According to the United Nations, the world witnessed a significant rise in violent conflicts in 2023 that reached unprecedented levels not seen since World War II. This trend will likely continue into 2024 as technology enables nation-state-level cyber operations to surge — further fracturing the geopolitical landscape. The increase in global tensions continues to impact the cyber security landscape profoundly. Three of the ‘Big Four’ nation-states, namely Russia, China, and Iran, are paving the way toward a new level of worldwide cyber tensions. We have seen evolving cyber threats from these regions throughout the first couple of months of the calendar year. January 2024 will likely be the harbinger of a particularly challenging year for almost any organisation with an internet-connected device.

From Russia with love 

Since Russia’s military engagement with Ukraine, we have witnessed an unparalleled surge in cyber operations. These activities continue to target Ukrainian civilian and military infrastructure to gather intelligence and undermine the nation’s resistance. In 2023, Moscow-aligned cyber operations also extended beyond the borders of Ukraine, targeting NATO member states as well as other nations sympathetic to the cause of Kyiv. Russia likely conducted these activities via proxies such as cybercriminal groups and hacktivist collectives. It’s interesting to note that these attacks were most prominent during periods of Western support initiatives for the Ukrainian war efforts.  

Moscow will likely continue to employ proxies to implement destructive cyber-attacks involving the deployment of wiper malware, information operations (IO), and intellectual property (IP) theft to inhibit cooperation between entities involved in providing Ukrainian support. Fluctuating periods of targeting against the transportation and logistics sectors will likely occur during the delivery of support packages to Ukraine, as Russia will seek to disrupt their supply.  

As 2024 rolls out, we have assessed that Russia’s cyber operations will likely continue targeting Ukraine’s critical national infrastructure (CNI), the scope and duration of which are expected to widen, with likely expanded economic espionage targeting of sub-Saharan Africa. 

Made in China 

Offensive cyber operations conducted by the People’s Republic of China (PRC) remained extensive throughout 2023. Beijing’s operations focused heavily on IO and intelligence gathering, almost certainly due to the strategic objectives of the ‘Made in China 2025’ initiative, the national strategic plan to secure China’s position as a global leader in high-tech industries. The initiative aims to reduce Beijing’s reliance on foreign technology imports and invest in its own technology advances to establish Chinese organisations that can compete domestically and globally.

In addition, Beijing’s cyber espionage efforts against the Taiwanese semiconductor industry are a significant concern. This year will likely see China escalating its cyber operations to advance its geopolitical objectives in the South China Sea, with expanded efforts including more direct sabotage aimed towards rival states in conjunction with concentrated cyber-attacks on Taiwan’s technology sectors. Chinese IO will likely continue to expand in scope and diversification, leveraging social media and enhanced artificial intelligence (AI) capabilities to influence the outcome of crucial elections and to undermine democratic integrity in favour of leaders that better suit Chinese interests. Finally, there is a realistic possibility of an uptick in People’s Liberation Army Strategic Support Force (PLASSF) sponsored cyber espionage aimed towards Ukraine, with recent intelligence indicating that Pakistan, a Chinese rival, has imported Ukrainian-produced unmanned aerial vehicles (UAVs), which have been added to its armed forces’ inventory and will likely be utilised to counteract Chinese military threats.

The Iranian Sandstorm 

Throughout 2023, Iranian cyber capabilities became increasingly sophisticated, allowing state-sponsored threat actors to expand beyond their traditional Western targets to include regions such as Asia, Africa, and Latin America. Their initiatives ranged from aggressive IO in support of Palestinian causes to sophisticated espionage campaigns targeting various Middle Eastern states. Case in point: a highly sophisticated espionage campaign launched by the Tehran-aligned Advanced Persistent Threat (APT) unit tracked as ‘Hazel Sandstorm’ targeted multiple states across the Middle East, including the United Arab Emirates (UAE), Israel, Iraq, Jordan, Kuwait, Oman, and Saudi Arabia. Sectors of interest for this campaign are reported to have been government agencies, military branches, and telecommunications sectors, in addition to financial organisations and non-governmental organisations (NGOs).

Extreme caution should be exercised regarding Iran. Following the ‘Transition Day’ of the Joint Comprehensive Plan of Action (JCPoA) on 18th October 2023, certain restrictions on Iran’s nuclear and missile programmes have been lifted. However, with Iran’s increasing non-compliance since 2019, the UN Security Council Resolution 2231 decided to maintain restrictions, denying nuclear weapons testing or ballistic missile activities. There is a realistic possibility that this will result in retaliatory Iranian cyber operations being aimed towards Western government, military, financial and higher education industry verticals, as the UK, with the support of fellow E3 member states France and Germany, continues to apply restrictive measures against Tehran.  

A pivotal year for global politics   

The beginning of every year has the potential to be pivotal on the global stage — and 2024 is shaping up to be no exception. The Paris Summer Olympic Games, the 75th anniversary of the PRC, and the US presidential elections present opportunities for nefarious cyber activities. However, unlike in previous years, 2024 will likely witness the tightest culmination of geopolitics and cybercrimes that the world has ever seen.  

Cyber security has become the responsibility of businesses, governments, and individuals around the globe. Each entity must therefore become aware of evolving cyber threats, adopt strategies to deflect attacks, and, most importantly, share what it learns so that robust defensive measures can be developed and implemented. A collective and diligent mindset toward cyber security will be paramount to safeguarding the integrity and stability of all digital assets.

Craig Watt is a Threat Intelligence Consultant at Quorum Cyber, specializing in strategic and geopolitical intelligence.

The post An Analysis of the Rising Cyber Crime Levels Across the Globe appeared first on Cybersecurity Insiders.

Progress, a company known for their expertise in infrastructure management software, recently introduced a new tool called Progress® Chef® Courier™. This tool is a component of the latest cloud-native platform, Progress® Chef 360™, designed to simplify the management of intricate workflows. 

According to Progress, Chef Courier can aid IT professionals in consolidating and automating important IT tasks, ensuring they adhere to security and compliance standards. Moreover, it facilitates the convergence of application development with security operations and can handle various software environments. Users can employ Chef Courier to tailor node lists for job orchestration—scheduling and setting conditions—thereby cutting down on the effort required for identifying and resolving large-scale issues. The product also aims to centralize tools, lessen the need for a varied skill set and, alongside, reduce the costs associated with the recruitment and retention of specialized IT personnel. 

“In today’s competitive landscape, rapidly delivering critical applications without compromising on security and compliance is essential for every organization,” Sundar Subramanian, EVP & General Manager of Infrastructure Management at Progress, stated in a press release. “With the release of Chef Courier, we enhance our customers’ capacity to achieve this while streamlining IT processes and integrating people, tools, and workflows. As part of our augmented focus on the existing Chef collection, Chef 360 and Chef Courier represent an advancement in our commitment, complementing our strong suite in infrastructure, security, compliance, application rollout, and edge management.” 

Henk Keuris, Senior DevOps Engineer at a major South African medical insurance company and one of Chef Courier’s beta testers, shared his approval of the software, noting its user-friendliness and efficiency, allowing him to monitor all necessary components within a single interface. 

Chef Courier is neutral to vendors and continues to support a range of technologies. It maintains engagement with the open-source community and offers straightforward licensing conditions, positioning itself as an alternative amidst ongoing shifts made by other competitors. 

A report by Gartner predicts that the IA&O (Infrastructure Automation & Orchestration) market will gain increased significance, as infrastructure delivery teams must meet the needs of quickly evolving business and technological demands, embracing IPE (Infrastructure Platform Engineering) for superior, adaptable infrastructure delivery. 

Chef Courier is offered as both SaaS and marketplace products, reducing the overhead of task management like routine system updates and incident handling in the Chef ecosystem. 

The post Progress Introduces Chef Courier for Simplified Job Management Across Corporate Software Ecosystems appeared first on Cybersecurity Insiders.

The appetite for food delivery apps has grown exponentially—more than 2.85 billion people used them globally last year. In the United States alone, the $350 billion industry expanded by roughly 50% during the pandemic. 

With rising popularity has come rising fraud, as bad actors identify new ways to exploit weaknesses in these platforms. Well-known food delivery companies are seeing as much as $1.5 million in losses every month as a result of fraud.

In order to combat today’s sophisticated scams, companies need to know what to look for and how to identify and address the gaps in their fraud prevention stack. Here are the top three:

1. Promotion Abuse: Everyone likes a good deal, and we have all, at one time or another, created a second account on a website to take advantage of a promotional offer – like 15% off your first order or free shipping as a new member. While an individual occasionally doing this won’t make a big impact in the long run, organized bad actors are exploiting apps at scale and causing significant loss.

Multi-accounting is a fraud technique used to exploit a service for financial or personal gain. Multi-accounters abuse promotions by creating multiple accounts with different names, email addresses, and/or phone numbers. Additionally, they have tools like Parallel Space and App Cloner at their disposal, which scale their schemes by letting them sign into different accounts simultaneously and alter certain app features, so the abuse proceeds exponentially faster. With multi-accounting, fraudsters can not only abuse promotions for their own gain but can also sell those promotions to others, or resell the services they received at a discounted rate for more than face value.

This wide-scale promotional abuse causes companies to lose money on initiatives meant to increase revenue and also interferes with marketing campaigns. Additionally, companies often interpret these accounts as churn and as a result, spend more money on customer acquisition. 

Reliable data is the first step in protecting a promotional campaign from fraud. Using tamper-resistant signals enables companies to understand the full scale of their fraud problem and not misinterpret it as a lost customer. It’s important that companies consistently monitor their data to identify promo abuse signs, which may be less obvious. 

Promotional campaigns are a crucial part of any company’s growth strategy, but it’s important to recognize their vulnerabilities in order to combat abuse. Remember, organized fraudsters treat promo abuse as a business and take into account their return on investment. If the promotion doesn’t leave room for fraudsters to make money, it isn’t worth it to them to commit the fraud.

2. Driver Fraud: Driver fraud on food delivery apps is more common than one might think. Account sharing is a workaround technique in which drivers rent out their accounts so others can use them for a cut of the unverified driver’s earnings. This naturally presents a trust and safety issue while also leaving the food delivery company open to liability if the driver were in an accident or committed a crime while pretending to be someone else.

Location spoofing, where a driver manipulates the location signals their device gives off, is another way drivers commit fraud on food delivery apps. On most apps, a driver has a delivery radius based on their location. When drivers trick the app into assigning a different radius through location spoofing, they can sometimes make more money because different locations have different fees. However, this can mean longer wait times for customers and reduced efficiency of the logistics algorithm. Drivers can also use location spoofing to make it look like they’re delivering orders when they actually aren’t. These “Superman” drivers are in one location one minute and, the next, appear miles away.

Device identifiers with tamper-detection capabilities and location intelligence are emerging as a tool to fight against driver fraud on food delivery apps. Identity verification uses a combination of signals to provide a comprehensive picture of a device’s real-time location. Each person creates a unique location fingerprint on their device through their daily activities. Now, apps can compare that device location identity with the driver’s location to identify if someone other than the account owner is signed in. 

3. Collusion: Collusion is harder to spot because much of the fraud occurs outside the app or is carried out by a single person. Companies are most likely to encounter courier-customer collusion. In this scenario, a customer orders food, a driver delivers it, and the customer cancels the order, resulting in a refund and free food. Another example of collusion is restaurant-courier collusion. In this case, a restaurant maintains multiple fake accounts, using one to order food and another to give the illusion that it was delivered. From there, the restaurant leaves positive reviews to encourage more orders.

Device ID, the unique identifier linked to a particular device, has emerged as a way to fight collusion on food delivery apps. When paired with location, it becomes even stronger because traditional device ID spoofing measures like factory resets won’t be enough to hide the phone’s true identity. Using device ID and location, platforms can tie multiple accounts to the same device or location, eliminating one tool fraudsters use to collude against platforms. 
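As an added illustration of the device ID and location checks described in the driver fraud and collusion sections (example code written for this page, not from the original article or any vendor), the following flags consecutive location pings whose implied travel speed is physically implausible (the “Superman” driver) and groups accounts that share one device identifier. All account IDs, device IDs, coordinates and the 150 km/h threshold are constructed assumptions.

```python
"""Two defender-side heuristics over constructed delivery-app telemetry:
1. implausible_moves: consecutive pings from one account that imply a
   travel speed no delivery vehicle reaches (location spoofing).
2. shared_device_clusters: several accounts signed in from one device ID
   (multi-accounting behind promo abuse or collusion).
All IDs, timestamps and coordinates below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Ping:
    account_id: str
    device_id: str  # tamper-resistant device identifier reported by the app
    ts: datetime
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def implausible_moves(pings, max_speed_kmh: float = 150.0):
    """Return (account_id, t_from, t_to, speed_kmh) for each pair of
    consecutive pings from the same account whose implied speed exceeds
    max_speed_kmh. The threshold is an assumed tuning value."""
    by_account = defaultdict(list)
    for p in pings:
        by_account[p.account_id].append(p)
    flags = []
    for account, series in by_account.items():
        series.sort(key=lambda p: p.ts)
        for prev, cur in zip(series, series[1:]):
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours > 0:
                speed = dist_km / hours
            else:
                # Two pings at the same instant from different places cannot both be genuine.
                speed = float("inf") if dist_km > 0 else 0.0
            if speed > max_speed_kmh:
                flags.append((account, prev.ts, cur.ts, round(speed, 1)))
    return flags


def shared_device_clusters(pings, min_accounts: int = 2):
    """Map device_id -> sorted list of distinct account IDs seen on it,
    keeping only devices used by at least min_accounts accounts."""
    accounts_by_device = defaultdict(set)
    for p in pings:
        accounts_by_device[p.device_id].add(p.account_id)
    return {dev: sorted(accts) for dev, accts in accounts_by_device.items()
            if len(accts) >= min_accounts}


# Constructed sample telemetry (not real users, devices or orders).
SAMPLE_PINGS = [
    # Driver drv-1001 moves about 1 km in 10 minutes, then "teleports"
    # from New York to Los Angeles in 5 minutes.
    Ping("drv-1001", "dev-A", datetime(2024, 5, 1, 12, 0), 40.7128, -74.0060),
    Ping("drv-1001", "dev-A", datetime(2024, 5, 1, 12, 10), 40.7200, -74.0000),
    Ping("drv-1001", "dev-A", datetime(2024, 5, 1, 12, 15), 34.0522, -118.2437),
    # Three "new customer" accounts all signing in from the same device.
    Ping("cust-2001", "dev-B", datetime(2024, 5, 1, 13, 0), 41.8781, -87.6298),
    Ping("cust-2002", "dev-B", datetime(2024, 5, 1, 13, 2), 41.8781, -87.6298),
    Ping("cust-2003", "dev-B", datetime(2024, 5, 1, 13, 5), 41.8781, -87.6298),
    # An ordinary single-account device.
    Ping("cust-3001", "dev-C", datetime(2024, 5, 1, 14, 0), 29.7604, -95.3698),
]

if __name__ == "__main__":
    for flag in implausible_moves(SAMPLE_PINGS):
        print("implausible move:", flag)
    for device, accounts in shared_device_clusters(SAMPLE_PINGS).items():
        print("shared device:", device, accounts)
```

In production these flags would feed a review queue rather than block accounts outright, since a single GPS glitch or a legitimately shared family device can trip either heuristic.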

Food delivery fraud is growing along with the use of these apps. To get ahead of it, the first step is to identify it, so that businesses have the right processes and technology in place to protect against it. It is critical to deploy agile solutions that enable your company to evolve with the fraudsters. This means deploying sophisticated fraud prevention solutions that can combat increasingly sophisticated attacks, so that companies can protect their brand reputation, decrease losses and thrive within their industry.

The post Food Fraud: The Top Three Scams Impacting the Food Delivery Industry appeared first on Cybersecurity Insiders.

Service Helps Organizations Better Prepare and Respond to Cyber Attacks

Proficio®, a leading Managed Detection and Response (MDR) provider, today announced the rollout of its ProBAS Breach and Attack Simulation service. By rigorously testing an organization’s security defenses, ProBAS ensures they can prevent compromise events and detect attacks throughout the entire threat detection and response process. From device alert logs to SIEM, SOC detection, and containment response actions, ProBAS covers every aspect.

“Cyber criminals only need to be lucky once, but cyber defenders must be vigilant and successful at countering attacks every time in order to protect their environment. ProBAS embodies this relentless vigilance by not only identifying potential threats, but also implementing mitigation strategies to ensure continuous and comprehensive defenses,” says Brad Taylor, co-founder and CEO, Proficio. “Our service simulates a diverse array of cyber threats such as malware, phishing, or ransomware which are tailored to specific business context, ensuring realistic testing environments that help organizations better prepare to counter cyber events.”

ProBAS delves deep into the realm of cyber warfare with detailed simulations of MITRE ATT&CK techniques. From credential theft to sophisticated data exfiltration, ProBAS immerses security systems in the crucible of real-world cyber battles. Leveraging cutting-edge simulation technology to perform deep and comprehensive vulnerability security assessments, ProBAS uncovers and addresses critical vulnerabilities in an organization’s cyber defenses before they can be exploited.

Additionally, ProBAS’s elite cybersecurity experts adopt adversarial roles for red team evaluations, rigorously testing and honing an organization’s defense mechanisms against advanced threats and enhancing internal team readiness against sophisticated cyberattacks. Following the simulations, ProBAS provides immediate feedback and insights, proposes strategic enhancements, and imparts actionable recommendations to bolster cybersecurity frameworks.

“With ProBAS, cybersecurity management can rest easy, confident that attacks will be detected and contained, whether by their own internal security team or SOC partner, like Proficio, after testing thousands of scenarios,” adds Taylor.

As the inventor of SOC-as-a-Service, automated threat response and cybersecurity business intelligence, Proficio was created with the sole purpose of advancing the global mission of MDR. Recently, Proficio was named a winner of the 2024 Cybersecurity Excellence Awards in the Managed Detection and Response (MDR) category. The company was also named a Representative Vendor in the 2024 Gartner Market Guide for Co-Managed Security Monitoring Services. https://www.proficio.com/press-release/proficio-recognized-in-the-2024-gartner-market-guide/.

For more information on Proficio and ProBAS visit: https://www.proficio.com/services/probas-breach-attack-and-simulation/


The post Proficio Launches New ProBAS Breach and Attack Simulation Service appeared first on Cybersecurity Insiders.

Global cybercrime costs are projected to soar from $9.22 trillion in 2024 to $13.82 trillion by 2028.1 In the United States alone, these costs are forecast to exceed $452 billion in 2024.2 Alarmingly, in 2023, three in four companies in the United States were at risk of a material cyberattack, according to chief information security officers (CISOs).

With this in mind, cybersecurity and compliance expert Kiteworks sought to identify the U.S. states where businesses are most at risk of cyberattacks. To do so, the company created a points-based index which analyzed a variety of factors such as annual victim counts, financial losses from cyberattacks, increases in both victims and losses, and the types of cyberattacks experienced.

Key findings:

  • Colorado is the state where businesses are most at risk of cyberattacks, with a risk score of 7.96. Colorado has seen a 58.7% increase in victim losses since 2017
  • With the highest population of 38 million, California’s annual cyberattack losses amount to over $656 million (656,847,391)
  • The state of Missouri has the biggest four-year moving increase in financial losses attributed to cyberattacks, with a 136% increase since 2017
  • Virginia is the only state to see a decrease in cyberattack victims since 2017, with a decrease of 10.8%

The results:

Colorado is Most at Risk From Cyberattacks

Colorado is the state where businesses are most at risk of cyberattacks, with a risk score of 7.96 out of 10. Despite its mid-sized population of 5,877,610, Colorado experienced the highest rate of cyberattacks since 2017 and has reported 10,776 annual victims from 2020. Although Colorado has seen a moving increase of only 3.8% in victims since 2017, the state has faced significant financial losses due to cyberattacks, with a 58.7% increase in losses since 2017, amounting to $104,476,603. This is 65% higher than in the neighboring state of Utah ($53,047,234). This could be due to Colorado’s aging population, as reports show people over the age of 75 are most likely to report repeat cybercrime victimization.3

New York is in second place, with a risk score of 7.84 out of 10. As the fourth most populous state with 19,571,216 residents, New York reported 27,205 annual victims between 2020-2023. By contrast, Massachusetts reported one third the number of victims (8,749) over the same period as New York. New York has seen a 14.4% increase in victims over four years, with reports showing cyberattack complaints up 53% since 2022.4 The financial losses from cyberattacks in the state have also surged by 75.7%, totaling a staggering $440,673,485 lost. 

Nevada ranks third with a risk score of 7.62 out of 10, reflecting the state’s growing vulnerability to cyberattacks. With a population of 3,194,176, Nevada reported 10,551 annual victims from 2020 to 2023. The state has experienced a significant 27.6% increase in victim counts over four years, indicating a rapid rise in cybercrime incidents. Just earlier this year, the state’s Gaming Control Board website was hit with a cyberattack, resulting in the site being offline for several days.5 The financial losses from cyberattacks in Nevada have risen by 25.2% since 2017, totaling $44,994,168, 72% more than the neighboring state of Idaho ($12,427,049).

The Most Costly Cyberattacks

BEC Cyberattacks Have the Highest Financial Impact

Business Email Compromise (BEC) is the cyberattack in the United States with the highest financial impact, with losses exceeding $1 billion ($1,747,924,931) since 2020 and an average loss of $88,350 per incident. BEC attacks involve fraudsters impersonating business executives or employees to deceive victims into transferring funds or revealing sensitive information. Credit card and check fraud rank second, causing $516,046,155 in total losses and an average loss of $27,039 per incident. This fraud typically involves unauthorized use of payment information. 

Malware attacks, in third place, have resulted in losses of $237,469,021 with an average loss of $83,235 per incident.

The Most Common Cyberattacks

Non-payment/Non-delivery Cyberattacks are the Most Common

Non-payment/non-delivery attacks, which involve fraudsters tricking victims into paying for undelivered goods or services, are the most common US cyber threat since 2020, with 60,113 incidents. The second most prevalent is personal data breaches, with 40,523 incidents, which can involve unauthorized access to sensitive information, often leading to identity theft and fraud.

Patrick Spencer, spokesperson at Kiteworks, commented on the results:

“Our study reveals a concerning trend: cyberattacks are on the rise, both in frequency and financial impact. As cyber threats continue to evolve, proactive investment in advanced security technologies and employee training can significantly enhance a company’s resilience against cybercrime, as well as a greater focus on data security.

Businesses should adopt a content-defined zero trust approach to secure their sensitive communications. By consolidating email, file sharing, SFTP, managed file transfer, and web forms into a private content network protected by a hardened virtual appliance, organizations can ensure that sensitive content is only accessed by authorized users. This approach provides advanced security, comprehensive governance, and regulatory compliance, ensuring the protection of sensitive content.”

We kindly ask that if you choose to use the information in this release, you include a link to: https://kiteworks.com/. A linked credit allows us to continue providing you with future content that you may find useful. If you have any questions, please don’t hesitate to get in touch!


The post The US States Most at Risk of Cyberattacks appeared first on Cybersecurity Insiders.

Students Provided Training Opportunities and Help Meet Maryland’s Cybersecurity Talent Gap

Allegany College of Maryland, Garrett College, and Hagerstown Community College have received a $617,400 grant from the Senator George C. Edwards Fund toward a $686,000 project to implement two cyber ranges through the Cyber Workforce Accelerator program to assist cybersecurity students to prepare for careers, using real-world, cutting-edge simulation.

Created by the Maryland Association of Community Colleges (MACC) and BCR Cyber, the Cyber Workforce Accelerator program is designed to dramatically expand Maryland workforce development efforts and provide the state’s community colleges with BCR Cyber Series 3000 Cyber Ranges, offering access to advanced experiential training and education technology to train and certify thousands of entry-level IT and cyber practitioners.

The Senator George C. Edwards Fund grant facilitates the procurement, configuration, and deployment of the cyber ranges, as well as required infrastructure upgrades, enhancements, and staff training. Delivery of the cyber ranges and training commencement is expected by April 1, 2025.

“This is going to be a game changer for our students,” says Hagerstown Community College president, Jim Klauber. “Our cybersecurity students will learn how to effectively identify and address cyber threats. Employers will be able to watch students as they work through the simulations, giving the students the opportunity to showcase their skills and employability.”

The Senator George C. Edwards Fund is a four-year, $50 million program aimed to spur economic growth in Washington, Allegany, and Garrett Counties.  

“This cyber range project will help our competitiveness in Western Maryland and will yield return on investment in this fast-growing industry. It is a great partnership between our three community colleges,” says Jake Shade, executive director of the Senator Edwards Fund.

BCR Cyber created a public-private consortium of more than 35 cybersecurity companies and government agencies that will steer course content development and recruit entry-level employees trained at the community college cyber ranges. Each school will have a center with five workstations in which the students will complete approximately 40 hours of training for their capstone work, followed by a live experience with up to 10 hours of testing in simulated cyber threats. BCR Cyber has trained thousands of people to work in the cybersecurity industry.

“There are not enough skilled professionals to meet the talent gap in cybersecurity here in Maryland and across the country,” says Michael Spector, president of BCR Cyber. “Partnering with these community colleges through the accelerator program is an effective way not only to create well-paid career opportunities, but also bring more students into an industry that desperately needs them.”

Recently, MACC – in partnership with BCR Cyber – was awarded $935,680 through the Maryland Department of Commerce’s “Build Our Future Grant Pilot Program” to fund the Cybersecurity Workforce Accelerator. This award leverages $2 million of Congressionally Directed Spending obtained by U.S. Senators Ben Cardin and Chris Van Hollen that was allocated for the Accelerator earlier this year in the Federal FY25 Budget as matching funds. The total amount awarded year to date for the accelerator is $3.6 million.

For more information about the program visit www.bcrcyber.com

The post Western Maryland Community Colleges Receive Edwards Fund Grant for Cyber Ranges appeared first on Cybersecurity Insiders.

Salvador Technologies has disclosed that the company is experiencing demand for its cyber-attack recovery platform from organizations in the maritime sector and shipping industry. 

The company reports that an increasing number of port authorities, terminal operators and shipping companies are using its cyber-attack recovery platform.

According to the company, there are two main factors driving the demand for its platform. The first is the need to automate backup and recovery processes, which can improve operational continuity for critical infrastructures. And the second is compliance with a range of cybersecurity regulations and mandates related to on-ship and offshore restore capabilities.

Maritime increasingly targeted

Whether for financial gain or geopolitical considerations, cyber-terrorists and other malicious actors are increasingly targeting the maritime sector and shipping industry. 

Last year, for example, crippling ransomware attacks in Australia and Japan shut down the operations of major ports, severely disrupting the flow of goods into and out of these countries. 

More recently, the United States government urged the port authorities and operators across the country to improve their preparedness for increased cyber-attacks on key US infrastructure. Top US cybersecurity officials encouraged port authorities and operators to rapidly encrypt data, patch vulnerabilities in critical systems, maintain a well-trained cyber team and improve the backup of their critical systems. 

“Over the years, the maritime industry has been facing a rising threat rate of cyber-attacks that results in downtime, causing damages to the efficient operations, competitiveness and reputations of ports around the world,” said Gadi Benmoshe, Managing Director of Marinnovators and Vice Chair of the International Association of Ports and Harbors (IAPH) Data Collaboration Committee.

“As these issues are becoming more and more critical, an incident recovery solution is now an essential proactive measure that should be taken by port authorities and terminal operators worldwide,” he added.

Strategic Partnership

Salvador recently established a strategic business partnership with the Port of Ashdod, the largest seaport in terms of cargo volume in Israel. 

Through this partnership, Salvador is engaging port authorities and terminal operators that have signed cooperation agreements with the Innovation Center at the Port of Ashdod. These include the Port of New York & New Jersey and the Port of Corpus Christi in the United States, the Port of Rotterdam in the Netherlands and the Port of Singapore. 

The company further reports that it is currently migrating successful trials of its cyber-attack recovery platform into full deployments for several port authorities and terminal operators in the United States, Europe and Southeast Asia engaged through its strategic partnership with the Port of Ashdod. 

Salvador’s cyber-attack recovery platform consists of hardware connected to the HMI or SCADA system, an agent software component and a monitoring system. The platform protects customer data from attack and, in case of an incident, bypasses standard recovery protocols to enable a full recovery from cyber-attacks and any malfunction within only 30 seconds.

“We are tremendously pleased with our growth in the maritime sector and our expanding footprint across the shipping industry,” said Alex Yevtushenko, Co-Founder and CEO of Salvador. 

“The market drivers pushing the demand for our cyber-attack recovery platform are clear and we have strong expectations for continued growth in this and other verticals,” concluded Yevtushenko.


The post Salvador Technologies sees growth in maritime cybersecurity appeared first on Cybersecurity Insiders.

CrowdStrike have now published their preliminary post incident report (PIR) into the issue that brought 8.5 million Windows hosts, and a lot of the world, to a halt. The preliminary report is available in full on the CrowdStrike website (here: https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/), but here are initial thoughts after reviewing the report and considering it against the backdrop of what we've observed within our affected customer base.

With such a wide-scale, brand-affecting incident, the recovery for CrowdStrike was always going to be rooted in transparency. No software company will ever be 100% bug free; that's just not reality, and issues, outages and vulnerabilities will occur. But we can judge a software organisation on two things: how robust their development and testing processes are at limiting the frequency of issues and, when an incident occurs, how they respond to it.

The scrutiny placed on CrowdStrike derives from their position in the IT stack. As an endpoint security platform, and specifically an Endpoint Detection & Response (EDR) solution, it operates in kernel mode via kernel drivers that permit access to lower-level internals of the Windows operating system. Operating in kernel mode gives an EDR great power to gain visibility into system processes and activity, and provides the ability to act on and prevent malicious actions. But, as with Spider-Man, with great power comes great responsibility. Kernel drivers must be developed to be completely robust and stable. Unlike in user mode, where a runtime issue can fail gracefully and affect only that application, an unhandled fault in a kernel driver, such as a read outside the memory it is entitled to touch, triggers the kind of exception that ends in a Blue Screen of Death (BSOD), and a driver that loads at boot will hit the same fault again on every restart until the offending input is removed.

At the very tail of the preliminary report CrowdStrike have promised a future root cause analysis (RCA) once they have completed their investigation in full. Even with the promise of a full root-and-branch RCA, there's a fair amount of detail in the preliminary report. The transparency we need seems to be coming. If we look at how CrowdStrike have reacted in the face of adversity, they've done a reasonably good job. They've held their hands up, they rolled back the faulty Channel File reasonably quickly, on the whole they've communicated with customers and partners regularly and often with updates, they have provided fixes and recovery steps, and now we're seeing some of the transparency required to rebuild that trust.

What does the report say?

We can fully test that last point once the full RCA is available, as the preliminary report still leaves questions unanswered and niggling doubts. So, what does the preliminary report say? Within it CrowdStrike detail their security content configuration update architecture, along with what happened and how these components had the effect they did.

CrowdStrike's security content configuration architecture, as laid out in the PIR, is broken down into two component parts: Sensor Content and Rapid Response Content. The former ships only with Falcon sensor releases, which customers control through the Sensor Update Policy settings (including holding back at an N-1 or N-2 sensor version), and provides a wide range of security capabilities that are introduced or updated as part of Sensor Content updates. This includes new Template Types, which allow threat detection engineers to define threat content. Rapid Response Content, on the other hand, consists of the security definitions and IOCs, delivered as Channel Files, that use the capabilities and Template Types available in the Sensor Content in order to instruct the Falcon agent on how to detect current and emerging threats. These are pushed globally to customers by CrowdStrike as they become available, regardless of any Sensor Update Policy.

In terms of what happened on 19th July, CrowdStrike have outlined in the preliminary report the series of events that led to the global outage. Firstly, as part of a Sensor Content update released on 28th February 2024 (Falcon sensor v7.11), a new IPC Template Type was introduced to detect novel attack techniques that abuse Named Pipes. Sensor Content releases are rigorously tested through unit testing, integration testing, performance testing and stress testing, and then tested further internally and with early adopters before being made generally available. This was the case with this update and the new IPC Template Type: stress testing was completed on 5th March 2024, and IPC Template Instances released on 8th and 24th April 2024 performed as expected in production.

The problem is the testing of the IPC Template Instances that make up the Rapid Response Content. It appears, from the information available in the preliminary report, that these are tested only by a Content Validator tool that performs validation checks on content prior to release. Unfortunately, in this instance, a bug in that tool allowed an instance containing problematic content data to pass muster and, together with the confidence drawn from the stress testing and the success of the previous releases, the problematic Channel File (291) ended up being pushed to all online Falcon agents.

So clearly there was a deficiency in the testing process for Rapid Response Content, probably because the possibility of an issue in this content, or the impact of one, had never been fully considered, and because of the confidence drawn from the rigorous testing carried out on Sensor Content updates. The other issue was the deployment strategy. Deploying globally in a single step meant the issue was that much more impactful, and the rollback and recovery that much more difficult once the error had been identified, because a host that had already crashed could no longer fetch the corrected file on its own.
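A small illustration of the two fixes this points to, a validator that checks the shape of each content instance against its template type and an interpreter that fails closed on malformed content, as an added example in Python that is not code from CrowdStrike or from the original post. The template type registry, the three-parameter "ipc_named_pipe" layout, the sample instances and the sample event are all constructed here for illustration and do not represent Falcon's real content format.

```python
"""Fail-closed content validation and interpretation (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical template type registry: name -> number of parameters the
# matching logic consumes. Illustrative only, not Falcon's real format.
TEMPLATE_TYPES: Dict[str, int] = {
    "ipc_named_pipe": 3,  # pipe name, process image suffix, action
}


@dataclass
class TemplateInstance:
    """One Rapid-Response-style rule: a template type plus its parameters."""
    template: str
    params: List[str]


@dataclass
class Event:
    """A constructed named-pipe event as a sensor might observe it."""
    pipe_name: str
    image: str


def validate_naive(inst: TemplateInstance) -> bool:
    """Validator that only checks the template exists, not the instance shape.
    This is the class of gap that lets a malformed instance through."""
    return inst.template in TEMPLATE_TYPES


def validate_strict(inst: TemplateInstance) -> Tuple[bool, str]:
    """Validator that also enforces parameter count and non-empty values."""
    expected = TEMPLATE_TYPES.get(inst.template)
    if expected is None:
        return False, f"unknown template {inst.template!r}"
    if len(inst.params) != expected:
        return False, f"{inst.template}: expected {expected} params, got {len(inst.params)}"
    if any(p == "" for p in inst.params):
        return False, f"{inst.template}: empty parameter"
    return True, "ok"


def match_unsafe(inst: TemplateInstance, ev: Event) -> bool:
    """Interpreter with no bounds checking. A short parameter list raises
    IndexError here; the kernel-mode analogue is an out-of-bounds read and a
    bug check (BSOD)."""
    pipe, image_suffix, action = inst.params[0], inst.params[1], inst.params[2]
    return ev.pipe_name == pipe and ev.image.endswith(image_suffix) and action == "block"


def match_safe(inst: TemplateInstance, ev: Event) -> Optional[bool]:
    """Interpreter that fails closed: a malformed instance is skipped (None)
    instead of taking the whole sensor down."""
    try:
        return match_unsafe(inst, ev)
    except (IndexError, TypeError):
        return None


def crashes(inst: TemplateInstance, ev: Event) -> bool:
    """True if the unsafe interpreter would fault on this instance."""
    try:
        match_unsafe(inst, ev)
        return False
    except IndexError:
        return True


def sweep(instances: List[TemplateInstance], ev: Event,
          matcher: Callable[[TemplateInstance, Event], Optional[bool]]) -> Dict[str, int]:
    """Run every instance against one event and tally hits, misses and skips."""
    tally = {"hit": 0, "miss": 0, "skipped": 0}
    for inst in instances:
        result = matcher(inst, ev)
        tally["skipped" if result is None else ("hit" if result else "miss")] += 1
    return tally


# Constructed content: one well-formed instance and one missing a parameter.
GOOD = TemplateInstance("ipc_named_pipe", [r"\\.\pipe\evil", "psexesvc.exe", "block"])
BAD = TemplateInstance("ipc_named_pipe", [r"\\.\pipe\evil", "block"])
EVENT = Event(r"\\.\pipe\evil", r"C:\Windows\psexesvc.exe")

if __name__ == "__main__":
    print("naive validator accepts BAD:", validate_naive(BAD))
    print("strict validator on BAD:", validate_strict(BAD))
    print("unsafe interpreter faults on BAD:", crashes(BAD, EVENT))
    print("safe sweep over [GOOD, BAD]:", sweep([GOOD, BAD], EVENT, match_safe))
```

The point of the pairing is that either control alone would have been enough to avoid a fleet-wide crash: the strict validator stops the malformed instance leaving the build pipeline, and the fail-closed interpreter means that even content which slips past validation costs a skipped rule rather than a bug check.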

Lesson learnt. CrowdStrike are implementing steps to make sure this doesn’t happen again:

Software Resiliency and Testing

• Improve Rapid Response Content testing by using testing types such as:

  • Local developer testing
  • Content update and rollback testing
  • Stress testing, fuzzing and fault injection
  • Stability testing
  • Content interface testing

• Add additional validation checks to the Content Validator for Rapid Response Content. A new check is in process to guard against this type of problematic content from being deployed in the future.

• Enhance existing error handling in the Content Interpreter.

Rapid Response Content Deployment

• Implement a staggered deployment strategy for Rapid Response Content in which updates are gradually deployed to larger portions of the sensor base, starting with a canary deployment.

• Improve monitoring for both sensor and system performance, collecting feedback during Rapid Response Content deployment to guide a phased rollout.

• Provide customers with greater control over the delivery of Rapid Response Content updates by allowing granular selection of when and where these updates are deployed.

• Provide content update details via release notes, which customers can subscribe to.
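The deployment bullets above describe a canary-first, health-gated rollout with customer control over timing. The following is an added example, not CrowdStrike's code, that plans cumulative rings over a constructed fleet of 1,000 hosts, pushes ring by ring, and halts as soon as a ring's failure rate crosses a threshold, with a global push shown alongside for comparison. The ring shares, the 0.5% threshold, the deferred-host set and the simulated deploy functions are all assumptions.

```python
"""Health-gated staged rollout of content updates (constructed example)."""
from typing import Callable, Dict, Iterable, List, Sequence

# Cumulative share of the fleet reached after each ring (assumed values).
RINGS: Sequence[float] = (0.001, 0.01, 0.10, 0.50, 1.0)
# Halt the rollout if more than this share of a ring fails its health check.
MAX_FAILURE_RATE = 0.005


def plan_rings(hosts: Sequence[str], rings: Sequence[float] = RINGS) -> List[List[str]]:
    """Split the fleet into rings. Each ring contains only the hosts not already
    covered by earlier rings, and the canary ring always has at least one host."""
    if not hosts:
        return []
    planned, start = [], 0
    for share in rings:
        end = min(len(hosts), max(start + 1, int(round(len(hosts) * share))))
        planned.append(list(hosts[start:end]))
        start = end
        if start >= len(hosts):
            break
    return planned


def rollout(hosts: Sequence[str],
            deploy: Callable[[str], bool],
            rings: Sequence[float] = RINGS,
            deferred: Iterable[str] = ()) -> Dict[str, object]:
    """Push the update ring by ring. deploy(host) returns True if the host
    stays healthy after the update (e.g. checks in within a window). Hosts in
    `deferred` have chosen to receive the content later and are skipped.
    Stops at the first ring whose failure rate exceeds MAX_FAILURE_RATE."""
    skip = set(deferred)
    eligible = [h for h in hosts if h not in skip]
    deployed = failed = 0
    last_ring = -1
    for last_ring, ring in enumerate(plan_rings(eligible, rings)):
        ring_failed = sum(0 if deploy(h) else 1 for h in ring)
        deployed += len(ring)
        failed += ring_failed
        if ring_failed / len(ring) > MAX_FAILURE_RATE:
            return {"status": "halted", "ring": last_ring,
                    "deployed": deployed, "failed": failed}
    return {"status": "complete", "ring": last_ring,
            "deployed": deployed, "failed": failed}


def global_push(hosts: Sequence[str], deploy: Callable[[str], bool]) -> Dict[str, object]:
    """The pre-incident strategy: every online host at once, with no gate."""
    failed = sum(0 if deploy(h) else 1 for h in hosts)
    return {"status": "complete", "deployed": len(hosts), "failed": failed}


# Constructed fleet and simulated deploy outcomes.
FLEET = [f"host-{i:04d}" for i in range(1000)]


def bad_content(host: str) -> bool:
    """Simulates content that crashes every host it reaches."""
    return False


def good_content(host: str) -> bool:
    """Simulates content that every host survives."""
    return True


if __name__ == "__main__":
    print("ring sizes:", [len(r) for r in plan_rings(FLEET)])
    print("staged, bad content:", rollout(FLEET, bad_content))
    print("global, bad content:", global_push(FLEET, bad_content))
    print("staged, good content:", rollout(FLEET, good_content))
```

With the assumed shares the rings hold 1, 9, 90, 400 and 500 hosts, so bad content is stopped after a single canary host instead of reaching all 1,000; the trade-off is that a full rollout now takes several monitoring windows rather than one push, which is the cost CrowdStrike's staged approach accepts.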

There are still some questions that need to be answered, and I'm sure they will come out once the full RCA is released. One of the core questions is not how the Content Validator missed the invalid file but how that file became invalid in the first place.

As we get closer to the end of this incident, I think it's clear that we will look back on it, and the way it was handled by CrowdStrike, as an example of what good can look like in the face of adversity. They've been transparent, they've quickly implemented the immediate fix and identified the long-term solution to prevent it from happening again, and they actively engaged with customers and partners to recover. There are valuable lessons to learn and implement across the industry.

The post Crowdstrike preliminary report as sourced from Richard Ford appeared first on Cybersecurity Insiders.

On June 23, 2024, the LockBit cybercriminal group that offers ransomware as a service (RaaS) announced that it had infiltrated the systems of the Federal Reserve, compromising thirty-three terabytes of sensitive banking information. The notorious ransomware group gave the Federal Reserve just two days to pay up. To prove its claims, the group posted files that looked like parent directories, torrents, and compressed archive files, sharing a sample of stolen data from Evolve Bank & Trust. If true, this breach could have posed a serious threat to the entire banking system. Fortunately for the world economy, the Federal Reserve breach was a publicity stunt.

A Lie with a Kernel of Truth

Just before LockBit’s stunt, the Federal Reserve issued an enforcement action against Evolve for “deficiencies in the bank’s anti-money laundering, risk management, and consumer compliance programs.” This assessment was unfortunately proven accurate when Evolve confirmed that it was the victim of a ransomware attack by LockBit in July.

Data belonging to more than 7.6 million customers was stolen during a break-in using the LockBit ransomware software in late May. The breach notification also confirmed that the data theft affected at least three of its partners and Evolve expects the number of persons affected to rise as investigations continue. While the attackers don’t appear to have accessed any company funds, they were able to download customer information from databases and a file share.

When LockBit first announced the Federal Reserve breach, opinions were divided on the threat, which highlights the difficulty of assessing the credibility of claims made by such groups. In May 2024 alone, LockBit claimed responsibility for over 150 of the 450 ransomware attacks reported, evidence of its aggressive activity despite international efforts by law enforcement agencies to disrupt it earlier in the year by seizing control of darknet websites that belonged to the gang. Recently identified targets include Saint Anthony Hospital in Chicago, specialized machinery supplier Grimme in Denmark, Manchester Fertility Services in the UK, and electromechanical and marine engineering services firm Semesco in Cyprus, illustrating LockBit's wide reach. These attacks demonstrate the ongoing threat the group poses to diverse industries worldwide; they are a credible threat and have the capabilities required to carry out a successful attack.

Reacting to Ransomware

Despite a demand for payment, neither the Federal Reserve nor Evolve Bank & Trust chose to pay the ransom. Doing so comes with significant risks; attackers may not provide a decryption key (or at least a working one), they may still release the stolen data or retain it for future use, and payment can become an incentive for future attacks, either by the same group or other malicious actors.

In fact, paying ransoms to some groups or individuals may itself be illegal. The federal government has no laws written specifically for ransomware, but a ransom payment is a financial transaction, and the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) both prohibit transactions with sanctioned persons and entities, a list that already includes several ransomware operators and their facilitators. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) enforces these rules, and violations may result in civil penalties, or in prison time where an individual's actions are found to be criminal or criminally negligent. Similarly, the UK government advises against making or facilitating ransomware payments and warns that a payment to a sanctioned entity may breach financial sanctions.

While all parties acknowledge the difficulties involved for organizations undergoing a ransomware attack, paying the ransom is never the right answer. Payment funds these gangs, encourages them to continue their criminal activities, and in any case does not provide a viable remedy. It is not a reliable way to recover or decrypt stolen data, does not protect customers from having sensitive information released, and does nothing to repair the loss of trust incurred by such an incident.

Mitigating the LockBit Threat

While the Federal Reserve remains safe, for now, financial institutions must strengthen their cybersecurity measures to mitigate the threats LockBit and others like them continue to present.

The Cybersecurity and Infrastructure Security Agency (CISA) created the Ransomware Vulnerability Warning Pilot (RVWP) “to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks” and notify system owners of these security vulnerabilities. This effort enables financial institutions and others to address vulnerabilities before they are used to carry out an attack.

In addition to awareness about and mitigation of known vulnerabilities used by ransomware groups, organizations must harden their environments in other ways. This includes implementing email security solutions to defend against phishing and other email-based attacks, which are common entry points for ransomware. Additionally, financial institutions can use advanced threat protection capable of defending against zero-day vulnerabilities and unknown malware as well as segregate operational networks where possible. These measures can help organizations prevent data leakage and limit the impact of any potential breach.

The post LockBit Lies Prove Another Reason to Never Pay the Ransom appeared first on Cybersecurity Insiders.

Human error lies behind the majority of data breaches today. Verizon's 2024 Data Breach Investigations Report (DBIR) found that 68% of all breaches analysed for 2023 involved a non-malicious human element, such as a person falling for a social engineering lure or making a mistake. This figure highlights the critical need for enterprises to mitigate the human element of cyber risk to keep digital assets safe and secure.

As cyber threats continue to grow in frequency and sophistication and the human factor remains a threat to cybersecurity, more CISOs than ever (80%) see human risk, in particular negligent employees, as a key cybersecurity concern over the next two years.

Cybercriminals are also well aware that the human element can be a gateway to infiltrating systems and accessing sensitive business information. Bad actors are targeting employees with a barrage of malware, phishing, social engineering, and password attacks designed to exploit human vulnerabilities. Research by Fortinet found that 81% of organizations faced malware, phishing, and password attacks last year which were mainly targeted at users.

There is no doubt that people are critical to the cybersecurity of enterprises. As such, organizations must integrate the human element into data security strategies to transform employees from a cybersecurity vulnerability to a cybersecurity strength. 

To mitigate the human element of cyber risk, enterprises must take a proactive, human-centric approach to cybersecurity that includes:

Investing in employee awareness training

Providing regular cybersecurity training that educates employees on common threats such as phishing, malware and social engineering and teaches cybersecurity best practices reduces the risk of human error, helping employees take proactive steps to protect sensitive company data and information. Investing in this training is also the cheapest, easiest way to boost cybersecurity, according to the National Cybersecurity Alliance.

Regular training sessions should equip employees with the tools and knowledge they need to spot and combat cyber threats. Training should address topics such as how to identify suspicious links and attachments, the necessity of creating strong passwords, the importance of adhering to security policies, and the proper procedures for promptly reporting security incidents.

To increase the effectiveness of cybersecurity training, enterprises should also make training role-specific so that it is more relevant and impactful, conduct phishing simulations to help users recognize what real-world attacks look like, and reinforce that everyone plays a critical role in keeping the organization cyber secure.

Setting and enforcing clear policies

Employees can become one of the most effective security controls in an organization when clear cybersecurity policies are established, communicated, and enforced. These policies should prohibit the use of shadow IT (the use of unsanctioned applications that are not monitored and managed by the enterprise IT department) and define acceptable use for BYOD (bring your own device).

Policies prohibiting the use of shadow IT are particularly important for employees to be aware of and understand. The danger of employee use of shadow IT, such as unsecure messaging apps, lies in the lack of IT control. IT teams can't control what they don't know about, which can lead to unauthorized access to an organization's IT infrastructure. Setting and enforcing policies that prohibit the use of shadow IT means employees will avoid using apps and tools that increase enterprise exposure to data breaches and compliance violations.

To combat the cyber risks introduced by BYOD, security leaders should establish and enforce BYOD policies that define acceptable use including what devices and apps are permissible. This policy should also outline the security protocols that must be followed such as creating strong passwords, enabling multi-factor authentication, avoiding public Wi-Fi, and never leaving devices unattended.

Implementing a zero trust architecture

Enterprises should also adopt zero trust, a framework that treats every access request as untrusted until the user and device behind it have been verified, to help reduce the human cyber risk factor and enhance data protection, usability, and governance in the digital workplace. As part of zero trust, enterprises should implement strong identity and access management, including multifactor authentication (preferably phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes can be relayed by a phishing site) and biometric technologies such as facial recognition, together with least-privilege access so that a compromised account can reach only what its owner needs. By implementing a zero trust approach, organizations can minimize the risk of unauthorized access, strengthen data protection, and enhance overall security.

Building a strong security culture

Building a strong security culture is critical for mitigating the human element of cyber risk, yet many organizations are lacking in this area. According to a survey of IT and cybersecurity professionals by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA), more than one-quarter (27%) of respondents rate their organization’s cybersecurity culture as fair or poor. A weak security culture is a significant problem for organizations that can lead to the exposure of sensitive business information.

Building a strong security culture in an organization involves not only training but also fostering an environment where employees understand that security is a shared responsibility across the enterprise and where all employees understand their role in reducing cyber risk. Fostering a culture that makes employees partners in safeguarding enterprise data and information goes a long way toward minimizing the human element of cyber risk.

Providing employees with secure by design collaboration tools

When employees are provided with secure collaboration tools, they will not turn to unsecure messaging and collaboration apps that expand the cyberattack surface in organizations. Today, CISOs are increasingly concerned about the widening attack surface created by the proliferation of these tools in the enterprise. According to data from Proofpoint, 39% of CISOs view Slack/Teams/Zoom/other collaboration tools as one of the top three systems introducing risk to their organizations.

Using secure by design mobile messaging technology closes the gaps created by employee use of unsecure communication and collaboration apps that leave enterprises vulnerable to cyberattacks and data breaches. Mobile messaging platforms designed for the enterprise feature end-to-end encryption (E2EE), under which a message is encrypted on the sender's device and decrypted only on the recipient's, so the service provider, and anyone intercepting traffic in transit, sees only ciphertext. Two caveats matter when evaluating such claims: E2EE protects message content on the wire and on the provider's servers, but data at rest on the handset still depends on device encryption, screen lock and mobile device management, and a lost or compromised endpoint can read everything its user can. Coupled with robust administrative controls that embed data security and compliance into business communication across every channel, E2EE materially reduces the attack surface for sensitive enterprise data, although no single control removes every point of entry.

Encouraging reporting of security incidents

To be human is to make mistakes and cybersecurity errors will happen. When employees do err by clicking on a suspicious link or becoming the victim of social engineering, it is important for them to understand how to report security incidents like these. Enterprises should establish procedures and clear channels of communication for reporting potential security incidents or suspicious activities. This allows organizations to initiate the response process more quickly and raise awareness of reported incidents or suspicious activities so other employees do not fall victim to these attacks.

Wrapping up

There is no question that the human element is critical for effectively preventing cyber intrusions. To mitigate the human element behind 68% of the breaches occurring today, enterprises should take a proactive, human-centric approach to cybersecurity. That approach should include investing in employee awareness training, setting and enforcing clear policies, implementing a zero trust architecture, building a strong security culture, providing employees with secure by design collaboration tools and encouraging reporting of security incidents.


The post Strategies for Mitigating the Human Element of Cyber Risk appeared first on Cybersecurity Insiders.