SAN FRANCISCO–(BUSINESS WIRE)–RiskOptics (formerly Reciprocity), a leader in information security risk and compliance, today announced the results of its first Cyber Risk Viewpoints Survey. The report reveals that while those working in information security (InfoSec) and governance, risk and compliance (GRC) have high levels of confidence in their cyber/IT risk management systems, persistent problems may be making them less effective than perceived. The top challenges when implementing an effective cyber/IT risk management program include an increase in the quantity (49%) and severity (49%) of cyber threats, a lack of funding (37%) and a lack of staffing/cyber risk talent (36%). The report also found that general misunderstandings in common cyber risk terminology could be a deterrent in developing effective strategies and communicating risk to company leadership.
Cyberattacks have been increasing for several years now, and the resulting data breaches cost businesses an average of $4.35 million in 2022, according to an IBM report. Given the financial and reputational consequences of cyberattacks, corporate board rooms are putting pressure on Chief Information Security Officers (CISOs) to identify and mitigate cyber/IT risk. Yet, despite the new emphasis on risk management, business leaders still don’t have a firm grasp on how cyber risk can impact different business initiatives—or that it could be used as a strategic asset and core business differentiator.
To better understand the current cybersecurity and IT risk challenges companies are facing, as well as steps executives are taking to combat risk, RiskOptics fielded a survey of 261 U.S. InfoSec and GRC leaders. Respondents varied in job level from manager to the C-Suite and worked across various industries.
Key findings from the report include:
Perceived challenges in cyber/risk management programs vary by title and level. Directors (59%) and managers (51%) say that the increase in the quantity of cyberattacks was their biggest challenge. Alternatively, SVPs say their biggest challenge is a lack of understanding of cyber/IT risks from leadership (52%), while C-Suite respondents indicate the top challenges are a lack of funding (42%) and leadership turnover (40%).
Cyber/IT risk management tasks are taking up a lot of time. Over half of respondents find that completing a cyber/IT risk assessment is as hard or harder than signing up for health insurance (54%) or getting your license renewed at the RMV/DMV (55%)—both of which are notorious for being tedious and time-intensive.
There are general misunderstandings around common terms. Despite all of the respondents working in InfoSec or GRC, many of them define risk, threats and vulnerabilities differently, indicating major communication discrepancies between what to look for and how to develop effective strategies to protect systems. If the experts don’t understand these issues, how effective are they in communicating to company leadership?
Almost a quarter (23%) of respondents do not evaluate third-party vendors for risk. Failure to assess third-party risk exposes an organization to supply chain attacks, data breaches and reputational damage. What’s more concerning is this is happening more in highly regulated industries that have large ecosystems of suppliers and partners; 30% of respondents who work in manufacturing and 25% of those who work in healthcare say their companies do not evaluate third-party vendor risk.
Communication on cyber-risk among the C-Suite is lacking. Thirty percent of CIO and CISO respondents say they do not communicate risk around specific business initiatives to other company leaders, indicating they may not know how to share that information in a constructive way.
The healthcare and manufacturing industries need to step up their game. Out of every industry, manufacturing respondents were the highest percentage to say they do not communicate risk around specific business initiatives (36%). Meanwhile, 20% of healthcare respondents rate their risk management software as being somewhat effective or less effective in mitigating risk (which is more than any other industry). Healthcare respondents were also more likely to express lower levels of confidence that leaders in their organization tie cyber/IT risk to strategic planning, with almost a third (29%) saying they felt somewhat or less confident.
“When it comes to strategic decision-making around business initiatives, cyber and IT risk can be an invaluable tool that not only better protects an organization but propels growth. However, to be able to use cyber risk to their advantage, company boards have to first understand it,” said Michael Maggio, CEO and Chief Product Officer of RiskOptics. “Our report indicates that there are still major hurdles teams need to overcome when communicating risk and more efficiently managing workloads. Organizations must re-assess their current processes and systems, embrace automation and put risk in the context of the business. Only then will executives be able to see the opportunity that risk can provide when proactively managed: a strategic advantage.”
RiskOptics will be holding a webinar on April 19th at 10:30 AM PT to discuss how their ROAR platform can help to tackle some of the challenges outlined in the survey. To register, follow this link.
To learn more about RiskOptics, visit the website or stop by booth #1951 in the South Expo at the RSA Conference, taking place April 24 – 27 in San Francisco.
Methodology
In partnership with Researchscape, RiskOptics conducted this research via an online survey that was fielded in March 2023. There were 261 respondents to the survey. The survey results were not weighted.
About RiskOptics
RiskOptics is the leader in IT risk management solutions, empowering organizations to convert risk into a strategic business advantage. The fully integrated and automated RiskOptics ROAR Platform provides a unified, real-time view of risk and compliance framed around business priorities, enabling CISOs and InfoSec teams to take a proactive approach to risk management. RiskOptics customers are able to quantify the impact of risk on their business, communicate that impact to key stakeholders and mitigate expensive data breaches, system failures, lost opportunities and vulnerabilities across their own and third-party data while adhering to compliance requirements.
To learn more about how to make smarter, risk-based business decisions, visit www.riskoptics.com or follow us on Twitter and LinkedIn.
A Russian flag in computer code. (Graphic by Breaking Defense, original images via Pexels)
UPDATE 4/18/23 at 6:45pm ET: This article has been updated to reflect clarifications from Mandiant regarding Russia’s purported use of ransomware.
WASHINGTON — Moscow’s military hackers may be spread thin, new research suggests. Russian cyberattacks on Ukraine and its allies surged last fall only to decline again in early 2023, said experts at cybersecurity shop Mandiant, part of Google Cloud.
What’s more, not only was the fall campaign smaller than the initial cyber onslaught before and after the ground invasion in January-April 2022, Mandiant said, it used different software, relying more on criminal-style ransomware and less on the specialized “wipers” that had characterized earlier attacks.
The research shows that the time period from October to December 2022 “was characterized by a resurgence in disruptive cyber attacks in Ukraine,” says the report.
“Though some of the attacks appeared similar to disruptive attacks seen in previous phases, this new wave of disruptive attacks appeared to deviate from the historical norm. Earlier attempts relied on quick turnaround operations using CADDYWIPER variants, but the attacks undertaken in October to December saw GRU clusters deploying ransomware variants on targeted networks,” says a Mandiant report published today, referring to Russian military intelligence. Specifically, Russian-backed hacker group IRIDIUM deployed a form of ransomware called Prestige in a series of attacks on Ukrainian and Polish networks, focusing on the transportation and logistics sectors crucial to shipping Western arms to the front line.
“GRU’s shift to using ransomware may be a sign they are undergoing tooling shifts and don’t have the resources to rely on writing or modifying custom malware,” the report says.
Mandiant Intelligence VP Sandra Joyce, however, emphasized that the appearance of ransomware could also have been an unsuccessful, one-off attempt to make the attacks look like they were coming from a criminal group rather than Russia intelligence.
Overall, Mandiant Intelligence senior manager Nick Richard was cautiously optimistic about the current threat picture.
“While ongoing and new investigations continue to be analyzed through the first quarter of 2023, to date Mandiant has not observed tracked threat actors mustering the same level of disruptive activity that was observed in the last quarter of 2022,” he said in an email to Breaking Defense. In other words, the Russian surge has subsided since the timeframe covered in the report.
Ironically, Russia’s resort to ransomware occurs as the tidal wave of ransom hacks may finally be falling back worldwide. Now, Mandiant doesn’t claim to track every attack, just those that came up in the company’s own investigations, which have increasingly focused on supporting Ukraine. But with that caveat, the report says, “Mandiant experts note a decrease in the percentage of global intrusions involving ransomware between 2021 and 2022,” from 23 percent down to 18 percent.
There’s probably no single cause, Richard told Breaking Defense, but rather multiple factors working together. Government agencies have systematically targeted ransomware hackers; the conflict in Ukraine has disrupted Eastern Europe-based cybercrime and consumed the energy of many Russian and Ukrainian hackers; and potential victims are getting better at preventive measures, such as disabling macros, the small embedded scripts that many software programs offer as a shortcut and that attackers commonly abuse to run malware.
In fact, the global cybersecurity picture is looking brighter overall. “Attacks are being detected faster than ever before,” the report says. The “dwell time” between a breach occurring and it being detected now averages 16 days. While that’s still plenty of time for an attacker to do damage, it’s almost 25 percent better than the 21-day median in 2021 and almost 85 percent better than the 101-day median just five years before.
Mandiant breaks its dwell-time figures down to look separately at “internal” detections, when the victim finds the breach itself, and “external,” when the victim is notified by an outside organization, such as law enforcement or an intelligence agency. The number of external notifications is rising faster than internal discoveries, the report finds, and victims’ response time to those external warnings is getting dramatically faster. (Internal discovery timelines are improving too, but the improvement there isn’t as marked, so it’s not driving most of the overall trend.) This improvement in external notifications is especially pronounced in Europe. Richard acknowledges some of that uptick might be a fluke rather than a trend, driven in part by Mandiant and other cybersecurity companies rallying to the defense of Ukraine.
“A noted increase in external notifications for the EMEA [Europe/Middle East/Africa] region has some correlation to Mandiant’s investigative support to and significant cybersecurity industry interest in threat activity in Ukraine,” he acknowledged. “Some metrics may revert next year based on the current reporting period distinctions.”
Overall, however, the improvement suggests “improved collaboration across the public and private sectors,” Richard said. “As this cooperation and the notification framework evolves and refines, providing victim organizations timely and critical information, organizations are able to ingest information more rapidly to respond effectively to a diverse array of cyber threats.”
Experts have highlighted better cooperation between cybersecurity firms, potential targets, and government agencies as one of the biggest lessons-learned from the cyber war in Ukraine.
Cybersecurity researchers have discovered a new hacking campaign that distributes the dreaded Qbot malware.
Qbot is used by some of the world’s biggest ransomware operators, such as BlackBasta, REvil, Egregor, and others.
According to researchers ProxyLife and Cryptolaemus, cybercriminals are using hijacked email accounts to spread the malware. They would use the stolen account to reply to an email chain, in order not to look overly suspicious. In the replied message, they’d distribute a .PDF file called “CancellationLetter-[number]”. If the victim opens the file, they’d see a prompt saying “This document contains protected files, to display them, click the “open” button.”
Banking trojan evolution
Pressing the button, however, downloads a .ZIP file with a Windows Script (WSF) document. That file, as the researchers explain, is a mix of JavaScript and Visual Basic Script codes that download Qbot.
Qbot itself used to be a banking trojan, but has since evolved into full-blown malware that provides access to compromised endpoints. Large cybercriminal syndicates use Qbot to deliver stage-two malware. Most notably – ransomware.
To defend against this attack, as well as countless similar ones out there, the best way is to first use common sense – if you’re not expecting an email, especially with an attachment, be sceptical about its contents. The same goes with links in email bodies – always verify before opening any links.
Furthermore, having proper cybersecurity solutions won’t hurt – an email security solution, an antivirus, or a firewall, will help in the battle against malware and ransomware. Also, having multi-factor authentication (MFA) set up on all accounts wherever possible is a great way to protect against data and identity theft.
Finally, keeping the hardware and software up to date is crucial. By applying the latest patches and firmware updates, you’re keeping your endpoints secure from known vulnerabilities that threat actors can abuse with malware.
The deadline for filing your taxes is just hours away – but that is still plenty of time for scammers to pose as the IRS and demand payments from victims.
Government officials warn Americans that the IRS will never first contact taxpayers by phone or email – the initial communication is always in a written letter.
Fake texts have also become widespread, in which bad actors bombard phones with messages that demand payments or threaten legal action over unpaid taxes.
These phony messages will request immediate payment, sometimes with a gift card, or threaten people with arrest, which are actions the IRS says it will never take to collect payments.
Tax Day has come in the US, and that means scammers will pose as the IRS to demand money from victims
IRS Commissioner Danny Werfel said in a statement: ‘Scammers are coming up with new ways all the time to try to steal information from taxpayers.
‘People should be wary and avoid sharing sensitive personal data over the phone, email or social media to avoid getting caught up in these scams.
‘And people should always remember to be wary if a tax deal sounds too good to be true.’
More than 3,000 reported tax scams in 2022 resulted in $6.23 million in losses, according to data from the Federal Trade Commission (FTC).
The agency hopes to minimize these numbers for this year by making the public aware of the types of scams.
Phishing and smishing seem to be the go-to attack among scammers.
The former involves fake emails claiming to come from the IRS or another legitimate organization, including state tax organizations or a financial firm.
These communications can include a phony tax refund to trick people into handing over banking details or false charges for tax fraud.
Some phishing emails may also ask the victim to call a telephone number. In these cases, the scammer will pose as an IRS officer and take the person’s details over the phone.
Scammers are sending text messages posing as the IRS. These include numbers to call or links that direct users to a fake website that demands payments
Smishing is a text message that uses the same technique as phishing but provides a link for users to click, which is usually a fake website designed to look like an official IRS site.
Scammers often use alarming language like, ‘Your account has now been put on hold,’ or ‘Unusual Activity Report’ with a bogus ‘Solutions’ link to restore the recipient’s account. Unexpected tax refunds are another potential target for scam artists.
Beware of these scams
Phishing: Scammers will create fake emails that look like they came from the IRS.
These messages will demand payment through a link or ask people to submit their information.
Phishing schemes may also tell people they need to provide banking details to receive their refund.
Smishing: This is phishing by SMS and text message.
Messages are often threatening and claim a lawsuit has been filed against the target by the IRS. Sometimes they claim a warrant has been issued for the person’s arrest.
The text will then prompt the victim to call a number or click a link.
Phone calls: The caller will say the victim is eligible for a tax refund, then ask for personal information and bank details to make the payment.
If it seems suspicious, or you had no reason to suspect a call, dial the hotline to report a scam.
The crooks set up a fake phone number and then send out text messages en masse to hundreds, and sometimes thousands, of unsuspecting targets.
There are several ways scammers obtain the cell numbers of their victims – but usually, they’re scraped from huge online databases.
‘Email and text scams are relentless, and scammers frequently use tax season as a way of tricking people,’ Werfel said.
‘With people anxious to receive the latest information about a refund or other tax issue, scammers will regularly pose as the IRS, a state tax agency or others in the tax industry in emails and texts.
‘People should be incredibly wary about unexpected messages like this that can be a trap, especially during filing season.’
Taxpayers will also start to see scam calls ring in throughout the day and while it seems archaic, this method has been a very successful attack.
A voice on the other end will state they are with the IRS, demanding immediate payment through a specific method such as a credit or gift card.
These fraudsters may even go as far as to threaten arrest, driver’s license revocation and even deportation if victims do not hand over the desired payment or provide personal information.
Christopher Brown, an attorney at the FTC, told NPR that the IRS would never threaten taxpayers with arrest or demand immediate payment over the phone.
This is because citizens can appeal or question how much they owe in taxes, and payments are usually set up through written communications.
‘That newer tactic of luring people with promises of a tax refund or rebate is more often employed over email or text as a phishing or smishing scam,’ said Brown.
And officials warn not to trust Caller ID, which can also be altered to display any name or organization.
‘Individuals should never respond to tax-related phishing or smishing or click on the URL link,’ the IRS says on its website.
‘Instead, the scams should be reported by sending the email or a copy of the text/SMS as an attachment to [email protected].
‘The report should include the caller ID (email or phone number), date, time and time zone, and the number that received the message.’
Using 2FA to protect your accounts is a lot safer than using just passwords, especially if you use a separate authenticator app.
Phishing message sent to Richard Lawler. (Image: Richard Lawler)
This is despite the fact that Twitter now offers SMS-based two-factor authentication only to its Twitter Blue members (costs begin at $8 a month). In fact, many of The Verge’s staffers have moved to Mastodon and other social networks, but no matter where you’re hanging out these days, it’s not a good idea to give someone access to your account. And if you want to use 2FA to secure your social media or other services, using text messaging is not the way to go. You’re much better off using either a third-party authenticator app or a hardware security key.
What are security keys?
Security keys, such as the ones sold by Yubico, are the safest method to use. They can connect to your system using USB-A, USB-C, Lightning, or NFC, and they’re small enough to be carried on a keychain (with the exception of Yubico’s YubiKey 5C Nano, which is so small that it’s safest when kept in your computer’s USB port). They use a variety of authentication standards: FIDO2, U2F, smart card, OTP, and OpenPGP 3.
When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access (which prevents you from accidentally logging in to a phishing site). The key then cryptographically signs the challenge and returns it to the service, which checks the signature and logs you in.
Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, and others. The best thing to do is check the website of your security key of choice and see which services are supported — for example, here’s a link to the apps supported by YubiKeys.
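The phishing resistance described above comes from two rules: the browser will only let a page use credentials for its own domain, and the site's origin is baked into the data the key signs. The following is an added example (not code from The Verge, Yubico or any FIDO library) that simulates both rules with the standard library; the ECDSA signature a real key produces is stood in for by an HMAC over a per-credential secret, and every domain and name here is constructed.

```python
"""Simulation of FIDO2/WebAuthn origin binding (added example).

A real authenticator signs with a per-site private key and the service
verifies with the matching public key; here the signature is an HMAC
over a per-credential secret that both sides hold, purely so the
example runs with the standard library. The checks the relying party
performs (origin, single-use challenge, signature) are the real ones.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse


class Authenticator:
    """The security key: one credential per relying-party ID (RP ID)."""

    def __init__(self) -> None:
        self._creds: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        # Stand-in for key generation; returns the "public" verifier.
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]

    def sign(self, rp_id: str, client_data_hash: bytes) -> bytes:
        if rp_id not in self._creds:
            raise KeyError(f"no credential registered for {rp_id}")
        return hmac.new(self._creds[rp_id], client_data_hash, "sha256").digest()


class Browser:
    """Enforces the WebAuthn rule: a page may only use an RP ID that is
    its own host or a registrable parent of it."""

    def __init__(self, key: Authenticator, page_origin: str) -> None:
        self.key, self.origin = key, page_origin

    def get_assertion(self, rp_id: str, challenge: str) -> dict:
        host = urlparse(self.origin).hostname or ""
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"{self.origin} may not use RP ID {rp_id}")
        # clientDataJSON: the origin is recorded here and then signed over.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": self.origin}, sort_keys=True)
        cd_hash = hashlib.sha256(client_data.encode()).digest()
        return {"client_data": client_data, "signature": self.key.sign(rp_id, cd_hash)}


class RelyingParty:
    """The website being logged in to (constructed RP ID and origin)."""

    def __init__(self, rp_id: str, origin: str, key: Authenticator) -> None:
        self.rp_id, self.origin = rp_id, origin
        self.verifier = key.register(rp_id)
        self.issued: set[str] = set()

    def new_challenge(self) -> str:
        challenge = os.urandom(16).hex()
        self.issued.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data.get("type") != "webauthn.get":
            return False
        if data.get("origin") != self.origin:      # signed from another site
            return False
        if data.get("challenge") not in self.issued:  # unknown or replayed
            return False
        self.issued.discard(data["challenge"])      # each challenge is single-use
        cd_hash = hashlib.sha256(assertion["client_data"].encode()).digest()
        expected = hmac.new(self.verifier, cd_hash, "sha256").digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo() -> tuple[bool, bool]:
    """Returns (legitimate login accepted, phishing page got an assertion)."""
    key = Authenticator()
    rp = RelyingParty("example.com", "https://login.example.com", key)
    good = Browser(key, "https://login.example.com").get_assertion("example.com", rp.new_challenge())
    try:  # look-alike domain: the browser refuses to touch example.com's credential
        Browser(key, "https://login.example-com.test").get_assertion("example.com", rp.new_challenge())
        phished = True
    except PermissionError:
        phished = False
    return rp.verify(good), phished
```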
What are authenticator apps?
But while physical security keys are the safest method, they are not the most convenient. If you don’t want to carry around (and possibly lose) a physical key, using an authentication app on your phone is the best way to go.
Authentication apps generate one-time numerical passcodes that change approximately every minute. When you log in to your service or app, it will ask for your authenticator code; you just open up the app to find the randomly generated code required to get past security.
Popular options include Authy, Google Authenticator, and Microsoft Authenticator. These apps mostly follow the same procedure when you’re adding a new account: you scan a QR code associated with your account, and it is saved in the app.
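The codes an authenticator app shows are not random: the QR code carries a shared secret, and both the app and the service derive the code from that secret and the current time step (RFC 6238 TOTP over RFC 4226 HOTP). The following is an added example, not code from The Verge or any of the apps named above; it uses the RFC 6238 test secret and adds the server-side verification with a small drift window that a service would run.

```python
"""TOTP generation and verification per RFC 6238 (added example)."""
import base64
import hmac
import struct

# The secret a QR code would carry, base32-encoded. This is the RFC 6238
# test vector key "12345678901234567890", used here as constructed input.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP_SECONDS = 30  # RFC 6238 default; apps show a fresh code each step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically
    truncated to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step.
    This is what the authenticator app displays."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_unix_time // TIME_STEP_SECONDS, digits)


def verify_totp(secret_b32: str, code: str, at_unix_time: int, window: int = 1) -> bool:
    """Server side: accept the code for the current step and `window`
    steps on either side (clock drift), comparing in constant time.
    A real service would also record accepted codes to block replay."""
    secret = base64.b32decode(secret_b32, casefold=True)
    step = at_unix_time // TIME_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))
```

Because the service only needs the shared secret and a clock, a stolen code is useful to an attacker for at most one step plus the drift window, which is why the codes are short-lived and why the window is kept small.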
Here is how to set up 2FA on some of the more popular online accounts. Not all of them allow for authenticator apps; in that case, we list what is available. (If you’re just interested in using an authenticator app for your Twitter account, you can go directly to this article, which gives you all the steps needed — however, just to be convenient, we’ve included Twitter with the others here.)
Note: most of the following directions are for websites; if you can use a mobile app, directions will be given for that as well.
Log in to your Amazon account.
Hover over Accounts & Lists (in the upper-right corner) and go to Account > Login & security. (You can also simply follow this link.)
Scroll down to 2-step verification and click the Edit button. (You may be asked to reenter your password.)
Click Get Started, and Amazon will walk you through the process of registering your preferred authenticator app by syncing it through a QR code.
If you wish, you can also register a phone number to use as a backup text 2FA. Amazon also lets you opt out of 2FA for any specific devices.
Twitter lets you use a text message, an app, or a security key for authentication.
As with other services mentioned above, you can generate a backup code to use when you’re traveling and will be without internet or cell service. You may also see an option to create a temporary app password that you can use to log in from other devices. This can be used to log in to third-party apps if you have them linked to your Twitter account. Note that the temporary password expires one hour after being generated.
Open WhatsApp and find the Settings menu under the upper-right dots icon.
Look under Account > Two-step verification > Turn on.
The app will ask you to enter a six-digit PIN to use as verification; after that, it will request it the next time you register your phone number and also every once in a while (so you don’t want to forget it). You can optionally add an email address in case you forget your PIN.
Having an email associated with your WhatsApp account is important — if you don’t have one and forget your PIN, you’ll have to wait seven days before you can reset it. In the same vein, be cautious of emails encouraging you to turn off 2FA if you didn’t request it yourself.
Did we miss your favorite apps?
For more information, check out the 2FA Directory, which categorizes and lists companies that support 2FA and gives you the option to message a company on Twitter, Facebook, or email to request that 2FA be added.
A final note: while adding 2FA is great for an extra layer of security on all your accounts, remember that you should be changing and updating your passwords regularly even with 2FA enabled just to stay in tip-top shape. If that’s not your style, you can also use a password manager to automatically take care of it for you.
Update April 18th, 2023, 4:00PM ET: This article was originally published on February 28th, 2023, and has been updated to add the fact that Apple now offers 2FA with security keys and to warn about new phishing attempts.