A new phishing-as-a-service offering on the dark web poses a threat to online accounts protected by multi-factor authentication, according to a blog posted Monday by an endpoint security company.

Called EvilProxy, the service allows threat actors to launch phishing campaigns with the ability to largely bypass MFA without the need to hack upstream services, the Resecurity researchers noted in the blog.

The service uses methods previously seen from APT and cyber espionage groups to compromise accounts protected by MFA. According to the researchers, such attacks have been discovered against Google and Microsoft customers whose accounts have MFA enabled via SMS text messages or application tokens.

Phishing links produced by EvilProxy lead to cloned web pages prepared to compromise accounts associated with multiple services, including Apple iCloud, Facebook, GoDaddy, GitHub, Dropbox, Instagram, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex.

Threat actors using EvilProxy are targeting software developers and IT engineers to gain access to their repositories, with the ultimate goal of compromising “downstream” targets, the researchers wrote.

They explained that these tactics allow cybercriminals to capitalize on end users who believe they are downloading software packages from trusted resources and do not expect them to be compromised.

faster, faster, better

“This incident poses a threat to software supply chains because it targets developers by giving the service’s cybercriminal customers the ability to launch campaigns against GitHub, PyPI and NPM,” said Aviad Gershon, security research team leader at Checkmarx, an application security company in Tel Aviv, Israel.

“Just two weeks ago,” he told TechNewsWorld, “we saw the first phishing attack against PyPI contributors, and now we see the service take it a few steps further by making these attacks accessible to less technical operators and adding the capability to bypass MFA.”

Checkmarx’s head of supply chain security, Tzachi Zornstein, said the nature of supply chain attacks increases the reach and impact of cyberattacks.

“Abusing the open-source ecosystem represents an easy way for attackers to increase the effectiveness of their attacks,” he told TechNewsWorld. “We believe this is the beginning of a trend that will increase in the coming months.”

A phishing-as-a-service platform can also increase attacker effectiveness. “Since PhaaS can operate at scale, it enables adversaries to be more efficient at stealing and defrauding identities,” said Resecurity CEO Gene Yoo.

“Old-fashioned phishing campaigns require money and resources, which can be overwhelming for one person,” he told TechNewsWorld. “PhaaS is just faster, faster, better.”

“It’s something that’s very unique,” he said. “It’s very rare to produce a phishing service on this scale.”

well packed

Many illicit hacking services with malicious intent are now sold as packaged solutions, explained Alon Nachmani, field CISO at AppViewX, a certificate lifecycle management and network automation company in New York City.

“By using a PhaaS solution, malicious actors have less overhead and less to do to spring an attack,” he told TechNewsWorld.

“Quite honestly,” he continued, “I’m surprised it took so long to become a thing. There are so many marketplaces where you can buy ransomware software and link it to your wallet. Once deployed, you can collect the ransom. The only difference here is that it is completely hosted for the attacker.”

While phishing is often considered a low-effort activity in the hacking world, it still requires some work, said Monia Deng, director of product marketing at Bolster, a provider of automated digital risk protection in Los Altos, Calif. You’d need to do things like stand up a phishing site, create emails, automate managers, and nowadays, steal 2FA credentials on top of primary credentials, she explained.

“With PhaaS,” she continued, “everything is neatly packaged on a subscription basis for criminals who do not require any hacking or even social engineering experience. It opens the ground for many more threat actors who want to exploit organizations for their own gain.”

bad actors, great software

The Resecurity researchers explained that payment for EvilProxy is conducted manually through an operator on Telegram. Once the subscription funds are received, they are credited to the account in the customer portal hosted on Tor. The kit is available for $400 per month.

EvilProxy’s portal has many tutorials and interactive videos on using the service and configuration tips. “To be clear,” the researchers wrote, “the bad actors did a great job in terms of service usability, and configuration of new campaigns, traffic flow, and data collection.”

“This attack just shows the maturity of the bad actor community,” said George Gerchow, CSO and senior vice president of IT at Sumo Logic, an analytics company focused on security, operations and business information in Redwood City, Calif.

“They are packing these kits nicely with detailed documentation and videos to make it easier,” he told TechNewsWorld.

The service uses a “reverse proxy” principle, the researchers noted. It works like this: Bad actors lead victims to a phishing page, use a reverse proxy to get all the legitimate content the user expects to see, and sniff their traffic through the proxy.

“This attack highlights how low the barrier of entry is for unsophisticated actors,” said Heather Iannucci, a CTI analyst at Tanium, creator of an endpoint management and security platform in Kirkland, Wash.

“With EvilProxy, a proxy server sits between the legitimate platform’s server and the phishing page, which steals the victim’s session cookie,” she told TechNewsWorld. “This can then be used by the threat actor to log in to the legitimate site as the user without MFA.”

“Defending against EvilProxy is a challenge because it combines cheating a victim and MFA bypass,” Yoo said. “The real compromise is invisible to the victim. Everything sounds good, but it’s not.”
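The reverse-proxy flow described above leaves two server-side traces a defender can alert on: the MFA completion arrives from the proxy’s address rather than the user’s usual one, and the session cookie the site issued is later presented from a different client. The following Python is an added illustration of that detection logic, not code from the article or from Resecurity; the JSON log format, user, IP addresses and per-user baseline are constructed for the example.

```python
"""
Detect adversary-in-the-middle (AiTM) session hijacking in authentication logs.

A reverse-proxy phishing kit relays the victim's credentials and MFA code to
the real site and captures the session cookie the site issues.  Server-side,
two things are visible:
  1. login and MFA complete from the proxy's IP, not the user's usual one;
  2. the issued session ID is later presented from yet another client
     (the attacker replaying the stolen cookie, often from tooling whose
     User-Agent differs from the victim's browser).
Log format, addresses and baseline below are constructed for this example.
"""
import json
from collections import defaultdict

# Constructed per-user baseline: IPs seen in past legitimate logins.
USER_BASELINE = {
    "alice@example.test": {"203.0.113.10", "203.0.113.11"},
}

# Constructed JSON-lines log, ordered by time.  The proxy forwards the
# victim's real User-Agent, so the UA alone does not reveal the login.
SAMPLE_LOG = """
{"ts":"2022-09-05T08:00:01Z","event":"login_ok","user":"alice@example.test","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/104.0","sid":"s-legit-1"}
{"ts":"2022-09-05T08:00:03Z","event":"mfa_ok","user":"alice@example.test","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/104.0","sid":"s-legit-1"}
{"ts":"2022-09-05T08:05:00Z","event":"request","user":"alice@example.test","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/104.0","sid":"s-legit-1","path":"/mail"}
{"ts":"2022-09-05T09:12:10Z","event":"login_ok","user":"alice@example.test","ip":"198.51.100.77","ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/104.0","sid":"s-stolen-2"}
{"ts":"2022-09-05T09:12:14Z","event":"mfa_ok","user":"alice@example.test","ip":"198.51.100.77","ua":"Mozilla/5.0 (Windows NT 10.0) Firefox/104.0","sid":"s-stolen-2"}
{"ts":"2022-09-05T09:20:41Z","event":"request","user":"alice@example.test","ip":"192.0.2.250","ua":"python-requests/2.28.1","sid":"s-stolen-2","path":"/mail/export"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_aitm(events, baseline=USER_BASELINE):
    """
    Return a list of (rule, sid, detail) findings.

    rule "mfa_from_unknown_ip": MFA completed from an IP not in the user's
        baseline (the proxy host sits between victim and site).
    rule "session_reused_from_new_client": a session ID presented from a
        different IP or User-Agent than the client that completed MFA.
    """
    findings = []
    session_origin = {}  # sid -> (ip, ua) of the client that passed MFA
    for ev in events:
        sid = ev.get("sid")
        if ev["event"] == "mfa_ok":
            session_origin[sid] = (ev["ip"], ev["ua"])
            known = baseline.get(ev["user"], set())
            if known and ev["ip"] not in known:
                findings.append(("mfa_from_unknown_ip", sid, ev["ip"]))
        elif ev["event"] == "request" and sid in session_origin:
            origin_ip, origin_ua = session_origin[sid]
            if ev["ip"] != origin_ip or ev["ua"] != origin_ua:
                detail = f"{origin_ip} -> {ev['ip']} ({ev['ua']})"
                findings.append(("session_reused_from_new_client", sid, detail))
    return findings


def likely_aitm_sessions(findings):
    """Sessions where both rules fired: strong signal of cookie theft via proxy."""
    rules_by_sid = defaultdict(set)
    for rule, sid, _ in findings:
        rules_by_sid[sid].add(rule)
    return {sid for sid, rules in rules_by_sid.items()
            if {"mfa_from_unknown_ip", "session_reused_from_new_client"} <= rules}


if __name__ == "__main__":
    found = detect_aitm(parse_events(SAMPLE_LOG))
    for rule, sid, detail in found:
        print(f"{rule:32} {sid:12} {detail}")
    print("likely AiTM sessions:", likely_aitm_sessions(found))
```

Either rule alone produces false positives (travel, VPNs, mobile carrier address changes), which is why the combined verdict is the one worth paging on; a kit that relays from an address in the victim’s own range would defeat the baseline check, so the session-reuse rule remains the more robust of the two.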

still in effect

Nachmani warned that users should be concerned about the effectiveness of MFA that uses text messaging or application tokens. “PhaaS is designed to use them, and this is a trend that will grow in our market,” he said.

“Certificates as an additional factor are what I expect to see increase in use soon,” he said.

While users should be careful when using an MFA, it is still an effective mitigation against phishing, said Patrick Harr, CEO of SlashNext, a network security company in Pleasanton, Calif.

“It increases the difficulty of leveraging compromised credentials to disband an organization, but it is not foolproof,” he said. “If a link leads the user to a counterfeit replica of a legitimate site—which is nearly impossible to identify as not legitimate—the user may be the victim of an adversary-in-the-middle attack, such as the one used by EvilProxy.”

The next generation of the Web – Web 3 – has been touted as more secure than the current incarnation of cyberspace, but a report released Tuesday warned that may not be the case.

According to a report by Forrester, a national technology research company, Web3 can be difficult to break into at the infrastructure level, but there are other points of attack that could provide threat actors with more opportunities for mischief than those found in the legacy Web.

Web3 applications, including NFTs, are not only vulnerable to attack, Forrester explained, but often offer a wider attack surface than traditional applications due to the distributed nature of blockchains.

Furthermore, it said, Web3 apps are desirable targets as tokens can be worth substantial amounts of money.

The openness of Web3, which is considered one of its main advantages, can also be a disadvantage. Martha Bennett, vice president and principal analyst at Forrester and a co-author of the report, said, “The code that runs on a public blockchain is easily accessible by anyone with the necessary technical skills, from anywhere in the world – no need to enter corporate security to achieve this.”

“Source code is generally readily available, because the focus is not on running closed source ‘smart contracts’. The Web3 ethos is, after all, ‘open code,’” she told TechNewsWorld.

unwanted complication

David Ricard, CTO of North America at Cipher, a division of Prosegur, a multinational security company, explained that Web3 is based on distributed control of data and identity by its users.

“This broadens the attack surface for individuals who may be unwilling or simply unable to handle the management of their own data and identities, bringing technical complexity to an area that is, above anything, supposed to be ‘easy’ to use,” he told TechNewsWorld.

“Scrolling through personal text messaging, email, social media and shopping apps is a real challenge for them,” he said.

He said the idea of making Web3 code transparent and publicly available is unlikely to gain real traction. “There is a lot of money at stake between capital investors and users of blockchain financial systems and NFTs,” he said.

He further added that making the code transparent and public can also broaden the attack surface in a clear way. “Safe coding practices that predict how someone might abuse a system for nefarious gains are generally not practiced,” he explained. “It is not easy to predict how people might use the system for purposes other than those intended.”

“Most of the financial losses associated with blockchain and NFTs do not exploit immutable objects themselves, but rather manipulate them by exploiting applications that can affect them,” he said.

Furthermore, while legacy systems may be outdated, they may also be robust. “What’s new is also the most vulnerable,” said Matt Chiodi, chief trust officer at Cerby, creator of a platform to manage Shadow IT in San Francisco.

“While time is not always a friend of security, it allows an application to become battle tested,” he told TechNewsWorld. “Web 3 is no different. It’s new and not much tested. Legacy applications have a time advantage. Web3 doesn’t.”

NFT becoming popular target

Even if the code is visible and accessible, the report said, attackers will find weak points. It makes clear that while attacks on smart contracts and cryptocurrency wallets are confined to the Wild West of decentralized finance, NFT projects have increasingly become a favorite target.

“Why go for more difficult hacks if there are easier ways to get what you want?” asked Bennett. “Like any other venue where value is traded, [NFT] markets and communication tools attract people who want to steal or otherwise break the rules.”

“For anything to do with Web3, speed is of the essence, and many of the people involved do not have the necessary expertise to assess a potential security issue,” she said. “Sometimes, startups don’t even advertise for a security chief until something bad happens.”

One of the biggest breaches of an NFT marketplace occurred in June at OpenSea, which exposed nearly 1.8 million email addresses. “There was an insider threat involved in that particular case, but the applications that handle the transactions can be quite vulnerable,” Ricard said.

“There may be hundreds of thousands of ways this can be abused, which coders have to try to account for, yet a hacker only needs to discover one vector, once, for a breach to occur,” he said.

Hangout for Scammers

Forrester also pointed out that social media network Discord has become a major weak point in NFTs and other public blockchain projects. Successful phishing attacks on Discord are at the root of many, if not most, NFT thefts, it continued.

It clarified that attacks are usually targeted at community managers and administrators. Once an administrator account is successfully taken over, attackers have the opportunity to steal extensively, as users rely on messages from community administrators.

Bennett noted that Discord was primarily designed as a communication platform for gamers, not for holding and exchanging value, and that it has mechanisms to mitigate risk. “But these mechanisms can only help if they are implemented, and it is clear that often, they are not,” she said.

“Furthermore,” she said, “Discord attracts a similar share of phishing attacks and scam messages, being the preferred communication mechanism for token projects.”

Ricard said the Discord communities provide a rich source of information for scammers, as well as investors. “The harvesting of participants’ contact information leads to phishing,” he said. “Hacks of digital wallets are not uncommon.”

“Discord bots have been hacked so that threat actors can post fake mining offers, resulting in the theft of cryptocurrencies,” he said.

Better security than legacy web?

Forrester’s report notes that in a fast-moving Web3 world, it’s tempting to ignore security in favor of innovating quickly, but public security issues can easily derail a major launch, so product teams need to analyze and mitigate critical security flaws.

Firms can identify risks and protect both the decentralized and centralized components of their Web3 applications by engaging their security teams not only in the software development lifecycle but throughout the product lifecycle.

“Web3 needs to shift its focus to the left, which means getting as much security as possible for developers and making prevention the ultimate goal,” Chiodi said. “Without this focus, Web3 would be indistinguishable from Web2. It would be a shame given its tremendous potential, especially around decentralized identity.”

“Web3’s distributed approach provides a variety of security capabilities, but the fundamental problems remain the same,” said Mark Bower, vice president of product at Anjuna, a confidential computing company in Palo Alto, Calif.

“If an attacker gains credentials, root-level privileges or access to keys — especially private keys that run throughout the ecosystem,” he told TechNewsWorld, “then it’s game over, just as it is in a centralized platform.”

Cybersecurity professionals want the computer industry to emphasize vendor consolidation and open standards.

This major change in the security landscape for IT professionals is long overdue, according to new research from the Information Systems Security Association (ISSA) International and the independent industry analyst firm Enterprise Strategy Group (ESG), a division of TechTarget.

Vendor consolidation and the push toward open standards are driven by buyers themselves, who are challenged by increasing complexity, cost, and the “tool sprawl” that comes with promoting best-of-breed technology.

Nearly half (46%) of organizations consolidate or plan to consolidate the number of vendors they do business with. Concerned by the growing complexities of security operations, 77% of InfoSec professionals would like to see greater industry collaboration and support for open standards that promote interoperability.

Thousands of cyber security technology vendors compete against each other in multiple security product categories. Organizations want to optimize all the security technologies in their stack at once.

According to the research report, vendors supporting open standards for technology integration will be best positioned to meet this shift in the industry.

“Given that nearly three-quarters (73%) of cybersecurity professionals feel that vendors are engaging in hype over substance, vendors who demonstrate a genuine commitment to supporting open standards would be in the best position to weather industry-wide consolidation,” said Candy Alexander, board president, ISSA International.

She said CISOs have become so burdened with vendor noise and security “tool sprawl” that for many, the wave of vendor consolidation is like a breath of fresh air.

Shift to security platform

ESG surveyed 280 cybersecurity professionals, most of whom are ISSA members. The results, released last month, focused on security processes and technologies, and show that 83% of security professionals believe the technology interoperability of the future depends on setting industry standards.

The report’s details demonstrate a cybersecurity landscape that looks favorably toward a security product suite (or platform) as it moves away from a defense-in-depth strategy based on deploying best-of-breed cybersecurity products. That approach has a historical track record of increasing organizational complexity and adding substantial operational burden.

“The report shows that massive changes are taking place within the industry in what many believe is a change that has been a long time coming,” said Jon Oltsik, senior principal analyst and ESG fellow.

“The fact that 36% of organizations may be willing to purchase most security technologies from a single vendor speaks volumes for a change in buying behavior, as CISOs are openly considering security platforms in lieu of best-of-breed point tools,” he said.

Why Jump from Best-of-Breed

The number of competing security tools has skyrocketed, with many organizations managing 25 or more independent security tools. It follows that security professionals are now stressed by the need to juggle so many independent security products to do their job.

Managing an assortment of security products from different vendors has increased training requirements, makes it difficult to get an overall picture of security, and requires manual intervention to fill in the gaps between products. As a result, 21% of organizations are consolidating the number of cybersecurity vendors they do business with, and another 25% are considering consolidating.

“In general, buying, implementing, configuring and operating too many different tools has become very difficult, let alone maintaining ongoing support relationships with vendors. Consolidating management/operations makes sense,” Oltsik told TechNewsWorld.

This ongoing complexity is prompting 53% of cybersecurity professionals to purchase security technology platforms instead of best-of-breed products. The study showed that 84% of respondents believe a product’s integration capabilities are important, and 86% consider it important or critical that best-of-breed products integrate with other products.

According to 60% of IT teams, tight integration between previously disparate security controls is a primary requirement rather than a nice-to-have. Improved threat detection efficiency, such as accurate high-fidelity alerts and improved cyber-threat detection, was on the wish list for 51%.

generalized government mandate

Cybersecurity products cover the basics, noted Oltsik. This includes antivirus software, firewalls, some sort of identity management system, and a range of products for endpoint encryption.

“In many cases, these technologies are mandated by government and industry regulations,” he said. “The biggest influencer in cybersecurity protections is the US federal government which can and does mandate certain standards.

“For example, the Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community deliberations. The in-progress Cybersecurity Maturity Model Certification (CMMC) standard mandates certain security certifications for DoD vendors.

“We have also seen standards from industry, such as the work of the Organization for the Advancement of Structured Information Standards (OASIS) and the standards it publishes. This week, we saw the beginning of the Open Cybersecurity Schema Framework (OCSF), a standard data schema for security data. There are also many identity management standards,” he said.

Finding a shared security base

After reviewing this data, ESG and ISSA recommend that organizations encourage their security vendors to adopt open industry standards, possibly in collaboration with their industry’s Information Sharing and Analysis Center (ISAC). In addition, there are some established security standards available from MITRE, OASIS and the Open Cybersecurity Alliance (OCA).

Many vendors speak in favor of open standards, but most do not actively participate or contribute to them. However, this lukewarm behavior can change quickly.

For this to happen, cybersecurity professionals – especially those at organizations big enough to send signals to the market – must establish best practices for vendor qualification.

In addition, they need to emphasize process requirements that include adoption and development of open standards for technology integration as part of a broader process for all security technology procurement, according to the report.

expected result

Cybersecurity standards and vendor integration will strengthen the cybersecurity landscape against the continuing increase in cyber threats by easing product development and integration. Oltsik explained that this will allow industry and security teams to focus more on innovation and security fundamentals and less on building connectors for interoperability.

He sees an opportunity within the industry to support these efforts.

“It seems that some industry leaders are collaborating. I point to OCSF where 18 vendors agreed to support it,” he said.

This group includes a number of leaders – AWS, CrowdStrike, IBM, Okta and Splunk, for starters. He said another potential driver would be the support of large security technology customers.

Oltsik concluded, “If Goldman Sachs, GM, Walmart and the US federal government said they would only buy from vendors that support OCSF, it would really hit the industry.”

The full ESG-ISSA report titled “Technology Perspectives from Cybersecurity Professionals” is available here. No form filling is required.

According to a new report from Parks Associates, the home security systems market continues to grow despite concerns about false alerts.

The report noted that security system ownership is at an all-time high in many areas, with more than a third of US broadband households (36%) having home security systems and 41% of multi-dwelling unit managers having systems installed in their common areas and parking garages.

“The market was stagnant, at about 20% penetration for decades,” said Yaniv Amir, president of Essence USA, which is part of the Essence Group, a global technology company.

“Over the past five to seven years, we’ve seen significant growth as security has become a part of home automation,” he told TechNewsWorld. “It reached the mid-thirties.”

The report noted that the past several years have been good for selling systems in the small and medium business market. Along with the COVID-19 pandemic, it explained, the spring and summer of 2020 were characterized by social and political unrest, resulting in increased concerns about safety and security.

false alert problem

According to the report, despite promising growth, accurate detection of security threats remains a problem. False alarms are a threat to user satisfaction with their systems, it maintained, with two out of three security system owners paying fines for false alarms with an average cost of about $150.

“In America, false alarms are a really big deal,” Amir said. “It causes a lot of people to turn off their alarm systems, making them nonfunctional.”

He said one way to avoid false alarms is to use artificial intelligence rather than triggering the alarm from a single detector. “If you have multiple sensors, an intruder is likely to hit more than one sensor, so an alert from a single sensor is likely to be a false alert,” he explained.

“More advanced systems can use facial recognition to determine whether a face belongs to someone living in a household,” he said. “More advanced technologies can also identify unusual behavior – for example, the owner of the house being attacked.”

Chris White, senior analyst at Parks, told TechNewsWorld that effective monitoring is the best way to avoid false alarms. In addition, he continued, new video and audio analytics will help.

“Device makers are increasingly using AI powered by the cloud or by more powerful edge hardware to analyze video and audio data collected by cameras and microphones around the residence and verify that the detected event is a real threat rather than a pet walking on the porch or a branch in a strong wind,” he said.

AI to the rescue

Believing that better analysis will help eliminate false alerts, Mark N. Vena, president and principal analyst at SmartTech Research in San Jose, Calif., said AI will ultimately do the best job of reducing false alerts. “This would allow the cameras to ‘learn’ about a homeowner’s specific environment,” he explained.

“This technology may be integrated at the device level, but it may also surface in Wi-Fi 6e or Wi-Fi 7e routers, which can contribute by dramatically reducing latency along with improved bandwidth,” he said.

IDC senior analyst Adam Wright said vendors can do things to improve smart security systems, but it is the user’s responsibility to configure the system appropriately.

“This is one of the drawbacks of adopting a do-it-yourself approach to building a home security system – setting up and configuring all the necessary rules and sequences can be cumbersome,” he told TechNewsWorld.

“An advantage of professional installers is that they can customize the security solution to the needs of the home and help the user set up the correct configuration to ensure that the system works as intended, avoids false alerts and minimizes other disruptions,” he said.

integration headache

False warnings aren’t the only problem with home security systems. “Reliable connectivity is a big limitation,” argued Wright. Often network-connected devices become unresponsive or offline, and troubleshooting isn’t always straightforward or easy.

“Furthermore,” he added, “integration with third-party devices remains problematic. For example, dragging a video feed onto a smart display can cause a number of errors and delays that can disrupt the experience.”

Vena agreed that it’s difficult to integrate multiple brands of appliances with many existing home security systems.

“Some of the better home security systems, though not all, do a fair job of integrating devices from different manufacturers, playing an agnostic role,” he said, “but user frustrations can be high when they find that a device they have bought does not operate within the home security system’s ecosystem or integrate with its master control app.”

He sees future security systems moving away from the use of video. “I’m most optimistic about ‘Wi-Fi sensing’ technology, which allows every Wi-Fi device in your home to use the Wi-Fi signal to detect falls, break-ins, and so forth,” he observed.

“Acoustic sensing technology can also help detect glass breaks or screams that can be used to send alerts,” he said. “These latter capabilities also have privacy benefits because they don’t use video to make these determinations, something that’s as appealing as an indoor sensor.”

DIY Monitoring

The Parks report also noted that an important new factor in the security sector is the increase in self-monitoring security systems. These self-monitoring systems send alerts to users’ phones for a low monthly fee.

“Self-monitoring has the benefit of lower monthly costs, but it also requires the homeowner to act on an alert and contact authorities if a break-in or intruder is detected,” Vena said. “It’s a significant disadvantage, because most people don’t want or can’t have their homes monitored.”

Wright said one of the biggest benefits of self-monitoring is the peace of mind that the system won’t falsely trigger a response from emergency services, which can be disruptive or costly.

“However, the disadvantage is if an alert or alarm goes undetected,” he continued. “For example, if the user is not near their phone at all times, or there is a connectivity issue and the phone does not receive alerts, then the incident will go unanswered, which could mean that emergency services are not dispatched in time.”

According to the report, 33% of self-monitoring security system owners told Parks researchers that they intended to switch to a professional monitoring service because they were not available when a security incident occurred and could not take appropriate action.

A new report from a privileged access management (PAM) firm warns that IT security is getting worse as corporations become stuck deciding what to do and what it will cost.

Delinea, formerly Thycotic and Centrify, on Tuesday released research based on a survey of 2,100 security decision makers internationally, revealing that 84% of organizations have experienced an identity-related security breach in the past 18 months.

This revelation comes as enterprises are grappling with expanding entry points and more frequent and advanced attack methods from cybercriminals. It also highlights the gap between the perceived and actual effectiveness of security strategies. Despite the high percentage of accepted breaches, 40% of respondents believe they have the right strategy.

Several studies have found that credentials are the most common attack vector. Delinea wanted to know what IT security leaders were doing to reduce the risk of attack. This study focused on learning about the adoption of privileged access management by organizations as a security strategy.

Key findings of the report include:

  • 60% of IT security decision-makers have been put off working on an IT security strategy due to multiple concerns;
  • Identity security is a priority for security teams, but 63% believe it is not understood by executive leaders;
  • 75% of organizations will fail to protect privileged identities because they will not receive the support they need.

ID security is a priority, but board buy-in is critical

Falling short on corporate commitment to actually take action is a growing pattern among executives when it comes to IT efforts to provide better breach prevention.

Many organizations are hungry to make change, but three quarters (75%) of IT and security professionals believe that promises of change will fail to protect privileged identities due to a lack of corporate support, according to researchers.

The report noted that 90% of the respondents said that their organizations fully recognize the importance of identity security in enabling them to achieve their business goals. Nearly the same percentage (87%) said it was one of the most important security priorities for the next 12 months.

However, a lack of budget commitment and executive alignment resulted in a constant stall on improving IT security. Some 63% of respondents said that their company’s board still does not fully understand identity security and its role in enabling better business operations.

Joseph Carson, chief security scientist and advisory CISO at Delinea, said, “While the importance of identity security is acknowledged by business leaders, most security teams will not receive the support and budget they need to provide critical security controls and the resources needed to mitigate key risks.”

“This means that most organizations will be deprived of protecting privileges, leaving them vulnerable to cybercriminals searching for and abusing privileged accounts,” he said.

Lack of policies puts machine ID at great risk

Despite the good intentions of corporate leaders, companies have a long road ahead when it comes to protecting privileged identities and access. According to the report, less than half (44%) of organizations surveyed have implemented ongoing security policies and procedures for privileged access management.

These missing security protections include password rotation or approval, time-based or context-based security, and privileged behavior monitoring such as recording and auditing. Even more worrying, more than half (52%) of all respondents allow privileged users to access sensitive systems and data without the need for multifactor authentication (MFA).

Another alarming lapse has come to the fore in the research. Privileged identities include humans, such as domain and local administrators. They also include non-humans, such as service accounts, application accounts, code, and other types of machine identities that automatically connect to and share privileged information.

However, only 44% of organizations manage and secure machine identities. The majority leave them exposed to attack.

Graph: Delinea benchmarking security gaps and privileged access

Source: Delinea Global Survey of Cyber Security Leaders


Cybercriminals look for the weakest link, Carson noted. Ignoring ‘non-human’ identities – especially when these are growing at a faster rate than human users – greatly increases the risk of privilege-based identity attacks.

“When attackers target machine and application identities, they can easily eavesdrop,” he told TechNewsWorld.

They move around the network to determine the best place to strike and inflict the most damage. Organizations need to ensure that machine identities are incorporated into their security strategies and follow best practices when it comes to protecting all of their IT ‘superuser’ accounts, which, if compromised, could bring the entire business to a halt, he advised.

The security gap is widening

Perhaps the most important finding from this latest research is that the security gap continues to widen. Many organizations are on the right track to secure the business and reduce cyber risk, but they face the challenge that large security gaps remain for attackers to exploit. This includes securing privileged identities.

An attacker only needs to find one privileged account. As long as businesses still leave many privileged identities vulnerable, such as application and machine identities, attackers will continue to exploit them and disrupt business operations in exchange for ransom payments.

The good news is that organizations recognize the high priority of protecting privileged identities. The sad news is that many privileged identities are still exposed, because securing only human privileged identities is simply not enough, Carson explained.

Not only is the security gap between businesses and attackers widening, but so is the gap between IT leaders and business executives. While this is improving in some industries, the problem still exists.

“Until we address the challenge of communicating the importance of cyber security to the executive board and business, IT leaders will continue to struggle to obtain the resources and budget needed to close the security gap,” he warned.

cloud whack-a-mole

One of the main challenges to securing identities is that, with mobility and cloud environments, identities are now everywhere. According to Carson, this increases the complexity of securing identity.

Businesses are still trying to secure them with the security technologies they already have in place today. But this results in many security gaps and limitations. Some businesses even fall short by trying to secure identities with simple password managers, he said.

“However, this still means relying on business users to make good security decisions. To secure identities, you must first have a good strategy and plan in place. This means knowing the types of privileged identities that exist in the business, and understanding and using security technology that is designed to find and protect them,” he concluded.

A recent gathering of global cybersecurity professionals has unearthed the latest attack scenarios that hackers use to infiltrate corporate networks. But contrary to the hopes of misguided potential victims, no silver bullet or software guarantee will completely protect them.

RSA Conference (RSAC) presenters focused on the increasing demand for implementing the zero-trust philosophy. Presenters urged network managers to educate their employees about digital identity proofing. This includes securing the data points needed to deploy digital ID proofing solutions in practice.

Another major cause of network breaches is organizations integrating their on-premises environments into their cloud environments. This leaves the cloud exposed to attacks that originate on-premises.

“The RSA Conference plays a vital role in bringing the cyber security industry closer together. As cyber attacks grow in frequency and sophistication, it is imperative that public and private sector practitioners and experts are able to come together and hear unique perspectives to help address today’s greatest challenges,” commented RSA Conference Vice President Linda Gray Martin.

RSAC provides a year-round platform for the community to engage with, learn from and access cyber security content. That process is available online and at in-person events.

According to the RSAC, better cyber security will come only with a greater focus on threat hunting activities along with authentication, identity and access management.

head in charge

RSA Federal President Kevin Orr oversees the deployment of security, specifically identity access management tools, for federal and commercial customers. His company has its roots in the early days of cybersecurity.

At this year’s RSA conference and related Public Sector Day, he had the opportunity to speak with leaders in the government and enterprise cybersecurity sector. He shared his observations on the state of cyber security with TechNewsWorld.

RSA Federal is an identity and access management (IAM) solutions firm that began as a cybersecurity section within Dell Computer Company. Today, it has contracts with some of the most security-sensitive organizations in the world.

The tech firm now known as RSA Federal LLC shares its name with one of the leading encryption algorithms. RSA provides security services and solutions to customers throughout the federal public sector ecosystem.

RSA is a public-key encryption technology developed by RSA Data Security, which was founded in 1982 to commercialize the technology. The acronym stands for Rivest, Shamir and Adleman, the three MIT cryptographers who developed RSA public key cryptography.

long-standing convention roots

A series of RSA company sales have positioned it to capitalize on a growing need for cybersecurity specialists. Security Dynamics bought the company in 1982. Dell later acquired RSA from EMC in 2006. A consortium of private equity investors led by Symphony Technology Group bought RSA from Dell in 2020.

The sales reflected both RSA’s and Dell’s corporate strategies. This allowed RSA to focus on security-first organizations, while Dell pursued its product strategy, according to Orr.

The annual RSAC event is an important gathering for the computer security community. It is considered the world’s leading information security conference and exhibition. Originally scheduled for February 7–10, the event was rescheduled because of world events for June 6–9 at The Moscone Center in San Francisco.

RSA Federal is not a conference sponsor. However, its representatives participate in panels, showcases and speeches throughout the event.

This year’s 31st annual conference was the first to be held as a standalone, independent business since the investment from Crosspoint Capital Partners in March. The event was attended by over 26,000 attendees, including over 26,000 speakers, 400 exhibitors and over 400 members of the media.

notable takeaway

According to Orr, the biggest takeaways for cybersecurity came from the keynote addresses. Security was impacted by a rapid digital transformation.

This change happened rapidly due to the pandemic, which forced organizations to accelerate arrangements for people working away from the office.

The disruption of change in the physical world is now creating a digital ripple across the entire supply chain. Better supply chain security is needed to prevent tampering within its technology.

“Another major theme was the role played by massive propaganda. We are in a hyper-connected world. The propaganda blurs how people separate fact from fiction,” Orr said. This continues to influence the use of technology.

Perhaps one of the most damaging effects is a worsening shortage of talent. He said that not enough people are skilled to deal with cyber security threats and what needs to be done within the cyber security domain.

Attacks are on the rise now, driven by many different factors. In the previous world, we were all sitting behind a firewall in a corporation, Orr noted. Security teams could keep tabs on the good guys and the bad guys, except maybe insiders.

“The firewalls disappeared as soon as we went mobile from the pandemic. Your personal limit of security has disappeared. Some of that boundary needs to be built around identity,” he urged.

Identity border protection

From Orr’s catbird seat in the world of cybersecurity, he sees how preventing identity breaches is now necessary. Organizations must know who is connecting to their network. Security teams need to know what each connection does, where it sits in the network, and what access it should have. In this globalized world, those disruptions really changed things.

“The attack vectors also became realised. The attack vectors have really changed,” Orr said.

Network managers must now look at the danger areas and figure out how and where to spend the money. They also need to learn the techniques available and more importantly know that the attack surface is large.

“That means they need additional sets of people or different sets of skills to come across these open issues and address them,” Orr said.

Those decisions also include ROI factors. He further added that what is really driving the security question is that generally a corporate expense should have a return on investment.

Ransomware Gone Rogue

The rise of ransomware attacks drains money from businesses. Initially the strategy was not to pay the ransom demand. From Orr’s point of view, the better strategy now depends on the circumstances.

Either way, ransomware victims pay and hope for the best, or they refuse to pay and still hope for the best. There must be a plan for the worst case.

“I think it is a personal decision depending on the situation. Now one size does not fit all. You have to see what the bad guys have and what they value. The big question is how to stop it from happening all the time,” he said.

lack of software options

The cyber security industry is not only facing a shortage of talent. Advanced tools may also be lacking.

“I think there’s a lot of basic technologies. I’ll start with the stuff first. Take a look at the truth. For some types of organizations cybersecurity products aren’t really something you can buy. The first step is learning not to click on phishing attempts,” Orr advised.

The solution starts with education. Then it continues with setting some parameters. Determine what your most valuable data is. Next, research how to keep it safe. How do you monitor it?

“Cyber security is really a layered approach,” Orr warned.

never trust, always challenge

That was a big topic of the security conference, he continued. Part of the big change is not being able to trust network visitors.

“It was the kind of thing that has really changed now, not to be trusted. There is always the essential approach to verify. Now you are looking at things differently,” he observed.

We are making good progress. The difference is that we are now preparing for a cyberattack, he concluded.

Misconceptions about embedded SIM cards (eSIM) for IoT are preventing companies from adopting this new technology. This is harmful, as eSIM patching is critical to successful secure IoT deployment.

eSIMs are slowly replacing standard SIMs in IoT devices and products such as smartwatches. They are also making their way into the machine-to-machine world.

However, the rollout has been slowed by unresolved conflicts between competing technical standards and tighter restrictions on data management rules globally. Despite the need for better IoT device security, removing the barriers to adoption is unlikely any time soon.

Machine-to-machine, or M2M, is a broad label that can be used to describe any technology that enables network devices to exchange information and take actions without the manual assistance of humans.

controversial technology

Mostly led by the automotive and transportation industries, eSIMs also contribute to tracking operations in healthcare, smart mobility, utilities and other sectors. But eSIM technology remains controversial so far, noted Noam Lando, CEO and co-founder of global connectivity provider Webbing.

Webbing provides enterprise-grade solutions for Fortune 500 and IoT/M2M companies, as well as an embedded solution for a variety of manufacturers worldwide. The deployment is part of a phased process to ensure a secure and continuous Internet connection for all devices, no matter where in the world they are.

Lando said that “eSIM technology is a game-changer in telecommunications. It completely digitizes the cellular subscription provisioning process. As with any technology that is disruptive, there are a lot of debates and discussions around it, and it is important to better understand its benefits, clear up misconceptions, and help expedite its use in IoT.”

Why all the commotion?

We asked Lando to dig into the details to find out why eSIM technology is causing such an industry-wide uproar.

TechNewsWorld: Is the technology upgrade in eSIMs worth the current turmoil?

Noam Lando: eSIM technology promises cost-effective connectivity establishment and maintenance that is accessible anywhere in the world, regardless of where the device is manufactured or deployed, as well as ultimate control. With the promise of eSIM technology, enterprises can scale their IoT deployments globally, reducing total cost of ownership and business process management costs and shortening time to market.

This generates a lot of hype, especially when you have device makers like Apple, Microsoft, and Google that have eSIM as a standard feature in their new devices.

I sense a “but” here. There is always a but in the works. So what is the big but around eSIM deployment?

Lando: However, when companies look deeper into implementing eSIM technology, they realize that there are two standards: consumer and machine-to-machine (M2M). They are not sure which standard to use and often feel that the implementation of eSIM technology is not as easy for their IoT devices as it is for smartphones, laptops and tablets.

Therefore, there is a lot of discussion about the two standards and their pros and cons, especially around M2M.

What are the drawbacks of standard SIMs?

Lando: For traditional SIM cards, carrier provisioning is done at the manufacturing level. They can only host one profile and are not reprogrammable. That’s why you need a new SIM when switching cellular providers. That is not ideal for IoT deployments, especially global ones.

Noam Lando, CEO and Co-Founder of Webbing

Once the SIM is implemented, you have vendor lock-in. With thousands and even millions of devices in IoT deployments, it is impractical to change SIM cards when you want to change wireless carriers. This requires site visits, and it can be physically difficult to access the card.

In addition, there are issues complying with the global trend to impose regulatory requirements on communication services and data management. These include restrictions on data leaving countries, which require global enterprises to deploy locally with local wireless carriers.

This requires the storage, management and deployment of multiple wireless carrier-specific product SKUs that increase production and logistics costs.

The attraction towards eSIM seems to be evident. What are the main benefits?

Lando: eSIM technology provides a robust, scalable solution to the limitations of traditional SIMs. What makes eSIM unique is the technological advancement made in UICC, the SIM’s software, now called eUICC.

That new technology follows a new standard developed by the GSMA. It is remotely programmable and reprogrammable, can host multiple cellular carrier subscriptions, and simplifies the selection, contracting, and onboarding of cellular providers with over-the-air (OTA) provisioning.

I think there is another but here. What are the unresolved issues with eSIM replacement?

Lando: Consumer and M2M are implemented differently. The consumer standard targets consumer devices such as mobile phones, tablets and laptops, wearables, and other IoT devices with end-user interactive environments. It is secure by design, can host multiple wireless carrier profiles, and features carrier swap. However, it is designed for private consumer use.

How suitable are eSIMs for other uses?

Lando: The M2M standard targets industrial M2M and IoT devices such as cars, water meters, trackers, smart factories, and other components used in industrial, non-end-user interactive environments.

The M2M eSIM standard is also secure by design. It facilitates carrier migration and, in theory, provides remote centralized management and provision of carrier profiles. However, it is not as cut and dry as it seems.

That said, why isn’t the upgrade so promising yet?

Lando: M2M eSIM implementation is cumbersome, time consuming, and has long capital investment cycles. Implementing this requires collaboration between the enterprise, eSIM manufacturers and wireless carriers during the manufacturing process.

What are the biggest misconceptions about eSIM for IoT?

Lando: The biggest misconception about eSIM for IoT is that the benefits it provides to consumer devices can be carried over to IoT. Enterprises quickly realize that they have to implement a separate standard for IoT/M2M, which requires SM-DP (Subscription Manager – Data Preparation) and SM-SR (Subscription Manager – Secure Routing) to provision and manage carrier subscriptions remotely. The M2M standard is cumbersome, requiring a substantial investment of money and time to organize the implementation with a wireless carrier.

Where do you see the fight between competing standards headed?

Lando: When looking at mobile data connectivity, there is no big difference between M2M and IoT device requirements when it comes to remote SIM provisioning. If anything, the benefits of eSIM (eUICC) technology are greater for M2M devices as they usually have a longer life cycle, and the demand for changing carriers at some point is high.

This can be for commercial or technical reasons. Hence, M2M devices are also likely to get eSIM instead of standard SIM.

Developers support eSIM to solve IoT and embedded firmware patch issues. eSIM hardware and eUICC components are certified in accordance with GSMA’s Security Accreditation Scheme (SAS). This guarantees a very high level of security. In addition, cellular connectivity is secure by design: data is encrypted, and users are securely identified.

What are the most important problems facing IoT and embedded technologies?

Lando: One of the most important problems facing IoT deployments is dealing with carrier lock-in and various global regulatory requirements. In such cases, enterprises require local deployment and local wireless carriers. Enterprises with global deployments need the flexibility to easily and efficiently change carriers to meet local regulations.

Why are companies not actively adopting eSIM technology?

Lando: From our experience, companies want the promise of eSIM technology, but the current ecosystem fails to provide it. The two eSIM standards disregard the need for enterprises to manage their own fleet of devices.

On the one hand, enterprise-based devices such as mobile phones, laptops, tablets, scanners, and so on are covered under the consumer standard. Hence companies do not have complete control over setting up and managing carrier profiles with centralized eSIM management. The consumer standard requires the end user with the device to consent to the carrier profile being installed.

Meanwhile, the M2M standards for IoT deployments are cumbersome. They require a substantial investment of money and time to organize the implementation of wireless carriers.

It also limits the choice of customers due to a complex implementation to switch between carriers.

This is why we have developed WebbingCTRL, an eSIM with a management platform that can be easily and remotely configured with the profile of any wireless carrier, paving the way for the adoption of eSIM technology in the IoT space.

Scalable cloud-based solutions are widely popular among IT professionals these days. The cost, convenience and reliability of ready-to-use software as a service make this disruptive technology a favorable choice.

Still, the market needs some reassurance that backing up to the cloud is a smart and secure thing to do, suggested Paul Evans, CEO of UK-headquartered data management provider Redstor.

Redstor has over 40,000 customers globally, over 400 partners, and over 100 million restores a year. Last month in London, Redstor was named Hosted Cloud Vendor of the Year at the 2022 Technology Reseller Awards.

“Companies should not only say goodbye to on-premises boxes, they should celebrate because their removal reduces the risk of ransomware or the effects of fire or flooding in the data center,” Evans told TechNewsWorld.

SaaS is a software delivery model that provides great agility and cost-effectiveness for companies. This makes it a reliable choice for many business models and industries. It is also popular among businesses due to its simplicity, user accessibility, security and wide connectivity.

According to Evans, SaaS trends are disrupting the industry this year. Spiceworks Ziff Davis predicts that next year half of all workloads will be in the cloud.

Many organizations are undertaking cloud-first migration projects. Of particular interest are hard-hit businesses that are looking to obtain infrastructure through operating expenditure (OpEx) models and frameworks to avoid huge upfront investments.

“Data will become increasingly cloud-native in the coming year, especially with the continued growth of Kubernetes, Microsoft 365, Google Workspace and Salesforce,” he said.

Threat Landscape a Driving Factor

Grand View Research recently reported that the global managed services market, which was valued at US$ 239.71 billion in 2021, is expected to grow at a compound annual growth rate (CAGR) of 13.4 percent from this year to 2030. Many Managed Service Providers (MSPs) are looking to become more service driven.

At the same time, value-added resellers are looking to become cloud service providers. Evans said other distributors are trying to figure out which way they might be the best fit.

“The backdrop of this is a threat landscape that has changed dramatically, especially after Russia’s invasion of Ukraine. State-sponsored malware and cyber warfare are coming to the fore in opposition to renegade shrewd criminals,” he said.

US President Joe Biden has called for the private sector to step in and close its “digital doors” to protect critical infrastructure. Sir Jeremy Fleming, director of the UK’s intelligence, cyber and security agency GCHQ, warned that the Russian regime is identifying institutions and organizations to bring down, making it only a matter of time before the attacks come.

“Threats are not only increasing in scale and complexity. The range of ransomware attacks makes it abundantly clear that companies of all shapes and sizes will increasingly become targets. As a result, we will see more businesses enlisting MSPs to run their IT, cyber security and compliance programs,” predicted Evans.

During our conversation, I discussed further with Evans how Redstor and other providers can strengthen digital security.

TechNewsWorld: What’s unique about Redstor technology compared to other solutions for data management and disaster recovery?

Paul Evans: Our approach focuses on the concerns of businesses regarding their risk position, resource constraints and profitability challenges while IT skills are lacking. Redstor offers what we believe is the smartest and simplest backup platform for MSP.

One factor is the ease associated with onboarding. With three clicks and a password, users are up and running and can scale easily. In addition, it requires lightweight support for multiple data connectors and is purpose-built from the ground up for MSPs that manage multiple accounts.

It’s not a Frankenstein’s monster of hastily acquired solutions bolted together.

What makes Redstor’s platform technically smart?

Evans: Whether MSPs are protecting data on-premises or in the cloud – Microsoft 365, Google Workspace, or cloud-native Kubernetes – they can do it easily and all with one app. By being able to span the on-premises, cloud and SaaS worlds from a single location, rather than moving between several different interfaces, MSPs save time and money.

Redstor is smart because we enable user-driven recovery by streaming backup data on demand, so organizations have everything they need to get straight up and running in the event of data loss.

You don’t need to mirror everything, copy everything, or recover everything before it starts working again. During an outage, InstantData technology restores critical data back in seconds, while less critical recovery continues in the background.

This platform is also smart because it offers more than just backup. You also get archive and disaster recovery with high-end search and insights – all from one app.

Redstor leverages AI, and our machine learning model automatically detects and isolates suspicious files in backups so that they can be removed for malware-free recovery. MSPs can do data classification with tagging. In the future, we will introduce anomaly detection.

How do cloud-based SaaS data protection and recovery systems compare to other solutions?

Evans: Organizations find that they need multiple boxes onsite to quickly pull data down to get a faster experience with the cloud. But on-premises Frankenstein solutions, coupled with technology from multiple acquisitions, aren’t going to meet today’s challenges.

Paul Evans, CEO of Redstor

Also, with hardware, there can be supply-chain issues and the lack of critical components such as semiconductors. Moving your data security to the cloud eliminates both these issues and the responsibility rests entirely on the MSP.

Without cloud-based security, you lack the best means of securing data. SaaS security is constantly updated and built in. Free updates are provided on a regular release cycle to keep customers ahead of the risks. MSPs ensure reliable and secure connectors for many sources and popular applications, now and in the future.

Also, storing backups securely in geographically separated data centers creates an air gap between live data and backups to enhance security.

What is driving the popularity of SaaS data protection?

Evans: The most important reason was when being onsite became problematic during the pandemic. Those with hardware-connected data security faced challenges fixing and swapping out the box. Many organizations also do not want boxes onsite because they are hard to come by because of supply-chain issues. Furthermore, the devices are known to be ransomware magnets.

SaaS overcomes these issues and more. MSPs are open to data portability requests and enable tools and services designed for today’s challenges. They can also deliver the services digitally, and distributors appreciate the value of SaaS made for the channel and supplied through online marketplaces.

Most SaaS applications now stress the need for a separate backup. More people are realizing that just because you have Microsoft doesn’t mean you can’t be compromised. You may have an internal user that destroys the data, or you may not have enough retention. Backing up SaaS applications is now the fastest growing part of our business.

What should an MSP look for from a vendor besides good technical support?

Evans: Technology built for MSPs should be partner-friendly from the start and include deep sales and marketing support. It should offer attractive margins with clear, transparent pricing so that MSPs can easily sell services.

The software should rapidly enhance data security, and by the end of the first negotiation, MSPs should be able to offer a proof of concept by deploying backups and performing rapid recovery to close deals faster.

Vendors are required to provide MSPs with the ability to purchase whatever they need from a single source, whether it’s protection for a Kubernetes environment, malware detection for backup, or data classification.

The key is also an interface to eliminate the complexity of switching between different solutions and consoles. Plus, having the ability to view and manage data from a single interface saves valuable time.

A vendor’s platform should be designed for multi-tenancy and provide a high-level view of the MSP’s own usage and customer consumption. It also needs to show the types of data protected and where they reside. The vendor must have a history of using new advances, particularly AI, to detect and remove malware, classify data and predict cyberattacks.

How should businesses assess vendor suitability?

Evans: Many vendors make a bold claim to be the best solution to the challenges in the market. MSPs should receive direct feedback from their peers and adequately field-test the solutions.

Check the rankings for the G2 lists of Top 20 Backup Software and Top 20 Online Backup Software, and other user-supported reviews. Focus on reports based on user satisfaction and review data. For example, Redstor ranks first with G2.

Also look for vendors that provide a clear road map of future growth that the MSP should be able to influence. Lastly, MSPs should focus on smart solutions that provide simplified security.

As criminal activity on the Internet continues to intensify, hunting bugs for cash is attracting more and more security researchers.

In its latest annual report, bug bounty platform Intigriti revealed that there was a 43% increase in the number of analysts signing up for its services from April 2021 to April 2022. For Intigriti alone, this means adding 50,000 researchers.

The report noted that bug bounty hunting is part-time work for the majority of researchers, with 54% holding full-time jobs and another 34% being full-time students.

“Bug bounty programs are tremendously successful for both organizations and security researchers,” said Ray Kelly, a fellow at WhiteHat Security, an application security provider in San Jose, Calif., which was recently acquired by Synopsys.

“Effective bug bounty programs limit the impact of serious security vulnerabilities that could easily have put an organization’s customer base at risk,” he told TechNewsWorld.

“Payments for bug reports can sometimes exceed six-figure amounts, which may seem like a lot,” he said. “However, the cost of fixing and recovering a zero-day vulnerability for an organization can total millions of dollars in lost revenue.”

‘Good faith’ rewarded

As if that weren’t incentive enough to become a bug bounty hunter, the US Department of Justice recently sweetened the career path by adopting a policy that said it would not enforce the federal Computer Fraud and Abuse Act against hackers acting in “good faith” when attempting to discover flaws in software and systems.

“The recent policy change to prevent prosecuting researchers is welcome and long-awaited,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk prevention in Tel Aviv, Israel.

“The fact that researchers have, over the years, tried to help and find security flaws under a regime that amounted to ‘doing no good’ suggests that they had the dedication to do the right thing, even if doing the right thing meant risking fines and jail time,” he told TechNewsWorld.

“This policy change removes a fairly significant obstacle to vulnerability research, and we can expect it to pay dividends quickly and without the risk of jail time for doing it for bug discoverers in good faith.” Will pay dividends with more people.”

Today, ferreting out bugs in other people’s software is considered a respectable business, but that wasn’t always the case. “Basically there were a lot of issues when bug bounty hunters would find vulnerabilities,” said James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“Organizations would take a lot of offense to this, and they would try to accuse the researcher of finding it when, in fact, the researcher wanted to help,” he told TechNewsWorld. “The industry has recognized this, and now email addresses have been established to receive such information.”

Benefits of multiple eyes

Over the years, companies have come to realize what bug bounty programs can bring to the table. “The task of discovering and prioritizing weaknesses, the unintended consequences of building software, is not, and should not be, the focus of the organization’s resources or efforts,” explained Casey Ellis, CTO and founder of Bugcrowd, which operates a crowdsourced bug bounty platform.

“As a result, a more scalable and effective answer to the question ‘where am I most likely to be compromised?’ is no longer considered a nice-to-have, but a should-have,” he told TechNewsWorld. “This is where bug bounty programs come into play.”

“Bug bounty programs are a proactive way to spot vulnerabilities and reward one’s good work and discretion,” said Davis McCarthy, a lead security researcher at Valtix, a provider of cloud-native network security services in Santa Clara, Calif.

“The old adage, ‘Many eyes make all the bugs shallow,’ is true, because there is a dearth of talent in the field,” he told TechNewsWorld.

Parkin agreed. “With the sheer complexity of modern code and the myriad interactions between applications, it’s important to have more responsible eyes looking for flaws,” he said.

“Threat actors are always working to find new vulnerabilities they can exploit, and the threat landscape in cybersecurity has only gotten more hostile,” he continued. “The rise of bug bounties is a way for organizations to bring some of the independent researchers into the game on their side. It’s a natural response to an increase in sophisticated attacks.”

Bad Actor Reward Program

Although bug bounty programs have gained greater acceptance among businesses, they can still cause friction within organizations.

“Researchers often complain that even when firms have a coordinated disclosure or bug bounty program, a lot of pushback or friction exists,” said Archie Agarwal, founder and CEO of ThreatModeler, an automated threat modeling provider in Jersey City, N.J. “They often feel slighted or pushed back.”

“Organizations, for their part, often get stuck when presented with a disclosure because the researcher found a fatal design flaw that would require months of concerted effort to rectify,” he told TechNewsWorld. “Maybe some would prefer that these kinds of flaws stayed out of sight.”

“The effort and expense of fixing design flaws after a system has been deployed is a significant challenge,” he continued. “The surest way to avoid this is by threat modeling systems as they are created and as their design evolves. This gives organizations the ability to plan for and deal with these flaws proactively, while they are still only potential.”

Perhaps the biggest proof of the effectiveness of bug bounty programs is that malicious actors have begun to adopt the practice. The LockBit ransomware gang is offering payments to those who discover vulnerabilities in its leak website and its code.

“This development is novel, however, I suspect they will get many takers,” predicted John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based IT and digital security operations company.

“I know that if I find a vulnerability, I’m going to use it to jail them,” he told TechNewsWorld. “If a criminal finds one, it must be to steal from them, because there is no respect among ransomware operators.”

“Ethical hacking programs have been hugely successful. It is no surprise to see ransomware groups refining their methods and services in the face of that competition,” said Casey Bisson, head of product and developer relations at BluBracket, a cybersecurity services company in Menlo Park, Calif.

He warned that attackers are increasingly aware that they can buy access to the companies and systems they want to attack.

“Every enterprise needs to look at the security of its internal supply chain, including who has access to its code, and any secrets therein,” he told TechNewsWorld. “Unethical bounty programs like these turn the passwords and keys in code into bounties for whoever has access to your code.”

The first plan of its kind to comprehensively address open source and software supply chain security is awaiting White House support.

The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) on Thursday brought together more than 90 executives from 37 companies and government leaders from the NSC, ONCD, CISA, NIST, DOE and OMB to reach a consensus on key actions for improving the resilience and security of open-source software.

A subset of the participating organizations have collectively pledged an initial tranche of funds for the implementation of the plan. Those companies are Amazon, Ericsson, Google, Intel, Microsoft, and VMware, with more than $30 million in pledges. As the plan progresses, more funds will be identified and work will begin as individual streams are agreed upon.

The Open Source Software Security Summit II, led by the National Security Council of the White House, is a follow-up to the first summit held in January. That meeting, convened by the Linux Foundation and OpenSSF, came on the one-year anniversary of President Biden’s executive order on improving the nation’s cyber security.

As part of this second White House Open Source Security Summit, open source leaders called on the software industry to standardize on Sigstore developer tools, to upgrade the collective cybersecurity resilience of open source and improve trust in software, and to support the plan, said Dan Lorenc, CEO and co-founder of Chainguard and co-creator of Sigstore.

“On the one-year anniversary of President Biden’s executive order, we’re here today to respond with a plan that’s actionable, because open source is a critical component of our national security and is fundamental to the billions of dollars being invested in software innovation today,” Jim Zemlin, executive director of the Linux Foundation, announced Thursday during his organization’s press conference.

Push the support envelope

Most major software packages contain elements of open source software, including code and critical infrastructure used by the national security community. Open-source software supports billions of dollars in innovation, but with it comes the unique challenges of managing cybersecurity across its software supply chains.

“This plan represents our unified voice and our common call to action. The most important task ahead of us is leadership,” said Zemlin. “This is the first time I’ve seen a plan, and the industry promoting a plan, that will work.”

The Summit II plan outlines funding of approximately $150 million over two years to rapidly advance well-tested solutions to the 10 key problems identified by the plan. The 10 streams of investment include concrete action steps to build a strong foundation for more immediate improvements and a more secure future.

“What we are doing together here is converting a bunch of ideas and principles about what is broken out there and what we can do to fix it. What we have planned is the basis to get started. With the 10 flags in the ground represented here, we look forward to receiving further input and commitments that lead us from plan to action,” said Brian Behlendorf, executive director of the Open Source Security Foundation.

Open Source Software Security Summit II in Washington DC, May 12, 2022. [L/R] Sarah Novotny, Open Source Lead at Microsoft; Jamie Thomas, enterprise security executive at IBM; Brian Behlendorf, executive director of the Open Source Security Foundation; Jim Zemlin, executive director of The Linux Foundation.


Highlights of the plan

The proposed plan is based on three primary goals:

  • Securing open-source software production
  • Improving vulnerability discovery and remediation
  • Shortening ecosystem patching response time

The plan as a whole includes elements to achieve those goals. These include security education, which provides a baseline for software development education and certification. Another element is the establishment of a public, vendor-neutral, objective-metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.

The plan proposes the adoption of digital signatures on software releases and the establishment of the OpenSSF Open Source Security Incident Response Team to assist open source projects during critical times.

Another plan detail focuses on improved code scanning to accelerate the discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.

Third-party code audits, along with any necessary remedial work, will cover up to 200 of the most critical OSS components once per year.

Coordinated data sharing will improve industry-wide research that helps determine the most important OSS components. Providing Software Bills of Materials (SBOMs) everywhere will improve tooling and training to drive adoption, and will provide build systems, package managers and distribution systems with better supply chain security tools and best practices.

Stock factor

Chainguard, which co-created Sigstore, has committed financial resources to the public infrastructure and network offered by OpenSSF, and will collaborate with industry peers to deepen work on interoperability so that Sigstore’s impact is felt in every corner of the software supply chain and the software ecosystem. This commitment includes at least $1 million per year in support of Sigstore and a pledge to run its own node.

Designed and built with maintainers for maintainers, Sigstore has already been widely adopted by millions of developers around the world. Lorenc said now is the time to formalize its role as the de facto standard for digital signatures in software development.

“We know the importance of interoperability in the adoption of these critical tools because of our work on the SLSA framework and SBOM. Interoperability is the linchpin in securing software across the supply chain,” he said.

Related Support

Google announced Thursday that it is creating an “open-source maintenance crew” tasked with improving the security of critical open-source projects.

Google also unveiled the Google Cloud Dataset and Open Source Insights projects to help developers better understand the structure and security of the software they use.

According to Google, “This dataset provides access to critical software supply chain information for developers, maintainers, and consumers of open-source software.”

“Security risks will continue to plague all software companies and open-source projects, and only an industry-wide commitment that includes a global community of developers, governments and businesses can make real progress. Google will continue to play our part to make an impact,” said Eric Brewer, vice president of infrastructure and Google Fellow at Google Cloud, at the Security Summit.