A survey of 1,600 chief information security officers found that more than two-thirds of them (68%) expect a “physical cyberattack” on their organizations in the next 12 months.

The survey, which forms the basis of the annual “Voice of the CISO report” by Proofpoint, an enterprise security company, showed a clear shift among security chiefs in attitudes toward future threats to their organizations. Just 12 months ago, less than half of CISOs (48%) saw a cyber attack on their horizon.

This apparent change suggests that security professionals see the threat landscape as heating up once again, the report noted, and they have readjusted their concern levels to match.

“As we emerged from the pandemic, security leaders realized they were able to implement more long-term controls to protect their work environment, so there was a sense of peace,” said Lucia Milica Stacey, Global Resident CISO at Proofpoint.

“However, as the volume of attacks continues to rise, along with geopolitical tensions and global economic uncertainty, a lot of the optimism is gone,” he told TechNewsWorld.

Reasons for Pessimism

According to security experts, several factors may be contributing to CISOs’ concerns about rising cyber attacks.

“New vectors of attack continue to emerge – software supply chain compromise, third-party and SaaS systems involving APIs, AI-related security risks – each requiring new defensive strategies and skills,” said Carl Mattson, CISO of Noname Security, a provider in Palo Alto, Calif., of a cloud-native API security platform.

“Meanwhile, traditional threats like ransomware or web application attacks are never going away,” he told TechNewsWorld. “With security budgets and staffing levels remaining largely flat, the stage is set for greater risk exposure this coming year.”

The proliferation of endpoints in the enterprise also gives CISOs increased cause for alarm.

Darren Guccione, CEO of Keeper Security, a password management and online storage company in Chicago, said, “IT leaders are finding it increasingly difficult to gain comprehensive visibility, security, compliance and control to protect every employee, on every device, from every location.”

“The expanding attack surface specifically related to cyberattacks is on the rise and IT security teams are competing for talent as macroeconomic conditions tighten budgets,” he told TechNewsWorld.

Adoption of the as-a-service model by threat actors also increases the likelihood of an organization being attacked over the next 12 months. “Phishing as a service and ransomware as a service enable a significant increase in the number and scale of cyber attacks,” explained Avishai Avivi, CISO of SafeBreach in Tel Aviv, Israel.

“At that point, it becomes a statistical reality,” he told TechNewsWorld. “The more attacks, the more likely an attack is to succeed.”

Insider Threat to Data

Proofpoint also reported that CISOs believe employee turnover poses a risk to data security. More than eight out of 10 security chiefs (82%) told researchers that employees leaving their organization contributed to a data loss incident.

“Resource constraints and large staff turnover are likely underlying reasons for the high percentage of CISOs concerned about the loss of sensitive data due to employee turnover,” Stacey said.

The report said the two sectors most affected by turnover were retail (90 per cent) and IT, technology and telecommunications (88 per cent).

These trends leave security teams with a nearly impossible challenge, it continued. When people are gone, it’s hard to stop them from taking data.

Some organizations require written guarantees from former employees that they will delete all company data. Others threaten potential employers with potential liability if an employee shares any data from their old job. But none are even close to being a satisfactory solution.

“Many employees, upon their departure, try to take some aspect of their job with them,” said Daniel Kennedy, research director of information security and networking at 451 Research, which is part of S&P Global Market Intelligence, a global market research company.

“For vendors, this could be contact or customer account information. For other employees, it could be a form of intellectual property, models they worked on or code, for example,” he told TechNewsWorld.

“When I was a CISO,” he recalled, “I was definitely concerned with the hits on our various data loss platforms and departing employees. I could usually predict when someone was going to resign based on their behavior.”

Changing Narratives

The growing concern of CISOs about insiders contributing to data loss represents a departure from previous thinking on the subject.

“There has been a recent shift in thinking, from ‘it is wrong to distrust employees’ or ‘we hire the best people’ to ‘we have to be protected from all kinds of threats’,” said Saurya Biswas, technical director of risk management and governance at NCC Group, a global cyber security consultancy.

“Recent US defense leaks by insiders Jack Teixeira, Chelsea Manning and Edward Snowden may have helped shape this narrative,” he told TechNewsWorld. “It’s not the prevalence of malicious insider trading that has changed, but the awareness around it.”

The level of employee mistrust displayed in the survey probably says something more about a company’s overall culture, maintained Daniel Schwalbe, CISO of DomainTools, an Internet intelligence company in Seattle.

“But it can also be attributed to the rise in remote working, which makes some CISOs feel like they are losing visibility into where their data ends up,” he told TechNewsWorld. “The current realities of a remote workforce have thrown pre-pandemic corporate networks out the window.”

Call for Cyber Resilience

Proofpoint’s report also found that most organizations are likely to pay the ransom when affected by ransomware. Three out of five CISOs (62%) surveyed believed their organization would pay to restore systems and prevent data release if attacked by ransomware in the next 12 months.

CISOs’ organizations were increasingly relying on insurance to shift the cost of their cyber risks, the report said, with 61% saying they would claim on cyber insurance to recover losses incurred in various types of attacks.

“Over the past five years, there has been a general incentive for cyber insurers to pay the ransom and have the cost covered by their premiums,” said Chris Cooper, CISO at Six Degrees, a cyber security consultancy in London, and a member of the ISACA Emerging Trends Working Group.

“Fortunately, this is changing, as paying the ransom only instigates incidents,” he told TechNewsWorld.

“There is also growing evidence that some groups are coming back for a second bite at the cherry,” he added.

Ryan Kalember, executive vice president of cyber security strategy at Proofpoint, urged security chiefs to remain steadfast in protecting their people and data despite the challenges they face.

“If the recent devastating attacks are any indication, CISOs have an even more difficult road ahead, especially given uncertain security budgets and new job pressures,” he said in a news release. “Now that they have returned to a higher level of concern, CISOs must ensure they focus on the right priorities to lead their organizations toward cyber resilience.”

Like a persistent piece of malware that your antivirus product can’t wipe out, the annual RSA Cyber Security Conference was back with a vengeance this year. But while the malware example is inherently malicious, the industry event seemed to stir goodwill and a positive message for the cybersecurity industry, starting with its theme for the year: “Stronger Together.”

Similar to many face-to-face industry events, RSA languished during the height of the pandemic, turning to an online-only presence as the Covid outbreak spread. But from April 24 to 27, San Francisco’s Moscone convention complex reignited as the center of the cyber security universe. The sponsoring organization reported that this year’s conclave — its 32nd annual event — attracted “more than 40,000 attendees, including 650+ speakers, 500+ exhibitors and 500+ members of the media.”

This year’s event featured a host of distinguished speakers, including current and former elected and appointed officials from numerous foreign and domestic government agencies, as well as highly respected academics and researchers, and representatives from dozens of commercial and non-profit security organizations.

There were also some celebrity guests on hand, including comedian and actor Eric Idle, best known as co-creator of the famed comedy troupe Monty Python, and eight-time Grammy Award-winning country western star Chris Stapleton.

Rising Cybercrime Affects Security Industry Outlook

The mood was decidedly more upbeat than at last year’s RSA conference, which returned to in-person attendance but drew just 26,000 visitors and was overshadowed by reports of layoffs among tech companies both in and around the cybersecurity field.

What a difference a year makes. Describing the 2023 event, RSA Conference Senior Vice President Linda Gray Martin said, “The excitement and enthusiasm was felt in and around the RSA Conference throughout the week.” Judging by the enthusiasm of the crowds, press and exhibitors, the hyperbole seems justified.

Driving the resurgence of attendance and interest in this quintessential security event was increased awareness of increasingly sophisticated threats, including new forms of ransomware and malware, and the nascent challenges and opportunities presented by generative AI and open source.

As always, RSA provided a convenient milestone for the release of new security products and services, as well as reports and insights focusing on the evolving threat landscape. Several reports published during the event highlighted vertical industries that are particularly at risk, including manufacturing, healthcare and finance.

AT&T Business released its 12th annual Cyber Security Insights Report at RSA, filled with findings from its survey of 1,400 security practitioners in North and South America, Europe and Asia. Respondents were limited to organizations that have implemented “edge use cases” that include the integration of new technologies such as 5G, robotics, virtual reality and/or IoT devices. Not surprisingly, it found these respondents to be under constant threat of attack.

However, with the notable exception of the US SLED (state and local government and education) market, most of those surveyed were more concerned about distributed denial of service (DDoS) attacks and business email compromise (BEC) fraud than about ransomware and other types of malware, or advanced persistent threats (APTs).

The results may indicate that security professionals in edge-intensive industries, many of which are considered part of the critical infrastructure of their respective nations, are out of touch with the magnitude of the threats they are facing, including state-sponsored attacks.

As the report’s authors conclude, “The use of cyber as a geopolitical weapon has forced government regulators and security leaders to become increasingly aware of the potentially devastating nation-state cyberattack. Yet U.S. SLED, construction management, and fleet tracking in transportation are the only use cases for which nation-state cyberattacks crack the top three in perceived likelihood.”

Another report released at the RSA event by cybersecurity vendor BlackBerry, its second quarter Global Threat Intelligence report, also showcased a number of specific industries that are drawing heavy fire from cybercriminals. These include healthcare, which encounters an average of 59 new malicious samples per day, including a growing number of new Emotet variants, according to the report.

BlackBerry also found that government entities, manufacturing and critical infrastructure were targeted by “sophisticated and sometimes state-sponsored threat actors, engaging in espionage and intellectual property operations”.

The company’s newly named CylanceIntelligence cyberthreat intelligence (CTI) subscription service, formally announced during RSA, reported that “crimeware and commodity malware are also frequently found in these critical industries.”

For a more in-depth look at BlackBerry’s findings, please watch the video interview with Ismael Valenzuela, the company’s Vice President of Threat Research, that I conducted during RSA. (Note: In addition to reporting for TechNewsWorld and other media outlets, I also serve as editorial director for BlackBerry.)

AI gets VIP treatment

Much of the discussion and subsequent coverage surrounding RSA 2023 involved the use of artificial intelligence (AI) as an increasingly powerful tool in the hands of both attackers and defenders.

While AI has been around in various forms for decades, its most notable success has been at the box office, usually playing Hollywood villains. Ever since the murderous HAL 9000 debuted in Stanley Kubrick’s 1968 screen adaptation of Sir Arthur C. Clarke’s “2001: A Space Odyssey”, AI has been largely typecast as a homicidal bogeyman in popular fiction.

IBM’s Watson has worked hard to demonstrate more benign uses and behaviors of the technology, even to the extent of appearing as a contestant on “Jeopardy” in 2011. But the most recent and rewarding commercial acceptance of AI has come at the hands of leading cyber security vendors CrowdStrike and Cylance (acquired by BlackBerry in 2018).

Today, AI is practically a checklist item for endpoint security solutions, rapidly displacing older signature-based malware detection. However, the commercialization of generative AI tools using large language models (LLMs) such as ChatGPT in the past year has brought AI into the mainstream in ways Watson only dreamed of, exposing and fast-tracking the technology’s usefulness across many fields of endeavor.

As predicted by many, one of the first malicious uses of these widely available AI tools has been to improve phishing lures. Another report released at RSA, Zscaler’s 2023 ThreatLabz Phishing Report, confirms that AI tools like ChatGPT can improve phishing hit rates, ultimately making it easier to steal credentials. But those use cases may represent only the low-hanging fruit of AI for threat actors.

The report states, “New AI techniques and the emergence of large language models such as ChatGPT have made it easier for cybercriminals to generate malicious code, conduct Business Email Compromise (BEC) attacks, and develop polymorphic malware, making it harder for victims to identify phishing.”

As Forbes contributor Will Townsend pointed out in his RSA roundup article, discussions in and around the tradeshow highlighted that AI has quickly become “a double-edged sword that will need constant sharpening” because it is being rapidly deployed by both attackers and defenders.

Despite recent high-profile tech industry layoffs, demand for cybersecurity professionals is still very high. With so many tech industry workers looking for their next job, why aren’t these displaced workers being recruited?

Better matching of candidates, rather than retraining them as cyber security techs, may hold the answer. Demand for cyber workers rose by 25% in 2022, and much commentary exists about the need to hire cyber security talent from non-traditional backgrounds, such as bartenders or school teachers.

According to data released in late January from the cyber security workforce analysis site developed by Lightcast, CompTIA and the National Initiative for Cyber Security Education at NIST, the total number of employed cyber security workers remained fairly stable in 2022 at about 1.1 million. The number of online job postings declined from 769,736 to 755,743 in the 12 months ending December 2022.

“Despite concerns about a slowing economy, the demand for cybersecurity employees remains historically high. Companies know cybercrime won’t stop for a downturn in the market, so employers don’t want to risk stopping their cybersecurity hiring,” said Will Markow, Lightcast Vice President of Applied Research – Talent.

According to Lightcast data, each of the first nine months of 2022 set records for the highest monthly cyber security demand since 2012 but cooled off in November and December. A key indicator is the ratio of currently employed cyber security employees to new openings, which indicates how significant the workforce shortage is.

The supply-demand ratio is currently 68 workers per 100 job openings, up from the ratio of 65 workers per 100 jobs in the previous period. Based on these numbers, approximately 530,000 more cybersecurity workers are needed in the US to close current supply gaps.

Some industry researchers suggest that hiring cybersecurity talent from non-traditional backgrounds, such as bartenders or schoolteachers, is an ideal out-of-the-box solution.

Unrealistic Idea Given the Technical Constraints

Other cyber professionals argue that such a solution is not in line with the reality of the industry. Mainly, the barriers to entry remain high, with many organizations still using outdated recruitment methods, such as requiring certification that is impossible to obtain without work experience.

Lenny Zeltser, CISO at cybersecurity asset management company Axonius and instructor at cybersecurity training, certification and research firm SANS Institute, also finds it surprising that no one is talking about what happens once you land a cyber position in the first place: how difficult it is to move up the hierarchy.

There is little or no guidance on how to go from cyber practitioner to chief information security officer, or CISO. Many organizations lack standards and structure regarding how to pay cyber practitioners, and many employees know the only way to advance is to move to other companies, he argued.

People are simply starting the conversation in the wrong place, Zeltser offered. Companies must first address the “cyber security career gap” before they can begin closing the cyber industry skills gap.

He said that learning computer security skills is not the primary issue. Many avenues exist for those motivated to acquire the necessary skills. The problem is the expectation of what skills are needed.

“I believe there are a lot of opportunities out there for people to acquire security skills. So it leads me to consider that maybe there is more to it,” Zeltser told TechNewsWorld.

“Maybe we have unrealistic expectations for what we’re looking for.”

Forget Ideal Candidates

Perhaps the typical unicorn situation where companies want one security professional who can do everything is the culprit, he said. It is such a specialized field that includes many specialized subsets, and it is difficult to be an expert on everything within cyber security.

“We’re not open enough to let people with unusual non-technical backgrounds enter the field,” Zeltser said.

He offered an example from his previous roles within the industry. With slight variations, hiring managers want their recruits to do X, Y, and Z. Not seeing those abilities on a resume puts job applicants in the skills gap category.

What is the solution? Take cyber applicants with a few skills and train them for the rest.

Zeltser recalled an employer looking for security specialists to provide customer support. The company needed entry-level security personnel, but they were not available.

The company recruited tech-savvy bartenders who were interested in computers and could set up their own Wi-Fi. But they had only done this at home, he explained.

“We found that we were able to train them in the right security skills in the office. But we didn’t need to train them in, and it’s very hard to teach, how to multitask, how to think on their feet and how to interact with humans,” Zeltser said. It turns out bartenders are really good at that.

Need a Positive End Result

Zeltser found many situations where he could have been more open, and it became a necessity. “Being more open means changing your mindset to accept people from non-technical, non-traditional backgrounds,” he offered.

“I wish we could stop telling people in the industry that if they enter the field as a security professional, they should work at the pinnacle of a career in cyber security, which is the CISO role. The thing is, there aren’t enough of these roles,” he said.

According to Zeltser, the industry does not require as many security officers as other types of security professionals, resulting in people being set up for failure.

“We’re asking them to work in that direction, and that’s how we define success. But instead, we can talk about other ways in which people can be successful, because not everyone has to be an executive, not everyone should be a manager,” he said.

Skills Gap Meets Security Gap

Even with a shortage of trained cyber security personnel, many organizations are on the right track in securing and mitigating cyber risks to their business. The challenge, according to Joseph Carson, chief security scientist and advisory CISO at Delinea, is that large security gaps still exist for attackers to abuse.

“The security gap is widening not only between business and attackers, but also between IT leaders and business executives,” he told TechNewsWorld.

Carson acknowledged that some industries are showing improvement. But the issue still exists.

“Unless we solve the challenge of communicating the importance of cybersecurity to executive boards and the business, IT leaders will continue to struggle to obtain the resources and budget needed to close security gaps,” he warned.

Need a Better Career Path

Organizations need to continue expanding their recruiting pools, account for bias that may currently exist in cyber recruiting, and provide in-depth training through apprenticeships, internships, and on-the-job training. That is how to build the next generation of cyber talent, suggested Dave Gerry, CEO of crowdsourced cybersecurity platform Bugcrowd.

“By creating opportunities for career development and rallying behind our mission to help protect our customers, their customers and the wider digital community from cyberattacks, employees feel they have a greater opportunity to improve themselves and the wider community,” he told TechNewsWorld.

Gerry said that over the years, we have been led to believe that there is a significant gap between the number of open jobs and the candidates qualified to fill those jobs. While this is partially true, it does not provide an accurate view of the current state of the market.

“Employers need to take a more proactive approach to recruiting from non-traditional backgrounds, which, in turn, broadens the candidate pool from those with only formal degrees to individuals who have incredibly high potential with the right training,” he said.

Maybe a Better Option

The recently released National Cyber Security Strategy will create more demand than the industry can meet. This could slow processes down massively, predicted Guillaume Ross, deputy CISO at cyber asset management firm JupiterOne.

It will be necessary to prioritize and reduce the attack surface as much as possible. Also, security measures should ensure that developers, IT, and even business/process management people integrate security into their daily work routines.

“Improving the security skills of a million developers and IT workers will have a much better impact than training a million new ‘security people’ from scratch,” Ross told TechNewsWorld.

Large-Scale Universal Solution

The skills and cyber security shortage is not just a problem for US industry. Ravi Pattabhi, vice president of cloud security at ColorTokens, an autonomous zero-trust cyber security solutions firm, said there is a severe shortage of skilled cyber security experts across the globe.

Some universities have started teaching students some basic cyber security skills, such as vulnerability management and system security hardening. Meanwhile, cyber security is undergoing a transformation.

“The industry is increasingly incorporating cyber security into the design phase and building it into product development, code integration and deployment. This means that software developers also need basic cyber security skills, including the use of the MITRE ATT&CK framework and using pen test tools,” Pattabhi told TechNewsWorld.

Microsoft announced last week that, as it did with .NET years ago, it will be putting generative AI into everything, including security.

Back in the .NET days, I joked that Microsoft was so over the top with .Net that the bathrooms were renamed Men.net and Women.net. Many of those efforts didn’t make sense. However, given that generative AI affects most functions at Microsoft (except the bathroom), it makes more sense for the company to do so now.

Let’s take a look at how generative AI will impact security. Then we’ll end with our product of the week: the BAC Mono custom-built, street-legal track car.

Biggest Security Exposure… You Are

We often get overly excited about all the technology we have at our disposal to reduce breaches. But after layer upon layer of security software to identify and fix breaches, one constant is that the most common cause of a breach is a person. Ransomware attacks, identity theft, data theft, and many additional problems mostly track back to someone who was tricked into providing information that could be used to cause harm.

The industry talks about regular employee training, safety drills and audits, and excessive penalties, all of which have had minimal impact on the problem because companies do not practice any of these consistently and effectively. I include security companies, especially their executives, in that group who often think the rules they helped create don’t apply to them.

Back when I was doing a security audit (at a company not known for security) on a CEO who often bragged that he knew more about security than anyone else in my division, I got to his most sensitive information, which was in a locked vault, in 10 minutes. Not by using some super-secret James Bond hacking technique, but by looking in his secretary’s unlocked drawer where all the keys were stored.

Human error is the most important and prevalent cause of some of our most painful security problems, and it’s been that way for decades.

HP PC Security Solutions

I’m writing this at HP’s Amplify partner event, where HP just kicked off its security solution. HP’s Wolf Security is arguably the best PC security solution on the market.

HP highlighted that the security business generates $8 trillion in revenue, which is a fraction of the money it protects. Yet all this technology is useless if you can’t stop an employee from doing something stupid.

The HP tech includes VMs, BIOS security and some of the most impressive security solutions I’ve seen, but it only addresses someone who accidentally drops or loses a PC. It does not deal with an employee who voluntarily or accidentally breaches security.

One exception is HP Sure Click, which helps prevent the user from clicking on a link they shouldn’t. Sure Click isolates risky tasks in a virtualized environment so that any damage is contained in a separate VM and cannot escape to harm the host. This effort goes a long way. However, while HP does the most, it’s still not enough.

Examples of Why We Need AI Security

One of the biggest problems I’ve ever covered was a CIO who got fired via email. He was so enraged that he used his credentials to effectively wipe all of his ex-company’s hard drives, putting it out of business. Yes, he was prosecuted and went to jail, but that didn’t help the company he shut down.

In another large-scale breach, an attacker with unfettered access to a company’s HR system used stolen credentials and crafted a global email that went out to every non-management employee telling them that the firm had been sold and that they were about to be paid off. To receive the check, employees were required to provide their banking information.

Almost every employee gave their information before anyone even thought to ask a manager about it. By the time the scheme was uncovered, the attacker’s servers were offline, and the thieves had moved on.

These examples show successful exploits that would have bypassed HP’s Wolf Security. One because it was a physical breach with no laptop involved, and the other was caused by a phishing attack that resulted in access to and compromise of an HR system that Wolf Security would not protect.

I’m not picking on HP here, because neither HP nor any other tech company can yet effectively solve an employee-sourced problem. But that “yet” is where AI potentially comes in.

AI to the Rescue: BlackBerry to Microsoft

Microsoft’s Security Copilot is initially focused on providing security professionals with information on current and potential breaches in real time so that they can be rapidly mitigated. This should help address the ongoing problem of understaffed and under-resourced security teams. This is the initial focus of most of these generative AI efforts: to increase productivity and reduce workforce burden.

However, the real promise of generative AI is that it can learn from employee behavior and reduce the risk by acting on what it learns. One company that has moved aggressively against this employee risk with older AI technology is BlackBerry’s Cylance unit.

BlackBerry’s technology monitors employees and will move to block anyone behaving abnormally, such as a service professional who suddenly starts downloading the firm’s employee or product development files — a sign that an attacker may be using that person’s credentials.

Generative AI can go much further and potentially faster. Using massive models, generative AI can predict future behavior, identifying employees who routinely violate company policies (indicating that they are more likely to act inappropriately), and can recommend remedies ranging from recurring automated training to dismissal for those employees most likely to be the cause of violations, eliminating potential problems before an incident occurs.

Now, before you fret about the “dismissal” part, realize that if these employees cause a breach, the consequences may include not only termination but also financial liability for the employee, or even jail time, depending on the nature and size of the breach. Therefore, even for the dismissed employee, this remedy is better than what would otherwise have been the case.

Wrapping Up: Generative AI and the Future of Security

AI is being brought to security, starting with BlackBerry and ending with Microsoft’s most recent effort. The result is the potentially ultimate elimination of our most important security risk: people. As generative AI and other future forms of AI advance in security, we will finally have the opportunity to mitigate the one security problem that keeps biting us in the butt: ourselves.

As with other technologies, I expect IT to be slow to adopt these tools and that avoidable breaches will forever change our career paths and financial security.

AI will not only help keep our companies safe, but those we love, including ourselves. Note that the individuals who most need this protection are our aging population, who bad actors often trick into giving up their retirement funds because of such breaches.

The only question is whether AI defenses will be deployed before this same technology can be used against us. AI is neither good nor bad; it is a tool. Sadly, in cyber security, new technologies are more often used against us than for us.

Tech Product of the Week

BAC Mono custom-built, street-legal track car

Since we’re talking about AI this week: two weeks ago, Nvidia held its GTC conference, where I looked at Nvidia’s idea of a car that would be built virtually first and then custom-made for your specific needs and tastes.

The BAC Mono is an early example of where the rest of the car market could go. Using advanced workstation tools from HP, BAC has built the kind of process Nvidia was talking about.

I sold my track car a few years back, and I miss it. But generally, a track car is some old sports car or hot hatch that you drive on a track. These cars are designed for day-to-day driving and are not ideal for the track – and dedicated track cars require you to trailer them.

Dedicated track cars that are also road-legal are rare and very expensive, and customization is limited. Using metaverse and VR technologies, that last limitation can be removed. Not only can the car be more customized, but it can be built more quickly, tested virtually, and better able to meet the changing rules for driving on public roads.

With a price tag of $151,000, the BAC Mono is not for the faint of heart, but it will outperform supercars on the track that cost a lot more. It’s designed to help you hit your corners efficiently, and it can draw the same crowds a supercar does for a fraction of the price.

BAC Mono | Image credit: Briggs Automotive Company

This might not impress your date, since it has only one seat, but with most supercars, once she tries to get into the car she’ll quickly stop being impressed anyway, and not in a way that makes for a photo opportunity.

Plus, since it’s a track car, you’ll be less motivated to do the stupid things that often define supercar drivers (there are thousands of videos of supercar drivers doing expensive, stupid things on YouTube).

The BAC Mono is not only the harbinger of how we’ll buy cars in the future, but I also lust for one, so it’s my product of the week.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of ECT News Network.

Is it worth exposing your personal data in exchange for the convenience of using pet apps on your smartphone?

Pet apps leaking your sensitive information has probably not been something you worried about. It may be now, thanks to two recent studies presented at the 2022 IEEE European Symposium on Security and Privacy Workshops.

On 28 February, computer scientists from Newcastle University and Royal Holloway, University of London exposed a number of security and privacy issues. Researchers from both universities evaluated popular Android apps for pets and other companion animals, as well as farm animals. They found that the 40 apps evaluated were leaking users’ information.

Dubbed pet tech, the pet industry’s use of technology aims to improve the health, well-being and overall quality of life of pets. Obviously, developers also use it as a source of data acquisition, which puts users’ security at risk.

Pet tech is expanding and includes a wide range of products including GPS trackers, automatic feeders and pet cameras, according to a written statement from Newcastle University. Other examples of pet technology include wearable devices that monitor pets’ activity levels, heart rates, and sleep patterns.

Some of these pet apps control smart feeding systems that dispense food at a set time or in response to the animal’s behavior. These apps and platforms also allow owners to track and manage their pet’s health records and connect with veterinary professionals.

According to Ashish Patel, general manager/EMEA at mobile security solutions firm Zimperium, the leaky apps problem is widespread, going far beyond just pet apps.

The problem is evident across all markets, countries and applications. This includes sharing unencrypted information in clear text and sharing data on open cloud-based servers.

“It’s a problem that’s coming to the forefront now, but we see more organizations implementing security from development, with scanning techniques in app development to create more secure apps and to ensure app keys are encrypted. It is equally important that the app is running on a secure [non-breached] device, with device run-time protection,” Patel told TechNewsWorld.

What Researchers Discovered About Pet Apps

The researchers did not disclose the names of the pet apps analyzed. Nor did they specify what type of content was leaked from specific apps.

However, they verified that the apps sent developers sensitive user information, including email addresses, location data and pet details, without encryption or user consent.

Many of these apps put users at risk by exposing their login or location details.

According to the Newcastle University statement, three of the applications had users’ login details visible in plain text within non-secure HTTP traffic, meaning anyone who could inspect a user’s internet traffic could obtain their login information.

Furthermore, two of the apps also exposed user details, such as their location. This could allow someone to gain access to their devices and expose them to a cyberattack.

Tracking software embedded in four of the apps raised another concern: the trackers could collect data about how the app or smartphone was used.

The analysis revealed that 21 apps track users without their consent, violating current data protection rules.

Researchers’ Privacy and Security Warnings

Scott Harper, a Ph.D. student at Newcastle University’s School of Computing and lead author of the study, said pet tech products such as smart collars and GPS trackers are a fast-growing industry. This brings with it new security, privacy and safety risks for pet owners.

“While owners may use these apps for peace of mind about their dog’s health or where their cat is, they may not be happy to learn about the risks these apps pose to their cyber security,” he said in the university statement.

Harper urged users to make sure they set up unique passwords, check settings and consider how much data they want to share.

Dr. Maryam Mehrnezhad, co-author of the report from the Department of Information Security at Royal Holloway, University of London, said that using modern technologies to improve many aspects of our lives often involves cheap technologies that come at the cost of users’ privacy, security and safety.

“Animal technologies can pose complex risks and harms that are not easy to identify and trace. In this interdisciplinary project, we are working on solutions to reduce such risks and enable animal owners to use such technologies without risk or fear.”

Second Study Shows User Complacency

The research team conducted a second study, which surveyed 600 participants from the UK, US and Germany. Participants were asked about the technologies they used, incidents they had experienced, and the methods they used to protect their online security and privacy in general and with pet apps in particular. The researchers published the survey findings in the Proceedings of the 12th International Conference on the Internet of Things. Their results revealed that participants believed a variety of attacks were likely to target their pet technology.

Despite this concern, respondents said they take some precautions to protect themselves and their pets from the potential risks and harms of these technologies. The university statement did not disclose the numerical results.

Co-author Dr Matt Leach, Director of the Center for Comparative Biology, Newcastle University, said: “We would urge those developing these technologies to enhance the security of these tools and applications to reduce the risk of their users’ personal information or location being shared.”

Cyber Security Insider Responses

According to Casey Ellis, founder and CTO of crowdsourced cybersecurity firm Bugcrowd, application developers, especially for apps that are not “security first” in their nature, often prioritize features and usability over security to differentiate in the market. Speed is the natural enemy of security, so these kinds of issues are often seen in fast-to-market areas like mobile applications.

“In the end, [vulnerabilities vary and] come down to risk to the individual user. For example, to some people, a breach of privacy may not seem like such a big deal. For others, it could create an immediate personal safety issue,” Ellis told TechNewsWorld.

Regardless, app developers must ensure that security and privacy controls are behaving as users expect, which is clearly not a consistent theme here, he said.

App users should realize that if they are not paying for an app or service, they are the product, warned Zane Bond, head of product at cybersecurity software firm Keeper Security. Your data and usage are how the company makes money.

“Be aware and understand that most services are not free. You just have no idea of the cost. Even with many paid services, your data is still for sale,” Bond told TechNewsWorld.

Most contractors hired by the Department of Defense over the past five years failed to meet required minimum cyber security standards, posing a significant risk to US national security.

Managed services vendor CyberSheath released a report on November 30 showing that 87% of the Pentagon supply chain fails to meet basic cybersecurity minimums. Those security gaps are exposing major defense contractors and their subcontractors to massive cyberattacks, putting US national security at risk.

Those risks have been well known for some time, without efforts to fix them. According to CyberSheath, this independent study of the Defense Industrial Base (DIB) is the first to show that federal contractors are not properly protecting military secrets.

The DIB is a complex supply chain of 300,000 prime contractors and subcontractors. The government allows these approved companies to share sensitive files and communicate securely to get their jobs done.

To keep those secrets safe, defense contractors will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance. Meanwhile, the report warns that nation-state hackers are actively and specifically targeting these contractors with sophisticated cyberattack campaigns.

“Awarding contracts to federal contractors without first validating their cybersecurity controls is a complete failure,” Eric Noonan, CEO of CyberSheath, told TechNewsWorld.

Defense contractors have been mandated to meet cyber security compliance requirements for more than five years. Those terms are embedded in more than a million contracts, he said.

Alarming Details

The Merrill Research Report 2022, commissioned by CyberSheath, revealed that 87% of federal contractors have a sub-70 Supplier Performance Risk System (SPRS) score. The metric shows how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

DFARS has been in law since 2017 and requires a score of 110 for full compliance. Critics of the system considered the 70 to be “good enough”. Yet, the overwhelming majority of contractors still come up short.

“The report’s findings show a clear and present threat to our national security,” Noonan said. “We often hear about the threat of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how poorly prepared contractors are despite being in the crosshairs of threat actors.”

“Our military secrets are not secure, and there is an urgent need to improve the cyber security posture for this group, which often does not meet even the most basic cyber security requirements,” Noonan warned.

More Report Findings

Survey data came from 300 US-based DoD contractors, with accuracy tested at the 95% confidence level. The study was completed in July and August 2022, with CMMC 2.0 on the horizon.

Roughly 80% of DIB contractors did not monitor their computer systems around the clock and lacked US-based security monitoring services. Other deficiencies were evident in the following categories, which would be required to achieve CMMC compliance:

  • 80% lack a vulnerability management solution
  • 79% lack a comprehensive multi-factor authentication (MFA) system
  • 73% lack an endpoint detection and response (EDR) solution
  • 70% have not deployed Security Information and Event Management (SIEM)

These security controls are legally required of the DIB, and since they are not met, there is a significant risk to the DoD and its ability to conduct armed defense. In addition to widespread non-compliance, 82% of contractors find it “moderately to extremely difficult to understand government regulations on cyber security”.

Confusion prevails among contractors

According to the report, some of the DIB’s defense contractors that have focused on cybersecurity have been halted by roadblocks.

When asked to rate DFARS reporting challenges on a scale of one to 10 (with 10 being extremely challenging), about 60% of all respondents rated “understanding requirements” a seven out of 10 or higher. Routine documentation and reporting were also at the top of the list of challenges.

The primary barriers listed include challenges in understanding the steps required to achieve compliance, difficulty in implementing sustainable CMMC policies and procedures, and the overall cost involved.

Unfortunately, these results are in line with what CyberSheath expected, Noonan acknowledged. He said the research confirmed that even fundamental cybersecurity measures such as multi-factor authentication were largely ignored.

Noonan said, “This research, combined with the False Claims Act case against defense giant Aerojet Rocketdyne, shows that defense contractors both large and small are not meeting contractual obligations for cyber security and that there is systemic risk in the DoD’s supply chain.”

No Big Surprise

Noonan believes the Defense Department has known for a long time that the defense industry is not addressing cybersecurity. News reports of never-ending nation-state breaches of defense contractors, including large-scale incidents like SolarWinds and the False Claims Act cases, prove that point.

“I also believe that the DoD has run out of patience after giving contractors years to fix the problem. Only now is the DoD going to make cyber security a pillar of contract acquisition,” Noonan said.

He noted that the planned new DoD doctrine would be “no cyber security, no contract”.

Noonan acknowledged that there is merit to some of the complaints raised by contractors about difficulties in understanding and meeting cyber requirements.

“It is a fair point as some of the messaging from the government has been inconsistent. In fact, however, the requirements have not changed since 2017,” he offered.

What Will Happen Next

Perhaps the DoD will adopt a stricter policy with contractors. If contractors had complied with the requirements in place since 2017, the entire supply chain would be in much better shape today. Despite some communication challenges, the DoD has been incredibly consistent on what is required of defense contractor cybersecurity, Noonan said.

The current research now sits on top of a mountain of evidence that proves federal contractors have a lot of work to do in improving cyber security. It is clear that without enforcement from the federal government the work will not get done.

“Trust without verification failed, and now DoD is moving to enforce verification,” he said.

DoD response still pending

TechNewsWorld submitted written questions to the DoD about the supply chain criticism in the CyberSheath report. A spokesperson for Cyber/IT/DoD CIO at the Department of Defense responded that it would take a few days to investigate the issues. We’ll update this story with any response we get.

The sentencing of former Uber chief security officer Joseph Sullivan could lead to a quiet re-evaluation of how the chief information security officer (CISO) and the security community handle network breaches going forward.

A San Francisco federal jury convicted Sullivan on October 5 for failing to tell US officials about the 2016 hack of Uber’s database. Judge William H. Orrick did not set a date for sentencing.

Sullivan’s lawyer, David Angeli, said after the verdict was announced that his client’s sole focus was to ensure the security of people’s personal digital data.

Federal prosecutors noted that the case should serve as a warning to companies about how to comply with federal regulations when handling their network breaches.

Officials accused Sullivan of working to hide the data breach from US regulators and the Federal Trade Commission, and of linking his actions to an effort to prevent the hackers from being caught.

At the time, the FTC was already investigating Uber over a 2014 hack. Two years later, hackers who had broken into Uber’s network repeatedly emailed Sullivan about the theft of large amounts of data. According to the US Justice Department, they promised to delete the data if Uber paid a ransom.

The conviction is a significant precedent that has already sent shock waves through the CISO community. It highlights the personal liability involved in being a CISO in an evolving legal and threat environment, noted Casey Ellis, founder and CTO of Bugcrowd, a crowdsourced cybersecurity platform.

“This calls for clear policy at the federal level around privacy protection and treatment of user data in the United States, and it emphasizes the fact that a proactive rather than reactive approach to handling vulnerability information is an important component of resilience for organizations, their security teams and their shareholders,” he told TechNewsWorld.

Problem Description

There is a growing tendency for companies afflicted with ransomware to interact with hackers. But the trial discourse showed prosecutors reminding the companies to “do the right thing,” according to media accounts.

According to published trial accounts, Sullivan’s staff confirmed widespread data theft. The stolen data included records of 57 million Uber users and 600,000 driver’s license numbers.

The DOJ reported that Sullivan arranged to pay the hackers US$100,000 in bitcoin. That arrangement included the hackers signing a non-disclosure agreement to keep the hack from public knowledge. Uber reportedly disguised the payment as a bug bounty.

Only the jury had access to the evidence in the case, so it’s counterproductive to speculate on specific details of the case, said Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, a provider of digital risk management solutions.

“There are some general conclusions to draw. I am concerned by the unintended consequences of this case,” Holland told TechNewsWorld. “CISOs already have a daunting task, and the outcome of the case has made the CISO a scapegoat.”

Important Unanswered Questions

Holland’s concerns include how the results of this trial could affect the number of leaders willing to take on the potential personal liability of the CISO role. He is also concerned about the prospect of more whistleblower cases, such as the escalating one involving Twitter.

He expects more CISOs to negotiate directors and officers insurance into their employment contracts. That type of policy provides personal liability coverage for decisions and actions a CISO may take, he explained.

“Furthermore, given the way both the CEO and CFO became accountable for financial wrongdoing on the heels of Sarbanes-Oxley and the Enron scandal, the CISO should not be the only culpable role in the case of wrongdoing around intrusions and breaches,” he suggested.

The Sarbanes-Oxley Act of 2002 is a federal law that established comprehensive auditing and financial regulations for public companies. The Enron scandal, a series of events involving questionable accounting practices, resulted in the bankruptcy of energy, goods and services company Enron Corporation and the dissolution of accounting firm Arthur Andersen.

“CISOs should effectively communicate risks to the company’s leadership team, but should not be solely responsible for cybersecurity risks,” he said.

Ironic Twist

Sullivan’s conviction is a kind of ironic role reversal. Earlier in his legal career, he prosecuted cybercrime cases for the United States Attorney’s Office in San Francisco.

The DOJ’s case against Sullivan hinged on obstruction of justice and acting to conceal a felony from authorities. The resulting conviction can have a long-term impact on how organizations and individual executives approach cyber incident response, particularly where it involves extortion.

Prosecutors argued that Sullivan actively concealed the massive data breach. The jury unanimously agreed with the allegation beyond a reasonable doubt.

The jury found that, instead of reporting the breach, Sullivan, with the knowledge and approval of Uber’s then CEO, paid the hackers and had them sign a non-disclosure agreement falsely stating that they had not stolen data from Uber.

A new chief executive who later joined the company reported the incident to the FTC. Current and former Uber executives, lawyers and others testified for the government.

Edward McAndrew, an attorney at BakerHostetler and former DOJ cybercrime prosecutor and national security cyber expert, told TechNewsWorld that “Sullivan’s prosecution and now conviction is unprecedented, but it needs to be understood in its proper factual and legal context.”

He said that the government has recently adopted a very aggressive policy towards cyber security. This affects white-collar compliance, where organizations and officials are increasingly cast in the simultaneous and separate roles of crime victim and enforcement target.

“Organizations need to understand how the actions of individual employees can expose them and others to the criminal justice process. And information security professionals need to understand how to avoid becoming personally liable for the actions they take in response to criminal cyberattacks,” warned McAndrew.

A new phishing-as-a-service offering on the dark web poses a threat to online accounts protected by multi-factor authentication, according to a blog posted Monday by an endpoint security company.

Called EvilProxy, the service allows threat actors to launch phishing campaigns with the ability to largely bypass MFA without the need to hack upstream services, the Resecurity researchers noted in the blog.

The service uses methods favored by APT and cyber-espionage groups to compromise accounts protected by MFA. According to the researchers, such attacks have been observed against Google and Microsoft customers whose accounts have MFA enabled via SMS text messages or application tokens.

Phishing links produced by EvilProxy lead to cloned web pages crafted to compromise accounts associated with multiple services, including Apple iCloud, Facebook, GoDaddy, GitHub, Dropbox, Instagram, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex.

Threat actors using EvilProxy are targeting software developers and IT engineers to gain access to their repositories, with the ultimate goal of hacking “downstream” targets, the researchers wrote.

They explained that these tactics allow cybercriminals to capitalize on end users who believe they are downloading software packages from secure resources and do not expect them to be compromised.

Faster, Faster, Better

“This incident poses a threat to software supply chains because it targets developers by giving the service’s cybercriminal customers the ability to launch campaigns against GitHub, PyPI and NPM,” said Aviad Gershon, security research team leader at Checkmarx, an application security company in Tel Aviv, Israel.

“Just two weeks ago,” he told TechNewsWorld, “we saw the first phishing attack against PyPI contributors, and now we see the service take it a few steps further by making these attacks accessible to less technical operators and adding the capability to bypass MFA.”

Checkmarx’s head of supply chain security Tzachi Zorenstein said the nature of supply chain attacks increases the reach and impact of cyber attacks.

“Abusing the open-source ecosystem represents an easy way for attackers to increase the effectiveness of their attacks,” he told TechNewsWorld. “We believe this is the beginning of a trend that will increase in the coming months.”

A phishing-as-a-service platform can also increase attacker effectiveness. “Since PhaaS can operate at scale, it enables adversaries to be more efficient at stealing and defrauding identities,” said Resecurity CEO Jean Yu.

“Old-fashioned phishing campaigns require money and resources, which can be overwhelming for one person,” he told TechNewsWorld. “PhaaS is just faster, faster, better.”

“It’s something that’s very unique,” he said. “It’s very rare to produce a phishing service on this scale.”

Well Packaged

Many illegal services, hacking and malicious intent have been productized as solutions, explained Alon Nachmany, field CISO at AppViewX, a certificate lifecycle management and network automation company in New York City.

“By using a PhaaS solution, malicious actors have less overhead and need less to spring an attack,” he told TechNewsWorld.

“Quite honestly,” he continued, “I’m surprised it took so long to become a thing. There are so many marketplaces where you can buy ransomware software and link it to your wallet. Once deployed, you can collect the ransom. The only difference here is that it is completely hosted for the attacker.”

While phishing is often considered a low-effort activity in the hacking world, it still requires some work, said Monia Deng, director of product marketing at Bolster, a provider of automated digital risk protection in Los Altos, Calif. Attackers need to do things like stand up a phishing site, create emails, automate the management and, nowadays, steal 2FA credentials on top of primary credentials, she explained.

“With PhaaS,” she continued, “everything is neatly packaged on a subscription basis for criminals who do not require any hacking or even social engineering experience. It opens the field to many more threat actors who want to exploit organizations for their own gain.”

Bad Actors, Great Software

Security researchers explained that payment for EvilProxy is conducted manually through an operator on Telegram. Once the subscription funds are received, they will be credited to the account in the customer portal hosted on TOR. The kit is available for $400 per month.

EvilProxy’s portal has many tutorials and interactive videos on using the service and configuration tips. “To be clear,” the researchers wrote, “the bad actors did a great job in terms of service usability, and configuration of new campaigns, traffic flow, and data collection.”

“This attack just shows the maturity of the bad actor community,” said George Gerchow, CSO and senior vice president of IT at Sumo Logic, an analytics company focused on security, operations and business information in Redwood City, Calif.

“They are packing these kits nicely with detailed documentation and videos to make it easier,” he told TechNewsWorld.

The service uses a “reverse proxy” principle, the researchers noted. It works like this: Bad actors lead victims to a phishing page, use a reverse proxy to get all the legitimate content the user expects to see, and sniff their traffic through the proxy.

“This attack highlights how low the barrier of entry is for unsophisticated actors,” said Heather Iannucci, a CTI analyst at Tanium, creator of an endpoint management and security platform in Kirkland, Wash.

“With EvilProxy, a proxy server sits between the legitimate platform’s server and the phishing page, which steals the victim’s session cookie,” she told TechNewsWorld. “This can then be used by the threat actor to login to a legitimate site as a user without an MFA.”

“Defending against EvilProxy is a challenge because it combines cheating a victim and MFA bypass,” Yu said. “The real compromise is invisible to the victim. Everything sounds good, but it’s not.”
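The session-cookie theft described above does leave a server-side footprint: a session that completed login from one client is then used from another. The following is an added example for this article, not code from Resecurity or any vendor quoted here; it runs that check over a constructed application log, and the JSON field names, addresses and timestamps are all assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: one JSON record per request, as an application might
# emit it. Session s1 completes an SMS-OTP login from one client and is then
# used from a second client two minutes later; s2 is a normal session; s3 keeps
# the same browser but its IP changes (typical of mobile roaming, noisy signal).
SAMPLE_LOG = """
{"ts":"2022-09-05T09:00:00Z","event":"login","sid":"s1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/105","mfa":"sms"}
{"ts":"2022-09-05T09:00:04Z","event":"request","sid":"s1","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/105","path":"/mail"}
{"ts":"2022-09-05T09:02:11Z","event":"request","sid":"s1","ip":"198.51.100.7","ua":"Mozilla/5.0 (X11; Linux x86_64) Firefox/104","path":"/settings/recovery"}
{"ts":"2022-09-05T09:05:00Z","event":"login","sid":"s2","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/605","mfa":"app"}
{"ts":"2022-09-05T09:06:00Z","event":"request","sid":"s2","ip":"192.0.2.44","ua":"Mozilla/5.0 (Macintosh) Safari/605","path":"/mail"}
{"ts":"2022-09-05T09:10:00Z","event":"login","sid":"s3","ip":"198.51.100.20","ua":"Mozilla/5.0 (Linux; Android 12) Chrome/105","mfa":"sms"}
{"ts":"2022-09-05T09:40:00Z","event":"request","sid":"s3","ip":"198.51.100.21","ua":"Mozilla/5.0 (Linux; Android 12) Chrome/105","path":"/mail"}
"""


@dataclass(frozen=True)
class Alert:
    """One use of a session from a client other than the one that logged in."""
    sid: str
    severity: str            # "high": browser UA changed; "medium": only the IP changed
    mfa: str                 # factor used at login; SMS/app codes pass through a proxy
    login_ip: str
    seen_ip: str
    seconds_after_login: int
    path: str


def parse_log(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect_session_replay(records, window_seconds=3600):
    """Flag requests that present a session cookie from a different client than
    the one that established it, within `window_seconds` of the login.

    A changed User-Agent mid-session is rare for real users and rates "high";
    an IP change alone is common (mobile networks, VPNs) and rates "medium".
    This is after-the-fact detection only: origin-bound, phishing-resistant
    authenticators (FIDO2/WebAuthn) remove the root cause, replayable codes do not.
    """
    origin = {}   # sid -> login record that created the session
    alerts = []
    for rec in records:
        sid = rec["sid"]
        if rec["event"] == "login":
            origin[sid] = rec
            continue
        login = origin.get(sid)
        if login is None:
            continue  # session predates the log window; nothing to compare against
        age = int((rec["ts"] - login["ts"]).total_seconds())
        if age > window_seconds:
            continue
        ip_changed = rec["ip"] != login["ip"]
        ua_changed = rec["ua"] != login["ua"]
        if not (ip_changed or ua_changed):
            continue
        severity = "high" if ua_changed else "medium"
        alerts.append(Alert(sid, severity, login.get("mfa", "unknown"),
                            login["ip"], rec["ip"], age, rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, s1 is reported as a high-severity replay 131 seconds after an SMS-protected login, while s3 surfaces only as a medium-severity IP change that an analyst would triage against roaming behaviour.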

Still Effective

Nachmany warned that users should be concerned about the effectiveness of MFA methods that use text messaging or application tokens. “PhaaS is designed to use them, and this is a trend that will grow in our market,” he said.

“The use of certificates as an additional factor is what I expect to see increase soon,” he said.

While users should be careful when using an MFA, it is still an effective mitigation against phishing, said Patrick Harr, CEO of SlashNext, a network security company in Pleasanton, Calif.

“It increases the difficulty of leveraging compromised credentials to breach an organization, but it is not foolproof,” he said. “If a link leads the user to a counterfeit replica of a legitimate site, which is nearly impossible to identify as not legitimate, the user may be the victim of an adversary-in-the-middle attack, such as the one used by EvilProxy.”

The next generation of the Web – Web 3 – has been touted as more secure than the current incarnation of cyberspace, but a report released Tuesday warned that may not be the case.

According to a report by Forrester, a national technology research company, Web3 can be difficult to break into at the infrastructure level, but there are other points of attack that could provide threat actors with more opportunities for mischief than the legacy Web offers.

Web3 applications, including NFTs, are not only vulnerable to attack; Forrester explained that they often present a wider attack surface than traditional applications because of the distributed nature of blockchains.

Furthermore, it said, Web3 apps are desirable targets as tokens can be worth substantial amounts of money.

The openness of Web3, which is considered one of its main advantages, can also be a disadvantage. Martha Bennett, vice president and principal analyst at Forrester and a co-author of the report, said, “The code that runs on a public blockchain is easily accessible by anyone with the necessary technical skills, from anywhere in the world; there is no need to get past corporate security to achieve this.”

“Source code is generally readily available, because the focus is not on running closed source ‘smart contracts’. The Web3 ethos is, after all, ‘open code,'” she told TechNewsWorld.

Unwanted Complication

David Ricard, CTO of North America at Cipher, a division of Prosegur, a multinational security company, explained that Web3 is based on distributed control of data and identity by its users.

“This broadens the attack surface for individuals who may be unwilling or simply unable to handle the management of their own data and identities, bringing technical complexity to an area that is supposed to be ‘easy’ above anything else,” he told TechNewsWorld.

“Scrolling through personal, text messaging, email, social media and shopping apps is a real challenge for them,” he said.

He said the idea of making Web3 code transparent and publicly available is unlikely to gain real traction. “There is a lot of money at stake between capital investors and users of blockchain financial systems and NFTs,” he said.

He further added that making the code transparent and public can also broaden the attack surface in a clear way. “Safe coding practices that predict how someone might abuse a system for nefarious gains are generally not practiced,” he explained. “It is not easy to predict how people might use the system for purposes other than those intended.”

“Most of the financial losses associated with blockchain and NFTs do not exploit immutable objects themselves, but rather manipulate them by exploiting applications that can affect them,” he said.

Furthermore, while legacy systems may be outdated, they may also be robust. “What’s new is also the most vulnerable,” said Matt Chiodi, chief trust officer at Cerby, creator of a platform to manage Shadow IT in San Francisco.

“While time is not always a friend of security, it allows an application to become battle-tested,” he told TechNewsWorld. “Web3 is no different. It’s new and not much tested. Legacy applications have a time advantage. Web3 doesn’t.”

NFTs becoming a popular target

Even when the code is visible and accessible, the report said, attackers will find weak points. It makes clear that while attacks on smart contracts and cryptocurrency wallets remain a feature of the Wild West of decentralized finance, NFT projects have increasingly become a favorite target.

“Why go for more difficult hacks if there are easier ways to get what you want?” asked Bennett. “Like any other venue where value is traded, [NFT] markets and communication tools attract people who want to steal or otherwise break the rules.”

“For anything to do with Web3, speed is of the essence, and many of the people involved do not have the necessary expertise to assess a potential security issue,” she said. “Sometimes, startups don’t even advertise for a security chief until something bad happens.”

One of the biggest breaches of an NFT marketplace occurred in June at OpenSea, which exposed nearly 1.8 million email addresses. “There was an insider threat involved in that particular case, but the applications that handle the transactions can be quite vulnerable,” Ricard said.

“There may be hundreds of thousands of ways this can be abused, which coders have to try to account for, yet a hacker only needs to discover one vector, once, for a breach to occur,” he said.

Hangout for Scammers

Forrester also pointed out that the social network Discord has become a major weak point for NFTs and other public blockchain projects. Successful phishing attacks on Discord are at the root of many, if not most, NFT thefts, it continued.

It explained that attacks are usually targeted at community managers and administrators. Once an administrator account is taken over, attackers have the opportunity to steal extensively, because users trust messages from community administrators.

Bennett noted that Discord was primarily designed as a communication platform for gamers, not for holding and exchanging value, and that it has mechanisms to mitigate risk. “But these mechanisms can only help if they are implemented, and it is clear that often, they are not,” she said.

“Furthermore,” she said, “Discord attracts its share of phishing attacks and scam messages, being the preferred communication mechanism for token projects.”

Ricard said the Discord communities provide a rich source of information for scammers, as well as investors. “The harvesting of participants’ contact information leads to phishing,” he said. “Hacks in digital wallets are not uncommon.”

“Discord bots have been hacked so that threat actors can post fake mining offers, resulting in the theft of cryptocurrencies,” he said.

Better security than legacy web?

Forrester’s report notes that in a fast-moving Web3 world, it’s tempting to ignore security in favor of innovating quickly, but public security issues can easily derail a major launch or force a product team to stop and analyze and mitigate critical security flaws.

Firms can identify risks and protect both the decentralized and centralized components of their Web3 applications by engaging their security teams not only in the software development lifecycle but throughout the product lifecycle.

“Web3 needs to shift its focus to the left, which means getting as much security as possible for developers and making prevention the ultimate goal,” Chiodi said. “Without this focus, Web3 would be indistinguishable from Web2. It would be a shame given its tremendous potential, especially around decentralized identity.”

“Web3’s distributed approach provides a variety of security capabilities, but the fundamental problems remain the same,” said Mark Bower, vice president of product at Anjuna, a confidential computing company in Palo Alto, Calif.

“If an attacker gains credentials, root-level privileges or access to keys — especially private keys that are used throughout the ecosystem,” he told TechNewsWorld, “then it’s game over, just as it would be on a centralized platform.”

Cybersecurity professionals want the computer industry to emphasize vendor consolidation and open standards.

This major shift in how IT professionals assemble their security stacks is long overdue, according to new research from the Information Systems Security Association (ISSA) International and the independent industry analyst firm Enterprise Strategy Group (ESG), a division of TechTarget.

Vendor consolidation and the push toward open standards are driven by buyers themselves, who are challenged by increasing complexity, cost and the “tool sprawl” that comes with promoting best-of-breed technology.

Nearly half (46%) of organizations are consolidating or plan to consolidate the number of vendors they do business with. Concerned by the growing complexity of security operations, 77% of infosec professionals would like to see greater industry collaboration and support for open standards that promote interoperability.

Thousands of cyber security technology vendors compete against each other in multiple security product categories. Organizations want to optimize all the security technologies in their stack at once.

According to the research report, vendors supporting open standards for technology integration will be best positioned to meet this shift in the industry.

“Given that nearly three-quarters (73%) of cybersecurity professionals feel that vendors engage in hype over substance, vendors who demonstrate a genuine commitment to supporting open standards will be in the best position as industry-wide consolidation takes hold,” said Candy Alexander, board president, ISSA International.

She said CISOs have become so burdened with vendor noise and security “tool sprawl” that for many, the wave of vendor consolidation is like a breath of fresh air.

Shift to security platform

ESG surveyed 280 cybersecurity professionals, most of whom are ISSA members. The results, released last month, focused on security processes and technologies, and show that 83% of security professionals believe the technology interoperability of the future depends on establishing industry standards.

The report’s details describe a cybersecurity landscape that looks favorably on security product suites (or platforms) as it moves away from a defense-in-depth strategy built on deploying best-of-breed cybersecurity products. That approach has a historical track record of steadily increasing organizational complexity and adding substantial operational overhead.

“The report shows that massive changes are taking place within the industry, in what many believe is a long-overdue shift,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow.

“The fact that 36% of organizations may be willing to purchase most security technologies from a single vendor speaks volumes about a change in buying behavior, as CISOs are openly considering security platforms in lieu of best-of-breed point tools,” he said.

Why Jump from Best-of-Breed

The number of competing security tools has skyrocketed, with many organizations managing 25 or more independent security products. It follows that security professionals are now stressed by the need to juggle so many independent products to do their jobs.

Managing an assortment of security products from different vendors increases training requirements, makes it difficult to get an overall picture of security, and requires manual intervention to fill the gaps between products. As a result, 21% of organizations are consolidating the number of cybersecurity vendors they do business with, and another 25% are considering consolidating.

“In general, buying, implementing, configuring and operating too many different tools has become very difficult, let alone maintaining ongoing support relationships with vendors. Consolidating management and operations makes sense,” Oltsik told TechNewsWorld.

This ongoing complexity is prompting 53% of cybersecurity professionals to purchase security technology platforms instead of best-of-breed products. The study showed that 84% of respondents believe a product’s integration capabilities are important, and 86% consider it important or very important that best-of-breed products integrate with other products.

For 60% of IT teams, tight integration between previously separate security controls is a primary requirement, ahead of buying best-of-breed. Improved threat detection efficiency, such as accurate, high-fidelity alerts and better cyber-threat detection, was on the wish list for 51%.

widespread government mandates

Cybersecurity products cover the basics, Oltsik noted. These include antivirus software, firewalls, some sort of identity management system, and a range of products for endpoint encryption.

“In many cases, these technologies are mandated by government and industry regulations,” he said. “The biggest influencer in cybersecurity protections is the US federal government, which can and does mandate certain standards.”

For example, the Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community deliberation. The in-progress Cybersecurity Maturity Model Certification (CMMC) standard mandates certain security certifications for DoD vendors.

“We have also seen standards from industry, such as the activity of the Organization for the Advancement of Structured Information Standards (OASIS) and its standards. This week, we saw the launch of the Open Cybersecurity Schema Framework (OCSF), a standard data schema for security data. There are also many identity management standards,” he said.

Finding a shared security base

After reviewing this data, ESG and ISSA recommend that organizations encourage their security vendors to adopt open industry standards, possibly in collaboration with their industry’s Information Sharing and Analysis Center (ISAC). In addition, there are established security standards available from MITRE, OASIS and the Open Cybersecurity Alliance (OCA).

Many vendors speak in favor of open standards, but most do not actively participate or contribute to them. However, this lukewarm behavior can change quickly.

For this to happen, cybersecurity professionals – especially those at organizations big enough to send signals to the market – should establish best practices for vendor qualification.

In addition, they need to emphasize process requirements that include adoption and development of open standards for technology integration as part of a broader process for all security technology procurement, according to the report.

expected result

Cybersecurity standards and vendor integration will strengthen the cybersecurity landscape against the continuing rise in cyber threats by easing product development and integration. Oltsik explained that this will allow the industry and security teams to focus more on innovation and security fundamentals and less on building connectors for interoperability.

He sees an opportunity within the industry to support these efforts.

“It seems that some industry leaders are collaborating. I point to OCSF, where 18 vendors agreed to support it,” he said.

This group includes a number of leaders – AWS, CrowdStrike, IBM, Okta and Splunk, for starters. He said another potential driver would be the support of large security technology customers.

Oltsik concluded, “If Goldman Sachs, GM, Walmart and the US federal government said they would only buy from vendors that support OCSF, it would really hit the industry.”

The full ESG-ISSA report, titled “Technology Perspectives from Cybersecurity Professionals,” is available here. No form filling is required.