On June 23, 2024, the LockBit cybercriminal group that offers ransomware as a service (RaaS) announced that it had infiltrated the systems of the Federal Reserve, compromising thirty-three terabytes of sensitive banking information. The notorious ransomware group gave the Federal Reserve just two days to pay up. To prove its claims, the group posted files that looked like parent directories, torrents, and compressed archive files, sharing a sample of stolen data from Evolve Bank & Trust. If true, this breach could have posed a serious threat to the entire banking system. Fortunately for the world economy, the Federal Reserve breach was a publicity stunt.

A Lie with a Kernel of Truth

Just before LockBit’s stunt, the Federal Reserve issued an enforcement action against Evolve for “deficiencies in the bank’s anti-money laundering, risk management, and consumer compliance programs.” This assessment was unfortunately proven accurate when Evolve confirmed that it was the victim of a ransomware attack by LockBit in July.

Data belonging to more than 7.6 million customers was stolen during a break-in using the LockBit ransomware software in late May. The breach notification also confirmed that the data theft affected at least three of its partners and Evolve expects the number of persons affected to rise as investigations continue. While the attackers don’t appear to have accessed any company funds, they were able to download customer information from databases and a file share.

When LockBit first announced the Federal Reserve breach, opinions were divided on the threat, which illustrates how hard it is to assess the credibility of claims made by such groups. In May 2024 alone, LockBit claimed responsibility for over 150 of the 450 ransomware attacks reported, showing how active it remains despite international law enforcement efforts earlier in the year to disrupt it by seizing control of darknet websites that belonged to the gang. Recently identified targets include Saint Anthony Hospital in Chicago, specialized machinery supplier Grimme in Denmark, Manchester Fertility Services in the UK, and electromechanical and marine engineering services firm Semesco in Cyprus, illustrating LockBit’s wide reach. These attacks demonstrate the ongoing threat the group poses to diverse industries worldwide: LockBit is a credible threat with the capabilities required to carry out a successful attack.

Reacting to Ransomware

Despite a demand for payment, neither the Federal Reserve nor Evolve Bank & Trust chose to pay the ransom. Doing so comes with significant risks; attackers may not provide a decryption key (or at least a working one), they may still release the stolen data or retain it for future use, and payment can become an incentive for future attacks, either by the same group or other malicious actors.

In fact, paying ransoms to some groups or individuals may in itself be illegal. The federal government lacks laws specifically regarding ransomware, but ransom payments are considered a type of transaction; the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) both include rules prohibiting foreign financial engagement. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) handles most of these violations, which may result in civil penalties or even prison time if individual people’s actions are considered criminal or criminally negligent. Similarly, the UK government advises against making or facilitating ransomware payments and warns that those who do so will be subject to financial sanctions.

While all parties acknowledge the difficulties involved for organizations undergoing a ransomware attack, paying the ransom is never the right answer. Payment funds these gangs, encourages them to continue their criminal activities, and in any case does not provide a viable remedy. It is not a reliable way to recover or decrypt stolen data, does not protect customers from having sensitive information released, and does nothing to repair the loss of trust incurred by such an incident.

Mitigating the LockBit Threat

While the Federal Reserve remains safe, for now, financial institutions must strengthen their cybersecurity measures to mitigate the threats LockBit and others like them continue to present.

The Cybersecurity and Infrastructure Security Agency (CISA) created the Ransomware Vulnerability Warning Pilot (RVWP) “to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks” and notify system owners of these security vulnerabilities. This effort enables financial institutions and others to address vulnerabilities before they are used to carry out an attack.

In addition to awareness about and mitigation of known vulnerabilities used by ransomware groups, organizations must harden their environments in other ways. This includes implementing email security solutions to defend against phishing and other email-based attacks, which are common entry points for ransomware. Additionally, financial institutions can use advanced threat protection capable of defending against zero-day vulnerabilities and unknown malware as well as segregate operational networks where possible. These measures can help organizations prevent data leakage and limit the impact of any potential breach.

The post LockBit Lies Prove Another Reason to Never Pay the Ransom appeared first on Cybersecurity Insiders.

The primary cause of the majority of data breaches today is human error. Verizon’s 2024 Data Breach Investigations Report (DBIR) found that 68% of all breaches involved a non-malicious human element in 2023. This data highlights the critical need for enterprises to mitigate the human element of cyber risk to keep digital assets safe and secure.

As cyber threats continue to grow in frequency and sophistication and the human factor remains a threat to cybersecurity, more CISOs than ever (80%) see human risk, in particular negligent employees, as a key cybersecurity concern over the next two years.

Cybercriminals are also well aware that the human element can be a gateway to infiltrating systems and accessing sensitive business information. Bad actors are targeting employees with a barrage of malware, phishing, social engineering, and password attacks designed to exploit human vulnerabilities. Research by Fortinet found that 81% of organizations faced malware, phishing, and password attacks last year which were mainly targeted at users.

There is no doubt that people are critical to the cybersecurity of enterprises. As such, organizations must integrate the human element into data security strategies to transform employees from a cybersecurity vulnerability to a cybersecurity strength. 

To mitigate the human element of cyber risk, enterprises must take a proactive, human-centric approach to cybersecurity that includes:

Investing in employee awareness training

Providing regular cybersecurity training that educates employees on common threats such as phishing, malware and social engineering and teaches cybersecurity best practices reduces the risk of human error, helping employees take proactive steps to protect sensitive company data and information. Investing in this training is also the cheapest, easiest way to boost cybersecurity, according to the National Cybersecurity Alliance.

Regular training sessions should equip employees with the tools and knowledge they need to spot and combat cyber threats. Training should address topics such as how to identify suspicious links and attachments, the necessity of creating strong passwords, the importance of adhering to security policies, and the proper procedures for promptly reporting security incidents.

To increase the effectiveness of cybersecurity training, enterprises should also make training role-specific so that it is more relevant and impactful, conduct phishing simulations to help users recognize what real-world attacks look like, and reinforce that everyone plays a critical role in keeping the organization cyber secure.

Setting and enforcing clear policies

Employees can become one of the most effective security controls in an organization when clear cybersecurity policies are established, communicated, and enforced. These policies should prohibit the use of shadow IT (the use of unsanctioned applications that are not monitored and managed by the enterprise IT department) and define acceptable use for BYOD (bring your own device).

Policies prohibiting the use of shadow IT are particularly important for employees to be aware of and understand. The danger of employee use of shadow IT, such as unsecure messaging apps, lies in the lack of IT control. IT teams can’t control what they don’t know about, and that blind spot can lead to unauthorized access to an organization’s IT infrastructure. Setting and enforcing policies that prohibit the use of shadow IT means employees will avoid using apps and tools that increase enterprise exposure to data breaches and compliance violations.

To combat the cyber risks introduced by BYOD, security leaders should establish and enforce BYOD policies that define acceptable use including what devices and apps are permissible. This policy should also outline the security protocols that must be followed such as creating strong passwords, enabling multi-factor authentication, avoiding public Wi-Fi, and never leaving devices unattended.

Implementing a zero trust architecture

Enterprises should also adopt zero trust, a framework that mandates identity verification and authentication for all users and devices, to help reduce the human cyber risk factor and enhance data protection, usability, and governance in the digital workplace. As part of zero trust, enterprises should implement strong identity and access management including multifactor authentication and biometric technologies such as facial recognition. By implementing a zero trust approach, organizations can minimize the risk of unauthorized access, strengthen data protection, and enhance overall security.

Building a strong security culture

Building a strong security culture is critical for mitigating the human element of cyber risk, yet many organizations are lacking in this area. According to a survey of IT and cybersecurity professionals by TechTarget’s Enterprise Strategy Group and the Information Systems Security Association (ISSA), more than one-quarter (27%) of respondents rate their organization’s cybersecurity culture as fair or poor. A weak security culture is a significant problem for organizations that can lead to the exposure of sensitive business information.

Building a strong security culture in an organization involves not only training but also fostering an environment where employees understand that security is a shared responsibility across the enterprise and where all employees understand their role in reducing cyber risk. Fostering a culture that makes employees partners in safeguarding enterprise data and information goes a long way toward minimizing the human element of cyber risk.

Providing employees with secure by design collaboration tools

When employees are provided with secure collaboration tools, they will not turn to unsecure messaging and collaboration apps that expand the cyberattack surface in organizations. Today, CISOs are increasingly concerned about the widening attack surface created by the proliferation of these tools in the enterprise. According to data from Proofpoint, 39% of CISOs view Slack/Teams/Zoom/other collaboration tools as one of the top three systems introducing risk to their organizations.

Using secure by design mobile messaging technology closes security gaps created by employee use of unsecure communication and collaboration apps that leave enterprises vulnerable to cyberattacks and data breaches. Mobile messaging platforms designed for the enterprise feature end-to-end encryption (E2EE), protecting data at rest and in transit and ensuring that only the sender and receiver can read messages. The E2EE built into these platforms, coupled with robust administrative controls that embed data security and compliance into business communication across every channel, reduces the attack surface, leaving no point of entry for malicious hackers intent on accessing sensitive enterprise data.

Encouraging reporting of security incidents

To be human is to make mistakes and cybersecurity errors will happen. When employees do err by clicking on a suspicious link or becoming the victim of social engineering, it is important for them to understand how to report security incidents like these. Enterprises should establish procedures and clear channels of communication for reporting potential security incidents or suspicious activities. This allows organizations to initiate the response process more quickly and raise awareness of reported incidents or suspicious activities so other employees do not fall victim to these attacks.

Wrapping up

There is no question that the human element is critical for effectively preventing cyber intrusions. To mitigate the human error behind 68% of the cyber breaches occurring today, enterprises should take a proactive, human-centric approach to cybersecurity. That approach should include investing in employee awareness training, setting and enforcing clear policies, implementing a zero trust architecture, building a strong security culture, providing employees with secure by design collaboration tools and encouraging reporting of security incidents.


The post Strategies for Mitigating the Human Element of Cyber Risk appeared first on Cybersecurity Insiders.

Identity security has become increasingly complex, presenting a formidable challenge for CISOs, security operations (SecOps), and identity and access management (IAM) teams worldwide. It’s not surprising then that a staggering 80% of today’s cyber attacks begin with compromised identities, making them everyone’s business as the most critical attack vector to protect. 

Unfortunately, many organizations are struggling to effectively get ahead and stay ahead of malicious attackers and compliance demands. Many times, awareness of an attack comes too late. Even when teams know they’re under attack, response times are too slow, and teams can’t get to the root of the problem fast enough or understand the potential areas of impact.  

The Identity Security Complexity Challenge 

Complexity makes it nearly impossible to detect and respond to identity threats effectively. Getting to the source of the breach and mapping the blast radius across a complex identity fabric takes too long, leaving organizations more vulnerable than ever.  

What makes it so hard? The answer centers around complexity caused by three main challenges:

  1. Scale: The sheer number of identities, human and machine, to manage across an ever-expanding cloud landscape with hundreds of SaaS applications, internal users, third parties, and non-human identities is growing constantly. According to Gartner, non-human identities outnumber human identities by as much as 10 to 45 times.
  2. Speed: The pace of change for identities operating in this dynamic environment is faster than any human could ever tackle manually. While the adoption of automated IAM tools has made it possible to provision and de-provision automatically, there is a tremendous amount of risk introduced in the “messy middle” of the user’s lifecycle, and access permissions must continuously adapt to risk levels. 
  3. Blind Spots: Organizations operate in silos across disparate systems, processes, and teams, and many manage identities in silos as well. The result is a lack of situational awareness: teams are unable to see every identity, and its corresponding risk, in real time.  

When an identity has been compromised, SecOps and IAM teams quickly must work together to identify and respond to the threat by answering these questions: 

  • Which identities are impacted?
  • Where are we vulnerable?
  • Which of those impacted are privileged users?
  • What stage of attack are we in?
  • How can we stop the attack without disrupting the flow of business?

In the recent attacks on MGM and Okta, we saw that being unable to quickly answer these questions resulted in financial and reputational damage. Organizations must find a way to achieve always-on visibility, superhuman precision, speed, and intelligent insights. This is where AI for identity security can help.

AI – The Newest Ally on the Identity Security Battleground

AI offers hope for SecOps and IAM teams to jointly navigate the intricacies of identity security. From proactive identity threat detection to adaptive identity and access security, AI can revolutionize how organizations defend against these identity-driven attacks and manage the dynamic nature of digital identities by providing them with unparalleled capabilities that transcend human limitations in speed, scalability, and predictive accuracy. Here are some key ways AI can empower SecOps and IAM teams:

1. Reduce the Time of Exposure and Risk: AI-based systems can detect and analyze threats before human analysts are aware of their existence. By continuously verifying and cross-referencing data patterns, AI identifies deviations indicative of potential cyber threats. This early detection is crucial during cyberattacks, enabling SecOps teams to initiate swift response measures to contain and neutralize threats before they inflict significant damage.

2. Operate a Burnout-Free Zone: Unlike humans who require rest and downtime, AI operates continuously without fatigue. This perpetual vigilance allows AI to monitor systems around the clock, detecting threats and anomalies even during non-business hours. Consistent monitoring and response capabilities can reduce the risk of oversight due to human limitations. Cybercriminals are relentless, making slight modifications to their methods with great frequency and even using AI themselves. Assigning a person to this kind of round-the-clock defense quickly becomes monotonous, leading to fatigue and an increase in human error. AI takes the redundancy out of the equation, deploying a system that doesn’t understand the concept of burnout. It goes above and beyond, handling repetitive tasks while also learning from all data that enters the system.

3. Achieve Faster Response Times: AI-based cybersecurity systems can respond immediately to threats compared to human analysts. Machines process and analyze vast amounts of data at incredible speeds, enabling them to detect and respond to anomalies in real time. While human intuition is invaluable, AI often identifies and addresses potential issues before they escalate, minimizing response times and mitigating risks quickly.

4. Stay Ahead of the Attackers: AI learns and improves continuously through algorithms, enhancing its ability to identify and mitigate risks over time. By analyzing historical data and current patterns, AI-powered solutions evolve to recognize new threat vectors and adapt defenses accordingly. This proactive approach ensures that SecOps and IAM teams stay ahead of emerging threats, leveraging AI’s evolving capabilities to bolster cybersecurity postures.  

5. Bridge the SecOps and IAM Gaps: One of the primary challenges in identity-centric security is the disparate nature of data and tools used by CISOs, IAM, and SecOps teams. AI bridges these gaps by integrating data from diverse sources and presenting unified insights into identity-related risks. By establishing a common language of risk assessment and threat detection, AI can enable seamless collaboration and coordination across functional boundaries. Identity security AI assistants can apply natural language processing to complex queries and threat-hunting efforts, so that everyone can participate using the terms they regularly use, with the AI responding with clear guidance on how to remediate risks most efficiently. 

Leverage AI for Identity-Centric Security Now

By harnessing AI’s superhuman abilities, organizations can bolster their cybersecurity defenses, respond swiftly to threats, and maintain a proactive security posture that adapts to the complexities of today’s digital landscape. 

As AI continues to evolve, its role in enhancing cybersecurity resilience and mitigating risks will become increasingly indispensable in safeguarding critical assets and maintaining trust in an interconnected world.

The post AI for Identity Security: 5 Ways AI Augments SecOps and IAM Teams Today appeared first on Cybersecurity Insiders.

Recent cybersecurity incidents affecting auto dealerships nationwide have underscored the growing importance of strong security measures. United States government organizations have emphasized that entities handling sensitive customer financial information must establish data protection protocols. Given that auto dealerships fall into this category, they are expected to comply with the FTC Safeguards Rule.

The FTC’s rule requires entities to “develop, implement and maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information.” This rule presents an opportunity for the industry to come together, share best practices and ultimately enhance individual organizations’ cybersecurity posture.

For auto dealership decision-makers wondering where to start when implementing robust security measures, here are four industry-wide best practices to consider.

#1: Identify Critical Vendors and Systems

Conduct an inventory of all third-party systems used in your dealership by cataloging every third-party application, software and service utilized across operations. Systems include your dealership management system (DMS), customer relationship management (CRM) software, and even smaller, less conspicuous tools like service scheduling platforms. Create a comprehensive list that details each system’s purpose, usage frequency and access points. Conducting an inventory will serve as the foundation for understanding where your critical dependencies lie.

Determine which systems are essential for your dealership’s smooth functioning. Systems such as your DMS, CRM and inventory management platforms are often at the top of this list due to their central role in managing sales, customer interactions and vehicle inventory. Evaluate the impact of each system’s potential downtime or breach. Prioritize these systems based on their importance and the severity of the consequences should they be compromised. For instance, a breach in your DMS could lead to significant financial losses and operational disruptions, while issues in your CRM could affect customer trust and satisfaction.

#2: Assess Security Measures

Check if critical vendors have basic cybersecurity measures in place. Ask them about their security practices and if they have any certifications (like ISO 27001) that demonstrate a commitment to maintaining high-security standards. Other questions to consider asking include:

  • How do they manage data encryption? 
  • What are their access control measures? 
  • Do they perform regular security audits?
  • Can you provide reports from security audits or assessments?

Additional security steps your teams can take include:

  • Ensure you protect critical systems with strong passwords, regular updates and antivirus software.
  • To add an extra layer of security, consider using multi-factor authentication (MFA) where possible.
  • Regular updates are crucial for fixing vulnerabilities that cyber attackers could exploit. Establish automatic updates where possible and have a process for manually applying critical patches. 
  • When choosing antivirus software, prioritize those that perform regular scans and are updated frequently to recognize the latest threats. Antivirus software can help detect and neutralize malicious activities before they cause significant damage.

#3: Limit the Blast Radius

Divide your network into separate segments. For example, keep your sales and financial systems separate. This way, if one part of your network is compromised, the others remain safe. Ensure that each segment has strict access controls, allowing only authorized personnel to access specific segments. For instance, sales personnel should not have access to financial data, and vice versa.

Use the principle of least privilege for vendor access to your systems. Grant vendors the minimum level of access necessary to perform their tasks. By limiting their access to only the systems and data they need, you can effectively reduce the potential impact of a compromised vendor account. Implement continuous monitoring of vendor systems to detect any unusual or suspicious activity. One helpful tool is a security information and event management (SIEM) tool, which collects and analyzes log data from various sources, providing real-time visibility into potential threats.

#4: Backup and Recovery

Establish a schedule for regular backups of all critical data, including customer information, financial records, sales data and inventory details. Determine the frequency of backups based on the data volume and the information’s criticality. Daily or weekly backups are common practices for maintaining up-to-date records.

Consider having redundant systems or alternative vendors for critical functions. For example, have backup servers or alternative systems ready to take over if the primary system fails. Redundant systems minimize downtime and ensure business continuity. 

Create detailed business continuity plans for each critical vendor system. These plans should include step-by-step procedures for recovering critical systems, restoring data and resuming normal business activities. Identify and document alternative processes or manual workarounds for critical functions. For instance, if your digital sales system goes down, have a plan in place for processing sales manually.

Test and update these backup processes annually. Perform scenario-based drills that simulate different types of disruptions. These drills help identify potential weaknesses in your recovery plans and provide opportunities for improvement. Update your backup and recovery plans based on lessons learned from actual and simulated events, and communicate changes to team members so they have the most current version of the plan.

Embracing Collective Progress 

As you adapt your business to these policies, it’s crucial to view them through a lens of collective progress. Each new security measure implemented, each lesson learned from a simulation and each collaborative effort between dealerships contribute to the overall resilience of the automotive industry.

Looking ahead, the true measure of success will not be avoiding every possible threat—an unrealistic goal in today’s digital world—but how swiftly and effectively you respond when challenges arise. By fostering a culture of openness, continuous learning and mutual support, auto dealership decision-makers can protect individual businesses and strengthen the entire automotive ecosystem. In doing so, industry leaders can safeguard operations and reinforce customer trust.


The post Navigating the FTC Safeguards Rule: A Guide for Auto Dealerships appeared first on Cybersecurity Insiders.

Business Email Compromise (BEC) is a social engineering scam where attackers impersonate legitimate business emails to defraud employees, partners, and potentially even customers. While deceptively simple, these attacks can cause significant financial damage. 

BEC scams, like most cyber-attacks, are global. They’ve been reported in all fifty states and 177 countries, with the financial harm now exceeding $50 billion. According to the FBI, BEC is one of the most financially damaging online crimes and exploits because so many of us rely on email to conduct personal and professional business. In March, the FBI Internet Crime Complaint Center (IC3) released its 2023 Internet Crime Report, highlighting BEC as a significant business threat, resulting in losses of nearly $3 billion – a 7% increase over 2022’s $2.7 billion total. 

Simple to Execute with Increased Sophistication 

To carry out a BEC scam, attackers need only an email service to create convincing emails targeting unsuspecting victims. According to Arctic Wolf Network’s State of Cybersecurity: 2024 Trends Report, almost three quarters (70%) of organizations were the target of attempted BEC attacks in the past year, with nearly a third (29%) of these targets victims of one or more successful BEC occurrences.

Using email for cyber fraud that targets businesses is not new, but the growth of AI is making BEC more widespread and dangerous. Today, AI tools can generate highly personalized, legitimate-looking emails that can easily mislead recipients. Attackers can combine usernames, email addresses, and passwords and use email templates to automate the process. Through APIs, attackers can also scale their operations, targeting a vast number of victims at one time. The criminals also have the ability to buy email servers and domains in bulk, allowing them to target multiple organizations simultaneously.

Common BEC Business Scams 

BEC attacks can be very specific in nature, but they share the same end goal: to steal data for financial gain. Four common BEC scams that are built to deceive employees include:

CEO Fraud. In this attack, malicious actors impersonate a high-level executive, often a corporate CEO. They create a mirror image email address and target employees, frequently those new to the organization, or those unfamiliar with approval processes, who may be the least suspicious. The emails will often contain a request asking that the recipient act urgently to complete a task, such as transferring funds to a fraudulent account.

Business Data Theft. Here, attackers target the HR or accounting departments to steal sensitive information. This information could include personal identifiable information (PII) of employees, intellectual property, or corporate financial data. 

Fake Invoices. This type of scam was recently used to defraud a Massachusetts town and school district out of nearly half a million dollars. The criminals impersonated a legitimate vendor using email and sent invoices to town employees requesting payment. These invoices directed electronic payments to a fraudulent account. Employees then inadvertently sent town funds to the criminals.

Employee Account Compromise. In this scenario, all employees are at risk of becoming targets. Threat actors attempt to gain access to an employee’s email account. Once compromised, they can use the account to launch further BEC attacks or steal credentials for more critical systems.

BEC scams over the years have proven that no business, government, or organization is immune – whether it be tech giants, government bodies or even charities. We’ve seen Facebook and Google become victims when a phishing attack conducted by attackers impersonating a known vendor emailed authentic-looking invoices to employees asking for payment. A BEC scam successfully set a fraudulent transfer in action, costing the government of Puerto Rico $2.6 million. Even Save the Children has not escaped a BEC scam, losing $1 million when scammers compromised an employee’s email after posing as a staff member.

Stealing Email Login Information: Another Means to Data Theft 

BEC attacks do not only center on email impersonation. Threat actors also create fraudulent websites designed to obtain employee login credentials. These websites can mimic legitimate login pages for widely used email services such as Microsoft Exchange and Gmail. 

Here’s how it may happen. Attackers send emails containing links to fake website domains. Employees click the link and are redirected to what appears to be a legitimate login page, but instead is the fake domain. Unaware of the deception, the employee enters their login credentials, which are then captured by the cybercriminal. This gives them the ability to move through the organization’s network, potentially compromising additional accounts and stealing data.

Early Detection of BEC Attacks through a Multi-Layered Security Approach

Most current security solutions rely on a reactive approach, identifying emails already targeting users within an organization’s network. These solutions use techniques like machine learning to learn user behavior and communication patterns, then flag suspicious emails that fall outside the known patterns. Security Operations Centers (SOCs) play a role by shutting down these threats.

In addition to analyzing emails at the user level to recognize and quarantine threats, organizations typically identify potential BEC scam domains and block them. They also enforce policy through Domain-based Message Authentication, Reporting and Conformance (DMARC), which helps detect domains spoofing their business.

While a reactive approach provides many benefits, it doesn’t take into account potential threats from internet tools that haven’t yet been weaponized. Many potential attacks are not currently in use, but exist in an unarmed state, at the ready when needed. For example, attackers often purchase domains resembling legitimate companies and leave them dormant for extended periods of time until they can be useful in launching an attack. 

The answer lies in a multi-layered security approach that combines contextual threat detection and takedown measures with steps to stop the attack at its source, including identifying and taking down domains suspected of becoming hosts for email servers and phishing pages. This allows organizations to proactively identify and disrupt BEC attacks before they inflict damage. A layered defense can also significantly improve overall security posture by using automation to take some of the burden off already taxed security and SecOps teams.
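Two of the layers described above (checking how strictly a DMARC policy is enforced, and spotting lookalike sender domains before they are used in a credential-phishing or fake-invoice campaign), as an added example that is not code from the original post. The domain `example-town.gov`, the DMARC records and the message headers are all constructed for the example.

```python
"""Added example, not code from the original post: two layered checks a mail
security team can run offline. dmarc_strength() parses a DMARC TXT record and
says how much spoofing protection it enforces; flag_lookalike_senders() flags
sender domains that imitate the organisation's own domain (digit swaps, rn/m,
Cyrillic homoglyphs, dropped hyphens, wrong TLD). OUR_DOMAIN and every sample
value below are constructed for the example."""
import unicodedata

OUR_DOMAIN = "example-town.gov"  # constructed: the domain we are protecting

# Single characters that render like Latin letters: digits plus Cyrillic homoglyphs.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
})

def parse_dmarc(txt: str) -> dict:
    """'v=DMARC1; p=reject; rua=mailto:...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_strength(txt: str) -> str:
    """Classify a DMARC record: 'missing', 'monitor-only', 'partial' or 'enforced'."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy is applied to
    if policy == "none":
        return "monitor-only"  # receivers report spoofed mail but still deliver it
    if policy in ("quarantine", "reject") and pct == 100:
        return "enforced"
    return "partial"  # enforcing policy, but only on a sample of failing mail

def skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings collapse to one string."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # strip accents
    d = d.translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")  # letter pairs that read as one letter
    return d.replace("-", "")

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the quadratic cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender_domain: str, our_domain: str = OUR_DOMAIN) -> bool:
    """True when the sender domain is not ours but is close to it after normalisation."""
    if sender_domain.lower() == our_domain.lower():
        return False  # our real domain; SPF/DKIM/DMARC, not this check, vouches for it
    a, b = skeleton(sender_domain), skeleton(our_domain)
    a_name, b_name = a.rsplit(".", 1)[0], b.rsplit(".", 1)[0]
    # Close overall (a typo), or the same name under another TLD (example-town.com).
    return levenshtein(a, b) <= 2 or levenshtein(a_name, b_name) <= 1

# Constructed sample of message headers as exported from a mail gateway.
SAMPLE_MESSAGES = [
    {"from": "accounts@vendor-supplies.com", "subject": "Invoice 4471"},
    {"from": "treasurer@examp1e-town.gov", "subject": "Updated bank details for invoice 4471"},
    {"from": "it@exampl\u0435-town.gov", "subject": "Password reset required"},  # Cyrillic e
    {"from": "clerk@example-town.gov", "subject": "Meeting minutes"},
]

def flag_lookalike_senders(messages, our_domain: str = OUR_DOMAIN) -> list:
    """Return the From addresses whose domain imitates our own."""
    return [m["from"] for m in messages
            if is_lookalike(m["from"].rsplit("@", 1)[-1], our_domain)]

if __name__ == "__main__":
    print(dmarc_strength("v=DMARC1; p=none; rua=mailto:dmarc@example-town.gov"))
    print(flag_lookalike_senders(SAMPLE_MESSAGES))
```

A `p=none` record only asks receivers to report spoofing; the lookalike check is the complementary layer, since a registered typosquat passes DMARC for its own domain and is only caught by comparing it against yours.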

While no security approach is a guarantee against BEC attacks, the best defense is a good offense. The benefits of early threat detection enable businesses to reduce the likelihood of financial loss or operational disruption from the increasing cyber threats weaponizing email.


The post Business Email Compromise (BEC) Attacks are Deceptively Simple and Destructive: Protecting your Business appeared first on Cybersecurity Insiders.

As the cyber workforce skills gap persists, companies that fail to upskill their IT teams with the knowledge to defend themselves in the ever-changing tech landscape are vulnerable to opportunistic attackers. In addition to prioritizing skills for emerging tech trends, organizations need to ensure their workforces have fundamental skills to conduct active cybersecurity measures effectively, including the know-how to defend against AI-powered threats.   

Against a backdrop of growing cyber skills gaps in the technology workforce, a recent survey conducted by Pluralsight found that 81% of surveyed IT professionals are concerned about the rise in AI-powered threats. Surveyed respondents indicated that threat intelligence is the most valuable skill for addressing emerging cyberattacks, with reverse engineering cited as the second most valuable security skill. IT workforces must possess the right skills to combat these threats and mitigate risk. 

These findings underscore the AI-powered threats that organizations are facing as they seek to fill traditional positions or, in some cases, create new cybersecurity roles to bolster their resistance and better defend themselves in the future. As confirmed in a recent warning issued by the FBI, the threat posed by cyber criminals utilizing AI tools to conduct sophisticated phishing/social engineering attacks and deepfake scams is on the rise.

Bad Actors Gain Proficiency Using AI

While the proliferation of AI doesn’t necessarily drive an increase in threats, it enhances the proficiency and scale of bad actors to conduct cyberattacks, thus driving the need for workforces to be better prepared to address risks. In the same way that a legitimate developer can leverage AI tools, malware developers can also take advantage of these tools to find faster and more effective ways to launch an attack. Cybersecurity professionals should proactively be aware of these AI tools, their capabilities and how attackers use them to better educate themselves on how to defend against them.

To avoid common cybersecurity upskilling mistakes, organizations need to focus on active security operations, assessments, control measures, and consistently practicing their response to simulated AI attacks. By analyzing threat intelligence, organizations can gain valuable insights into the tactics and techniques of threat actors and form better security strategies. This information helps security leaders make informed decisions about security strategies, resource allocation, and prioritization of cybersecurity defenses.

Take Action Now or Be Left Defenseless 

As threats continue to escalate, organizations that are not currently taking action to enhance the cybersecurity skills of their workforce will find themselves defenseless against attacks. To upskill teams to defend against AI-powered threats, all security related roles should incorporate threat intelligence into their day-to-day functions to establish actionable insights and proactive measures.

The benefits of threat intelligence measures include creating preemptive defense strategies, driving informed decision making, and enhancing incident response capabilities. Organizations that leverage threat intelligence are better positioned to stay ahead of potential threats by recognizing early warnings of malicious activities and executing timely mitigation to thwart a successful attack.  

Threat intelligence also enhances incident response capabilities by providing context related to security related incidents such as malware, phishing, social engineering, and password breaches. By enabling organizations to understand the scope and source of incidents, threat intelligence can increase the speed and efficiency of response efforts. 

Implement Threat Intelligence to Boost Defenses 

Cybersecurity measures against AI-powered attacks will accelerate and become more comprehensive as the threat landscape grows. As such, IT professionals need to be continually trained to protect against these threats by implementing threat intelligence into their workflow and leveraging the active security skills that are needed to boost their organization’s defenses.


The post IT Professionals: Threat Intelligence is the Most Valued Skill to Combat AI-Powered Cyber Threats appeared first on Cybersecurity Insiders.

If you work in the security industry, you have likely heard about the polyfill.io incident that came into the public light a couple of weeks ago. We don’t know exactly how many websites were affected, but it seems we have a large window of between 110,000 and several million, according to a tweet by Cloudflare’s CEO, Matthew Prince. 

Affected users were being taken to a sports betting website, and what’s clear is that it could have been a lot worse. That’s because when an attacker gets their code running on any website without restriction, they can mass-collect any sensitive data the website normally handles. This includes Personally Identifiable Information (PII), payment data, Protected Health Information (PHI), etc. But that’s not all. Attackers can tamper with the webpage DOM, changing what the user sees, asking the user for more information, or redirecting them to phishing websites where their credentials and money can be stolen.

Now, multiply that by the number of users across hundreds of thousands or millions of websites. Luckily, in this latest instance, Namecheap decided to take the domain down after public pressure demanded it. And now everyone is safe from this particular incident (yes, you can still visit that sports betting website if you really want to!). As I mentioned earlier, it could have been far more damaging: the time it took to uncover this attack would have given a skimmer a big enough window to skim thousands or even millions of credit cards, or enough time to leak personal data from millions of people. All of which would have returned the attacker’s investment many times over (the word on the street is that the domain and the GitHub repo were transacted for $1M).

Despite the mild actual consequences, if you think about the potential scope of the attack, it was bad. Not because it was new, but because it wasn’t. Almost every year a major Node.js package is compromised with malware. For example, in 2021, attackers hijacked the developer’s account and injected malicious code into the ua-parser-js NPM package, including a crypto-miner and password-stealing code. In another instance, in 2018, the widely used NPM package event-stream was compromised and, in that case, emptied specific Bitcoin wallets that were using that dependency. It was bad because, once more, it showed how vulnerable the web is right now to supply chain attacks.

The polyfill.io incident, like the XZ incident or attacks based on defunct domains, shows a trend in which attackers deliberately seek control of third-party components in order to get malware running on thousands of apps without much hassle. They do this, respectively, by offering to buy these projects, by tricking current maintainers into handing over control, or by exploiting the lack of proper code hygiene that plagues the web today.

At first glance, we could argue that one way to address the problem would be to dramatically improve visibility over who owns these projects and provide warnings on ownership changes. Or, we could make it even simpler by doing that just for the corresponding domain names, assuming whoever owns the domain owns the project. This could begin with banning anonymized WHOIS records on these domains and end with proper validation of the domain owner’s identity. But, at the end of the day, we will still be vulnerable because we don’t know the agenda of the new owners, and, as many security people know, security based only on reputation is bound to fail (as recently made evident by the XZ incident). The problem with the polyfill.io incident also cannot be solved by asking people not to sell components used by thousands of websites, because more of that will happen.

The problem needs to be solved individually by every website developer. Developers must select a good security architecture, carefully picking what software components they want to be exposed to, and make sure that any impact coming from those components is attenuated with proper security isolation.

We have talked about this in the past, first revisiting the last 20 years of web isolation features. From there, we concluded that the web does offer native isolation mechanisms. But knowing how to use them properly is not always simple. In fact, more often than not, people relax these mechanisms to make things work, sacrificing tighter security. We then addressed the elephant in the room by telling people what they already know: patching alone isn’t working and should be complemented with good security architecture, attack surface reduction, and proper isolation mechanisms.

So, if we have the tools and knowledge to do it, why do we continue to fail? It’s because, despite how many times we have said this, security is still an afterthought, and the only way to get it right is to plan for it right from the beginning. Web applications became the standard way to offer software to people, not just because they are portable, but mainly because they are the quickest and cheapest to build. And the main reason behind this is that, intentionally or not, their nature is to be highly composable. Whoever came up with <script src> and the Same Origin Policy that allows for the embedding of scripts was on to something. Just not something with security in mind.

We don’t believe people made a conscious decision to choose higher composability and higher exposure to supply chain attacks over less composability and less exposure to supply chain attacks. It is just how things happened, and now that higher exposure to supply chain attacks is knocking on our door, the payment is due. So where does that leave us? Rather than crossing our fingers and hoping we are not using the next polyfill.io when it hits, the community needs to start figuring out how future web applications should be secured.

The good news is that the community has started taking action, and here is what we determined: unless you decide to stop using third-party software that you don’t control, your best option is to stop trusting your dependency stack and start properly isolating each component.

Today’s browsers already offer a number of mechanisms like the Same Origin Policy (leveraged by cross-origin iframes) or the Content Security Policy (CSP). These things are great, but if you try to build a defense based solely on what the browser provides, it will soon feel like you are working on a patchwork quilt. Web security standards seemingly grew in a semi-chaotic way, with small, incremental improvements getting picked over complete redesigns of security and isolation mechanisms. It makes sense, since the web is a living standard and keeping things working is critical. Even when keeping things working equates to poking holes into browser isolation mechanisms and making them bypassable.

So, people came up with other mechanisms to provide stronger, more resilient solutions to defend against third-party components. These solutions are split into those that require you to adapt your code and those that are transparent and do not require any changes. The former, like approaches based on Secure ECMAScript (SES), follow the object-capability (ocap) principle and can be quite secure. However, the integration work and the not-so-easy debuggability can be intimidating. The latter approaches were developed with visibility and transparency as main design principles, resulting in friendlier adoption.

Both approaches offer ways to sandbox scripts, specifying in fine-grained detail which capabilities (or code behaviors) each dependency should be given access to, unlike browser-native features, which lack that granularity. Ultimately, this is what protects applications from the issues that will inevitably arise with some of the components they use. It prevents compromised components from touching sensitive data or from compromising the integrity of the other parts of the application.
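The granularity gap between CSP and script sandboxing, made concrete with a small evaluator for the `script-src` directive. This is an added example, not code from the original post; the page origin, CDN host and policies are constructed, and nonce/hash sources and path matching are deliberately left out.

```python
"""Added example, not code from the original post: an evaluator for the
script-src part of a Content Security Policy. It shows the granularity CSP
gives you (which hosts may serve scripts) and what it cannot express (what an
allowed script may do once it runs in your origin). Origins and policies are
constructed for the example; nonce/hash sources and path matching are not
modelled."""
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict:
    """"default-src 'self'; script-src 'self' https:" -> {directive: [sources]}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _host_matches(pattern: str, host: str) -> bool:
    """Exact host, or '*.example' matching any subdomain (not the apex itself)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def _source_matches(source: str, script_url: str, page_origin: str) -> bool:
    """Does one source expression permit loading script_url into page_origin?"""
    s, p = urlsplit(script_url), urlsplit(page_origin)
    if source == "'self'":
        return (s.scheme, s.hostname, s.port) == (p.scheme, p.hostname, p.port)
    if source == "*":
        return s.scheme in ("http", "https")
    if source.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces, hashes never match a URL here
    if source.endswith(":"):
        return s.scheme == source[:-1].lower()  # scheme-source such as https:
    if "://" in source:  # host-source with an explicit scheme
        scheme, _, hostport = source.partition("://")
    else:                # bare host-source: matches the page's scheme family
        scheme, hostport = "", source
    hostport = hostport.split("/", 1)[0]  # path part is not modelled
    host, _, port = hostport.lower().partition(":")
    if scheme and s.scheme != scheme.lower():
        return False
    if not scheme and s.scheme not in ("http", "https"):
        return False
    if port and port != "*":
        effective = s.port or {"https": 443, "http": 80}.get(s.scheme)
        if str(effective) != port:
            return False
    return _host_matches(host, s.hostname or "")

def script_allowed(header: str, script_url: str, page_origin: str) -> bool:
    """Would <script src=script_url> be permitted on a page served with this CSP?"""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))  # spec fallback
    if sources is None:
        return True  # no governing directive: CSP does not restrict scripts at all
    return any(_source_matches(src, script_url, page_origin) for src in sources)

PAGE = "https://shop.example"  # constructed first-party origin
# Weak: 'https:' lets any HTTPS host on the internet serve scripts into the page.
WEAK = "default-src 'self'; script-src 'self' https:"
# Tighter: one named CDN host only. It still says nothing about what that script
# may read or change, and keeps allowing the host after it changes hands.
TIGHTER = "default-src 'self'; script-src 'self' https://cdn.thirdparty.example"

def demo() -> dict:
    cdn = "https://cdn.thirdparty.example/polyfill.min.js"
    elsewhere = "https://unlisted-host.example/x.js"
    return {
        "weak_allows_cdn": script_allowed(WEAK, cdn, PAGE),                  # True
        "weak_allows_elsewhere": script_allowed(WEAK, elsewhere, PAGE),      # True
        "tight_allows_cdn": script_allowed(TIGHTER, cdn, PAGE),              # True
        "tight_allows_elsewhere": script_allowed(TIGHTER, elsewhere, PAGE),  # False
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The only question the policy can answer is whether a host may serve a script; once the CDN script is allowed, CSP has no way to say that it may not read the payment form, which is the gap the sandboxing approaches above fill.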


The post What is the Polyfill incident trying to tell us, if we bother to listen appeared first on Cybersecurity Insiders.

New independent research commissioned by Six Degrees has found that, over the last 12 months, 40% of IT decision-makers at SMEs felt rushed while undertaking public cloud migration projects. 

Out of all the sectors covered in the report, those working in finance and insurance were most likely to experience these feelings. Indeed, close to 60% confirmed they felt pressure to deliver quickly on cloud transformation project outcomes.

With 80% of Heads of Infrastructure feeling rushed compared to just 20% of CTOs, data from Six Degrees’ UK SME Cloud Intelligence Report 2024 suggests these stresses are more likely to impact junior IT decision-makers. 

Perhaps this illustrates that, while CTOs are generally responsible for setting public cloud adoption objectives, the pressure falls on more junior IT decision-makers to deliver — even if those outcomes may take longer than anticipated to produce or the objectives are not clearly thought through.  

A short-term view and poor planning mean pressure from the offset 

Despite growing evidence of more mature public cloud adoption strategies, our research shows that many businesses are still migrating to the cloud primarily to save money and realise cost savings quickly. 

Our data suggests that almost 30% are looking to reduce capital investment, 25% hope to reduce operational costs, and 32% are aiming for improved flexibility (which is often a euphemism for cost savings). 

This is a serious mistake: If a business case for cloud migration is predicated primarily on savings benefits, then those implementing the project will feel almost immediate pressure. 

They’ll soon discover that the application modernisation needed to realise savings is harder to achieve and takes far longer than initially anticipated. With project delivery deadlines starting to slide and no cost savings on the horizon, they’ll feel compelled to make up time, which is when costly mistakes can be made. 

Forget savings! Brace for unexpected costs

It’s not just an inability to achieve cost savings; poorly planned and executed public cloud migration projects based solely on delivering cost savings may actually incur unexpected costs, especially (and ironically) if organisations take a DIY approach to cloud migration to keep costs down. 

By taking a basic ‘lift-and-shift’ approach, IT decision-makers will typically push all their applications into their new public cloud environment rather than considering a cloud-native strategy. In addition, they probably won’t change their operating model or necessarily know how to review the architecture, automate critical processes, adapt their applications, or maintain a strong security posture. 

Today, of course, they’d also need to consider how to navigate AI implementation, long-term hybrid working, and ESG best practices in a cloud-first environment. It’s quite a task to take on in-house with no support, which might explain why half of respondents said that migrating to the cloud was a much bigger task than expected.

According to our research, almost eight out of 10 UK SMEs have experienced unexpected costs or budget overruns related to their cloud usage. We can also reveal that overspending on cloud usage is more common in the public than private sector—and most common of all in government cloud projects. An incredible 93% of government sector-related SMEs experienced unexpected costs or budget overruns related to their cloud usage. That’s followed by 84% of SMEs operating in the education sector.

This almost universal propensity to overspend demonstrates the need for a clear cloud adoption strategy from the outset. It also highlights a need among SMEs for ongoing cloud management, governance, and FinOps integration as their cloud migration journey evolves. 

Align your cloud and business strategy 

To be successful, an organisation’s cloud adoption strategy should be an extension of its business strategy. So, it’s reassuring that our research shows some alignment between the top objective for the next 12 months (improving security) and the top driver for cloud adoption (security). 

Our data also indicates that some respondents are migrating to public cloud to access innovative technology and adopt new applications that require a hosted environment. These are mature and rational cloud adoption drivers with realistic outcomes—and will play a major part in improving business efficiency, customer experience, and staff productivity.

Public cloud migration projects of this nature will likely have well-thought-out long-term goals. As a result, IT decision-makers will probably experience less pressure to deliver immediate short-term outcomes since everyone will understand the timeframe at the outset, and the ultimate goal should be achievable. 

It’s not too late to change course 

Many organisations that migrated to public cloud environments primarily as a cost-saving exercise are rethinking their move because they’re not getting the expected commercial benefits — often because applications in their public cloud environments don’t or can’t scale. In fact, a lot of them are considering if some of their applications might be better suited to a different environment — perhaps returning them to on-premises infrastructure and/or private or managed data centres. 

This could explain the rise in hybrid cloud adoption and why, according to our research, most (37%) SMEs now operate a predominantly hybrid cloud environment — more than double the number that operate a predominantly public cloud environment (16%).   

Whichever strategy you decide to take, remember that we’re experiencing a considerable shortage of cloud engineers and security staff, so it’s wise to find a trusted IT partner that you can work with right from the outset. Although it may look more expensive on paper, taking this route will ultimately save money, help align your business strategy with your cloud strategy, maintain a strong security posture, and generally enhance the IT skills and experience across your business.  

To download a full copy of the Six Degrees UK SME Cloud Intelligence Report 2024, please visit: https://www.6dg.co.uk/whitepaper/uk-sme-cloud-intelligence-report-2024/ 


The post Why Do So Many IT Decision-Makers Feel Rushed During Public Cloud Adoption Projects? appeared first on Cybersecurity Insiders.

One of the most effective tools in our cybersecurity arsenal at Exabeam is the regular deployment of phishing simulations. These exercises are not just routine checks but essential components of our defense strategy, especially during significant organizational change and public announcements.

Phishing attacks are among the most common and effective methods cyberattackers use to infiltrate organizations. These malicious actors are constantly on the lookout for any opportunity to exploit vulnerabilities and are particularly adept at capitalizing on periods of heightened emotions and uncertainty. Public announcements, such as new product launches, leadership changes, or significant partnerships, can create an environment ripe for exploitation. During these times, employees may be more distracted and anxious, making them prime targets for sophisticated phishing attempts.

It’s time to wake up. Attackers have no regard for internal company dynamics or the stress levels within your teams. Their sole focus is on finding and exploiting any weakness to disrupt your business. They will prey on any situation, no matter how sensitive or challenging it may be for the individuals involved. They do not care how anyone feels. This ruthless opportunism is precisely why phishing simulations are so important — they prepare us for the worst-case scenarios by exposing potential vulnerabilities before real attackers can.

The Benefits of Phishing Simulations 

Phishing simulations provide invaluable insights into the effectiveness of security training programs. By simulating real-world attacks, organizations can identify gaps in knowledge and behavior that might otherwise go unnoticed. This allows security teams to tailor training efforts to address specific weaknesses, ensuring that employees are better equipped to recognize and respond to actual threats. The data collected from these simulations can also inform broader security policies and strategies, helping organizations stay ahead of emerging threats.

Moreover, these simulations foster a culture of continuous learning and improvement. When employees understand that phishing simulations are not punitive but educational, they are more likely to engage with the training material and take security seriously. This proactive mindset is crucial in creating an environment where everyone feels responsible for the organization’s cybersecurity, not just the IT or security teams.

While one must strive to be mindful of the stress and concerns of employees, it is essential to balance this with the necessity of maintaining robust security measures. The goal should be not to add to the anxiety but to ensure that every member of the organization is better prepared to recognize and respond to potential threats.

It is critical that security vendors not only talk the talk but walk the walk, and are committed to continuous improvement in their security posture. This means not only addressing the technical aspects of cybersecurity but also fostering a culture of awareness and vigilance among employees. By understanding the importance of these simulations and the nature of the threats we face, we can collectively strengthen our defenses and protect our organization from harm.

The stakes are too high to allow complacency. As cyberthreats continue to evolve, so must our defenses. Phishing simulations are a critical tool in our ongoing battle against cyber attackers, helping us ensure that we are always prepared for whatever challenges may come our way. By embracing these exercises and the lessons they provide, we can build a more resilient and secure organization, capable of withstanding even the most determined adversaries.


The post Navigating Cybersecurity in Times of Change: The Unyielding Importance of Phishing Simulations appeared first on Cybersecurity Insiders.

On May 31, 2024, as a result of a hack, 4,502.9 BTC (worth approximately $308M) were stolen from the Japanese exchange Bitcoin.DMM.com. The cybersecurity agency Match Systems has analyzed the current situation of the case.

Japanese cryptocurrency exchange DMM Bitcoin was recently hacked, resulting in the theft of over $300 million in bitcoin. The hackers were able to access a private key, which allowed them to transfer 4,502.9 bitcoins from the exchange’s main wallet. The incident occurred on May 30, 2024, and DMM Bitcoin announced the hack the following day.

The reasons for the hack of the exchange are still unclear. The attack could have occurred as a result of compromised private keys. The keys of a hot wallet connected to the Internet could have been compromised either through an internal threat or an external hack, which could have allowed hackers to initiate a transfer of funds.

We have yet to learn whether social engineering techniques or malware were used to get exchange employees to sign a transaction authorizing the transfer of funds to the attackers’ wallets.

An insider attack scenario cannot be ruled out, in which someone with legitimate access to the system contributed to the hack by giving the hackers the necessary data or initiating the attack.

The investigation revealed that the hackers used the cryptocurrency mixer JoinMarket to launder the stolen funds. More than 2,000 BTC were sent to addresses associated with JoinMarket, while the remaining 2,500 BTC remained at the hackers’ original addresses. The Match Systems team was able to identify the first large withdrawal from the mixer, in the amount of 223.38 BTC, as well as more than 50 withdrawals over 10 BTC that may be relevant to this case.

The full cycle of money laundering can take months to a year, and Match Systems will continue to monitor the movement of the stolen funds and to look into the cause of the attack.

The post Match Systems’ CEO Andrei Kutin Provides Insight on DMM Bitcoin Breach appeared first on Cybersecurity Insiders.