  • Economic pressures are increasing cybersecurity risks; a recession would amp them up more – CSO Online

    By Contributing writer, CSO
    Predictions on whether or when the global economy will fall into a recession continue to swirl. Even if one doesn’t hit anytime soon, economic volatility, more cautious corporate spending plans, and employee layoffs are already in play. For security chiefs, such news portends a tougher road ahead.
    CISOs have never had an easy time — they’ve certainly faced inordinate challenges in recent years working to secure an ever-expanding and more distributed technology and data landscape. At the same time, they’ve had to contend with bad actors who have become more organized, better resourced, and increasingly sophisticated. Yet history has shown that a poor economy can bring additional challenges and risks, making an already uphill battle even more difficult, and security leaders should be bracing for that scenario ahead.
    “There are heightened risks and hackers know how to take advantage of that,” says Matt Miller, principal of cybersecurity services at professional services firm KPMG.
    Some historical statistics give a sense of what could be in store. Law enforcement around the world reported a staggering spike in cybercrimes during the COVID-19 pandemic and the subsequent economic freefall, with INTERPOL Secretary General Jürgen Stock raising the alarm in a 2020 report saying “Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.”
    Going back further, FBI figures from the start of the Great Recession also show a spike upward as the economy tanked. The FBI’s Internet Crime Complaint Center (IC3) logged 336,655 online crime complaints in 2009, up 22.3% from 2008. With such past trends in mind, some are issuing warnings about what could happen in the future. “Hackers are going to take advantage of any time we have a porous attack surface,” says Karen Worstell, senior cybersecurity strategist and CxO security advisor for VMware.
    In a 2022 KPMG report on tech maturity and enterprise uncertainty, Prasad Jayaraman, principal of Cyber Security Services for KPMG in the US, issues an advisory about the increasing risks, saying: “From the Russian invasion of Ukraine to general COVID-19 disruption to widespread economic uncertainty, volatility — and therefore cyber risk and insecurity — has increased at the global level. Organizations have seen an increase in threats from bad actors in rogue states at a scale and complexity that can only happen through state sponsorship.”
    Meanwhile, the World Economic Forum’s 2023 global cybersecurity outlook found that 93% of cyber leaders and 86% of business leaders think it is “moderately likely” or “very likely” that global geopolitical instability will lead to a far-reaching, catastrophic cyber event in the next two years. And 80% of business executives responding to a February 2023 report on the cybersecurity workforce during a recession from certification association (ISC)² said they believe a weakening economy will increase cyber threats.
    Economic volatility creates a confluence of factors that can increase security risks while at the same time negatively impact defenses, according to security experts. “Do more attacks happen during a recession and difficult economic times? The short answer is yes. And the reasons why are complex,” says Sérgio Tenreiro de Magalhães, chair of cybersecurity programs at Champlain College Online.
    To start with, organizations themselves may be increasing risks with their responses to economic pressures. Surveys have found that CEOs globally are looking to contain costs and reduce discretionary spending, which can lead to security spending that is flat or fails to keep pace with inflation.
    Underfunding a department can have a cascading impact: business unit workers have less time for security training and are more likely to take shortcuts to get work done. Forced to do more with less, IT may stretch the life of legacy systems even longer and require more time to implement critical patches.
    Similarly, security teams may have less to invest in new technologies that could speed detection and response (times that are already long: a 2022 IBM report on the cost of breaches found that it took organizations on average 207 days to identify a breach and another 70 days to contain it). “You already probably didn’t have enough budget or enough people, so you’re really forcing yourself to do more with less again than you did in years past, and that’s a real challenge,” says Forrester analyst Jeff Pollard.
    Risk is typically heightened further by layoffs, and more of those are likely coming to the industry, according to the (ISC)² report, which found that 85% of responding executives believed layoffs will be necessary as the economy slows. “We know that layoffs or job losses are a predictor of insider risks, making it more likely for security events to occur. We have seen over the years that this has happened,” Pollard says.
    Pollard and others say layoffs usually increase insider incidents, which already account for 20% of global data breaches according to Verizon’s 2022 Data Breach Report, for several reasons. Laid-off workers — particularly those who work remotely at least part of the time, a number that has jumped significantly — may have corporate data on personal devices. And much of that data will likely remain with them on their devices if they get pink slips. “During the pandemic, data went to a lot of places. So, you’ve got this data distribution, and you have that data on devices you might not control,” Pollard says.
    At the same time, laid-off workers may be motivated by anger or their personal financial situations to strike back at their former employers. Even some remaining employees, who saw colleagues dismissed, may be motivated to take action. Furthermore, the damage they can inflict — either on their own or by selling information or access to a hacker group — can be significant, says Pete Nicoletti, field CISO for the Americas at Check Point Software. “If you want to sell out, you’re going to be able to sell out. It used to be hard, now it’s easy. In the past, you could take what you could carry in your briefcase. Today you can carry out terabytes. And if you’re in networking or [another technical role] with active directory access, you can do all kinds of crazy things,” he says.
    These dynamics come on top of an already record-high number of attacks. According to Check Point Research, the “global volume of cyberattacks reached an all-time high in Q4 with an average of 1168 weekly attacks per organization.” It also found that global cyberattacks increased by 38% in 2022, compared to 2021. “If we believe that layoffs and economic downturns increase insider threats, it would seem sensible that we would see an increase in hacker activity, too,” says (ISC)² CEO Clar Rosso.
    Despite expectations of heightened risk should the economy sputter, Rosso points to some hopeful signs for CISOs. She notes that the (ISC)² study of C-suite business leaders showed that executives aren’t inclined to cut cybersecurity staff. The study found that only “10% of respondents foresee reductions in cybersecurity teams, compared to an average of 20% in other areas.”
    The study further found that “once staff reductions are complete and organizations get ready to rehire personnel, cybersecurity workers are at the top of the list for re-investment.” However, CISOs shouldn’t rely on such encouraging reports to navigate the current economic uncertainty or any future economic volatility. Worstell says CISOs should instead double down on security strategy fundamentals: strengthening detection and response programs as well as patching programs, increasing training and awareness efforts, and shedding technical debt.
    “The difference between good security and outstanding security is ‘done’ and ‘done done,’ meaning it is tested and validated and proved. It means we have the evidence of it being done. It’s the difference between kind of locked down and proving it’s locked down,” Worstell explains.
    From there, she advises CISOs to ensure they’re prioritizing based on the organization’s current risks, updating the security strategy based on any changes that the enterprise has to make in response to the economy. She also advises focusing on account management and access control, ensuring appropriate levels of access and that access exists only for current, authorized employees.
    Security leaders say CISOs should also lean into the high level of support for cybersecurity that the (ISC)² report indicates, by being ready to communicate the value that security delivers and devising security strategies that enable both the organization’s overall agenda as well as the plans devised by individual departments.
    “That ability to communicate well,” Rosso adds, “will go really far in helping preserve the resources needed during an economic downturn.”
    Copyright © 2023 IDG Communications, Inc.

  • National level Hackathon 'KAVACH-2023' held to address cyber … – ANI News

    ANI | Updated: Feb 16, 2023 17:21 IST
    New Delhi [India], February 16 (ANI): Advancing India’s cyber-preparedness, KAVACH-2023, a national-level hackathon was launched on Thursday to identify innovative ideas and technological solutions for addressing the cyber security and cybercrime challenges of the 21st century.

    All India Council for Technical Education and the Bureau of Police Research and Development jointly launched the national-level Hackathon.

    While addressing the media, TG Sitharam, Chairman, All India Council for Technical Education (AICTE), said that KAVACH-2023 is a unique kind of national hackathon to identify innovative ideas and technological solutions for addressing the cyber security and cybercrime challenges of the 21st century faced by our law enforcement agencies and common citizens.

    Speaking on the occasion Balaji Srivastava, Director General, Bureau of Police Research and Development (BPR&D), said that it will be a 36-hour long event, during which youth from educational institutions across the country and registered start-ups will participate to find robust, secure and effective technological solutions for cyber security by using their technical expertise and innovative skills.

    “It will advance the blockage of cyber security crimes with robust system monitoring and safety provisions,” he added. (ANI)

    copyrights © aninews.in | All rights Reserved


  • Nearly 50 million Americans impacted by health data breaches in … – Chief Healthcare Executive

    The number of breaches dipped in the second half of the year, but the number of people affected rose sharply, according to a new report.
    Nearly 50 million Americans were affected by data breaches involving health records in 2022.
    That’s the disturbing figure from a new analysis released Wednesday by Critical Insight, a cybersecurity company.
    The number of breaches actually dropped in the second half of 2022, the report found. There were 313 breaches from July through December, down from 345 in the first half of the year, a 9% decline.
    However, even as the number of breaches dropped, more individuals were affected by those breaches in the latter part of the year.
    There were 28.5 million Americans affected by breaches in the second half of 2022, compared to 21.1 million during the first six months of the year, which represents a 35% increase. In the last six months of the year, the average health data breach affected more than 91,000 individuals.
    Health systems still have a lot of work to do to protect patient records from cyberattacks, said John Delano, a co-author of the report and the vice president of ministry and support services at CHRISTUS Health.
    “We feel like we've made some progress, because overall, the breach numbers are down,” he said. “But realistically, when you look at it, the number of records affected are up. And so that, to me, is the bigger problem.”
    There were 658 breaches in 2022, down from 711 in 2021. The report found that 49.6 million Americans were affected by breaches in 2022, which actually represents a drop from 53.4 million in 2021.
    Still, the impact of breaches has grown substantially in recent years. In 2020, 34.4 million Americans saw private information exposed in breaches. There were 662 breaches in 2020, which is virtually the same number as in 2022, but last year’s attacks and breaches affected 15 million more people.
    More sophisticated attacks
    Attackers are starting to shift some of their efforts to gain access to health records. While criminals are targeting hospitals and healthcare providers, they are also gaining access by going after the other businesses health systems rely on every day, including third-party vendors, accounting, billing and lawyers.
    In the second half of the year, more records were exposed due to breaches occurring at business associates (48%) than at healthcare providers (47%).
    Over the course of 2022, 71% of all health data breaches occurred in healthcare providers, while 17% of breaches were linked to business associates, and 12% of breaches came from health plans, according to the report.
    Delano said healthcare organizations are paying more attention to the security of data being handled by third-party vendors and other business associates, and they are spelling out legal requirements to protect that patient information. But it’s a difficult task.
    “It's hard for organizations, because we deal with a lot of third parties, we deal with a lot of business associates, and having the bandwidth to be able to periodically check in on them and make sure that they're treating your data the way you would treat it, becomes very difficult. And that's hard to maintain,” Delano said.
    Attackers did their most damage by obtaining records from network servers, according to the report.
    “Network servers were the jackpot for hackers,” accounting for 90% of the records that were breached, according to the report.
    Attackers are apparently finding more success in gaining access to electronic medical records, the report states. While breaches involving electronic medical records were nonexistent in the past, the report said 7% of breaches involved EMRs in the first half of the year, and 4% of breaches in the last six months of 2022. For the year, 6 million patient records were exposed due to EMR-related breaches, according to the report.
    “When you've got a database of records that could span 10 or 15 years, you're going to have a lot of patients that are impacted,” Delano said.
    Some breaches are becoming more damaging because attackers are getting more sophisticated.
    In the past, health systems built defenses against “script kiddies, people that just kind of Googled how to hack something, and they're looking for commonly known vulnerabilities, but they don't really know what they're doing,” Delano said.
    Now, Delano said, “They're more sophisticated. And so, that is becoming a challenge, because it used to just be that you had to protect from some common known stuff, and now people are actually doing real hacking.”
    Among the larger breaches of the year, CommonSpirit Health suffered a ransomware attack that impacted 600,000 patient records, the report noted. The system took its electronic medical records offline and had to reschedule some patient appointments.
    Health systems still continue to see breaches occurring through email. In the second half of 2022, 20% of breaches occurred via email, which was down from 30% in the first half of the year.
    “A lot of organizations do phishing campaigns, and I think that's helped,” Delano said. “Although phishing campaigns are getting more sophisticated as well. It used to be pretty easy to spot one now. Now it's a lot more difficult.”
    ‘You can’t do nothing’
    Healthcare leaders need to be engaged in helping their systems improve their cybersecurity, Delano said.
    “You can't make excuses,” he said. “You can't do nothing. So, start talking to your board, if you're not talking to your board, about the challenges, about the concerns. Make sure that your executives are aware of the challenges, aware of the threats. And, you know, don't sit on the sidelines.”
    Ransomware attacks continue to frustrate hospitals and health systems. In a recent survey of healthcare IT professionals by the Ponemon Institute, nearly half (47%) said their organizations experienced a ransomware attack in the past two years. More IT professionals are saying the attacks led to complications in patient care, with 45% reporting complications from medical procedures due to ransomware attacks, up from 36% in 2021.
    Regal Medical Group, based in California, said last week that a ransomware cyberattack exposed patient information. More than 3 million people could have been affected, according to a database of breaches kept by the U.S. Department of Health & Human Services.
    Delano said he was encouraged by the recent success of the FBI in disrupting the Hive ransomware gang, which has targeted hospitals and health systems. The Justice Department said last month that the FBI managed to penetrate Hive’s systems and thwart up to $130 million in ransom demands.
    “Certainly a small healthcare organization’s not going to have the resources to combat that,” Delano said. “So getting the DOJ or the FBI involved, and helping to kind of work some of these gangs or criminal activity that's happening out there, is a benefit to everyone.”


  • The cybersecurity industry is short 3.4 million workers—that's good … – Fortune

    The cybersecurity workforce has reached an all-time high, with an estimated 4.7 million professionals, but there’s still a global shortage of 3.4 million workers in this field, according to the 2022 (ISC)2 Cybersecurity Workforce Study released Thursday. And that shortage persists, despite the addition of 464,000 more cybersecurity positions this year, the report found. In the U.S. alone, there are more than 700,000 unfilled cybersecurity jobs, data from Cybersecurity Ventures shows.
    As the need for cybersecurity talent grows, wages and other benefits should follow. Currently, the median salary for cybersecurity professionals in the U.S. is $135,000, according to (ISC)2. The study also shows that 27% of cybersecurity professionals enter the industry for the potential of high salaries and strong compensation packages. 
    “Cybersecurity salaries appear to be driven by several factors, including years of experience, sector employed, certifications attained and even geographic location like large concentrations of professionals in areas with high costs of living like Washington D.C. Scarcity of talent is most likely a driver as well,” Clar Rosso, CEO of (ISC)2, tells Fortune. “The good news for new people entering the field is that salaries remain strong.”
    In addition to the growing talent gap, there’s another dynamic at play in cybersecurity: the number of cybersecurity attacks companies are facing each year is growing. Between 2020 and 2021, the average number of cybersecurity attacks per year rose 31%, to 270 attacks, according to Accenture’s State of Cybersecurity Report 2021. Companies, on average, fell victim to 29 attacks last year. Cyber attacks have also been more prevalent recently in a year of “geo-political and macroeconomic turbulence,” according to the (ISC)2 study. One of the major events was the Russian cyberattacks on the Ukrainian government at the beginning of the war.
    “The modern cybersecurity landscape has galvanized passion and persistence within its workforce—which continues to change and evolve with the world around it,” reads the (ISC)2 study. “The global cybersecurity workforce is growing, but so is the gap in professionals needed to carry out its critical mission.”
    Cybersecurity workers know they’re in high demand. Nearly 70% of these workers feel as if their organization doesn’t have enough cybersecurity staff to be effective, the (ISC)2 study shows, and more than half of the employees at organizations with workforce shortages see their company as being at moderate or extreme risk of a cyberattack.
    Attracting and retaining top cybersecurity talent requires collaboration among departments, Rosso says. Frequent communication between cybersecurity managers and human resources can help when it comes to figuring out what works and what doesn’t when trying to recruit cybersecurity workers. 
    “Collaboration between HR and cybersecurity hiring managers is key to attracting and retaining talent,” Rosso says. “HR professionals should have regular check-ins with cybersecurity hiring managers to discuss and co-develop job descriptions to ensure they are realistic, achievable and can attract the right talent rather than be an obstacle.”
    Part of attracting and retaining top cybersecurity talent is finding the right amount to pay people. Reports from industry leaders show that cybersecurity wages continue to grow year-over-year. Between 2020 and 2021, some cybersecurity salaries jumped by more than 16%, to well over the six-figure mark, according to a 2021 report from Dice, a tech recruiting platform.
    Another key benefit for cybersecurity workers is access to continuing education and certifications. In fact, more than 60% of cybersecurity workers seek new certifications for skills growth and to stay current with security trends, the (ISC)2 study shows.
    “Professionals are saying loud and clear that corporate culture, experience, training and education investment and mentorship are paramount to keeping your team motivated, engaged and effective,” Rosso says. “Team members of different ages and experience levels need different levels of support from their organizations. Success here means investing in education, professional development, mentorships, flexible work arrangements, and career pathing.”
    A good starting place for organizations looking to jumpstart their cybersecurity education efforts is to encourage employees to pursue new certifications and trainings, Rosso adds. 
    “In addition to helping encourage employees to invest in educational resources, organizations should recognize these achievements as it helps to keep people engaged for the long term,” she adds.

  • CISA Red Team Shares Key Findings to Improve Monitoring and … – CISA

    The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment, in coordination with the assessed organization, to provide network defenders recommendations for improving their organization’s cyber posture.
    Actions to take today to harden your local environment:
    In 2022, CISA conducted a red team assessment (RTA) at the request of a large critical infrastructure organization with multiple geographically separated sites. The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs). Multifactor authentication (MFA) prompts prevented the team from achieving access to one SBS, and the team was unable to complete its viable plan to compromise a second SBS within the assessment period.
    Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response.
    CISA is releasing this CSA detailing the red team’s tactics, techniques, and procedures (TTPs) and key findings to provide network defenders of critical infrastructure organizations proactive steps to reduce the threat of similar activity from malicious cyber actors. This CSA highlights the importance of collecting and monitoring logs for unusual activity as well as continuous testing and exercises to ensure your organization’s environment is not vulnerable to compromise, regardless of the maturity of its cyber posture.
    CISA encourages critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA—including conducting regular testing within their security operations center—to ensure security processes and procedures are up to date, effective, and enable timely detection and mitigation of malicious activity.
    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See the appendix for a table of the red team’s activity mapped to MITRE ATT&CK tactics and techniques.
    CISA has authority to, upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to Federal and non-Federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6].) After receiving a request for a red team assessment (RTA) from an organization and coordinating some high-level details of the engagement with certain personnel at the organization, CISA conducted the RTA over a three-month period in 2022.
    During RTAs, a CISA red team emulates cyber threat actors to assess an organization’s cyber detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network while avoiding detection and evading defenses. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, or technology.
    The “victim” for this assessment was a large organization with multiple geographically separated sites throughout the United States. For this assessment, the red team’s goal during Phase I was to gain access to certain sensitive business systems (SBSs).
    The organization’s network was segmented with both logical and geographical boundaries. CISA’s red team gained initial access to two organization workstations at separate sites via spearphishing emails. After gaining access and leveraging Active Directory (AD) data, the team gained persistent access to a third host via spearphishing emails. From that host, the team moved laterally to a misconfigured server, from which they compromised the domain controller (DC). They then used forged credentials to move to multiple hosts across different sites in the environment and eventually gained root access to all workstations connected to the organization’s mobile device management (MDM) server. The team used this root access to move laterally to SBS-connected workstations. However, a multifactor authentication (MFA) prompt prevented the team from achieving access to one SBS, and Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS.
    The CISA red team gained initial access [TA0001] to two workstations at geographically separated sites (Site 1 and Site 2) via spearphishing emails. The team first conducted open-source research [TA0043] to identify potential targets for spearphishing. Specifically, the team looked for email addresses [T1589.002] as well as names [T1589.003] that could be used to derive email addresses based on the team’s identification of the email naming scheme. The red team sent tailored spearphishing emails to seven targets using commercially available email platforms [T1585.002]. The team used the logging and tracking features of one of the platforms to analyze the organization’s email filtering defenses and confirm the emails had reached the target’s inbox.
    The team built a rapport with some targeted individuals through emails, eventually leading these individuals to accept a virtual meeting invite. The meeting invite took them to a red team-controlled domain [T1566.002] with a button, which, when clicked, downloaded a “malicious” ISO file [T1204]. After the download, another button appeared, which, when clicked, executed the file.
    Two of the seven targets responded to the phishing attempt, giving the red team access to a workstation at Site 1 (Workstation 1) and a workstation at Site 2. On Workstation 1, the team leveraged a modified SharpHound collector, ldapsearch, and command-line tool, dsquery, to query and scrape AD information, including AD users [T1087.002], computers [T1018], groups [T1069.002], access control lists (ACLs), organizational units (OU), and group policy objects (GPOs) [T1615]. Note: SharpHound is a BloodHound collector, an open-source AD reconnaissance tool. Bloodhound has multiple collectors that assist with information querying.
    There were 52 hosts in the AD that had Unconstrained Delegation enabled and a lastLogonTimestamp within 30 days of the query. Hosts with Unconstrained Delegation enabled store the Kerberos ticket-granting tickets (TGTs) of all users that have authenticated to that host. Many of these hosts, including a Site 1 SharePoint server, were running Windows Server 2012 R2. The default configuration of Windows Server 2012 R2 allows unprivileged users to query the membership of local administrator groups.
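    The two conditions in the paragraph above (the Unconstrained Delegation flag plus a recent logon) are a query a defender can run on a schedule rather than wait for a red team to run it. The following Python script is an added example and not code from the advisory or from CISA: it evaluates both conditions over computer objects exported from LDAP, testing the TRUSTED_FOR_DELEGATION bit of userAccountControl and a lastLogonTimestamp inside a 30-day window, and excludes domain controllers, which hold that bit by design and are reviewed separately. The host records are constructed sample data; the hostnames and the reference date are assumptions.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented by Microsoft for AD computer accounts.
TRUSTED_FOR_DELEGATION = 0x80000     # "Trust this computer for delegation to any service" (unconstrained)
SERVER_TRUST_ACCOUNT = 0x2000        # set on domain controller computer accounts
WORKSTATION_TRUST_ACCOUNT = 0x1000   # set on member server and workstation computer accounts

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer (as stored in lastLogonTimestamp) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def find_unconstrained_delegation(hosts, now, max_age_days=30):
    """Return (sAMAccountName, operatingSystem, last_logon) for every active, non-DC host
    whose computer account is trusted for unconstrained delegation."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for h in hosts:
        uac = int(h["userAccountControl"])
        if not uac & TRUSTED_FOR_DELEGATION:
            continue                      # constrained or no delegation: not in scope
        if uac & SERVER_TRUST_ACCOUNT:
            continue                      # domain controllers are unconstrained by design
        last_logon = filetime_to_datetime(int(h["lastLogonTimestamp"]))
        if last_logon < cutoff:
            continue                      # stale account; still worth cleaning up, but not active
        findings.append((h["sAMAccountName"], h.get("operatingSystem", "unknown"), last_logon))
    return findings


# Assumed reference time for the constructed sample below.
NOW = datetime(2023, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample records with the attributes an LDAP export of computer objects would carry.
# In practice the candidate set comes from the bitwise-AND matching-rule filter
#   (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))
SAMPLE_HOSTS = [
    {"sAMAccountName": "SP01$", "operatingSystem": "Windows Server 2012 R2 Standard",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "DC01$", "operatingSystem": "Windows Server 2019 Standard",
     "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(hours=6))},
    {"sAMAccountName": "OLDAPP01$", "operatingSystem": "Windows Server 2008 R2 Standard",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "FS01$", "operatingSystem": "Windows Server 2019 Standard",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=1))},
]

if __name__ == "__main__":
    for name, os_name, last in find_unconstrained_delegation(SAMPLE_HOSTS, NOW):
        print(f"{name:12} {os_name:36} last logon {last:%Y-%m-%d}")
```

    Because lastLogonTimestamp is replicated with a lag of up to 14 days, the 30-day window is approximate; the stale hosts the script skips still deserve review, since a dormant server with this flag becomes exploitable the moment it is powered on again.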
    The red team queried the parsed BloodHound data for members of the SharePoint admin group and identified several standard user accounts with administrative access. The team initiated a second spearphishing campaign, similar to the first, to target these users. One user triggered the red team’s payload, which installed a persistent beacon on the user’s workstation (Workstation 2), giving the team persistent access to Workstation 2.
    The red team moved laterally [TA0008] from Workstation 2 to the Site 1 SharePoint server and obtained SYSTEM-level access to it; the server had Unconstrained Delegation enabled. They used this access to obtain the cached credentials of all logged-in users—including the New Technology Local Area Network Manager (NTLM) hash for the SharePoint server account. To obtain the credentials, the team took a snapshot of lsass.exe [T1003.001] with a tool called nanodump, exported the output, and processed it offline with Mimikatz.
    The team then exploited the Unconstrained Delegation misconfiguration to steal the DC’s TGT. They ran the DFSCoerce Python script (DFSCoerce.py), which prompted the DC to authenticate to the SharePoint server using the server’s NTLM hash. The team then deployed Rubeus to capture the incoming DC TGT [T1550.002], [T1557.001]. (DFSCoerce abuses Microsoft’s Distributed File System [MS-DFSNM] protocol to relay authentication against an arbitrary server.[1])
    The team then used the TGT to harvest Advanced Encryption Standard (AES)-256 hashes via DCSync [T1003.006] for the krbtgt account and several privileged accounts—including domain admins, workstation admins, and a System Center Configuration Manager (SCCM) service account (SCCM Account 1). The team used the krbtgt account hash throughout the rest of their assessment to perform golden ticket attacks [T1558.001], in which they forged legitimate TGTs. The team also used the asktgt command to impersonate accounts they had credentials for by requesting TGTs for those accounts [T1550.003].
    The team first impersonated the SCCM Account 1 and moved laterally to a Site 1 SCCM distribution point (DP) server (SCCM Server 1) that had direct network access to Workstation 2. The team then moved from SCCM Server 1 to a central SCCM server (SCCM Server 2) at a third site (Site 3). Specifically, the team:
    The team also moved from SCCM Server 1 to a Site 1 workstation (Workstation 3) on which a server administrator had an active session. The team impersonated an administrative service account via a golden ticket attack (from SCCM Server 1); the account had administrative privileges on Workstation 3. The server administrator used a KeePass password manager, which stored credentials in a database file. The red team pulled the decryption key from memory using KeeThief and used it to unlock the database [T1555.005], obtaining passwords for other internal websites, a kernel-based virtual machine (KVM) server, virtual private network (VPN) endpoints, firewalls, and another KeePass database containing further credentials.
    At the organization’s request, the red team confirmed that SCCM Server 2 provided access to the organization’s sites because firewall rules allowed SMB traffic to SCCM servers at all other sites.
    The team moved laterally from SCCM Server 2 to an SCCM DP server at Site 5 and from SCCM Server 1 to hosts at two other sites (Sites 4 and 6). The team installed persistent beacons at each of these sites. Site 5 was divided into a private and a public subnet, and only DCs were able to cross that boundary. To move between the subnets, the team moved through DCs: specifically, from the Site 5 SCCM DP server to a public DC, and then from the public DC to the private DC. The team was then able to move from the private DC to workstations in the private subnet.
    The team leveraged the access available from SCCM Server 2 to move around the organization’s network for post-exploitation activities (see the Post-Exploitation Activity section).
    See Figure 1 for a timeline of the red team’s initial access and lateral movement showing key access points.
    While traversing the network, the team varied their lateral movement techniques both to evade detection and to cope with the organization’s non-uniform firewalls between sites and within sites (within a site, firewalls were configured per subnet). The team’s primary methods to move between sites were AppDomainManager hijacking and dynamic-link library (DLL) hijacking [T1574.001]. In some instances, they used Windows Management Instrumentation (WMI) Event Subscriptions [T1546.003].
    The team impersonated several accounts to evade detection while moving. When possible, the team remotely enumerated the local administrators group on target hosts to find a valid user account. This technique relies on anonymous SMB pipe binds [T1071], which are disabled by default starting with Windows Server 2016. In other cases, the team attempted to determine valid accounts based on group name and purpose. If the team had previously acquired the credentials, they used asktgt to impersonate the account. If the team did not have the credentials, they used the golden ticket attack to forge a ticket for the account.
    With persistent, deep access established across the organization’s networks and subnetworks, the red team began post-exploitation activities and attempted to access SBSs. Trusted agents of the organization tasked the team with gaining access to two specialized servers (SBS 1 and SBS 2). The team achieved root access to three SBS-adjacent workstations but was unable to move laterally to the SBS servers:
    However, the team assesses that by using Secure Shell (SSH) session socket files (see below), they could have accessed any hosts available to the users whose workstations were compromised.
    Conducting open-source research [T1591.001], the team identified that SBS 1 and SBS 2 assets and their associated management/upkeep staff were located at Sites 5 and 6, respectively. Combining this discovery with previously collected AD data, the team was able to identify a specific SBS 1 admin account. The team planned to use the organization’s mobile device management (MDM) software to move laterally to the SBS 1 administrator’s workstation and, from there, pivot to SBS 1 assets.
    The team identified the organization’s MDM vendor using open-source and AD information [T1590.006] and moved laterally to an MDM distribution point server at Site 5 (MDM DP 1). This server contained backups of the MDM MySQL database on its D: drive in the Backup directory. The backups included the encryption key needed to decrypt any encrypted values, such as SSH passwords [T1552]. The database backup identified both the user of the SBS 1 administrator account (USER 2) and the user’s workstation (Workstation 4), which the MDM software remotely administered.
    The team moved laterally to an MDM server (MDM 1) at Site 3, searched files on the server, and found plaintext credentials [T1552.001] for an application programming interface (API) user account stored in PowerShell scripts. The team attempted to use these credentials at the web login page of the MDM vendor but were unable to do so because the website redirected to an organization-controlled single sign-on (SSO) authentication page.
    The team gained root access to workstations connected to MDM 1—specifically, the team accessed Workstation 4—by:
    While interacting with Workstation 4, the team found an open SSH socket file and a corresponding netstat connection to a host that the team identified as a bastion host from architecture documentation found on Workstation 4. The team planned to move from Workstation 4 to the bastion host and on to SBS 1. Note: An SSH socket file allows a user to open multiple SSH sessions through a single, already authenticated SSH connection without additional authentication.
    The team could not take advantage of the open SSH socket. Instead, they searched through SBS 1 architecture diagrams and documentation on Workstation 4. They found a security operations (SecOps) network diagram detailing the network boundaries between Site 5 SecOps on-premises systems, Site 5 non-SecOps on-premises systems, and Site 5 SecOps cloud infrastructure. The documentation listed the SecOps cloud infrastructure IP ranges [T1580]. These “trusted” IP addresses were a public /16 subnet; the team was able to request a public IP in that range from the same cloud provider, and Workstation 4 made successful outbound SSH connections to this cloud infrastructure. The team intended to use that connection to reverse tunnel traffic back to the workstation and then access the bastion host via the open SSH socket file. However, Phase I ended before they were able to implement this plan.
    Conducting open-source research, the team identified an organizational branch [T1591] that likely had access to SBS 2. The team queried the AD to identify the branch’s users and administrators. The team gathered a list of potential accounts, from which they identified administrators, such as SYSTEMS ADMIN or DATA SYSTEMS ADMINISTRATOR, with technical roles. Using their access to the MDM MySQL database, the team queried potential targets to (1) determine the target’s last contact time with the MDM and (2) ensure any policy targeting the target’s workstation would run relatively quickly [T1596.005]. Using the same methodology as described by the steps in the Plan for Potential Access to SBS 1 section above, the team gained interactive root access to two Site 6 SBS 2-connected workstations: a software engineering workstation (Workstation 5) and a user administrator workstation (Workstation 6).
    The Workstation 5 user’s bash history files contained what appeared to be SSH passwords that had been mistyped into the bash prompt and saved in the history [T1552.003]. The team then attempted to authenticate to SBS 2 using a tunnel setup similar to the one described in the Access to SBS 1 section above and the potential credentials from the user’s bash history file. However, this attempt was unsuccessful for unknown reasons.
    On Workstation 6, the team found a .txt file containing plaintext credentials for the user. Using the pattern discovered in these credentials, the team was able to crack the user’s workstation account password [T1110.002]. The team also discovered potential passwords and SSH connection commands in the user’s bash history. Using a similar tunnel setup described above, the team attempted to log into SBS 2. However, a prompt for an MFA passcode blocked this attempt.
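    The two preceding paragraphs describe credentials recovered from shell history (T1552.003): passwords mistyped at the prompt and SSH connection commands carrying secrets. As an added defensive example, not part of the CISA advisory, the Python script below audits a bash history file for both exposure patterns so that the owner can rotate the affected credentials and clear the file. It flags secrets passed inline to common tools and a bare token typed on the line after a command that would normally prompt for a password. The sample history, the tool patterns and the heuristic thresholds are constructed for the example.

```python
import re

# Tools that accept a secret on the command line; group 1 of each pattern is the secret itself.
INLINE_SECRET_PATTERNS = [
    (re.compile(r"\bsshpass\s+-p\s*(\S+)"), "sshpass -p with inline password"),
    (re.compile(r"\bmysql\b.*\s-p(\S+)"), "mysql -p<password> with inline password"),
    (re.compile(r"\bcurl\b.*\s-u\s+[^:\s]+:(\S+)"), "curl -u user:password"),
    (re.compile(r"\b[A-Z_]*(?:PASS|PASSWORD|SECRET|TOKEN)[A-Z_]*=(\S+)"),
     "secret assigned to an environment variable"),
]

# Commands that prompt for a password interactively. A lone token on the next history line
# is the signature of a password typed after the prompt timed out or was dismissed.
AUTH_PROMPTING = re.compile(r"^\s*(ssh|scp|sftp|sudo|su|mysql|psql)\b")

# Short commands a user plausibly types right after ssh; never treated as secrets.
COMMON_COMMANDS = {"ls", "cd", "pwd", "exit", "clear", "cat", "vim", "vi", "nano",
                   "git", "history", "top", "htop", "logout"}


def looks_like_mistyped_password(line):
    """Heuristic (assumed thresholds): one token, 8+ chars, with at least one digit or symbol."""
    token = line.strip()
    if not token or " " in token or token in COMMON_COMMANDS:
        return False
    return len(token) >= 8 and any(c.isdigit() or not c.isalnum() for c in token)


def redact(secret):
    """Keep two characters so the owner can recognise the credential without re-exposing it."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_history(lines):
    findings = []
    prev_prompting = False
    for n, line in enumerate(lines, start=1):
        for pattern, reason in INLINE_SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"line": n, "reason": reason, "value": redact(m.group(1))})
                break
        else:
            if prev_prompting and looks_like_mistyped_password(line):
                findings.append({"line": n,
                                 "reason": "possible password typed after a prompting command",
                                 "value": redact(line.strip())})
        prev_prompting = bool(AUTH_PROMPTING.match(line))
    return findings


# Constructed sample history; every host, user and secret below is invented.
SAMPLE_HISTORY = """ssh admin@bastion.example.internal
Summ3r!2022
ls -la
sshpass -p 'Hunter2!' ssh deploy@10.0.5.20
export DB_PASSWORD=s3cr3t
cd /var/log
mysql -u root -pR00tpw inventory
git status"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY.splitlines()):
        print(f"line {f['line']:>3}: {f['reason']} ({f['value']})")
```

    Run against a real file with `scan_history(open(path).read().splitlines())`; the report deliberately contains only redacted values, so it can be handed to the account owner or attached to a ticket without itself becoming another copy of the credential.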
    See Figure 2 for a timeline of the team’s post-exploitation activity, including key points of access.
    The team used third-party owned and operated infrastructure and services [T1583] throughout their assessment, including in certain cases for command and control (C2) [TA0011]. These included:
    The red team executed 13 measurable events designed to provoke a response from the people, processes, and technology defending the organization’s network. See Table 1 for a description of the events, the expected network defender activity, and the organization’s actual response.
    Measurable Event | Description | MITRE ATT&CK Technique(s) | Expected Detection Points | Expected Network Defender Reactions | Reported Reactions
    --- | --- | --- | --- | --- | ---
    Internal Port Scan | Launch scan from inside the network from a previously gained workstation to enumerate ports on target workstation, server, and domain controller system(s). | | | | None
    Comprehensive Active Directory and Host Enumeration | Perform AD enumeration by querying all domain objects from the DC, and enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer (Workstation and Server). | | | | Collection process stopped before completion. Host isolated and sent for forensics.
    Data Exfiltration—1 GB of Data | Send a large amount (1 GB) of mock sensitive information to an external system over various protocols, including ICMP, DNS, FTP, and/or HTTP/S. | | | | None
    Malicious Traffic Generation—Workstation to External Host | Establish a session that originates from a target Workstation system directly to an external host over a clear text protocol, such as HTTP. | | | | None
    Active Directory Account Lockout | Lock out several administrative AD accounts. | | | Develop response plan | None
    Local Admin User Account Creation (workstation) | Create a local administrator account on a target workstation system. | | | | None
    Local Admin User Account Creation (server) | Create a local administrator account on a target server system. | | | | None
    Active Directory Account Creation | Create AD accounts and add them to the domain admins group. | | | | None
    Workstation Admin Lateral Movement—Workstation to Workstation | Use a previously compromised workstation admin account to upload and execute a payload via SMB and Windows Service Creation, respectively, on several target Workstations. | | | | None
    Domain Admin Lateral Movement—Workstation to Domain Controller | Use a previously compromised domain admin account to upload and execute a payload via SMB and Windows Service Creation, respectively, on a target DC. | | | | None
    Malicious Traffic Generation—Domain Controller to External Host | Establish a session that originates from a target Domain Controller system directly to an external host over a clear text protocol, such as HTTP. | | | Develop response plan | None
    Trigger Host-Based Protection—Domain Controller | Upload and execute a well-known (e.g., with a signature) malicious file to a target DC system to generate host-based alerts. | | | | Malicious file was removed by antivirus
    Ransomware Simulation | Execute simulated ransomware on multiple Workstation systems to simulate a ransomware attack. Note: This technique does NOT encrypt files on the target system. | | | N/A | Four users reported event to defensive staff
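    Most of the events in Table 1 drew no reported reaction, yet several leave unambiguous records in the Windows event logs. As an added example, not part of the advisory or of any CISA tool, the Python below implements four of the table’s events as detection rules over normalized event records: account creation (Security event 4720), additions to privileged groups (4728 for domain groups, 4732 for local groups), installation of a new service on a domain controller (System event 7045, the artifact left by payload execution via Windows Service Creation), and a burst of administrative account lockouts (4740). The event records, hostnames, account names and thresholds are all constructed; field names follow the Windows event schema (SubjectUserName, TargetUserName, MemberName), and the list of privileged groups and the set of domain controllers are assumptions to be replaced per environment.

```python
from datetime import datetime, timedelta

# Assumed environment-specific settings.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
DOMAIN_CONTROLLERS = {"DC01"}
LOCKOUT_THRESHOLD = 3                 # distinct accounts locked out ...
LOCKOUT_WINDOW = timedelta(minutes=10)  # ... within this window = one burst alert


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _lockout_bursts(lockouts):
    """Emit one alert per cluster of >= LOCKOUT_THRESHOLD distinct accounts locked out
    within LOCKOUT_WINDOW. `lockouts` must already be sorted by time."""
    alerts = []
    i = 0
    while i < len(lockouts):
        start = _ts(lockouts[i])
        accounts = {lockouts[i]["TargetUserName"]}
        j = i + 1
        while j < len(lockouts) and _ts(lockouts[j]) - start <= LOCKOUT_WINDOW:
            accounts.add(lockouts[j]["TargetUserName"])
            j += 1
        if len(accounts) >= LOCKOUT_THRESHOLD:
            alerts.append(("account_lockout_burst", lockouts[i]["Computer"],
                           f"{len(accounts)} accounts locked out within "
                           f"{LOCKOUT_WINDOW}: {sorted(accounts)}"))
            i = j                       # events in this burst are already reported
        else:
            i += 1
    return alerts


def detect(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return (rule, host, detail) tuples for the events in time order."""
    alerts = []
    lockouts = []
    for e in sorted(events, key=_ts):
        eid = e["EventID"]
        if eid == 4720:                 # Security: a user account was created
            alerts.append(("account_created", e["Computer"],
                           f"{e['SubjectUserName']} created account {e['TargetUserName']}"))
        elif eid in (4728, 4732) and e["TargetUserName"] in PRIVILEGED_GROUPS:
            # Security: member added to a security-enabled global (4728) or local (4732) group
            alerts.append(("privileged_group_add", e["Computer"],
                           f"{e['SubjectUserName']} added {e['MemberName']} to {e['TargetUserName']}"))
        elif eid == 7045 and e["Computer"] in domain_controllers:
            # System: Service Control Manager installed a service; on a DC this is rare and high-value
            alerts.append(("service_installed_on_dc", e["Computer"],
                           f"service {e['ServiceName']} -> {e['ImagePath']}"))
        elif eid == 4740:               # Security: a user account was locked out
            lockouts.append(e)
    alerts.extend(_lockout_bursts(lockouts))
    return alerts


# Constructed sample records, normalized from the Security and System logs.
SAMPLE_EVENTS = [
    {"TimeCreated": "2023-01-20T14:02:11", "EventID": 4720, "Computer": "WS07",
     "SubjectUserName": "svc_sccm", "TargetUserName": "helpdesk2"},
    {"TimeCreated": "2023-01-20T14:05:40", "EventID": 4728, "Computer": "DC01",
     "SubjectUserName": "svc_sccm", "TargetUserName": "Domain Admins",
     "MemberName": "CN=helpdesk2,CN=Users,DC=corp,DC=example"},
    {"TimeCreated": "2023-01-20T14:06:02", "EventID": 4732, "Computer": "WS07",
     "SubjectUserName": "jdoe", "TargetUserName": "Remote Desktop Users", "MemberName": "CORP\\jdoe"},
    {"TimeCreated": "2023-01-20T14:09:15", "EventID": 7045, "Computer": "DC01",
     "ServiceName": "a8f1c2", "ImagePath": "C:\\Windows\\Temp\\a8f1c2.exe"},
    {"TimeCreated": "2023-01-20T14:09:50", "EventID": 7045, "Computer": "WS07",
     "ServiceName": "VendorHelper", "ImagePath": "C:\\Program Files\\Vendor\\helper.exe"},
    {"TimeCreated": "2023-01-20T15:00:01", "EventID": 4740, "Computer": "DC01", "TargetUserName": "adm.alice"},
    {"TimeCreated": "2023-01-20T15:01:12", "EventID": 4740, "Computer": "DC01", "TargetUserName": "adm.bob"},
    {"TimeCreated": "2023-01-20T15:03:45", "EventID": 4740, "Computer": "DC01", "TargetUserName": "adm.carol"},
    {"TimeCreated": "2023-01-20T18:30:00", "EventID": 4740, "Computer": "DC01", "TargetUserName": "adm.alice"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {host:6} {detail}")
```

    The 4732 addition to Remote Desktop Users and the 7045 on a workstation are deliberately left unalerted to show where the rules draw their line; in a fleet with change control, both would typically be compared against an approved-change list instead of ignored. The single late-evening lockout stays below the burst threshold, which is the distinction between a user mistyping a password and an actor cycling through admin accounts.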
    The red team noted the following key issues relevant to the security of the organization’s network. These findings contributed to the team’s ability to gain persistent, undetected access across the organization’s sites. See the Mitigations section for recommendations on how to mitigate these issues.
    The team noted the following additional issues.
    The red team noted the following technical controls or defensive measures that prevented or hampered offensive actions:
    CISA recommends organizations implement the recommendations in Table 2 to mitigate the issues listed in the Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
    Issue | Recommendation
    --- | ---
    Insufficient host and network monitoring |
    Lack of monitoring on endpoint management systems |
    KRBTGT never changed |
    Excessive permissions to standard users and ineffective separation of privileged accounts |
    Hosts with Unconstrained Delegation enabled |
    Use of non-secure default configurations |
    Lack of server egress control |
    Large number of credentials in a shared vault |
    Inconsistent host configuration |
    Potentially unwanted programs |
    Mandatory password changes enabled |
    Additionally, CISA recommends organizations implement the mitigations below to improve their cybersecurity posture:
    As a long-term effort, CISA recommends organizations prioritize implementing a more modern, Zero Trust network architecture that:
    CISA encourages organizational IT leadership to ask their executive leadership the question: Can the organization accept the business risk of NOT implementing critical security controls such as MFA? Risks of that nature should typically be acknowledged and prioritized at the most senior levels of an organization.
    In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
    To get started:
    CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
    See CISA’s RedEye tool on CISA’s GitHub page. RedEye is an interactive open-source analytic tool used to visualize and report red team command and control activities. See CISA’s RedEye tool overview video for more information.
    REFERENCES
    [1] Bleeping Computer: New DFSCoerce NTLM Relay attack allows Windows domain takeover
    See Table 3 for all referenced red team tactics and techniques in this advisory. Note: activity was from Phase I unless noted.
     
    Technique Title | ID | Use
    --- | --- | ---
    Gather Victim Identity Information: Email Addresses | T1589.002 | The team found employee email addresses via open-source research.
    Gather Victim Identity Information: Employee Names | T1589.003 | The team identified employee names via open-source research that could be used to derive email addresses.
    Gather Victim Network Information: Network Security Appliances | T1590.006 | The team identified the organization’s MDM vendor and leveraged that information to move laterally to SBS-connected assets.
    Gather Victim Org Information | T1591 | The team conducted open-source research and identified an organizational branch that likely had access to an SBS asset.
    Gather Victim Org Information: Determine Physical Locations | T1591.001 | The team conducted open-source research to identify the physical locations of upkeep/management staff of selected assets.
    Search Open Technical Databases: Scan Databases | T1596.005 | The team queried an MDM SQL database to identify target administrators who recently connected with the MDM.

    Technique Title | ID | Use
    --- | --- | ---
    Acquire Infrastructure | T1583 | The team used third-party owned and operated infrastructure throughout their assessment for C2.
    Establish Accounts: Email Accounts | T1585.002 | The team used commercially available email platforms for their spearphishing activity.
    Obtain Capabilities: Tool | T1588.002 | The team used the following tools:

    Technique Title | ID | Use
    --- | --- | ---
    Phishing: Spearphishing Link | T1566.002 | The team sent spearphishing emails with links to a red-team-controlled domain to gain access to the organization’s systems.

    Technique Title | ID | Use
    --- | --- | ---
    Native API | T1106 | The team created a policy via the MDM API, which downloaded and executed a payload on a workstation.
    User Execution | T1204 | Users downloaded and executed the team’s initial access payloads after clicking buttons to trigger download and execution.

    Technique Title | ID | Use
    --- | --- | ---
    Account Manipulation | T1098 | The team elevated account privileges to administrator and modified the user’s account by adding Create Policy and Delete Policy permissions. During Phase II, the team created local admin accounts and an AD account; they added the created AD account to a domain admins group.
    Create Account: Local Account | T1136.001 | During Phase II, the team created a local administrator account on a workstation and a server.
    Create Account: Domain Account | T1136.002 | During Phase II, the team created an AD account.
    Create or Modify System Process: Windows Service | T1543.003 | During Phase II, the team leveraged compromised workstation and domain admin accounts to execute a payload via Windows Service Creation on target workstations and the DC.
    Event Triggered Execution: Windows Management Instrumentation Event Subscription | T1546.003 | The team used WMI Event Subscriptions to move laterally between sites.
    Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 | The team used DLL hijacking to move laterally between sites.

    Technique Title | ID | Use
    --- | --- | ---
    Abuse Elevation Control Mechanism | T1548 | The team elevated user account privileges to administrator by modifying the user’s account via adding Create Policy and Delete Policy permissions.

    Technique Title | ID | Use
    --- | --- | ---
    Valid Accounts: Domain Accounts | T1078.002 | During Phase II, the team compromised a domain admin account and used it to move laterally to multiple workstations and the DC.

    Technique Title | ID | Use
    --- | --- | ---
    OS Credential Dumping: LSASS Memory | T1003.001 | The team obtained the cached credentials from a SharePoint server account by taking a snapshot of lsass.exe with a tool called nanodump, exporting the output, and processing the output offline with Mimikatz.
    OS Credential Dumping: DCSync | T1003.006 | The team harvested AES-256 hashes via DCSync.
    Brute Force: Password Cracking | T1110.002 | The team cracked a user’s workstation account password after learning the user’s patterns from plaintext credentials.
    Unsecured Credentials | T1552 | The team found backups of a MySQL database that contained the encryption key needed to decrypt SSH passwords.
    Unsecured Credentials: Credentials in Files | T1552.001 | The team found plaintext credentials to an API user account stored in PowerShell scripts on an MDM server.
    Unsecured Credentials: Bash History | T1552.003 | The team found bash history files on Workstation 5 that appeared to contain SSH passwords saved in bash history.
    Credentials from Password Stores: Password Managers | T1555.005 | The team pulled credentials from a KeePass database.
    Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay | T1557.001 | The team ran the DFSCoerce Python script, which prompted DC authentication to a server using the server’s NTLM hash. The team then deployed Rubeus to capture the incoming DC TGT.
    Steal or Forge Kerberos Tickets: Golden Ticket | T1558.001 | The team used the acquired krbtgt account hash throughout their assessment to forge legitimate TGTs.
    Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | The team leveraged Rubeus and DFSCoerce in an NTLM relay attack to obtain the DC’s TGT from a host with Unconstrained Delegation enabled.

    Technique Title | ID | Use
    --- | --- | ---
    System Network Configuration Discovery | T1016 | The team queried the AD for information about the network’s sites and subnets.
    Remote System Discovery | T1018 | The team queried the AD, during Phase I and II, for information about computers on the network.
    System Network Connections Discovery | T1049 | The team listed existing network connections on SCCM Server 1 to reveal an active SMB connection with Server 2.
    Permission Groups Discovery: Domain Groups | T1069.002 | The team leveraged ldapsearch and dsquery to query and scrape Active Directory information.
    Account Discovery: Domain Account | T1087.002 | The team queried AD for AD users (during Phase I and II), including for members of a SharePoint admin group and several standard user accounts with administrative access.
    Cloud Infrastructure Discovery | T1580 | The team found SecOps network diagrams on a host detailing cloud infrastructure boundaries.
    Domain Trust Discovery | T1482 | During Phase II, the team enumerated trust relationships within the AD Forest.
    Group Policy Discovery | T1615 | The team scraped AD information, including GPOs.
    Network Service Discovery | T1046 | During Phase II, the team enumerated ports on target systems from a previously compromised workstation.
    System Owner/User Discovery | T1033 | During Phase II, the team enumerated the AD for current session information from every domain computer (Workstation and Server).

    Technique Title | ID | Use
    --- | --- | ---
    Remote Services: SMB/Windows Admin Shares | T1021.002 | The team moved laterally with an SMB beacon. During Phase II, they used compromised workstation and domain admin accounts to upload a payload via SMB on several target Workstations and the DC.
    Use Alternate Authentication Material: Pass the Hash | T1550.002 | The team ran the DFSCoerce Python script, which prompted DC authentication to a server using the server’s NTLM hash. The team then deployed Rubeus to capture the incoming DC TGT.
    Use Alternate Authentication Material: Pass the Ticket | T1550.003 | The team used the asktgt command to impersonate accounts for which they had credentials by requesting account TGTs.

    Technique Title | ID | Use
    --- | --- | ---
    Application Layer Protocol | T1071 | The team remotely enumerated the local administrators group on target hosts to find valid user accounts. This technique relies on anonymous SMB pipe binds, which are disabled by default starting with Windows Server 2016. During Phase II, the team established sessions that originated from a target Workstation and from the DC directly to an external host over a clear text protocol.
    Application Layer Protocol: Web Protocols | T1071.001 | The team’s C2 redirectors used HTTPS reverse proxies to redirect C2 traffic.
    Application Layer Protocol: File Transfer Protocols | T1071.002 | The team used HTTPS reverse proxies to redirect C2 traffic between the target network and the team’s Cobalt Strike servers.
    Encrypted Channel | T1573 | The team’s C2 traffic was encrypted in transit using encryption keys stored on their C2 servers.
    Ingress Tool Transfer | T1105 | During Phase II, the team uploaded and executed well-known malicious files to the DC to generate host-based alerts.
    Proxy: External Proxy | T1090.002 | The team used redirectors to redirect C2 traffic between the target organization’s network and the team’s C2 servers.
    Proxy: Domain Fronting | T1090.004 | The team used domain fronting to disguise outbound traffic in order to diversify the domains with which the persistent beacons were communicating.

    Technique Title | ID | Use
    --- | --- | ---
    Account Access Removal | T1531 | During Phase II, the team locked out several administrative AD accounts.


    source

  • Coast home to national body to combat cyber-crime – Sunshine Coast Council

    The Sunshine Coast has been selected as the location for a new national organisation aimed at protecting the nation against cyber criminals.
    The Critical Infrastructure – Information Sharing and Analysis Centre (CI-ISAC), featuring some of the nation’s best and brightest when it comes to “threat intelligence’’, has started operations from Maroochydore today (February 6).
    Under the guidance of CI-ISAC’s Chief Executive Officer David Sandell, the not-for-profit industry-based organisation provides comprehensive information and analysis advice to assist its membership base protect Australia’s most critical infrastructure.
    The membership will be drawn from 11 key industry sectors representing almost 11,000 entities that include everything from banking, water and power grids to supermarkets and mining.
    Mr Sandell said the Sunshine Coast had been steadily building its credentials in the cyber and tech space and this had not gone unnoticed for an organisation that is focussed on addressing digital defence-in-depth across Australia’s ICT networks.
    “Assets that Sunshine Coast Council has been building alone or in partnership over the years were all key drivers to locate such an important organisation to a regional location,” Mr Sandell said.
    “No one else in regional Australia has the assets we need, including the fastest fibre cable to Asia, diversity of data path to Sydney, a fully fibre-enabled city centre and a new international runway with rapidly growing regional aviation connections.
    “The local university and TAFE are doing some great things to develop the skilled workforce we need and the future on the Sunshine Coast looks bright.”
    The new organisation is being led by some of Australia’s best, brightest, and most experienced in the field of threat intelligence and response.
    Chair of the CI-ISAC Board is Brigadier (retired) Steve Beaumont, who previously served as Director-General of Intelligence, Surveillance, Reconnaissance, Electronic Warfare and Cyber with the Australian Department of Defence.
    Also playing a key role in the organisation is Dr Gary Waters, who has worked in the defence and national security space for more than five decades.
    Sunshine Coast Council Acting Mayor Rick Baberowski welcomed the news that CI-ISAC would be calling the Sunshine Coast home, joining our emerging tech ecosystem that already included key corporate players like Next DC, and industry-leading bodies such as the Sunshine Coast Tech Industry Alliance.
    He congratulated board members and founders, Scott Flower and David Sandell, on their decision to create a base and invest on the Sunshine Coast with such an important initiative designed to combat the acceleration in cyber-threats.
    “A significant part of Australia’s critical infrastructure is owned or managed by local government, and I encourage all 537 Australian local governments to consider the considerable value in becoming a community of cyber defenders,” Acting Mayor Baberowski said.
    “The concept is clear-cut. If we act together and share cyber threat intelligence, we can only get better at pre-empting attacks, while contributing to defending Australia’s data highway and all of the sensitive and personal data public services and businesses collect.
    “We are proud that the Sunshine Coast will host and participate in an important new sector to develop solutions that can benefit all Australians.”
    For more information on how to become a member or partner of the CI-ISAC, navigate to https://ci-isac.com.au/

    source

  • CyberSmart raises $15M for an all-in-one cybersecurity and insurance solution targeting SMBs – TechCrunch

    Cybersecurity continues to be a major area for investment among businesses, and today a startup building solutions for smaller enterprises is announcing a funding round to meet that demand. CyberSmart — a U.K. startup that has built an all-in-one platform providing cybersecurity technology for small and medium businesses, and cyber insurance if things go wrong regardless — has closed a Series B of £12.75 million ($15.4 million).
    CyberSmart currently has 4,000 customers in the U.K., 1,800 of whom also take the company’s insurance policies — the tip of the iceberg in a market with 5.5 million small and medium enterprises (SMBs) overall. But Jamie Akhtar, the co-founder and CEO, said there is a lot of interest out there and it’s about meeting that demand right now, so the plan is to use the funding to continue developing its product, to potentially make some acquisitions, and to expand its channel partners and customers in its home market as well as further afield in Europe, Australia and New Zealand.
    The funding is being led by Oxx — the European VC that focuses on growth rounds for SaaS startups — with strategic and other interesting backers participating. They include British Patient Capital (the commercial subsidiary of the U.K. government’s British Business Bank), Legal & General Capital (affiliated with the insurance giant) and Solano Partners; previous backers IQ Capital, Eos Venture Partners, Winton Ventures and Seedcamp are also participating. The company had previously raised £8 million and it’s not disclosing its valuation with this round but Akhtar said it was oversubscribed.
    Investor and customer interest for a company like CyberSmart speaks to a bigger shift we’ve been seeing in the market. Small and medium businesses used to be overlooked when it came to cybersecurity. That was for a combination of reasons: criminals typically focused attention on the biggest targets as the biggest prizes, SMBs are not known to be big spenders when it comes to any kind of IT, and for those reasons the companies building the most interesting cybersecurity tech weren’t focused on them as target use cases and customers.
    That has changed significantly over time. Not only are incidents of cybercrime continuing to grow — up by 38% in 2022 globally, estimates Checkpoint Research — but SMBs have become a prime target for these attacks, accounting for 58% of them, according to 2019 research from the Global Cyber Alliance.
    The small and medium business segment, as a result, has increasingly become a target for those building cybersecurity solutions. That’s included others like Cowbell and Guardz, which are mixing the propositions for security and insurance together, as well as those focused only on tech, and specifically kinds of security incidents, such as ActZero and its focus on ransomware in particular.
    “SMEs are notoriously under-protected from the rising cyber threat, and existing cybersecurity and insurance propositions are neither fit for purpose nor affordable,” said Phil Edmondson-Jones, partner at Oxx, in a statement. “We have spent a long time searching for the right business model that can enact a step-change in this important & enormous market. CyberSmart’s category-leading SME security product, combined with its unique ability to collect ‘inside-out’ data on real-time risk indicators, will propel the business to become a core part of the infrastructure for cyber protection and insurance. We are thrilled to support CyberSmart and its stellar team in driving urgent adoption in the market, and rapidly expanding internationally.” He’s also joining the board with this round.
    A lot of activity may be new, but CyberSmart itself is not: The company is actually six years old, and is thus something of an early mover in identifying and targeting SMBs with cybersecurity technology. The startup was initially incubated at an accelerator run by GCHQ, the U.K. equivalent of the NSA, with Akhtar building the business out of his own experience after working for more than a decade in cybersecurity at other firms.
    “I could see that SME security was broken,” he said. “So many of them were unaware of cyber risks, and they didn’t have the tools and resources to tackle it anyway. We approached the problem from that perspective.”
    The product is aimed squarely at the “S” end of SMB (or SME as it’s commonly called in the U.K.), with average customer sizes ranging between 10 and 50 employees, and no plans to expand to much larger businesses, the mid-market or anything else. And its primary sales route speaks to the market that CyberSmart has identified and understands: It sells mainly through channel partners, which consult smaller businesses on their overall IT needs and sell them packages of IT hardware and software as part of that, with CyberSmart taking on the security piece of that offering.
    “As cyber-attacks grow increasingly sophisticated, the technology needed to protect against them must do so as well. For many SMEs, this is a difficult challenge to tackle, either because of financial constraints or a lack of in-house expertise,” added Catherine Lewis La Torre, CEO of British Patient Capital. “CyberSmart was created to address this problem, providing not only affordable and easy-to-use cyber protection but also training, certification and insurance. We are delighted to be supporting such a dynamic and ambitious business on its growth journey.”
    That security piece comes in the form of its flagship product Active Protect, which Akhtar describes as a “baseline” security tool that can be installed and used without any need for IT experts to integrate or manage it. Active Protect is distributed to staff via a link, which can be downloaded on any device used on a company’s network. After it’s installed it provides continuous monitoring, with proactive information and advice when it spots any kind of suspicious activity, as well as prompts for people to go through training to be more aware of and vigilant against typical attack vectors (email phishing, for example, being one of the most common that comes down to humans making sound calls). The company describes its aim as addressing the “most common” vulnerabilities.
    Alongside this, CyberSmart has built out an insurance product in partnership with Aviva and Superscript. It comes bundled with Active Protect but it only kicks in as a policy once a user has followed all of the instructions to secure devices, address security issues when they are identified and go through training when it is recommended.
    The aim here is two-fold: Akhtar believes that a lot of SMBs might not typically take out cyber insurance because of the premiums, so offering something as a free add-on will get more people to sign up for its security product. But in addition to cost, Akhtar believes that a lot of cyber insurance aimed at the SMB market is a hard sell because of the relatively strict parameters that need to be met for support. Linking it directly to how a security policy is managed makes the most sense. (These are likely two big reasons why we are seeing a number of other companies bundling cybersecurity solutions with insurance, too.)
    Notably, Akhtar tells me that since the company launched the insurance product over a year ago, there hasn’t been a single claim made against it — a sign, he believes, of his startup’s formula working as it should.
    Yet there are some gaps in what CyberSmart is providing to the market — for example, if the most common vulnerabilities are being addressed, isn’t it just a matter of time before hackers start tackling SMBs with increasingly more sophisticated approaches? And if the main approach to remediation currently is providing guidance to a company’s team of human employees, is there scope for complementing that also with more automated approaches, or tech that can tackle more sophisticated attacks? These are areas where CyberSmart will either likely be building more tech itself, or bringing in additional functionality by way of acquisitions.
    On the acquisitions front, Akhtar noted that his own fundraising journey this time around really laid bare the state of the market right now. “I spoke to hundreds of VCs over nine months,” he told me (and if I was asked to use an emoji to describe his expression at that moment, it would be the one of the face with the slightly uneasy smile and bead of sweat running down the side: 😅).
    In the case of CyberSmart, he said part of this was also because he and his team were being selective and were looking for partners that could help with business growth, not just bank account growth. But more generally, it emphasizes how hard it is right now to close rounds for a lot of businesses, and there will be promising technologists out there who are running out of runway, or getting bad financing offers, who might be willing instead to sell at a lower price and team up with a partner to grow something together.
    Even further down the line, the plan will be to raise a bigger Series C to enter the U.S., Akhtar said.

    source

  • Booz Allen starts entry-level cybersecurity staffers at up to $150,000 – Fortune

    Cyberattacks are on the rise while the talent to combat these is running short. Globally, there are 3.5 million open cybersecurity positions, according to Cybersecurity Ventures’ Boardroom Cybersecurity 2022 Report. And Booz Allen Hamilton, a Fortune 500 tech management consulting company, is turning a great deal of its attention to what executive vice president Brad Medairy calls a “national problem and a collective crisis”: cybersecurity.
    Booz Allen has about 30,000 employees, and more than half of them are in a technical role, chief people officer Betty Thompson tells Fortune. It’s difficult to say exactly how many Booz Allen employees are part of its cybersecurity business because many of them wouldn’t necessarily fall into that explicit category, Thompson says. However, Booz Allen has one of the largest cybersecurity professional service teams in the industry, according to research from management consulting firm Frost and Sullivan.
    “It’s a large part of our workforce, and it’s a really important part of our workforce,” she says. “And we are on the hunt like everyone else for the talent externally at all levels.” 
    On par with national averages for cybersecurity jobs, Booz Allen pays its entry-level cybersecurity employees salaries that range from $95,000 to $150,000, while experienced nonexecutive employees earn between $140,000 and $240,000. Senior executives earn more than that and are eligible for bonuses, a Booz Allen spokesperson says.
    Fortune sat down with Medairy and Thompson to learn more about the national cybersecurity threat, the challenges of the industry’s talent gap, and how the company is getting ahead of the curve.
    The following interview has been edited for brevity and clarity.
    Fortune: Why is cybersecurity such a hot topic now?
    Medairy: The great power competition is alive and well. Our near peer adversaries have tremendous capabilities. If you look at messaging coming out from the national cybersecurity director, Chris Inglis, our nation is at risk. As a nation, we need to figure out how to protect not only the U.S. federal government, but also our critical infrastructure and other sectors. 
    If you look at the evolution of technology over the past 20 years, we started with mobile and cloud. Now when you look at an enterprise, everything is connected. There’s cloud; there’s software as a service. The enterprise boundary has expanded. We look at IoT [Internet of Things] where more and more devices are connected, but the most interesting thing, I think—and frankly, probably the most alarming thing—is the emergent intersections of cyber in the physical world.
    Look at the Colonial Pipeline cyberattack. When the Colonial Pipeline was attacked with ransomware, that actually transferred from the digital world into the physical world where it shut down the pipeline and it disrupted travel on the East Coast. That was actually caused because they were worried about risk to industrial control systems, their OT [operational technology] environment, which is the facilities that actually, in that particular case, moved all the fuel and the oil across the United States.
    We have a national problem and a collective crisis. We need to employ and deploy top talent to be able to build mechanisms to better secure our critical infrastructure, our federal government, and our national security systems. 
    Fortune: How big is Booz’s cybersecurity business?
    Medairy: Frost and Sullivan, a management consulting firm, has done an annual assessment of the cybersecurity industry, and they have identified us as the largest provider, for several years in a row, of cybersecurity professional services in North America. We have—based upon their assessment—one of the largest cybersecurity professional service teams in the industry. We deploy that talent across the U.S. federal government and also the commercial sector in the United States. But what’s interesting about the cyber talent, which makes it difficult to count people, is that cybersecurity is a multidisciplinary sport.
    By that I mean that when you look at a cybersecurity engagement, you’re going to need SOC analysts, you’re going to need malware analysts. You’re going to need reverse engineers. You may need folks with embedded systems experience. You may need data scientists, you may need machine learning engineers, you may need software developers. 
    Thompson: We have about 30,000 employees, and more than half of them are in a job family that’s technical. And that even wouldn’t give you a full picture of the cyber talent because of what Brad said. Many of them wouldn’t necessarily fall into these very explicit categories. So it’s a large part of our workforce, and it’s a really important part of our workforce. And we are on the hunt, like everyone else, for the talent externally at all levels. We look for luminaries. We look for people with experience. We’ll look for people coming out of the schools. And then we look for people with aptitude and a desire to be in this field and to learn more about it. We have an upskilling program and we work with universities in a variety of ways.
    Fortune: What type of cybersecurity upskilling does Booz offer?
    Thompson: We have educational benefits that our employees take advantage of called FlexEd, and it provides up to $10,000 a year for traditional academics, certifications, licenses, even attending conferences that have an educational component to it, subscriptions. There are all kinds of ways that they can qualify or build up their skills in these fields. 
    Because diversity in our population is really important to us, we look for ways to bring more diversity into that particular skill set and workforce. What’s really helpful is when we have diversity in leadership, so that people can see people like them that are successful, whether it’s the women in data science, or the women engineers, or Black women engineers. 
    Fortune: What’s making it so challenging to fill cybersecurity positions?
    Thompson: It has just exploded in terms of how great the need is. There’s also a marketing component to it in terms of how great and fulfilling these careers can be. I think sometimes people think you’ve got to be a computer geek, as opposed to people who like to figure out puzzles, people that are really innovative, people that are creative. Some of what we need to work on is how to really market this field as a great and interesting place to work, not just that it’s going to pay well, and that you’re going to be on a mission that’s important, because that certainly appeals to people as well.
    Medairy: Demand is high, supply is low, and there’s a gap. The other thing that I’ve seen a lot is because the demand is so high, it presents a tremendous amount of mobility for talent in the space. We see a lot of folks across the industry who will move jobs every couple of years. There’s so much opportunity. One of the things that we’ve really focused on as a firm is providing a longer runway and a career journey. That’s opposed to going to this other entity to do something different. They have mobility within our firm so that they could spend a couple of years on a federal engagement, they could move into the commercial sector. They could move into a different mission segment.
    We’ve seen in our national cyber platform that our attrition is well below industry average. I think what makes it so hard is there’s tremendous demand. There’s tremendous opportunity that makes it hard to find people, but it also makes it hard to retain people. We spend a tremendous amount of effort on the employee value proposition and that holistic experience for our talent.
    Fortune: What does a cybersecurity career trajectory look like at Booz?
    Medairy: What’s really promising is the universities now are really producing amazing talent. We tend to invest really early in their university journey. We have an amazing internship program called the Summer Games. We have hundreds of interns a year. By investing early in their careers while they’re still in the university, we give them the opportunity to really get hands-on experience in cybersecurity very early. 
    The cybersecurity field requires—more so than any field that I’ve seen—continuous learning. It requires an investment in them to continue to upskill them. So upskilling is a big part of what we do. It’s apprenticeships. We do hackathons; we do hacker trivia. We invest heavily in training, in graduate programs, to continue to sharpen their skill sets. 
    Thompson: We have a way of connecting individuals to future opportunities and then identifying what skills they might need to acquire in order to qualify for those. They can identify opportunities that we’re looking for that are open and internally managers can find them based on the skill sets that they’re looking for. There’s a lot of opportunity there for people to do different things and have the resources that they need with our FlexEd program.
    We have more than 12,000 employees that possess cyber certifications in a variety of forms, so there’s a lot of skills that we can tap into. And in fact, about 1,500 of our externally posted positions were filled internally last year. There’s a lot of opportunity in our firm, just based on the huge amount of work that we have in this space.
    Fortune: What’s next for the cybersecurity business at Booz Allen?
    Medairy: Some big areas that we’re focusing on are the impacts of quantum in the cyber domain. How does that impact our client security posture? 5G is going to become pervasive worldwide. What are the security impacts of 5G as everything starts to be connected and everything starts to move out to the edge? 
    The talent problem is not going to go away anytime soon, and that presents a tremendous opportunity to bring automation and machine learning to our clients. How do we apply our AI/ML [artificial intelligence/machine learning] practitioners into the cyber domain to be able to accelerate our client’s ability to automate and to use machines to help combat these emerging threats?
    There’s also a tremendous amount of investment in cyber technology. If you look at Silicon Valley, there’s north of $10 billion worth of investment in cybersecurity tools and technologies. The one thing that we’re focused on is how do we feel like we’re the best bridge between our clients and the commercial product space, and how can we apply emerging and commercial technologies in a practical way to support our client’s mission?
    Thompson: On the talent front, what we’re looking at is finding those populations that are underleveraged or underutilized as it relates to this type of work. Partnering with diverse organizations, the military tech workforce initiative is a key one for us. We have a large veteran population. They have basic skills and sophisticated skills that we can leverage and then continue to invest in them in terms of their training. We also have a lot of university partnerships including HBCUs. We’ve also worked closely with and will continue to invest in the CyberPatriot, which is a national youth cyber education program created by the Air Force. It’s intended to inspire kindergarten through 12th-grade students toward careers in cybersecurity as well as other STEM disciplines.
    We’re trying to get all the dimensions of the talent that’s out there, but with a particular emphasis on ensuring that we continue to have a diverse workforce by tapping into these populations.

    source

  • The future of cyber security in financial services – Finextra

    Increasing security threats, hybrid working, uneven economic outlooks, geopolitical conflicts and ever-increasing regulatory compliance mandates have all put untold strain on the financial services industry in recent years. While organisations in this sector are typically ahead of other industries in cyber defence maturity due to their highly regulated nature, they continue to be considered high value targets by cyber criminals and nation-state attackers.
    Financial services organisations are particularly impacted by security issues due to highly distributed infrastructures, high value assets, a prevalence of exploitable IoT devices, and the human factor, which continues to be the weakest link in security defences. The industry must be more proactive when it comes to future-proofing and digital transformation, to ensure that attackers are out-innovated. There is a need for collective action, international and cross-industry collaboration and policy intervention moving forward.
    The weakest link
    A large percentage of successful cyber-attacks against financial services organisations are due to user error. These typically begin with a successful phishing attack that provides an initial foothold into an organisation, enabling a full-scale ransomware or malware attack.
    Criminals need only find one human—preferably one with high privileges—using poor password hygiene or who can be tricked into releasing information, to gain this foothold. From there ransomware, malware and other tactics can result in breaches and failed audits. Data loss from breaches continues to be problematic due to low encryption rates and overly complicated key management practices, which tend to run at odds with one another.
    Mitigating this risk is difficult: while cyber resilience training is a good first step, it cannot completely remove the risk of human error. This is where digital transformation comes in. Although there might be a concern that greater reliance on technology can increase risk, in this case it’s actually the opposite. By integrating technologies such as AI and automation to undertake processes prone to human error, organisations can strengthen their business processes and significantly bring down the risk of attack.
    Increasing attacks
    According to our recent data threat report, the majority of security leaders across financial services organisations ranked malware and ransomware as the leading cause of cyber-attacks. This is unsurprising, as these attacks are relatively low cost but can result in big pay-outs for threat actors. In fact, in recent years, ransomware has almost completely changed breach economics.
    Given the highly regulated nature of financial services, the risks of losing highly sensitive data as well as the reputational damage as result of these attacks are extremely high. For many financial services organisations, just paying the ransom is potentially less damaging than risking any additional impacts.
    For example, Flagstar Bank, a major mortgage lender in the United States, was attacked by ransomware in 2020. An initial foothold was gained through a software vulnerability in Accellion’s account software, followed by a ransomware attack which resulted in system outages due to encrypted data, plus the extraction of up to a decade of sensitive customer data. The attackers threatened to release this data as a further incentive to pay the ransom. Such significant pay-outs from high value organisations further encourage similar attacks from threat actors.
    Future technologies
    As well as the current threat landscape and ongoing security challenges, emergent technologies including AI, Blockchain, Quantum and 5G all have the potential to change the face of cyber security in Financial Services and completely revamp current practices.
    For example, a single powerful quantum computer may be able to break the current public key encryption algorithms (cryptography) used by virtually every financial institution today, threatening to compromise everything from client data to the secure websites and software they use to interact with customers, to the hardware used to authenticate, encrypt and decrypt payments. However, it is important to say that pulling off this type of attack would still be very challenging even for the most accomplished cybercriminal.
    Financial institutions are required to store certain data for decades, creating a ticking time bomb as quantum technology continues to develop. While these threats might seem years away, it’s vital organisations look at developing a robust quantum strategy now, in order to prepare for these future challenges.
    Adopting a zero trust approach
    Financial services organisations typically have highly distributed infrastructures that include retail storefronts, IoT devices, and a hybrid workforce that can work from literally anywhere. Adopting zero trust principles can be a key strategy by ensuring “least privilege” access to highly distributed, high-value data and assets. Not surprisingly, financial services organisations with a formal Zero Trust strategy are less likely to have been breached.
    The transition of standalone devices such as ATMs and kiosks from proprietary, dedicated connections to IoT has also greatly increased the size, complexity, and elasticity of underlying networks, while also greatly increasing the attack surface. These environments are generally well served by zero trust security strategies.
    As organisations move forward, they’ll need visibility not only across their infrastructure, but throughout their organisation. Establishing a common understanding is a key part of effectively setting priorities and executing security projects. When security teams are aligned with the key parts of the business, they can work together to effectively and efficiently address whatever issues the future holds.
    Security Expert, Thales
    © Finextra Research 2023

    source

  • Cyber crime laws are leading to LGBTI people being arrested … – Cyber Security Connect

    Cyber crime laws and fake dating profiles are being used to target LGBTI individuals in a number of Middle Eastern countries, according to a new report.
    In the report, All This Terror Because of a Photo, Human Rights Watch (HRW) details 45 instances of entrapment, harassment, abuse, and arrest of queer people in Egypt, Iraq, Jordan, Tunisia, and Lebanon. The report also looked at instances of digital targeting in Kuwait, Morocco, and Saudi Arabia.
    HRW found repeated instances of state authorities using fake profiles on dating apps such as Grindr or on social media sites like Facebook. These profiles were often operated in real time by police and other law enforcement officials, engaging in online chat and even video calls with suspected LGBTI people. 
    In countries where same-sex conduct is criminalised, this alone would often lead to abuse and arrest, though in a number of cases, subsequent legal proceedings dismissed any charges. 
    But in countries where such conduct is not explicitly prohibited, authorities would then turn to morality or cyber crime laws to justify the arrests. These vague laws cover such things as “debauchery” or “inciting debauchery”; but in Jordan, such matters are treated under its prohibition against “soliciting prostitution online”, as part of its cyber crime legislation. Egypt also makes use of its cyber crime laws in this way. In Tunisia, a broad suite of public safety laws serves a similar purpose.
    In cases where individuals were found guilty, they could be subject to months or years of prison, and in many cases, had already been held in pretrial detention for many months as well.
    And where there was little evidence to base a prosecution, HRW found that law enforcement would then resort to planting evidence and photos to prove their case.
    The report also found that online harassment of queer communities was rife, with many social media companies falling behind on checking such behaviour. Criminal groups were also reported as using fake dating profiles, though in this case, it leads merely to extortion and blackmail of the victim.
    “Most of the LGBT people targeted online said they stopped using digital platforms and deleted their social media accounts as a result of digital targeting, which only exacerbated their feeling of isolation,” the report stated.
    “These abusive tactics highlight the prevalence of digital targeting and the need for digital platforms and governments to take action to ensure LGBT people’s safety online.”
    David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

    source