A large text-message phishing attack campaign attributed to the China-based Smishing Triad employs malicious iMessages.

Image Source: dbtravel via Alamy Stock Photo

A China-based hacking group known as Smishing Triad has waged text message-borne phishing attacks against individuals in India, using the country's government-operated postal system as a lure.

The threat actors are targeting iPhone users with text messages falsely claiming that a package is awaiting collection at an India Post warehouse. The deceptive messages contain URLs leading to fraudulent websites.

According to a new Fortinet FortiGuard Labs report, between January and July 2024, more than 470 domain registrations were mimicking India Post's official domain, with the majority registered via Chinese and American domain registrars.

Researchers at FortiGuard Labs discovered phishing emails sent via iMessage using third-party email addresses like Hotmail, Gmail, and Yahoo. Apple ID accounts configured with these third-party emails send the malicious messages containing short URLs that direct recipients to the fraudulent websites.

**Text Phishing Goes Postal**

India Post is just the latest mail service to face mobile phishing attacks. The US Postal Service (USPS) recently found its name abused in smishing attacks orchestrated by a single threat actor based in Tehran. Another recent smishing attack aimed at US citizens informed them they had unpaid road tolls, with the aim of coercing targets into giving up their bank information.

Stephen Kowski, field CTO at SlashNext Email Security+, says the India Post phishing campaign highlights the evolving tactics of threat actors.

"They are now leveraging trusted communication channels like iMessage to deceive victims, underscoring the need for comprehensive mobile Web threat protection that can detect and block malicious URLs, even when wrapped in encrypted messages," he says.

As SMS- and other text-based attacks become increasingly sophisticated, organizations must prioritize educating their users on how to identify and report suspicious messages, he notes. "They must also implement robust security measures that can inspect and mitigate threats in real-time, regardless of the communication channel used."

By extending security controls to the mobile Web, organizations can better protect their users from these types of attacks, even when they occur outside of traditional network perimeters.

**"Mobile First" Attacks Rise**

Mobile devices are a prime target for phishing campaigns, given the amount of phishing vectors available to attackers, be it SMS, QR codes, third-party communication apps, or personal email.

This, combined with a relative false sense of security most users and organizations have on mobile, and a lack of active security controls, make mobile phishing campaigns a low risk, high reward for attackers for both personal and corporate information.

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says this type of "mobile first" attack is something that is occurring more and more every day.

"Cybercriminals and hackers have begun to realize that there's a false sense of security with mobile devices, particularly those on iOS," he says.

Users tend to be less careful on their mobile devices than on a standard computer or laptop, and they rarely have proper security controls in place on their mobile devices.

"Our own research has shown a significant rise recently in mobile-targeted phishing attacks that only fully execute the attack when the link is clicked from a mobile device," he says. "Users must be on guard for anything that appears unusual, especially related to a text message or SMS."

He advises companies to have strong mobile endpoint protection defenses on employee phones to protect against exactly this type of attack, or worse.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

China-Backed Phishing Attack Targets India Postal System Users

Several vendors for consumer and enterprise PCs share a compromised crypto key that should never have been on the devices in the first place.

Source: Lim Yong Hian via Shutterstock

Attackers can bypass the Secure Boot process on millions of Intel and ARM microprocessor-based computing systems from multiple vendors, because they all share a previously leaked cryptographic key used in the device startup process.

The so-called Platform Key (PK) from American Megatrends International (AMI) serves as the root of trust during the Secure Boot PC startup chain, and verifies the authenticity and integrity of a device's firmware and boot software.

Unfortunately, researchers from firmware security vendor Binarly discovered that the key had been publicly exposed in a data leak back in 2018. "This key was likely included in \[AMI's\] reference implementation with the expectation that it would be replaced with another safely generated key by downstream entities in the supply chain," Binarly said in a posting on the issue this week.

**The PKFail Secure Boot Issue**

What appears to have happened is that an original equipment manufacturer (OEM) used the AMI test key for firmware it produced for different Intel and ARM-based device makers. The result is there are potentially millions of consumer and enterprise devices around the world that are currently using the same compromised AMI PK during the secure bootup process, says Alex Matrosov, CEO and founder of Binarly. Affected vendors include Lenovo, HP, Asus and SuperMicro.

"An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database," says Matrosov, who has dubbed the issue as "PKFail." The issue makes it easier for attackers to, among other things, deploy Unified Extensible Firmware Interface (UEFI) bootkits like last year's BlackLotus, which offer persistent kernel access and privileges.

"The fix is easy: the compromised key needs to be replaced, and device vendors need to ship a firmware update," Matrosov says. Several have already done so, he notes. However, in many cases — as with data center servers, for instance, or for systems used in critical applications — the firmware updates could take some time to be deployed.

"Exploitation of this issue is trivial in the case that the device is impacted," he says, pointing to a proof-of-concept exploit (PoC) that Binarly developed for PKFail. Matrosov recommends that organizations disconnect devices with the leaked AMI PK from critical networks until they are able to deploy a firmware upgrade.

**A Master Key and a Really Big Deal**

The PKfail issue is a big deal because it makes it easy for hackers to bypass Secure Boot, which is like having a master key that unlocks many houses, said Rogier Fischer, CEO of Netherlands-based Hadrian in an emailed comment. "Since the same keys are used across different devices, one breach can affect many systems, making the problem widespread," he said.

PKFail is the only the latest manifestation of a problem that has been around for more than a decade, which is the tendency by OEMs and device-makers to use non-production and test cryptographic keys in production firmware and devices, Matrosov says. The AMI PK for instance was clearly meant to be treated as completely untrusted, and yet it ended up in devices from multiple vendors.

Binarly's report pointed to an incident in 2016 tracked as CVE-2016-5247, where security researchers discovered multiple Lenovo devices that shared the same AMI test PK. At the time, the National Vulnerability Database described the issue as allowing "local users or physically proximate attackers to bypass the Secure Boot protection mechanism by leveraging an AMI test key."

Ultimately, PKFail is a manifestation of poor cryptographic key management practices in the device supply chain, Binarly said in its report.

"This is a huge problem," Matrosov says. "If you think about an apartment complex where all the door locks have the same keys. If one key goes missing, it could create problems for everyone."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Millions of Devices Vulnerable to 'PKFail' Secure Boot Bypass Issue

Researchers track the healthcare sector as experiencing the biggest financial losses, with banking and transportation following close behind.

Source: SOPA Images Limited via Alamy Stock Photo

As the CrowdStrike Falcon outage story continues to unfold, the monetary losses to businesses from the global incident continue to rise: The volume is likely to reach $5.4 billion in costs for Fortune 500 companies, according to a report from Parametrix.

Parametrix researchers have found that roughly 25% of Fortune 500 companies experienced disruptions due to the incident, the most heavily affected industries financially being healthcare ($1.94 billion in estimated losses) and banking ($1.15 billion). In addition, a shocking 100% of the transportation and airlines sector was affected, and the group will rack up an estimated $0.86 billion in losses, according to the forecast. The $5.4 billion estimate excludes Microsoft.

The researchers noted that the outage impact to some industries, like software and IT-related services, is more likely to cause a "ripple effect beyond Fortune 500 companies," though hard numbers were not quantified in the report.

Parametrix previously detailed how the cloud acted as the catalyst for the widespread impact of the outage, and said that "the event highlights the critical dependency of major corporations on cloud services, and the systemic risks posed by such disruptions." To prevent future losses, the new report encourages cyber insurers and risk-assessors to concentrate on mapping, managing, and assessing cloud-based service provider exposure; and stressed that it's important to take a broad view, and not rely solely on the CrowdStrike event as a primary reference for "modeling future system failures involving cloud-based service providers."

**About the Author(s)**

CrowdStrike Outage Losses Estimated at a Staggering $5.4B

The campaign is laser-targeted, bucking the trend of "spray-and-pray" malicious open source packages turning up in code repositories seemingly every other day.

Source: Penta Springs Limited via Alamy Stock Photo

Researchers have come across a rather odd Python code package online that aims to steal Google Cloud Platform credentials from a very limited set of macOS victims.

The package, "lr-utils-lib," was uploaded to the Python Package Index (PyPi) early in June, and conceals its malicious code in the setup file, Checkmarx explained in a blog post on July 26 — thus allowing it to execute right away upon installation. Then, the code checks that it's running on a macOS system, and if so, checks the system's IOPlatformUUID, which is the value used to identify a particular Mac computer.

It turns out that the malware is highly targeted, only looking to infect a predetermined list of 64 specific machines. Further information about those machines, and the attacker targeting them, is unknown at this point, but it's worth noting that the package's name is very close to that of a legitimate package called "lr-utils," which is widely used in deep learning and neural networks applications, and to download large data sets. Dark Reading has sent a request for comment to Checkmarx to see if this could give a sense of the possible targets of the campaign.

In any event, from those machines, lr-utils-lib attempts to exfiltrate Google Cloud Platform credentials to a remote server, with the potential for follow-on attacks on cloud assets, including data theft, malware implantation, and the introduction of vulnerable components into the environment that can be exploited for lateral movement. As Ross Bryant, head of research at Phylum, explains, "The risk is obvious. Anyone who has your digital credentials effectively has all your rights and privileges."

Another interesting aspect of the campaign involves social engineering. The package owner goes by the name "Lucid Zenith," and apparently claims to be the CEO of a legitimate organization — Apex Companies LLC — on LinkedIn. There is also another LinkedIn profile belonging to the real CEO of the company, but the fake page is apparently so convincing that some AI platforms, including Perplexity, incorrectly stated that Lucid Zenith is the true CEO of the company, Checkmarx noted.

"We queried various AI-powered search engines and chatbots to learn more about Lucid Zenith’s position," according to the post. "What we found was a variety of inconsistent responses."

It added, "This was quite shocking since the AI-powered search engine could have easily confirmed the fact by checking the official company page, or even noticing that there were two LinkedIn profiles claiming the same title."

**Targeted Package Attacks: A Rare Phenomenon**

Malicious packages are utterly commonplace, masquerading as legitimate and useful software components while hiding their true nature. And more often than not, that true nature involves data theft. And because open source software (OSS) is, by definition, open to anyone, it's typically a good way to breach a wide variety of targets across regions.

This campaign stands out, Bryant explains, because OSS is being used in a highly targeted manner; however, there is limited precedent for the approach. For instance, "the malicious npm packages that we have seen associated with North Korean activity appear to be highly targeted," he says. Each package has unique identifiers which we attribute to individual targets. Once the victim has been compromised, the attacker immediately unpublishes the package, leaving behind almost no trace. This has been effective enough to steal billions of dollars worth of cryptocurrency."

Dark Reading has reached out to Checkmarx for more information about lr-utils-lib, including its current status. At the time of writing, a search for it on PyPi yielded no results, but it can still threaten those who have already imported it into their projects.

To mitigate the risk that your organization unwittingly accepts one of these laser-targeted packages, "Vigilance is required at every upgrade for every package and all its dependencies in an organization's software supply chain," says Bryant. "Developers should also be wary of social engineering attacks that have been very effective lately."

For its part, Checkmarx stressed that critical thinking is an invaluable asset when it comes to defending against this kind of attack. "Users should ensure they are installing packages from trusted sources and verify the contents of the setup scripts," according to the post. "The associated fake LinkedIn profile and inconsistent handling of this false information by AI-powered search engines ... serves as a reminder of the limitations of AI-powered tools for information verification, drawing parallels to issues like package hallucinations. It underscores the critical need for strict vetting processes, multi-source verification, and fostering a culture of critical thinking."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Targeted PyPi Package Steals Google Cloud Credentials from macOS Devs

The cybersecurity firm says that 97% of sensors are back online, but some organizations continue to recover, with costs tallied at $5.4 billion for the Fortune 500 alone.

Source: Sashkin via Shutterstock

A week after an ill-fated update from cybersecurity giant CrowdStrike knocked out an estimated 8.5 million Windows computers, causing problems ranging from downed medical systems at healthcare facilities to delayed flights for many airlines, organizations are still trying to restore access to their remaining affected systems.

Healthcare companies are among the most impacted organizations, with the corrupt file affecting about half of the members of the Health Information Sharing and Analysis Center (Health-ISAC), says chief security officer Errol Weiss. As of July 25, only 18% of affected organizations had fully recovered their systems, while three-quarters of companies still had as many as 25% of their systems still needing attention, Weiss says.

Many organizations had Windows-based medical devices, and now they are likely looking at a long-tailed recovery, says Weiss.

"My guess is that a lot of automated remediation was shared on Friday and Saturday — those methods probably helped a lot to get to the majority of completion," he says, referring to tools and scripts provided by Microsoft, CrowdStrike, and other companies. "But some of those scripts and automated fixes probably won't work on the kinds of devices that we're talking about, and now healthcare organizations have to take a manual look."

Microsoft released a USB Recovery Tool that gives administrators the option to use a USB drive to recover impacted systems from WinPE or safe mode. The tool may recover from safe mode even if BitLocker is enabled on a device and a recovery key is unavailable. There are also detailed recovery steps for Windows clients, servers, and operating systems hosted on Hyper-V, as well as affected Windows 365 Cloud PCs and Azure virtual machines.

**Measuring Impact of the Outage**

On July 25, CrowdStrike estimated that 97% of affected computers had returned to active status, as measured by the state of its Falcon software at the center of the outage. Managed security services provider Quest Software, whose customers span a gamut of sizes, is still offering aid to those working through the issue. The remaining companies likely represent a few hard-to-patch systems at larger firms and a large number of smaller firms that do not have the technical expertise to easily recover, says Kent Feid, senior director of product management at Quest Software.

"That 3% really represents the number of devices, and so that would equate to likely a substantial amount of small businesses still being impacted that are still somewhat unsure how to attack this," he says. "Smaller businesses tend to leverage more IT generalists or don't staff IT experts in-house."

The vast impact of the outage has still not been tallied, but insurance services firm Parametrix estimates that the event impacted a quarter of the Fortune 500 companies, with losses reaching $5.4 billion. That includes nearly $2 billion in losses for healthcare and more than $1.1 billion for the banking sector.

**Even With Tools, Many Companies Worked the Weekend**

While the recovery process is, for the most part, fairly simple, technical experts have gauged that each system requires an average of 15 minutes to recover because an administrator is required to physically access each system. In addition, companies that used BitLocker to encrypt the hard drive — a cybersecurity best practice, especially on laptop systems — would have to find the encryption key and input that key at the beginning of the process.

"There's no way to do this remotely because it has to be done in safe mode, where networking isn't working, so you can't connect to the machine remotely," says Vadim Vladimirskiy, CEO of Nerdio, a virtual desktop management firm.

At least 700 outages coincided with the bad update from CrowdStrike, with 39% of outages rated Critical. Source: Parametrix

Nerdio, which provides virtual desktops for its customers, said its customers were only minimally impacted by the failed update and its cloud desktop systems were easily repaired by recovering to a previous image. While many customers connect to Nerdio's service using a Windows computer, only the systems left on during the 78-minute window — during which the bad CrowdStrike update was distributed — were impacted. Affected customers could just switch to a different system to access their virtual desktops, limiting any impact, Vladimirskiy says.

Ironically, healthcare firms recovered by falling back on measures implemented to protect them from a threat CrowdStrike is deployed to prevent: ransomware. Health-ISAC's Weiss compiled a list of systems affected by the attack, and it includes patient services, lab collections, secure file transfers, dictation and transcription services, shipments, electronic medical records, and Medicaid and insurance billing.

"I started hearing about the impacts to these organizations and looking at the list, and it's like, 'My gosh, this sounds just like another ransomware incident,'" he says. "So that's what was going on inside healthcare on Friday for those organizations that were impacted by this. They just went, 'OK, systems are down, we're going to the manual backup procedures, we're going to paper,' and they knew what to do because they were drilling \[their response to ransomware\] in the past."

**Preventing the Next Big Failure**

The bad update also came after a significant outage of Azure services affected an above average number of companies, according to Parametrix. (On average, about 300 service disruptions occur among the Fortune 500 every day, the firm said. On Thursday, July 18, 419 coincided with the Azure outage, and on Friday, at least 700 occurred as the company dealt with the bad update from CrowdStrike.)

While CrowdStrike is feeling the market's wrath right now, the company is unlikely to be down for long because businesses need the type of services the company — and others like it — provide, says Quest Software's Feid.

"No software development company — I include ourselves in that — is perfect, right?" he says. "What's hard, I think, especially in the security industry and specifically for a company like CrowdStrike, they are being looked at and relied upon across a large part of the market to protect endpoints. ... The product is specifically designed to be ahead of the curve as much as it can, which means you can't have it both ways, consumers. There's always going to be inherent risk."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Companies Struggle to Recover From CrowdStrike's Crippling Falcon Update

The individual is part of a DPRK-backed group known as Andariel, which is known for using the 'Maui' ransomware strain to target and extort healthcare entities.

Source: Panther Media GmbH via Alamy Stock Photo

The US Department of Justice has unsealed an indictment of a North Korean military intelligence operative targeting US critical infrastructure.

The individual, Rom Jong Hyok, allegedly carried out ransomware attacks against healthcare facilities and funneled the ransom payments to arrange other breaches into defense, technology, and government organizations globally, in violation of the Computer Fraud and Abuse Act, according to the indictment.

The ransom payments were laundered through Hong Kong, where they were converted into Chinese yuan, withdrawn from an ATM, and then used to purchase virtual private servers in order to exfiltrate sensitive defense and technology information. 

Hyok is part of a hacking crew known as Andariel (aka APT45, Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2) and is allegedly behind cyberattacks involving a ransomware strain coined "Maui," which was targeting organizations in the US and Japan as far back as 2022. The group uses this ransomware against healthcare providers' systems and servers used for medical testing or electronic medical records.

Andariel is controlled by DPRK's military intelligence agency, the Reconnaissance General Bureau, which is involved in the DPRK's illicit arms trade and responsible for its malicious cyber acts.

"This group poses an ongoing threat to various industry sectors worldwide, including, but not limited to, entities in the United States, South Korea, Japan, and India," said the National Security Agency. 

The US Department of State's Rewards for Justice (RFJ) announced a reward of up to $10 million for information that could lead to the whereabouts of Rim Jong Hyok, Andariel, or co-conspirators.

**About the Author(s)**

US Offers $10M Reward for Information on North Korean Hacker

Nvidia doesn't just make the chips that accelerate a lot of AI applications — the company regularly creates and uses its own large language models, too.

Source: The KonG via Shutterstock

As the builder of the processors used to train the latest AI models, Nvidia has embraced the generative AI (GenAI) revolution. It runs its own proprietary large language models (LLMs), and several internal AI applications; the latter include the company's NeMo platform for building and deploying LLMs, and a variety of AI-based applications, such as object simulation and the reconstruction of DNA from extinct species.

At Black Hat USA next month in a session entitled "Practical LLM Security: Takeaways From a Year in the Trenches," Richard Harang, principal security architect for AI/ML at the chip giant, plans to talk about lessons the Nvidia team has learned in red-teaming these systems, and how cyberattack tactics against LLMs are continuing to evolve. The good news, he says, is that existing security practices don't have to shift that much in order to meet this new class of threats, even though they do pose an outsized enterprise risk because of how privileged they are.

"We've learned a lot over the past year or so about how to secure them and how to build security in from first principles, as opposed to trying to tack it on after the fact," Harang says. "We have a lot of valuable practical experience to share as a result of that."

**AIs Pose Recognizable Issues, With a Twist**

Businesses are increasingly creating applications that rely on next-generation AI, often in the form of integrated AI agents capable of taking privileged actions. Meanwhile, security and AI researchers have both already pointed out potential weaknesses in these environments, from AI-generated code expanding the resulting application's attack surface to overly helpful chatbots that give away sensitive corporate data. Yet, attackers often do not need specialized techniques to exploit these, Harang says, because they're just new iterations of already known threats.

"A lot of the issues that we're seeing with LLMs are issues we have seen before, in other systems," he says. "What's new is the attack surface and what that attack surface looks like — so once you wrap your head around how LLMs actually work, how inputs get into the model, and how outputs come out of the model ... once you think that through and map it out, securing these systems is not intrinsically more difficult than securing any other system."

GenAI applications still require the same essential triad of security attributes that other apps do — confidentiality, integrity, and availability, he says. So software engineers need to perform standard security architecting due-diligence processes, such as drawing out the security boundaries, drawing out the trust boundaries, and looking at how data flows through the system.

In the defenders favor: Because randomness is often injected into AI systems to make them "creative," they tend to be less deterministic. In other words, because the same input does not always produce the same output, attacks do not always succeed in the same way either.

"For some exploits in a conventional information security setting, you can get close to 100% reliability when you inject this payload," Harang says. "When \[an attacker\] introduces information to try to manipulate the behavior of the LLM, the reliability of LLM exploits in general is lower than conventional exploits."

**With Great Agency Comes Great Risks**

One thing that sets AI environments apart from their more traditional IT counterparts is their ability for autonomous agency. Companies do not just want AI applications that can automate the creation of content or analyze data, they want models that can take action. As such, those so-called agentic AI systems do pose even greater potential risks. If an attacker can cause an LLM to do something unexpected, and the AI systems has the ability to take action in another application, the results can be dramatic, Harang says.

"We've seen, even recently, examples in other systems of how tool use can sometimes lead to unexpected activity from the LLM or unexpected information disclosure," he says, adding: "As we develop increasing capabilities — including tool use — I think it's still going to be an ongoing learning process for the industry."

Harang notes that even with the greater risk, it's important to realize that it's a solvable issue. He himself avoids the "sky is falling" hyperbole around the risk of GenAI use, and often taps it to hunt down specific information, such as the grammar of a specific programming function, and to summarize academic papers.

"We've made significant improvements in our understanding of how LLM-integrated applications behave, and I think we've learned a lot over the past year or so about how to secure them and how to build security in from first principles," he says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nvidia Embraces LLMs &amp; Commonsense Cybersecurity Strategy

Outlining the wider organization's proactive role in fortifying the security program allows the security team to focus on the most pressing issues that only they can solve.

Lenny Zeltser, Chief Information Security Officer, Axonius

July 26, 2024

4 Min Read

Source: Andrii Yalanskyi via Alamy Stock Photo

COMMENTARY

Love it or hate it, cybersecurity compliance continues to be top of mind across private organizations and federal bodies alike. With new regulations on emerging technology continuing to be developed and introduced, even the US Senate is proposing legislation to streamline federal cybersecurity regulations. 

Regulations offer security leaders leverage for improving processes and strengthening accountability for cybersecurity throughout the organization. However, new compliance requirements also increase the burden of making sure the security program meets the requirements of all external stakeholders. Many chief information security officers (CISOs) must simultaneously navigate the need to contain costs, increase trust, improve security, and support the business while maintaining compliance. 

Supporting cybersecurity compliance requirements is particularly challenging for today's security leaders because they don't control all aspects of security in the organization. Employees across all departments make decisions each day that impact the security of the organization's data. CISOs can harness a distributed responsibility model to address security and compliance needs, but they must do this in an intentional way. The key is to make sure all internal stakeholders understand the role they play in the organization's security program and hold them accountable for their responsibilities.

**Clarifying Expectations Beyond the Security Team**

It's true that security teams have the specialized knowledge that colleagues in other parts of the organization lack. That's why such groups monitor for suspicious activities, identify and track vulnerabilities, ensure that the necessary security measures are enforced, and provide security guidance.

When designing security programs, however, CISOs must also document the expectation that all employees across an organization must do their part in safeguarding the company's systems, applications, and data. This goes beyond the employees merely maintaining the vague sense of awareness emphasized by the requisite security awareness training. 

The CISO should lead the effort to clarify the security responsibilities that extend past the security team. Methodologies such as the RACI matrix help capture who should be responsible, accountable, consulted, and informed for specific security-related tasks. Even if the resulting matrix isn't perfect, the discussions that lead to its creation surface responsibility gaps so organizations can address them. 

**Enforcing Accountability Across an Organization**

It's unreasonable to expect that employees — especially those without security training and expertise — will always make the right decisions when it comes to data protection. CISOs can mitigate this risk by deploying technologies that make it easier for employees to perform their work securely. For instance, security leaders can define configuration templates that disable unnecessary features or enable security capabilities. Another example is automatically enrolling accounts with multifactor authentication (MFA), rather than requesting that each employee elect to apply these safeguards. 

While mandating MFA minimizes the opportunity for noncompliance with security expectations, automatic opt-ins like this aren't always possible. Security leaders should also establish guardrails against severe risks resulting from decisions that are outside the boundaries the organization considers reasonable. The use of network security measures like DNS filtering, for example, restricts access to dangerous website categories, in turn decreasing the likelihood that an employee unknowingly interacts with a malicious online resource. 

In addition, the security team must monitor for gaps in security and take action when issues arise. Security event aggregation and continuous compliance monitoring, which automates the tracking of security controls, along with modern asset management approaches, are pieces to this puzzle. 

**Making Security Responsibilities Personal**

To ensure that people outside the security team pay attention to their security responsibilities, security leaders should look for ways to establish a personal connection between the individual and the data or system they help protect. For example, employees typically feel a sense of ownership over the laptops and files they use on a daily basis. Therefore, the CISO can highlight that connection when discussing endpoint-related security measures that depend on the employee, such as manually updating software that isn't centrally managed by the organization. 

Just like personnel outside of security should understand how their security responsibilities apply to the work they do, the people on the security team need to understand how their responsibilities aid the organization as a whole. What business initiatives are supported by the work that the security team is doing? Understanding this connection will not only motivate the security personnel but also allow the security leaders to have the business context when collaborating with colleagues throughout the organization. 

Security leaders will amplify their powers and motivate others to do their part in securing the organization by aligning security responsibilities with the personal interests, affiliations, and objectives of all stakeholders.

**Empowering Everyone to Do Their Part**

There is power in numbers; outlining the wider organization's proactive role in fortifying the security program allows the security team to focus on the most pressing issues that only they can solve. Helping employees understand the role they play in the security program will prevent coverage gaps, avoid misunderstandings, and ensure that the right processes are in place for a security program that supports the relevant compliance requirements. 

Security teams play a key role in safeguarding their organizations. This includes empowering colleagues in the wider organization to do their part and making sure they understand their roles.

**About the Author(s)**

Chief Information Security Officer, Axonius

Lenny Zeltser is the CISO at Axonius, a leader in cybersecurity asset management. Prior to Axonius, he led security product management at Minerva Labs and NCR. Before that, he spearheaded the US security consulting practice at a leading cloud services provider acquired by CenturyLink. He also helps shape global cybersecurity practices by teaching at SANS Institute and sharing knowledge through writing, public speaking, and community projects. He has earned the prestigious GIAC Security Expert designation and developed the Linux malware analysis toolkit REMnux. He is also on the Board of Directors of the SANS Technology Institute.

Distributing Security Responsibilities (Responsibly)

Intel works closely with academic researchers on hardware flaws and coordinates efforts with other vendors to roll out fixes for emerging vulnerabilities. That wasn't always the case.

Source: Mentor58 via Alamy Stock Photo

The Spectre and Meltdown chip vulnerabilities could have been resolved much earlier had chip makers taken reports from academic researchers more seriously, says one researcher who helped unveiled the hardware bug.

Daniel Gruss, a researcher at Graz University of Technology, hasn't had a break since Meltdown and Spectre came to light. Chip vulnerabilities are multiplying with increasingly complex chip designs and the emergence of new technologies, such as graphics processing units (GPUs) and confidential computing.

"I think the number of bugs that we have in our systems will not get less over time," Gruss says.

Gruss and Intel fellow Anders Fogh will reflect on past chip vulnerabilities and explore emerging threats during their Black Hat USA 2024 on Thursday, Aug. 8. The presentation, "Microarchitecture Vulnerabilities: Past, Present, and Future," will cover recent side-channel attack techniques as exposed by Hertzbleed, Platypus, and Zenbleed. Gruss and Fogh will also explore how academic researchers and chip makers are collaborating to counter vulnerabilities and discuss top-line mitigation and patching strategies.

Gruss, now a professor in information security, says the chip makers hadn't been as responsive as the companies are now. His team reported the prefetch side-channel at the center of Spectre to Intel in 2016, but the chip maker dragged its feet.

"Intel could have had Spectre two years earlier than they had it ... if they would just have looked at our report a bit more closely and tried it out for a longer time on different machines and then investigated, but they didn't," Gruss says.

But that has changed, and Intel takes every security flaw reported very seriously, Gruss says.

**Communication Is Key**

Intel is in lockstep with researchers and also keeps communication lines open with rivals, such as AMD and Nvidia, as hardware bugs could affect multiple vendors, says Suzy Greenberg, vice president for Intel Product Assurance and Security Group.

Spectre and Meltdown used side-channel attacks to leak sensitive data that could include usernames and passwords. Hackers can conduct side-channel attacks by using system functions, such as frequency scaling and power consumption patterns.

Hundreds of papers on side-channel attacks have come out since the bugs were initially reported. However, no real-world break-ins based on the bugs have been reported, yet, according to Gruss and Intel. Side-channel attacks will always be there, and chip vendors won't be able to solve the bugs, Gruss says.

"The question is ... how can we keep them restricted enough so that attackers cannot exploit them for valuable information," Gruss says.

**Researchers Shift Focus to GPUs**

Researchers are also shifting their attention to exploring security bugs in GPUs, which are chips being used to serve artificial intelligence (AI).

A team of researchers including Gruss recently published research about a side-channel attack on Nvidia's GPUs. Nvidia last month issued 10 security alerts related to its GPU drivers and virtualization software.

"As we understand more and more about the microarchitecture on GPUs, and as they get more complex, we will also see more complex and more impactful attacks," Gruss says.

Side-channel attacks may also increase in the realm of confidential computing, which involves creating a secure enclave within hardware to run protected applications. Top chip makers Intel and AMD offer confidential computing chips for AI applications.

"Confidential computing adds attack surface from an academic perspective ... there is more to attack there than if you would be an unprivileged attacker," Gruss says.

Privileged users can get access to interfaces, instructions, and model-specific registers, which widens the attack surface.

Many new use cases and exploits are going to start coming with AI, Intel's Greenberg said.

"We're really trying to encourage that community to start looking at poking there because that's the big unknown," Greenberg says.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Could Intel Have Fixed Spectre &amp; Meltdown Bugs Earlier?

Mimecast's acquisition of Code42 helps the company move into insider risk management, joining key rival Proofpoint and others in the space.

Source: Panther Media GmbH via Alamy Stock Photo

Email security providers are increasingly adding human risk management (HRM) tools to their portfolios to broaden their data loss prevention (DLP) capabilities. The latest to sharpen its focus on HRM is Mimecast, which acquired insider risk tool provider Code42 for undisclosed terms this week.

The deal marks Mimecast's second acquisition of an HRM company this year. In January, it made its foray into human risk management with the acquisition of Elevate Security, which resulted in last week's release of Mimecast's Engage risk management platform.

Omdia senior principal analyst Fernando Montenegro says Mimecast's competitors, such as Proofpoint, Sophos, ESET, OpenText (Webroot), and Barracuda Networks, have made similar moves into HRM.

"We have seen similar packaging of messaging security with user training and human factors in many vendors," Montenegro says. "This makes sense as we think there is a long-standing evolutionary pattern to cybersecurity to be better aligned to business outcomes and concerns, and this fits well into this narrative."

Mimecast is playing catch-up to Proofpoint, its most formidable competitor, which released its Proofpoint Nexus People Risk Explorer in 2021. Earlier, Proofpoint made its foray into insider threat management by acquiring ObserveIT, known for its insider threat management platform.

**Insider Risk Tied to Data Breaches**

According to Verizon's "2024 Data Breach Investigations Report" (DBIR), insiders were involved in 68% of all breaches in 2023. Forrester Research forecasts that figure could rise to 90% in 2024, according to its "Predictions 2024" report.

"HRM solutions and programs have surfaced to help CISOs evaluate their firm's human risk, determine whether they are getting a return on their training investment, whether their training is really changing anyone's behavior and improving the firm's cybersecurity posture, and determine what to manage human risk in addition to training people," the report's authors noted.

Weeks after closing the Elevate acquisition in January, Marc van Zadelhoff was tapped as Mimecast's new CEO, replacing co-founder Peter Bauer. Tasked with expanding Mimecast's emerging HRM portfolio, Zadelhoff inked a partnership with Code42 to integrate Code42 Incydr with the Mimecast platform.

By integrating Code42 Incydr's Watchlists for employees with a history of engaging in risky behavior (such as those who frequently fall for phishing attempts) with Mimecast's Profile Groups, organizations can automate the formation, management and policy enforcement among user groups. Likewise, Incydr can be used to manage Mimecast Profile Groups. The integration also lets Mimecast administrators detect and manage exfiltration activity.

Mimecast CEO Marc van Zadelhoff tells Dark Reading that the plan was to leverage that capability to emphasize Mimecast's human risk detection and management capabilities.

"We had been talking to Code42 for a while, and we did the partnership," van Zadelhoff says. "One thing led to another in terms of strengthening it."

Van Zadelhoff says the two acquisitions mark the company's entry into HRM.

"The partnership exposed to us that we had a lot of joint customer interest," he says. "In fact, during that time, we saw an increasing number of our customers adopt Code42 in a fairly short amount of time. As we started leveraging the human risk dashboard and the human risk platform, we started to see that when you add Code42 into the score, it really adds a lot of value on identifying the riskiest segment of the population out there.

**Product Portfolios to Remain Intact With Common Dashboard**

According to van Zadelhoff, there is no overlap between the products Mimecast now offers and Code42's portfolio.

"We tested the product around scalability and how it would work with our technology stack," he says. "It is incredibly compatible. There's zero overlap."

Further, van Zadelhoff insists no products from either company will be deprecated in the wake of the acquisition; the Code42 products will be rebranded Mimecast. Also, in the coming months, Mimecast will create a common human risk dashboard tied to its distinct offerings.

At next month's Black Hat USA Conference in Las Vegas, the company will demonstrate and roll out new artificial intelligence (AI) tools to detect exfiltration risk when employees upload files into generative AI platforms, such as Chat GPT.

"What we're really focused on is understanding when someone takes data from their corporate organizations or from a key repository and exfiltrates that to a public generative AI location," says Rob Juncker, Code42's CTO. "AI is something that we all have to deal with now. So it will be in our base product for all customers effective immediately."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Source

DARKReading