How enterprises can stay ahead of risks, threats and potential attacks [Q&A]


Businesses are engaged in a constant cat-and-mouse game with hackers, attackers, and bad actors in order to stay secure.

Dominic Lombardi, VP of security and trust at Kandji believes that in order to stay ahead it’s necessary to master basic IT and security hygiene, update and communicate your risk register, and work steadily toward a zero-trust security model. We spoke to him to discover more.

BN: It’s been said the human element is the next organization versus hacker battleground, why is this and what comes next?

DL: Malicious threat actors always look for the weakest link, the chink in the armor. Last year, we saw more unique attacks focused on bypassing the weakest link within standardized security controls. The weakest link? The human element. Many of these security incidents were related to multi-factor authentication (MFA) spamming, in which MFA requests were repeatedly sent to people until a link was clicked, or to the exploitation of a misconfiguration on publicly accessible resources. Meanwhile, cybercriminals have unleashed social engineering attacks aimed at disrupting organizations across different verticals and markets. During these attacks, an individual impersonates a customer and calls the company’s support desk. In the process, the attacker obtains valid account access. The organization’s lack of organizational-level security controls served as the attacker’s entry point, allowing them to gain a foothold in these environments.

In 2023, attackers will get more creative in their pursuits. Many of the security controls we put in place earlier are at risk of being bypassed due to human error. How do we ensure our security controls are fault tolerant? This starts with basic hygiene at a people, process, and procedural level. Work to build a proactive cybersecurity culture in which you document all ongoing processes — basically, all the validation steps that ensure you properly identify and authenticate a person’s identity, information, and account ownership.
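The MFA spamming pattern described above (repeated push requests until one is approved) is detectable from the MFA provider's own logs. The following detection logic is an added example, not code from the interview or from Kandji: it parses a constructed log format (timestamp, user, event, ip), counts push requests per user in a sliding five-minute window, and flags users whose burst ended in an approval, which is the outcome that warrants an immediate credential reset and session review. The log format, window and threshold are assumptions and should be adapted to the provider's real schema and the organization's baseline.

```python
"""Detect MFA push fatigue (MFA spamming) from authentication logs.

Added example, not from the original article. Log format, window and
threshold are assumptions; real MFA providers emit different fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data):
# "<ISO timestamp> user=<name> event=<push_sent|push_approved|push_denied> ip=<addr>"
SAMPLE_LOG = """\
2023-04-18T08:00:01Z user=alice event=push_sent ip=203.0.113.5
2023-04-18T08:00:09Z user=alice event=push_denied ip=203.0.113.5
2023-04-18T08:00:30Z user=alice event=push_sent ip=203.0.113.5
2023-04-18T08:01:02Z user=alice event=push_sent ip=203.0.113.5
2023-04-18T08:01:40Z user=alice event=push_sent ip=203.0.113.5
2023-04-18T08:02:15Z user=alice event=push_sent ip=203.0.113.5
2023-04-18T08:02:50Z user=alice event=push_approved ip=203.0.113.5
2023-04-18T08:05:00Z user=bob event=push_sent ip=198.51.100.7
2023-04-18T08:05:05Z user=bob event=push_approved ip=198.51.100.7
"""


def parse_line(line):
    """Split one log line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, window=timedelta(minutes=5), threshold=4):
    """Return one alert per user who received >= threshold pushes inside
    `window`, noting whether a push was approved after the burst began."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        sends = [e["ts"] for e in events if e["event"] == "push_sent"]

        # Sliding window over push timestamps: track the densest burst.
        best_count, best_start, start = 0, None, 0
        for end, ts in enumerate(sends):
            while ts - sends[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_start = count, sends[start]

        if best_count >= threshold:
            approved = any(e["event"] == "push_approved" and e["ts"] >= best_start
                           for e in events)
            alerts.append({
                "user": user,
                "pushes": best_count,
                "burst_start": best_start,
                "approved_after_burst": approved,  # the case needing urgent response
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

The `approved_after_burst` flag separates a user who simply kept denying prompts (a phishing-resistance success, still worth a password reset) from one whose burst ended in an approval, where the account should be treated as compromised. Number-matching MFA or hardware keys remove the pattern entirely; the detection is the compensating control while that rollout is underway.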

BN: Risk register has come up a lot lately as a critical tool to maintaining a secure environment, how should organizations handle this in 2023?

DL: Your organization’s risk register should serve as a ‘what if’ manual that outlines current and potential security risks and how they could impact the organization. Organizations are facing constraints at all levels — budgets, personnel, and time — in 2023. Your risk register must catalog the various risk scenarios that face your business and provide visibility for your leadership teams to make more risk-informed treatment plans.

Maturing organizations will double down on best practices, perform threat analysis, and continue to populate their risk register. The more visibility (and fewer cracks) you have, the less probability of unexpected negative outcomes. This involves maintaining a running asset inventory across your organization and mapping this inventory against security controls. Meanwhile, build out project plans to have a continuous rollout to fulfill some of the gaps. Think patch management, standardized configurations across servers, and a rigorous process for building, deploying, and maintaining new software. Remember that basic IT hygiene is 99 percent of the game.
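The two answers above describe a register of risk scenarios tied to an asset inventory that is mapped against security controls. The following is an added example, not code from the interview or from Kandji, of what that mapping looks like in practice: a constructed inventory and register, a gap report of missing baseline controls per asset, and a treatment ranking by residual score. The control names, the 1-to-5 likelihood and impact scales, and the rule that each deployed mitigating control lowers likelihood by one step are assumptions chosen for illustration, not a standard.

```python
"""Risk register helper: map an asset inventory against baseline controls,
surface coverage gaps, and rank risk scenarios by residual score.

Added example, not from the original interview. Control names, scoring
scales and the likelihood-reduction rule are assumptions for illustration.
"""
from dataclasses import dataclass

# Hygiene controls the interview calls out (patching, standardized configs,
# MFA); backups are added here as an assumption.
REQUIRED_CONTROLS = {"patching", "baseline_config", "mfa", "backup"}


@dataclass
class Asset:
    name: str
    controls: set  # controls verified as deployed on this asset


@dataclass
class RiskScenario:
    risk_id: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (expected), assumed scale
    impact: int      # 1 (minor) .. 5 (severe), assumed scale
    assets: list     # names of affected assets
    mitigating_controls: set
    owner: str = "unassigned"


# Constructed inventory and register entries (not real data)
ASSETS = [
    Asset("vpn-gateway", {"patching", "mfa"}),
    Asset("file-server", {"patching", "baseline_config", "backup"}),
    Asset("helpdesk-portal", {"baseline_config"}),
]
SCENARIOS = [
    RiskScenario("R-1", "Support-desk impersonation yields a valid account", 4, 4,
                 ["helpdesk-portal"], {"mfa", "identity_verification_procedure"}),
    RiskScenario("R-2", "Public-facing service exploited via known vulnerability", 4, 5,
                 ["vpn-gateway"], {"patching", "baseline_config"}),
    RiskScenario("R-3", "Ransomware encrypts file shares", 3, 5,
                 ["file-server"], {"backup", "patching"}),
]


def control_gaps(assets):
    """Required controls missing per asset; an empty dict means full coverage."""
    return {a.name: sorted(REQUIRED_CONTROLS - a.controls)
            for a in assets if REQUIRED_CONTROLS - a.controls}


def residual_score(scenario, assets_by_name):
    """likelihood * impact, where each mitigating control deployed on every
    affected asset lowers likelihood by one step (floor 1). Assumed rule."""
    deployed_sets = [assets_by_name[n].controls for n in scenario.assets]
    deployed = set.intersection(*deployed_sets) if deployed_sets else set()
    effective = scenario.mitigating_controls & deployed
    likelihood = max(1, scenario.likelihood - len(effective))
    return likelihood * scenario.impact


def treatment_plan(scenarios, assets):
    """Scenarios ranked highest residual score first: the order to fund."""
    by_name = {a.name: a for a in assets}
    scored = [(s.risk_id, residual_score(s, by_name)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for asset, missing in control_gaps(ASSETS).items():
        print(f"{asset}: missing {', '.join(missing)}")
    for risk_id, score in treatment_plan(SCENARIOS, ASSETS):
        print(f"{risk_id}: residual score {score}")
```

Keeping the register as data rather than a slide deck makes the two questions leadership asks answerable on demand: which assets still lack baseline hygiene, and which scenario should the next budget line retire first. In the constructed data the support-desk impersonation scenario ranks highest because none of its mitigations are deployed on the affected asset.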

BN: What is next for the CISO role? How important has this role become for enterprises?

DL: When it comes to cybersecurity, executive-level engagement is a must. That means the CISOs must take a seat at the C-level table (if they haven’t already) and stay there. Recently, with the Joseph Sullivan/Uber case, we saw the first criminal conviction of a CISO/CSO for failure to effectively disclose a breach. To prevent miscommunication and promote total transparency, any CISO who does not report directly into the CEO should demand that they do — immediately. To set themselves up for success, they should also ensure that the general counsel at their organization is in their ‘peer set’.

At the C-level table, the CISO can also (continuously) champion the risk register to ensure they receive needed resources to remediate and reduce risk on an ongoing basis. Not to mention executive buy-in for the appropriate resources to resolve high-priority items. Keep in mind that new threats, risks, and updates will always populate your risk register. It is critical to actively work to remediate against this list; this prevents risks from escalating and becoming more complicated.

BN: IT and InfoSec continue to move following their own agendas, can security become more of a ‘team sport’?

DL: Traditionally, IT and InfoSec teams within an organization pursued their own agendas. InfoSec secured the company and its users, while IT enabled people within the organization to work efficiently and effectively. InfoSec and IT teams must work more collaboratively to reduce the gap between identifying and addressing issues.

In many organizations, IT admins are joining the security team, as today’s global, decentralized workplace has broadened IT’s responsibilities within the enterprise. IT admins have become a key part of the security organization, with 34 percent of Fortune 500 companies rolling the IT department into the CISO’s purview in 2021. This percentage was close to 80 percent in startups and emerging technology companies. As more enterprise companies follow the lead of modern SaaS and technology organizations, the next task will be creating (and using) the best tooling to bridge the gap between these two core competencies. How do you adjust for the overlap and enable bidirectional communication and collaboration?

BN: Zero trust seems to be a priority, especially as it pertains to the hybrid office, how should security organizations employ zero trust methods in the coming year?

DL: Security teams have been talking about the zero-trust cybersecurity approach for a few years. It used to be ‘trust but verify’. The new zero trust — in a workplace filled with multiple teams, multiple devices, and multiple locations — is ‘check, check again, then trust in order to verify’. Basically, organizations must validate every single device, every single transaction, every single time — always.

Only six percent of enterprise organizations have fully implemented zero trust, according to a 2022 Forrester Research study. The complex and disparate workplace environments that are so common now make it difficult to adopt zero trust — at least all at once. This does not mean organizations are not slowly rolling out zero trust across their environments and assets.

It would be easy when a company only has a limited number of environments. However, if you are using AWS, Azure, and GCP with an on-premises instance along with a private cloud where you are running virtualization through VMware — that will take some time to uniformly roll everything out. Yes, companies are working towards zero trust, but it will take a bit longer than people like. As we all continue to embark on the zero-trust journey, we will see new solutions for complex problems companies are experiencing on premise and in public and private clouds.

Photo Credit: Olivier Le Moal / Shutterstock

New Industry Report Finds InfoSec and GRC Teams Don’t Define Risk, Vulnerability and Threats Equally–Hinting at Major Challenges in Cyber Risk Manag…

SAN FRANCISCO – RiskOptics (formerly Reciprocity), a leader in information security risk and compliance, today announced the results of its first Cyber Risk Viewpoints Survey. The report reveals that while those working in information security (InfoSec) and governance, risk and compliance (GRC) have high levels of confidence in their cyber/IT risk management systems, persistent problems may be making them less effective than perceived. The top challenges when implementing an effective cyber/IT risk management program include an increase in the quantity (49%) and severity (49%) of cyber threats, a lack of funding (37%) and a lack of staffing/cyber risk talent (36%). The report also found that general misunderstandings in common cyber risk terminology could be a deterrent in developing effective strategies and communicating risk to company leadership.

Cyberattacks have been increasing for several years now, and the resulting data breaches cost businesses an average of $4.35 million in 2022, according to an IBM report. Given the financial and reputational consequences of cyberattacks, corporate board rooms are putting pressure on Chief Information Security Officers (CISOs) to identify and mitigate cyber/IT risk. Yet, despite the new emphasis on risk management, business leaders still don’t have a firm grasp on how cyber risk can impact different business initiatives, or that it could be used as a strategic asset and core business differentiator.

To better understand the current cybersecurity and IT risk challenges companies are facing, as well as steps executives are taking to combat risk, RiskOptics fielded a survey of 261 U.S. InfoSec and GRC leaders. Respondents varied in job level from manager to the C-Suite and worked across various industries.

Key findings from the report include:

  • Perceived challenges in cyber/risk management programs vary by title and level. Directors (59%) and managers (51%) say that the increase in the quantity of cyberattacks was their biggest challenge. Alternatively, SVPs say their biggest challenge is a lack of understanding of cyber/IT risks from leadership (52%), while C-Suite respondents indicate the top challenges are a lack of funding (42%) and leadership turnover (40%).

  • Cyber/IT risk management tasks are taking up a lot of time. Over half of respondents find that completing a cyber/IT risk assessment is as hard or harder than signing up for health insurance (54%) or getting your license renewed at the RMV/DMV (55%), both of which are notorious for being tedious and time-intensive.

  • There are general misunderstandings around common terms. Despite all of the respondents working in InfoSec or GRC, many of them define risk, threats and vulnerabilities differently, indicating major communication discrepancies between what to look for and how to develop effective strategies to protect systems. If the experts don’t understand these issues, how effective are they in communicating to company leadership?

  • Almost a quarter (23%) of respondents do not evaluate third-party vendors for risk. Failure to assess third-party risk exposes an organization to supply chain attacks, data breaches and reputational damage. What’s more concerning is this is happening more in highly regulated industries that have large ecosystems of suppliers and partners; 30% of respondents who work in manufacturing and 25% of those who work in healthcare say their companies do not evaluate third-party vendor risk.

  • Communication on cyber-risk among the C-Suite is lacking. Thirty percent of CIO and CISO respondents say they do not communicate risk around specific business initiatives to other company leaders, indicating they may not know how to share that information in a constructive way.

  • The healthcare and manufacturing industries need to step up their game. Out of every industry, manufacturing respondents were the highest percentage to say they do not communicate risk around specific business initiatives (36%). Meanwhile, 20% of healthcare respondents rate their risk management software as being somewhat effective or less effective in mitigating risk (which is more than any other industry). Healthcare respondents were also more likely to express lower levels of confidence that leaders in their organization tie cyber/IT risk to strategic planning, with almost a third (29%) saying they felt somewhat or less confident.

“When it comes to strategic decision-making around business initiatives, cyber and IT risk can be an invaluable tool that not only better protects an organization but propels growth. However, to be able to use cyber risk to their advantage, company boards have to first understand it,” said Michael Maggio, CEO and Chief Product Officer of RiskOptics. “Our report indicates that there are still major hurdles teams need to overcome when communicating risk and more efficiently managing workloads. Organizations must re-assess their current processes and systems, embrace automation and put risk in the context of the business. Only then will executives be able to see the opportunity that risk can provide when proactively managed: a strategic advantage.”

To view the full findings of the report, download the complete 2023 RiskOptics Cyber Risk Viewpoints Report here.

RiskOptics will be holding a webinar on April 19th at 10:30 AM PT to discuss how their ROAR platform can help to tackle some of the challenges outlined in the survey. To register, follow this link.

To learn more about RiskOptics, visit the website or stop by booth #1951 in the South Expo at the RSA Conference, taking place April 24 – 27 in San Francisco.

Methodology

In partnership with Researchscape, RiskOptics conducted this research via an online survey that was fielded in March 2023. There were 261 respondents to the survey. The survey results were not weighted.

About RiskOptics

RiskOptics is the leader in IT risk management solutions, empowering organizations to convert risk into a strategic business advantage. The fully integrated and automated RiskOptics ROAR Platform provides a unified, real-time view of risk and compliance framed around business priorities, enabling CISOs and InfoSec teams to take a proactive approach to risk management. RiskOptics customers are able to quantify the impact of risk on their business, communicate that impact to key stakeholders and mitigate expensive data breaches, system failures, lost opportunities and vulnerabilities across their own and third-party data while adhering to compliance requirements.

To learn more about how to make smarter, risk-based business decisions, visit www.riskoptics.com or follow us on Twitter and LinkedIn.


Faltering against Ukraine, Russian hackers resort to ransomware: Researchers


A Russian flag in computer code. (Graphic by Breaking Defense, original images via Pexels)

UPDATE 4/18/23 at 6:45pm ET: This article has been updated to reflect clarifications from Mandiant regarding Russia’s purported use of ransomware.

WASHINGTON — Moscow’s military hackers may be spread thin, new research suggests. Russian cyberattacks on Ukraine and its allies surged last fall only to decline again in early 2023, said experts at cybersecurity shop Mandiant, part of Google Cloud.

What’s more, not only was the fall campaign smaller than the initial cyber onslaught before and after the ground invasion in January-April 2022, Mandiant said, it used different software, relying more on criminal-style ransomware and less on the specialized “wipers” that had characterized earlier attacks.

The research shows that the time period from October to December 2022 “was characterized by a resurgence in disruptive cyber attacks in Ukraine,” says the report.

“Though some of the attacks appeared similar to disruptive attacks seen in previous phases, this new wave of disruptive attacks appeared to deviate from the historical norm. Earlier attempts relied on quick turnaround operations using CADDYWIPER variants, but the attacks undertaken in October to December saw GRU clusters deploying ransomware variants on targeted networks,” says a Mandiant report published today, referring to Russian military intelligence. Specifically, Russian-backed hacker group IRIDIUM deployed a form of ransomware called Prestige in a series of attacks on Ukrainian and Polish networks, focusing on the transportation and logistics sectors crucial to shipping Western arms to the front line.

“GRU’s shift to using ransomware may be a sign they are undergoing tooling shifts and don’t have the resources to rely on writing or modifying custom malware,” the report says.

Mandiant Intelligence VP Sandra Joyce, however, emphasized that the appearance of ransomware could also have been an unsuccessful, one-off attempt to make the attacks look like they were coming from a criminal group rather than Russia intelligence.


Overall, Mandiant Intelligence senior manager Nick Richard was cautiously optimistic about the current threat picture.

“While ongoing and new investigations continue to be analyzed through the first quarter of 2023, to date Mandiant has not observed tracked threat actors mustering the same level of disruptive activity that was observed in the last quarter of 2022,” he said in an email to Breaking Defense. In other words, the Russian surge has subsided since the timeframe covered in the report.

Ironically, Russia’s resort to ransomware occurs as the tidal wave of ransom hacks may finally be falling back worldwide. Now, Mandiant doesn’t claim to track every attack, just those that came up in the company’s own investigations, which have increasingly focused on supporting Ukraine. But with that caveat, the report says, “Mandiant experts note a decrease in the percentage of global intrusions involving ransomware between 2021 and 2022,” from 23 percent down to 18 percent.

There’s probably no single cause, Richard told Breaking Defense, but rather multiple factors working together. Government agencies have systematically targeted ransomware hackers; the conflict in Ukraine has disrupted Eastern Europe-based cybercrime and consumed the energy of many Russian and Ukrainian hackers; and potential victims are getting better at preventive measures, such as disabling macros, the small embedded programs that many software applications use as shortcuts and that attackers commonly abuse to deliver malware.

In fact, the global cybersecurity picture is looking brighter overall. “Attacks are being detected faster than ever before,” the report says. The “dwell time” between a breach occurring and its being detected now averages 16 days. While that is still plenty of time for an attacker to do damage, it is almost 25 percent better than the 21-day median in 2021 and almost 85 percent better than the 101-day median just five years before.

Mandiant breaks its dwell-time figures down to look separately at “internal” detections, when the victim finds the breach itself, and “external,” when the victim is notified by an outside organization, such as law enforcement or an intelligence agency. The number of external notifications is rising faster than internal discoveries, the report finds, and victims’ response time to those external warnings is getting dramatically faster. (Internal discovery timelines are improving too, but the improvement there isn’t as marked, so it’s not driving most of the overall trend.) This improvement in external notifications is especially pronounced in Europe. Richard acknowledges some of that uptick might be a fluke rather than a trend, driven in part by Mandiant and other cybersecurity companies rallying to the defense of Ukraine.

“A noted increase in external notifications for the EMEA [Europe/Middle East/Africa] region has some correlation to Mandiant’s investigative support to and significant cybersecurity industry interest in threat activity in Ukraine,” he acknowledged. “Some metrics may revert next year based on the current reporting period distinctions.”

Overall, however, the improvement suggests “improved collaboration across the public and private sectors,” Richard said. “As this cooperation and the notification framework evolves and refines, providing victim organizations timely and critical information, organizations are able to ingest information more rapidly to respond effectively to a diverse array of cyber threats.”

Experts have highlighted better cooperation between cybersecurity firms, potential targets, and government agencies as one of the biggest lessons-learned from the cyber war in Ukraine.

This powerful email malware attack uses PDF and WSF files to break your defenses

Cybersecurity researchers have discovered a new hacking campaign that distributes the dreaded Qbot malware.

Qbot is used by some of the world’s biggest ransomware operators, such as BlackBasta, REvil, Egregor, and others.