Guy Tytunovich, founder and CEO of CHEQ, says the days of a one-size-fits-all consent strategy are gone. Consider a two-pronged approach and use smart consent management technology to adapt to differing regulations.

Source: Formatoriginal via Alamy Stock Photo

COMMENTARY

Five years since the European Union's General Data Protection Regulation (GDPR) took effect, its fingerprints are everywhere: from proliferating privacy laws worldwide to the now-ubiquitous consent banners seen across websites of every kind. For multinational businesses, the GDPR isn't the only compliance hurdle on the horizon. Take, for example, the forthcoming enforcement of new privacy regulations like the California Privacy Rights Act (CPRA).

Businesses weren't ready for GDPR, and many still aren't. So, what now?

**The Consent-Compliance Gap: How Businesses Are Falling Short**

Data privacy awareness has increased among businesses since 2018, but many still struggle with compliance. The issue isn't just understanding the law but also enforcing it effectively. Many companies assume that simply using consent banners or consent management platforms (CMPs) ensures compliance. But all too often, these tools only provide an illusion of compliance, lacking crucial technical capabilities such as consent and preference enforcement.

The rapidly evolving patchwork of global and local privacy laws can also create confusing contradictions. Different jurisdictions have different requirements for obtaining and documenting consent. They may require different technical capabilities, such as real-time preference enforcement or the recognition of global opt-out preference signals. For example, the GDPR requires explicit consent, while other laws, such as the upcoming CPRA, accept implied consent in certain instances.

This leads to the consent-compliance gap. In this situation, businesses invest in and set up a consent tool, thinking they've fulfilled their compliance duties, yet they remain noncompliant in the eyes of the law.

**It's About to Get More Complicated**

In the five years since GDPR arrived, it's served as a model for data protection laws worldwide, inspiring legislation such as the California Consumer Privacy Act (CCPA), Brazil's General Data Protection Law, and China's Personal Information Protection Law (PIPL). Today, more than 130 nations have enacted privacy legislation, and in the United States, 12 states have enacted privacy laws, with six more in various stages of legislation.

In 2023 alone, four US privacy laws entered enforcement including The Virginia Consumer Data Protection Act (VCDPA), the Utah Consumer Privacy Act (UCPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA). CPRA, an updated version of the CCPA, also entered partial enforcement this year. State-level privacy laws also passed in Delaware Indiana, Iowa, Montana, Oregon, and Texas.

These laws, while similar in many ways, have distinct requirements that make managing consent across jurisdictions even more complicated.

Here's where things get tricky. GDPR requires clear, affirmative consent. But the CPRA, CPA, and CTDPA don't necessarily need that "yes" from users before collecting data. Instead, it's enough to offer users an easy way to say "no." This "opt-out" model changes the game and makes crafting a one-size-fits-all consent strategy near impossible.

What does this mean for businesses that operate in multiple locations? They need to play by the toughest rules — the GDPR's "opt-in" — while also offering California users the "opt-out" choice. And let's not forget, it's not just about these two laws. With over 130 countries having their own privacy laws, businesses could face a whirlwind of different, sometimes conflicting, rules to follow.

This situation calls for a two-pronged solution. On the technical side, businesses need smart consent management technology that can adapt to different regulations. It should be able to serve specific consent banners based on user location, catering to the unique requirements of each region.

On the organizational side, there's a need for constant vigilance and updating. Privacy laws are evolving creatures, with changes and new regulations popping up regularly. Businesses must keep their fingers on the pulse of these changes and adapt their consent management practices accordingly.

In essence, navigating the maze of global privacy laws isn't just about knowing the rules. It's about having the right tools to applying these rules and the commitment to staying updated on the ever-changing landscape of data privacy laws.

**Compliance Is a Constant Effort in an Evolving Global Privacy Landscape**

For the first few years of the GDPR, enforcement actions were few and far between as regulators established precedents in the courts and codified the rules of the regulation. This led many businesses to take a "wait and see" approach to consent and cookie compliance or to do the bare minimum necessary to appear compliant. Today, that approach won't cut it.

As of June 2023, the EU regulators have handed out billions in fines, which relate directly to consent management. One of the largest GDPR fines to date, a €746 million (US$786 million) judgment against Amazon in July 2021, was brought down because the tech company had been using an implied consent model on its EU properties.

Meanwhile, consumer awareness and expectations around data privacy are on the rise. Some 62% of European consumers consider privacy a concern, according to an IAPP survey. Privacy is no longer a mere compliance issue; it's a cornerstone of brand reputation and customer trust. Businesses demonstrating a commitment to privacy can leverage it as a competitive advantage, attracting privacy-conscious consumers and fostering stronger customer relationships.

But to gain that trust, privacy and consent management cannot be a "set it and forget it" initiative; businesses must make a constant, conscious effort to meet evolving requirements and new technologies such as global privacy signals. Five years on, GDPR plays a key role in shaping this landscape, but it's just one piece of an increasingly complex puzzle.

**About the Author(s)**

Founder & CEO, CHEQ

Guy Tytunovich is the founder and CEO of CHEQ, the leader in Go-to-Market Security. Guy is a veteran of the Israeli Military cybersecurity and intelligence units and a founder of numerous tech companies in the space.

Thought GDPR Compliance Was Hard? Buckle Up

Organizations from the Middle East and Africa have typically escaped public ransoms, but that's changing amid heightened geopolitical conflicts and digitalization initiatives.

Source: Jne Valokuvaus via Shutterstock

Cybercrime — and especially ransomware — traditionally have had an uneven impact across the Middle East and Africa (ME&A), yet recent data suggests that ongoing geopolitical conflicts will likely raise the overall level of cyberattacks across the regions.

South Africa saw a significant surge in attacks, with 78% of companies hit by ransomware in 2023, compared to 51% in 2022, according to the State of Ransomware 2023 report published by Sophos earlier this year.

However, the United Arab Emirates (UAE), for example, saw 70% fewer ransomware attacks in 2022, compared to the previous year, following greater international cooperation, according to statements by UAE government officials.

Cyber operations, including ransomware, will likely expand, as the ongoing conflict between Israel and Palestinians raises tensions in the region, much in the same way that Russia's invasion of Ukraine spurred greater attacks, says Jens Monrad, head of threat intelligence for the Europe, ME&A region at Google Mandiant.

"Cyber is now playing a role in any sort of geopolitical conflict, because it's a domain that ... comes with less cost and brings uncertainty, in terms of attribution," he says, adding that activity will likely continue to escalate. "We haven't really figured out how to draw a clear red line in the cyber domain. The line keeps being pushed, rather than somebody saying, now you've crossed the line."

Ransomware data continues to be scarce in the region. In its Digital Defense Report 2023, Microsoft noted that the top four ransomware families — Magniber, Lockbit, Hive, and Blackcat — accounted for two-thirds (65%) of all ransomware encounters and, of the four groups, only a single one, Blackcat, had extensive targets in a ME&A nation — in this case, Israel, which ranked fifth in that malware's targeted regions.

Two-thirds of attacks target Israel, the UAE, Saudi Arabia, or Jordan. Source: Microsoft Digital Defense Report 2023

The trend in the more general category of cyberattacks is clearer: two-thirds of cyberattacks in ME&A targeted either Israel, United Arab Emirates, Saudi Arabia, or Jordan, according to Microsoft's data collected prior to the current Israeli-Palestinian conflict. More than half of the attacks (52%) targeting the region focused on the education, government, information technology, and communications sectors — typical espionage targets.

**Regional Conflicts Spur Cyberattacks**

Surges in cyberattacks typically follow geopolitical conflict. The ME&A is experiencing that trend as well: Attacks conducted by Iran-linked actors, for example, focused on Israel between July 2022 and June 2023, a shift from the previous 12 months in which Iranian actors focused on the United States. The shift followed a highly sophisticated campaign of cyberattacks in 2021 and 2022 by an Israel-linked group, dubbed Predatory Sparrow, which had targeted Iran's critical infrastructure, including steel factories, state broadcasters, gas stations, and trains, Microsoft stated in its report.

"Iran's cyber-enabled influence operations have pushed narratives that seek to bolster Palestinian resistance, sow panic among Israeli citizens, foment Shi'ite unrest in Gulf Arab countries, and counter the normalization of Arab-Israeli ties," Microsoft stated in the report. "While specific narratives varied, the underlying goal was often the same. Tehran likely sought to retaliate against what it perceived were efforts by foreign actors to foment unrest in Iran."

Some of Iran's claimed attacks, however, have been exaggerated, according to Microsoft. And, while Iran-linked groups are some of the most active, the Palestinian-linked Molerats group recently used an improved downloader as part of its initial access operations.

Russian interests in ME&A may have a dampening effect on ransomware activity, since many ransomware groups operate out of Russia, says Mandiant's Monrad.

"I think it's a fair argument to say that these groups are also carefully vetting their victims to ensure that they don't endanger or put themselves at risk," he says. "If they engage in extortion schemes in countries where there are stronger diplomatic and trade relations ... you could potentially expect a political response to \[the victims\] asking Russia to do something."

**Manage Devices, Basic Hygiene**

Overall, companies in the region need to improve their cybersecurity maturity, says Brian Honan, CEO of BH Consulting, an independent cybersecurity and data-protection consulting firm based in Dublin that has clients in the Middle East.

"Where the Middle Eastern area struggles is their cybersecurity may not be as mature or have as much investment as in other regions," he says. "Many of the bigger organizations will have good cybersecurity in place, but in general, \[they are\] more vulnerable than their western counterparts."

Overall, 65% of CISOs in the Kingdom of Saudi Arabia and 47% in the UAE had a material loss of sensitive information in the past 12 months, according to the 2023 Voice of the CISO report published by security firm Proofpoint earlier this year.

Companies in the ME&A region are aiming to improve, however. Attacks on connected devices and cloud-related threats are the top cyberthreats for companies in the Middle East, according to a regional survey conducted for PricewaterhouseCoopers' Digital Trust Insights 2024 report. The worries are leading more than three-quarters of firms (77%) to increase their cyber budgets in 2024, according to the consultancy.

"Increasing digitization means companies are exposed to new digital vulnerabilities, making an effective approach to cybersecurity and digital trust more important than ever," PwC stated in the report, adding: "Middle East respondents revealed that loss of revenue — in terms of lost contracts, lost business opportunities — was the top concern for the outcomes of potential cyber attack in the next 12 months."

Companies still have to strive to do the cybersecurity basics. More than 80% of all compromised started with an unmanaged devices, Microsoft stated in its Digital Defense Report 2023.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Why Ransomware Could Surge in the Middle East & Africa

In a rare instance of an overseas arrest of ransomware perpetrators, four other high-profile gang members were also seized.

Source: ADragan via Shutterstock

European cyber police last week arrested a 32-year-old suspect they believe to be the leader of a Ukrainian ransomware affiliate gang.

According to Europol, authorities searched 30 properties in Kyiv, Cherkasy, Rivne, and Vinnytsia before locating the suspect. More than 20 investigators from a variety of countries were in Kyiv to assist with the operations. Authorities also seized four other individuals from locations across the country, as well as "technological devices." These suspects, whose nationalities weren't released, were identified after 12 other individuals were arrested in Ukraine and Switzerland in 2021. 

This particular ransomware gang, which doesn't have a specific moniker, is suspected of extorting hundreds of millions of euros from victims in 71 countries and encrypting more than a thousand servers worldwide. The group is known for targeting large corporations, and has deployed LockerGoga, MegaCortex, Hive, and Dharma ransomware to perform its attacks. 

According to a spokesperson, more details will be released later, as the operation is ongoing and more arrests will be made in the future.

**About the Author(s)**

Ringleader of Prolific Ransomware Gang Arrested in Ukraine

Dropping the ball on chemical security has precipitated "a national security gap too great to ignore," CISA warns.

Source: TTstudio via Alamy Stock Photo

CISA warned this week that facilities maintaining dangerous chemicals across the US are no longer receiving adequate security support.

Compared with such industries as energy, water, and telecoms, cybersecurity professionals tend to be less au courant with the chemicals sector, despite the physical and cybersecurity threats it faces.

CISA used to plug that gap with its Chemical Facility Anti-Terrorism Standards (CFATS). In CISA's own words, CFATS "identifies and regulates high-risk facilities to ensure security measures are in place to reduce the risk that certain dangerous chemicals are weaponized by terrorists." But on July 28, Congress allowed the statutory authority of the CFATS program to expire.

Yesterday, in a blog marking the fourth monthiversary of that decision, CISA associate director for chemical security Kelly Murray warned that "the absence of the CFATS program is a national security gap too great to ignore," likely leading to security gaps, unsafe conditions, and possibly even access by a terrorist.

**Terrorist Threats to the Chemicals Industry**

There are four primary pillars to CFATS, each with an important security function.

Firstly, CISA has screened over 40,000 chemical facilities through the program, identifying 3,200 of them as high-risk. With four months of downtime, the agency estimates that at least 200 new facilities have likely acquired dangerous chemicals, and that "facilities could be stockpiling these chemicals in excess of their existing security precautions, increasing the risk of terrorist exploitation."

Equally, through CFATS, CISA worked with facilities to identify risks to them and their surroundings, and develop cyber and physical safety plans to mitigate those risks, improving their security postures by around 60%. As Murray explained, approximately one third of CISA's site visits historically tended to reveal security gaps, thus "we can safely estimate that hundreds of security gaps have gone unidentified since July."

Perhaps most importantly, chemical facilities used CFATS to run personnel against a Terrorist Screening Database. CISA used to vet an average of 9,000 names per month, flagging in all more than 10 individuals with terrorist ties. At these rates, Murray estimated, its missed screenings "likely would have identified an individual with or seeking access to dangerous chemicals as a known or suspected terrorist at some point over the past four months."

Lastly, CFATS was designed to help the chemical industry stay ahead of the evolving threat landscape, both from a physical and cyber standpoint. "Prior to the lapse in authority, this process was going to be further enhanced by a proposed rulemaking effort to enhance the physical and cybersecurity standards required of CFATS," Murray explained, though now no longer.

Murray ended the letter with a call to Congress to reinstate CFATS. "This is a resolution we cannot afford to break," she concluded.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

CISA to Congress: US Under Threat of Chemical Attacks

Anyscale has dismissed the vulnerabilities as non-issues, according to researchers who reported the bugs to the company.

Source: Ken stocker via Shutterstock

Organizations using Ray, the open source framework for scaling artificial intelligence and machine learning workloads, are exposed to attacks via a trio of as yet unpatched vulnerabilities in the technology, researchers said this week.

**Potentially Heavy Damage**

The vulnerabilities give attackers a way to, among other things, gain operating system access to all nodes in a Ray cluster, enable remote code execution, and escalate privileges. The flaws present a threat to organizations that expose their Ray instances to the Internet or even a local network.

Researchers from Bishop Fox discovered the vulnerabilities and reported them to Anyscale — which sells a fully managed version of the technology — in August. Researchers from security vendor Protect AI also privately reported two of the same vulnerabilities to Anyscale previously.

But so far, Anyscale has not addressed the flaws, says Berenice Flores Garcia, senior security consultant at Bishop Fox. "Their position is that the vulnerabilities are irrelevant because Ray is not intended for use outside of a strictly controlled network environment and claims to have this stated in their documentation," Garcia says.

Anyscale did not immediately respond to a Dark Reading request for comment.

Ray is a technology that organizations can use to distribute the execution of complex, infrastructure-intensive AI and machine learning workloads. Many large organizations (including OpenAI, Spotify, Uber, Netflix, and Instacart) currently use the technology for building scalable new AI and machine learning applications. Amazon's AWS has integrated Ray into many of its cloud services and has positioned it as technology that organizations can use to accelerate the scaling of AI and ML apps.

**Easy to Find and Exploit**

The vulnerabilities that Bishop Fox reported to Anyscale pertain to improper authentication and input validation in Ray Dashboard, Ray Client, and potentially other components. The vulnerabilities affect Ray versions 2.6.3 and 2.8.0 and allow attackers a way to obtain any data, scripts, or files stored in a Ray cluster. "If the Ray framework is installed in the cloud (i.e., AWS), it is possible to retrieve highly privileged IAM credentials that allow privilege escalation," Bishop Fox said in its report.

The three vulnerabilities that Bishop Fox reported to Anyscale are CVE-2023-48023, a remote code execution (RCE) vulnerability tied to missing authentication for a critical function; CVE-2023-48022, a server-side request forgery vulnerability in the Ray Dashboard API that enables RCE; and CVE-2023-6021, an insecure input validation error that also enables a remote attacker to execute malicious code on an affected system.

Bishop Fox's report on the three vulnerabilities included details on how an attacker could potentially exploit the flaws to execute arbitrary code.

The vulnerabilities are easy to exploit, and attackers do not require a high level of technical skills to take advantage of them, Garcia says. "An attacker only requires remote access to the vulnerable component ports — ports 8265 and 10001 by default — from the Internet or from a local network," and some basic Python knowledge, she says.

"The vulnerable components are very easy to find if the Ray Dashboard UI is exposed. This is the gate to exploit the three vulnerabilities included in the advisory," she adds. According to Garcia, if the Ray Dashboard is not detected, a more specific fingerprint of the service ports would be required to identify the vulnerable ports. "Once the vulnerable components are identified, they are very easy to exploit following the steps from the advisory," Garcia says.

Bishop Fox's advisory shows how an attacker could exploit the vulnerabilities to obtain a private key and highly privileged credentials from an AWS cloud account where Ray is installed. But the flaws affect all organizations that expose the software to the Internet or local network.

**Controlled Network Environment**

Though Anycase did not respond to Dark Reading, the company's documentation states the need for organizations to deploy Ray clusters in a controlled network environment. "Ray expects to run in a safe network environment and to act upon trusted code," the documentation states. It mentions the need for organizations to ensure that network traffic between Ray components happens in an isolated environment and to have strict network controls and authentication mechanisms when accessing additional services.

"Ray faithfully executes code that is passed to it — Ray doesn’t differentiate between a tuning experiment, a rootkit install, or an S3 bucket inspection," the company noted. "Ray developers are responsible for building their applications with this understanding in mind."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Critical Vulns Found in Ray Open Source Framework for AI/ML Workloads

Check out our new look — it's crisp, fast, and more reader-friendly.

Source: ronstik via Alamy Stock Photo

Here are some adjectives the Dark Reading team used to describe our revamped site that went live today: Elegant. Slick. Seamless. Clean. Modern.

Change is never easy or comfortable. But the process almost always winds up injecting new life and fresh purpose into your mission, and that's what we've accomplished with Dark Reading's latest look.

The journey to our new look began in August with the quiet rollout of an updated Dark Reading logo that gave our beloved brand a more contemporary design.

Today we've wrapped that logo in a new website platform that improves the overall reader experience, and our hope is that it makes your visit to the site more pleasant, efficient, and productive.

We've streamlined and updated our section names so the site is easier to navigate by topics (check out the Cybersecurity Topics button at the top of the black navigation bar). There's also more context about the type of content that's here, and how to find it on the Dark Reading site.

We enhanced our featured news section at the top of the fold and added a special feed of the latest news from around the globe via Dark Reading Global. As we announced this spring, DR Global initially is focused on the rapidly growing cybersecurity industry in the Middle East and Africa, but stay tuned as we expand our scope to other regions as well.

Scroll further down the homepage and you'll see our Latest News and Commentary sections, packed with our traditional mix of informed, unique, and relevant content. You'll also see a new space titled Deep Reading, which showcases Dark Reading's vast library of digital reports and original research. You can read summaries of our reports as well as download them for free.

Underneath our dedicated features section The Edge, and DR Technology, our section dedicated to cybersecurity technology trends and products, you will find our newest section, DR Global, now with a homepage presence and its own special section within the site.

That's just a quick tour of some of the new features and functions on the updated Dark Reading site. There will be more landing on the site in the coming months as we evolve to match our readers' needs. No matter how much our look changes, we are committed to serving up comprehensive and informed reporting, analysis, and other content that long has set Dark Reading apart as one of the top cybersecurity media sites in the industry.

In the meantime, we want to hear from you on what you think about the site redesign and its features. Drop us an email at \[email protected\] with your feedback — good or bad, we can take it.

**About the Author(s)**

Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Dark Reading Debuts Fresh New Site Design

The company's power production remains in operation, and authorities have been notified of the attack.

Source: Brian Guest via Alamy Stock Photo

Holding Slovenske Elektrarne (HSE), a Slovenian power generation company, fell victim to a ransomware attack on Nov. 22 that compromised its systems but didn't disrupt power production.

The company regained control and was able to contain the attack on Nov. 24. 

The National Office for Cyber Incidents at Si-CERT and the Ljubljana Police Administration were notified of the attack. The power company also worked with third-party experts to mitigate the effects of the attack and prevent the spread of the malware to other critical infrastructure systems in Slovenia. 

No ransom has been demanded yet. The attack is believed to be the work of Rhysida ransomware gang, which offers its victims an email address to connect with the threat actors without making any financial demands. It's still unclear if HSE has made contact with Rhysida.

Disruption is limited to the Šoštanj Thermal Power Plants and the Velenje Coal Mine websites, according to a spokesperson, and HSE officials have claimed that the situation is under control. 

**About the Author(s)**

Slovenian Electrical Utility HSE Suffers Ransomware Attack

Joe Sullivan, spared prison time, weighs in on the lessons learned from the 2016 Uber breach and the import of the SolarWinds CISO case.

Source: MOZCO Mateusz Szymanski via Shutterstock

Joe Sullivan arrived at his sentencing hearing on May 4 this year, prepared to go to jail had the judge not gone with a parole board's recommendation of probation. A federal jury convicted the former Uber CISO months earlier on two charges of fraud for failing to alert regulators of a 2016 cybersecurity breach, but Sullivan was spared having to serve any prison time.

Instead, Judge William Orrick of the US District Court for the Northern District of California sentenced Sullivan to three years of probation, 200 hours of community service, and a $50,000 fine. Prosecutors were seeking 15 months of prison time for the charges alleged by the Federal Trade Commission (FTC) that Sullivan failed to report the breach that affected more than 50 million records for customers and Uber drivers.

"I went to my sentencing hearing fully prepared to go to jail with a specific penitentiary area that we were going to request," Sullivan tells Dark Reading. "I had to research all the different federal facilities and figure out which one would be the one that my family would be able to most visit and that I would be the safest. And I had to think about who would take care of my kids and who would pay my bills on my house and manage everything else."

**Joe Sullivan, Post-Uber Breach**

Now that the matter has been decided, Sullivan is free to speak out, and he plans to share his story in a keynote address at Black Hat Europe 2023 on Dec. 7. Sullivan says biting his tongue for over six years wasn't easy. "My lawyers wouldn't let me say a word," Sullivan laments.

"If somebody labels what you're doing a coverup, it's really easy for people to buy into that idea," he says. "For six years, I had to listen to and see my name in the media saying things about me that I knew weren't true. And my kids had to be subjected to everybody they know asking them what they saw about their dad on the news."

In getting the minimum sentence, Sullivan says he was vindicated. "The judge said we did an amazing job on the investigation," he says. "We followed our playbook. What people don't understand is the company had D&O \[directors and officers\] insurance policies. We had a data-breach response policy that designated a specific lawyer we were supposed to call. The team called in that lawyer and called in PR. I looped in the CEO and kept him up-to-date."

**Transparency Is the Most Significant Lesson**

Sullivan says the key mistake he made was not bringing in third-party investigators and counsel to review how his team handled the breach. "The thing we didn't do was insist that we bring in a third party to validate all of the decisions that were made," he says. "I hate to say it, but it's more CYA."

Now, Sullivan advises other CISOs and companies about navigating their responsibilities in disclosing breaches, especially as the new Securities & Exchange Commission (SEC) incident reporting requirements are set to take effect. Sullivan says he welcomes the new regulations. "I think anything that pushes towards more transparency is a good thing," he says. He recalls that when he was on former President Barack Obama's Commission on Enhancing National Cybersecurity, Sullivan was pushing to give companies immunity if they are transparent early on during security incidents.

That hasn't happened until now, according to Sullivan, who says the jury is still out on the new regulations, which will require action starting in December.

"Right now, too many companies think it's not in their best interest to be transparent," Sullivan says. "I think the SEC is trying to change the incentives through sticks rather than carrots. But that's the tool that they have, which is better than nothing."

**SolarWinds Sends Mixed Signals from the SEC**

Meanwhile, the SEC is signaling a zero-tolerance focus when it comes to data beach mishandling, with its recent charge of fraud in the US District Court in the Southern District of New York against SolarWinds Corp. and its CISO Tim Brown, regarding the software supply chain attack on the company's Orion platform in October 2020.

But Sullivan says the SEC's decision to charge SolarWinds and Brown contradicts the agency's approach in rolling out its new disclosure rules just months earlier.

"On the one hand, they are engaged with the community and have set some new expectations, which I think is great because they're trying to set some rules for the road, and they got feedback from the public," Sullivan says. "But if you look at the Solar Winds and Tim Brown enforcement action, you see a very different approach, which is not so collaborative, and a lot of commentators have suggested that maybe they don't seem to fully understand what life is really like doing security inside of a corporation."

It's too early to predict how the case will play out since only the parties involved know what evidence will be presented, Sullivan says. But based on the SEC's charges, he sees similarities to his own situation.

"The government, the FTC in my case, felt that my company wasn't sufficiently transparent, and they sought to hold me personally accountable for that, even though it wasn't my job to be the communicator of our security posture or answer any of their questions," Sullivan says. "In fact, I hadn't seen a lot of the documents. And so, their case was about me being held personally responsible for the company's approach to communication. Tim Brown's case is the exact same thing."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Former Uber CISO Speaks Out, After 6 Years, on Data Breach, SolarWinds

As industries around the world act to mitigate the increase in cyber threats, the aviation sector should be leading the cybersecurity uprising, explains William "Hutch" Hutchison, CEO of SimSpace.

Source: Allen Creative/Steve Allen via Alamy Stock Photo

COMMENTARY

Over the last three years, the global aviation industry has been left reeling by a post-pandemic sucker punch that hit the sector with over $185 billion in losses. Once a bastion of American prosperity, airlines were forced into survival mode, cutting staff from their workforce and flights from their schedules.

Capital preservation was the default setting for boards across the country, but as the sector emerges from economic instability, CEOs and CISOs want to know where to invest to ensure long-term growth. The North Star of success in aviation continues to be the safety of passengers, systems, and the data they house. For decades, this safety was only challenged by spilled coffee, crosswinds, and external market forces.

The cybersecurity of airlines and manufacturers has opened a new domain of safety crucial for the continuity of flight systems, servers, and communication equipment. Security has become an integral component of an economic powerhouse that has contributed to American transportation, trade, and commerce for over 100 years.

To ensure the security of the industry for the next century, protecting critical infrastructure from increasingly complex and frequent cyberattacks should be the No. 1 priority for large organizations across the US. The new litmus test for investors and insurers will be how prepared airlines and manufacturers are for the potentially debilitating consequences of a cyberattack.

**The Rising Tide of Accountability**

Of all cyberattacks against the aviation industry in 2021, 55% resulted in financial loss, and over one-third resulted in the leaking or theft of personal data. The improving success rate of hackers compelled them to go bigger and better, as the average ransomware demand skyrocketed to $2.2m in 2022, although payouts often were less.  Ransomware responses continue to evolve as regulations tighten.

In light of this, regulatory bodies and lawmakers have sounded the alarm, placing a spotlight on securing systems and networks against rising threats. In March 2023, the Transportation Security Administration (TSA) issued an "emergency amendment" to airports and aircraft operators' security programs. The amendment mandates TSA-regulated entities develop implementation plans to improve their cybersecurity resilience, aiming to prevent disruption and degradation to their infrastructure.

At the same time, the US government's new National Cybersecurity Strategy this year has reinforced the necessity of defending critical infrastructure by shifting responsibility from individuals to large organizations. This coordinated governmental strategy has, in part, been a response to the abundance of attacks against targets in the aviation sector. Canadian low-cost airline SunWing faced four days of flight delays last year after third-party software systems breached the check-in process. Indian carrier SpiceJet was also hit by a ransomware attack that left hundreds stranded at airports nationwide, showing that these events are occurring in all corners of the world.

The International Air Transportation Association (IATA) is the foremost authority of global aviation best practice. They made the responsibility of civil aviation cybersecurity clear, stating that "people, processes, and technology" (PDF) are the three main components dependent upon each other to create a unified cyber strategy. We are in an age where nation-state tactics and techniques are accelerating beyond the ability of the commercial sector to defend themselves. However, traditional General Data Protection Regulation (GDPR) approaches to assessing and reducing cyber-risk have simply become obsolete.

If pilots navigated planes only using their knowledge of flight controls, this would not prepare them for the demands of neutralizing an engine failure at 30,000 feet. This is why they test and train their skill set in simulators designed to mimic real-world scenarios, so their knowledge and reactions are robustly exercised for maximum performance. The next generation of cybersecurity is now taking this concept and applying it to the defense of critical assets in the aviation industry.

**One Small Step for Tech, One Giant Leap for Cybersecurity**

Cyber-ranges are the government-grade flight simulators of cybersecurity. By battle-testing defenses in real-world conditions, airlines' IT and OT environments can experience the equivalent of three years' worth of attacks in just 24 hours. However, many airlines use data collection and storage software seen in most industries, making lateral movement through networks relatively straightforward.

Decision-makers in the halls of aviation titans around the country are now deciding how to implement precautions to secure these systems and bolster their company's investment strategy for the next stage of growth. Prioritizing government-grade cybersecurity can help them refine their incident response plans, train employees, and comply with the latest groundswell of regulation. By implementing a "train to failure" mindset, companies can test their defenses against phishing, DDoS attacks and data-breach techniques that contribute to around two-thirds of all cyber threats in the industry today.

If an aviation organization loses less than 1% of its customers as a result of a data breach, millions of dollars in revenue could be lost. Carriers and manufacturers need the data and insight into their IT and OT environments to see what is working, and what isn't.

By implementing a proactive approach to cybersecurity, effective mitigation of threats can be achieved, reducing the dwell time of attackers. By removing the "unknown unknowns" of cyber threats, businesses can achieve the maximum levels of protection needed to keep their company safe.

**About the Author(s)**

CEO & Co-Founder, SimSpace

William "Hutch" Hutchison is the CEO and Co-Founder of SimSpace. He had extensive experience working in the NSA as a senior officer with US Cyber Command. US Cyber Command and the National Security Agency (NSA) are the premier organizations of the US Department of Defense and Intelligence Community, responsible for conducting military and intelligence operations in the cyber domain. Hutch was appointed through presidential order to create a team focused on defending US national infrastructure against state cyberthreats. In 2015 Hutch started the cyber readiness platform to deliver military-grade cybersecurity protection against advanced cyber threats for governments and organisations worldwide.

As a former F-15 fighter pilot, Hutch went on to lead cyber exercises at the US Cyber Command, and created numerous Department of Defense (DoD) cybersecurity training, testing and assessment programs. Hutch helped create a "Special Forces" approach to testing cyber defense teams and continues to serve as the Test Director for cyber operational assessments at the DoD.

At SimSpace, Hutch spearheaded multiple deployments in financial and other commercial sectors. Hutch holds a Bachelor’s degree from Duke University, a Master’s degree in aerospace engineering from University of Texas at Austin, and a master's degree from the MIT Sloan School of Management.

Fight or Flight: How to Keep Cyberattacks From Taking Off

Online shopping websites often lack basic security protections when it comes to PII, allowing malicious actors to capitalize on consumer data or perpetuate retail and hospitality scams.

Source: Valentin Valkov via Alamy Stock Photo

The post-Thanksgiving e-commerce shopping event known as Cyber Monday draws millions of consumers each year seeking out bargains online — to the tune of $11 billion in 2022.

However, amid the purchasing spree, consumers routinely share sensitive personally identifiable information (PII) on e-commerce platforms, including credit card details and addresses, and a recent survey by CyCognito explores the question of whether these sites prioritize security and compliance.

The report unveiled concerning insights on the risk of compromised PII, of which many remain unaware – and discovered substantial pitfalls in the security landscape of Cyber Monday e-commerce platforms.

Even though more than half (52%) of e-commerce Web apps exist in the cloud, the research indicated they aren't immune to security vulnerabilities.

The study revealed 2% HTTPS, the the secure version of HTTP and a protocol for secure data transmission. This poses a risk to around 520,000 of the estimated 26 million global e-commerce stores.

Researchers discovered more than a quarter (28%) of these platforms operate without a Web application firewall (WAF), and nearly one in four (24%) e-commerce Web apps that collect PII are missing a WAF.

Additionally, nearly six in ten (58%) e-commerce Web apps collect user PII, raising concerns about data handling. Equally worrisome is that 78% of these platforms don't seek user consent for cookies, a compliance red flag.

The array of security issues doesn't stop there, with 13% of ecommerce Web apps throwing up certificate validity issues, and just under half (48%) of platforms have one or more cryptographic vulnerabilities.

The report also found that 2% of ecommerce Web apps carry critical security issues, half of which involve PII, and more than three quarters (76%) of these critical issues are easily exploitable.

Rounding out the research findings was the discovery that 7% of all e-commerce Web apps monitored had at least one issue from the OWASP Top Ten list, a commonly used awareness document for developers and Web application security.

**Threats Rise As Holiday Shopping Season Kicks Off**

On the individual shopper front, it's worth a reminder that Holiday spending perennially catches the eye of threat actors, who exploit consumer behaviors and prey on the surge of online payments and digital activities during the holidays.

This has risks for organizations, too: Companies continually battle credential harvesting, phishing, bots, and various malware variants, with a recent Malwarebytes Labs report warning of a 50% uptick in credit card skimming in 2023 — and that's only set to get worse during the holiday shopping season.

Vandan Pathak, senior application security consultant at Optiv, says scammers are going to activate their plexus network of techniques to entice victims with fake promotions.

"Individuals are highly advised not to entertain any messages or calls they receive which offer them direct holiday discounts," he says. "In the past, we have seen individuals fall for these traps frequently and the number is going to increase during the holiday season."

He notes that individuals must be aware of scammers and fake gift card offers — often, these "offers" come with the light lift of filling out a survey.

"Only, the survey is fake, and the sole result is your personal information is now in the hands of a bad actor," he explains. "These have historically been quite successful tactics during the holiday months."

He adds security front liners, such as network security engineers or analysts, should be attentive to upticks in unusual activity in company environments.

"Attacks on organizations during this time of the year are successful often due to teams' guards being down," Pathak cautions.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Source

DARKReading