Author: rescue@crimefire.in

  • Customer details compromised in LastPass data breaches – Cyber Security Hub

    The data breaches LastPass suffered in August and November 2022 resulted in confidential customer information being compromised.
    In a statement, LastPass explained that the August breach saw a malicious actor steal source code and technical information from LastPass’ development environment that was then used to target an employee. This allowed the hacker to gain access to credentials and keys, which they then used to access LastPass’ third-party cloud storage service in November 2022. Using the keys, the malicious party was able to decrypt some storage volumes within the storage service.
    After the information was decrypted, the hacker accessed and copied information stored on a backup stored on the cloud that included “basic customer account information and related metadata” including “company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service”. The number of customers affected has not yet been shared.
    LastPass explained that the hacker was also able to “copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs”, as well as “fully-encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data”.
    The password management company reassured its customers about the safety of their encrypted data, noting that all encrypted files remain “secured with 256-bit AES encryption”, meaning that a unique encryption key derived from each user’s master password is needed to decrypt them. As LastPass does not know, store or maintain user master passwords, this reduces the chance of compromise.
    LastPass warned its customers to be wary of social engineering or phishing attacks in the wake of the attack. It also noted that while the company uses hashing and encryption methods to protect customer data, the malicious actors may use “brute force” in an attempt to guess customers’ master passwords and decrypt the copies of the vault data they stole.  
    The company noted that if customers follow its default settings and best practices for master passwords, it would “take millions of years to guess [a] master password using generally-available password-cracking technology”. It recommended that those who do not follow these best practices change passwords for the websites they currently have stored in their LastPass account.
    LastPass told customers that “sensitive vault data, such as usernames and passwords, secure notes, attachments and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture”, adding that there were no recommended further actions for its customers to take.
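    To make the key-derivation point concrete, the following is an added Python sketch; it is not LastPass’s code and not a description of its actual scheme. The iteration count, salt, policy thresholds and the two-stage layout (a client-side vault key, and a separate login verifier that is all the server ever stores) are assumed values chosen for illustration. It shows why a provider built this way never needs the master password, and which two levers (password length and KDF work factor) govern how expensive offline guessing of a stolen vault is.

```python
import hashlib
import hmac
import os

# Constructed parameters for illustration only (not LastPass's real settings).
ITERATIONS = 600_000   # assumed PBKDF2 work factor; raising it raises guessing cost
KEY_LEN = 32           # 256-bit key, matching the 256-bit AES the article cites


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the 256-bit vault key from the master password with PBKDF2-HMAC-SHA256.

    This runs on the client. The key is what actually unlocks the encrypted vault
    fields; the provider never receives the master password itself.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def login_verifier(vault_key: bytes, salt: bytes) -> bytes:
    """Value a zero-knowledge server may store to check a login.

    It is a further one-way hash of the derived key, so a copy of the server's
    database yields neither the vault key nor the master password.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=KEY_LEN)


def check_login(stored_verifier: bytes, candidate_key: bytes, salt: bytes) -> bool:
    """Server-side login check; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(stored_verifier, login_verifier(candidate_key, salt))


def meets_policy(master_password: str, iterations: int,
                 min_len: int = 12, min_iter: int = ITERATIONS) -> bool:
    """Defender-side check of the two settings the article says matter most:
    master-password length and the KDF work factor. Thresholds are assumptions."""
    return len(master_password) >= min_len and iterations >= min_iter


if __name__ == "__main__":
    salt = os.urandom(16)                      # per-user salt, stored alongside the account
    key = derive_vault_key("correct horse battery staple", salt)
    verifier = login_verifier(key, salt)       # the only secret-derived value the server keeps
    print("login ok:", check_login(verifier, key, salt))
    print("policy ok:", meets_policy("correct horse battery staple", ITERATIONS))
```

    A one-character change to the master password yields an unrelated key, and the server-held verifier cannot be turned back into either value; the iteration count is the setting a defender raises to make every guess against a stolen vault copy proportionally slower.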

    source

  • Uber Data Breach Results in Corporate Cooperation and Executive … – Sidley Austin LLP

    On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.
    Uber hired Sullivan as its first Chief Security Officer (“CSO”) following a data breach in September 2014 related to the unauthorized access of approximately 50,000 consumers’ personal information, including their names and drivers’ license numbers. In the wake of the 2014 breach, the Federal Trade Commission (“FTC”) initiated an investigation into Uber’s data security program and practices. As CSO, Sullivan oversaw Uber’s response to federal regulators and provided testimony regarding Uber’s data security practices. During this testimony, Sullivan made specific representations about steps he claimed Uber had taken to keep customer data secure. However, in November 2016—mere days after testifying before the FTC in its ongoing investigation of the 2014 breach—hackers contacted Sullivan to inform him of a vulnerability they had discovered that permitted the extraction of a large volume of Uber’s data. The Company did not disclose the 2016 incident to FTC investigators, and entered into a consent decree with the FTC in August 2016.
    According to the Complaint, while conducting an investigation into the incident two years later, Uber’s outside lawyers discovered Sullivan’s misconduct. In response, Uber disclosed the breach publicly, and to the FTC, in November 2017.
    The failure to disclose the incident to the FTC during the FTC’s investigation was a critical fact, but perhaps not the most important fact, leading to the prosecution in this case. As properly stated in the jury instruction used in this case for the misprision offense: the “[m]ere failure to report a federal felony is not a crime. The defendant must also commit some affirmative act designed to conceal the fact that a federal felony has been committed. Such an act does not need to be made directly to an authority.” In a Complaint filed in August 2020, federal prosecutors alleged that instead of initiating steps to notify the affected users and relevant authorities as may be required by certain state data breach notification laws, and as Uber had done in 2014 when similar data had been impacted, Sullivan “instructed his team to keep knowledge of the 2016 Data Breach tightly controlled” while he quietly engaged in weeks-long backchanneling with the hackers responsible for it. The negotiations enabled Sullivan to secure nondisclosure agreements from the hackers—including a promise to destroy the data and attestations that they “did not take or store any data” in the first place—in exchange for $100,000. But, as prosecutors alleged, those attestations were false. The government charged that Sullivan improperly made the payment to hackers under a “bug bounty” program intended to incent white-hat hackers to identify security vulnerabilities proactively and in good faith, not to repay those who had in fact accessed and obtained large volumes of personal data in an attempt at extortion. Moreover, the government charged that Sullivan concealed certain details about the incident resulting in affirmative misrepresentations and misleading omissions when Sullivan briefed the new CEO about the incident. 
    Not only did Sullivan’s actions conceal the data breach; the affirmative steps taken to cover up the hackers’ crime also contributed to the hackers’ ability to potentially commit other hacks.
    Sullivan’s prosecution and trial are notable given that the government put on evidence from one of the very hackers who initially had breached Uber’s systems along with testimony from Uber executives. Prosecutors from the U.S. Attorney’s Office for the Northern District of California charged two individuals, Vasile Mereacre and Brandon Glover, with conspiring to commit extortion involving computers. Both pled guilty in 2019, and Mereacre testified at trial, confirming that he and Glover had downloaded data including the names, email addresses, and phone numbers of 57 million users of the Uber application, along with 600,000 drivers’ license numbers.
    In July 2022, the government also entered into a non-prosecution agreement with Uber for a term tied to entry of a final judgment in the prosecution against Sullivan, citing several factors weighing against corporate prosecution:
    As noted in the DOJ’s press release, Uber’s full cooperation played an important role in this decision. According to Deputy Attorney General Lisa Monaco’s September 2022 revision to DOJ’s Corporate Enforcement Policy, a company is eligible to receive “full cooperation credit” from the DOJ when it has not only “promptly notified prosecutors of particularly relevant information once it was discovered,” but also “prioritized” the production of that information deemed “most relevant for assessing individual culpability.” The Monaco Memo emphasizes that a company may lose its “eligibility for cooperation credit”—in whole or in part—if it “delays its disclosure” of significant facts once it identifies them. 
    The failure to disclose the 2016 incident amid the FTC’s investigation of Uber’s privacy and cybersecurity practices for a similar incident also led to a revision of the FTC’s consent order to require Uber to notify the FTC of certain future incidents involving unauthorized access to consumer information. This revision could also subject the Company to civil penalties if it fails to notify the FTC of future incidents in accordance with the terms of the settlement.
    This case serves as a cautionary tale for any corporation that runs a bug bounty program, and provides critical lessons for data breach response and cybersecurity governance. For example, companies may want to review their bug bounty programs to ensure proper governance and controls are in place. Companies should also consider their data breach notification obligations following any bug bounty report or cyber incident.
    Senior managing associate Alexander J. Kellermann and associate Connor G. Boehm contributed to this Sidley Update.

    source

  • What cyber security authentication is, and what it is not – TechDay News

    First, what is Cyber Security authentication?

    The process of authenticating the identity of a user or device seeking to access a system, network, or application is known as cyber security authentication. Authentication is an important aspect of cyber security since it ensures that only authorized people and devices have access to sensitive resources and data.
    Cyber security is all about closing gaps. The best place to start is by authenticating access points. This is a function done on many different levels, all depending on the security requirements put in place.
    Let us dive deeper into what authentication is and what it is not, so you can determine how well secured your organization is and where your cyber security is lagging behind.

    Authentication vs. Authorization

    Authorization is the process of deciding whether a previously authenticated person or device is permitted to execute a certain activity or access a specific resource. This is often determined by the user’s system role, permissions, or privileges. A user, for example, may be authenticated to access a system but only permitted to view specific data or execute specific activities inside that system.
    As you see, the two are not the same and they work together to secure organizations, identities, devices, and networks.
    One prominent system of granting privileged access to privileged users is known as Privileged Access Management (PAM).
    Authentication is the process of validating a person’s or device’s identity, whereas authorization is the process of determining what that authenticated user or device is permitted to do or access. Authentication and authorization are both key components of cybersecurity, and they are frequently used in tandem to guarantee that only authorized people and devices have access to sensitive resources and data.
    Learn more about the difference between Authentication vs Authorization.
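    The distinction reads most clearly in code. Below is an added Python example (written for this page, not taken from the article or any product) in which a request passes two separate gates: authentication proves who the caller is by checking a salted PBKDF2 password hash, and authorization then decides, from the caller’s roles, whether the requested permission is allowed. The user store, role names and permission strings are constructed for illustration; a real system would use a database and a dedicated password-hashing library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERS = 100_000   # assumed work factor for the illustration


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set = field(default_factory=set)


# Constructed role-to-permission map: authorization policy lives here, not in the
# password check.
PERMISSIONS = {
    "viewer":  {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin":   {"report:read", "report:export", "user:manage"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)


def create_user(username: str, password: str, roles) -> User:
    salt = os.urandom(16)                       # unique salt per user
    return User(username, salt, hash_password(password, salt), set(roles))


def authenticate(store: dict, username: str, password: str):
    """Authentication: establish identity. Returns the User on success, else None."""
    user = store.get(username)
    if user is None:
        # Burn a hash anyway so an unknown username does not answer faster than a
        # wrong password (username enumeration via timing).
        hash_password(password, b"\x00" * 16)
        return None
    if hmac.compare_digest(user.pw_hash, hash_password(password, user.salt)):
        return user
    return None


def authorize(user: User, permission: str) -> bool:
    """Authorization: decide what the already-authenticated identity may do."""
    return any(permission in PERMISSIONS.get(role, set()) for role in user.roles)


def access(store: dict, username: str, password: str, permission: str) -> str:
    """The two gates in order: no identity -> 401; identity but no right -> 403."""
    user = authenticate(store, username, password)
    if user is None:
        return "401 not authenticated"
    if not authorize(user, permission):
        return "403 not authorized"
    return "200 ok"


if __name__ == "__main__":
    users = {"alice": create_user("alice", "alice-pass", ["viewer"])}
    print(access(users, "alice", "alice-pass", "report:read"))     # 200 ok
    print(access(users, "alice", "alice-pass", "report:export"))   # 403 not authorized
    print(access(users, "alice", "wrong-pass", "report:read"))     # 401 not authenticated
```

    The separate 401 and 403 outcomes are the practical sign that the two controls are distinct: a valid password alone never grants a permission, and the permission table is consulted only after identity is established.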

    5 types of cyber security authentication

      1. Password-Based Authentication

    This is the most common type of authentication, which involves users entering a username and password to access a system or application. Password-based authentication is easy to implement, but it can be vulnerable to password theft, social engineering attacks, and brute force attacks.
    When it comes to password protection, it is impossible to discuss this authentication method without mentioning password vaults.
    A password vault, sometimes known as a password manager, is a piece of software that securely saves and manages passwords and other confidential data, such as credit card numbers and personal identification numbers (PINs). A password vault allows users to generate and save complex, unique passwords for many accounts and websites, removing the need to recall them all.
    Password vaults function by encrypting user passwords and other private data and storing it in a secure database. Users may access their password vault with a single master password, providing an additional degree of protection.

      2. Multi-Factor Authentication (MFA)

    Multi factor authentication (MFA) requires users to provide two or more forms of authentication before being granted access to a system or application. This can include something the user knows (such as a password), something the user has (such as a security token or smart card), or something the user is (such as biometric data). MFA is more secure than password-based authentication, as it requires attackers to compromise multiple factors in order to gain access.

      3. Certificate-Based Authentication

    Certificate-based authentication involves the use of digital certificates to authenticate users and devices. Digital certificates are issued by trusted authorities and can be used to verify the identity of users and devices. Certificate-based authentication is more secure than password-based authentication, as it is difficult to forge or steal digital certificates.

      4. Biometric Authentication

    Biometric authentication involves the use of physical characteristics, such as fingerprints, facial recognition, or iris scans, to verify the identity of users. Biometric authentication is more secure than password-based authentication, as it is difficult to fake or steal physical characteristics. However, it can be vulnerable to spoofing attacks, where attackers use fake fingerprints or facial images to gain access.
    There are hundreds of different biometric authentication methods. Which one is appropriate depends on the level of security required and on the access point being protected (on-prem, network, cloud, device, and so on), since each of these attack points calls for a different method.
    We could dive deeper into each case: on-prem laboratory conditions, for example, may require fingerprint authentication or even visual (eyeball) authentication. It all depends on the level of security.
    Related methods such as fingerprints, facial recognition, and voice recognition all verify the identity of a user from a physical trait.

      5. Behavioral Authentication

    This method involves analyzing the behavior of users, such as keystroke dynamics, mouse movements, or device usage patterns, to verify their identity. Behavioral authentication is more secure than password-based authentication, as it is difficult for attackers to replicate user behavior. However, it can be vulnerable to false positives, where legitimate users are denied access due to changes in their behavior.
    A modern type of this authentication is the behavioral driven governance (BDG).

    source

  • Cybercrime Expected To Skyrocket in Coming Years – Statista


    According to estimates from Statista’s Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027. Cybercrime is defined by Cyber Crime Magazine as the “damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”
    As more and more people turn online, whether for work or their personal lives, there are more potential opportunities for cyber criminals to exploit. At the same time, attacker techniques are becoming more advanced, with more tools available to help scammers. The coronavirus pandemic saw a particular shift in cyber attacks, as Statista’s Outlook analysts explain: “The COVID-19 crisis led to many organizations facing more cyberattacks due to the security vulnerability of remote work as well as the shift to virtualized IT environments, such as the infrastructure, data, and network of cloud computing.”
    Read more on the costliest cyber attacks here.

    Chart description: This chart shows the expected cost of cybercrime until 2027.

    source

  • Here’s What 10 Cybersecurity CEOs Are Prioritizing In 2023 – CRN

    From reaching customers that are buying security solutions in new ways, to fighting cybercrime and emerging threats alongside their trusted channel partners, here’s what some of the world’s biggest security CEOs are prioritizing this year.
    Winning With The Channel
    It’s not an understatement to say that cybersecurity CEOs in 2023 have their hands full. The world is coming off of three years of disruption, new demands on IT infrastructure, and oftentimes, geographically distributed end users. While it’s been challenging for the cybersecurity sector, it’s also been a time of unprecedented growth.
    The increased attack surface across enterprises and SMBs alike presents a heightened risk of cyber-attacks, breaches, and bad actors looking to take advantage of the trends that have emerged in recent years, such as teleworking and hybrid work. But security vendors are used to both staying ahead of the threats and playing defense. Locking down their clients’ valuable assets, blocking ransomware attacks and boosting privacy are just some of the challenges that these companies have been handling right along. But they aren’t on the battlefield alone – these companies are working alongside their channel partners to take on emerging threats and to serve up security solutions in the new ways that customers are looking to buy.
    As part of CRN’s CEO Outlook 2023 report, we asked the CEOs at some of the world’s biggest security companies to fill in the blank: My top priority for 2023 is…
    Here’s what they had to say.
    Gina Narcisi is a senior editor covering the networking and telecom markets for CRN.com. Prior to joining CRN, she covered the networking, unified communications and cloud space for TechTarget. She can be reached at gnarcisi@thechannelcompany.com.

    source

  • Made in America, stolen by China: We need cybersecurity minimum standards – The Hill

    The United States is under siege and many threats originate from the same place, even if the day’s headlines don’t make it obvious.
    Russia is certainly the threat du jour because of its rampant use of cyberattacks, invasion of Ukraine, and energy extortion on much of Europe. The Cybersecurity & Infrastructure Security Agency (CISA) even launched a “Shields Up” campaign that centers around cyber threats originating from Russia. Add the threat of nuclear war to the equation, and it’s easy to understand why Russia captures so much of our attention.
    But there is a greater threat that is so pervasive and omnipresent that it has infiltrated your teenager’s social media, breached both federal and state agencies and much of the supply chain supporting our defense industrial base.
    Military, intelligence, and economic advantages are made in America and then quickly stolen by China.
    China is simultaneously influencing hours of your children’s time every day on TikTok, breaching federal agencies to compromise the personal information of tens of millions of Americans, and very recently at least six state government networks. And let’s not forget the vast supply chain that enables the world’s greatest fighting force. Our defense industrial base is routinely attacked by China, in parallel to their assault on the rest of American citizens, government, and business.
    Many Americans now understand that TikTok is more than just viral videos; it’s a data harvester. Seven governors (so far) have banned the use of TikTok on state devices: Kay Ivey of Alabama, Bill Lee of Tennessee, Spencer Cox of Utah, Kevin Stitt of Oklahoma, Larry Hogan of Maryland, Kristi Noem of South Dakota, and Henry McMaster of South Carolina.
    The Chinese Communist Party reportedly is using companies like ByteDance, TikTok’s parent company, and telecom provider Huawei as levers to run a longstanding espionage program.
    TikTok has already started paying out after settling a $92 million class action lawsuit that claimed the app violated privacy rights. CNN reported that the FBI determined Huawei equipment — currently deployed on cell phone towers near military bases — is capable of “capturing and disrupting highly restricted” Defense Department (DOD) communications. The Federal Communications Commission (FCC) designated Huawei as a national security risk last year.
    These are not isolated incidents.
    China doesn’t always use private businesses to do its dirty work, and it isn’t just after data. Chinese officials reportedly have targeted Federal Reserve employees for a decade to gain influence and undermine monetary policy. A report from Sen. Rob Portman of Ohio says that unless action is taken, China has “an open avenue to disrupt the integrity of the American financial system, jeopardizing U.S. national security.” Even more brazen, hackers linked to the Chinese government stole millions in COVID-19 benefits, according to the Secret Service.
    Between its motivations, pervasiveness, and coordination in stealing American data and attempting to use it against us, China is clearly the largest threat to the U.S. — the Pentagon certainly sees it that way.
    Is China ready to leapfrog the United States from a military dominance perspective? What about the political, economic, and intelligence advantages that the U.S. holds? Gaining supremacy in those areas is China’s goal, and it’s closer to reality than hyperbole.
    China has been breaking into computer networks of government contractors for the better part of two decades. This means organizations from defense to critical infrastructure have had schematics, research and development, and other sensitive data all being fed to the Chinese government.
    The call to action on stopping China came way back in 2008. Deputy Secretary of Defense Gordon England gathered the top eight aerospace and defense CEOs at the Pentagon and told them to “stop the bleeding” of data that was occurring on their networks. Nearly 15 years later, action hasn’t been swift enough.
    In July 2020, FBI director Christopher Wray called this Chinese theft “on a scale so massive that it represents one of the largest transfers of wealth in human history. If you are an American adult, it is more likely than not that China has stolen your personal data.”
    Only in March 2022 did Congress pass the Cyber Incident Reporting for Critical Infrastructure Act, which requires breach victims to notify CISA within 72 hours of a significant cyber incident and within 24 hours of paying a ransom. The legislation also gives CISA up to two years to issue proposed rules and even longer for a final rule.
    As CNN’s reporting indicates, the U.S. government has known about China’s targeting of critical communication networks near military bases, but still hasn’t fully funded a program to rip and replace the equipment. To do so would be a burdensome and expensive endeavor, but losing our military, technical, and intelligence advantages is far more costly and difficult to swallow.
    Our government is getting much better at responding to threats like Chinese talent plans, but we have to increase the speed with which we act. We’ve known about these threats for nearly two decades, yet no mandatory cybersecurity minimums are in place for defense contractors to do business with the U.S. government.
    In August 2020, the Trump administration issued an executive order that sought to ban TikTok in the U.S. over its data collection practices. Ten months later, the Biden administration rescinded it and replaced it with one of its own.
    Too often, Chinese threats are intentionally minimized because so many U.S. organizations have business there. In October 2019 Daryl Morey, then the general manager of the NBA’s Houston Rockets, published a tweet in support of Hong Kong protesters. That tweet alone reportedly cost the NBA between $150 million and $200 million.
    With so much profit to be made in China, there is financial incentive to look the other way as the heist of American data and intellectual property continues.
    It might be tempting to compare this hostility to the Cold War, but Soviet Russia didn’t have the kind of reach, manufacturing capacity, or economic power that China has now. China is pervasive in its ability to produce goods and services that Americans want and need, from apps like TikTok to semiconductors and cellular communication equipment. China can weaponize and distribute its data collection efforts in ways that can be devastating to America.
    Federal agencies like the FCC, DOD, and Securities and Exchange Commission (SEC) each have a regulatory lever they can pull. Acting in unison would provide some consistency in those efforts. However, our best shot at meaningful progress in shunning China’s ongoing threat is growing public-private partnerships.
    Instead of a naming-and-shaming reactive culture, we need to double down on a proactive, information-sharing, forward-defending posture.
    Victims shouldn’t be penalized for sharing breach information or indicators of compromise. That intel should be distributed through the appropriate public-private partnerships to better protect our critical infrastructure.
    Creating mandatory cybersecurity minimums certainly has an associated cost, but we are getting to a point where we can either pay now or pay later. The cost of inaction is likely unbearable, an erosion of democracy that we probably can’t even fully grasp.
    Eric Noonan is CEO of CyberSheath.

    source

  • Companies often operate in dark with little applied threat intelligence – Cybersecurity Dive


    The report, conducted by the market research firm Vanson Bourne, examines the value and implementation of threat intelligence across global organizations. The respondents span 13 countries and 18 industries, ranging from financial services to healthcare and government. 
    Effective threat intelligence can improve detections, inform incident response and help network defenders proactively hunt for threats, according to Luke McNamara, Mandiant principal analyst, Google Cloud. Threat intelligence can also help the C-suite and board members gain a better understanding of the threat landscape and how it may impact operations. 
    “Ultimately, threat intelligence is an input into the security function of an organization, that when properly used and disseminated to the right stakeholders within the organization, helps mitigate business risk,” McNamara said via email. 
    Oftentimes threat actors are hiding for weeks and months within an organization’s computer systems and if their techniques and behavior patterns are unknown, they can often do tremendous damage before a security team even understands what has taken place. 
    For example, the SolarWinds supply chain attacks were first disclosed in December 2020; subsequent research found the threat actors had been quietly lurking inside the systems of government agencies and private organizations for more than a year before the attack was officially discovered. 
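    The two paragraphs above describe what threat intelligence is for (turning known indicators into detections) and why dwell time matters. The following Python script is an added example, not code from the Mandiant report or from Cybersecurity Dive: it applies a small indicator feed to proxy log lines and reports the first and last sighting of each indicator plus the dwell time implied by a given detection date. The feed entries, IP addresses, host names and log lines are all constructed for the example and are not real indicators.

```python
"""Apply a threat-intel feed to proxy logs and estimate dwell time.

Added example. The indicator feed, log lines and timestamps below are
constructed for illustration; none come from a real incident or report.
"""
from datetime import datetime
import ipaddress
import re

# Constructed indicator feed (hypothetical values, in the shape a CTI feed
# might deliver): domains, single IPv4 addresses and CIDR ranges.
INDICATORS = [
    {"type": "domain", "value": "update-cdn.example.net", "source": "feed-A"},
    {"type": "ipv4", "value": "203.0.113.7", "source": "feed-A"},
    {"type": "cidr", "value": "198.51.100.0/24", "source": "feed-B"},
]

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_host> <dst_ip> <path>".
SAMPLE_LOGS = """\
2020-09-04T08:12:01Z 10.0.0.5 www.example.com 93.184.216.34 /index.html
2020-09-04T21:40:13Z 10.0.0.9 update-cdn.example.net 203.0.113.7 /api/v2/beacon
2020-10-17T03:02:55Z 10.0.0.9 update-cdn.example.net 203.0.113.7 /api/v2/beacon
2020-11-02T11:15:30Z 10.0.0.12 mirror.example.org 198.51.100.42 /pkg/list
2020-12-13T14:00:00Z 10.0.0.5 www.example.com 93.184.216.34 /login
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def load_matchers(indicators):
    """Pre-compile the feed: sets for exact lookups, a list of networks for CIDRs."""
    domains = {i["value"].lower() for i in indicators if i["type"] == "domain"}
    ips = {i["value"] for i in indicators if i["type"] == "ipv4"}
    nets = [ipaddress.ip_network(i["value"]) for i in indicators if i["type"] == "cidr"]
    return domains, ips, nets


def match_line(line, matchers):
    """Return the indicator values a log line matches (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # malformed line: skip rather than crash the scan
    _ts, _src, host, dst_ip, _path = m.groups()
    domains, ips, nets = matchers
    hits = []
    h = host.lower()
    for d in domains:  # exact domain or any subdomain of a listed domain
        if h == d or h.endswith("." + d):
            hits.append(d)
    if dst_ip in ips:
        hits.append(dst_ip)
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        addr = None
    if addr is not None:
        for n in nets:
            if addr in n:
                hits.append(str(n))
    return hits


def scan_logs(log_text, indicators):
    """Map each matched indicator to its (first, last) sighting timestamps."""
    matchers = load_matchers(indicators)
    sightings = {}
    for line in log_text.splitlines():
        hits = match_line(line, matchers)
        if not hits:
            continue
        ts = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
        for ind in hits:
            first, last = sightings.get(ind, (ts, ts))
            sightings[ind] = (min(first, ts), max(last, ts))
    return sightings


def dwell_days(sightings, detected_at):
    """Whole days between the earliest sighting of any indicator and detection."""
    if not sightings:
        return None
    earliest = min(first for first, _last in sightings.values())
    return (detected_at - earliest).days


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS, INDICATORS)
    for ind, (first, last) in sorted(found.items()):
        print(f"{ind}: first seen {first:%Y-%m-%d}, last seen {last:%Y-%m-%d}")
    detected = datetime(2020, 12, 13, 14, 0, 0)  # constructed detection date
    print(f"dwell time before detection: {dwell_days(found, detected)} days")
```

    Two points worth noting: the domain check matches subdomains as well as exact names, because actors routinely rotate hostnames under a registered domain, and the CIDR check uses the standard library's ipaddress module rather than string prefixes, so a /24 cannot accidentally match a /16 neighbour. In practice the feed would be loaded from a STIX/TAXII source or a SIEM lookup table, and the first-sighting timestamps are exactly what an incident responder needs to scope how long the intrusion has been running.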
    The Mandiant report indicates companies may not always have regular communication with their leadership about current developments.
    Cybersecurity is discussed on average every four to five weeks within organizations, including with the C-suite, board members and other senior stakeholders. Cybersecurity discussions are less frequent with other groups, such as investors, taking place on average every seven weeks. 
    Correction: This article has been updated to reflect the supply chain attacks targeting SolarWinds took place in 2020.

    source

  • Ransomware gangs force cybersecurity teams to reassess – SC Media

    Today’s columnist, Shmuel Gihon of Cyberint, says the continued proliferation of ransomware has forced companies to take a more proactive approach to cybersecurity awareness. (Credit: Stock Photo, Getty Images)
    Ransomware attacks mushroomed during the pandemic and now continue to grow. Before March 2020, there were four major ransomware groups operating at any one time and today there are around 20. Competition has become fierce among ransomware groups and there’s a high mortality rate. Just as LockBit 3.0 replaced Conti in 2022, newcomers such as BlackBasta, BianLian, and new-kid-on-the-block Royal are now all seriously vying for LockBit’s crown in 2023.
    They bring with them new threats and fresh tactics, techniques, and procedures (TTPs), such as BianLian writing its malware in Go (Golang), whose statically linked binaries are harder for analysts to reverse engineer. The increased use of cloud services that enabled efficient WFH practices, plus a significant rise in the number of third-party services and suppliers being integrated into the corporate infrastructure, has also considerably extended the attack surface.
    Organizations should strengthen their cybersecurity in several important areas. Start by understanding that most breaches occur as a result of employee error. This can involve anything from opening an email attachment from an unknown source to downloading a dodgy app onto a personal smartphone.
    Although major breaches such as Colonial Pipeline in the U.S. and, more recently, the UK’s Royal Mail breach grab the headlines, it’s generally more modestly sized organizations which offer the most tempting targets for ransomware groups. In addition to generally weaker security, targeting firms with $20-$100 million in annual revenue means a successful cyber-attack won’t get widely reported and investigated. Major breaches that are perceived to affect national security and infrastructure are taken extremely seriously not only by the investigating authorities, but also by unpaid armies of hackers, such as those who deposed 2021’s top ransomware gang, the Conti Group. Ideal targets are businesses with about 50 employees and $30 million in revenue.
    The suddenness of the epidemic and the speed of national lockdowns meant that companies, even the biggest and best organized, had no time to prepare for the mass exodus from the workplace in 2020. For some years, bring-your-own-device (BYOD) strategies had been used by many SMEs to save cash by encouraging staff to use their own smartphones and tablets for work communications. But WFH exposed the weaknesses in this strategy from a security standpoint, and it has already resulted in a recent rapid growth in identity theft. A single employee will frequently log onto scores of external websites every day, submitting personal and log-in details that criminals can steal, sell in large batches on the dark web, and then reuse in subsequent attacks.
    It’s therefore essential that given the growing ransomware threat, organizations raise cybersecurity awareness across the entire organization, particularly among those staff who have opted to continue to work from home in the post-pandemic era.
    The regular emails that some companies send staff warning them of the dangers are insufficient, as they are frequently ignored. Engage with staff where possible. For instance, the intelligence gathered from a questionnaire designed to highlight ongoing security issues and dangerous behaviours can then get relayed back to the staff to inform them that, for example, 30% of employees may leave themselves open to spear-phishing attacks.
    But raised awareness must also go hand-in-hand with basic precautions, including patching systems promptly and regularly, rather than every couple of months as is the case at many companies. Failing to prioritize system updates needlessly leaves the organization playing Russian roulette with the ransomware gangs for weeks on end.
    We also recommend using a virtual private network (VPN) for staff working from home accessing the corporate network. Organizations should ideally have insisted on this at the beginning of WFH. Most staff returning home continued to use their own personal devices and ill-secured home Wi-Fi networks. Many homes also use technology to control and monitor domestic appliances, which then also present tempting attack vectors for determined criminals.
    But while insisting staff use VPNs to access the corporate network and supplying them with dedicated devices for work use may offer the best solution in theory, companies also need to consider time and money concerns. It’s expensive to buy and maintain workstations and other devices for all the staff. Companies may also find it impractical to use multiple communications devices for those working in certain sectors, such as finance and tech where they need to contact important staff 24×7.
    So businesses need to update security protocols and install safeguards, and also educate the staff with access to the corporate network as to the true nature and pace of the ongoing war they are fighting with fast-growing ransomware groups in 2023.
    Shmuel Gihon, threat intelligence researcher, Cyberint



    source

  • Cybersecurity High-Risk Series: Challenges in Protecting Privacy … – Government Accountability Office

    Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.
    In this report, the last in a series of four, we cover the 2 actions related to Protecting Privacy and Sensitive Data:
    We’ve made 236 public recommendations in this area since 2010. Nearly 60% of those recommendations had not been implemented as of December 2022.
    Overview
    We have made 236 recommendations in public reports since 2010 with respect to protecting cyber critical infrastructure. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them. For more information on this report, visit https://www.gao.gov/cybersecurity.
    Improve Federal Efforts to Protect Privacy and Sensitive Data
    In September 2022, our review of 24 agencies found that most had generally established policies and procedures for key privacy program activities. These activities included, among other things, developing system-of-records notices that identify the types of personal data collected, conducting privacy impact assessments, and documenting privacy program plans. Agencies varied in establishing policies and procedures for coordinating privacy programs with other agency functions. Further, many agencies did not fully incorporate privacy into their risk management strategies, provide for privacy officials’ input into the authorization of systems containing personally identifiable information (PII), or develop a continuous monitoring strategy for privacy. Without fully establishing these elements of their privacy programs, agencies have less assurance that they are consistently implementing privacy protections.
    Extent to Which 24 Chief Financial Officers Act of 1990 Agencies Addressed Key Practices for Establishing a Privacy Program
    We recommended that Congress consider legislation to designate a dedicated, senior-level privacy official at agencies that lacked one. We also made recommendations to the Office of Management and Budget to facilitate information sharing to help agencies address selected challenges and better implement privacy impact assessments. Finally, we made recommendations to 23 of the 24 agencies we reviewed to fully implement all of the key practices for their privacy programs.
    Appropriately Limit the Collection and Use of Personal Information and Ensure that it is Obtained with Appropriate Knowledge or Consent
    In June 2021, we reported on the results of our survey of 42 federal agencies that employ law enforcement officers about their use of facial recognition technology. Twenty reported owning systems with facial recognition technology or using systems owned by other entities, such as other federal, tribal, state, local, and territorial governments and non-government entities.
    Types of Photos Used by Federal Agencies That Employ Law Enforcement Officers
    Agencies reported using the technology to support several activities (e.g., criminal investigations) and in response to COVID-19 (e.g., to verify an individual’s identity remotely). All 14 agencies that we reviewed reported using the technology to support criminal investigations also reported using systems owned by non-federal entities. However, only one of those 14 was aware of what non-federal systems employees used. By having a mechanism to track what non-federal systems employees use and assessing privacy and accuracy-related risks, agencies can better mitigate risks to themselves and the public.
    We recommended that 13 federal agencies implement a mechanism to track what non-federal systems with facial recognition technology employees use and assess the risks of using these systems.
    In January 2022, we reported that the five federal financial regulators we reviewed had built more than 100 information system applications that regularly collect and use extensive amounts of PII to fulfill their regulatory missions. These regulators collect PII directly from individuals and financial institutions and share it with entities such as banks or service providers, contractors and other third parties, and other federal and state regulators. Regulators use the PII to conduct supervisory examinations of financial institutions and to receive and respond to complaints or inquiries from customers.
    Collection, Use, and Sharing of Personally Identifiable Information (PII) at Selected Federal Financial Regulators
    We reported that the financial regulators we reviewed created privacy programs that generally take steps to protect PII in accordance with key practices in federal guidance. However, four of the regulators did not fully implement key practices in other privacy protection areas. For example, these regulators did not document steps taken to minimize the collection and use of PII. Until these regulators take steps to mitigate these weaknesses, the PII they collect, use, and share could be at increased risk of compromise.
    We made several recommendations that federal financial regulators better ensure the privacy of the PII that they collect, use, and share.
    For more information about this Snapshot, contact: Marisol Cruz Cain, Director, Information Technology & Cybersecurity, cruzcainm@gao.gov, (202) 512-5017.

    source

  • We are less than a year away from a cyber attack credited to ChatGPT | Cyber Security Hub – Cyber Security Hub

    ChatGPT has answers for almost everything, but there is one answer we may not know for a while: will its unintended consequences for cyber security turn this tool into a genie that its creators regret taking out of the bottle?
    BlackBerry surveyed 1,500 IT decision makers across North America, the UK and Australia and half (51 percent) predicted we are less than a year away from a cyber attack credited to ChatGPT. Three-quarters of respondents believe foreign states are already using ChatGPT for malicious purposes against other nations.
    The survey also exposed a perception that, while respondents see ChatGPT as being used for ‘good’ purposes, 73 percent acknowledge its potential threat to cyber security and are either ‘very’ or ‘fairly’ concerned, underlining that artificial intelligence (AI) is a double-edged sword.  
    The emergence of chatbots and AI-powered tools presents new challenges in cyber security, especially when such tools end up in the wrong hands. There are plenty of benefits to using this kind of advanced technology and we are just scratching the surface of its potential, but we also cannot ignore the ramifications. As the platform matures and hackers become more experienced, it will become more difficult to defend without also using AI to level the playing field.
    It is no surprise people with malicious intent are testing the waters, but over the course of this year I expect we shall see hackers get a better handle on how to use ChatGPT successfully for nefarious purposes.
    AI is fast-tracking practical knowledge mining, and the same is true for malware coders. The ever-evolving cyber security industry is often likened to a never-ending whack-a-mole game in which the bad guys emerge as quickly as they have been mitigated. In the past, these bad actors would rely on their own experience, forums and security researcher blog posts to understand different malicious techniques and then convert them into code. Programs like ChatGPT, however, have given them another arrow in their quiver, and they are testing its efficacy for wreaking digital havoc.
    AI can be used in several ways to carry out cyber attacks, for example automated scanning for vulnerabilities and trying out new attack techniques. Through AI, advanced persistent threats (APTs) can carry out highly targeted attacks to steal sensitive data or disrupt operations. APTs typically involve a sustained attack on a single organization and are often launched by nation-states or highly sophisticated threat actors.
    AI can also be used to create convincing phishing emails, text messages and social media posts to trick people into providing sensitive information or installing malware. AI generated deepfake videos can be used to impersonate officials or organizations in phishing attacks. It can be used to launch distributed denial of service (DDoS) attacks, which involve overwhelming an organization’s systems with traffic to disrupt operations, or be used to gain control over critical infrastructure, causing real-world damage.
    The growing use of AI in developing threats makes it even more critical to stay one step ahead by also using AI to proactively fight threats.
    Organizations need to continue to focus on improving prevention and detection, and this is a good opportunity to look at how to include more AI in different threat classification processes and cyber security strategies. 
    One of the key advantages of using AI in cyber security is its ability to analyze vast amounts of data in real time. The sheer volume of data generated by modern networks makes it impossible for humans to keep up. AI can process data much faster, making it more efficient at identifying threats.
    As cyber attacks become more severe and sophisticated and threat actors evolve their tactics, techniques, and procedures (TTPs), traditional security measures lose effectiveness. AI can learn from previous attacks and adapt its defenses, making it more resilient against future threats.
    AI can also be used to mitigate APTs, which are highly targeted and often difficult to detect, allowing organizations to identify threats before they cause significant damage. Using AI to automate repetitive tasks when it comes to security management also allows cyber security professionals to focus more on strategic tasks, such as threat hunting and incident response.
    In security, AI matters more than ever now that cyber criminals are using it to up their game. BlackBerry’s research reveals that the majority (82 percent) of IT decision-makers plan to invest in AI-driven cyber security in the next two years and almost half (48 percent) plan to invest before the end of 2023. This reflects the growing concern that signature-based protection solutions are no longer effective in providing cyber protection against an increasingly sophisticated threat.  
    IT decision makers are positive ChatGPT will enhance cyber security for business, but our survey also shows 85 percent of respondents believe governments have a moderate-to-high responsibility to regulate advanced technologies. 
    Both cyber professionals and hackers will continue to investigate how they can best use this technology and only time will tell whose is more effective. In the meantime, for those wishing to get ahead before it is too late it is time to put AI at the top of your cyber technology tools wish list and learn to fight fire with fire.  

    source