
  • The UN's cyber crime treaty could be a privacy disaster – IT PRO

    Cyber crime is hard to define and even more difficult to attribute and prosecute, especially given cyber attacks strike regularly across borders. With this in mind, a United Nations (UN) committee has been in negotiations this year to flesh out a new international cyber crime treaty.
    Despite multiple measures and laws aiming to tackle cyber crime, attacks of all kinds continue to surge, from ransomware to phishing. The UN's plan has been in the making for months, but the fourth meeting of the committee in January was important because a rough treaty was presented for debate. As part of the process, the committee, which includes delegates from Russia, China and the US, has been trying to define cyber crime and form a global response, including intelligence sharing, to make the online world a safer place for businesses and consumers.
    Among proposals are the criminalisation of cyber crime including illegal access and interception, data and system interference and the misuse of devices. In theory, the treaty is positive, but it's been heavily criticised too, with experts saying its impact will be limited – especially since the 2001 Budapest Convention already in place addresses many of the issues outlined. 
    Organisations including the Electronic Frontier Foundation (EFF) go even further by slamming the treaty in its current form, saying it’s not flexible enough to adapt to the changing nature of cyber crime and fails to protect the human rights of whistleblowers and journalists. The proposed convention could result in new policing powers for domestic and international criminal investigations, for example. This could include evidence sharing across borders with countries with different levels of human rights protections, says Katitza Rodriguez, EFF's policy director for global privacy. 
    On its current trajectory, the treaty might even lead to people being imprisoned for legitimate online activities, Rodriguez warns. “Since the articles are drafted in a vague way – overly broad, undefined, and subjective –  it could undoubtedly sweep up and criminalise legitimate expression, news reporting, protest speeches and more,” she explains.
    In a complex geopolitical cyber landscape, state-sponsored attacks on the West are growing, and they are notoriously difficult to attribute. It remains questionable whether a treaty can address these types of attacks – especially given the aims of the normally adversarial China and Russia. It’s not the end of negotiations, though. The committee will meet again in April and September, with a final draft due to be presented to the UN in early 2024. So, what can the proposed treaty really achieve and what could it mean for businesses?
    Among the proposals, the international treaty aims to establish rules and regulations for state behaviour online, addressing issues such as cyber warfare and espionage. “The treaty could potentially lead to a more secure and stable online environment for businesses to operate in,” says Jake Moore, global cyber security advisor at ESET.
    The treaty also outlines proposals for legal assistance between countries in the investigation and prosecution of cyber crimes. “Law enforcement agencies have notoriously incurred cross-border issues in relation to cyber crime across multiple jurisdictions,” Moore explains. “This treaty aims to establish international cooperation among countries to investigate and prosecute cyber-criminals, which could help to deter and disrupt their activities.”
    This will help provide a framework for cooperation between the public and the private sector which could be useful for businesses, says Steffen Friis, sales engineer at VIPRE. He says mutual legal assistance, preservation of data and extradition between nations “will be extremely useful for businesses that operate in multiple countries”.
    Even after the latest negotiations, the treaty is far from perfect and many experts question the impact it can have. As with most treaties, at least some of its purpose is symbolic, says Will Richmond-Coggan, data and cyber disputes expert at law firm Freeths. However, he also points out: “The various national annotations and amendments to the current draft convention demonstrate the extent to which many countries are having to temper the wide-ranging language originally proposed, in order to avoid it extending to encompass their own activities.”
    At the same time, echoing issues expressed by the EFF, Mick Reynolds, director of intelligence at SecAlliance, points to the need to measure and balance any new legal powers with the erosion of human rights, particularly those relating to individual privacy.
    Privacy concerns centre around the treaty’s proposed provisions on data retention and mutual legal assistance. As Friis adds, there are concerns these could be used to access personal data without sufficient legal safeguards.
    The treaty also needs to take into account the nuances of security research, which sees experts using attack techniques in order to find vulnerabilities in software. “Security researchers routinely identify weaknesses and potential exploits in software systems,” Tim Mackey, head of software supply chain risk strategy at Synopsys, points out. “While their intent isn’t criminal, those efforts could easily fall foul of statements covering ‘exploitation of a vulnerability’.”
    Sovereignty is another problem: “Provisions on jurisdiction, mutual legal assistance and extradition could be used to infringe on the sovereignty of countries and to circumvent domestic laws,” says Friis.
    The UN must certainly work to iron out issues in the proposal, but if the final treaty is to be effective, it will also be important to be able to measure its success. There are two key goals for the cyber crime treaty, namely whether cyber criminals are being arrested and whether cyber attacks are decreasing, according to Michael Smith, CTO of Neustar Security Services.
    Moore, meanwhile, suggests the severity of attacks and the number of successful prosecutions may also be measured. “The treaty could be evaluated based on the extent to which it leads to greater international cooperation among countries in addressing cyber security issues,” he suggests, adding the success of the treaty will “depend on how well it is implemented and enforced by the countries that have ratified it”.
    In a complex geopolitical arena, it’s difficult to define what a perfect treaty would look like. However, experts point to the need for a global approach despite borders and political interests; something extremely challenging to achieve. 
    The ideal situation is an agreement that everyone, including China and Russia, can sign and stick to, says Will Dixon, global head of academy and community at ISTARI. “This is the fundamental flaw in the Budapest Convention. It is entirely possible such a treaty might be drafted, but in the wider geopolitical context, making the necessary concessions may prove unpalatable.”

  • Tips for developing cybersecurity leadership talent – TechTarget

    The global cybersecurity skills shortage is a well-documented challenge affecting organizations across all industries. A 35% growth in information security analyst roles is expected to occur between 2021 and 2031, according to the U.S. Bureau of Labor Statistics. As the cybersecurity jobs market continues to grow, the gap between the number of qualified security professionals and open jobs will only increase.
    One effect of this long-term talent gap is a diminished security leadership pipeline. In a recent Gartner survey, 57% of respondents said they are struggling to find and hire emerging security leaders — individuals who are not currently working in a formal leadership position or role, but have demonstrated the requisite aptitude, competencies and capabilities needed to lead a cybersecurity organization in the future. Retention is a challenge, too, given the average tenure for a CISO is between 18 and 26 months.
    Organizations have a short window to identify, foster and hopefully retain a pipeline of emerging security leaders to ensure the long-term sustainability and effectiveness of their security programs.
    Organizations facing these challenges must look to alternative mechanisms to fill the skills gap and create a strong plan for future security leadership. Here are key steps CISOs should take to mitigate implications arising from a shortage of emerging leadership talent.
    A key behavior exhibited by leading CISOs is having a formal and actionable succession plan. Another key differentiator is that leading CISOs focus their talent strategies on the future security skills needed by the enterprise. Adopting these practices is fundamental to fostering and protecting the organization’s pipeline of emerging security leadership talent to ensure the sustainability and continuous improvement of its cybersecurity risk posture.
    In the near term, IT and security leadership should establish “promote from within” as a first principle when filling internal cybersecurity leadership roles. This helps establish a succession plan for team leaders, middle management and ultimately CISO-level roles, supporting the longer-term sustainability of the security program. It also helps retain top security talent by showing them there is a clear and attainable career path at the organization should they stay.
    Use regular performance and career discussions to start proactively identifying, evaluating and fostering emerging cybersecurity leaders. This signals to those interested in stepping up into more senior roles that their line managers are taking an active interest in their development.
    CISOs can also work with HR to define critical leadership competencies required within their organizational context. Then, conduct a skills assessment across the IT workforce that includes an evaluation of leadership competencies. This helps identify team members with the leadership attributes, aptitude and interest who could develop to take on future leadership roles. Typical competencies for emerging security leaders include adaptability, ability to coach and mentor junior staff, communication, business acumen, decisiveness and diversity of opinion.
    As emerging security talent is identified, seek coaching and mentoring from business leaders for these individuals. Exposing emerging security leaders to experienced business mentors internally helps them become more familiar with the organization’s business operations, context, strategic objectives and risk appetite in a friendly and safe setting. In turn, it enables talent to begin developing these important behaviors earlier, shortening the runway to full effectiveness once appointed to leadership roles. It also helps business leadership by fostering greater familiarity within the security team, which, over time, makes for more business-centric security advice and improved information risk decision-making.
    Latent security leadership talent may exist outside of the IT or security team. In the longer term, security and business leaders must employ creative strategies to discover, hire and develop talent.
    Consider a security champion program, for example, where members of the business or IT teams receive additional training on security issues and act as local advocates, performing roles such as disseminating security-related messaging, answering security-related questions, promoting secure practices and interfacing with security experts. Such a program not only supports current security behavior and culture initiatives, but it can also help identify emerging business leaders considering a career change to cybersecurity who can be mentored to aid in their transition over time.
    CISOs should also use a portion of any increased funding for a leadership scholarship program. The knowledge imparted via external, business-centric courses such as MBA programs will help emerging security leaders gather foundational knowledge, skills and business acumen. Awarding scholarship funds across multiple individuals not only sends positive signals about potential career development to the rest of the workforce, but also enables multiple emerging leaders to develop at the same time. These programs could become a differentiating employee value proposition, helping attract new talent to the organization in a tight labor market.
    Finally, identify opportunities to free up time for leadership development. Often, there is limited time to develop emerging talent due to high demands placed on the security workforce. CISOs can find the time by identifying opportunities for creating capacity and operational efficiency. This is achievable by outsourcing more commoditized security functions to managed security service providers or using security orchestration, automation and response or AI-enabled capabilities to reduce time spent on security processes.
    There is, of course, no guarantee an investment in fostering cybersecurity leadership talent will result in a high-potential individual staying until they are able to fill a future leadership vacancy. Other factors are key determinants of how long they stick around, including the prevailing corporate culture, perceptions about the quality of the organization’s leadership or the individual’s ability to secure a better role in another organization.
    Any investment in an individual’s development can only make them more attractive to other organizations. CISOs need to reconcile that they may not retain their proteges or see a full return on their development investment. However, clear benefits are associated with continuing to develop emerging talent without these guarantees in place.
    Emerging leaders are more productive and effective in their roles when they’re being developed. Additionally, valued employees are less likely to become disgruntled or, worse, malicious insiders — an especially important consideration for cybersecurity personnel with elevated system access.
    Departing emerging leaders are also more likely to provide positive sentiments about the organization if asked by those in their professional networks applying to the organization, making it a more attractive opportunity in a high-demand skills market.
    About the author
    Richard Addiscott is an analyst at Gartner covering topics focused on improving security risk management maturity and outcomes, optimizing organizational security risk postures and demonstrating clear alignment between security and strategic business outcomes.

  • Shift jurisdiction of investigating cyber frauds to location of accused: Haryana Police to MHA – The Indian Express

    Haryana Police’s State Crime Branch has suggested to the Ministry of Home Affairs (MHA) that, to curtail the rising cybercrimes across the country, it would be better if the “jurisdiction of investigating a cyber fraud is shifted to the state of the offender rather than the state of the complainant”.
    “Cybercriminals execute frauds with victims of distant states for easy escape from police authorities. Hence, jurisdiction area may be shifted from state of the victim to state of the accused for instant apprehension of the cybercriminals and their organised structure,” Haryana Police state crime branch’s cyber cell has suggested to MHA in a meeting held on February 6 under the chairmanship of special secretary (internal security), MHA.
    Explaining the rationale behind such a suggestion, Additional Director General of Police (State Crime Branch, Haryana) O P Singh told The Indian Express that “for instance a criminal stationed in Haryana commits a cyber fraud with a person stationed in Kerala and the amount involved is approximately Rs 40,000-50,000. As per the existing rules, the case will be registered in Kerala, which is the jurisdiction of the complainant. Police start investigating the case and find the accused’s location is in Haryana. To identify the accused’s location and come all the way to Haryana and apprehend him involves a lot of time and finances. It becomes completely unfeasible for the police to go all the way to another state and catch the accused. Even the complainants back out. But, if the jurisdiction of investigating the case is shifted to the state of the offender, it would become easier for the personnel of the police station concerned to nab the accused and bust the entire gang of such offenders. In this case, Kerala Police can simply intimate Haryana Police and we can pick up these criminals and vice-versa”.
    O P Singh added, “The suggestion was appreciated by the MHA. Of course, it is a new thing and would come with other challenges too. But, we got to devise a mechanism and inter-state coordination to deal with increasing cybercrimes. If the mechanisms are not put in place at the right time, the situation would get out of our hand.”
    In the meeting, the Haryana Police also suggested to the MHA that “central guidelines may be issued to all the banks, financial intermediaries, etc., to refund amount put on hold through Citizen Financial Cyber Frauds Reporting and Management System (CFCFRMS) module on police requests instead of asking court orders on every request as the state police is in receipt of approximately 1,000 calls and 200-300 complaints on a daily basis. It is not feasible to register case on each complaint. The learned courts do not issue refund orders to banks/intermediaries on basis of complaint without registration of FIR. Therefore, it is requested to issue necessary directions to all concerned at the end of Indian Cyber Crime Coordination Centre (I4C), MHA”. As per the current rules, a police officer not below the rank of an inspector can only investigate the cases pertaining to cybercrimes. “But, the number of inspector rank officers is also limited and they have to investigate other heinous crime cases as well. Thus, we made a suggestion to the MHA that – an amendment to the Information Technology Act to empower sub-inspector rank police officers to investigate cybercrime cases is necessary to improve the effectiveness of dealing with such crimes,” O P Singh told The Indian Express.
    The state police force has also suggested to the MHA to issue instructions to the banks and other financial intermediaries to take timely actions on incidents reported by the police through CFCFRMS module.
    In December 2022, the state crime branch had also raised a red flag on the Aadhaar-Enabled Payment System (AEPS) saying that cybercriminals were conducting financial frauds by siphoning off people’s vital data from the system and cloning the fingerprints available on documents on the government website. The cyber cell under the crime branch is currently investigating over 400 complaints pertaining to cyber frauds that are related to AEPS.
    O P Singh had called it an “online fraud with silicon thumb” as criminals are quick in harnessing vulnerabilities.
    “People need to be careful, although law enforcement agencies are nimble to keep up with them. AEPS fraud is the latest. During the course of investigation, fraudsters were found withdrawing money by forging biometric thumb impressions and abusing AEPS,” the ADGP told The Indian Express.
    The state crime branch also advised people to deactivate the AEPS facility from their accounts if they are not using them regularly and avoid registering their fingerprints on any website. It has asked the public to immediately report any act or attempt of cybercrime to the number ‘1930’ within one hour of such an activity as it will help police stop the transfer of the defrauded fund to the cybercriminals’ accounts.
    The investigators also asked the government departments of the state and intermediaries to conduct a safety audit and plug the loopholes that lead to the leakage of personal data such as thumb impressions and expose it to abuse by cybercriminals.
    Explaining the modus operandi, O P Singh said that cybercriminals copy thumb impressions on butter paper from various websites to create duplicate silicon thumbs.
    Varinder Bhatia is Deputy Resident Editor, The Indian Express, Chandigarh. Wi…

  • Soaring levels of cyber-crime and fraud prompt SBRC rebrand – DIGIT.FYI

    Graham Turner, Sub Editor

    Scottish Business Resilience Centre (SBRC) renames to Cyber and Fraud Centre – Scotland.

    In a bid to better reflect the rising national threat from cyber crime and fraud, the Scottish Business Resilience Centre will from today be known as Cyber and Fraud Centre – Scotland as it extends its focus to also include financial fraud.
    The new brand comes as cyber-attacks and fraud are found to be on the rise: latest figures from Police Scotland show the number of cyber-crimes in 2021-22 were nearly double that of 2019-20, and fraud has increased 86% this decade.
    Paul Atkinson, Chair of Cyber and Fraud Centre – Scotland, noted: “Over half of reported crime is related to fraud or cyber, but they’re both hugely underreported – so it’s likely they pose an even greater threat than the numbers indicate. As a nation, we are handling support for cyber crime victims well, but victim support around financial fraud is severely lacking.
    “We need to examine how to collectively prevent and protect from this type of fraud, and the Cyber and Fraud Centre – Scotland team is well equipped to lead the conversation around this.”
    Jude McCorry, CEO of Cyber and Fraud Centre – Scotland, said: “Financial fraud – including cyber crime – is set to be reclassified as a threat to national security, which will see it treated as seriously as terrorism and civil emergencies. We’ve seen a huge increase in this type of crime over the past year, and a lot of victims don’t get the support they need, which is why we’ve added fraud to our organisation’s purpose.
    “Cyber-crime such as cyber attacks and financial fraud often cause businesses to pause operations; ransomware attacks prevent them from accessing their systems and financial fraud could render them unable to pay wages and suppliers. This can be devastating for small businesses and charities in particular, who may end up ceasing operations entirely.
    “We’ve renamed ourselves Cyber and Fraud Centre – Scotland in recognition of our enhanced focus on empowering and educating organisations across the country on the risks caused by cyber crime and fraud. The name also clarifies what we do and means we are holding ourselves accountable and committed to tackling cyber crime and fraud to make Scotland a safer place to do business.”
    Cyber and Fraud Centre – Scotland will continue its working relationships with partner organisations including the Scottish Government and Police Scotland, to ensure its members can access training programmes and have access to industry experts as needed.
    In recent years, the organisation has established itself as arguably a leader in building cyber awareness and business resilience throughout Scotland. Its latest milestones include launching the CyberScotland Partnership in 2021, and upskilling more than 450 businesses across Scotland in the National Cyber Security Centre’s scenario-based cyber awareness training programme, Exercise in a Box.
    The news is part of a wider organisational shift for the not-for-profit, which last month announced it had officially adopted a four-day working week.

  • Cybersecurity Trends & Statistics For 2023; What You Need To Know – Forbes

    Every year I peruse emerging statistics and trends in cybersecurity and provide some perspective and analysis on the potential implications for industry and government from the data. While cybersecurity capabilities and awareness seem to be improving, unfortunately the threat and sophistication of cyber-attacks are matching that progress.
    The 2023 Digital Ecosystem
    The emerging digital ecosystem is treacherous. In our current digital environment, every company is now a reachable target, and every company, large or small, has operations, brand, reputation, and revenue pipelines that are potentially at risk from a breach.
    For 2023 and beyond, the focus needs to be on the cyber-attack surface and attack vectors, to determine what can be done to mitigate threats and enhance resiliency and recovery. As the number of users greatly expands, so do the threats. As the Metaverse comes more online, it will serve as a new vector for exploitation. Artificial intelligence and machine learning are great for research and analytics (e.g. ChatGPT), but AI tools can also be used by hackers for advanced attacks. Deep fakes are already being deployed and bots are continuing to run rampant. The geopolitics of the Russian invasion of Ukraine has highlighted the vulnerabilities of critical infrastructure (CISA Shields Up) to nation-state threats, including more DDoS attacks on websites and infrastructure. Most ominous was the hacking of a Ukrainian satellite.
    Here are some initial digital ecosystem statistics to consider. According to a Deloitte Center for Controllership poll: “During the past 12 months, 34.5% of polled executives report that their organizations’ accounting and financial data were targeted by cyber adversaries. Within that group, 22% experienced at least one such cyber event and 12.5% experienced more than one.” And “nearly half (48.8%) of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead. And yet just 20.3% of those polled say their organizations’ accounting and finance teams work closely and consistently with their peers in cybersecurity.” Please see: Nearly half of executives expect cyber attacks targeting accounting, other systems (northbaybusinessjournal.com)
    Cyber-Trends:
    AI, Artificial Intelligence concept,3d rendering,conceptual image.
    AI and ML Making Impacting the Cyber-Ecosystem in a big Way in 2023 and Beyond
    International Data Corporation (IDC) says AI in the cybersecurity market is growing at a CAGR of 23.6% and will reach a market value of $46.3 billion in 2027 Please see: Experts predict how AI will energize cybersecurity in 2023 and beyond | VentureBeat
    My Take: AI and ML can be valuable tools to help us navigate the cybersecurity landscape. Specifically it can (and is being) used to help protect against increasingly sophisticated and malicious malware, ransomware, and social engineering attacks. AI’s capabilities in contextual reasoning can be used for synthesizing data and predicting threats.
    They enable predictive analytics to draw statistical inferences to mitigate threats with less resources. In a cybersecurity context, AI and ML can provide a faster means to identify new attacks, draw statistical inferences and push that information to endpoint security platforms.
    While AI and ML can be important tools for cyber-defense, they can also be a two edged sword. While it can be used to rapidly identify threat anomalies and enhance cyber defense capabilities, it can also be used by threat actors. Adversarial Nations and criminal hackers are already using AI and MI as tools to find and exploit vulnerabilities in threat detection models.
    Cyber criminals are already using AI and machine learning tools to attack and explore victims’ networks. Small business, organizations, and especially healthcare institutions who cannot afford significant investments in defensive emerging cybersecurity tech such as AI are the most vulnerable. Extortion by hackers using ransomware and demanding payment by cryptocurrencies may become and more persistent and evolving threat. The growth of the Internet of Things will create many new targets for the bad guys to exploit. There is an urgency for both industry and government to understand the implications of the emerging morphing cyber threat tools that include AI and ML and fortify against attacks.
    Please also see the recent FORBES article discussing three key applications of artificial intelligence for cybersecurity: network vulnerability surveillance and threat detection, incident diagnosis and response, and cyber threat intelligence reports: Three Key Artificial Intelligence Applications For Cybersecurity by Chuck Brooks and Dr. Frederic Lemieux (forbes.com)
    Cyber-Crime and the Cyber Statistics to Explore so Far in 2023
    Cyber-crime is growing exponentially. According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. Please see: eSentire | 2022 Official Cybercrime Report There are many factors for such growth and some of them will be explored in more detail below.
    Open Source Vulnerabilities Found in 84% of Code Bases
    It starts with open source code. Unfortunately, according to Synopsys researchers, at least one open source vulnerability was found in 84% of code bases. The vulnerability data was included in Synopsys’ 2023 Open Source Security and Risk Analysis (OSSRA) report on 2022 data. Since most software applications rely on open source code, this is still a significant cybersecurity issue to address.
    The report noted: “open source was in nearly everything we examined this year; it made up the majority of the code bases across industries,” adding that the code bases contained troublingly high numbers of known vulnerabilities that organizations had failed to patch, leaving them exposed to exploits. All code bases examined from companies in the aerospace, aviation, automotive, transportation, and logistics sectors contained some open source code, with open source making up 73% of total code.
    As significant as the risks from open source code are, they can be detected by software composition scanning and penetration testing, and above all mitigated by patching. The report found that patches clearly are not being applied. It cited that “of the 1,481 code bases examined by the researchers that included risk assessments, 91% contained outdated versions of open-source components, which means an update or patch was available but had not been applied.”
    Please see: At least one open source vulnerability found in 84% of code bases: Report | CSO Online
    One way that hackers take advantage of code vulnerabilities, including flaws in open source components, is via zero-day exploits. Recently a ransomware gang used a new zero-day flaw to steal data on 1 million hospital patients. “Community Health Systems (CHS), one of the largest healthcare providers in the United States with close to 80 hospitals in 16 states, confirmed this week that criminal hackers accessed the personal and protected health information of up to 1 million patients. The Tennessee-based healthcare giant said in a filing with government regulators that the data breach stems from its use of a popular file-transfer software called GoAnywhere MFT.” Please see: Clop claims it mass-hacked 130 organizations, including a US hospital network
    My Take: as a remedy to avoid vulnerability exploits and keep open source code updated, the report suggested that organizations should use a Software Bill of Materials (SBOM). I agree; in addition to pen testing, SBOMs are an important way to map systems and organize to be more cyber secure. An SBOM is basically a list of ingredients that make up software components and serves as a formal record containing the details and supply chain relationships of the various components used in building the software. I wrote about this extensively in a previous FORBES article.
    In the article, Dmitry Raidman, CTO of Cybeats, offered insights into specific use cases for SBOMs. They include transparency into software provenance and pedigree; continuous security risk assessment; access control and sharing with customers (who can access the SBOM and what data can be seen); threat intelligence data correlation; software composition license analysis and policy enforcement; software component end-of-life monitoring; supply chain risk management (SCRM) and supply chain screening; an SBOM document repository and orchestration; and efficiency in data query and retrieval.
    Clearly, SBOMs are a good path forward in discovering and correcting open source vulnerabilities in code. Please see: Bolstering Cybersecurity Risk Management With SBOMS (forbes.com)
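As an added illustration of how an SBOM feeds the patch check the OSSRA report calls for, the script below parses a small CycloneDX-style SBOM and flags every component whose installed version is older than a known fixed version. This is example code written for this page, not a tool from Synopsys, Cybeats, or the report; the SBOM contents, the advisory entries, and the advisory identifiers are constructed for illustration and do not correspond to real advisories.

```python
"""Flag SBOM components that are behind a known fixed version.

Added example for this page, not from any vendor tool.  The SBOM and the
advisory list are constructed; the ADV-EXAMPLE identifiers are hypothetical.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed SBOM in CycloneDX 1.4 JSON layout.  Package URLs (purl) carry the
# ecosystem, namespace, name and version in one string, which is what we key on.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
    ],
})

# Constructed advisory feed: (purl without version, first fixed version, advisory id).
ADVISORIES: List[Tuple[str, str, str]] = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.17.1", "ADV-EXAMPLE-001"),
    ("pkg:npm/lodash", "4.17.21", "ADV-EXAMPLE-002"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1).  Pre-release suffixes such as '-rc1' are dropped,
    which is adequate for dotted numeric schemes; production tooling should apply
    the ecosystem's own ordering rules (PEP 440, semver, Maven)."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-", 1)[0]))


def version_lt(installed: str, fixed: str) -> bool:
    """True when installed < fixed, padding shorter tuples with zeros ('4.17' == '4.17.0')."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def purl_base(purl: str) -> str:
    """Strip version, qualifiers ('?') and subpath ('#') from a purl."""
    return purl.split("?", 1)[0].split("#", 1)[0].split("@", 1)[0]


def check_sbom(sbom_json: str, advisories: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) pair where the component is behind the fix."""
    bom = json.loads(sbom_json)
    index: Dict[str, List[Tuple[str, str]]] = {}
    for base, fixed, adv_id in advisories:
        index.setdefault(base, []).append((fixed, adv_id))

    findings = []
    for comp in bom.get("components", []):
        purl, installed = comp.get("purl"), comp.get("version")
        if not purl or not installed:
            continue  # cannot reason about a component with no identity or version
        for fixed, adv_id in index.get(purl_base(purl), []):
            if version_lt(installed, fixed):
                findings.append({"component": comp["name"], "installed": installed,
                                 "fixed_in": fixed, "advisory": adv_id})
    return findings


if __name__ == "__main__":
    for f in check_sbom(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['component']} {f['installed']} is behind {f['fixed_in']} ({f['advisory']})")
```

Keying on the versionless purl rather than on the bare component name avoids false matches between same-named packages in different ecosystems, and it is the same join a real SCA pipeline performs against a feed such as OSV or a vendor database.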
    Phishing Continues to be a preferred Method of Hackers in 2023
    Phishing is still the tool of choice for many hackers. Phishing is commonly defined as a social engineering technique in which the attacker poses as a trusted party to trick the target into handing over credentials or valuable data, or into running malware. Anyone can be fooled by a targeted phish, especially when it appears to come as a personal email from someone higher up the work chain, or from a bank, an organization, or a website you frequent.
    Advances in technology have made it easier for hackers to phish. They can use readily available digital graphics, apply social engineering data, and draw on a vast array of phishing tools, including some automated by machine learning. Phishing is often the delivery vehicle for ransomware, and a common tactic is to target leadership at companies or organizations (spear-phishing), because executives usually have broader access to valuable data and often receive less security training.
    According to the firm Lookout, the highest rate of mobile phishing in history was observed in 2022, with half of the mobile phone owners worldwide exposed to a phishing attack every quarter. The Lookout report was based on Lookout’s data analytics from over 210 million devices, 175 million apps, and four million URLs daily. The report noted that “non-email-based phishing attacks are also proliferating, with vishing (voice phishing), smishing (SMS phishing), and quishing (QR code phishing) increasing sevenfold in the second quarter of 2022.” And that “the damage can be colossal for businesses that fall victim to mobile phishing attacks: Lookout calculated that the potential annual financial impact of mobile phishing to an organization of 5000 employees is nearly $4m.”
    The report also noted that “Cybercriminals mostly abused Microsoft’s brand name in phishing attacks, with more than 30 million messages using its branding or mentioning products like Office or OneDrive. However, other companies were also frequently impersonated by cybercriminals, including Amazon (mentioned in 6.5 million attacks); DocuSign (3.5 million); Google (2.6 million); DHL (2 million); and Adobe (1.5 million).”
    Please see: Record Number of Mobile Phishing Attacks in 2022 – Infosecurity Magazine (infosecurity-magazine.com)
    Ransomware and Phishing: the current state of cyber-affairs is an especially alarming one because ransomware attacks are growing not only in numbers, but also in the financial and reputational costs to businesses and organizations.
    Currently, ransomware, delivered mostly via phishing, is the top threat to both the public and private sectors. Ransomware allows hackers to hold computers and even entire networks hostage for electronic cash payments. In the 2021 case of Colonial Pipeline, a ransomware attack forced the pipeline offline and disrupted fuel supplies across the east coast of the United States.
    “In 2022, 76% of organizations were targeted by a ransomware attack, out of which 64% were actually infected. Only 50% of these organizations managed to retrieve their data after paying the ransom. Additionally, a little over 66% of respondents reported to have had multiple, isolated infections.” Please see: New cyberattack tactics rise up as ransomware payouts increase | CSO Online
    My Take: Since most of us are now doing our work and personal errands on smartphones, this is alarming data. But there are remedies. Training employees to identify potential phishing emails is the first step in prevention, but many of the obvious clues, such as misspelled words and poor grammar, are no longer present. Fraudsters have grown more sophisticated, and employees need to keep up with the new paradigm.
    Human error is inevitable, however, and some employees will make mistakes and fall victim to phishing. The backstop at that point should be automated controls that silo employee access and limit the damage if a worker’s account is compromised. The best approach is to establish and monitor administrative privileges across the company: grant each employee only the access their role needs, and require a second authentication factor before sensitive systems or actions. Many companies also block categories of websites that workers have no business reason to visit, which removes a common phishing landing point.
    My additional advice to protect against phishing and ransomware is to make sure you back up your valuable data (consider encrypting it too), preferably on another device segmented from the PC or phone that could be targeted, so the backup cannot be encrypted along with the original. If you are a small business or an individual, it is not a bad idea to invest in anti-phishing software. It adds another barrier. I also recommend monitoring your social accounts and credit accounts on a regular basis to spot anomalies.
    Business E-mail Compromise
    Often done in coordination with phishing, business email compromise (BEC) is still a serious cybersecurity issue. The research firm Trellix determined that 78% of BEC attacks involved fake CEO emails using common CEO phrases, a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number in order to execute a voice-phishing (vishing) scheme. 82% of these emails were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns. Please see: Malicious actors push the limits of attack vectors – Help Net Security
    “Seventy-five percent of organizations worldwide reported an attempted business email compromise (BEC) attack last year. While English remained the most common language employed, companies in a few non-English nations witnessed a higher volume of attacks in their own languages, including organizations in the Netherlands and Sweden, which reported a 92% jump in such attacks; in Spain, with a 92% jump; Germany, with an 86% increase; and France, with an 80% increase.” Please see: New cyberattack tactics rise up as ransomware payouts increase | CSO Online
    “Business Email Compromise (BEC) attacks are no longer limited to traditional email accounts. Attackers are finding new ways to conduct their schemes — and organizations need to be prepared to defend themselves. Attackers are leveraging a new scheme called Business Communication Compromise to take advantage of large global corporations, government agencies and individuals. They are leveraging collaboration tools beyond email that include chat and mobile messaging — including popular cloud-based applications such as Slack, WhatsApp, LinkedIn, Facebook, Twitter and many more — to carry out attacks.” Please see: The evolution of business email compromise to business communication compromise (betanews.com)
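The Trellix findings above (fake CEO display names, free mail providers, a request to confirm a phone number) map directly onto a handful of header and body checks that a mail gateway or SIEM rule can run. The script below is an added example written for this page, not Trellix’s or any vendor’s detection logic; the executive directory, corporate domain, free-mail list, lure phrases and the two sample messages are constructed assumptions.

```python
"""Score inbound mail for the BEC indicators described above.

Added example for this page, not vendor detection logic.  Every list below is a
constructed assumption; tune them to your own directory and observed lures.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# Hypothetical executive directory: normalised display name -> corporate address.
EXECUTIVES = {"jane doe": "jdoe@example.com"}
CORP_DOMAINS = {"example.com"}
# Free providers commonly abused for CEO impersonation (assumed list).
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "protonmail.com"}
# Assumed lure phrases; real deployments derive these from their own BEC samples.
LURE_PHRASES = ["are you available", "quick task", "confirm your phone number",
                "gift cards", "wire transfer", "keep this confidential"]

# Constructed sample messages (RFC 5322 text).  Headers must start on the first line.
SPOOFED = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: Bob <bob@example.com>
Subject: Quick task

Bob, are you available? Confirm your phone number so I can call you.
"""

LEGIT = """From: Jane Doe <jdoe@example.com>
To: Bob <bob@example.com>
Subject: Board deck

Attached is the deck for Thursday.
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> Dict[str, object]:
    """Return the sender, the list of BEC indicators hit, and a score (one point each)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    reasons: List[str] = []

    # 1. Display name matches a known executive but the address is not theirs.
    norm_name = " ".join(name.lower().split())
    if norm_name in EXECUTIVES and addr.lower() != EXECUTIVES[norm_name]:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sent from a free mail provider rather than a corporate domain.
    from_domain = _domain(addr)
    if from_domain in FREE_MAIL_DOMAINS:
        reasons.append(f"sent from free mail provider {from_domain}")

    # 3. Reply-To redirects replies to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain")

    # 4. Body carries the urgency / phone-number lures Trellix describes.
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("lure phrases: " + ", ".join(hits))

    return {"from": addr, "score": len(reasons), "reasons": reasons}


def is_suspicious(result: Dict[str, object], threshold: int = 2) -> bool:
    """Two independent indicators is a reasonable quarantine threshold; one alone is noisy."""
    return int(result["score"]) >= threshold


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        r = analyze_message(raw)
        print(label, r["score"], is_suspicious(r), r["reasons"])
```

The display-name check is the one that matters most in practice: users see the name, not the address, and most mail clients hide the latter on mobile. Pair these checks with DMARC enforcement on your own domain so that the cheaper trick of spoofing the real executive address is rejected before content analysis runs.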
    My Take: business email has long been a top target of hackers. Accordingly, organizations need to create a corporate risk management strategy and vulnerability framework that identifies the digital assets and data to be protected, including sensitive email. Such a risk management strategy should be holistic and include people, processes, and technologies. This includes protecting and backing up email data and the business enterprise systems (financial systems, email exchange servers, HR, and procurement systems) with appropriate security tools (encryption, threat intel and detection, identity and access management, firewalls, etc.) and policies. That risk management approach must also include knowing your inventory and gaps, integrating cybersecurity hygiene practices, and procuring and orchestrating an appropriate cyber-tool stack.
    Fraud is Trending Digital, Especially Identity Theft
    Fraud has always been a societal problem, but it is being compounded by the expansion of criminals in the digital realm. The cost is going higher as more people do their banking and buying online.
    Federal Trade Commission (FTC) data shows that consumers reported losing nearly $8.8 billion to fraud in 2022, an increase of more than 30 percent over the previous year. Much of this fraud came from fake investing scams and imposter scams. Perhaps most alarming in this report was that there were over 1.1 million reports of identity theft received through the FTC’s IdentityTheft.gov website. FTC reveals alarming increase in scam activity, costing consumers billions – Help Net Security
    My take: the reason for the increased rate of identity fraud is clear. The more connected we become, the more visible and vulnerable we are to those who want to hack our accounts and steal our identities. The threat surface has expanded exponentially with smartphones, wearables, and the Internet of Things. Moreover, those mobile devices, social media applications, laptops, and notebooks are not easy to secure.
    There are no complete remedies for identity theft, but there are actions that can enable people and companies to help deter the threats. Below is a quick list of what you can do to help protect your accounts, privacy, and reputation:
    1) Use strong, unique passwords and turn on multi-factor authentication wherever it is offered. Hackers are quite adept at guessing passwords, especially when they have insights into where you lived in the past (street names), birthdays, and favorite phrases; a password manager makes long, unique passwords practical. Change a password promptly if you suspect it has been exposed in a breach.
    2) Maintain a separate computer to do your financial transactions and use it for nothing else.
    3) Consider using encryption software for valuable data that needs to be secured. Also set up Virtual Private Networks for an added layer of security when using mobile smartphones.
    4) Very important: monitor your credit reports, your bank statements, and your social accounts on a regular basis. LifeLock and other reputable monitoring organizations provide account alerts that are very helpful in that awareness quest. The quicker you detect fraud, the easier it is to handle the issues associated with identity theft.
    5) If you are breached, and especially if it is serious, contact law enforcement, as it might be part of a larger criminal enterprise that they should know about. In any severe breach consider seeking legal assistance on liability issues with creditors. Also consider hiring outside reputation management if necessary.
    Some Additional Resources and Compilation of Cybersecurity Trends for 2023:
    There is a very good report by the Bipartisan Policy Center on the top eight macro risks to watch out for in 2023. They are listed in the article linked below, and I agree with them all.

    Please see: Cyber arms race, economic headwinds among top macro cybersecurity risks for 2023 | CSO Online
    And for a deeper dive on cyber stats please see: 34 cybersecurity statistics to lose sleep over in 2023 (techtarget.com). The article notes up front that we need to understand the data, and its immense volume, that is exposed to cyber-attacks. “By 2025, humanity’s collective data will reach 175 zettabytes — the number 175 followed by 21 zeros. This data includes everything from streaming videos and dating apps to healthcare databases. Securing all this data is vital.”
    Please also see Dan Lohrmann’s annual analysis of cybersecurity trends: “After a year full of data breaches, ransomware attacks and real-world cyber impacts stemming from Russia’s invasion of Ukraine, what’s next? Here’s part 1 of your annual roundup of security industry forecasts for 2023 and beyond.” The Top 23 Security Predictions for 2023 (Part 1) (govtech.com) and The Top 23 Security Predictions for 2023 (Part 2) (govtech.com)
    My Take: Of course, there are many other trends and statistics to explore as the year unfolds. It is certainly a treacherous cyber ecosystem, and it is expanding with risks and threats. Being cyber-aware is part of the process of risk management and security, and hopefully looking at the cyber-threat landscape will prompt both industry and government to prioritize cybersecurity from the top down and the bottom up!
    About The Author
    Chuck Brooks
    Chuck Brooks is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also an Adjunct Faculty member at Georgetown University’s Graduate Cybersecurity Risk Management Program, where he teaches courses on risk management, homeland security technologies, and cybersecurity. LinkedIn named Chuck one of “The Top 5 Tech People to Follow on LinkedIn.” He was named “Cybersecurity Person of the Year for 2022” by The Cyber Express, one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated, a “Top 50 Global Influencer in Risk, Compliance” by Thomson Reuters, “Best of The World in Security” by CISO Platform, and by IFSEC and Thinkers 360 the “#2 Global Cybersecurity Influencer.” He was featured in the 2020, 2021, and 2022 Onalytica “Who’s Who in Cybersecurity.” He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to Skytop Media and to FORBES. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.
    Chuck Brooks – Cybersecurity Person of The Year


  • Highlights from the New U.S. Cybersecurity Strategy – Krebs on … – Krebs on Security

    The Biden administration today issued its vision for beefing up the nation’s collective cybersecurity posture, including calls for legislation establishing liability for software products and services that are sold with little regard for security. The White House’s new national cybersecurity strategy also envisions a more active role by cloud providers and the U.S. military in disrupting cybercriminal infrastructure, and it names China as the single biggest cyber threat to U.S. interests.

    The strategy says the White House will work with Congress and the private sector to develop legislation that would prevent companies from disavowing responsibility for the security of their software products or services.
    Coupled with this stick would be a carrot: An as-yet-undefined “safe harbor framework” that would lay out what these companies could do to demonstrate that they are making cybersecurity a central concern of their design and operations.
    “Any such legislation should prevent manufacturers and software publishers with market power from fully disclaiming liability by contract, and establish higher standards of care for software in specific high-risk scenarios,” the strategy explains. “To begin to shape standards of care for secure software development, the Administration will drive the development of an adaptable safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.”
    Brian Fox, chief technology officer and founder of the software supply chain security firm Sonatype, called the software liability push a landmark moment for the industry.
    “Market forces are leading to a race to the bottom in certain industries, while contract law allows software vendors of all kinds to shield themselves from liability,” Fox said. “Regulations for other industries went through a similar transformation, and we saw a positive result — there’s now an expectation of appropriate due care, and accountability for those who fail to comply. Establishing the concept of safe harbors allows the industry to mature incrementally, leveling up security best practices in order to retain a liability shield, versus calling for sweeping reform and unrealistic outcomes as previous regulatory attempts have.”
    In 2012 (approximately three national cyber strategies ago), then director of the U.S. National Security Agency (NSA) Keith Alexander made headlines when he remarked that years of successful cyber espionage campaigns from Chinese state-sponsored hackers represented “the greatest transfer of wealth in history.”
    The document released today says the People’s Republic of China (PRC) “now presents the broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”
    Many of the U.S. government’s efforts to restrain China’s technology prowess involve ongoing initiatives like the CHIPS Act, a new law signed by President Biden last year that sets aside more than $50 billion to expand U.S.-based semiconductor manufacturing and research and to make the U.S. less dependent on foreign suppliers; the National Artificial Intelligence Initiative; and the National Strategy to Secure 5G.
    As the maker of most consumer gizmos with a computer chip inside, China is also the source of an incredible number of low-cost Internet of Things (IoT) devices that are not only poorly secured, but are probably more accurately described as insecure by design.
    The Biden administration said it would continue its previously announced plans to develop a system of labeling that could be applied to various IoT products and give consumers some idea of how secure the products may be. But it remains unclear how those labels might apply to products made by companies outside of the United States.
    One could convincingly make the case that the world has witnessed yet another historic transfer of wealth and trade secrets over the past decade — in the form of ransomware and data ransom attacks by Russia-based cybercriminal syndicates, as well as Russian intelligence agency operations like the U.S. government-wide SolarWinds compromise.

    On the ransomware front, the White House strategy seems to focus heavily on building the capability to disrupt the digital infrastructure used by adversaries that are threatening vital U.S. cyber interests. The document points to the 2021 takedown of the Emotet botnet — a cybercrime machine that was heavily used by multiple Russian ransomware groups — as a model for this activity, but says those disruptive operations need to happen faster and more often.
    To that end, the Biden administration says it will expand the capacity of the National Cyber Investigative Joint Task Force (NCIJTF), the primary federal agency for coordinating cyber threat investigations across law enforcement agencies, the intelligence community, and the Department of Defense.
    “To increase the volume and speed of these integrated disruption campaigns, the Federal Government must further develop technological and organizational platforms that enable continuous, coordinated operations,” the strategy observes. “The NCIJTF will expand its capacity to coordinate takedown and disruption campaigns with greater speed, scale, and frequency. Similarly, DoD and the Intelligence Community are committed to bringing to bear their full range of complementary authorities to disruption campaigns.”
    The strategy anticipates the U.S. government working more closely with cloud and other Internet infrastructure providers to quickly identify malicious use of U.S.-based infrastructure, share reports of malicious use with the government, and make it easier for victims to report abuse of these systems.
    “Given the interest of the cybersecurity community and digital infrastructure owners and operators in continuing this approach, we must sustain and expand upon this model so that collaborative disruption operations can be carried out on a continuous basis,” the strategy argues. “Threat specific collaboration should take the form of nimble, temporary cells, comprised of a small number of trusted operators, hosted and supported by a relevant hub. Using virtual collaboration platforms, members of the cell would share information bidirectionally and work rapidly to disrupt adversaries.”
    But here, again, there is a carrot-and-stick approach: The administration said it is taking steps to implement Executive Order (EO) 13984 — issued by the Trump administration in January 2021 — which requires cloud providers to verify the identity of foreign persons using their services.
    “All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior,” the strategy states. “The Administration will prioritize adoption and enforcement of a risk-based approach to cybersecurity across Infrastructure-as-a-Service providers that addresses known methods and indicators of malicious activity including through implementation of EO 13984.”
    Ted Schlein, founding partner of the cybersecurity venture capital firm Ballistic Ventures, said how this gets implemented will determine whether it can be effective.
    “Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure, so they just use U.S.-based cloud infrastructure to perpetrate their attacks,” Schlein said. “We have to fix this. I believe some of this section is a bit pollyannaish, as it assumes a bad actor with a desire to do a bad thing will self-identify themselves, as the major recommendation here is around KYC (‘know your customer’).”
    One brief but interesting section of the strategy titled “Explore a Federal Cyber Insurance Backdrop” contemplates the government’s liability and response to a too-big-to-fail scenario or “catastrophic cyber incident.”
    “We will explore how the government can stabilize insurance markets against catastrophic risk to drive better cybersecurity practices and to provide market certainty when catastrophic events do occur,” the strategy reads.
    When the Bush administration released the first U.S. national cybersecurity strategy 20 years ago after the 9/11 attacks, the popular term for that same scenario was a “digital Pearl Harbor,” and there was a great deal of talk then about how the cyber insurance market would soon help companies shore up their cybersecurity practices.
    In the wake of countless ransomware intrusions, many companies now hold cybersecurity insurance to help cover the considerable costs of responding to such intrusions. Leaving aside the question of whether insurance coverage has helped companies improve security, what happens if every one of these companies has to make a claim at the same time?
    The notion of a Digital Pearl Harbor incident struck many experts at the time as a hyperbolic justification for expanding the government’s digital surveillance capabilities, and an overstatement of the capabilities of our adversaries. But back in 2003, most of the world’s companies didn’t host their entire business in the cloud.
    Today, nobody questions the capabilities, goals and outcomes of dozens of nation-state level cyber adversaries. And these days, a catastrophic cyber incident could be little more than an extended, simultaneous outage at multiple cloud providers.
    The full national cybersecurity strategy is available from the White House website (PDF).
    This entry was posted on Thursday 2nd of March 2023 08:33 PM
    For sure, Biden had to receive permission from his Chinese controllers before taking on any US cybersecurity strategy.
    And you can verify that lie?
    I think you meant to post that comment over at zero hedge.
    Chinese and Jewish Space Lasers! Help!!
    Found the village idiot!
    10% for the “Big Guy” from CEFC. Educate yourselves
    Sighhh. What is wrong with you people?
    It’s about time that this is looked at. What also needs to be looked at is the mad rush to AI.
    For sure, you had to receive payment from your Russian controllers before making this post.
    “Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure” (they can’t? someone should tell Ed Snowden).
    “All service providers must make _reasonable_ attempts to secure the use of their infrastructure against abuse or other criminal behavior,” “how this gets implemented will determine whether it can be effective.”
    I love it when a “plan” comes together. I feel safer already.
    So two comments:
    1) the phrase “open, free, global, interoperable, reliable, and secure Internet” occurs 5 times, once more with the word Internet at the start, and once followed by “digital future” which I’m taking as not very subtly coded speech for “Western Values”
    2) “Responsibility must be placed on the stakeholders most capable of taking action to prevent bad outcomes, not on the end-users that often bear the consequences of insecure software, not on the open-source developer of a component that is integrated into a commercial product.”
    They don’t mention what happens if it’s not a commercial product. Or if the open source is from a company that provides it as a product in some way or supports it. I hope the intent is to protect open source devs, but the actual implementation will be very complicated (Red Hat hires a lot of developers to work on open source, and not just stuff Red Hat ships, e.g. Debian developers).
    Remember the Cybersecurity Strategy of the CAN-SPAM Act, a huge failure in my opinion. Cyber-security solutions should stay in the private sector, not with the government bureaucrats.
    I would argue that it was quite successful when compared to doing nothing, which is always what cynics offer.
    Everyone hates the bureaucracies, until the private sector fails. Then they call for oversight and regulation. Only when they forget that the private sector is to blame, do they go back to blaming the government.
    The private sector never fails. America has a private sector? I thought we had public costs, private profits, as well as complexes such as medical, pharma, and military, along with tech gatekeepers. But yeah, keep that propaganda up with “private sector”.
    Leaving it to the private sector has never ended well for any industry ever. We don’t need fewer regulations, we need more and we need to enforce them better.
    I think the ESRB has been hugely successful in the games industry.
    “The most noteworthy aspect of this part of the strategy is the plan to strengthen the cybersecurity workforce and tackle the lack of diversity among cybersecurity professionals. Other efforts included in this pillar include accelerating the adoption of technology that secures a clean energy future and encouraging investments in robust verifiable digital identity solutions.”
    So, just like our military, they’re going to worry more about genders and green energy than actually fixing the problem. Except that pesky little problem of tracking citizens: “robust verifiable digital identity solutions”.
    “Adversaries know the NSA, which is the elite portion of the nation’s cyber defense, cannot monitor U.S.-based infrastructure”
    Imagine being so delusional you actually believe this.
    Nine comments, and all but one are pure snark ginned up over a dopey Q-Anon trope or political drivel. Krebs’ audience usually contains at least a couple of qualified commenters… usually.
    As much as I’d disagree with your “hot take” there, your own would make 10.
    If you have something “qualified” to say, let’s hear it. ^ This can’t be it, can it?
    Avoid hypocrisy. If you think this issue demands deep technical knowledge,
    or the vague wording of the “plan” proposed and reasonably in-depth coverage
    by our esteemed Mr. Krebson gives you “qualified” thoughts to share on it,
    what might they be? A snarky drivel response to what you see as same?
    Be the change you wish to see in the world.
    I was just about to leave a snark remark echoing much the same of what the person you responded to stated – until I saw your post. Thank you for that – you are absolutely correct and nothing is worse than hypocrisy.
    The DoD and the Intelligence Community are equally committed to using all of their complementary authorities to support disruption activities.
    In a similar vein, disruption efforts will benefit from the complete set of complementary powers that the DoD and the Intelligence Community are committed to using.
    I can’t believe U.S. leaders were dumb enough to outsource all of this stuff — semiconductors, 5G, general supply chains — in the first place. Complete stupidity.
    Short-term profits for our corporate overlords, sure. But long term it has been a disaster.
    US business runs on market forces unless acted on by a more powerful force than $.
    Lately they’ve been looking to in-source production after decades of degradation there,
    but it’s a slow process. A 1990’s view of China as America’s benevolent manufacturer
    has been debunked yet the market still rules on many fronts, as even Tiktok shows.
    China’s planned system makes such major moves far easier for them than US’ does.
    It’s a huge restructuring. It will take a long time, a massive restructuring in all sectors.
    Meanwhile US markets are still saturated with cheap ubiquitous security-agnostic IOT
    products that consumers demand – you can still buy Dahua/Hikvision camera systems.
    They’re cheap. Until there’s some other driver for US consumers or outright restriction,
    expect to revisit that issue a lot. The Tiktok ban legislation is a significant trial balloon,
    one garnering scarce bipartisan support from those at all awake in the legislature.
    It’s much more complicated than just snapping fingers at the top, in the US.
    Yeah, this started as early as 1976 when I was working for a DOD MIL supplier. One of the main points was that our suppliers had to be based in the US, and on a QPL list.
    One day I thought my eyes had gone bad as the QPL parts supply list said “Hitachi” for one critical part. Thinking it to be a mistake, I went to The Big Purchasing Dude (PA-Purchasing Agent) and asked if it was a mistake. He said no. Nothing else, just “No.”
    I said, “Well, I sure hope they don’t get pissed at us again,” and left his office just as his coffee cup hit the wall.
    Different players, same game: “Lucrum super omnia.”
    Open source software drives a huge fraction of the internet. Many vulnerabilities (Hi, Equifax!) trace their root cause to sloppy updating of open source systems by site operations people. Some more recent vulns (solar winds) are due to poisoning of open-source code repositories by bad actors.
    My own Ubuntu machines — running long-term-support OS versions — get several updates a week. I keep them up to date; I work on open-source software and I don’t want to be the guy whose repositories are poisoned.
    If Brian chose to publish a rundown of Ubuntu updates the way he publishes a rundown of Windows updates, he’d do very little else.
    My point: “Cybersecurity” initiatives need to provide funds for open-source development teams. Those teams need to be able to afford good development, test, and distribution practices. Those things are labor-intensive and require consistent vigilance. If handled only by volunteers and by people seconded to open source by the biggies (GOOG, FB, Apple, MSFT, AWS, etc) they’ll fall short.
    Diversity and equity, not education and talent. Got it.
    *dodges plane on the runway* x 3
    *Learn how to read so you can comment on topic.*
    I’m so happy it’s not what I expected of the current administration. Thought I was going to be reading about how firewalls are like border walls, are racist and need to be shut down everywhere. After all, it is a very crazy world.
    Wow, how we’ve progressed: we identified the problem!
    The sort of content (most, much, not all) I see here in these chains regularly makes me question the value of comment threads on Krebs’ stories. I kinda feel like it’s maybe a magnet for the crazies, I suppose.
    Great job with the story, in any case.
    Brian, and all other security enthusiasts, I encourage you to check this link: http://alexbuckland.me/
    I believe this is the skid ratter the government are trying to kill.
    Perhaps you should do a write up about it Brian.
    “the greatest transfer of wealth in history.” I’m confused. Wasn’t it the scamdemic?
    You’re confused when this was said in 2012, a decade prior to the pandemic?

    source

  • Experts warn of Cybercrime in BiH: The Functioning of Institutions, Money is at Risk – Sarajevo Times

    The authorities did not undertake the activities necessary to ensure the basic prerequisites for cyber security, although last year 24 of the 68 institutions in Bosnia and Herzegovina (BiH) were exposed to cyber attacks. This endangers the operation of public administration and can lead to the misappropriation of data and of the financial resources necessary for the functioning of the country and the everyday life of citizens, warns the Office for the Audit of Institutions of BiH.
    In its report on the audit of the performance of BiH institutions in ensuring the basic prerequisites for cyber security, the Office for the Audit of the Institutions of BiH recalls that last year a cyber attack on the institutions of BiH suspended the work of employees and blocked access to official websites for almost a month.
    “For example, jeopardizing the security of the e-government system would cause a halt in the work of the Council of Ministers and could delay the adoption of important decisions for the public administration and citizens. An attack on the information system of the Ministry of Finance and Treasury in the Council of Ministers would threaten the records of all financial transactions of BiH institutions and could cause the suspension of all payments from the BiH budget,” the auditors state.
    Noting that there are no official data on the number and type of cyber attacks in BiH, the auditors state that the institutions of BiH were not effective in undertaking activities aimed at providing the basic prerequisites for cyber security.
    For these reasons, the Office for the Audit of BiH Institutions has issued recommendations aimed at helping to provide the basic prerequisites for cyber security. The first is addressed to the Council of Ministers: define deadlines, and responsibility for reporting, for the process of preparing the relevant cyber security acts.
    All institutions at the BiH level were also recommended to urgently adopt information security management acts.



    source

  • Reddit on data breach: ‘As we all know, the human is often the weakest part of the security chain’ – IT World Canada

    Cybersecurity experts have long said that attackers need to get lucky only once, while organizations have to be lucky every time there’s an attack.
    Evidence of that maxim was demonstrated in the explanation by Reddit of its recent data breach.
    On Feb. 5, an unknown attacker launched what the discussion site called a “sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
    “After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”
    As a result of the incident, the statement said, Reddit is working to “fortify” employees’ security skills. “As we all know, the human is often the weakest part of the security chain,” the statement added.
    To this employee’s credit, however, they reported their mistake, allowing Reddit’s security team to quickly remove the infiltrator’s access.
    There is no evidence the site’s primary production systems — the parts of the stack that run Reddit and store the majority of its data — were accessed, the statement said. Reddit user passwords and accounts are safe, it added.
    However, the site admitted the attacker accessed “some internal documents, code, and some internal business systems.”
    Exposed data included what the statement called “limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”
    The statement also urges Reddit users to enable multifactor authentication to protect their login credentials, and to use a password manager.
    Johannes Ullrich, dean of research at the SANS Technology Institute, noted in an email that there is a lot of technology to detect website impersonation. “For example, companies like Google have invested a lot of effort to clean up the TLS [transport layer security, which encrypts data] infrastructure to produce reliable certificates identifying the identity of websites a browser connects to, and to prevent machine-in-the-middle attacks,” he wrote. “But at the same time, little progress has been made to find better ways to communicate to users which organization they interact with.
    “Instead of relying on users to decide if a website is legit or not, we need to leverage phishing-resistant authentication schemes like FIDO2. These systems leverage existing technology like TLS to prevent the use of authentication secrets across different sites.”
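    The origin binding Ullrich alludes to is what separates a FIDO2 credential from the credentials and second-factor tokens harvested on the cloned gateway page. The toy model below is an added example and is not code from Reddit, SANS, or the article; it replaces the real ECDSA signature with an HMAC stand-in (so the relying party stores the shared key where it would normally store a public key), and every hostname, challenge and secret is constructed for the demonstration. It shows the two checks that defeat a lookalike site: the browser only releases a credential whose rpId matches the origin it actually loaded, and the relying party rejects any assertion whose signed client data names a different origin. A relayed one-time code, by contrast, is accepted unchanged.

```python
"""Toy model of origin-bound (FIDO2/WebAuthn-style) authentication versus a
reusable second-factor code.  Added example, not the article's or Reddit's
code.  HMAC stands in for the authenticator's ECDSA signature; all hostnames
and secrets below are constructed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "intranet.example.com"                                  # constructed rpId
GENUINE_ORIGIN = "https://intranet.example.com"                 # constructed
PHISH_ORIGIN = "https://intranet.example.com.login-portal.net"  # constructed lookalike


def effective_domain(origin: str) -> str:
    """Host part of an https origin; the browser compares rpId against this."""
    return origin.removeprefix("https://").split("/")[0]


def rp_id_matches(rp_id: str, origin: str) -> bool:
    """WebAuthn scoping rule: rpId must equal the origin's host or be a
    registrable suffix of it.  A lookalike host that merely *starts* with
    the real domain does not match."""
    host = effective_domain(origin)
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """One credential per rpId; keys never leave the device in real WebAuthn
    (here the RP is handed the HMAC key at registration as a stand-in for
    receiving the public key)."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id: str):
        cred_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[rp_id] = (cred_id, key)
        return cred_id, key

    def get_assertion(self, rp_id, origin, challenge, enforce_rp_id=True):
        # enforce_rp_id=False models a broken client, used only to show that
        # the server-side origin check is an independent second line of defence.
        if enforce_rp_id and not rp_id_matches(rp_id, origin):
            return None  # credential is not scoped to this origin: nothing released
        cred_id, key = self._keys[rp_id]
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        # Signed material binds the observed origin (via client_data) and the rpId.
        sig = hmac.new(key, hashlib.sha256(client_data).digest() + rp_id.encode(),
                       "sha256").hexdigest()
        return {"credential_id": cred_id, "client_data": client_data, "signature": sig}


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}  # cred_id -> key (stands in for the stored public key)
        self.pending = set()   # unconsumed one-time challenges

    def enroll(self, cred_id, key):
        self.credentials[cred_id] = key

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, assertion) -> bool:
        if assertion is None:
            return False
        data = json.loads(assertion["client_data"])
        if data["origin"] != self.origin:      # origin check that defeats a cloned site
            return False
        if data["challenge"] not in self.pending:  # unknown or replayed challenge
            return False
        self.pending.discard(data["challenge"])
        key = self.credentials.get(assertion["credential_id"])
        if key is None:
            return False
        expected = hmac.new(key, hashlib.sha256(assertion["client_data"]).digest()
                            + self.rp_id.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


def run_phishing_scenario():
    """Returns (genuine_login_ok, phish_page_got_credential, relayed_assertion_accepted)."""
    auth, rp = Authenticator(), RelyingParty(RP_ID, GENUINE_ORIGIN)
    rp.enroll(*auth.register(RP_ID))
    genuine_ok = rp.verify(auth.get_assertion(RP_ID, GENUINE_ORIGIN, rp.new_challenge()))
    challenge = rp.new_challenge()  # attacker relays a real challenge to the clone
    phished = auth.get_assertion(RP_ID, PHISH_ORIGIN, challenge)          # browser refuses
    relayed = auth.get_assertion(RP_ID, PHISH_ORIGIN, challenge, enforce_rp_id=False)
    return genuine_ok, phished is not None, rp.verify(relayed)


def run_reusable_code_scenario() -> bool:
    """A six-digit code typed into the clone is just a string the attacker can
    forward; the genuine server's check passes.  Returns True if accepted."""
    shared = secrets.token_bytes(20)

    def code(counter: int) -> int:  # HOTP-style derivation, constructed here
        mac = hmac.new(shared, counter.to_bytes(8, "big"), "sha1").digest()
        return int.from_bytes(mac[-4:], "big") % 10**6

    typed_on_clone = code(42)  # user copies the code from their app into the clone
    return code(42) == typed_on_clone  # relayed unchanged, accepted by the real site


if __name__ == "__main__":
    print(run_phishing_scenario())       # (True, False, False)
    print(run_reusable_code_scenario())  # True
```

    The server-side origin check matters even though the browser already refuses to release a mis-scoped credential: it means a relying party does not have to trust every client implementation, and it is also the check that shows up in logs when a relayed assertion arrives with the wrong origin.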

    source

  • HBCU tackles shortage of cyber security professionals – Spectrum News

    SAN ANTONIO — Isaiah Flores is finding his way through school as a first generation college student.
    “I was going to be an electrician, but then my dad was like, ‘Go to college, invest in yourself.’ So I took it to heart, and I did,” Flores said.
    He’s a freshman at St. Philip’s College majoring in cyber security, a fast-growing industry.
    “Anywhere I go, I’ll have a job,” Flores said. “I won’t have to worry. Everybody needs a cyber-security worker. Ever since COVID, they really, really need us.”
    Sophomore Kenneth Grissett loves computers, but says he didn’t realize there were so many career paths in the technology field.
    “To fix issues that businesses have or even governments,” Grissett said. “You can go into different fields: medical, chemistry, network security.”
    Caroline Mora spent years in the cyber workforce before becoming a professor.
    “To educate students and let them know that there’s a pathway that’s not well sought out,” Mora said.
    St. Philip’s is a historically Black college and a Hispanic-Serving Institution. It has partnered with the national cyber alliance to give minority students the skills they need to fill the gaps in the cyber workforce.
    “Because there’s a big need to have students, especially from our population, who can make a difference,” Mora said. “Being an ethnicity myself, it’s very hard for students from different cultures to get into their field.”
    Statistics show there isn’t much diversity in cyber security. Only 25% of cyber professionals are women, 9% are Black and just 4% are Hispanic.
    “The field is taking off,” Grissett said. “They have so many job opportunities in it. Seats that need to be filled.”
    There are about 715,000 cyber security job openings nationwide. Although Isaiah is just getting started, he expects to secure one of those high-paying jobs after graduation.
    “Even my dad is like, ‘Shoot for the stars,’” Flores said. “Why can’t I have that job or make that type of money? Or live that type of life that these people are living.”

    source

  • Cybercrime menace: 500,000 Sim cards blocked in Mewat since January 2022 – Business Standard

    BS Web Team  |  New Delhi 


    Haryana Police's Cyber Crime Cell has blocked over 5 lakh Sim cards since January 2022 that were being used in the Mewat region to commit cyber fraud, a report by The Indian Express (IE) said. They have also identified 402 criminals allegedly involved in cyber fraud. Mewat is located in the Nuh district of Haryana.
    In 2022, the cell has acted upon 66,784 complaints amounting to total frauds worth Rs 301.48 crore. A total of 2,165 cases have been registered so far and 1,065 people have been arrested. Moreover, transactions worth Rs 46.91 crore have been put on hold or the money has been recovered in such transactions.
    "We used cell tower dump analysis in Mewat to identify 496,562 mobile numbers issued from other states but used exclusively in this region. We have identified 15,672 more numbers and blocked 1,959. Eleven suo moto cases have been registered. Suspicious links with other states were found in six of these cases. The details have been shared with the states concerned," an official told IE.
    The report added that fraudulent calls and Sim cards have been identified using Artificial Intelligence and Facial Recognition Powered Solution for Sim Subscriber Verification (ASTR), a tool developed by the Department of Telecommunications (DoT).
    The fraudsters were making a call using a Sim card, then switching off the phone, removing the Sim and putting a new Sim in the same phone to place the next call. The authorities added that six Sim cards can be issued on a single identity proof but here even a dozen were issued.
    "One person arranges for SIM cards using fake documents, the second gets bank accounts and payment applications linked to these SIM cards, the third one uses another SIM card to call and dupe potential targets, while the fourth withdraws the money. The offenders mostly target people living far away to evade arrest," another official told IE.
    The report added that the Ministry of Home Affairs (MHA) has also raised concerns over cybercrimes in Mewat.
    First Published: Mon, February 20 2023. 12:47 IST

    source