USBs have something the newest, hottest attack techniques lack: the ability to bridge air gaps.

Source: Mohammad Aaref Barahouei via Alamy Stock Photo

Industrial cyberattackers are increasingly using removable media to penetrate operational technology (OT) networks, then leveraging the same old malware and vulnerabilities to make their mark.

For whatever reason, USB devices are a la mode again with some of the world's premier threat actors. Nowhere is this more evident than in the OT space where, according to Honeywell's "2024 USB Threat Report," attackers are "clearly" turning to USBs to get a foothold in industrial networks.

With that foothold, Honeywell reports, attackers are forgoing sophisticated exploitation techniques, zero-day vulnerabilities, or novel malware. Instead, they're leveraging old tools and bugs, plus the built-in capabilities of OT control systems to achieve their end goals.

**Why USBs?**

USBs have something that none of the newest, hottest attack techniques do: the ability to bridge air gaps.

True air gaps are physical separations between OT and IT networks designed to let no malicious attacks pass through. Some also use the term to describe other kinds of setups that distinguish IT and OT systems using access controls, segmentation, and the like. Air gaps are most often used in high-risk industries — think nuclear, military, financial services, etc. — where other means of demarcating IT and OT networks won't cut it.

"A lot of operational facilities are entirely air gapped," explains Matt Wiseman, director of OT product marketing at OPSWAT. "Those more modern approaches like email-based attack — something over the network — aren't really as effective when \[the OT systems\] are disconnected from the broader Internet. You need to be more creative, think outside the box. USBs and removable media are very interesting because they're the only threat you can pick up in your pocket and carry beyond that air gap."

Interestingly, the trend seems to have been born during COVID. In 2019, only 9% of USB-carried cyber threats to industry were actually designed for USBs. By 2022 — and consistently ever since — that number exceeded 50%.

Having crossed that air gap with a USB, attackers are opting for living-off-the-land tactics to perform data collection and exfiltration (observed in 36% of Honeywell's detected USB attacks), defense evasion (29%), and escalation privileges (18%), ultimately achieving persistence in the operational network.

Clearly novel and powerful malware and vulnerabilities are not the focus, as brand name tools of yesteryear such as BlackEnergy and Industroyer (aka CrashOverride) are still making rounds. The most common vulnerabilities exploited in such attacks — such as CVE-2010-2883 and CVE-2017-11882 — are equally dated. All of the most common CVEs listed in Honeywell's report have been known since at least 2018.

In most cases, the goal of these attacks is disruption or destruction. Around 80% of USB-based threats every year now are capable of causing disruptions to OT systems, including loss of visibility or control, or worse (ransomware, wipers, etc.).

**Defending Against USB Threats**

The good news for defenders is that with such antiquated threat vectors, fancy and expensive solutions aren't necessarily the solution. "You can always go with the fundamentals," Wiseman says, meaning strict USB policies and procedures.

At many organizations, he says, "You go back a number of years, there was an honor system. 'Hey, did you scan that?' Now you have technology that can check to make sure. If you plug something in, it's not going to work unless it has been scanned and checked by some type of formal security solution."

This technology often takes the form of a kiosk or "sanitation station" for scanning removable media, placed strategically at the exterior of a sensitive site in order to make sure no malicious ones make their way through. Sometimes those stations are paired with file transfer systems to ensure that no outside device ever actually has to cross the threshold of an industrial control floor.

"We're seeing more mature conversations now. What's our mobile program? What's the process for employees? What's the process for guests? How do we manage these devices? How do we view the activity that's occurring? And how do we ensure that we're ahead of it going forward?" he says. "There's definitely a massive realization of the threat that these devices can pose."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

To Damage OT Systems, Hackers Tap USBs, Old Bugs &amp; Malware

Verizon, AT&T, and T-Mobile USA are being fined for sharing location data. They plan to appeal the decision, which is the culmination of a four-year investigation into how carriers sold customer data to third parties.

Source: Wavebreak Media ltd via Alamy Stock Photo

The Federal Communications Commission (FCC) has fined the top US wireless carriers a collective $200 million for sharing access to customers' location information without consent, the culmination of an action proposed four years ago as authorities continue to grapple with how to reel in companies' handling of sensitive personal data. For carriers, who note that the fines are based on outdated programs that no longer exist, the action represents unsettled regulatory waters as requirements for handling customer data security and privacy in the modern era continue to shake out.

Specifically, the FCC fined Sprint and T-Mobile USA, which have merged since the investigation began, more than $12 million and $80 million, respectively; AT&T more than $57 million; and Verizon almost $47 million.

The agency proposed the fines in 2020 based on an investigation that started after reports that a Missouri sheriff consistently used a "location-finding service" operated by Securus, a company that provides and monitors telecommunications service in correctional facilities, to access the location information of the wireless carriers' customers without their consent between 2014 and 2017.

The case ultimately revealed that the four telecom providers had programs in place at the time that were selling customer-location data to two data-aggregation firms, who then resold access to this data to other entities.

"This action demonstrated the carriers offloading obligations to obtain customer consent onto downstream recipients of location information," which in many instances meant customers did not actually consent to releasing their data, according to an FCC press release (PDF) on the decision. For their part, the carriers say that the data was shared with the third parties in order to enable location-based safety services such as roadside assistance.

"Our communications providers have access to some of the most sensitive information about us," said FCC Chairwoman Jessica Rosenworcel in a statement on the fines. "These carriers failed to protect the information entrusted to them."

This is likely not the end of the fines: The commission also said that it plans to continue to resolve these types of older privacy cases regarding customer data, holding "all carriers accountable and making sure they fulfill their obligations to their customers as stewards of this most private data," she said.

**Wireless Cos Push Back on FCC Privacy Fines**

All of the carriers confirmed to Dark Reading that they will go to court to appeal the decision, which was based on a provision of the Communications Act of 1934 that requires US wireless carriers to take reasonable steps to safeguard specific customer data, such as location information.

Generally, the companies claim the action by the FCC is based on outdated scenarios at the telecom providers that have since been remedied, and they no longer allow third parties to access sensitive customer location-based data.

Verizon spokesman Rich Young says the order concerns an old program at Verizon that required customers to opt in and was shut down more than five years ago. The program "was intended to support services like roadside assistance and medical alerts," he tells Dark Reading, and Verizon shuttered it when the company discovered it was being used fraudulently.

"Verizon is deeply committed to protecting customer privacy," Young says. "Unfortunately, the  FCC's order gets it wrong on both the facts and the law, and we plan to appeal this decision."

For its part, T-Mobile USA gave Dark Reading a statement to much the same effect: "This industry-wide third-party aggregator location-based services program was discontinued more than five years ago after we took steps to ensure that critical services like roadside assistance, fraud protection, and emergency response would not be disrupted. We take our responsibility to keep customer data secure very seriously and have always supported the FCC's commitment to protecting consumers, but this decision is wrong, and the fine is excessive. We intend to challenge it."

AT&T too plans to appeal the fines, which apply for a service that was discontinued in 2019.

"The FCC order lacks both legal and factual merit," a spokesperson says. "It unfairly holds us responsible for another company's violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company's failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged. We expect to appeal the order after conducting a legal review."

A spokesman for CTIA, a telecommunications industry trade association representing US carriers and resellers, also criticized the fines, citing a "broken enforcement process" on the part of the FCC that deserves examination by Congress.

"After touting the potential of location-based services to provide benefits like roadside assistance and emergency medical alerts, the FCC refused CTIA's request for guidance on how providers should run those programs, and is now penalizing providers for facilitating them," said CTIA senior vice president and chief communications officer Nick Ludlum, in a media statement.

**Carrier Uncertainly: Customer-Privacy Worries Persist**

Complaints that the FCC is behind the times may indeed be justified, as the commission is not known for moving quickly on clarifying how telecom and VoIP providers handle customer privacy.

For instance, it took the FCC 16 years to update how telecom and VoIP providers report data-breaches, issuing new rules in February of this year that they must notify customers whenever there's personally identifiable information (PII) involved in a cyber incident. The new rules — which also require carriers and service providers to report breaches to the FCC, the FBI, and the Secret Service within seven days of discovery — were the first since 2007 to be issued by the commission regarding data-breach notifications.

Meanwhile, the issue of customer privacy when it comes to carriers continues to be a worry, and the fines appear to demonstrate a heavy hand by the FCC in holding communications providers accountable when private customer data leaks. Abroad, other privacy troubles concerning how carriers handle customer data also are brewing.

For example, a huge swathe of telecom customers in Namibia recently were faced with losing their phone service if they didn't hand over sensitive biometric data to the country's premier telco, Mobile Telecommunications Ltd. The potential privacy threat occurred after a well-intentioned plan to combat mobile fraud and identity theft went astray.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Wireless Carriers Face $200M FCC Fine As Data Privacy Waters Roil

Themed "The Art of Possible," this year's conference celebrates new challenges and opportunities in the age of AI.

Liat Hayun, Co-Founder & CEO, Eureka Security

April 30, 2024

3 Min Read

Source: Aleksandr Matveev via Alamy Stock Photo

COMMENTARY

This year's RSA Conference theme, "The Art of Possible," celebrates the challenges brought about by new frontiers, broken boundaries, and promising horizons. While the shift to the cloud initially caused concern and hesitation, as data began moving through it, across environments and with very little oversight, data security professionals knew this profound shift in the modern business model would bring about not only challenges but also opportunities. As we enter the age of AI, the security community must embrace the possibilities of improved data security mechanisms, alongside — without obstructing — improved business processes. Looking ahead to this year's RSA Conference, here are six leading data security sessions we're excited to attend — and that will help us uncover AI's risks and opportunities.

**My Top Six Picks****Operational Data Governance-by-Design Techniques for a Data Practitioner**

Monday, May 6

Why you should attend: This session, led by Cisco Systems, seems like a unique opportunity to discover practical tools for implementing data governance across your organization while presenting various use cases, with attention given to all aspects of data use and management. Assess your level of data governance by engaging with other data practitioners in the audience in this live discussion.

**Bridging Theory and Practice of Privacy and Data Protection**

Monday, May 6

Why you should attend: The more data floods the industry, the more practical tools security practitioners need to ensure that privacy and data protection concerns are addressed across their organizational environments. This session will include practical examples of integrating data security and privacy guardrails and measures in real business environments, sourced from the audience.

**ChatGPT Unleashed: Solving Data Breach Puzzles With Precision**

Monday, May 6

Why you should attend: A data security challenge leveraging AI? Sign us up! This unique session challenges participants to use ChatGPT prompts to mitigate a looming data breach, with hidden malware waiting to be found and fixed. Beyond a fun experience, this session will expand the knowledge of what may be possible with the next generation of AI technology and lead us through an innovative learning experience.

**Controlling a Data Footprint — How to Build a Data Disposition Framework**

Monday, May 6

Why you should attend: Data is a goldmine for organizations, and they're constantly innovating in how they gather and leverage it to achieve business goals. This session will equip you with a step-by-step approach to building a data lifecycle management framework. This framework will empower companies to decide how long to hold onto data, and outline methods for safeguarding, transforming, or eliminating data to comply with regulations.

**Establishing a Data Perimeter on AWS**

Wednesday, May 8

Why you should attend: While it may seem like there are no boundaries in the cloud era to where data can reside, be stored, and be used, data security guardrails and mechanisms exist for this purpose exactly — to let data roam free for business use, while ensuring that security controls are set in place and visibility is maintained across all environments, at all times. This session will present some of the controls used by AWS to protect data from unauthorized access.

**Data Heist: How Stolen Information Becomes a Hot Commodity**

Thursday, May 9

Why you should attend: We're so busy preventing breaches that we don't often take the time to consider what malicious actors do with the data they steal after the crime. This session dives deeper, exploring the clandestine marketplaces where stolen information is peddled. You'll be exposed to the inner workings of these criminal data shops, with comprehensive risk assessments comparing the vulnerabilities of various data types and how to best protect them.

**Final Thoughts**

While data security has been a top-of-mind business and security concern for the past decade, the ever-evolving landscape of data innovation constantly introduces new and emerging threats for security practitioners. To stay ahead of the curve, cybersecurity professionals must remain vigilant and adapt their strategies accordingly. The upcoming RSA Conference provides a phenomenal platform to achieve just that, with a wide range of sessions on the latest data security trends and solutions. Hope to see you there!

**About the Author(s)**

Co-Founder & CEO, Eureka Security

Liat Hayun is the Co-founder and CEO of Eureka Security, a Cloud Data Security Posture Management platform that enables security teams to successfully navigate the ongoing and often chaotic expansion and growth of cloud data. Prior to co-founding Eureka Security, Liat spent a decade leading cybersecurity efforts in the Israeli Cyber Command and Palo Alto Networks. Her IDF service merited the prestigious Israel Defense Prize. As VP of Product Management at PANW, Liat led the production of Cortex XDR and PANW’s Managed Threat Hunting service. These roles have enabled Liat to pursue her greatest interests and concerns in the cybersecurity threat landscape, as well work with wonderfully talented people on their solutions. Passionate about working closely with others, she is driven to identify meaningful operational security gaps and develop exciting new technologies and strategies to help fellow security leaders tackle them.

The 6 Data Security Sessions You Shouldn't Miss at RSAC 2024

PRESS RELEASE

SAN DIEGO, April 29, 2024/PRNewswire/ -- ESET, a global leader in cybersecurity solutions, today announced the launch of two new Managed Detection and Response (MDR) subscription tiers: ESET PROTECT MDR for small and medium businesses (SMBs) and ESET PROTECT MDR Ultimate for enterprises. These offerings are built on the foundation of ESET PROTECT Elite and ESET PROTECT Enterprise, offering businesses of all sizes the most comprehensive, AI-powered threat detection and response capabilities, in combination with expert human analysis and comprehensive threat intelligence.

ESET's MDR offerings are designed to cater to the specific needs of both SMBs and Enterprises. To that end, ESET PROTECT MDR delivers a comprehensive cybersecurity package, offering 24/7/365 superior protection that addresses the most common challenges of small and medium-sized businesses. This includes modern protection for endpoints, email, and cloud applications, vulnerability detection and patching, and managed threat monitoring, hunting, and response. It addresses the cybersecurity talent shortages and ensures compliance with cyber insurance and regulations, offering a remarkable 20-minute average time to detect and respond, a comprehensive MDR dedicated dashboard and regular reporting for complete peace of mind.

For enterprises, ESET PROTECT MDR Ultimate offers continuous proactive protection and enhanced visibility, coupled with customized threat hunting and remote digital forensic incident response assistance. This comprehensive service is designed to support overstretched SOC teams, providing them with 24/7 access to world-class cybersecurity expertise. It ensures enterprises stay one step ahead of all known and emerging threats, effectively closing the cybersecurity skills gap, and facilitating expert consultations for incident management and containment in a fully managed experience.

ESET also sets itself apart with its own telemetry and unique global coverage, leveraging its detections and ESET Research to gather unique data about attacks, a competitive edge not offered by many players in the market.

"With the update of our business offering, we want to make ESET products accessible to customers without the necessary skill set or resources to operate them, but to also empower organizations to navigate the digital landscape confidently, safeguarded by our expertise and continuous, comprehensive coverage," stated Michal Jankech, Vice President of SMB and MSP segment at ESET.

Enhancements to the ESET business portfolio

Additionally, all ESET PROTECT subscription tiers, starting from ESET PROTECT Advanced, are now enhanced with ESET Mobile Threat Defense (EMTD). This new value-added, standalone module extends attack vector coverage to an organization's entire mobile fleet, seamlessly integrating into the ESET PROTECT Platform for efficient management, ensuring comprehensive protection for mobile devices. EMTD also includes a Mobile Device Management (MDM) functionality, with added support for Microsoft Entra ID.

Moreover, ESET Server Security introduces a firewall specifically designed for Windows servers, and Vulnerability & Patch Management, offering manual patch management and a 60-second delay of application process kill.

Finally, ESET LiveGuard Advanced now also offers advanced behavioral reports for our detection and response customers, providing an in-depth look into how our cloud sandboxing technology analyzes suspicious files, offering better visibility and context for security operators like cybersecurity and threat analysts, security engineers, or threat responders.

"This significant launch underscores ESET's unwavering dedication to delivering superior protection and services, effectively responding to the dynamic challenges faced by customers to stay one step ahead of threats," added Michal Jankech, Vice President of SMB and MSP segment at ESET.

For more detailed information about ESET and its updated portfolio, please visit the dedicated offering pages for SMBs and Enterprises.

About ESET  
ESET provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of known and emerging cyber threats — securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, its AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multi-factor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. An ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and X.

ESET PROTECT Portfolio Now Includes New MDR Tiers and Features

The CVE-2024-27322 security vulnerability in R's deserialization process gives attackers a way to execute arbitrary code in target environments via specially crafted files.

Source: Billion Photos via Shutterstock

A high-severity vulnerability in an R programming language process could expose organizations using the popular open source language to attacks via the software supply chain.

The vulnerability, assigned CVE-2024-27322, has a CVSS vulnerability-severity score of 8.8 out of 10. It involves R's process for deserializing data, or converting objects encoded in formats such as JSON, XML, and binary, back to their original form for use in an application or program.

R is a relatively widely used language for statistical computing and graphics applications. It is popular among developers in sectors such as financial services, healthcare, research, government and in environments involving large datasets such as AI and machine learning. The Comprehensive R Archive Network (CRAN), which is the most popular R package repository, currently hosts more than 20,000 packages, while R-Forge, a site that provides R package development tools, has more than 15,800 registered members and hosts some 2,146 projects.

**Deserialization Issue**

Researchers at HiddenLayer found a weakness in R's process that gives attackers a way to execute arbitrary code in a victim environment via a specially crafted R Data Serialization (RDS) file. Programmers commonly use RDS files to store or save objects in R for future use or for sharing with others.

"This vulnerability can be exploited through the loading of RDS files or R packages, which are often shared between developers and data scientists," HiddenLayer researchers Kasimir Schulz and Kieran Evans said in a report this week. "An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction," according to the report.

The maintainers of R have addressed the issue in R version 4.4.0 after HiddenLayer informed them of the issue.

**A Lazy Promise Allows Tinkering**

The vulnerability in R that HiddenLayer discovered relates to two fundamental concepts in R, called "lazy evaluation" and "promise objects." Lazy evaluation is a programming technique where an R program does not evaluate an expression or variable until actually required to, or when directly accessed. The goal is to improve performance by avoiding computations for expressions that might end up not being needed. A promise object is closely related to lazy evaluation and represents the object that has been delayed for evaluation.

What the researchers at HiddenLayer discovered was a way to create a promise object with a payload that would run code of their choice when the object was accessed during RDS file deserialization.

"R packages leverage the RDS format to save and load data," according to HiddenLayer. Two files that facilitate this process are an .rdb file that contains all the serialized objects to be included in a package, and an .rdx file that contains metadata about each of the objects.

"When a package is loaded, the metadata stored in the RDS format within the .rdx file is used to locate the objects within the .rdb file," according to the analysis. The objects within the .rdb files are then deserialized.

"An attacker can exploit this by creating an RDS file that contains a specially crafted promise object embedded with arbitrary code," Schulz tells Dark Reading. "Due to the way R implements lazy evaluation, the embedded arbitrary code will be executed once a user has loaded the malicious file or package." An attacker can relatively easily add a weaponized package to an R repository such as CRAN and simply wait for an unwary user to load that package.

**Potentially Vast Attack Surface: Multiple Infection Sources**

There are literally dozens of major hubs, such as R-Forget and Bioconductor, that R developers use to share and download packages. Not only are these hubs providing developers with access to thousands of packages, some, like Bioconductor, with more than 42 million downloads are being used regularly, Schulz says. "Someone just needs to take advantage of the vulnerability and the massive open source space for R packages to affect thousands of downstream users in a potentially massive supply chain attack," he says.

Schulz recommends that organizations move to the latest version of R to mitigate risk: "In addition, organizations should ensure that users of R are made aware of current and potential future vulnerabilities of this nature and make it policy to only use known trusted files and packages."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

R Programming Bug Exposes Orgs to Vast Supply Chain Risk

Okta warns users that the attack requests are made through an anonymizing service like Tor or various commercial proxy networks.

Source: Ahmed Zaggoudi via Alamy Stock Photo

Credential-stuffing attacks targeting online services are spiking due to the accessibility of residential proxy services, stolen credentials, and scripting tools, Okta is warning its users.

From April 19 through April 26, Okta's researchers observed an increase in credential-stuffing attacks against Okta accounts.

Moussa Diallo and Brett Winterford, researchers at Okta Security, note that all recent attacks share a common denominator: The requests are made largely through an anonymizing device such as Tor. 

In addition to this, the researchers found that millions of requests were routed through various residential proxies such as NSOCKS, Luminati, and Datalmpulse. These residential proxies are "networks of legitimate user devices that route traffic on behalf of a paid subscriber." The researchers recently have observed a significant number of mobile devices used in proxy networks where the user has a downloaded app on their device using compromised software developer kits (SDKs).

"Effectively, the developers of these apps have consented to or have been tricked into using an SDK that enrolls the device of any user running the app in a residential proxy network," the researchers wrote. "The net sum of this activity is that most of the traffic in these credential-stuffing attacks appear to originate from the mobile devices and browsers of everyday users."

Okta has released a capability into the Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) that blocks requests from anonymizing services. This feature can be turned on in the settings of the Okta Admin Console. Organizations that want to block access from specific anonymizers must be licensed to use Dynamic Zones, an Adaptive MFA feature.

Okta also recommends that its users shore up best-practice defense measures to prevent account takeovers from credential-stuffing attacks.

"Defense in-depth measures, such as utilizing multifactor authentication on externally available employee access portals as well as sensitive internal systems, are needed here," said Thomas Richards, principal consultant at Synopsys Software Integrity Group, in an emailed statement to Dark Reading. "Additionally, there are anomalous behavior detection systems that can identify if a user is logging in at an unusual time, physical location, or source IP address."

**About the Author(s)**

Okta: Credential-Stuffing Attacks Spike via Proxy Networks

While other professions are making up ground, cybersecurity still lags behind in female representation, thanks to a lack of respect and inclusion.

Source: Valeriy Kachaev via Alamy Stock Photo

Right now, in 2024, at least three of every four cybersecurity professionals is male.

Cybersecurity is hardly the only male-dominated industry, but even in contrast to others — like law (53%), accounting (46%), and doctors of medicine (37%) — it lags behind.

According to new research from ISC2, women make up just 20% to 25% of the cybersecurity industry. And that figure, it noted, has remained relatively consistent for some years.

It stands out even more when compared with the racial makeup of the industry. While the majority of cyber pros over the age of 40 in the US, the UK, Canada, and Ireland are white, the majority under 40 are not. ISC2 found that over the past 12 months, a full two-thirds of new entrants to the industry from those countries have been non-white.

The takeaway? Cybersecurity is fixing its diversity problem, but only halfway.

**Gender Representation in Cyber, by the Numbers**

Just 4% of ISC2 survey respondents indicated that women make up a majority of their security teams. By contrast, 11% admitted they have no women on their teams at all.

There seems to be a mild networking effect at play, too. The average woman in security works with around 8% more women (30%) on average than men do (22%).

The problem is pretty much the same across industries, as the most-diverse sectors, like cloud services, automotive, and construction (all 28% female), don't far outpace the least-diverse (military and energy, each at 20%).

There are, however, some positive trends alongside the lagging ones.

Where only around 14% or 15% of cyber pros over age 40 are women, at least 25% under age 35 are (a relative improvement).

Most interestingly, the women who do make it into the cybersecurity field tend to rise up the corporate ladder at least as high as, if not higher than, their male counterparts. Women own executive titles at a similar clip to men. A greater percentage of them possess managerial-level roles, and a lesser percentage are ranked as individual contributors. And counterintuitive though it may sound, a greater percentage of women in security are involved in the hiring process than are men (33% to 24%).

That data, however, contrasts with other recent findings.

**The Root of the Problem: Exclusion**

In its "2023 State of Inclusion Benchmark in Cybersecurity" report, Women in Cybersecurity (WiCyS) tracked the ways in which women experience exclusion in the industry. "Respect" ranked as the worst issue on its list, but just behind respect was "career and growth opportunities."

"Women are experiencing a glass ceiling at around six years," reports Lynn Dohm, executive director at WiCyS. "You could imagine the journey for a woman in cybersecurity as they're advancing in their career, not necessarily getting the stretch assignments they're anticipating, perhaps their managers aren't taking initiative and identifying the trajectory of their career within the organization, they're getting passed up for promotions and experiencing that lack of respect with microaggressions, tokenism, comments. All of that leads up to the point where an individual would likely choose to step out of the career and move into other areas."

It's a self-fulfilling cycle: Too little female representation is leading more women to steer clear of security. As Dohm puts it: "Lack of diversity in the workforce is a symptom of the lack of inclusion."

Simply hiring more women doesn't solve the problem, either, since exclusion extends far deeper than any one person or organization can account for.

"The gender gap in cybersecurity begins long before women reach the workforce," explains Jessy McDermott, partner solution architect at Aqua Security. "I know firsthand as a former engineering student that this gap existed at the college level. For example, only four other women — out of an original 15, excluding myself — completed the engineering program alongside me at UMass Dartmouth. During those four years, I experienced an ongoing prejudice and doubt and saw how women were ultimately driven out of the field before they even graduated.

"This is only exacerbated as time goes on and women begin to see that careers in information technology or cybersecurity are 'male-dominated.' If you’re somehow able to get through college without being driven out of the field, you've just started the first leg of a never-ending journey. Ultimately, this can all lead to imposter syndrome, which myself and many female friends in the industry deal with. I have days where, even now, as a cybersecurity professional with years of experience under my belt, I still get challenged to show and, more importantly, prove my knowledge to others."

So, she adds, "I love how more companies are going out of their way to hire more women into the field, but to see a difference, women need internal support to feel confident and be successful in their roles."

**Non-Diversity Consequences to Companies**

Besides the obvious consequences for people, there are also consequences for uniformity for companies.

"When retention isn't there for female talent, it costs money, because it's pulling back out recruiting dollars. And it's also a reputational risk," Dohm notes.

"Broader than cybersecurity, there's a body of research that says the more perspectives you bring to the table, the better off you will be at problem solving," says Clar Rosso, CEO of ISC2. "In cybersecurity, which is a very complex, growing threat landscape, the more perspectives that we bring to the table to solve problems, the more likely we will be able to impact our cyber defense."

Dohm puts it tersely: "It's a security risk not having the diverse perspective that women bring to the cybersecurity workforce."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Cybersecurity Is Becoming More Diverse … Except by Gender

Tracking code used for keeping tabs on how members navigated through the healthcare giant's online and mobile sites was oversharing a concerning amount of information.

Source: Wirestock, Inc. via Alamy Stock Photo

Hard on the heels of a significant data theft at UnitedHealth, fellow healthcare behemoth Kaiser Permanente publicly announced a data breach affecting 13.4 million current and former insurance members.

Kaiser's systems inadvertently shared patient data with third-party advertisers, including Google, Microsoft, and social platform X, the company said, thanks to the presence of improperly implemented tracking code that Kaiser used to see how its members navigated through its Web and mobile sites.

"Certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors," the company said in a media statement.

The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia.

Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata.

"The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome — an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."

**About the Author(s)**

13.4M Kaiser Insurance Members Affected by Data Leak to Online Advertisers

Likely China-linked adversary has blanketed the Internet with DNS mail requests over the past five years via open resolvers, furthering Great Firewall of China ambitions. But the exact nature of its activity is unclear.

Source: Mrinal Pal via Shutterstock

During an investigation into the activities of a threat group providing domain name system (DNS) infrastructure for illicit online gambling sites, threat researcher Renée Burton discovered something completely novel: Covert traffic immune to China's government-run firewall using open DNS resolvers and mail records to communicate.

The China-linked group — dubbed Muddling Meerkat — has demonstrated its ability to get specific DNS packets through the Great Firewall, one of the technologies separating China's Internet from the rest of the world, Burton, vice president of threat research at network security firm Infoblox, wrote in an analysis published this week.

While most requests for restricted domains return a seemingly random IP address, Muddling Meerkat is able to get DNS mail (MX) records with random-looking prefixes in response to certain requests, even when the domain has no mail service.

The goal of the capability remains unclear — most likely it's for reconnaissance or establishing the foundations of a DNS denial-of-service attack, Burton says — but the demonstrated expertise and ability to pierce the GFW deserves additional research, she says.

"We have a deliberate, very cunning use using very detailed knowledge of DNS — this is not your average cybercriminal; this is not your average teenager; these people are experts in DNS," Burton says. "So we have something that has been going on for four and a half years at this point, which isn't observable in any one location, but is deliberate and constant — and that combination of things, to me, is worrisome."

The threat research comes as the governments of the United States and other nations have warned that China's military has infiltrated critical infrastructure networks with a goal of pre-positioning their cyber operators for potential future conflicts. While many threat researchers have noted China-linked hacking groups' expertise in finding and exploiting zero-days in edge devices such as firewalls and virtual private network (VPN) appliances, the current research underscores their capabilities in utilizing the domain name system (DNS) for their own purposes.

**Great Chinese Firewall: "Operator on the Side"**

The Chinese Communist Party prevents its citizens from going to content that the government considers inappropriate or illegal — not by blocking the traffic, but by returning fake responses to DNS queries that prevent a user in China from connecting to the desired site. The approach, dubbed the Great Firewall (GFW), is not an inline traffic filter nor a platform that alters DNS responses on the fly, but rather an "operator on the side" that issues a response that competes with any packet from the original intended destination, says Burton.

While the Great Firewall does not intercept traffic, China does operate another system — often referred to as the Great Cannon (GC) — that takes the adversary-in-the-middle (AitM) approach, modifying packets en route to their destination, she wrote in the report.

"In combination, the GFW and GC create a lot of noise and misleading data that can hinder investigations into anomalous behavior in DNS," the report said. "Muddling Meerkat operations are complex and demonstrate that the actor has a strong understanding of DNS, as well as internet savvy."

Mail (MX) records from kb.com, even though the domain has no mail service. Source: Infoblox

Typically, researchers can see the Great Firewall in operation. When they send a DNS request to a domain considered to be out of bounds by the Chinese government, the GFW will return a seemingly random IP address. When they ask for a non-existent service for that domain, such as a mail (MX) record, the GFW still sends an IP address. However, Infoblox researchers and their industry partners instead saw mail records for domains that had no mail services, and each MX records had a seemingly random, albeit short, host name.

Kb.com, for example, has no MX records, but the researchers have seen a large number of mail responses, seemingly from the domain for servers with names such as "pq5bo\[.\]kb\[.\]com" and "uff0h\[.\]kb\[.\]com".

**Covert Widespread DNS Traffic**

The unexplained Internet traffic — which was initially detected as far back as Oct. 15, 2019 — could be some sort of reconnaissance that uses open resolvers and "super-aged" domains that foil many DNS block lists, says Burton.

"It's super under the radar, right? So that's kind of a recon-y looking thing," she says. "The other thing about it, though, is it has that DNS denial-of-service aspect. There are concerns that the Chinese are positioning themselves for operations against critical infrastructure, and here they've positioned themselves in DNS in a really weird way."

Combined with the recent announcement by the US Cybersecurity and Infrastructure Security Agency (CISA) that China is pre-positioning itself inside other organizations' infrastructures, Infoblox decide to go public with what the company and its anonymous partners had discovered.

Infoblox collaborated with other organizations, which the company declined to name due to worries of retribution and the potential loss of access to the DNS activity data. While the Muddling Meerkat operation appears similar to some "slow drip" DNS denial-of-service attacks, determining the purpose of the traffic will likely require more research participants, Burton says.

"I don't believe there's anyone who can see this operation in totality," she says. "Every single piece is seen individually, and then what we did was we brought a bunch of different pieces together, so we could see the whole thing. This is a complete mystery ... but it definitely is there."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

'Muddling Meerkat' Poses Nation-State DNS Mystery

By embracing a proactive approach to cyber-risk management, companies can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology.

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

In today's fast-paced world, most businesses are racing to incorporate the latest technology and innovations to meet the demands of customers craving convenience and accessibility. After all, who doesn't love banking from their phone 24/7 or shopping from their couch?

To meet these demands, companies rush to implement new technology as quickly as it emerges, but while enhancing business operations is undeniably lucrative, it comes with a price: Risk. As we embrace all the luxuries of innovation, cybercriminals are poised to exploit the vulnerabilities that these changes expose. Industries like healthcare and financial services are especially attractive targets, due to the valuable data and assets they are entrusted to protect, but cybercrime poses a threat to all. As a result, taking a proactive approach to managing cyber-risk, which involves pre-emptive and continuous action to assess and address risks caused by innovation, is being emphasized as a strategic necessity.

Traditional cybersecurity practices are like playing a never-ending game of whack-a-mole, because just as soon as one risk or vulnerability is addressed, another one pops up, presenting a new challenge. This can be frustrating, time-consuming, and ineffective in the rapidly evolving threat landscape. This ever-changing complexity further highlights the dynamic landscape of cybersecurity. We know that risk is an inherent part of all change — whether opening a new physical location, merging with another company, or implementing an online bill pay system, any modifications open the door to new vulnerabilities. Sounds bleak, right? Yes, the warnings about risk are ominous, but there is a way for businesses to participate in innovation successfully and prepare for the inevitable risk … and it's all about embracing a new mindset.

In the latest annual Global CEO Survey by PwC, CEOs in the financial sector and capital markets reported a significant concern over the threat to profitability due to changing consumer demands and behaviors. As a way to tackle this possible problem, CEOs invest significantly in technology such as AI and cloud solutions by automating processes and systems to improve the customer experience — a proactive measure to mitigate a possible threat to their bottom line.

However, a lack of attention to cybersecurity during the implementation of these technology solutions poses a significant risk to organizations where trust is critical. Cybersecurity is often an afterthought as companies integrate new processes and, especially, new technologies. This mindset leaves your business and your customers vulnerable to threat actors, so it’s time to substantially shift how change, risk, and strategy are perceived.

**An Action Plan**

Integrating cybersecurity defenses in tandem with new technology — not as a reactive action because a threat suddenly popped up — is the most effective route. Put the mallet down and approach cyber-risk with real-time data so your company stays ahead of emerging threats, instead of standing poised and hoping your reaction is well-timed. The development of technologies should be designed and planned with possible exposure to risk at the forefront. This proactive method simultaneously addresses both challenges, improves their performance through technology, and bolsters security measures. To implement this approach, a cyber framework that integrates with new projects at every stage can be implemented, even if it means extending the development timeline. In that way, businesses can address both challenges in a complementary manner, enhancing performance through technology while becoming more cyber secure.

This approach not only protects against cyber threats but also improves customer experience, since customers often demand seamless, convenient, and secure services. By integrating cybersecurity in tandem with technology implementation, companies across all industries can improve their customer experience while retaining trust. 

It’s important for businesses to work with a trusted partner in cyber-risk management to evaluate new technology for risk as it is created, rather than reacting to the risk that the technology triggered. This approach allows your company to identify potential vulnerabilities in new technology early on and implement appropriate security measures to mitigate the risks rather than addressing them after your business and your customers are already at risk. This assessment can identify potential vulnerabilities in the technology and determine the level of risk associated with each vulnerability. Based on this assessment, a plan is developed to mitigate the risks and ensure the security of systems and data. The information can be leveraged to create and implement policies and procedures for managing and monitoring the new technology to ensure ongoing security.

These recommendations serve as a reminder that being proactive doesn't just involve addressing risk due to a new product or service offering. It also means being proactive in defining, adopting, and measuring the effectiveness of risk assessments, as well as implementing the best practices that can mitigate these risks before they occur.

By embracing a proactive approach to cyber-risk management as a whole, companies across all industries can better detect, prevent, and mitigate cyber threats while integrating the latest state-of-the-art technology. And the best part? You can put that mallet away, because your company will detect threats before they even have a chance to pop up.

**About the Author(s)**

CEO, DefenseStorm

Steve Soukup has served as Chief Executive Officer at DefenseStorm since 2020 and in that role is responsible for leading all aspects of the company’s business. He is passionate about building a community of trust among our teams and with our customers while also enabling our customers to do the same with their account holders. Steve joined DefenseStorm as Chief Revenue Officer in May 2017 with a charge to drive growth for the business while leveraging his extensive experience serving the banking vertical. He was promoted to President in October 2019 and then to CEO in April of 2020. Under his leadership, DefenseStorm has set the standard for enabling banks and credit unions to achieve cyber risk readiness. Steve is a graduate of Boston College and earned a Master of Business Administration degree from Boston University. A native of Cleveland, Ohio, Steve and his family have called the Atlanta area home for over 10 years.

Source

DARKReading