Cyberattacks are on the rise while the talent to combat these is running short. Globally, there are 3.5 million open cybersecurity positions, according to Cybersecurity Ventures’ Boardroom Cybersecurity 2022 Report. And Booz Allen Hamilton, a Fortune 500 tech management consulting company, is turning a great deal of its attention to what executive vice president Brad Medairy calls a “national problem and a collective crisis”: cybersecurity.
Booz Allen has about 30,000 employees, and more than half of them are in a technical role, chief people officer Betty Thompson tells Fortune. It’s difficult to say exactly how many Booz Allen employees are part of its cybersecurity business because many of them wouldn’t necessarily fall into that explicit category, Thompson says. However, Booz Allen has one of the largest cybersecurity professional service teams in the industry, according to research from management consulting firm Frost and Sullivan.
“It’s a large part of our workforce, and it’s a really important part of our workforce,” she says. “And we are on the hunt like everyone else for the talent externally at all levels.”
On par with national averages for cybersecurity jobs, Booz Allen pays its entry-level cybersecurity employees salaries that range from $95,000 to $150,000, while experienced nonexecutive employees earn between $140,000 and $240,000. Senior executives earn more than that and are eligible for bonuses, a Booz Allen spokesperson says.
Fortune sat down with Medairy and Thompson to learn more about the national cybersecurity threat, the challenges of the industry’s talent gap, and how the company is getting ahead of the curve.
The following interview has been edited for brevity and clarity.
Fortune: Why is cybersecurity such a hot topic now?
Medairy: The great power competition is alive and well. Our near peer adversaries have tremendous capabilities. If you look at messaging coming out from the national cybersecurity director, Chris Inglis, our nation is at risk. As a nation, we need to figure out how to protect not only the U.S. federal government, but also our critical infrastructure and other sectors.
If you look at the evolution of technology over the past 20 years, we started with mobile and cloud. Now when you look at an enterprise, everything is connected. There’s cloud; there’s software as a service. The enterprise boundary has expanded. We look at IoT [Internet of Things] where more and more devices are connected, but the most interesting thing, I think—and frankly, probably the most alarming thing—is the emergent intersections of cyber in the physical world.
Look at the Colonial Pipeline cyberattack. When the Colonial Pipeline was attacked with ransomware, that actually transferred from the digital world into the physical world where it shut down the pipeline and it disrupted travel on the East Coast. That was actually caused because they were worried about risk to industrial control systems, their OT [operational technology] environment, which is the facilities that actually, in that particular case, moved all the fuel and the oil across the United States.
We have a national problem and a collective crisis. We need to employ and deploy top talent to be able to build mechanisms to better secure our critical infrastructure, our federal government, and our national security systems.
Fortune: How big is Booz’s cybersecurity business?
Medairy: Frost and Sullivan, a management consulting firm, has done an annual assessment of the cybersecurity industry, and they have identified us as the largest provider, for several years in a row, of cybersecurity professional services in North America. We have a very large—based upon their assessment—one of the largest cybersecurity professional service teams in the industry. We deploy that talent across the U.S. federal government and also the commercial sector in the United States. But what’s interesting about the cyber talent, which makes it difficult to count people, is because cybersecurity is a multidisciplinary sport.
By that I mean that when you look at a cybersecurity engagement, you’re going to need SOC analysts, you’re going to need malware analysts. You’re going to need reverse engineers. You may need folks with embedded systems experience. You may need data scientists, you may need machine learning engineers, you may need software developers.
Thompson: We have about 30,000 employees, and more than half of them are in a job family that’s technical. And that even wouldn’t give you a full picture of the cyber talent because of what Brad said. Many of them wouldn’t necessarily fall into these very explicit categories. So it’s a large part of our workforce, and it’s a really important part of our workforce. And we are on the hunt, like everyone else, for the talent externally at all levels. We look for luminaries. We look for people with experience. We’ll look for people coming out of the schools. And then we look for people with aptitude and a desire to be in this field and to learn more about it. We have an upskilling program and we work with universities in a variety of ways.
Fortune: What type of cybersecurity upskilling does Booz offer?
Thompson: We have educational benefits that our employees take advantage of called FlexEd, and it provides up to $10,000 a year for traditional academics, certifications, licenses, even attending conferences that have an educational component to it, subscriptions. There are all kinds of ways that they can qualify or build up their skills in these fields.
Because diversity in our population is really important to us, we look for ways to bring more diversity into that particular skill set and workforce. What’s really helpful is when we have diversity in leadership, so that people can see people like them that are successful, whether it’s the women in data science, or the women engineers, or Black women engineers.
Fortune: What’s making it so challenging to fill cybersecurity positions?
Thompson: It has just exploded in terms of how great the need is. There’s also a marketing component to it in terms of how great and fulfilling these careers can be. I think sometimes people think you’ve got to be a computer geek, as opposed to people who like to figure out puzzles, people that are really innovative, people that are creative. Some of what we need to work on is how to really market this field as a great and interesting place to work, not just that it’s going to pay well, and that you’re going to be on a mission that’s important, because that certainly appeals to people as well.
Medairy: Demand is high, supply is low, and there’s a gap. The other thing that I’ve seen a lot is because the demand is so high, it presents a tremendous amount of mobility for talent in the space. We see a lot of folks across the industry that will move jobs every couple of years. There’s so much opportunity. One of the things that we’ve really focused on as a firm is providing a longer runway and a career journey. That’s opposed to going to this other entity to do something different. They have mobility within our firm so that they could spend a couple of years on a federal engagement, they could move into the commercial sector. They could move into a different mission segment.
We’ve seen in our national cyber platform that our attrition is well below industry average. I think what makes it so hard is there’s tremendous demand. There’s tremendous opportunity that makes it hard to find people, but it also makes it hard to retain people. We spend a tremendous amount of effort on the employee value proposition and that holistic experience for our talent.
Fortune: What does a cybersecurity career trajectory look like at Booz?
Medairy: What’s really promising is the universities now are really producing amazing talent. We tend to invest really early in their university journey. We have an amazing internship program called the Summer Games. We have hundreds of interns a year. By investing early in their careers while they’re still in the university, we give them the opportunity to really get hands-on experience in cybersecurity very early.
The cybersecurity field requires—more so than any field that I’ve seen—continuous learning. It requires an investment in them to continue to upskill them. So upskilling is a big part of what we do. It’s apprenticeships. We do hackathons; we do hacker trivia. We invest heavily in training, in graduate programs, to continue to sharpen their skill sets.
Thompson: We have a way of connecting individuals to future opportunities and then identifying what skills they might need to acquire in order to qualify for those. They can identify opportunities that we’re looking for that are open and internally managers can find them based on the skill sets that they’re looking for. There’s a lot of opportunity there for people to do different things and have the resources that they need with our FlexEd program.
We have more than 12,000 employees that possess cyber certifications in a variety of forms, so there’s a lot of skills that we can tap into. And in fact, about 1,500 of our externally posted positions were filled internally last year. There’s a lot of opportunity in our firm, just based on the huge amount of work that we have in this space.
Fortune: What’s next for the cybersecurity business at Booz Allen?
Medairy: Some big areas that we’re focusing on are the impacts of quantum in the cyber domain. How does that impact our client security posture? 5G is going to become pervasive worldwide. What are the security impacts of 5G as everything starts to be connected and everything starts to move out to the edge?
The talent problem is not going to go away anytime soon, and that presents a tremendous opportunity to bring automation and machine learning to our clients. How do we apply our AI/ML [artificial intelligence/machine learning] practitioners into the cyber domain to be able to accelerate our clients’ ability to automate and to use machines to help combat these emerging threats?
There’s also a tremendous amount of investment in cyber technology. If you look at Silicon Valley, there’s north of $10 billion worth of investment in cybersecurity tools and technologies. The one thing that we’re focused on is how do we feel like we’re the best bridge between our clients and the commercial product space, and how can we apply emerging and commercial technologies in a practical way to support our clients’ mission?
Thompson: On the talent front, what we’re looking at is finding those populations that are underleveraged or underutilized as it relates to this type of work. Partnering with diverse organizations, the military tech workforce initiative is a key one for us. We have a large veteran population. They have basic skills and sophisticated skills that we can leverage and then continue to invest in them in terms of their training. We also have a lot of university partnerships including HBCUs. We’ve also worked closely with and will continue to invest in the CyberPatriot, which is a national youth cyber education program created by the Air Force. It’s intended to inspire kindergarten through 12th-grade students toward careers in cybersecurity as well as other STEM disciplines.
We’re trying to get all the dimensions of the talent that’s out there, but with a particular emphasis on ensuring that we continue to have a diverse workforce by tapping into these populations.
Booz Allen starts entry-level cybersecurity staffers at up to $150,000 – Fortune
The future of cyber security in financial services – Finextra
Increasing security threats, hybrid working, uneven economic outlooks, geopolitical conflicts and ever-increasing regulatory compliance mandates have all put untold strain on the financial services industry in recent years. While organisations in this sector are typically ahead of other industries in cyber defence maturity due to their highly regulated nature, they continue to be considered high value targets by cyber criminals and nation-state attackers.
Financial services organisations are particularly impacted by security issues due to highly distributed infrastructures, high value assets, a prevalence of exploitable IoT devices, and the human factor, which continues to be the weakest link in security defences. The industry must be more proactive when it comes to future-proofing and digital transformation, to ensure that attackers are out-innovated. There is a need for collective action, international and cross-industry collaboration, and policy intervention moving forward.
The weakest link
A large percentage of successful cyber-attacks against financial services organisations are due to user error. They typically begin with a successful phishing attack that provides an initial foothold into an organisation, enabling a full-scale ransomware or malware attack.
Criminals need only find one human—preferably one with high privileges—using poor password hygiene or who can be tricked into releasing information, to gain this foothold. From there ransomware, malware and other tactics can result in breaches and failed audits. Data loss from breaches continues to be problematic due to low encryption rates and overly complicated key management practices, which tend to run at odds with one another.
Mitigating this risk is difficult. While cyber resilience training is a good first step, it cannot completely remove the risk of human error. This is where digital transformation comes in. Although there might be a concern that greater reliance on technology can increase risk, in this case it is actually the opposite: by integrating technologies such as AI and automation to undertake processes prone to human error, organisations can strengthen their business processes and significantly bring down the risk of attack.
Increasing attacks
According to our recent data threat report, the majority of security leaders across financial services organisations ranked malware and ransomware as the leading cause of cyber-attacks. This is unsurprising, as these attacks are relatively low cost but can result in big pay-outs for threat actors. In fact, in recent years, ransomware has almost completely changed breach economics.
Given the highly regulated nature of financial services, the risks of losing highly sensitive data as well as the reputational damage as result of these attacks are extremely high. For many financial services organisations, just paying the ransom is potentially less damaging than risking any additional impacts.
For example, Flagstar Bank, a major mortgage lender in the United States, was attacked by ransomware in 2020. An initial foothold was gained through a software vulnerability in Accellion’s account software, followed by a ransomware attack which resulted in system outages due to encrypted data, plus the extraction of up to a decade of sensitive customer data. The attackers threatened to release this data as a further incentive to pay the ransom. Significant pay-outs like these from high value organisations further encourage similar attacks from threat actors.
Future technologies
As well as the current threat landscape and ongoing security challenges, emergent technologies including AI, Blockchain, Quantum and 5G all have the potential to change the face of cyber security in Financial Services and completely revamp current practices.
For example, a single powerful quantum computer may be able to break the current public key encryption algorithms (cryptography) used by virtually every financial institution today, threatening to compromise everything from client data to the secure websites and software they use to interact with customers, to the hardware used to authenticate, encrypt and decrypt payments. However, it is important to say that pulling off this type of attack would still be very challenging even for the most accomplished cybercriminal.
Financial institutions are required to store certain data for decades, creating a ticking time bomb as quantum technology continues to develop. While these threats might seem years away, it is vital that organisations look at developing a robust quantum strategy now, in order to prepare for these future challenges.
Adopting a zero trust approach
Financial services organisations typically have highly distributed infrastructures that include retail storefronts, IoT devices, and a hybrid workforce that can work from literally anywhere. Adopting zero trust principles can be a key strategy by ensuring “least privilege” access to highly distributed, high-value data and assets. Not surprisingly, financial services organisations with a formal zero trust strategy are less likely to have been breached.
The transition of standalone devices such as ATMs and kiosks from proprietary, dedicated connections to IoT connectivity has also greatly increased the size, complexity, and elasticity of underlying networks, while also greatly increasing the attack surface. These environments are generally well served by zero trust security strategies.
As organisations move forward, they’ll need visibility not only across their infrastructure, but throughout their organisation. Establishing a common understanding is a key part of effectively setting priorities and executing security projects. When security teams are aligned with the key parts of the business, they can work together to effectively and efficiently address whatever issues the future holds.
Security Expert, Thales
Cyber crime laws are leading to LGBTI people being arrested … – Cyber Security Connect
Cyber crime laws and fake dating profiles are being used to target LGBTI individuals in a number of Middle Eastern countries, according to a new report.
In the report, All This Terror Because of a Photo, Human Rights Watch (HRW) details 45 instances of entrapment, harassment, abuse, and arrest of queer people in Egypt, Iraq, Jordan, Tunisia, and Lebanon. The report also looked at instances of digital targeting in Kuwait, Morocco, and Saudi Arabia.
HRW found repeated instances of state authorities using fake profiles on dating apps such as Grindr or on social media sites like Facebook. These profiles were often operated in real time by police and other law enforcement officials, engaging in online chat and even video calls with suspected LGBTI people.
In countries where same-sex conduct is criminalised, this alone would often lead to abuse and arrest, though in a number of cases, subsequent legal proceedings dismissed any charges.
But in countries where such conduct is not explicitly prohibited, authorities would then turn to morality or cyber crime laws to justify the arrests. These vague laws cover such things as “debauchery” or “inciting debauchery”; but in Jordan, such matters are treated under its prohibition against “soliciting prostitution online”, as part of its cyber crime legislation. Egypt also makes use of its cyber crime laws in this way. In Tunisia, a broad suite of public safety laws serves a similar purpose.
In cases where individuals were found guilty, they could be subject to months or years of prison, and in many cases, had already been held in pretrial detention for many months as well.
And where there was little evidence on which to base a prosecution, HRW found that law enforcement would then resort to planting evidence and photos to prove their case.
The report also found that online harassment of queer communities was rife, with many social media companies falling behind on checking such behaviour. Criminal groups were also reported as using fake dating profiles, though in this case, it leads merely to extortion and blackmail of the victim.
“Most of the LGBT people targeted online said they stopped using digital platforms and deleted their social media accounts as a result of digital targeting, which only exacerbated their feeling of isolation,” the report stated.
“These abusive tactics highlight the prevalence of digital targeting and the need for digital platforms and governments to take action to ensure LGBT people’s safety online.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
The UN's cyber crime treaty could be a privacy disaster – IT PRO
Cyber crime is hard to define and even more difficult to attribute and prosecute, especially given cyber attacks strike regularly across borders. With this in mind, a United Nations (UN) committee has been in negotiations this year to flesh out a new international cyber crime treaty.
Despite multiple measures and laws aiming to tackle cyber crime, attacks of all kinds continue to surge, from ransomware to phishing. The UN's plan has been in the making for months, but the fourth meeting of the committee in January was important because a rough treaty was presented for debate. As part of the process, the committee, including delegates from Russia, China and the US, has been trying to define cyber crime and form a global response, which includes intelligence sharing, to make the online world a safer place for businesses and consumers.
Among proposals are the criminalisation of cyber crime including illegal access and interception, data and system interference and the misuse of devices. In theory, the treaty is positive, but it's been heavily criticised too, with experts saying its impact will be limited – especially since the 2001 Budapest Convention already in place addresses many of the issues outlined.
Organisations including the Electronic Frontier Foundation (EFF) go even further by slamming the treaty in its current form, saying it’s not flexible enough to adapt to the changing nature of cyber crime and fails to protect the human rights of whistleblowers and journalists. The proposed convention could result in new policing powers for domestic and international criminal investigations, for example. This could include evidence sharing across borders with countries with different levels of human rights protections, says Katitza Rodriguez, EFF's policy director for global privacy.
On its current trajectory, the treaty might even lead to people being imprisoned for legitimate online activities, Rodriguez warns. “Since the articles are drafted in a vague way – overly broad, undefined, and subjective – it could undoubtedly sweep up and criminalise legitimate expression, news reporting, protest speeches and more,” she explains.
In a complex geopolitical cyber landscape, state-sponsored attacks on the West are growing, and they are notoriously difficult to attribute. It remains questionable whether a treaty can address these types of attacks – especially given the aims of the normally adversarial China and Russia. It’s not the end of negotiations, though. The committee will meet again in April and September, with a final draft due to be presented to the UN in early 2024. So, what can the proposed treaty really achieve and what could it mean for businesses?
Among the proposals, the international treaty aims to establish rules and regulations for state behaviour online, addressing issues such as cyber warfare and espionage. “The treaty could potentially lead to a more secure and stable online environment for businesses to operate in,” says Jake Moore, global cyber security advisor at ESET.
The treaty also outlines proposals for legal assistance between countries in the investigation and prosecution of cyber crimes. “Law enforcement agencies have notoriously incurred cross-border issues in relation to cyber crime across multiple jurisdictions,” Moore explains. “This treaty aims to establish international cooperation among countries to investigate and prosecute cyber-criminals, which could help to deter and disrupt their activities.”
This will help provide a framework for cooperation between the public and the private sector which could be useful for businesses, says Steffen Friis, sales engineer at VIPRE. He says mutual legal assistance, preservation of data and extradition between nations “will be extremely useful for businesses that operate in multiple countries”.
Even after the latest negotiations, the treaty is far from perfect and many experts question the impact it can have. As with most treaties, at least some of its purpose is symbolic, says Will Richmond-Coggan, data and cyber disputes expert at law firm Freeths. However, he also points out: “The various national annotations and amendments to the current draft convention demonstrate the extent to which many countries are having to temper the wide-ranging language originally proposed, in order to avoid it extending to encompass their own activities.”
At the same time, echoing issues expressed by the EFF, Mick Reynolds, director of intelligence at SecAlliance, points to the need to measure and balance any new legal powers with the erosion of human rights, particularly those relating to individual privacy.
Privacy concerns centre around the treaty’s proposed provisions on data retention and mutual legal assistance. As Friis adds, there are concerns these could be used to access personal data without sufficient legal safeguards.
The treaty also needs to take into account the nuances of security research, which sees experts using attack techniques in order to find vulnerabilities in software. “Security researchers routinely identify weaknesses and potential exploits in software systems,” Tim Mackey, head of software supply chain risk strategy at Synopsys points out. “While their intent isn’t criminal, those efforts could easily fall foul of statements covering ‘exploitation of a vulnerability’.”
Sovereignty is another problem: “Provisions on jurisdiction, mutual legal assistance and extradition could be used to infringe on the sovereignty of countries and to circumvent domestic laws,” says Friis.
The UN must certainly work to iron out issues in the proposal, but if the final treaty is to be effective, it will also be important to be able to measure its success. There are two key measures for the cyber crime treaty, namely whether cyber criminals are being arrested and whether cyber attacks are decreasing, according to Michael Smith, CTO of Neustar Security Services.
Moore, meanwhile, suggests the severity of attacks and the number of successful prosecutions may also be measured. “The treaty could be evaluated based on the extent to which it leads to greater international cooperation among countries in addressing cyber security issues,” he suggests, adding the success of the treaty will “depend on how well it is implemented and enforced by the countries that have ratified it”.
In a complex geopolitical arena, it’s difficult to define what a perfect treaty would look like. However, experts point to the need for a global approach despite borders and political interests; something extremely challenging to achieve.
The ideal situation is an agreement that everyone, including China and Russia, can sign and stick to, says Will Dixon, global head of academy and community at ISTARI. “This is the fundamental flaw in the Budapest Convention. It is entirely possible such a treaty might be drafted, but in the wider geopolitical context, making the necessary concessions may prove unpalatable.”
Tips for developing cybersecurity leadership talent – TechTarget
The global cybersecurity skills shortage is a well-documented challenge affecting organizations across all industries. A 35% growth in information security analyst roles is expected to occur between 2021 and 2031, according to the U.S. Bureau of Labor Statistics. As the cybersecurity jobs market continues to grow, the gap between the number of qualified security professionals and open jobs will only increase.
One effect of this long-term talent gap is a diminished security leadership pipeline. In a recent Gartner survey, 57% of respondents said they are struggling to find and hire emerging security leaders — individuals who are not currently working in a formal leadership position or role, but have demonstrated the requisite aptitude, competencies and capabilities needed to lead a cybersecurity organization in the future. Retention is a challenge, too, given the average tenure for a CISO is between 18 and 26 months.
Organizations have a short window to identify, foster and hopefully retain a pipeline of emerging security leaders to ensure the long-term sustainability and effectiveness of their security programs.
Organizations facing these challenges must look to alternative mechanisms to fill the skills gap and create a strong plan for future security leadership. Here are key steps CISOs should take to mitigate implications arising from a shortage of emerging leadership talent.
A key behavior exhibited by leading CISOs is having a formal and actionable succession plan. Another key differentiator is that leading CISOs focus their talent strategies on the future security skills needed by the enterprise. Adopting these practices is fundamental to fostering and protecting the organization’s pipeline of emerging security leadership talent to ensure the sustainability and continuous improvement of its cybersecurity risk posture.
In the near term, IT and security leadership should establish “promote from within” as a first principle when filling internal cybersecurity leadership roles. This helps establish a succession plan for team leaders, middle management and ultimately CISO-level roles, supporting the longer-term sustainability of the security program. It also helps retain top security talent by showing them there is a clear and attainable career path at the organization should they stay.
Use regular performance and career discussions to start proactively identifying, evaluating and fostering emerging cybersecurity leaders. This signals to those interested in stepping up into more senior roles that their line managers are taking an active interest in their development.
CISOs can also work with HR to define critical leadership competencies required within their organizational context. Then, conduct a skills assessment across the IT workforce that includes an evaluation of leadership competencies. This helps identify team members with the leadership attributes, aptitude and interest who could develop to take on future leadership roles. Typical competencies for emerging security leaders include adaptability, ability to coach and mentor junior staff, communication, business acumen, decisiveness and diversity of opinion.
As emerging security talent is identified, seek coaching and mentoring from business leaders for these individuals. Exposing emerging security leaders to experienced business mentors internally helps them become more familiar with the organization’s business operations, context, strategic objectives and risk appetite in a friendly and safe setting. In turn, it enables talent to begin developing these important behaviors earlier, shortening the runway to full effectiveness once appointed to leadership roles. It also helps business leadership by fostering greater familiarity within the security team, which, over time, makes for more business-centric security advice and improved information risk decision-making.
Latent security leadership talent may exist outside of the IT or security team. In the longer term, security and business leaders must employ creative strategies to discover, hire and develop talent.
Consider a security champion program, for example, where members of the business or IT teams receive additional training on security issues and act as local advocates, performing roles such as disseminating security-related messaging, answering security-related questions, promoting secure practices and interfacing with security experts. Such a program not only supports current security behavior and culture initiatives, but it can also help identify emerging business leaders considering a career change to cybersecurity who can be mentored to aid in their transition over time.
CISOs should also use a portion of any increased funding for a leadership scholarship program. The knowledge imparted via external, business-centric courses such as MBA programs will help emerging security leaders gather foundational knowledge, skills and business acumen. Awarding scholarship funds across multiple individuals not only sends positive signals about potential career development to the rest of the workforce, but also enables multiple emerging leaders to develop at the same time. These programs could become a differentiating employee value proposition, helping attract new talent to the organization in a tight labor market.
Finally, identify opportunities to free up time for leadership development. Often, there is limited time to develop emerging talent due to high demands placed on the security workforce. CISOs can find the time by identifying opportunities for creating capacity and operational efficiency. This is achievable by outsourcing more commoditized security functions to managed security service providers or using security orchestration, automation and response or AI-enabled capabilities to reduce time spent on security processes.
There is, of course, no guarantee an investment in fostering cybersecurity leadership talent will result in a high-potential individual staying until they are able to fill a future leadership vacancy. Other factors are key determinants of how long they stick around, including the prevailing corporate culture, perceptions about the quality of the organization’s leadership or the individual’s ability to secure a better role in another organization.
Any investment in an individual’s development can only make them more attractive to other organizations. CISOs need to reconcile that they may not retain their proteges or see a full return on their development investment. However, clear benefits are associated with continuing to develop emerging talent without these guarantees in place.
Emerging leaders are more productive and effective in their roles when they’re being developed. Additionally, valued employees are less likely to become disgruntled or, worse, malicious insiders — an especially important consideration for cybersecurity personnel with elevated system access.
Departing emerging leaders are also more likely to provide positive sentiments about the organization if asked by those in their professional networks applying to the organization, making it a more attractive opportunity in a high-demand skills market.
About the author
Richard Addiscott is an analyst at Gartner covering topics focused on improving security risk management maturity and outcomes, optimizing organizational security risk postures and demonstrating clear alignment between security and strategic business outcomes.
Shift jurisdiction of investigating cyber frauds to location of accused: Haryana Police to MHA – The Indian Express
Haryana Police’s State Crime Branch has asked the Ministry of Home Affairs (MHA) that to curtail the rising cybercrimes across the country, it would be better if the “jurisdiction of investigating a cyber fraud is shifted to the state of the offender rather than the state of the complainant”.
“Cybercriminals execute frauds with victims of distant states for easy escape from police authorities. Hence, jurisdiction area may be shifted from state of the victim to state of the accused for instant apprehension of the cybercriminals and their organised structure,” Haryana Police state crime branch’s cyber cell has suggested to MHA in a meeting held on February 6 under the chairmanship of special secretary (internal security), MHA.
Explaining the rationale behind such a suggestion, Additional Director General of Police (State Crime Branch, Haryana) O P Singh told The Indian Express that “for instance a criminal stationed in Haryana commits a cyber fraud with a person stationed in Kerala and the amount involved is approximately Rs 40,000-50,000. As per the existing rules, the case will be registered in Kerala, which is the jurisdiction of the complainant. Police start investigating the case and find the accused’s location is in Haryana. To identify the accused’s location and come all the way to Haryana and apprehend him involves a lot of time and finances. It becomes completely unfeasible for the police to go all the way to another state and catch the accused. Even the complainants back out. But, if the jurisdiction of investigating the case is shifted to the state of the offender, it would become easier for the personnel of the police station concerned to nab the accused and bust the entire gang of such offenders. In this case, Kerala Police can simply intimate Haryana Police and we can pick up these criminals and vice-versa”.
O P Singh added, “The suggestion was appreciated by the MHA. Of course, it is a new thing and would come with other challenges too. But, we got to devise a mechanism and inter-state coordination to deal with increasing cybercrimes. If the mechanisms are not put in place at the right time, the situation would get out of our hand.”
In the meeting, the Haryana Police also suggested to the MHA that “central guidelines may be issued to all the banks, financial intermediaries, etc., to refund amount put on hold through Citizen Financial Cyber Frauds Reporting and Management System (CFCFRMS) module on police requests instead of asking court orders on every request as the state police is in receipt of approximately 1,000 calls and 200-300 complaints on a daily basis. It is not feasible to register case on each complaint. The learned courts do not issue refund orders to banks/intermediaries on basis of complaint without registration of FIR. Therefore, it is requested to issue necessary directions to all concerned at the end of Indian Cyber Crime Coordination Centre (I4C), MHA”. As per the current rules, a police officer not below the rank of an inspector can only investigate the cases pertaining to cybercrimes. “But, the number of inspector rank officers is also limited and they have to investigate other heinous crime cases as well. Thus, we made a suggestion to the MHA that – an amendment to the Information Technology Act to empower sub-inspector rank police officers to investigate cybercrime cases is necessary to improve the effectiveness of dealing with such crimes,” O P Singh told The Indian Express.
The state police force has also suggested to the MHA to issue instructions to the banks and other financial intermediaries to take timely actions on incidents reported by the police through CFCFRMS module.
In December 2022, the state crime branch had also raised a red flag on the Aadhaar-Enabled Payment System (AEPS) saying that cybercriminals were conducting financial frauds by siphoning off people’s vital data from the system and cloning the fingerprints available on documents on the government website. The cyber cell under the crime branch is currently investigating over 400 complaints pertaining to cyber frauds that are related to AEPS.
O P Singh had called it an “online fraud with silicon thumb” as criminals are quick in harnessing vulnerabilities.
“People need to be careful, although law enforcement agencies are nimble to keep up with them. AEPS fraud is the latest. During the course of investigation, fraudsters were found withdrawing money by forging biometric thumb impressions and abusing AEPS,” the ADGP told The Indian Express.
The state crime branch also advised people to deactivate the AEPS facility from their accounts if they are not using them regularly and avoid registering their fingerprints on any website. It has asked the public to immediately report any act or attempt of cybercrime to the number ‘1930’ within one hour of such an activity as it will help police stop the transfer of the defrauded fund to the cybercriminals’ accounts.
The investigators also asked the government departments of the state and intermediaries to conduct a safety audit and plug the loopholes that lead to the leakage of personal data such as thumb impressions and expose it to abuse by cybercriminals.
Explaining the modus operandi, O P Singh said that cybercriminals copy thumb impressions on butter paper from various websites to create duplicate silicon thumbs.
Varinder Bhatia is Deputy Resident Editor, The Indian Express, Chandigarh.
Soaring levels of cyber-crime and fraud prompt SBRC rebrand – DIGIT.FYI
The Scottish Business Resilience Centre (SBRC) has renamed itself Cyber and Fraud Centre – Scotland.
Graham Turner
In a bid to better reflect the rising national threat from cyber crime and fraud, the Scottish Business Resilience Centre will from today be known as Cyber and Fraud Centre – Scotland as it extends its focus to also include financial fraud.
The new brand comes as cyber-attacks and fraud are found to be on the rise: latest figures from Police Scotland show the number of cyber-crimes in 2021-22 were nearly double that of 2019-20, and fraud has increased 86% this decade.
Paul Atkinson, Chair of Cyber and Fraud Centre – Scotland, noted: “Over half of reported crime is related to fraud or cyber, but they’re both hugely underreported – so it’s likely they pose an even greater threat than the numbers indicate. As a nation, we are handling support for cyber crime victims well, but victim support around financial fraud is severely lacking.
“We need to examine how to collectively prevent and protect from this type of fraud, and the Cyber and Fraud Centre – Scotland team is well equipped to lead the conversation around this.”
Jude McCorry, CEO of Cyber and Fraud Centre – Scotland, said: “Financial fraud – including cyber crime – is set to be reclassified as a threat to national security, which will see it treated as seriously as terrorism and civil emergencies. We’ve seen a huge increase in this type of crime over the past year, and a lot of victims don’t get the support they need, which is why we’ve added fraud to our organisation’s purpose.
“Cyber-crime such as cyber attacks and financial fraud often cause businesses to pause operations; ransomware attacks prevent them from accessing their systems and financial fraud could render them unable to pay wages and suppliers. This can be devastating for small businesses and charities in particular, who may end up ceasing operations entirely.
“We’ve renamed ourselves Cyber and Fraud Centre – Scotland in recognition of our enhanced focus on empowering and educating organisations across the country on the risks caused by cyber crime and fraud. The name also clarifies what we do and means we are holding ourselves accountable and committed to tackling cyber crime and fraud to make Scotland a safer place to do business.”
Cyber and Fraud Centre – Scotland will continue its working relationships with partner organisations, including the Scottish Government and Police Scotland, to ensure its members can access training programmes and have access to industry experts as needed.
In recent years, the organisation has established itself as arguably a leader in building cyber awareness and business resilience throughout Scotland. Its latest milestones include launching the CyberScotland Partnership in 2021 and upskilling more than 450 businesses across Scotland in the National Cyber Security Centre’s scenario-based cyber awareness training programme, Exercise in a Box.
The news is part of a wider organisational shift for the not-for-profit, which last month announced it had officially adopted a four-day working week.
Cybersecurity Trends & Statistics For 2023; What You Need To Know – Forbes
Every year I peruse emerging statistics and trends in cybersecurity and provide some perspective and analysis on the potential implications for industry and government from the data. While cybersecurity capabilities and awareness seem to be improving, unfortunately the threat and sophistication of cyber-attacks are matching that progress.
The 2023 Digital Ecosystem
The emerging digital ecosystem is treacherous. In our current digital environment, every company is now a reachable target, and every company, large or small, has operations, brand, reputation, and revenue pipelines that are potentially at risk from a breach.
For 2023 and beyond, the focus needs to be on the cyber-attack surface and vectors to determine what can be done to mitigate threats and enhance resiliency and recovery. As interest among users greatly expands, so do the threats. As the Metaverse comes more online, it will serve as a new vector for exploitation. Artificial intelligence and machine learning are great for research and analytics (e.g. ChatGPT); however, AI tools can also be used by hackers for advanced attacks. Deepfakes are already being deployed and bots continue to run rampant. And the geopolitics of the Russian invasion of Ukraine has highlighted the vulnerabilities of critical infrastructure (CISA Shields Up) to nation-state threats, including more DDoS attacks on websites and infrastructure. Most ominous was the hacking of a Ukrainian satellite.
Here are some initial digital ecosystem statistics to consider. According to a Deloitte Center for Controllership poll, “During the past 12 months, 34.5% of polled executives report that their organizations’ accounting and financial data were targeted by cyber adversaries. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one.” And “nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead. And yet just 20.3% of those polled say their organizations’ accounting and finance teams work closely and consistently with their peers in cybersecurity.” Please see: Nearly half of executives expect cyber attacks targeting accounting, other systems (northbaybusinessjournal.com)
Cyber-Trends:
AI and ML Impacting the Cyber-Ecosystem in a Big Way in 2023 and Beyond
International Data Corporation (IDC) says AI in the cybersecurity market is growing at a CAGR of 23.6% and will reach a market value of $46.3 billion in 2027. Please see: Experts predict how AI will energize cybersecurity in 2023 and beyond | VentureBeat
My Take: AI and ML can be valuable tools to help us navigate the cybersecurity landscape. Specifically, they can be (and are being) used to help protect against increasingly sophisticated and malicious malware, ransomware and social engineering attacks. AI’s capabilities in contextual reasoning can be used for synthesizing data and predicting threats.
They enable predictive analytics to draw statistical inferences and mitigate threats with fewer resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms.
While AI and ML can be important tools for cyber-defense, they can also be a two-edged sword. While they can be used to rapidly identify threat anomalies and enhance cyber defense capabilities, they can also be used by threat actors. Adversarial nations and criminal hackers are already using AI and ML as tools to find and exploit vulnerabilities in threat detection models.
Cyber criminals are already using AI and machine learning tools to attack and explore victims’ networks. Small businesses, organizations and especially healthcare institutions that cannot afford significant investments in defensive emerging cybersecurity tech such as AI are the most vulnerable. Extortion by hackers using ransomware and demanding payment in cryptocurrencies may become a more persistent and evolving threat. The growth of the Internet of Things will create many new targets for the bad guys to exploit. There is an urgency for both industry and government to understand the implications of the emerging, morphing cyber threat tools that include AI and ML and to fortify against attacks.
Please also see the recent FORBES article discussing three key applications of artificial intelligence for cybersecurity, including Network Vulnerability Surveillance and Threat Detection, Incident Diagnosis and Response, and applications for Cyber Threat Intelligence Reports: Three Key Artificial Intelligence Applications For Cybersecurity by Chuck Brooks and Dr. Frederic Lemieux (forbes.com)
Cyber-Crime and the Cyber Statistics to Explore so Far in 2023
Cyber-crime is growing exponentially. According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. Please see: eSentire | 2022 Official Cybercrime Report. There are many factors for such growth, and some of them will be explored in more detail below.
Open Source Vulnerabilities Found in 84% of Code Bases
It starts with open source code. Unfortunately, according to Synopsys researchers, at least one open source vulnerability was found in 84% of code bases. The vulnerability data was included in Synopsys’ 2023 Open Source Security and Risk Analysis (OSSRA) report on 2022 data. Since most software applications rely on open source code, this is still a significant cybersecurity issue to address.
The report noted that “open source was in nearly everything we examined this year; it made up the majority of the code bases across industries,” adding that the code bases contained troublingly high numbers of known vulnerabilities that organizations had failed to patch, leaving them vulnerable to exploits. All code bases examined from companies in the aerospace, aviation, automotive, transportation and logistics sectors contained some open source code, with open source code making up 73% of total code.
As significant as the risks from open source code are, they can be detected by penetration testing and, above all, addressed by patching. The report found that patches clearly are not being applied. It cited that “of the 1,481 code bases examined by the researchers that included risk assessments, 91% contained outdated versions of open-source components, which means an update or patch was available but had not been applied.”
Please see: At least one open source vulnerability found in 84% of code bases: Report | CSO Online
One way that hackers take advantage of code vulnerabilities and open source flaws is via zero-day exploits. Recently a ransomware gang used a new zero-day flaw to steal data on 1 million hospital patients. “Community Health Systems (CHS), one of the largest healthcare providers in the United States with close to 80 hospitals in 16 states, confirmed this week that criminal hackers accessed the personal and protected health information of up to 1 million patients. The Tennessee-based healthcare giant said in a filing with government regulators that the data breach stems from its use of a popular file-transfer software called GoAnywhere MFT.” Clop claims it mass-hacked 130 organizations, including a US hospital network
My Take: as a remedy to avoid vulnerability exploits and keep open source code updated, the report suggested that organizations should use a Software Bill of Materials (SBOM). I agree; in addition to pen testing, SBOMs are an important way to map systems and organize to be more cyber secure. An SBOM is basically a list of ingredients that make up software components and serves as a formal record containing the details and supply chain relationships of the various components used in building the software. I wrote about this extensively in a previous FORBES article.
In the article, Dmitry Raidman, CTO of Cybeats, offered insights into specific use cases for SBOMs. They include transparency into software provenance and pedigree; continuous security risk assessment; access control and sharing with customers (who can access and what data can be seen); threat intelligence data correlation; software composition license analysis and policy enforcement; software component end-of-life monitoring; supply chain risk management (SCRM) and supply chain screening; an SBOM document repository and orchestration; and efficiency in data query and retrieval.
Clearly, SBOMs are a good path forward in discovering and correcting open source vulnerabilities in code. Please see: Bolstering Cybersecurity Risk Management With SBOMS (forbes.com)
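The use cases above (continuous risk assessment, license policy enforcement, outdated-component detection) are what an SBOM makes mechanical once the inventory exists. The following is an added example, not code from the Forbes article, Synopsys or Cybeats: it parses a small SBOM in CycloneDX JSON shape and checks each component against an advisory table, a latest-release table and a license deny-list. The SBOM, the advisory entries (with placeholder identifiers, not real CVEs), the "latest" versions and the license policy are all constructed sample data.

```python
"""Audit a CycloneDX-style SBOM for vulnerable, outdated and policy-violating components.

Added example with constructed data; advisory ids are placeholders, not real CVEs.
Only the standard library is used so it runs offline.
"""
import json

# Constructed SBOM in CycloneDX JSON shape (subset of fields a real tool would emit).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "jsonlite", "version": "0.9.1",
         "purl": "pkg:generic/jsonlite@0.9.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "tlswrap", "version": "2.0.0",
         "purl": "pkg:generic/tlswrap@2.0.0"},
    ],
})

# Constructed advisory feed: versions below "affected_below" are vulnerable.
ADVISORIES = {
    "libfoo":   [{"id": "ADV-PLACEHOLDER-1", "affected_below": "1.3.0", "fixed": "1.3.0"}],
    "jsonlite": [{"id": "ADV-PLACEHOLDER-2", "affected_below": "1.0.0", "fixed": "1.0.0"}],
}
# Constructed latest-release table, the basis for the "outdated" check.
LATEST = {"libfoo": "1.3.1", "jsonlite": "1.0.0", "tlswrap": "2.0.0"}
# Constructed license policy: identifiers not permitted in shipped products.
DENIED_LICENSES = {"GPL-3.0-only"}


def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3); non-numeric suffixes such as '3rc1' keep their digits."""
    return tuple(int("".join(ch for ch in part if ch.isdigit()) or 0) for part in v.split("."))


def audit_sbom(sbom_json, advisories=ADVISORIES, latest=LATEST, denied=DENIED_LICENSES):
    """Return a list of findings, one dict per issue, for every component in the SBOM."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        name, version = comp["name"], comp["version"]
        v = parse_version(version)
        # Known-vulnerable: installed version is below the advisory's fix boundary.
        for adv in advisories.get(name, []):
            if v < parse_version(adv["affected_below"]):
                findings.append({"component": name, "version": version, "kind": "vulnerable",
                                 "detail": f"{adv['id']} fixed in {adv['fixed']}"})
        # Outdated: a newer release exists (the OSSRA "patch available but not applied" case).
        if name in latest and v < parse_version(latest[name]):
            findings.append({"component": name, "version": version, "kind": "outdated",
                             "detail": f"latest is {latest[name]}"})
        # License policy: flag identifiers the constructed policy does not allow.
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in denied:
                findings.append({"component": name, "version": version, "kind": "license",
                                 "detail": lic_id})
    return findings


def summarize(findings):
    """Count findings by kind, the number a dashboard would track over time."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_sbom(SAMPLE_SBOM)
    for f in results:
        print(f"{f['kind']:10s} {f['component']}@{f['version']}: {f['detail']}")
    print(summarize(results))
```

In practice the advisory and latest-release tables come from a vulnerability feed and a package index rather than inline dictionaries, but the shape of the check is the same: the SBOM supplies the inventory, and every other control is a join against it.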
Phishing Continues to be a preferred Method of Hackers in 2023
Phishing is still the tool of choice for many hackers. Phishing is commonly defined as a technique of hackers to exfiltrate your valuable data, or to spread malware. Anyone can be fooled by a targeted phish, especially when it appears to be coming as a personal email from someone higher up the work chain, or from a bank, organization, or a website you may frequent.
Advances in technology have made it easier for hackers to phish. They can use readily available digital graphics, apply social engineering data, and a vast array of phishing tools, including some automated by machine learning. Phishing is often accompanied by ransomware and a tactic for hackers is to target leadership at companies or organizations (spear-phishing) because they usually have better access to valuable data and make ready targets because of lack of training.
According to the firm Lookout, the highest rate of mobile phishing in history was observed in 2022, with half of mobile phone owners worldwide exposed to a phishing attack every quarter. The Lookout report was based on Lookout’s data analytics from over 210 million devices, 175 million apps and four million URLs daily. The report noted that “non-email-based phishing attacks are also proliferating, with vishing (voice phishing), smishing (SMS phishing), and quishing (QR code phishing) increasing sevenfold in the second quarter of 2022,” and that “the damage can be colossal for businesses that fall victim to mobile phishing attacks: Lookout calculated that the potential annual financial impact of mobile phishing to an organization of 5000 employees is nearly $4m.”
The report also noted that “Cybercriminals mostly abused Microsoft’s brand name in phishing attacks, with more than 30 million messages using its branding or mentioning products like Office or OneDrive. However, other companies were also frequently impersonated by cybercriminals, including Amazon (mentioned in 6.5 million attacks); DocuSign (3.5 million); Google (2.6 million); DHL (2 million); and Adobe (1.5 million).”
Please see: Record Number of Mobile Phishing Attacks in 2022 – Infosecurity Magazine (infosecurity-magazine.com)
Ransomware and Phishing: the current state of cyber-affairs is an especially alarming one because ransomware attacks are growing not only in numbers, but also in the financial and reputational costs to businesses and organizations.
Currently, ransomware, mostly via phishing activities, is the top threat to both the public and private sectors. Ransomware allows hackers to hold computers and even entire networks hostage for electronic cash payments. In the recent case of Colonial Pipeline, a ransomware attack disrupted energy supplies across the east coast of the United States.
“In 2022, 76% of organizations were targeted by a ransomware attack, out of which 64% were actually infected. Only 50% of these organizations managed to retrieve their data after paying the ransom. Additionally, a little over 66% of respondents reported to have had multiple, isolated infections.” Please see: New cyberattack tactics rise up as ransomware payouts increase | CSO Online
My Take: Since most of us are now doing our work and personal errands on smartphones, this is alarming data. But there are remedies. Training employees to identify potential phishing emails is the first step in prevention, but many of the obvious clues, such as misspelled words and poor grammar, are no longer present. Fraudsters have grown more sophisticated, and employees need to keep up with the new paradigm.
Human errors are inevitable, however, and some employees will make mistakes and accidentally fall victim to phishing. The backup system at that point should include automated systems that can silo employee access and reduce damage if a worker’s account is compromised. The best way is to establish and monitor administrative privileges for your company. You can limit employee access or require two [authentication] steps before they go there. A lot of companies will also outlaw certain sites that workers can’t go visit, so it makes it more difficult to get phished.
My additional advice to protect against phishing and ransomware is to make sure you back up your valuable data (consider encrypting it too), preferably on another device segmented from the targeted PC or phone. If you are a small business or an individual, it is not a bad idea to invest in anti-phishing software; it adds another barrier. I also recommend regularly monitoring your social accounts and credit accounts for any anomalies.
Business E-mail Compromise
Often done in coordination with phishing, business email compromise is still a serious cybersecurity issue. The research company Trellix determined that 78% of business email compromise (BEC) involved fake CEO emails using common CEO phrases, a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number in order to execute a voice-phishing – or vishing – scheme. 82% were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns. Please see: Malicious actors push the limits of attack vectors – Help Net Security
“Seventy-five percent of organizations worldwide reported an attempted business email compromise (BEC) attack last year. While English remained the most common language employed, companies in a few non-English nations witnessed a higher volume of attacks in their own languages, including organizations in the Netherlands and Sweden, which reported a 92% jump in such attacks; in Spain, with a 92% jump; Germany, with an 86% increase; and France, with an 80% increase.” Please see: New cyberattack tactics rise up as ransomware payouts increase | CSO Online
“Business Email Compromise (BEC) attacks are no longer limited to traditional email accounts. Attackers are finding new ways to conduct their schemes — and organizations need to be prepared to defend themselves. Attackers are leveraging a new scheme called Business Communication Compromise to take advantage of large global corporations, government agencies and individuals. They are leveraging collaboration tools beyond email that include chat and mobile messaging — including popular cloud-based applications such as Slack, WhatsApp, LinkedIn, Facebook, Twitter and many more — to carry out attacks.” Please see: The evolution of business email compromise to business communication compromise (betanews.com)
My Take: business emails have been a top target of hackers. Accordingly, organizations need to create a corporate risk management strategy and vulnerability framework that identifies the digital assets and data to be protected, including sensitive emails. Such a risk management strategy should be holistic and include people, processes, and technologies. This includes protecting and backing up email data and the business enterprise systems, such as financial systems, email exchange servers, HR, and procurement systems, with new security tools (encryption, threat intel and detection, Identity Access Management, firewalls, etc.) and policies. That risk management approach must also include knowing your inventory and gaps, integrating cybersecurity hygiene practices, and procuring and orchestrating an appropriate cyber-tool stack.
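The two Trellix figures in this section (fake CEO emails using common CEO phrases, and most of them sent from free webmail services) describe a pattern a mail gateway can triage. The following is an added example, not code from this article or from Trellix: it checks a message's display name against a constructed executive roster, flags free webmail senders, and looks for the "confirm your direct phone number" style lure; the roster, domains and sample messages are all constructed.

```python
"""Heuristic triage for display-name business email compromise (BEC).

Added example for this article's BEC section, not code from the article or
from Trellix. The executive roster, corporate domain, webmail list and the
sample messages below are all constructed for illustration.
"""
import re
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # constructed corporate domain

# Constructed roster: display name -> the only legitimate address for it.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}

# Free webmail providers; the article notes 82% of BEC mail used such services.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Lure phrases modelled on the "confirm your direct phone number" vishing setup
# and the short, urgent "CEO phrases" the article describes.
LURE_PATTERNS = {
    "phone_number_request": r"\b(?:direct|cell|mobile|personal)\s+(?:phone\s+)?number\b",
    "availability_probe": r"\bare you (?:available|at your desk|free)\b",
    "urgency": r"\b(?:urgent|asap|right away|immediately)\b",
    "secrecy": r"\b(?:keep this (?:between us|confidential)|do not (?:call|discuss))\b",
}


def _normalize(name: str) -> str:
    """Collapse whitespace and case so 'JANE  Doe' matches the roster key."""
    return re.sub(r"\s+", " ", name).strip().lower()


def analyze_message(raw_from: str, subject: str, body: str) -> dict:
    """Return the triage verdict and the reasons that produced it.

    Verdicts: 'block' (impersonated executive plus a lure),
    'review' (one suspicious signal), 'pass' (nothing found).
    """
    display, addr = parseaddr(raw_from)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # Display-name impersonation: roster name, but not the roster address.
    expected = EXECUTIVES.get(_normalize(display))
    impersonation = expected is not None and addr != expected
    if impersonation:
        reasons.append(f"display name '{display}' but sender is {addr}, expected {expected}")
        if domain in FREE_MAIL_DOMAINS:
            reasons.append(f"sender uses free webmail domain {domain}")
        elif domain != CORP_DOMAIN:
            reasons.append(f"sender domain {domain} is not {CORP_DOMAIN}")

    # Lure phrases are checked on subject and body together.
    text = f"{subject}\n{body}".lower()
    lures = [name for name, pat in LURE_PATTERNS.items() if re.search(pat, text)]
    reasons.extend(f"lure phrase: {name}" for name in lures)

    if impersonation and lures:
        verdict = "block"
    elif impersonation or lures:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "sender": addr, "reasons": reasons}


# Constructed sample messages (not real mail): (From header, subject, body).
SAMPLES = [
    ('"Jane Doe" <jane.doe.ceo@gmail.com>', "Quick task",
     "Are you at your desk? Send me your direct number, I need this handled asap."),
    ('"Jane Doe" <jane.doe@example.com>', "Board deck",
     "Attached is the Q4 deck for review before Friday."),
    ('"IT Helpdesk" <helpdesk-support@outlook.com>', "Action required",
     "Reply with your mobile number immediately so we can verify your account."),
    ('"JOHN ROE" <john.roe@examp1e.com>', "Following up",
     "Let me know when you have a moment."),
]

if __name__ == "__main__":
    for raw_from, subject, body in SAMPLES:
        result = analyze_message(raw_from, subject, body)
        print(result["verdict"].upper(), raw_from)
        for reason in result["reasons"]:
            print("  -", reason)
```

The lookalike-domain case (sample four) is caught only because the display name is on the roster; a vendor-invoice BEC with no executive name needs a separate payment-change control.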
Fraud is Trending Digital, Especially Identity Theft
Fraud has always been a societal problem, but it is being compounded by the expansion of criminals in the digital realm. The cost is going higher as more people do their banking and buying online.
Federal Trade Commission (FTC) data shows that consumers reported losing nearly $8.8 billion to fraud in 2022, an increase of more than 30 percent over the previous year. Much of this fraud came from fake investing scams and imposter scams. Perhaps most alarming in this report was that there were over 1.1 million reports of identity theft received through the FTC’s IdentityTheft.gov website. Please see: FTC reveals alarming increase in scam activity, costing consumers billions – Help Net Security
My take: the reason for the increased rate of identity fraud is clear. As we become more and more connected, we become more visible and vulnerable to those who want to hack our accounts and steal our identities. The threat surface has expanded exponentially with smartphones, wearables, and the Internet of Things. Moreover, those mobile devices, social media applications, laptops and notebooks are not easy to secure.
There are no complete remedies for identity theft, but there are actions that can enable people and companies to help deter the threats. Below is a quick list of what you can do to help protect your accounts, privacy, and reputation:
1) Use strong passwords. Hackers are quite adept at guessing passwords especially when they have insights into where you lived in the past (street names), birthdays and favorite phrases. Changing your password regularly can also complicate their tasks.
2) Maintain a separate computer to do your financial transactions and use it for nothing else.
3) Consider using encryption software for valuable data that needs to be secured. Also set up Virtual Private Networks for an added layer of security when using mobile smartphones.
4) Very important: monitor your credit scores, your bank statements, and your social accounts on a regular basis. LifeLock and other reputable monitoring organizations provide account alerts that are very helpful in that awareness quest. The quicker you detect fraud, the easier it is to handle the issues associated with identity theft.
5) If you get breached, and it is especially serious, do contact law enforcement authorities, as it might be part of a larger criminal enterprise that they should know about. In any severe breach circumstance, consider looking for legal assistance on liability issues with creditors. Also consider hiring outside reputation management if necessary.
Some Additional Resources and Compilation of Cybersecurity Trends for 2023:
There is a very good report done by the Bipartisan Policy Research Center on the top eight macro risks to watch out for in 2023. They are stated below from the article and I agree with them all. Please see: Cyber arms race, economic headwinds among top macro cybersecurity risks for 2023 | CSO Online
And for a deeper dive on cyber stats please see: 34 cybersecurity statistics to lose sleep over in 2023 (techtarget.com). The article notes up front that we need to understand the data, and its immense volume, used for cyber-attacks. “By 2025, humanity’s collective data will reach 175 zettabytes — the number 175 followed by 21 zeros. This data includes everything from streaming videos and dating apps to healthcare databases. Securing all this data is vital.”
Please also see Dan Lohrmann’s annual analysis on cybersecurity trends: “After a year full of data breaches, ransomware attacks and real-world cyber impacts stemming from Russia’s invasion of Ukraine, what’s next? Here’s part 1 of your annual roundup of security industry forecasts for 2023 and beyond.” The Top 23 Security Predictions for 2023 (Part 1) (govtech.com) and The Top 23 Security Predictions for 2023 (Part 2) (govtech.com)
My Take: Of course, there are many other trends and statistics to explore as the year unfolds. It is certainly a treacherous cyber ecosystem, and it is expanding with risk and threats. Being cyber-aware is part of the process of risk management and security, and hopefully looking at the cyber-threat landscape will prompt both industry and government to prioritize cybersecurity from the top down and bottom up!
About The Author
Chuck Brooks
Chuck Brooks is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also an Adjunct Faculty member at Georgetown University’s Graduate Cybersecurity Risk Management Program, where he teaches courses on risk management, homeland security technologies, and cybersecurity. LinkedIn named Chuck one of “The Top 5 Tech People to Follow on LinkedIn.” He was named “Cybersecurity Person of the Year for 2022” by The Cyber Express, one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated, a “Top 50 Global Influencer in Risk, Compliance” by Thomson Reuters, “Best of The World in Security” by CISO Platform, and by IFSEC and Thinkers 360 the “#2 Global Cybersecurity Influencer.” He was featured in the 2020, 2021, and 2022 Onalytica “Who’s Who in Cybersecurity.” He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to Skytop Media and to FORBES. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.
Highlights from the New U.S. Cybersecurity Strategy – Krebs on Security
The Biden administration today issued its vision for beefing up the nation’s collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House’s new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and it names China as the single biggest cyber threat to U.S. interests.

The strategy says the White House will work with Congress and the private sector to develop legislation that would prevent companies from disavowing responsibility for the security of their software products or services.
Coupled with this stick would be a carrot: An as-yet-undefined “safe harbor framework” that would lay out what these companies could do to demonstrate that they are making cybersecurity a central concern of their design and operations.
“Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios,” the strategy explains. “To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”
Brian Fox, chief technology officer and founder of the software supply chain security firm Sonatype, called the software liability push a landmark moment for the industry.
“Market forces are leading to a race to the bottom in certain industries, while contract law allows software vendors of all kinds to shield themselves from liability,” Fox said. “Regulations for other industries went through a similar transformation, and we saw a positive result — there’s now an expectation of appropriate due care, and accountability for those who fail to comply. Establishing the concept of safe harbors allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.”
In 2012 (approximately three national cyber strategies ago), then director of the U.S. National Security Agency (NSA) Keith Alexander made headlines when he remarked that years of successful cyber espionage campaigns from Chinese state-sponsored hackers represented “the greatest transfer of wealth in history.”
The document released today says the People’s Republic of China (PRC) “now presents the broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”
Many of the U.S. government’s efforts to restrain China’s technology prowess involve ongoing initiatives like the CHIPS Act, a new law signed by President Biden last year that sets aside more than $50 billion to expand U.S.-based semiconductor manufacturing and research and to make the U.S. less dependent on foreign suppliers; the National Artificial Intelligence Initiative; and the National Strategy to Secure 5G.
As the maker of most consumer gizmos with a computer chip inside, China is also the source of an incredible number of low-cost Internet of Things (IoT) devices that are not only poorly secured, but are probably more accurately described as insecure by design.
The Biden administration said it would continue its previously announced plans to develop a system of labeling that could be applied to various IoT products and give consumers some idea of how secure the products may be. But it remains unclear how those labels might apply to products made by companies outside of the United States.
One could convincingly make the case that the world has witnessed yet another historic transfer of wealth and trade secrets over the past decade — in the form of ransomware and data ransom attacks by Russia-based cybercriminal syndicates, as well as Russian intelligence agency operations like the U.S. government-wide SolarWinds compromise.
On the ransomware front, the White House strategy seems to focus heavily on building the capability to disrupt the digital infrastructure used by adversaries that are threatening vital U.S. cyber interests. The document points to the 2021 takedown of the Emotet botnet — a cybercrime machine that was heavily used by multiple Russian ransomware groups — as a model for this activity, but says those disruptive operations need to happen faster and more often.
To that end, the Biden administration says it will expand the capacity of the National Cyber Investigative Joint Task Force (NCIJTF), the primary federal agency for coordinating cyber threat investigations across law enforcement agencies, the intelligence community, and the Department of Defense.
“To increase the volume and speed of these integrated disruption campaigns, the Federal Government must further develop technological and organizational platforms that enable continuous, coordinated operations,” the strategy observes. “The NCIJTF will expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale, and frequency. Similarly, DoD and the Intelligence Community are committed to bringing to bear their full range of complementary authorities to disruption campaigns.”
The strategy anticipates the U.S. government working more closely with cloud and other Internet infrastructure providers to quickly identify malicious use of U.S.-based infrastructure, share reports of malicious use with the government, and make it easier for victims to report abuse of these systems.
“Given the interest of the cybersecurity community and digital infrastructure owners and operators in continuing this approach, we must sustain and expand upon this model so that collaborative disruption operations can be carried out on a continuous basis,” the strategy argues. “Threat specific collaboration should take the form of nimble, temporary cells, comprised of a small number of trusted operators, hosted and supported by a relevant hub. Using virtual collaboration platforms, members of the cell would share information bidirectionally and work rapidly to disrupt adversaries.”
But here, again, there is a carrot-and-stick approach: The administration said it is taking steps to implement Executive Order (EO) 13984, issued by the Trump administration in January 2021, which requires cloud providers to verify the identity of foreign persons using their services.
“All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior,” the strategy states. “The Administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses known methods and indicators of malicious activity including through implementation of EO 13984.”
Ted Schlein, founding partner of the cybersecurity venture capital firm Ballistic Ventures, said how this gets implemented will determine whether it can be effective.
“Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure, so they just use U.S.-based cloud infrastructure to perpetrate their attacks,” Schlein said. “We have to fix this. I believe some of this section is a bit pollyannaish, as it assumes a bad actor with a desire to do a bad thing will self-identify themselves, as the major recommendation here is around KYC (‘know your customer’).”
One brief but interesting section of the strategy titled “Explore a Federal Cyber Insurance Backdrop” contemplates the government’s liability and response to a too-big-to-fail scenario or “catastrophic cyber incident.”
“We will explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur,” the strategy reads.
When the Bush administration released the first U.S. national cybersecurity strategy 20 years ago after the 9/11 attacks, the popular term for that same scenario was a “digital Pearl Harbor,” and there was a great deal of talk then about how the cyber insurance market would soon help companies shore up their cybersecurity practices.
In the wake of countless ransomware intrusions, many companies now hold cybersecurity insurance to help cover the considerable costs of responding to such intrusions. Leaving aside the question of whether insurance coverage has helped companies improve security, what happens if every one of these companies has to make a claim at the same time?
The notion of a Digital Pearl Harbor incident struck many experts at the time as a hyperbolic justification for expanding the government’s digital surveillance capabilities, and an overstatement of the capabilities of our adversaries. But back in 2003, most of the world’s companies didn’t host their entire business in the cloud.
Today, nobody questions the capabilities, goals and outcomes of dozens of nation-state level cyber adversaries. And these days, a catastrophic cyber incident could be little more than an extended, simultaneous outage at multiple cloud providers.
The full national cybersecurity strategy is available from the White House website (PDF).
This entry was posted on Thursday 2nd of March 2023 08:33 PM
For sure, Biden had to receive permission from his Chinese controllers before taking on any US cybersecurity strategy.
And you can verify that lie?
I think you meant to post that comment over at zero hedge.
Chinese and Jewish Space Lasers! Help!!
Found the village idiot!
10% for the “Big Guy” from CEFC. Educate yourselves
Sighhh. What is wrong with you people?
It’s about time that this is looked at. What also needs to be looked at is the mad rush to AI.
For sure, you had to receive payment from your Russian controllers before making this post.
“Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure(they can’t? someone should tell Ed Snowden).
“All service providers must make _reasonable_ attempts to secure the use of their infrastructure against abuse or other criminal behavior,” “how this gets implemented will determine whether it can be effective.”
I love it when a “plan” comes together. I feel safer already.
So two comments:
1) the phrase “open, free, global, interoperable, reliable, and secure Internet” occurs 5 times, once more with the word Internet at the start, and once followed by “digital future” which I’m taking as not very subtly coded speech for “Western Values”
2) “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software, not on the open-source developer of a component that is integrated into a commercial product.”
They don’t mention what happens if it’s not a commercial product. Or if the open source is from a company that provides it as a product in some way or supports it. I hope the intent is to protect open source devs, but the actual implementation will be very complicated (Red Hat hires a lot of developers to work on open source, and not just stuff Red Hat ships, e.g. Debian developers).
Remember the Cybersecurity Strategy of the CAN-SPAM Act, a huge failure in my opinion. Cyber-Security solutions should stay in the private sector, not with the government bureaucrats.
I would argue that it was quite successful when compared to doing nothing, which is always what cynics offer.
Everyone hates the bureaucracies, until the private sector fails. Then they call for oversight and regulation. Only when they forget that the private sector is to blame, do they go back to blaming the government.
The private sector never fails. America has a private sector? I thought we have public costs, private profits, as well as complexes such as medical, pharma, and military, along with tech gatekeepers. But yeah, keep that propaganda up with “private sector”.
Leaving it to the private sector has never ended well for any industry ever. We don’t need less regulations, we need more and we need to enforce them better.
I think the ESRB has been hugely successful in the games industry.
“The most noteworthy aspect of this part of the strategy is the plan to strengthen the cybersecurity workforce and tackle the lack of diversity among cybersecurity professionals. Other efforts included in this pillar include accelerating the adoption of technology that secures a clean energy future and encouraging investments in robust verifiable digital identity solutions.”
So, just like our military, they’re going to worry more about genders and green energy than actually fixing the problem. Except that pesky little problem of tracking citizens: “robust verifiable digital identity solutions”.
“Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure”
Imagine being so delusional you actually believe this.
Nine comments, and all but one are pure snark ginned up over a dopey Q-Anon trope or political drivel. Krebs’ audience usually contains at least a couple of qualified commenters… usually.
As much as I’d disagree with your “hot take” there, your own would make 10.
If you have something “qualified” to say, let’s hear it. ^ This can’t be it, can it?
Avoid hypocrisy. If you think this issue demands deep technical knowledge, or the vague wording of the “plan” proposed and reasonably in-depth coverage by our esteemed Mr. Krebson gives you “qualified” thoughts to share on it, what might they be? A snarky drivel response to what you see as same? Be the change you wish to see in the world.
I was just about to leave a snark remark echoing much the same of what the person you responded to stated – until I saw your post. Thank you for that – you are absolutely correct and nothing is worse than hypocrisy.
The DoD and the Intelligence Community are equally committed to using all of their complementary authorities to support disruption activities.
In a similar vein, disruption efforts will benefit from the complete set of complementary powers that the DoD and the Intelligence Community are committed to using.
I can’t believe U.S. leaders were dumb enough to outsource all of this stuff — semiconductors, 5G, general supply chains — in the first place. Complete stupidity.
Short-term profits for our corporate overlords, sure. But long term it has been a disaster.
US business runs on market forces unless acted on by a more powerful force than $. Lately they’ve been looking to in-source production after decades of degradation there, but it’s a slow process. A 1990’s view of China as America’s benevolent manufacturer has been debunked, yet the market still rules on many fronts, as even Tiktok shows. China’s planned system makes such major moves far easier for them than US’ does. It’s a huge restructuring. It will take a long time, a massive restructuring in all sectors. Meanwhile US markets are still saturated with cheap ubiquitous security-agnostic IOT products that consumers demand – you can still buy Dahua/Hikvision camera systems. They’re cheap. Until there’s some other driver for US consumers or outright restriction, expect to revisit that issue a lot. The Tiktok ban legislation is a significant trial balloon, one garnering scarce bipartisan support from those at all awake in the legislature. It’s much more complicated than just snapping fingers at the top, in the US.
Yeah, this started as early as 1976 when I was working for a DOD MIL supplier. One of the main points was that our suppliers had to be based in the US, and on a QPL list.
One day I thought my eyes had gone bad as the QPL parts supply list said “Hitachi” for one critical part. Thinking it to be a mistake, I went to The Big Purchasing Dude (PA-Purchasing Agent) and asked if it was a mistake. He said no. Nothing else, just “No.”
I said, “Well, I sure hope they don’t get pissed at us again,” and left his office just as his coffee cup hit the wall.
Different players, same game: “Lucrum super omnia.”
Open source software drives a huge fraction of the internet. Many vulnerabilities (Hi, Equifax!) trace their root cause to sloppy updating of open source systems by site operations people. Some more recent vulns (SolarWinds) are due to poisoning of open-source code repositories by bad actors.
My own Ubuntu machines — running long-term-support OS versions — get several updates a week. I keep them up to date; I work on open-source software and I don’t want to be the guy whose repositories are poisoned.
If Brian chose to publish a rundown of Ubuntu updates the way he publishes a rundown of Windows updates, he’d do very little else.
My point: “Cybersecurity” initiatives need to provide funds for open-source development teams. Those teams need to be able to afford good development, test, and distribution practices. Those things are labor-intensive and require consistent vigilance. If handled only by volunteers and by people seconded to open source by the biggies (GOOG, FB, Apple, MSFT, AWS, etc) they’ll fall short.
Diversity and equity, not education and talent. Got it.
*dodges plane on the runway* x 3
*Learn how to read so you can comment on topic.*
I’m so happy it’s not what I expected of the current administration. Thought I was going to be reading about how Firewalls are like border walls, are racist and need to be shut down everywhere. After all, it is a very crazy world.
Wow, How we progressed we identified the problem !
The sort of content (most, much, not all) I see here in these chains regularly makes me question the value of comment threads on Krebs’ stories. I kinda feel like it’s maybe a magnet for the crazies, I suppose.
Great job with the story, in any case.
Brian, and all other security enthusiasts, I encourage you to check this link: http://alexbuckland.me/
I believe this is the skid ratter the government are trying to kill.
Perhaps you should do a write up about it Brian.
“the greatest transfer of wealth in history.” I’m confused. Wasn’t it the scamdemic?
You’re confused when this was said in 2012, a decade prior to the pandemic?
Experts warn of Cybercrime in BiH: The Functioning of Institutions, Money is at Risk – Sarajevo Times
The authorities did not undertake the necessary activities to ensure the basic prerequisites for cyber security, although last year 24 out of 68 institutions in Bosnia and Herzegovina (BiH) were exposed to cyber attacks. This endangers the operation of public administration and can lead to the loss of data and financial resources necessary for the functioning of the country and the everyday life of citizens, warns the Office for the Audit of Institutions of BiH.
In the report on the audit of the performance of the activities of the institutions of BiH in ensuring the basic assumptions for cyber security, conducted by the Office for the Audit of the Institutions of BiH, it is recalled that last year there was a cyber attack on the institutions of BiH, which suspended the work of employees and prevented access to official websites for almost a month.
“For example, jeopardizing the security of the e-government system would cause a halt in the work of the Council of Ministers and could delay the adoption of important decisions for the public administration and citizens. An attack on the information system of the Ministry of Finance and Treasury in the Council of Ministers would threaten the records of all financial transactions of BiH institutions and could cause the suspension of all payments from the BiH budget,” the auditors state.
Pointing out that there is no official data on the number and type of cyber attacks in BiH, the auditors state that the institutions of BiH were not effective in undertaking activities with the aim of providing the basic assumptions for cyber security.
Due to the above, the Office for the Audit of BiH Institutions has defined recommendations with the aim of contributing to the provision of basic assumptions for cyber security, and the first recommendation is to the Council of Ministers to define deadlines for the preparation and responsibility for reporting on the process of preparing relevant cyber security acts.
A recommendation was sent to all institutions at the BiH level to urgently adopt information security management acts.
© 2012 Sarajevo Times. All Rights Reserved.