exploitation controls and detections.</p>
  523.  
  524.  
  525.  
  526. <p>This shift and subsequent scramble are leading to additional strain on security teams.</p>
  527.  
  528.  
  529.  
  530. <p>“Technologies like endpoint detection and response (EDR) are key components of a defense-in-depth strategy, but we believe that business leaders should be aware that combating and preventing modern cyberthreats continues to require human expertise in addition to technology,” the researchers warn. “More than ever, burnout and brain drain on security teams compound risk from well-resourced, motivated adversary operations.”</p>
  531.  
  532.  
  533.  
  534. <h2 class="wp-block-heading" id="mfa-can-make-a-big-difference">MFA can make a big difference</h2>
  535.  
  536.  
  537.  
  538. <p>During the reporting period, Rapid7’s managed detection and response (MDR) team tracked over 5,600 ransomware incidents from public reporting and its own investigations, noting that this is a very conservative number, as many such incidents continue to go unreported. Some ransomware groups have used zero-day exploits, particularly against managed file transfer (MFT) applications, but also collaboration tools and network perimeter devices.</p>
  539.  
  540.  
  541.  
  542. <p>The known exploited vulnerabilities (KEV) catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA) currently includes 219 CVEs — vulnerability identifiers — known to have been used in ransomware attacks.</p>
  543.  
  544.  
  545.  
  546. <p>That said, Rapid7’s MDR team concluded that 41% of ransomware incidents were the result of missing multi-factor authentication (MFA) on virtual desktop or enterprise VPN systems. As such, these attacks could have been easily avoided by enforcing one relatively simple additional authentication control.</p>
  547.  
  548.  
  549.  
  550. <h2 class="wp-block-heading" id="attackers-go-for-simpler-exploits">Attackers go for simpler exploits</h2>
  551.  
  552.  
  553.  
  554. <p>While most remote code execution vulnerabilities have historically been the result of memory corruption issues in software, there is a new trend that Rapid7 has observed in its dataset: Attackers are predominantly choosing classes of vulnerabilities for which it’s easier to develop stable and reliable exploits.</p>
  555.  
  556.  
  557.  
  558. <p>Memory corruption flaws, for example, are hard to exploit due to the various anti-exploitation technologies added to software over the years at the operating system and application levels. Exploiting a memory corruption flaw often requires chaining additional vulnerabilities that disclose memory locations or relying on various complicated techniques. Getting one exploit to work reliably across different versions of the same operating system is a challenge in itself as well.</p>
  559.  
  560.  
  561.  
  562. <p>Therefore, it’s not a huge surprise that 75% of the CVEs included in Rapid7’s dataset of widespread exploits over the past four years have been either caused by improper access controls — authentication bypasses, improper cryptographic implementations, and remotely accessible APIs — or injection issues such as server-side request forgery (SSRF), SQL injection, and command injection. Even deserialization flaws have been more prevalent than memory corruption ones.</p>
  563.  
  564.  
  565.  
  566. <h2 class="wp-block-heading" id="defense-in-depth-recommendations">Defense-in-depth recommendations</h2>
  567.  
  568.  
  569.  
  570. <p>Having a solid vulnerability management program that ensures timely patching of critical and widely exploited vulnerabilities is essential, both in the cloud and on premises. But other controls can make a big difference, too. For example, implementing MFA for all systems and applications should be a top priority, as well as applying the principle of least privilege when creating accounts and roles.</p>
  571.  
  572.  
  573.  
  574. <p>Reducing the internet-exposed attack surface can make a big difference. Companies should regularly review their internet-exposed devices, network appliances, applications, ports, and interfaces. Anything that can be walled off should be walled off.</p>
  575.  
  576.  
  577.  
  578. <p>Ensuring an efficient backup strategy with multiple backup locations, both online and offline, onsite and offsite, can be very effective against ransomware attacks. Companies should also put measures in place to detect and prevent attempts to exfiltrate large quantities of data, which is one of the main extortion techniques used by ransomware groups.</p>
  579. </div></div></div></div>]]></description>
  580. <link>https://www.csoonline.com/article/2117846/rise-of-zero-day-exploits-reshape-security-recommendations.html</link>
  581. <post-id xmlns="com-wordpress:feed-additions:1">2117846</post-id><category>Incident Response, Security Practices, Zero-day vulnerability</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_1590824917.jpg?quality=50&#038;strip=all" length="4111874" type="image/jpeg" />
  582. </item>
  583. <item>
  584. <title>Reducing CSO-CIO tension requires recognizing the signs</title>
  585. <pubDate>Wed, 22 May 2024 05:59:00 +0000</pubDate>
  586. <description><![CDATA[<div id="remove_no_follow">
  587. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  588.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  589. <div class="article-column__content">
  590. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  591. </div></div></div></div>]]></description>
  592. <link>https://www.cio.com/article/2112584/reducing-cio-ciso-tension-requires-recognizing-the-signs.html</link>
  593. <post-id xmlns="com-wordpress:feed-additions:1">2117849</post-id><category>CIO, CSO and CISO, IT Leadership</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_390500185.jpg?quality=50&#038;strip=all" length="5749715" type="image/jpeg" />
  594. </item>
  595. <item>
  596. <title>Employee discontent: Insider threat No. 1</title>
  597. <pubDate>Tue, 21 May 2024 06:00:00 +0000</pubDate>
  598. <description><![CDATA[<div id="remove_no_follow">
  599. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  600.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  601. <div class="article-column__content">
  602. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  603.  
  604.  
  605.  
  606. <p>In the world of <a href="https://www.csoonline.com/article/1312569/data-breaches-caused-by-insiders-can-cost-you-over-15-million.html">insider risk management</a> (IRM), how an employee views their relationship with their company is as important as how the company views its relationship with the employee.</p>
  607.  
  608.  
  609.  
  610. <p>This might sound like a simple equation, in which mutual back-scratching and support equal success, comfort, and tranquility. But from this set of jaded eyes, it’s not simple at all — and it’s an area CISOs should pay increasing attention to today.</p>
  611.  
  612.  
  613.  
  614. <p>The employee-employer relationship involves a number of people — executives, managers, supervisors, colleagues — all of whom influence how any given employee (or contractor) may view their position in the corporate ecosystem, and all of whom may be “grading” the individual contribution of the employee.</p>
  615.  
  616.  
  617.  
  618. <p>This tends to make the actual equation more complex than any polynomial algebraic equation. Yet like most algebraic equations, a solution exists.</p>
  619.  
  620.  
  621.  
  622. <p>Last year Pew Research <a href="https://www.pewresearch.org/social-trends/2023/03/30/how-americans-view-their-jobs/">issued a report</a> that has not percolated to the top of the discussion on insiders and their behaviors. The report found that only half of US workers are very or extremely satisfied with their jobs. More pointedly, those who received regular feedback from their managers were much happier than those who didn’t.</p>
  623.  
  624.  
  625.  
  626. <p>These factors must be part of every CISO’s IRM strategy.</p>
  627.  
  628.  
  629.  
  630. <h2 class="wp-block-heading" id="watch-for-discontent-in-the-shadows">Watch for discontent in the shadows</h2>
  631.  
  632.  
  633.  
  634. <p>When it comes to IRM, CISOs focus predominantly on technologies: user entity behavior analytics (UEBA), <a href="https://www.csoonline.com/article/524286/what-is-siem-security-information-and-event-management-explained.html">security information and event management</a> (SIEM), data loss prevention, and the like. There isn’t as much emphasis on stepping outside the view of colleagues as streams of user data and instead seeing them as people with complex lives and various pressures placed upon them.</p>
  635.  
  636.  
  637.  
  638. <p>But discontent can brew in dark places, some of which may manifest into a risk and then morph into a threat. If CISOs pay no attention to the human side of the equation, they are exposing their organizations to risks that might otherwise be avoided with a little work.</p>
  639.  
  640.  
  641.  
  642. <p>CISOs themselves are no strangers to discontent. Indeed, a 2024 IANS/Artico report highlighted that <a href="https://www.csoonline.com/article/1293456/three-of-four-cisos-ready-for-job-change.html">three of four CISOs are ready to exit their current role</a>. No bones about it, the cybersecurity field is tough and can take a toll on people. If that’s not a signal to pay more attention to people throughout the organization, I don’t know what is. A good leader should know that if they’re stressed and struggling, their teams are most likely in the same boat.</p>
  643.  
  644.  
  645.  
  646. <h2 class="wp-block-heading" id="lack-of-feedback-can-lead-to-dissatisfaction">Lack of feedback can lead to dissatisfaction</h2>
  647.  
  648.  
  649.  
  650. <p>The Pew report, which followed the years cataloged as the “great resignation,” breaks down employee satisfaction along a variety of vectors. No surprise, lower levels of satisfaction surround compensation, benefits, opportunity for promotion, training/development, and feedback on performance.</p>
  651.  
  652.  
  653.  
  654. <p>Higher scores came in with respect to day-to-day tasks, colleagues, and relationships with supervisors or managers. Where the Pew data diverges is along generational divides, with those who are my age, 65-plus, tending to be more satisfied (we are on the right side of the ground after all) than those in the 30-49 bracket.</p>
  655.  
  656.  
  657.  
  658. <p>Sadly, over 55% of respondents say they don’t have someone at work whom they consider a mentor. And 28% are of the opinion that their employer doesn’t really care much about them at all.</p>
  659.  
  660.  
  661.  
  662. <p>Let that sink in. If the employee thinks their employer doesn’t care, that lack of interest might very well be reflected as if in a mirror — the employee won’t care and as such, we have an unnecessary and preventable risk to the entity.</p>
  663.  
  664.  
  665.  
  666. <p>The report gives the solution to the reader: More engagement between workers and their management/supervisor and more feedback given/received equates to greater satisfaction (lower risk).</p>
  667.  
  668.  
  669.  
  670. <h2 class="wp-block-heading" id="where-dissatisfaction-meets-opportunity">Where dissatisfaction meets opportunity</h2>
  671.  
  672.  
  673.  
  674. <p>The recent DTEX Systems <a href="https://www.dtexsystems.com/resource-insider-risk-investigations-report-2024/">Insider Risk Investigations Report (Foreign Interference: Special Edition)</a> found that 70% of DTEX’s customers had reported approaches from foreign entities, including nation-state actors.</p>
  675.  
  676.  
  677.  
  678. <p>As a long-in-the-tooth former intelligence officer, I am not surprised by this data point, as such activity has been ongoing for years. Only now are entities understanding how the world of nation-state espionage works, and how hostile intelligence entities seek out vulnerabilities in their target group.</p>
  679.  
  680.  
  681.  
  682. <p>This is where it is important for CISOs to be part of the entity-wide team involved in such issues. They should not be operating in a vacuum, relying only on the “data produced” persona. An anomalous behavior reported to human resources, for example, may not manifest itself in online or device behavior.</p>
  683.  
  684.  
  685.  
  686. <p>For example, in the mid-1980s CIA officer Edward Howard prepared for a sensitive assignment in Moscow. As part of the routine processing for the assignment, a polygraph was administered. During this polygraph, it is alleged Howard confessed to an incident of petty theft — stealing cash out of individuals’ purses. He was terminated but went on to do tremendous national security damage. His behavior wasn’t seen, wasn’t suspected, yet when it became known action was taken.</p>
  687.  
  688.  
  689.  
  690. <p>Howard took steps to avoid detection and successfully defected to the Soviet Union and was resettled. Some years later, he accidentally fell down the stairs in his cottage, broke his neck, and died.</p>
  691.  
  692.  
  693.  
  694. <p>The steps he took to breach security employed his operational acumen in evading notice, and indeed, the DTEX report shows us that 77% of malicious insiders took steps to conceal their activities.</p>
  695.  
  696.  
  697.  
  698. <h2 class="wp-block-heading" id="staying-safe-from-insider-threats-hinges-on-human-engagement">Staying safe from insider threats hinges on human engagement</h2>
  699.  
  700.  
  701.  
  702. <p>This is not unusual. The civilian US Navy nuclear engineer Jonathan Toebbe, <a href="https://www.csoonline.com/article/571643/what-cisos-can-learn-from-the-navy-insider-who-went-undetected-stealing-us-nuclear-secrets.html">who tried to sell secrets to Brazil</a> (which wanted nothing to do with him and brought the FBI into the mix), revealed, in his effort to volunteer the sensitive and highly classified information, that he had received training.</p>
  703.  
  704.  
  705.  
  706. <p>“I was extremely careful to gather the files I possess slowly and naturally in the routine of my job, so nobody would suspect my plan,” Toebbe later said. “We received training on warning signs to spot insider threats. We made very sure not to display even a single one. I do not believe any of my former colleagues would suspect me if there is a future investigation.”</p>
  707.  
  708.  
  709.  
  710. <p>And they didn’t. Had he chosen a country other than Brazil, one may speculate that he would have never been discovered.</p>
  711.  
  712.  
  713.  
  714. <p>Yet, in hindsight, with both Toebbe and Howard, there were other signals, human signals that may have been detectable but weren’t detected. That would be reason enough to look at your team, identify anomalous behavior, and see whether there is a risk manifesting or if the individual is simply quirky.</p>
  715.  
  716.  
  717.  
  718. <h2 class="wp-block-heading" id="promote-a-culture-of-see-something-say-something">Promote a culture of see something, say something</h2>
  719.  
  720.  
  721.  
  722. <p>No one likes to be a snitch. But we all should keep in mind that highlighting a violation of policy, procedure, or odd behavior outside the norms isn’t snitching; it is proactively taking action to resolve a possible risk.</p>
  723.  
  724.  
  725.  
  726. <p>This is where the good news exists. Again, pulling from the DTEX report, 72% of investigation requests in which the company (DTEX) was asked to assist their customer in resolving a problem — that is, determine whether there was a risk, a threat, or the situation was benign — were initiated by their customer’s human resource department.</p>
  727.  
  728.  
  729.  
  730. <p>A culture of see something, say something is necessary for every entity and absent such, the CISO and others holding the responsibility and accountability of protecting the entity’s assets will be operating in the dark.</p>
  731.  
  732.  
  733.  
  734. <p>Insider risk management is a team effort, with the CISO holding key technological ingredients to successful implementation. Yet not all the key ingredients are to be found in data — the human is in the mix as well, and it is wise to remember that a human problem requires a human solution.</p>
  735. </div></div></div></div>]]></description>
  736. <link>https://www.csoonline.com/article/2112460/employee-discontent-brewing-in-darkness-theres-the-source-of-your-insider-threat.html</link>
  737. <post-id xmlns="com-wordpress:feed-additions:1">2112460</post-id><category>CSO and CISO, Human Resources, Risk Management, Threat and Vulnerability Management</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_1451794184-100952664-orig.jpg?quality=50&#038;strip=all" length="1414320" type="image/jpeg" />
  738. </item>
  739. <item>
  740. <title>Download the hybrid cloud data protection enterprise buyer’s guide</title>
  741. <pubDate>Mon, 20 May 2024 15:00:00 +0000</pubDate>
  742. <description><![CDATA[<div id="remove_no_follow">
  743. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  744.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  745. <div class="article-column__content">
  746. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  747.  
  748.  
  749.  
  750. <p>To safeguard your data in hybrid cloud environments, organizations need to apply basic data security techniques such as encryption, data-loss prevention, secure web gateways, and cloud-access security brokers.<br>But such security is just the start.</p>
  751. </div></div></div></div>]]></description>
  752. <link>https://us.resources.csoonline.com/resources/download-the-hybrid-cloud-data-protection-buyers-guide-pdf/</link>
  753. <post-id xmlns="com-wordpress:feed-additions:1">2098357</post-id><category>Cloud Security, Data and Information Security, Enterprise Buyer’s Guides</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/hybrid-cloud-data-protection-buyers-guide-primary.png" length="259413" type="image/png" />
  754. </item>
  755. <item>
  756. <title>Global stability issues alter cyber threat landscape, ESET reports</title>
  757. <pubDate>Mon, 20 May 2024 09:30:00 +0000</pubDate>
  758. <description><![CDATA[<div id="remove_no_follow">
  759. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  760.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  761. <div class="article-column__content">
  762. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  763.  
  764.  
  765.  
  766. <p>Threat actors are boosting attacks across the globe, with geographic events influencing which regions are being hit the hardest, according to a new report from threat intel researchers ESET.</p>
  767.  
  768.  
  769.  
  770. <p>Although the report’s lead author said no new attack methods have been found, he advises CISOs to double down on their defense strategies given the activity.</p>
  771.  
  772.  
  773.  
  774. <p>Current attack techniques “still work well,” Jean-Ian Boutin, ESET’s director of threat research, told CSO. As such, novel vectors aren’t entirely necessary for attackers. CISOs are doing the right things to combat these attacks, Boutin said; they just need to harden further.</p>
  775.  
  776.  
  777.  
  778. <p>Regional stability issues are spilling over into the cybersphere, according to the researchers, as the main global attack trends ESET has uncovered have been directly influenced by them. </p>
  779.  
  780.  
  781.  
  782. <p>“After the Hamas-led attack on Israel in October 2023, and throughout the ongoing war in Gaza, ESET has detected a significant increase in activity from Iran-aligned threat groups,” <a href="https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2023-q1-2024.pdf">the researchers wrote in the report</a>, which focuses on activities of selected advanced persistent threat (APT) groups from October 2023 to March 2024.</p>
  783.  
  784.  
  785.  
  786. <p>ESET researchers also noted Russia-aligned groups focusing their attention on espionage throughout the European Union, along with attacks against Ukraine.</p>
  787.  
  788.  
  789.  
  790. <p>“On the other hand, several China-aligned threat actors exploited vulnerabilities in public-facing appliances, such as VPNs and firewalls, and software, such as Confluence and Microsoft Exchange Server, for initial access to targets in multiple verticals,” the researchers wrote. “North Korea-aligned groups continued to target aerospace and defense companies and the cryptocurrency industry.”</p>
  791.  
  792.  
  793.  
  794. <p>Russia-aligned APT groups topped the list of attack sources, according to ESET, at 33% of attacks tracked. China-aligned threat actors comprised 25% of attack sources, with APT groups aligned with Iran (14%), North Korea (13%), and other Middle East countries (7%) rounding out the top five.</p>
  795.  
  796.  
  797.  
  798. <p>Government entities were the top targets across Europe, Asia, the Middle East, and the Americas. Other notable verticals under increased pressure have been energy and defense firms in Europe, engineering and manufacturing firms in Asia and the Middle East, and education, healthcare, and retail companies in the Americas.</p>
  799.  
  800.  
  801.  
  802. <p>CISOs working in those industry and region pairs should be extra vigilant.</p>
  803.  
  804.  
  805.  
  806. <h2 class="wp-block-heading" id="attack-analysis">Attack analysis</h2>
  807.  
  808.  
  809.  
  810. <p>One of the newer tactics ESET is seeing in North Korea leverages emotions to prevent the attack from being reported, which will likely extend its use and effectiveness. The technique itself, Boutin said, has been around for years, but North Korean APT groups are making a minor tweak. </p>
  811.  
  812.  
  813.  
  814. <p>The attack is sent to programmers and other technical talent, masquerading as a job application with several major US companies. The attacker claims to be a recruiter for those businesses, and when victims are asked to prove their technical skills with an online test, they are exposed to the malware and the trap is complete.</p>
  815.  
  816.  
  817.  
  818. <p>The emotional twist is that victims are hesitant to report the attack to their security or IT teams because doing so would include having to admit to trying to get another job, Boutin said. </p>
  819.  
  820.  
  821.  
  822. <p>ESET researchers also noted increased supply-chain compromises and trojanized software installers coming from North Korean threat actors, including an <a href="https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/">attack on Taiwan-based multimedia software company CyberLink</a>, which resulted in malicious code being inserted into the company’s software build and delivery process.</p>
  823.  
  824.  
  825.  
  826. <p>Other regional changes noted in the report include:</p>
  827.  
  828.  
  829.  
  830. <ul>
  831. <li><strong>China:</strong> A new China-aligned APT group, CeranaKeeper, has been identified with specific traits connected to the digital footprint of Mustang Panda. The two groups use similar DLL hijacking targets and some shared tooling, according to ESET, but organizational and technical differences suggest they act independently.</li>
  832.  
  833.  
  834.  
  835. <li><strong>Iran:</strong> Threat actors MuddyWater and Agrius have shifted their focus to “more aggressive strategies involving access brokering and impact attacks,” the researchers wrote. Previously, the groups were more involved with cyberespionage (MuddyWater) and ransomware (Agrius). OilRig and Ballistic Bobcat eased up on activities, “suggesting a strategic shift toward more noticeable operations aimed at Israel,” according to ESET.</li>
  836.  
  837.  
  838.  
  839. <li><strong>Russia</strong>: “Operation Texonto, a disinformation and psychological operation (PSYOP), has been spreading false information about Russian election-related protests and the situation in the eastern Ukrainian metropolis Kharkiv, fostering uncertainty among Ukrainians domestically and abroad,” the researchers wrote.</li>
  840.  
  841.  
  842.  
  843. <li><strong>Elsewhere:</strong> A zero-day vulnerability in Roundcube used by Winter Vivern, a group ESET assesses to be aligned with the interests of Belarus, was also noted. Additionally, a campaign in the Middle East has been carried out by SturgeonPhisher, a group believed to be aligned with the interests of Kazakhstan.</li>
  844. </ul>
  845. </div></div></div></div>]]></description>
  846. <link>https://www.csoonline.com/article/2112546/global-stability-issues-alter-cyber-threat-landscape-eset-reports.html</link>
  847. <post-id xmlns="com-wordpress:feed-additions:1">2112546</post-id><category>Advanced Persistent Threats, Cyberattacks, Cybercrime, Data and Information Security, Threat and Vulnerability Management</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_2212948463.jpg?quality=50&#038;strip=all" length="7439639" type="image/jpeg" />
  848. </item>
  849. <item>
  850. <title>The inside story of Cyber Command’s creation</title>
  851. <pubDate>Mon, 20 May 2024 06:00:00 +0000</pubDate>
  852. <description><![CDATA[<div id="remove_no_follow">
  853. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  854.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  855. <div class="article-column__content">
  856. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  857.  
  858.  
  859.  
  860. <p>In June 2009, the Department of Defense created US Cyber Command to address the rapid recognition among military brass that the computer systems they used were increasingly vulnerable to cyberattacks.</p>
  861.  
  862.  
  863.  
  864. <p>Possibly the world’s most powerful cybersecurity command, Cybercom took some rather unconventional means to get up and running — including the use of Hollywood-style cartoon storyboards to sell it to stakeholders and a whole lot of “I’m sorry” Starbucks gift cards.</p>
  865.  
  866.  
  867.  
  868. <p>Since its establishment, Cybercom, which was sub-unified under the US Strategic Command, has emerged as a pivotal hub for US military operations, with the goal of safeguarding national security from foreign adversarial threats. Operating under a “dual-hat” structure, its commander also serves as the head of the National Security Agency (NSA).</p>
  869.  
  870.  
  871.  
  872. <p>Appearing together for the first time in public at the 2024 RSA Conference, the so-called “Four Horsemen of Cyber” — the key architects behind the plan to form the command — shared their personal journeys of turning the concept of Cybercom into a reality.</p>
  873.  
  874.  
  875.  
  876. <h2 class="wp-block-heading" id="cybercoms-complicated-origins">Cybercom’s complicated origins</h2>
  877.  
  878.  
  879.  
  880. <p>Cybercom was born of the need to create a data mining system for the NSA during the Iraq and Afghanistan conflicts in 2007. It culminated in the elevation of Cybercom to a full and independent unified combatant command in 2017.</p>
  881.  
  882.  
  883.  
  884. <p>“It’s an important story,” said Paul Nakasone, who until recently was the head of Cybercom and the NSA and was recently named founding director of the Institute for National Defense and Global Security at Vanderbilt University.</p>
  885.  
  886.  
  887.  
  888. <p>“It’s 2008, and the Department of Defense realizes that there is malware on both unclassified and classified networks. These are the warfighting networks that we’re using for US Central Command. So, the ideas that [former NSA chief] Keith Alexander [had] in terms of where do we need to go as a Department of Defense with cyber forces start to take place,” Nakasone said.</p>
  889.  
  890.  
  891.  
  892. <p>To grasp the scope of the problem, “it was very, very senior people asking very, very basic questions like, well, how many computers are impacted or where did it come from? Or what do we do about it?” he said.</p>
  893.  
  894.  
  895.  
  896. <p>“We could not answer the question of how many computers were on the SIPRNet [the secret component of the Defense Information Systems Network],” said Lt. Gen. S.L. Davis, the inspector general of the Department of the Air Force. “So, there were those basic questions. I think there was a realization that we didn’t really understand the system as well as we should.”</p>
  897.  
  898.  
  899.  
  900. <p>For commanders, this was obvious, “and everyone woke up relying on this network — four stars [generals], senior civilians,” said retired US Navy Vice Admiral T.J. White, now nonresident senior fellow of the Atlantic Council’s Scowcroft Center for Strategy and Security. “That’s unsettling in the minimum.”</p>
  901.  
  902.  
  903.  
  904. <h2 class="wp-block-heading" id="making-the-nsa-relevant-to-combat-troops-on-the-ground">Making the NSA relevant to combat troops on the ground</h2>
  905.  
  906.  
  907.  
  908. <p>Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), said Alexander “really wanted to take NSA from behind the green door and make us relevant to the warfighter.”</p>
  909.  
  910.  
  911.  
  912. <p>NSA officers, military and civilian, were deployed into the field to support combat teams with cryptologic support teams. “And this is what Paul was doing. He was training those teams and deploying them out,” Easterly said.</p>
  913.  
  914.  
  915.  
  916. <p>The other thing they were asked to work on was implementing this capability in the form of the data mining system Real-Time Regional Gateway (RT-RG) used in Iraq and Afghanistan.</p>
  917.  
  918.  
  919.  
  920. <p>The gateway was intended to take all the communications in the theater that insurgents in particular were using to plan and operationalize attacks. That included satellite or cellphone communications and reporting from troops on the ground. These would be integrated, enriched, and correlated to illuminate terrorist networks “not in days or weeks but in hours and minutes.”</p>
  921.  
  922.  
  923.  
  924. <p>“It sparked a lot of energy around how we actually support the troops on the ground” and saved lives, Easterly said, “but it also brought home the lessons to a combatant commander, to General Petraeus at the time, how important cyber and communications were becoming.”</p>
  925.  
  926.  
  927.  
  928. <h2 class="wp-block-heading" id="using-cartoons-to-sell-the-idea-of-cybercom">Using cartoons to sell the idea of Cybercom</h2>
  929.  
  930.  
  931.  
  932. <p>Moving Cyber Command from concept to reality happened rapidly but was no easy feat.</p>
  933.  
  934.  
  935.  
  936. <p>“The first task was just really combining these two existing organizations [the defense-oriented Joint Task Force-Global Network Operations and relevant offense operations] that would grow over time and become a much larger task that would become building us Cybercom,” Davis said.</p>
  937.  
  938.  
  939.  
  940. <p>Educating the top brass and policymakers was one hurdle the team faced in a relatively early cybersecurity era. “I remember seeing a lot of superiors and high-ranking folks who would never read their email — in fact, they’d get it printed and then read it. And you had to begin with just level-setting on the education in terms of what this is all about,” Davis said.</p>
  941.  
  942.  
  943.  
  944. <p>“We started with a narrative, and we said, ‘Let’s educate senior members of the Department of Defense and anyone else,’” Nakasone said. “We came up with what was functionally known as the cyber storyboard. And it was literally a story that we took senior folks from the Department of Defense and other elements of our government through in terms of what we wanted to do.”</p>
  945.  
  946.  
  947.  
  948. <p>“We had occasion in early stages to go to California, come to Hollywood, talk to the movie industry,” White said. When they asked how writers and producers would build a narrative, they were introduced to the concept of the storyboard.</p>
  949.  
  950.  
  951.  
  952. <p>“So that’s what we tried to do, and we had some incredible talent. It was very, very dynamic. I think probably 100-plus versions of that brief were given over 100 times in probably a nine-month period,” White said.</p>
  953.  
  954.  
  955.  
  956. <p>“Literally telling it at the basic level using cartoons actually helped them to really understand it,” Davis said. “I think it was one of the big keys to our success.”</p>
  957.  
  958.  
  959.  
  960. <h2 class="wp-block-heading" id="soothing-ruffled-feathers-with-starbucks-cards">Soothing ruffled feathers with Starbucks cards</h2>
  961.  
  962.  
  963.  
  964. <p>Another hurdle the team had to overcome was institutional mistrust. “There were naysayers and NSA felt as though Cybercom was going to eat us,” Nakasone said.</p>
  965.  
  966.  
  967.  
  968. <p>At the same time, “everyone at Cybercom thought that NSA was going to eat up Cybercom and take it over. So, there was distrust on both sides,” Davis added.</p>
  969.  
  970.  
  971.  
  972. <p>“When you go to the combatant commands, they’re, of course, worried that you’re standing up a new combatant command with separate authorities, and how will that work? A big part of our outreach was going to those combatant commands and talking about how Cybercom would support them as opposed to how Cybercom would be supported. And I think that was key,” Davis said.</p>
  973.  
  974.  
  975.  
  976. <p>“The interest in cyber was across the board,” Nakasone said. “Everyone wanted to see what these folks were doing and what are you creating.”</p>
  977.  
  978.  
  979.  
  980. <p>“So, we thought we’d have a little gathering of 30 people, and there were 90 people in this room, and NSA protocols were overwhelmed, and someone then says, ‘They just let these people in without checking their clearances,’” Nakasone said. “Well, you can imagine that was gasoline on the fire. And so, it was a very, very interesting day.”</p>
  981.  
  982.  
  983.  
  984. <p>“T.J. [White] and I went to the protocol office and brought a lot of Starbucks gift cards” as an apology for overcrowding the meeting and running afoul of NSA clearance policies, Easterly said.</p>
  985.  
  986.  
  987.  
  988. <h2 class="wp-block-heading" id="creating-the-dual-hat-structure-won-the-day">Creating the ‘dual-hat’ structure won the day</h2>
  989.  
  990.  
  991.  
  992. <p>Easterly pointed out that one of the things the group was “trying to get across was how important it was to build this new combatant command on [NSA’s] cryptologic platform, which was something that was super different.”</p>
  993.  
  994.  
  995.  
  996. <p>“And that led to the dual-hat structure where the director of NSA was also the commander of US Cybercom,” Easterly said. “Part of the cyber storyboard had to bring in all of these exquisite NSA capabilities that were so key to being successful in cyberspace, both defensively and offensively.”</p>
  997.  
  998.  
  999.  
  1000. <p>“And that’s where we brought in some fantastic NSA people to brief on technical capabilities, to brief on computer network operations and hunting capabilities and defensive stuff,” she added. “I think that was the secret sauce.”</p>
  1001.  
  1002.  
  1003.  
  1004. <p>Nakasone said, “Clearly, this was the piece that was different. We said, ‘Hey, this is how we’re going to hunt in the future, and this is how we’re going to use data in the future, and this is how we’re going to look at the way the intelligence community has done intelligence operations on that.’”</p>
  1005.  
  1006.  
  1007.  
  1008. <p>Easterly said that the Four Horsemen of Cyber successfully took Cybercom from conception to reality in about 15 months. “I don’t recall a lot of days off, maybe Christmas and New Year’s,” she said.</p>
  1009. </div></div></div></div>]]></description>
  1010. <link>https://www.csoonline.com/article/2110982/cartoons-starbucks-cards-and-hollywood-storyboards-how-us-cyber-command-came-to-be.html</link>
  1011. <post-id xmlns="com-wordpress:feed-additions:1">2110982</post-id><category>Aerospace and Defense Industry, CSO and CISO, IT Leadership, Military, Security Practices</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/US-Cyber-Command.jpg?quality=50&#038;strip=all" length="547297" type="image/jpeg" />
  1012. </item>
  1013. <item>
  1014. <title>SEC rule for finance firms boosts disclosure requirements</title>
  1015. <pubDate>Fri, 17 May 2024 13:01:48 +0000</pubDate>
  1016. <description><![CDATA[<div id="remove_no_follow">
  1017. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  1018.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  1019. <div class="article-column__content">
  1020. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  1021.  
  1022.  
  1023.  
  1024. <p>The SEC announced rule changes for some financial companies that will require more customer disclosures when security incidents impact their personal information as well as mandate incident response programs. The new rule, however, is unlikely to change anything for enterprise financial companies as they were either already required to make such disclosures or already had incident response programs in place.</p>
  1025.  
  1026.  
  1027.  
  1028. <p>“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC chair Gary Gensler <a href="https://www.sec.gov/news/press-release/2024-58">in a statement</a>. “These amendments will help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”</p>
  1029.  
  1030.  
  1031.  
  1032. <p>The <a href="https://www.sec.gov/files/rules/final/2024/34-100155.pdf">new rules</a> are amendments to Regulation S-P and only apply to broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.</p>
  1033.  
  1034.  
  1035.  
  1036. <p>The disclosure standard has nothing to do with whether the security incident was material or not. It “would provide notices to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization as soon as practicable, but not later than 30 days, after becoming aware that the incident occurred or is reasonably likely to have occurred,” the SEC said.</p>
  1037.  
  1038.  
  1039.  
  1040. <p>Mark Rasch, an attorney specializing in cybersecurity issues who used to head the US Justice Department’s high-tech crimes group, told CSO that the new rule instructs companies “to secure that which they have been securing for decades. But the SEC is saying ‘Now you really have to do it.’ This is the toddler bedtime rule: ‘Now this time, I really mean that you have to go to bed.’”</p>
  1041.  
  1042.  
  1043.  
  1044. <p>Rasch, who also does legal work for threat intel firm Unit221B, said that the new rule requires an incident response program, but it doesn’t in any way specify what such a program needs to look like. It does require that such programs be reasonably calculated to be effective, he said. “How do we know when it’s ineffective? We only know that when it doesn’t work” and a security problem happens.</p>
  1045.  
  1046.  
  1047.  
  1048. <p>He suggests CISOs continue to do what they have historically always done: Examine the NIST guidelines to develop an appropriate incident response program.</p>
  1049.  
  1050.  
  1051.  
  1052. <h2 class="wp-block-heading" id="new-rules-raise-questions">New rules raise questions</h2>
  1053.  
  1054.  
  1055.  
  1056. <p>Rasch also expressed concerns that the new rule focuses on personal information and not the many other types of sensitive financial data, such as evidence of insider trading. “By focusing narrowly on personal information, many companies will take their eyes off the ball and focus only on PII. And that’s a mistake,” Rasch said. </p>
  1057.  
  1058.  
  1059.  
  1060. <p>He also complained that the new rule limited disclosure requirements to the financial institutions and not to their many third parties. “This is a significant oversight given that third-party service providers often play a crucial role in data management and can be a weak link in the security chain. Without mandatory protections at the third-party level, overall system security might be compromised.”</p>
  1061.  
  1062.  
  1063.  
  1064. <p>One SEC Commissioner, Hester Peirce, voted for the new rule, but expressed concerns it might generate notification fatigue, which could lead to people eventually ignoring all security notifications. “My greatest concern about the rule is that its breadth could undermine the value of the customer notifications by making them so commonplace that people ignore them. At some point, the notifications will stop having the intended effect. If covered institutions fear being second-guessed after making a reasonable judgment not to send a notice, they will err on the side of sending a notice, even if one might not be necessary?” Peirce asked <a href="https://www.sec.gov/news/statement/peirce-statement-reg-s-p-051624">in a statement</a>. “How does your behavior change if you start getting a notice every few months? Or every month? Or every week? What if you get notifications from multiple entities related to the same breach?”</p>
  1065.  
  1066.  
  1067.  
  1068. <p>Peirce also said that the new rule may only aggravate today’s two-tier breach disclosure rules, with different states mandating different rules than various federal agencies. “The industry still will contend with an array of different and sometimes conflicting state and federal requirements. Further consolidation and harmonization of these requirements is a worthy goal on which federal and state regulators should continue to work,” Peirce said. </p>
  1069.  
  1070.  
  1071.  
  1072. <p>Brian Levine, an attorney who is the Ernst &amp; Young managing director for cybersecurity, appreciates Peirce’s position but strongly disagrees with her conclusion. “They need to be reducing the underlying breaches and not worry about whether their customers are getting desensitized to them,” Levine told CSO. “Notification fatigue is a very real thing, but the solution is to have fewer breaches, not fewer notifications.”</p>
  1073.  
  1074.  
  1075.  
  1076. <p>The SEC’s documentation maintains the regulations are being changed. The problem is that a myriad of other federal and industry requirements covers the same or similar ground.</p>
  1077.  
  1078.  
  1079.  
  1080. <p>“Currently, Regulation S-P’s protections under the safeguards rule and disposal rule apply to different, and at times overlapping, sets of information. Specifically, as required under the GLBA, the safeguards rule requires broker-dealers, investment companies, and registered investment advisers, but not transfer agents, to maintain written policies and procedures to protect customer records and information, which is not defined in the GLBA or in Regulation S-P,” the SEC filing stated. </p>
  1081.  
  1082.  
  1083.  
  1084. <p>“Currently, the safeguards rule addresses protecting customer information against unauthorized access or use, but it does not include a requirement to notify affected individuals in the event of a data breach. In assessing firm and industry compliance with these requirements, Commission staff typically focus on information security controls, including whether firms have taken appropriate measures to safeguard customer accounts and to respond to data breaches.”</p>
  1085. </div></div></div></div>]]></description>
  1086. <link>https://www.csoonline.com/article/2112440/sec-rule-for-finance-firms-boosts-disclosure-requirements.html</link>
  1087. <post-id xmlns="com-wordpress:feed-additions:1">2112440</post-id><category>Data Breach, Data Privacy, Financial Services Industry</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/calculations_budget_finance_one_person_uses_a_calculator_another_reviews_finacial_data_money_spend_save_by_tktk_shutterstock_1209747433_creative_digital-only-100892901-orig.jpg?quality=50&#038;strip=all" length="767735" type="image/jpeg" />
  1088. </item>
  1089. <item>
  1090. <title>DDoS attacks: Definition, examples, and techniques</title>
  1091. <pubDate>Fri, 17 May 2024 10:00:00 +0000</pubDate>
  1092. <description><![CDATA[<div id="remove_no_follow">
  1093. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  1094.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  1095. <div class="article-column__content">
  1096. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  1097.  
  1098.  
  1099.  
  1100. <h2 class="wp-block-heading" id="what-is-a-ddos-attack">What is a DDoS attack?</h2>
  1101.  
  1102.  
  1103.  
  1104. <p>A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The result is that available internet bandwidth, CPU, and RAM capacity become overwhelmed.</p>
  1105.  
  1106.  
  1107.  
  1108. <p>The impact could range from a minor annoyance from disrupted services to entire websites, applications, or even entire businesses being taken offline.</p>
  1109.  
  1110.  
  1111.  
  1112. <p>This type of attack has been around for a long time and continues to grow and evolve. <a href="https://www.netscout.com/threatreport">Netscout reports</a> that it observed 13,142,840 DDoS attacks in 2023 alone. </p>
  1113.  
  1114.  
  1115.  
  1116. <h2 class="wp-block-heading" id="what-is-dos">What is DoS?</h2>
  1117.  
  1118.  
  1119.  
  1120. <p>Denial of service (DoS) is what it sounds like: Thwarting access to virtually anything from servers, devices, and services to networks, applications, and even specific transactions within applications.</p>
  1121.  
  1122.  
  1123.  
  1124. <h3 class="wp-block-heading" id="what-is-the-difference-between-dos-and-ddos">What is the difference between DoS and DDoS?</h3>
  1125.  
  1126.  
  1127.  
  1128. <p>The difference between DoS and DDoS is a matter of scale. In both cases, the aim is to knock the target system offline with more requests for data than the system can handle, but in a DoS attack it’s one system that is sending the malicious data or requests, whereas a DDoS attack comes from multiple systems.</p>
  1129.  
  1130.  
  1131.  
  1132. <p>Distributed attacks can cause much more damage than an attack originating from a single machine, as the defending company needs to block large numbers of IP addresses.</p>
  1133.  
  1134.  
  1135.  
  1136. <h2 class="wp-block-heading" id="common-motives-behind-ddos-attacks">Common motives behind DDoS attacks</h2>
  1137.  
  1138.  
  1139.  
  1140. <p>A DDoS is a blunt instrument of an attack. Unlike a successful infiltration, it doesn’t net you any private data or get you control over your target’s infrastructure. It just knocks their cyber infrastructure offline. Still, in a world where having a web presence is a must for just about any business, a DDoS attack can be a destructive weapon aimed at an enemy. </p>
  1141.  
  1142.  
  1143.  
  1144. <p>There are three main motives behind DDoS attacks:</p>
  1145.  
  1146.  
  1147.  
1148. <p><strong>Taking rivals offline — </strong>The Mirai botnet, which was used in the DDoS attack against DNS provider Dyn, was designed as a weapon in a war among Minecraft server providers. And, today, the gaming industry remains a primary target of DDoS attacks. As Netscout put it in its most recent <a href="https://www.netscout.com/threatreport">DDoS Threat Intelligence Report</a>, “The allure of attacking the gaming industry lies in its substantial financial value and the goal of disrupting competitors.”</p>
  1149.  
  1150.  
  1151.  
1152. <p><strong>Geopolitics</strong> — The Netscout report also noted that politically motivated groups “increasingly are using DDoS as a tool to target those ideologically opposed to them.” In Peru, for example, DDoS attacks spiked after nationwide protests in December. These groups are also “executing attacks that seamlessly transcend national borders.” The pro-Russia hacktivist group NoName057(16), for example, <a href="https://www.csoonline.com/article/1270051/how-russias-noname05716-could-be-a-new-model-for-hacking-groups.html">targeted not just Ukraine</a>, but countries that support Ukraine.</p>
  1153.  
  1154.  
  1155.  
  1156. <p><strong>Financial gain</strong> — While a DDoS attack isn’t the same thing as a <a href="https://www.csoonline.com/article/563507/what-is-ransomware-how-it-works-and-how-to-remove-it.html">ransomware attack</a>, DDoS attackers sometimes will contact their victims and promise to turn off the firehose of packets in exchange for some Bitcoin.  </p>
  1157.  
  1158.  
  1159.  
  1160. <p>And, sometimes, DDoS attackers are just in it for the money—not money from you, but from someone who wants to take your website out. Tools called <em>booters </em>and <em>stressers </em>are available on <a href="https://www.csoonline.com/article/564313/what-is-the-dark-web-how-to-access-it-and-what-youll-find.html">the dark web</a> that essentially provide <a href="https://www.csoonline.com/article/560901/report-criminals-find-profit-rates-of-up-to-95-percent-with-ddos-attacks.html">DDoS-as-a-Service</a> to interested customers, offering access to ready-made botnets at the click of a button, for a price.</p>
  1161.  
  1162.  
  1163.  
  1164. <h2 class="wp-block-heading" id="how-do-ddos-attacks-work">How do DDoS attacks work?</h2>
  1165.  
  1166.  
  1167.  
1168. <p><strong>DDoS botnets</strong> are the core of any DDoS attack. A <a href="https://www.csoonline.com/article/563821/what-is-a-botnet.html">botnet</a> consists of hundreds or thousands of machines, called <em>zombies </em>or <em>bots,</em> that a malicious hacker has gained control over. The attackers harvest these systems by identifying vulnerable machines that they can infect with <a href="https://www.csoonline.com/article/565999/what-is-malware-viruses-worms-trojans-and-beyond.html">malware</a> through <a href="https://www.csoonline.com/article/514515/what-is-phishing-examples-types-and-techniques.html">phishing</a> attacks, <a href="https://www.csoonline.com/article/567045/what-is-malvertising-and-how-you-can-protect-against-it.html">malvertising</a> attacks, and other mass infection techniques. The infected machines can range from ordinary home or office PCs to IoT devices—the <a href="https://www.csoonline.com/article/564711/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html">Mirai botnet</a> famously marshalled an army of hacked CCTV cameras—and their owners almost certainly don’t know they’ve been compromised, as the devices continue to function normally in most respects.</p>
  1169.  
  1170.  
  1171.  
  1172. <p>The infected machines await a remote command from a so-called command-and-control server, which serves as a command center for the attack and is often itself a hacked machine. Once unleashed, the bots all attempt to access some resource or service that the victim makes available online. Individually, the requests and network traffic directed by each bot towards the victim would be harmless and normal. But because there are so many of them, the requests often overwhelm the target system’s capacities—and because the bots are generally ordinary computers widely distributed across the internet, it can be difficult or impossible to block out their traffic without cutting off legitimate users at the same time.</p>
  1173.  
  1174.  
  1175.  
  1176. <h3 class="wp-block-heading" id="types-of-ddos-attacks">Types of DDoS attacks</h3>
  1177.  
  1178.  
  1179.  
  1180. <p>There are three primary classes of DDoS attacks, distinguished mainly by the type of traffic they lob at victims’ systems:</p>
  1181.  
  1182.  
  1183.  
  1184. <ol>
  1185. <li><strong>Volume-based attacks</strong> use massive amounts of bogus traffic to overwhelm a resource such as a website or server. They include ICMP, UDP and spoofed-packet flood attacks. The size of a volume-based attack is measured in bits per second (bps).</li>
  1186.  
  1187.  
  1188.  
  1189. <li><strong>Protocol or network-layer DDoS attacks</strong> send large numbers of packets to targeted network infrastructures and infrastructure management tools. These protocol attacks include SYN floods and Smurf DDoS, among others, and their size is measured in packets per second (PPS).</li>
  1190.  
  1191.  
  1192.  
  1193. <li><strong>Application-layer attacks</strong> are conducted by flooding applications with maliciously crafted requests. The size of application-layer attacks is measured in requests per second (RPS).</li>
  1194. </ol>
  1195.  
  1196.  
  1197.  
  1198. <h3 class="wp-block-heading" id="techniques-used-in-ddos-attacks">Techniques used in DDoS attacks</h3>
  1199.  
  1200.  
  1201.  
  1202. <p>Techniques common to all types of DDoS attacks include:</p>
  1203.  
  1204.  
  1205.  
  1206. <ul>
  1207. <li><strong>Spoofing: </strong>We say that an attacker <em>spoofs</em> an IP packet when they change or obfuscate information in its header that should tell you where it’s coming from. Because the victim can’t see the packet’s real source, it can’t block attacks coming from that source.</li>
  1208.  
  1209.  
  1210.  
1211. <li><strong>Reflection: </strong>The attacker may craft an IP packet with a spoofed source address so it looks like it originated from the intended victim, then send that packet to a third-party system, which “replies” back to the victim. This makes it even harder for the target to understand where an attack is truly coming from.</li>
  1212.  
  1213.  
  1214.  
  1215. <li><strong>Amplification: </strong>Certain online services can be tricked into replying to packets with very large packets, or with multiple packets.</li>
  1216. </ul>
  1217.  
  1218.  
  1219.  
  1220. <p>All three of these techniques can be combined into what’s known as a <a href="https://www.csoonline.com/article/571193/what-is-a-reflection-amplification-ddos-attack.html">reflection or amplification DDoS attack</a>, which has become increasingly common.</p>
  1221.  
  1222.  
  1223.  
  1224. <h2 class="wp-block-heading" id="how-to-identify-ddos-attacks">How to identify DDoS attacks</h2>
  1225.  
  1226.  
  1227.  
1228. <p>DDoS attacks can be difficult to diagnose. After all, the attacks superficially resemble a flood of legitimate requests from legitimate users. But there are ways to distinguish the artificial traffic of a DDoS attack from the more “natural” traffic you’d expect from real users.</p>
  1229.  
  1230.  
  1231.  
  1232. <p><strong>DDoS attack symptoms to watch for</strong>:</p>
  1233.  
  1234.  
  1235.  
  1236. <ul>
  1237. <li>Despite spoofing or distribution techniques, many DDoS attacks will originate from a restricted range of IP addresses or from a single country or region—perhaps a region that you don’t ordinarily see much traffic from.</li>
  1238.  
  1239.  
  1240.  
  1241. <li>Similarly, you might notice that all the traffic is coming from the same kind of client, with the same OS and web browser showing up in its HTTP requests, instead of showing the diversity you’d expect from real visitors.</li>
  1242.  
  1243.  
  1244.  
1245. <li>The traffic might hammer away at a single server, network port, or web page, rather than being evenly distributed across your site.</li>
  1246.  
  1247.  
  1248.  
  1249. <li>The traffic could come in regularly timed waves or patterns.</li>
  1250. </ul>
  1251.  
  1252.  
  1253.  
  1254. <h2 class="wp-block-heading" id="how-to-stop-a-ddos-attack">How to stop a DDoS attack</h2>
  1255.  
  1256.  
  1257.  
  1258. <p>Mitigating a DDoS attack is difficult because, as previously noted, the attack takes the form of web traffic of the same kind that your legitimate customers use. It would be easy to “stop” a DDoS attack on your website simply by blocking all HTTP requests, and indeed doing so may be necessary to keep your server from crashing. But doing that also blocks anyone else from visiting your website, which means your attackers have achieved their goals.</p>
  1259.  
  1260.  
  1261.  
  1262. <p>If you can distinguish DDoS traffic from legitimate traffic as described in the previous section, that can help mitigate the attack while keeping your services at least partially online: for instance, if you know the attack traffic is coming from Eastern European sources, you can block IP addresses from that geographic region. A good preventative technique is to shut down any publicly exposed services that you aren’t using. Services that might be vulnerable to application-layer attacks can be turned off without affecting your ability to serve web pages.</p>
  1263.  
  1264.  
  1265.  
1266. <p>In general, though, the best way to mitigate DDoS attacks is simply to have the capacity to withstand large amounts of inbound traffic. Depending on your situation, that might mean beefing up your own network, or making use of a <em>content delivery network (CDN),</em> a service designed to accommodate huge amounts of traffic. Your network service provider might also have its own mitigation services you can make use of.</p>
  1267.  
  1268.  
  1269.  
  1270. <h2 class="wp-block-heading" id="is-ddos-illegal">Is DDoS illegal?</h2>
  1271.  
  1272.  
  1273.  
  1274. <p>Yes, DDoS is illegal. Most anti-cybercrime laws, in the <a href="https://www.upguard.com/blog/is-ddosing-illegal">U.S.</a>, the <a href="https://www.nationalcrimeagency.gov.uk/?view=article&amp;id=243:ddos-attacks-are-illegal&amp;catid=2">U.K.</a>, and elsewhere, are fairly broadly drawn and criminalize any act that impairs the operation of a computer or online service, rather than specifying particular techniques. And the act of hacking into a computer to make it part of a botnet is itself illegal. </p>
  1275.  
  1276.  
  1277.  
1278. <p>You might see a counterargument that goes something like this: it’s not illegal to send web traffic or requests over the internet to a server, so DDoS attacks, which merely aggregate an overwhelming amount of web traffic, cannot be deemed a crime. This is a fundamental misunderstanding of the law, however.</p>
  1279.  
  1280.  
  1281.  
  1282. <p>Simulating a DDoS attack with the consent of the target organization for the purposes of stress-testing their network is legal, however.</p>
  1283.  
  1284.  
  1285.  
  1286. <h2 class="wp-block-heading" id="ddos-attack-examples">DDoS attack examples</h2>
  1287.  
  1288.  
  1289.  
1290. <p>March 2024 — a group of Russia-aligned hacktivists <a href="https://www.csoonline.com/article/1313027/russia-aligned-hackers-take-down-french-state-services-in-massive-ddos-attack.html">disrupted several French government services</a> with a series of DDoS attacks.</p>
  1291.  
  1292.  
  1293.  
  1294. <p>June 2022 — <a href="https://www.csoonline.com/article/573469/google-cloud-blocks-largest-https-ddos-attack-ever.html">Google disrupts the largest DDoS attack to date</a>, which over the course of a couple of minutes reached 46 million requests per second.</p>
  1295.  
  1296.  
  1297.  
  1298. <p>October 2016 — A <a href="https://www.csoonline.com/article/558603/ddos-attack-against-overwhelmed-despite-mitigation-efforts.html">DDoS attack on DNS provider Dyn</a> knocked out internet access to most of the US East Coast and almost took down the internet. This remains one of the most infamous DDoS attacks of all time.</p>
  1299.  
  1300.  
  1301.  
  1302. <p>March 2014 — Project management software provider Basecamp was <a href="https://www.csoonline.com/article/510599/network-security-after-refusing-to-pay-ransom-basecamp-hit-with-ddos.html">taken offline by a DDoS attack</a> after refusing to pay a ransom.</p>
  1303.  
  1304.  
  1305.  
  1306. <p>February 2004 — A DDoS attack famously took the SCO Group’s website offline. At the time, the company was much in the news for lawsuits relating to its <a href="https://www.infoworld.com/article/2658169/judge-tosses-200-sco-claims-vs--ibm.html">claiming to own the rights to Linux</a>, leading to speculation that open source advocates were responsible for the attack.</p>
  1307. </div></div></div></div>]]></description>
  1308. <link>https://www.csoonline.com/article/571981/ddos-attacks-definition-examples-and-techniques.html</link>
  1309. <post-id xmlns="com-wordpress:feed-additions:1">571981</post-id><category>Cyberattacks, DDoS</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_1068375200.jpg?quality=50&#038;strip=all" length="1522881" type="image/jpeg" />
  1310. </item>
  1311. <item>
  1312. <title>FCC proposes BGP security measures</title>
  1313. <pubDate>Fri, 17 May 2024 07:38:54 +0000</pubDate>
  1314. <description><![CDATA[<div id="remove_no_follow">
  1315. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  1316.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  1317. <div class="article-column__content">
  1318. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  1319.  
  1320.  
  1321.  
1322. <p>Jessica Rosenworcel wants ISPs to tell her how they’re securing BGP (Border Gateway Protocol), a critical system for routing internet traffic.</p>
  1323.  
  1324.  
  1325.  
  1326. <p>The chairwoman of the US Federal Communications Commission has proposed that the FCC require large broadband service providers to submit confidential reports on their plans to manage security risks associated with their use of BGP. The proposal aims to protect against bad actors who could pose a threat to national security and disrupt critical Internet infrastructure by exploiting BGP vulnerabilities, the <a href="https://docs.fcc.gov/public/attachments/DOC-402579A1.pdf">FCC said Wednesday</a>.</p>
  1327.  
  1328.  
  1329.  
  1330. <p>The FCC began taking a close interest in BGP security in 2022, in response to the <a href="https://www.networkworld.com/article/970744/fcc-looks-into-bgp-vulnerabilities-in-light-of-russian-hacking-threat.html">threat posed by Russian hackers</a> following the invasion of Ukraine. “Russian network operators have been suspected of exploiting BGP’s vulnerability for hijacking in the past,” the FCC statement said, adding, “BGP hijacks can expose Americans’ personal information, enable theft, extortion, state-level espionage, and disrupt otherwise-secure transactions.”</p>
  1331. </div></div></div></div>]]></description>
  1332. <link>https://www.networkworld.com/article/2111862/fcc-proposes-bgp-security-measures.html</link>
  1333. <post-id xmlns="com-wordpress:feed-additions:1">2111869</post-id><category>Network Security, Regulation</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/border_43250812.jpg?quality=50&#038;strip=all" length="5218462" type="image/jpeg" />
  1334. </item>
  1335. <item>
  1336. <title>US AI experts targeted in cyberespionage campaign using SugarGh0st RAT</title>
  1337. <pubDate>Thu, 16 May 2024 21:47:03 +0000</pubDate>
  1338. <description><![CDATA[<div id="remove_no_follow">
  1339. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  1340.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  1341. <div class="article-column__content">
  1342. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  1343.  
  1344.  
  1345.  
  1346. <p>Security researchers have warned about a new cyberespionage campaign that targets artificial intelligence experts working in private industry, government and academia. The attackers, likely of Chinese origin, are using a remote access trojan (RAT) called SugarGh0st.</p>
  1347.  
  1348.  
  1349.  
  1350. <p>“The timing of the recent campaign coincides with an 8 May 2024 report from Reuters, revealing that the US government was furthering efforts to limit Chinese access to generative artificial intelligence,” researchers from security firm <a href="https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american">Proofpoint found in their analysis</a>. “It is possible that if Chinese entities are restricted from accessing technologies underpinning AI development, then Chinese-aligned cyber actors may target those with access to that information to further Chinese development goals.”</p>
  1351.  
  1352.  
  1353.  
  1354. <p>It’s worth noting though that Proofpoint has not confidently linked this to a known threat actor, much less a state-aligned one, and for now it attributes the activity to a temporary UNK_SweetSpecter alias.</p>
  1355.  
  1356.  
  1357.  
  1358. <p>SugarGh0st is a customized version of a commodity trojan program called Gh0stRAT that has historically been used in attacks by many Chinese groups. SugarGh0st itself was first <a href="https://blog.talosintelligence.com/new-sugargh0st-rat/">documented by researchers</a> from Cisco Talos in November 2023 when it was used against government targets in Uzbekistan and South Korea.</p>
  1359.  
  1360.  
  1361.  
  1362. <p>At the time, the Talos team attributed the attacks with low confidence to a Chinese-speaking threat actor due to Chinese language artifacts present in the trojan’s code. According to Proofpoint, those artifacts still exist in the samples used in this new campaign against AI experts and the infection chain is similar to that used in the November attack.</p>
  1363.  
  1364.  
  1365.  
  1366. <h2 class="wp-block-heading" id="phishing-used-as-initial-access-point">Phishing used as initial access point</h2>
  1367.  
  1368.  
  1369.  
1370. <p>The victims are targeted via email phishing with an AI-themed lure in which the attackers presented themselves as users of a tool the victims would be familiar with and asked for help with a problem. The emails carried a malicious ZIP attachment with a .LNK (Windows shortcut) file inside.</p>
  1371.  
  1372.  
  1373.  
  1374. <p>LNK files are a common distribution mechanism for malware because they can be used to execute shell commands. In this case, the rogue LNK file contained command line parameters to execute JavaScript code that acted as a malware dropper.</p>
  1375.  
  1376.  
  1377.  
1378. <p>A malware dropper is a program or script used to “drop” additional payloads on a system, either by decrypting their code stored in an existing file or by downloading the payloads from a remote location.</p>
  1379.  
  1380.  
  1381.  
  1382. <p>“The JavaScript dropper contained a decoy document, an ActiveX tool that was registered then abused for sideloading, and an encrypted binary, all encoded in base64,” the Proofpoint researchers said. “While the decoy document was displayed to the recipient, the JavaScript dropper installed the library, which was used to run Windows APIs directly from the JavaScript.”</p>
  1383.  
  1384.  
  1385.  
  1386. <p>The JavaScript dropper leverages the ActiveX library to execute shellcode on the system to create a registry startup entry called CTFM0N.exe and reflectively load the SugarGh0st binary in memory.</p>
  1387.  
  1388.  
  1389.  
  1390. <h2 class="wp-block-heading" id="sugargh0st-rat-used-in-highly-targeted-attacks">SugarGh0st RAT used in highly targeted attacks</h2>
  1391.  
  1392.  
  1393.  
  1394. <p>The SugarGh0st RAT connects to a remote command-and-control (C2) server that’s different from the one used in November. Its functionality includes collecting information about the infected system and launching a reverse shell through which attackers can access the system and execute commands.</p>
  1395.  
  1396.  
  1397.  
  1398. <p>Proofpoint has monitored several attack campaigns that have used SugarGh0st since November and all of them can be described as highly targeted. Targets included a US telecommunications company, an international media organization, a South Asian government organization and now around 10 individuals that have connections to a leading US-based artificial intelligence organization. </p>
  1399.  
  1400.  
  1401.  
  1402. <p>“While Proofpoint cannot attribute the campaigns with high confidence to a specific state objective, the lure theme specifically referencing an AI tool, targeting of AI experts, interest in being connected with ‘technical personnel,’ interest in a specific software, and highly targeted nature of this campaign is notable,” the researchers said. “It is likely the actor’s objective was to obtain non-public information about generative artificial intelligence.”</p>
  1403.  
  1404.  
  1405.  
  1406. <p>The Proofpoint report includes indicators of compromise in the form of file hashes, URLs and IP addresses used in the campaign, as well as detection signatures.</p>
  1407. </div></div></div></div>]]></description>
  1408. <link>https://www.csoonline.com/article/2111003/us-ai-experts-targeted-in-cyberespionage-campaign-using-sugargh0st-rat.html</link>
  1409. <post-id xmlns="com-wordpress:feed-additions:1">2111003</post-id><category>Data and Information Security, Phishing</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_2287185545.jpg?quality=50&#038;strip=all" length="10414217" type="image/jpeg" />
  1410. </item>
  1411. <item>
  1412. <title>Cycode rolls out ASPM connector marketplace, analysts see it as bare minimum</title>
  1413. <pubDate>Thu, 16 May 2024 15:26:41 +0000</pubDate>
  1414. <description><![CDATA[<div id="remove_no_follow">
  1415. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  1416.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  1417. <div class="article-column__content">
  1418. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  1419.  
  1420.  
  1421.  
  1422. <p>Cycode has announced what it called the first marketplace devoted to the application security posture management (ASPM) space, touting the availability of more than 100 connectors and integrations to link its ASPM platform with other tools.</p>
  1423.  
  1424.  
  1425.  
  1426. <p>But some analysts said the move was unimpressive, labeling it as merely “table stakes” for the ASPM space.</p>
  1427.  
  1428.  
  1429.  
  1430. <p>“Cycode now enables customers to seamlessly integrate and ingest findings from relevant third-party security tools, complement and contextualize those findings with native scanners and eliminate gaps within supply chain security,” Cycode said in its <a href="https://www.globenewswire.com/news-release/2024/05/15/2882477/0/en/Cycode-Launches-Industry-s-First-ASPM-Marketplace.html">news release</a>. “This is a significant milestone that delivers economic optionality for businesses and reinforces Cycode’s position as the industry’s only complete ASPM.”</p>
  1431.  
  1432.  
  1433.  
  1434. <p>Sandra Carielli, a Forrester Research principal analyst, said that she thought it was a fine move that would likely make sense for Cycode’s installed base, but was otherwise unimpressed. </p>
  1435.  
  1436.  
  1437.  
  1438. <p>“For any stand-alone ASPM vendor to get traction, it’s going to have to integrate easily with a large number of third-party scanning tools. There are some application security testing vendors like Synopsys and Snyk that have also added an ASPM component. They can focus first on working with their own testing tools, but even they may eventually benefit from integrations with some of their competitors,” Carielli said. “So announcing a lot of out-of-the-box integrations seems like a table-stakes, necessary feature. Having them in a marketplace may help customers with ease of integration, speed of deployment and overall time to value — maybe. But a quick Google search shows that ArmorCode has <a href="https://www.armorcode.com/integrations">more than 200 integrations</a> and Legit Security <a href="https://www.legitsecurity.com/integrations">has around 75</a>. Just because there isn’t a marketplace doesn’t mean the integrations aren’t easily accessible. So I’m inclined to say this isn’t that interesting an announcement.”</p>
  1439.  
  1440.  
  1441.  
1442. <p>Carielli questioned whether Cycode currently has enough market presence to make an impact with its own marketplace. “Cycode is still pretty small. Are people going to be flocking to the Cycode marketplace?”</p>
  1443.  
  1444.  
  1445.  
  1446. <p>The move is still good news for CSOs looking to better manage application security, she stressed, just not necessarily industry-moving. “They are absolutely solving a problem but I don’t think the marketplace aspect of it is that interesting. I think they wanted to highlight 100 integrations out of the box. That is solid and it is what a vendor like that needs to do to go out to market. But the interesting thing about integration is that (enterprise IT managers) don’t care about the number. They only care if they have the ones they want and need.”</p>
  1447.  
  1448.  
  1449.  
  1450. <h2 class="wp-block-heading" id="a-core-feature">A core feature</h2>
  1451.  
  1452.  
  1453.  
  1454. <p>Dale Gardner, a Gartner senior director analyst who tracks application and software supply chain security, reacted similarly to Carielli.</p>
  1455.  
  1456.  
  1457.  
  1458. <p>“This type of integration is considered a core, required feature for an ASPM solution,” he said. “One of the primary reasons organizations look at these tools is to help integrate information from a variety of application security tools across the SDLC to gain visibility into the security status of an application, help with prioritization, and better understand risks posed by an application,” Gardner said. “In the space, I see a couple of different types of vendors: those who focus on integration of existing tools, and those who also incorporate their own tooling as either a replacement for someone’s existing tools or to augment gaps. Cycode falls into the latter category and in looking at the product, their third-party integrations have been quite broad, covering many different aspects of the lifecycle. But not necessarily deep, with an emphasis on more popular products.”</p>
  1459.  
  1460.  
  1461.  
  1462. <p>Gardner added that Cycode “is trying to expand the scope of their integrations to better address the needs of buyers who are not looking to replace their existing tools. I don’t think this breaks new ground. Competitively, they talk about more than one hundred integrations, which is average, while some vendors support more than 200 tools. This is more of a way to improve their competitive standing.”</p>
  1463.  
  1464.  
  1465.  
  1466. <p>Cycode’s statement characterized the marketplace as quite significant. “The launch of our ASPM marketplace is a major leap in building a comprehensive security ecosystem and we’re proud to be first,” said Seth Robbins, chief revenue officer at Cycode. “Unlike competitors, Cycode’s singular focus on application security and our integrated Risk Intelligence Graph give customers unparalleled precision in their threat prioritization — table stakes for any effective ASPM.”</p>
  1467. </div></div></div></div>]]></description>
  1468. <link>https://www.csoonline.com/article/2110876/cycode-rolls-out-aspm-connector-marketplace-analysts-see-it-as-bare-minimum.html</link>
  1469. <post-id xmlns="com-wordpress:feed-additions:1">2110876</post-id><category>Application Security</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_2329333325-3.jpg?quality=50&#038;strip=all" length="9646040" type="image/jpeg" />
  1470. </item>
  1471. <item>
  1472. <title>BreachForums seized by law enforcement, admin Baphomet arrested</title>
  1473. <pubDate>Thu, 16 May 2024 14:25:36 +0000</pubDate>
  1474. <description><![CDATA[<div id="remove_no_follow">
  1475. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  1476.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  1477. <div class="article-column__content">
  1478. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  1479.  
  1480.  
  1481.  
1482. <p>Global law enforcement authorities have seized BreachForums, a notorious hacker forum that threat actors used to sell stolen data, along with related messaging channels in the Telegram app, in a coordinated takeover.</p>
  1483.  
  1484.  
  1485.  
  1486. <p>The US Federal Bureau of Investigation (FBI) has seized control of various Telegram and other channels belonging to BreachForums site administrators Baphomet and ShinyHunters. The Telegram channel previously owned by Baphomet, BaphometOfficial, now has a seizure message pinned on it.</p>
  1487.  
  1488.  
  1489.  
  1490. <p>The message, posted by Baphomet’s own account, reads: “This Telegram channel is under the control of the FBI. The BreachForums website has been taken down by the FBI and DOJ with assistance from international partners. We are reviewing the site’s backend data. If you have information to report about cyber-criminal activity on BreachForums, please contact us,” followed by details of how to do so.</p>
  1491.  
  1492.  
  1493.  
  1494. <p>To root out additional details about the forum and its activities, the FBI is operating a dedicated subdomain, <a href="https://breachforums.ic3.gov/" target="_blank" rel="noreferrer noopener">breachforums.ic3.gov</a>, and is receiving queries and responses via Telegram at <a href="http://t.me/fbi_breachforums" target="_blank" rel="noreferrer noopener">t.me/fbi_breachforums</a> or email via <a href="mailto:breachforums@fbi.gov" target="_blank" rel="noreferrer noopener">breachforums@fbi.gov</a>.</p>
  1495.  
  1496.  
  1497.  
  1498. <p>A banner on the seized websites reportedly carried a similar message, although at the time of publishing this article all BreachForums domains were found to be defunct, some with redirects.</p>
  1499.  
  1500.  
  1501.  
  1502. <p>The takeover, led by the FBI, was a collaborative effort with authorities of the US, the UK, Australia, New Zealand, Iceland, Switzerland, and Ukraine.</p>
  1503.  
  1504.  
  1505.  
  1506. <p>The seizure comes two days after IntelBroker, a prominent hacker on BreachForums, <a href="https://www.csoonline.com/article/2104251/intelbroker-steals-classified-data-from-the-europol-website.html" target="_blank">put up for sale</a> some classified data stolen from one of Europol’s websites.</p>
  1507.  
  1508.  
  1509.  
  1510. <p>The FBI’s statement that it is reviewing the hacking forum’s backend data is fueling speculation that it now holds forum members’ email addresses, IP addresses, and private messages.</p>
  1511.  
  1512.  
  1513.  
  1514. <p>“While details are sparse at this time, users of the site will likely have significant concerns over their own operational safety, with the FBI likely in possession of material that could be used to provide attribution of members,” said Michael McPherson, a former FBI special agent and now senior vice president of security operations at ReliaQuest. “Organizations named on BreachForums also may be provided with additional context over material breached on the forum,” he said.</p>
  1515.  
  1516.  
  1517.  
  1518. <h2 class="wp-block-heading" id="seized-for-the-second-time">Seized for the second time</h2>
  1519.  
  1520.  
  1521.  
  1522. <p>This is BreachForums’ second takedown within a year, the first being in June 2023 following the <a href="https://www.justice.gov/opa/pr/justice-department-announces-arrest-founder-one-world-s-largest-hacker-forums-and-disruption" target="_blank" rel="noreferrer noopener">arrest of then-admin Conor Brian Fitzpatrick</a> (aka Pompompurin) in March 2023.</p>
  1523.  
  1524.  
  1525.  
  1526. <p>After the arrest, full ownership of the forum passed to its second admin at the time, Baphomet, who shut it down shortly afterwards on suspicion that it had been compromised by authorities. That same month, Baphomet partnered with the hacking group ShinyHunters to reopen BreachForums on a different domain.</p>
  1527.  
  1528.  
  1529.  
  1530. <p>“While it is possible that the ShinyHunters group — who have facilitated the restoration of BreachForums after its initial takedown in 2023 — may attempt to restore their services, there will naturally be suspicions over law enforcement compromise; this was a sentiment observed on many cybercriminal sites in the aftermath of LE ops targeting ransomware groups, including Lockbit,” McPherson said.</p>
  1531.  
  1532.  
  1533.  
  1534. <p>The law enforcement operation also appears to have involved the arrest of Baphomet. IntelBroker confirmed the arrest in a Telegram post and forwarded a message from ShinyHunters saying the same.</p>
  1535.  
  1536.  
  1537.  
  1538. <p>“Exactly what comes next is unclear, however the operation should be seen as a success, continuing the tempo of law enforcement operations that have surged in recent months,” McPherson said of the takedown.</p>
  1539. </div></div></div></div>]]></description>
  1540. <link>https://www.csoonline.com/article/2110830/breachforums-seized-by-law-enforcement-admin-baphomet-arrested.html</link>
  1541. <post-id xmlns="com-wordpress:feed-additions:1">2110830</post-id><category>Cybercrime, Data Breach</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/BreachForums_FBI_03c614.jpg?quality=50&#038;strip=all" length="325233" type="image/jpeg" />
  1542. </item>
  1543. <item>
  1544. <title>Cyber resilience: A business imperative CISOs must get right</title>
  1545. <pubDate>Thu, 16 May 2024 10:00:00 +0000</pubDate>
  1546. <description><![CDATA[<div id="remove_no_follow">
  1547. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  1548.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  1549. <div class="article-column__content">
  1550. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  1551.  
  1552.  
  1553.  
  1554. <p>In May 2021, when Colonial Pipeline was <a href="https://www.csoonline.com/article/570705/colonial-pipeline-shutdown-highlights-need-for-better-ot-cybersecurity-practices.html">targeted by the DarkSide hackers</a>, CEO Joseph Blount made the highly controversial decision to pay the $4.4 million ransom. The attack put critical US infrastructure in jeopardy, resulting in daily briefings to President Joe Biden, and Blount justified the ransomware payment as necessary for the country, describing this decision as one of the most challenging in his career. </p>
  1555.  
  1556.  
  1557.  
  1558. <p>“We were in a harrowing situation and had to make difficult choices that no company ever wants to face,” Blount told the US Senate Homeland Security and Governmental Affairs Committee.</p>
  1559.  
  1560.  
  1561.  
  1562. <p>With ransomware payments hitting <a href="https://www.chainalysis.com/blog/ransomware-2024/">a record $1.1 billion</a> in 2023, such difficult choices have become frequent for corporate leaders. More CSOs and CEOs understand that it’s not a question of <em>if </em>an attack will occur, but <em>when</em>. </p>
  1563.  
  1564.  
  1565.  
  1566. <p>“The biggest change for me is that I now totally accept it can happen,” the CEO of a $4 billion European company said, according to a <a href="https://istari-global.com/insights/articles/ceo-report/">report published by ISTARI and Oxford University</a>. “Trust me, there is a fundamental difference in approach between organizations that accept it could happen and those that think they can repel it.”</p>
  1567.  
  1568.  
  1569.  
  1570. <p>That mindset — accepting the inevitability of breach — could help companies become more cyber resilient than they are today. All too often, organizations view resilience as a box-ticking exercise for regulators, failing to equip their CISOs with everything they need to truly bounce back after an attack.</p>
  1571.  
  1572.  
  1573.  
  1574. <p>As RapidFort CEO Mehran Farimani says, the ability to withstand and recover from a cybersecurity incident requires a shift in thinking that goes beyond compliance.</p>
  1575.  
  1576.  
  1577.  
  1578. <p>“Yes, you’ve always ticked that box off indicating that you’ve backed up all of your critical software and data, but can you recover quickly in response to an adverse event, or will it take you two weeks? Do you consistently make sure that all such systems are in check?” Farimani tells CSO.</p>
  1579.  
  1580.  
  1581.  
  1582. <p>When asked to rate their confidence in handling cyber risks on a scale from 1 to 10, most IT security leaders express pessimism, according to a <a href="https://www.barracuda.com/reports/cyber-resilience-report">Barracuda report</a> on resilience published in April. Financial services organizations appear to be the most prepared, with 55% rating their security posture as highly effective. By comparison, only 32% of companies operating in the industrial and manufacturing sectors expressed optimism, while for retail, that number was 39%. Generally, smaller companies felt less confident in coping with cyber threats.</p>
  1583.  
  1584.  
  1585.  
  1586. <p>And with geopolitical instability, AI, and wealth inequality on the rise, CISOs must not only further strengthen their organization’s cyber defenses but also help them prepare for worst-case scenarios, so that they can bounce back quickly when an attack does land.</p>
  1587.  
  1588.  
  1589.  
  1590. <h2 class="wp-block-heading" id="cyber-resilience-takes-center-stage">Cyber resilience takes center stage</h2>
  1591.  
  1592.  
  1593.  
  1594. <p>The concept of cyber resilience has evolved to be a crucial element of overall business strategy today. In fact, as Trustwave CISO Kory Daniels tells CSO, “Boards have begun asking the question: Is it important to have a formally titled chief resilience officer?”</p>
  1595.  
  1596.  
  1597.  
  1598. <p>In light of recent high-profile cyber attacks, such as the one Colonial Pipeline experienced, the emphasis on the availability component of the classic <a href="https://www.csoonline.com/article/568917/the-cia-triad-definition-components-and-examples.html">CIA (confidentiality, integrity, and availability) triad</a> has increased. This is because disruptions not only affect operational continuity but also impact customer trust and the overall market perception of a company.</p>
  1599.  
  1600.  
  1601.  
  1602. <p>Daniels says that adopting “a holistic approach” to cyber resilience is essential, considering all aspects of the business and all teams, from employees and partners to the board of directors.</p>
  1603.  
  1604.  
  1605.  
  1606. <p>Often, organizations have more capabilities than they realize, but these resources can be scattered throughout different departments. And each group responsible for establishing cyber resilience might lack full visibility into the existing capabilities within the organization.</p>
  1607.  
  1608.  
  1609.  
  1610. <p>“Network and security operations have an incredible wealth of intelligence that others would benefit from,” Daniels says.</p>
  1611.  
  1612.  
  1613.  
  1614. <p>Many companies are integrating cyber resilience into their enterprise risk management processes. They have started taking proactive measures to identify vulnerabilities, assess risks, and implement appropriate controls.</p>
  1615.  
  1616.  
  1617.  
  1618. <p>“This includes exposure assessment, regular validation such as penetration testing, and continuous monitoring to detect and respond to threats in real-time,” says Angela Zhao, director analyst at Gartner. </p>
  1619.  
  1620.  
  1621.  
  1622. <p>These proactive measures often expand beyond the immediate boundaries of the organization to vendors and partners, says Cameron Dicker, FS-ISAC’s director of global business resilience.</p>
  1623.  
  1624.  
  1625.  
  1626. <p>“Firms should conduct an in-depth analysis of their service providers and software supply chains, identify where security risks lie, and develop incident response plans in accordance,” he says.</p>
  1627.  
  1628.  
  1629.  
  1630. <h2 class="wp-block-heading" id="software-supply-chain-a-critical-part-of-the-resilience-equation">Software supply chain: A critical part of the resilience equation</h2>
  1631.  
  1632.  
  1633.  
  1634. <p>Unfortunately, as Trustwave’s Daniels points out, analyzing the software supply chain remains an underdiscussed aspect of cyber resilience.</p>
  1635.  
  1636.  
  1637.  
  1638. <p>“Organizations should conduct thorough penetration tests and risk assessments of their supply chains, implement cybersecurity requirements for suppliers, and establish contingency plans to mitigate the impact of supply chain disruptions on their operations,” he says.</p>
  1639.  
  1640.  
  1641.  
  1642. <p>When looking at a potential vendor, especially one that will be connecting to a company’s private network, security leaders must ensure that contracts or master service agreements (MSAs) are very specific about overall resilience, both cyber and business, says Bobby Williams, business continuity team lead at GuidePoint Security.</p>
  1643.  
  1644.  
  1645.  
  1646. <p>“A vendor should be contractually responsible for defined business continuity, disaster recovery, and information security programs,” Williams adds. “A defined testing program to demonstrate the vendor’s resilience should be in the contract, and the test results should be available for the company to review.”</p>
  1647.  
  1648.  
  1649.  
  1650. <p>If the vendor is supplying software services or applications, there should be a defined recovery time objective (RTO) and a defined recovery point objective (RPO) in the contract. </p>
  1651.  
  1652.  
  1653.  
  1654. <p>“The vendor should be able to demonstrate the RTO and RPO by the required tests,” Williams says. “The vendor should also be contractually required to demonstrate how they back up the customer’s data and provide a data retention schedule.” Williams adds that data mirroring should not be accepted as a substitute for backing up a customer’s data.</p>
  1655.  
  1656.  
  1657.  
  1658. <p>Risks associated with the software supply chain should not be taken lightly.</p>
  1659.  
  1660.  
  1661.  
  1662. <p>“There have been several recent cases of cyber attacks against these,” says Aaron Shaha, CISO at CyberMaxx. “It’s an area that continues to need critical oversight.”</p>
  1663.  
  1664.  
  1665.  
  1666. <h2 class="wp-block-heading" id="ai-adds-complexity">AI adds complexity</h2>
  1667.  
  1668.  
  1669.  
  1670. <p>The rise of generative AI as a tool for hackers further complicates organizations’ resilience strategies. That’s because generative AI equips even low-skilled individuals with the means to execute complex cyber attacks. As a result, the frequency and severity of attacks might increase, forcing businesses to up their game. </p>
  1671.  
  1672.  
  1673.  
  1674. <p>On the flipside, generative AI tools are not yet that effective for defensive purposes, and organizations mostly use them in an assistant role. AI more broadly has proved effective in threat detection and analysis, anomaly detection, behavior monitoring, and automated response systems, and it is also used in risk management and code review.</p>
  1675.  
  1676.  
  1677.  
  1678. <p>“AI algorithms can quickly analyze vast amounts of data, identify patterns, and detect potential threats or vulnerabilities that may go unnoticed by human operators,” Valerie Abend, global strategy lead at Accenture Security, tells CSO.</p>
  1679.  
  1680.  
  1681.  
  1682. <p>There are also benefits to using AI in building and maintaining cyber resilience programs. “From developing tailored AI security policies to deploying advanced AI technologies and providing continuous operations support, organizations’ solutions should ensure reliability, transparency, and compliance throughout your AI journey,” says Tamara Nolan, cyber and operational resilience lead at MorganFranklin Consulting.</p>
  1683.  
  1684.  
  1685.  
  1686. <p>For now, however, AI in cybersecurity remains an aid rather than a substitute for human oversight. “While AI can assist with certain instrumental aspects, its contribution to risk management remains limited at this stage of AI evolution,” says Anastasiia Voitova, head of security engineering at Cossack Labs. “It’s a tool for security professionals, not a security professional itself.”</p>
  1687.  
  1688.  
  1689.  
  1690. <p>RapidFort’s Farimani agrees, adding that AI tools can certainly help with formulating and communicating resilience plans but are far from being reliable enough to be put on autopilot and assume they’re protecting a system.</p>
  1691.  
  1692.  
  1693.  
  1694. <p>The role of AI in cybersecurity resilience will likely expand in the coming years because AI-powered tools will become better at detecting and responding to threats in real-time. Additionally, AI will likely be leveraged to enhance user authentication and access control mechanisms and improve the overall resilience of critical infrastructure systems, according to Abend.</p>
  1695.  
  1696.  
  1697.  
  1698. <h2 class="wp-block-heading" id="how-regulations-complicate-cyber-resilience">How regulations complicate cyber resilience</h2>
  1699.  
  1700.  
  1701.  
  1702. <p>The evolving regulatory landscape across the globe can make it challenging for security leaders to remain up to date with everything they must comply with. But adhering to these legal requirements can help mitigate risks and maintain the organization’s reputation.</p>
  1703.  
  1704.  
  1705.  
  1706. <p>“Regulations can and do help organizations increase their focus on enterprise risk management efforts and do a great job of making organizations more accountable for their resilience strategies, among other benefits,” says Trevin Edgeworth, red team practice director at Bishop Fox. Following these rules will help increase transparency around breaches and security practices, he says.</p>
  1707.  
  1708.  
  1709.  
  1710. <p>Regulations related to the <a href="https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en">Digital Operational Resilience Act (DORA)</a> in the European Union and those issued by the Securities and Exchange Commission (SEC) in the United States are changing how companies approach cyber resilience.</p>
  1711.  
  1712.  
  1713.  
  1714. <p>DORA will take effect on January 17, 2025, and is designed to bolster the security of financial entities such as banks, insurance companies, and investment firms. Financial entities and information and communication technology service providers outside the EU must also comply with DORA if they deliver critical tech services to EU-based financial institutions.</p>
  1715.  
  1716.  
  1717.  
  1718. <p>“Given this new regulation and general concerns about ongoing cyberattacks, advisory firms are spending less time on all-hazards resilience planning, and more time on IT resilience — specifically the connection between business processes and supporting applications and infrastructure,” MorganFranklin’s Nolan tells CSO.</p>
  1719.  
  1720.  
  1721.  
  1722. <p>She advises companies to go beyond merely ticking the boxes required by regulations such as DORA and instead make efforts to cover all aspects of resilience because “the regulation assumes that foundational operational resilience elements are already in place before trying to meet DORA requirements.”</p>
  1723.  
  1724.  
  1725.  
  1726. <p>Companies operating in the US market also need to be vigilant and ensure compliance with evolving regulations. In July 2023, the <a href="https://www.csoonline.com/article/647692/new-sec-reporting-rules-give-companies-four-days-to-report-cyber-incidents.html">Securities and Exchange Commission (SEC) introduced new reporting requirements</a> for publicly traded companies. These rules mandate an 8-K disclosure of material cybersecurity incidents and require companies to annually provide material information regarding their cybersecurity risk management, strategy, and governance.</p>
  1727.  
  1728.  
  1729.  
  1730. <p>To meet the requirements, most public companies take proactive measures to ensure they have systems in place to assess, evaluate, and respond to incidents.</p>
  1731.  
  1732.  
  1733.  
  1734. <p>“Unfortunately, in many cases, these processes are established outside of the operational resilience framework, and as a result, they are not integrated with the company’s crisis management program,” says Nolan, who recommends that organizations proactively engage with legal and regulatory frameworks and integrate them into their cyber resilience strategies. This approach can help minimize penalties and strengthen their overall cyber resilience posture.</p>
  1735.  
  1736.  
  1737.  
  1738. <p>DORA and the regulations issued by the SEC tend to create ripples across the world, according to Gartner’s Zhao.</p>
  1739.  
  1740.  
  1741.  
  1742. <p>“Regulatory changes in one jurisdiction often have cross-border implications, as multinational companies operating globally need to comply with multiple regulatory frameworks,” she says. “This has led to the need for organizations to harmonize their cyber resilience strategies across different markets, ensuring consistent security practices and compliance with various regulations.”</p>
  1743.  
  1744.  
  1745.  
  1746. <p>Regulations have also played a key role in raising awareness of the importance of cyber resilience. They encourage companies to assess their security posture as well as their board’s oversight and governance, according to Accenture Security’s Abend.</p>
  1747.  
  1748.  
  1749.  
  1750. <p>“However, we are witnessing a growing awareness among CEOs, the C-suite, and boards regarding these risks, driven not solely because of regulations but by genuine business concern,” she says.</p>
  1751.  
  1752.  
  1753.  
  1754. <p>But while regulations help, compliance alone does not necessarily mean resilience.</p>
  1755.  
  1756.  
  1757.  
  1758. <p>Organizations could “run the risk of falling into a false sense of security that their strong compliance posture equates to a strong security posture,” Bishop Fox’s Edgeworth says.</p>
  1759.  
  1760.  
  1761.  
  1762. <h2 class="wp-block-heading" id="the-importance-of-people">The importance of people</h2>
  1763.  
  1764.  
  1765.  
  1766. <p>While many organizations invest in technical solutions for cyber resilience, they often overlook the importance of having the right people on board and fostering a culture of security awareness among them.</p>
  1767.  
  1768.  
  1769.  
  1770. <p>“The ability to rapidly find cyber talent at an affordable rate is creating vulnerabilities within the industry,” says CyberMaxx’s Shaha.</p>
  1771.  
  1772.  
  1773.  
  1774. <p>As such, security leaders must develop robust, diverse sourcing strategies to ensure evolving talent needs are met.</p>
  1775.  
  1776.  
  1777.  
  1778. <p>Moreover, they should also invest in training programs that go beyond basic awareness of phishing emails and password security, Trustwave’s Daniels says. Training should instead “encompass a deeper understanding of cyber threats, the importance of data protection, and the role of everyone in maintaining cyber resilience,” he adds.</p>
  1779.  
  1780.  
  1781.  
  1782. <p>Exercises and <a href="https://www.csoonline.com/article/570871/tabletop-exercises-explained-definition-examples-and-objectives.html">crisis simulations</a> help, too. “Companies should ensure that their exercises use a variety of scenarios to guarantee that response plans can handle unexpected events,” says GuidePoint’s Williams. “These black swan events can be handled with confidence if the planning process is kept relevant and up to date.”</p>
  1783.  
  1784.  
  1785.  
  1786. <p>Such exercises should be conducted regularly and should be difficult. “Only by conducting challenging exercises that push the limits of teams, policies, and procedures will an organization know where its limits are and where it needs to improve,” FS-ISAC’s Dicker says. “An incident should never be the first time you test your response plan.”</p>
  1787. </div></div></div></div>]]></description>
  1788. <link>https://www.csoonline.com/article/2111061/cyber-resilience-a-business-imperative-cisos-must-get-right.html</link>
  1789. <post-id xmlns="com-wordpress:feed-additions:1">2111061</post-id><category>CSO and CISO, Data and Information Security, Incident Response, Regulation</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/teamwork_collaboration_discussion_analysis_management_BY_Jacob_Lund_Shutterstock_1281259951_CREATIVE_DIGITAL-ONLY_72dpi-6.jpg?quality=50&#038;strip=all" length="1296409" type="image/jpeg" />
  1790. </item>
  1791. <item>
  1792. <title>Microsoft fixes three zero-day vulnerabilities, two actively exploited</title>
  1793. <pubDate>Wed, 15 May 2024 23:17:06 +0000</pubDate>
  1794. <description><![CDATA[<div id="remove_no_follow">
  1795. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  1796.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  1797. <div class="article-column__content">
  1798. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  1799.  
  1800.  
  1801.  
  1802. <p>Microsoft released its monthly batch of security fixes on Tuesday, which included patches for three vulnerabilities that already had exploits available. Two of those vulnerabilities are being actively exploited, with one being used by multiple groups to deliver malware, including the QakBot trojan.</p>
  1803.  
  1804.  
  1805.  
  1806. <p>Microsoft’s updates addressed 61 vulnerabilities across its products, but only one was rated critical: a remote code execution flaw in SharePoint Server (<a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-30044">CVE-2024-30044</a>). However, successful exploitation of this flaw requires attackers to take additional steps in order to prepare the target environment.</p>
  1807.  
  1808.  
  1809.  
  1810. <p>Despite not being rated critical, two other vulnerabilities should definitely be prioritized by organizations: a privilege escalation flaw in the Windows Desktop Window Manager (DWM) core library tracked as <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30051">CVE-2024-30051</a> and a security feature bypass in the Windows MSHTML platform (<a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-30040">CVE-2024-30040</a>). Both flaws are currently exploited in the wild.</p>
  1811.  
  1812.  
  1813.  
  1814. <h2 class="wp-block-heading" id="exploit-discovered-by-chance">Exploit discovered by chance</h2>
  1815.  
  1816.  
  1817.  
  1818. <p>The DWM vulnerability was discovered by researchers from antivirus vendor Kaspersky Lab while they were searching for exploits for an older vulnerability in the same Windows component that was patched last year. That vulnerability, tracked as <a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36033">CVE-2023-36033</a>, was also disclosed as a zero-day and was used in attacks.</p>
  1819.  
  1820.  
  1821.  
  1822. <p>When searching for different patterns related to that exploit to identify new samples and attacks it might have been used in, the Kaspersky researchers found a document uploaded to the VirusTotal online scanning service on April 1. That document, written in broken English, seemed to describe a new DWM vulnerability for which the exploitation steps were nearly identical to those for the older CVE-2023-36033 flaw.</p>
  1823.  
  1824.  
  1825.  
  1826. <p>“Judging by the quality of the writing and the fact that the document was missing some important details about how to actually trigger the vulnerability, there was a high chance that the described vulnerability was completely made up or was present in code that could not be accessed or controlled by attackers,” Kaspersky’s researchers wrote in <a href="https://securelist.com/cve-2024-30051/112618/">a blog post</a>. “But we still decided to investigate it, and a quick check showed that this is a real zero-day vulnerability that can be used to escalate privileges.”</p> <p>After reporting their findings to Microsoft and confirming that it was a real exploit for a new vulnerability, the Kaspersky researchers started looking through their telemetry for signs that it might have been used in attacks, and it wasn’t long until they found some.</p> <p>In mid-April they started seeing the exploit used in attacks that deployed QakBot, aka Qbot, a trojan program and botnet that has long been used as a malware distribution platform by many cybercriminal groups, including ransomware gangs. The FBI and CISA issued an alert last week <a href="https://www.csoonline.com/article/2106269/fbi-warns-black-basta-ransomware-impacted-over-500-organizations-worldwide.html">about the Black Basta ransomware group</a> targeting healthcare and critical infrastructure organizations; QakBot is one of the methods used by Black Basta affiliates to gain access to corporate networks.</p>
  1827.  
  1828.  
  1829.  
  1830. <p>In addition to QakBot, the Kaspersky researchers have seen other payloads deployed with the exploit for the new CVE-2024-30051 vulnerability, including the Cobalt Strike beacon. As a result, Kaspersky has concluded that the exploit is currently known and being used by multiple groups.</p>
  1831.  
  1832.  
  1833.  
  1834. <p>It’s worth noting that CVE-2024-30051 cannot be used to gain initial access. It is a privilege escalation flaw that enables attackers to gain full system control (SYSTEM privileges) once they’re already able to execute malware on a computer.</p>
  1835.  
  1836.  
  1837.  
  1838. <h2 class="wp-block-heading" id="ole-security-bypass">OLE security bypass</h2>
  1839.  
  1840.  
  1841.  
  1842. <p>The second vulnerability exploited in the wild affects the Windows MSHTML platform, enabling attackers to bypass Microsoft Object Linking &amp; Embedding (OLE) defenses in Microsoft 365 and Microsoft Office.</p>
  1843.  
  1844.  
  1845.  
  1846. <p>OLE allows Office documents to embed links to external objects and documents that could call other programs. Attackers have long been known to exploit this feature with techniques such as OLE template injection to execute malicious code from custom-crafted files. For this reason, Microsoft Office now has Protected View mode for files downloaded from the internet.</p>
  1847.  
  1848.  
  1849.  
  1850. <p>“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” Microsoft wrote in its advisory for CVE-2024-30040.</p>
  1851.  
  1852.  
  1853.  
  1854. <p>The vulnerability is flagged as “exploited” by Microsoft and is also included in the Known Exploited Vulnerabilities catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).</p>
  1855.  
  1856.  
  1857.  
  1858. <h2 class="wp-block-heading" id="third-publicly-known-vulnerability">Third publicly known vulnerability</h2>
  1859.  
  1860.  
  1861.  
  1862. <p>A third vulnerability for which an exploit is publicly available is CVE-2024-30046. This denial-of-service vulnerability in Visual Studio, which hasn’t been exploited in the wild yet, is rated important. But, according to Microsoft, exploitation is not trivial because it’s dependent on a race condition.</p>
  1863.  
  1864.  
  1865.  
  1866. <p>“Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data,” the company wrote in its advisory.</p>
  1867.  
  1868.  
  1869.  
  1870. <h2 class="wp-block-heading" id="other-flaws-notable-for-fixing">Other flaws notable for fixing</h2>
  1871.  
  1872.  
  1873.  
  1874. <p>According to researchers from the Zero Day Initiative (ZDI) program at Trend Micro, organizations should also prioritize the fix for a privilege escalation in Windows Search that’s tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30033">CVE-2024-30033</a>. This vulnerability was reported via ZDI to Microsoft and has a similar impact to the privilege escalation flaw that’s currently being exploited in the wild, the researchers told CSO via email.</p>
  1875.  
  1876.  
  1877.  
  1878. <p>“By creating a pseudo-symlink, an attacker could redirect a delete call to delete a different file or folder as SYSTEM,” the researchers said. “We discussed how this could be used to elevate privileges <a href="https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks">here</a>.”</p>
  1879.  
  1880.  
  1881.  
  1882. <p>Another interesting flaw is <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30050">CVE-2024-30050</a>, which allows attackers to craft files that bypass the so-called Mark-of-the-Web (MOTW) flag that Windows automatically assigns to files downloaded from the internet. This mark is the signal other Windows features and programs rely on to enforce additional protections when users open those files, such as SmartScreen reputation checks or Protected View in Microsoft Office.</p>
  1883.  
  1884.  
  1885.  
  1886. <p>“While we have no indication this bug is being actively used, we see the technique used often enough to call it out,” the ZDI researchers said. “Bugs like this show why Moderate-rated bugs shouldn’t be ignored or deprioritized.”</p>
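<p>Protected View (mentioned in the OLE section above) and SmartScreen both key off the same mark, so a practical way to see what a MOTW bypass such as CVE-2024-30050 defeats is to inspect the mark directly. The PowerShell below is an added example written for this page, not code from CSO, ZDI, or Microsoft: it reads the Zone.Identifier alternate data stream that Windows writes to downloaded files and reports the zone recorded there. The function name Get-MotwInfo and the choice of the user’s Downloads folder in the usage lines are this example’s own assumptions.</p>

```powershell
# Added example for this page (not from CSO, ZDI or Microsoft): report the
# Mark-of-the-Web on one or more files. Windows stores it as an NTFS alternate
# data stream named Zone.Identifier whose body looks like:
#   [ZoneTransfer]
#   ZoneId=3
#   ReferrerUrl=https://example.test/
#   HostUrl=https://example.test/file.docx
# ZoneId uses the URLZONE values: 0 local machine, 1 intranet, 2 trusted sites,
# 3 internet, 4 restricted sites. Protected View and SmartScreen act on 3 and 4.
function Get-MotwInfo {
    [CmdletBinding()]
    param(
        # Full paths of the files to inspect (function and parameter names are
        # this example's own choice, not a Windows or Office API).
        [Parameter(Mandatory)]
        [string[]]$Path
    )
    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -ErrorAction Stop
        $result = [ordered]@{
            Path        = $item.FullName
            HasMotw     = $false
            ZoneId      = $null
            HostUrl     = $null
            ReferrerUrl = $null
        }
        # No stream means no mark: never downloaded, copied from a non-NTFS
        # volume, stripped by Unblock-File, or delivered via a MOTW bypass.
        $stream = Get-Item -LiteralPath $p -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            $result.HasMotw = $true
            $body = Get-Content -LiteralPath $p -Stream Zone.Identifier -Raw
            foreach ($line in ($body -split "`r?`n")) {
                if     ($line -match '^ZoneId=(\d+)$')     { $result.ZoneId      = [int]$Matches[1] }
                elseif ($line -match '^HostUrl=(.+)$')     { $result.HostUrl     = $Matches[1] }
                elseif ($line -match '^ReferrerUrl=(.+)$') { $result.ReferrerUrl = $Matches[1] }
            }
        }
        [pscustomobject]$result
    }
}

# Usage: list files in the current user's Downloads folder that Office and
# SmartScreen will treat as trusted because they carry no internet-zone mark.
$files = (Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File).FullName
if ($files) {
    Get-MotwInfo -Path $files |
        Where-Object { -not $_.HasMotw -or $_.ZoneId -lt 3 } |
        Format-Table Path, HasMotw, ZoneId, HostUrl -AutoSize
}
```

<p>A file with no Zone.Identifier stream, or with a ZoneId below 3 (local machine, intranet, or trusted sites), opens without Protected View and without a SmartScreen reputation check; that is the state a MOTW-bypass file arrives in, and also the state Unblock-File puts a file in deliberately. The stream exists only on NTFS volumes, so files copied from FAT or exFAT media will show as unmarked for that reason rather than because of any bypass, and a missing mark on its own is therefore an investigative lead, not proof of exploitation.</p>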
  1887. </div></div></div></div>]]></description>
  1888. <link>https://www.csoonline.com/article/2108583/microsoft-fixes-three-zero-day-vulnerabilities-two-actively-exploited.html</link>
  1889. <post-id xmlns="com-wordpress:feed-additions:1">2108583</post-id><category>Windows Security, Zero-day vulnerability</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/shutterstock_editorial_370707185.jpg?quality=50&#038;strip=all" length="10806408" type="image/jpeg" />
  1890. </item>
  1891. <item>
  1892. <title>How you may be affected by the new proposed Critical Infrastructure Cyber Incident Reporting Rule</title>
  1893. <pubDate>Wed, 15 May 2024 21:36:59 +0000</pubDate>
  1894. <description><![CDATA[<div id="remove_no_follow">
  1895. <div class="grid grid--cols-10@md grid--cols-8@lg article-column">
  1896.  <div class="col-12 col-10@md col-6@lg col-start-3@lg">
  1897. <div class="article-column__content">
  1898. <section class="wp-block-bigbite-multi-title"><div class="container"></div></section>
  1899.  
  1900.  
  1901.  
  1902. <p>Creating a world that is safer and more secure is core to our vision at Palo Alto Networks, but this only can be achieved if we’re collectively making the internet, as a whole, safer. To do this requires more widespread awareness of cyber threats and information sharing, and a newly proposed cyber incident reporting rule from the Cybersecurity and Infrastructure Security Agency (“CISA”) is intended to meet this goal.</p>
  1903.  
  1904.  
  1905.  
  1906. <p>The proposed <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia" data-type="link" data-id="https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia">Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements</a> would require covered companies to report certain cyber incidents within 72 hours of reasonably believing a covered incident has occurred, and ransomware payments within 24 hours of the payment being made. It marks a major shift in the US cyber ecosystem because of how expansive the proposed rule is, extending reporting obligations to previously non-regulated entities.</p>
  1907.  
  1908.  
  1909.  
  1910. <p>While the rule applies to companies deemed “critical infrastructure,” many companies may be surprised to learn that this designation extends beyond traditional “owners and operators” such as shipping ports, dams, water treatment facilities, and power plants. CISA’s proposed rule includes any entity that is not a “small business” operating within <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors" data-type="link" data-id="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors">16 different sectors</a>, encompassing a range of industries across the entire economy, from communications to healthcare, food and agriculture, and beyond. Additional organizations are also covered under certain criteria listed in the proposed rule. This new rule will affect a vast number of companies; CISA estimates the proposed rule would cover more than 316,000 organizations across the economy. Given this massive proposed scope, it may affect your business, meaning you will have new responsibilities to report incidents related to your cybersecurity operations.</p>
  1911.  
  1912.  
  1913.  
  1914. <p>The proposed new guidelines would require companies to report these “covered cyber incidents” within 72 hours of reasonably believing one has occurred (or within 24 hours after a ransomware payment is made). Covered cyber incidents must be “substantial” and reflect certain scenarios affecting data integrity, confidentiality, or availability, such as a data breach where large volumes of customer data are stolen or a ransomware attack where corporate systems are locked up until a payment is made. Those are just two examples of situations subject to the proposed rule.</p>
  1915.  
  1916.  
  1917.  
  1918. <p>Part of the goal of this proposal is to find patterns, inform others of possible risks, and help affected businesses in a timely manner. The proposed rule also calls for certain protections for those who comply and consequences for those who don’t.</p>
  1919.  
  1920.  
  1921.  
  1922. <p>It’s still early days for the proposal, and it’s likely to evolve in some ways before it’s finalized. As it stands, the proposed rule is incredibly broad and will impact a major swath of organizations. The cybersecurity regulatory landscape continues to evolve, and CIRCIA’s incident reporting requirements are just one of the many new and emerging regulations organizations will need to comply with. We anticipate this increased pressure could evolve into demand for cybersecurity solutions that can better enable compliance by helping to simplify cyber incident identification and response processes.</p>
  1923.  
  1924.  
  1925.  
  1926. <h3 class="wp-block-heading" id="protecting-critical-infrastructure">Protecting Critical Infrastructure</h3>
  1927.  
  1928.  
  1929.  
  1930. <p>This stresses the importance of now more than ever investing in an advanced security platform to help address security challenges while meeting evolving regulatory requirements quickly and efficiently. This could include:</p>
  1931.  
  1932.  
  1933.  
  1934. <ul>
  1935. <li>Implementing comprehensive security measures to ensure you have strong visibility of your assets and risk exposure. Use this for continuous monitoring and inspection against malicious activities and anomalies. </li>
  1936.  
  1937.  
  1938.  
  1939. <li>Utilizing AI-driven automation tools to help with security operations for threat investigation, response, and remediation. These tools also exist for data classification to automate the classification of documents to include levels of sensitivity and better protect against data leakage. </li>
  1940.  
  1941.  
  1942.  
  1943. <li>Considering where you can decrease operational complexity to build in more capacity for reporting. This can include streamlining the cybersecurity tooling used and supercharging your team’s efforts with AI technology. </li>
  1944.  
  1945.  
  1946.  
  1947. <li>Considering how you can build cybersecurity into your business by design instead of patching solutions on as an afterthought. A clear view of your vulnerabilities and weaknesses can help you uncover where to prioritize those efforts. </li>
  1948.  
  1949.  
  1950.  
  1951. <li>Being ready to address your business’s cyber risk with transparency as more information becomes public about incidents.</li>
  1952. </ul>
  1953.  
  1954.  
  1955.  
  1956. <p>As governments around the world continue to put in place regulatory requirements covering cybersecurity protections, as well as incident reporting, the best way to be prepared is through a platform approach. It simplifies efforts by creating an integrated user experience, supercharged with AI giving you an “All Access backstage pass” to see your whole cybersecurity ecosystem in one place. It creates interoperability between security solutions, leading to improved visibility and control over the security infrastructure. It also allows for unified management and operations, so you can write policy from one place and enforce it everywhere, consistently, through quick cloud-based deployment. In essence, it’s a comprehensive solution that pulls together all of your data with a unified approach to reporting so you can meet whatever rules come next.</p>
  1957.  
  1958.  
  1959.  
  1960. <p>This level of integration is also the key to creating better security outcomes. With the growing mismatch between the speed of an attack and the speed of resolution, the industry standard should be near real-time resolution. This is difficult if not impossible for companies with many security products stitched together. As you reduce the complexity of your operations by streamlining the number of tools and vendors, it makes it easier to manage the environment, remain in compliance with regulations, quickly identify and respond to risks, and create better security outcomes.</p>
  1961.  
  1962.  
  1963.  
  1964. <p>One thing is for sure – Cybersecurity is not static, and neither are regulatory requirements. The companies that are most innovative and adaptable will be set up for success in this environment.</p>
  1965.  
  1966.  
  1967.  
  1968. <p>To learn more, visit us <a href="https://www.paloaltonetworks.com/network-security/industrial-ot-security">here</a>.</p>
  1969. </div></div></div></div>]]></description>
  1970. <link>https://www.csoonline.com/article/2108533/how-you-may-be-affected-by-the-new-proposed-critical-infrastructure-cyber-incident-reporting-rule.html</link>
  1971. <post-id xmlns="com-wordpress:feed-additions:1">2108533</post-id><category>Security</category><enclosure url="https://www.csoonline.com/wp-content/uploads/2024/05/iStock-1588365071-2.jpg?quality=50&#038;strip=all" length="1066100" type="image/jpeg" />
  1972. </item>
  1973. </channel>
  1974. </rss>
  1975.  
