Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Have a few minutes to spare? Come up with a clever cybersecurity-related caption for the cartoon above. If it strikes our fancy, you could win a $25 Amazon gift card!

Here are four convenient ways to submit your ideas before the July 12, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading June Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Dark Reading reader David is having a great month! He already won The Edge's "Spring Chickens" May cartoon caption contest, and now he's done it again with the main site's "One by One" May contest. Congratulations, David, and a big thanks to all who played.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Time to Spare?

The threat organizations face with GenAI is not new, but it could speed how quickly private data reaches a wider audience.

Generative artificial intelligence (GenAI) and large language models (LLMs) are the disruptive technologies _du jour_, redefining how enterprises do business and spurring the debate on just how much AI will change the way civilization interacts with computers in the future. The hyperbole is reaching epic proportions as social scientists and pundits debate the End Times facing civilization due to smarter and potentially proactive computing. Perhaps some perspective is in order.

A recent report from Israeli venture firm Team8, "Generative AI and ChatGPT Enterprise Risk," addresses some of the realistic technical, compliance, and legal risks GenAI and LLMs place on corporate boards, C-suites, and cybersecurity personnel. The report underscored the potential operational and regulatory vulnerabilities of GenAI, but cautioned that some concerns might be premature. One concern — that exposing private data submitted to a GenAI application such as ChatGPT might make that data available to others in near real time — is discredited in the report.

"As of this writing, Large Language Models (LLMs) cannot update themselves in real-time and therefore cannot return one's inputs to another's response, effectively debunking this concern," the report states. "However, this is not necessarily true for the training of future versions of these models."

The report identifies several potential threats by risk category. Among the high risks are:

*   Data privacy and confidentiality of nonpublic enterprise and private data.
*   Enterprise, software-as-a-service (SaaS), and third-party security of nonpublic and enterprise data.
*   AI behavioral vulnerabilities, such as prompt interjection, of enterprise data.
*   Legal and regulatory compliance.

Among the threats that fall into the medium risk category are:

*   Threat actor evolution for attacks, such as phishing, fraud, and social engineering.
*   Copyright and ownership vulnerabilities leading to an organization's legal exposure.
*   Insecure code generation.
*   Bias and discrimination.
*   Trust and corporate reputation.

"The CISO is in a position to have the technical knowledge to support processes not necessarily under their umbrella, which might affect their role," says Gadi Evron, CISO-in-residence at Team8 and one of the report's authors. "Some interpretations of upcoming European Union regulation may push the CISO into a position of responsibility when it comes to AI. This may elevate the CISO to a position of responsibility where they are 'ambassadors of trust,' and this is a positive thing for the CISO role."

Chris Hetner, cybersecurity advisor at Nasdaq and chair of Panzura's Customer Security Advisory Council, says an initial risk assessment would identify potential issues with who has access, what can be done, and how the technology will interact with existing applications and data stores.

"You need to determine who has access to the platform, what level of data and code are they going to introduce, \[and does\] that data and code introduce any proprietary exposure to the enterprise," he notes. "Once those decisions are made, there's a process to proceed forward."

The threat organizations face with GenAI is not new, but it could speed how quickly private data reaches a wider audience.

"When it comes to security, it is clear that most companies are in much worse condition to mitigate the risks of their corporate and customer being stolen or leaked than they were just six months ago," opines Richard Bird, chief security officer at Traceable AI. "If we're being intellectually and historically honest with ourselves, the vast majority of companies were already struggling to keep that same data safe before the rise of generative AI.

"The ease of use and access that employees are already taking advantage of with AI technologies with little to no security controls is already showing the increased risk to companies."

**The Human Element**

Bird takes a pragmatic approach to GenAI, adding that companies are going to move fast and not wait on compliance demands to protect their data, customers, supply chains, and technologies. Users have shown "a complete lack of restraint combined with no awareness of the unintended security consequences of using AI," he notes. "This toxic combination is what companies must work quickly to address. AI isn't the key threat here. Human behavior is."

One issue that has yet to be fully analyzed is how users interact with GenAI based on their existing habits and experience. Andrew Obadiaru, CISO for Cobalt Labs, notes that iPhone users, for example, already have native experience with AI through Siri and thus will adapt quicker than users who do not have that experience. Like Bird, Obadiaru thinks those habits might make those users more susceptible to misusing the applications by inputting data that should not get out of an organization's direct control.

"The concerns are, 'What are the additional risks?' Everyone has the ability to tap into \[GenAI technology\] without necessarily going through a security review," he says. "And you can just do that on their personal device."

If employees use personal devices outside of the IT department's control to conduct business, or if employees use GenAI as they use Siri or similar applications, this could pose a security risk, Obadiaru adds. Using GenAI like a personal digital assistant potentially could put confidential data at risk.

**Network Risks**

Sagar Samtani, assistant professor in the Data Science and Artificial Intelligence Lab at the Indiana University Kelley School of Business, cautions that AI models are extensively shared via the open source software landscape. These models contain significant quantities of vulnerabilities within them, some of which CISOs need to be aware of.

"These vulnerabilities place an impetus on organizations to understand what models they are using that are open source, what vulnerabilities they contain, and how their software development workflows should be updated to reflect these vulnerabilities," Samtani says.

Asset management is a critical aspect to any strong cybersecurity program, he adds.

"\[It's\] not the exciting answer, but an essential ingredient," Samtani says. "Automated tools for detecting and categorizing data and assets can play a pivotal role in mapping out corporate networks. ... Generative AI could help provide layouts of corporate networks for possible asset management and vulnerability management tasks. Creating inventory lists, priority lists, vulnerability management strategies, \[and\] incident response plans can all be more \[easily\] done with LLMs in particular."

Generative AI Has Its Risks, but the Sky Isn't Falling

Pressure mounts on the NSO Group's business viability as Khashoggi widow joins group of plaintiffs suing the Israeli firm for Pegasus spyware abuse.

NSO Group is facing a number of existential crises at the moment, and it appears there's a group of enterprising investors — including, reportedly, a Wrigley chewing gum magnate — ready to take advantage, lassoing control of arguably the most destructive and powerful spyware tool known to-date, i.e., Pegasus.

The Israeli firm was blacklisted by the US government in November 2021 for creating and selling its powerful zero-click spyware tool Pegasus, which has been used by its customers to target and track government officials, human rights workers, journalists, activists, academics, embassy workers, and businesspeople across the world. 

The designation placed severe restrictions on the firm's ability to operate by banning any transfer of US technology to NSO Group. Then, in December 2021 NSO Group's spyware was found on the phones of at least nine US State Department employees, which didn't help thaw the firm's relationship with Biden administration either.

There's also the problem of the mounting number of lawsuits.

**NSO Group's Lawsuit Docket Grows**

A new lawsuit filed by Hanan Elatr, widow of murdered Washington Post journalist Jamal Khashoggi, accuses NSO Group's Pegasus spyware of violating US hacking laws to track the couple leading up to the 2018 killing of the vocal Saudi dissident.

Elatr says in the lawsuit that the Pegasus spyware "caused her immense harm, both through the tragic loss of her husband and through her own loss of safety, privacy, and autonomy, as well as the loss of her financial stability and career."

In addition to Elatr, there are other, far more deep-pocketed legal foes for NSO Group to worry about. Apple filed suit in November 2021 against the organization for targeting its users with Pegasus spyware (attacks that are ongoing). And in January, the US Supreme Court denied a petition to block a suit to proceed against NSO Group filed by Meta-owned WhatsApp for spyware damages.

**Juicy Fruit Heir, Sandler Movie Producer Float NSO Purchase**

Despite the legal, business, and brand challenges, NSO Group reportedly continued to hone and improve Pegasus spyware. A recent report from research organization Citizen Lab, which has been at the forefront of working to expose Pegasus abuse, said it discovered at least three new exploit chains against human rights activists as recently as 2022.

Perhaps because of that, investors have begun to sniff out a potential opportunity. Reportedly, a motley gang of investors including Robert Simonds, a US investor whose background includes producing Adam Sandler movies, and his buddy, cannabis industry investor and chewing-gum fortune heir William "Beau" Wrigley, are looking at buying up NSO Group's assets, according to new reporting from The Guardian.

The report adds a spokesperson for Wrigley denied he is in discussions to buy NSO Group assets, while a source close to Simonds said he was "deep" in talks about a sale but aware it would be a steep climb to get the deal done. 

"Placing such powerful surveillance technology in the hands of individuals who may not have deep expertise in the cyber industry or a history of involvement in the sector raises questions about the potential ramifications," Callie Guenther, cyber threat research manager with Critical Start tells Dark Reading about the potential NSO sell-off. "It is essential to ensure that any potential acquirer of NSO's assets possesses the necessary expertise to handle the technology responsibly, maintain appropriate safeguards, and prevent potential misuse."

It should be noted that other attempts at buying control of Pegasus haven't worked out. Last year L3Harris, an American company and US defense contractor was looking into a possible purchase of NSO Group's technology, but the White House objected over "serious counter-intelligence and security concerns," the Guardian added.

Then there is the Israeli government, which closely regulates NSO Group and could potentially intervene in any sell off of its technology, the Guardian points out.

"NSO operates under close regulation by Israel's Ministry of Defense, and any potential sale of its assets would likely face scrutiny from Israeli authorities," Guenther says. "It remains to be seen how such a transaction could proceed and whether it would comply with relevant regulatory requirements and national security considerations."

Perhaps there's a pot-sweetener here though: The Guardian added a juicy rumor to its reporting that Simonds has privately pledged to hand over the surveillance technology to the so called "Five Eyes" alliance between the intelligence agencies of Australia, Canada, New Zealand, the UK, and the US.

Even so, a pledge is not a guarantee. Guenther outlines a number of potential problems with NSO Group's assets falling into the wrong hands, including giving the new owners the power to improve upon its existing capabilities for exploitation, targeting, as well as slow down future potential vulnerability disclosures.

"The acquisition could impact the overall cyber threat landscape. If NSO's spyware technology becomes more accessible or proliferates in unauthorized hands, it could lead to an increase in targeted attacks, surveillance activities, and potential abuse," Guenther warns. "This would necessitate heightened vigilance and strengthened defensive measures from organizations, governments, and cybersecurity communities to mitigate the associated risks."

**Has Pegasus Already Peaked?**

Many may question the power a tool like Pegasus could have when flying on behalf of someone rich enough to buy it, but the true value of NSO Group, and its dominance in the spyware space, might have already peaked.

JT Keating, senior vice president of mobile security firm Zimperium, explained to Dark Reading that the trend is decidedly moving toward open source spyware, making the surveillance tools available to almost anyone and driving down the value of NSOs proprietary Pegasus product.

"Spyware is now mainstream, including the shift from sole reliance on the Dark Web for distribution to seeing the same kits and tools being found on online repositories like GitHub or online communities like Reddit," Keating says. "Regardless of what happens to organizations like NSO, mobile spyware will only continue to proliferate."

Meanwhile though, the squeeze on NSO Group's business continues.

US Investors Sniffing Around Blacklisted NSO Group Assets

Workforce IAM and consumer IAM are not interchangeable — they serve different purposes and constituencies.

The world is increasingly becoming more interconnected, and digital identity is evolving to address the unique needs of organizations and consumers. While the two types of identity and access management — workforce IAM and consumer IAM — share some commonalities, they are designed for distinct use cases and fit different requirements.

"The obvious difference between the two use cases is the user constituencies," says Henrique Teixeira, senior research director at Gartner.

Vendors and buyers often separate the use cases into internal identities (workforce) and external identities (consumer) because there may be requirements that apply to one group but not the other. For example, consent and preference management to protect the privacy of customer data is an important part of consumer IAM, but not so much in workforce IAM, Teixeira says.

Many organizations believe that they can use workforce IAM solutions to solve identity issues around securing consumer identities, says David Mahdi, CIO of Transmit Security.

"As organizations deploy more customer-facing digital services \[via mobile and/or Web\], they now need to invest in CIAM solutions to help establish and maintain trust and privacy," he says.

**Securing the Digital Workforce**

Workforce IAM, also known as employee IAM or corporate IAM, is designed to manage and secure the digital identities of an organization's employees, contractors, and partners. The primary goal of workforce IAM is to protect sensitive corporate data and resources by ensuring that the right people have access to the right information, at the right time, and in compliance with regulatory requirements.

Workforce IAM solutions provide strong, multifactor authentication (MFA) to ensure that users are who they claim to be. This often involves a combination of passwords, one-time passcodes, and biometric factors, such as fingerprint or facial recognition. MFA helps organizations prevent unauthorized access to their systems, thereby reducing the risk of data breaches and cyberattacks.

Role-based access control (RBAC) and attribute-based access control (ABAC) are employed to grant users access to specific resources based on their job function, seniority, department, or other attributes. This fine-grained access control helps organizations maintain the principle of least privilege, which minimizes the potential for insider threats and data leakage. These features allow users to access multiple applications within the organization using a single set of credentials, simplifying the login process and improving user experience. Federation extends single sign-on (SSO) across organizational boundaries, enabling seamless collaboration between partners, suppliers, and customers.

Workforce IAM systems manage user accounts from onboarding to offboarding, including provisioning and deprovisioning access, password resets, and profile updates. Automating these processes not only saves time and effort but also reduces the risk of human error and ensures that access rights remain up to date.

Workforce IAM solutions track and monitor user activities, generating audit trails and reports that help organizations maintain compliance with industry regulations, such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley Act (SOX). These tools also facilitate the identification of suspicious behavior or potential security incidents, allowing for prompt investigation and remediation.

"Employees that make up the workforce sign employee agreements, which essentially means that they must adhere to any and all access policies. This absolutely shapes the UX and security requirements of workforce IAM solutions," Transmit Security's Mahdi says. "That is simply not the case when dealing with consumer security and identities. If they suffer a poor UX, they can and will go elsewhere, especially when it's an online digital service — where competitors are a simple click away."

**Enhancing the Consumer Experience**

Consumer IAM, or customer IAM, focuses on managing the identities of an organization's customers or end users. The main objectives of consumer IAM are to create seamless and secure user experiences across digital touch points, while safeguarding customer data and maintaining compliance with privacy regulations.

Consumer IAM solutions often allow users to register and log in using their social media accounts or other trusted identity providers, streamlining the authentication process and reducing the need for multiple sets of credentials. This convenience helps organizations attract and retain customers, especially in industries with high levels of competition.

Customers can manage their profiles, preferences, and consent settings through self-service portals, giving them more control over their data and interactions with the organization. This empowers customers to update their information, adjust privacy settings, and manage their communication preferences without relying on customer support, thereby reducing operational costs for the organization.

Consumer IAM systems are designed to handle millions of users and to scale rapidly to accommodate growth in user base or increased traffic during peak times. High-performance IAM solutions ensure that customer-facing applications remain responsive and reliable, even under heavy loads, which is crucial for maintaining customer satisfaction and minimizing churn.

Such solutions collect and analyze customer data, enabling organizations to deliver personalized content, offers, and recommendations based on individual preferences, browsing history, and purchase patterns. This level of personalization can enhance customer loyalty, drive repeat business, and increase conversion rates. Additionally, customer analytics can provide valuable insights into user behavior, helping organizations identify trends, opportunities, and areas for improvement.

Consumer IAM plays a critical role in complying with data protection and privacy regulations, such as GDPR and the California Consumer Privacy Act (CCPA). These solutions help organizations manage customer consent for data processing, store and transmit customer data securely, and respond to data subject access requests. By ensuring compliance, consumer IAM can help organizations avoid costly fines and reputational damage.

These systems use advanced techniques, such as machine learning and behavioral analytics, to identify potentially fraudulent activities and assess the risk level of each login attempt. Based on the risk score, the IAM solution may require additional authentication factors or block access altogether. This helps protect customers' accounts from unauthorized access and reduces the organization's exposure to fraud-related losses.

**Picking the Right IAM**

Workforce IAM emphasizes the protection of corporate resources and data, ensuring that employees and partners have appropriate access to systems and information. In contrast, consumer IAM prioritizes the customer experience, personalization, and privacy, aiming to foster trust and loyalty among end users.

As organizations continue to adapt to the ever-changing digital landscape, understanding these distinctions is crucial for selecting the right IAM solution to meet their specific needs. By implementing the appropriate workforce or consumer IAM system, organizations not only improve security and compliance, but they also enhance user experience, drive customer satisfaction, and, ultimately, achieve business success.

Decoding Identity and Access Management for Organizations and Consumers

To properly secure DNS infrastructure, organizations need strong security hygiene and records management, as well as DNS traffic monitoring and filtering.

As a core backbone of the infrastructure, Domain Name Service (DNS) acts as the phone book of the Internet. It helps route users hunting for a specific domain name and connects them to the resources of the IP address connected to that domain. When it runs the way it is supposed to, it is nearly invisible to the typical user — and even to many technical administrators. This lends an air of obscure simplicity that leads many organizations to assume that DNS is a background service that doesn't require more than basic protection and is covered by other Web and email defenses.

That couldn't be further from the truth. A new report from Dark Reading outlines the threats against DNS and what organizations should do to secure DNS infrastructure.

Some of the most common DNS attacks include:

*   Denial of service, which overwhelms DNS services with traffic to disrupt or disable DNS service at an organization.
*   DNS cache poisoning, which manipulates the DNS cache to redirect users trying to go to a legitimate domain to a malicious IP address.
*   DNS hijacking, which changes the DNS records of a domain to redirect users to a malicious IP.
*   DNS tunneling, which leverages outbound DNS traffic to smuggle malicious data from malware exploitation back to attackers' C2 infrastructure.
*   Dangling DNS, which takes over an unused subdomain on cloud and other infrastructure to impersonate a brand or use as a foothold for other attacks.

To ensure the proper security of DNS infrastructure, organizations need a solid combination of strong security hygiene around DNS infrastructure and records management, close monitoring of DNS traffic, effective filtering, and deployment of more advanced protocols, like DNSSEC. The cost of not employing these measures can be high. The average cost of a successful DNS attack is upward of $1 million.

When attacks happen, sometimes the best that many organizations can do is to literally pull the plug on their DNS or network infrastructure.

The Dark Reading report, "Everything You Need to Know About DNS Attacks," explores the nuances of the DNS security awareness gap, including why organizations are struggling to implement a full slate of DNS security measures and what it will take to combat these common DNS attacks. The report examines how to harden DNS infrastructure from attacks, the importance of creating more visibility around DNS, and how DNS protection measures can actually be used to improve other areas of cybersecurity awareness.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Getting Over the DNS Security Awareness Gap

This first-ever event, hosted by the Security Industry Association and ASIS International and designed to advance, connect, and empower women in security, gathered hundreds of industry leaders in Nashville June 12-13, 2023.

**ALEXANDRIA, Va. & SILVER SPRING, Md. –** ASIS International and the Security Industry Association (SIA) closed out the inaugural Security LeadHER conference this week, celebrating a successful and groundbreaking first event held June 12-13 in Nashville, Tennessee. The event was dedicated to advancing, connecting and empowering women in the security profession.

Approximately 300 current and future "LeadHERs" and attendees of all backgrounds and genders gathered for Security LeadHER 2023. This year's Security LeadHER program kicked off on June 12 with a variety of fun and engaging activities, including a behind-the-scenes security tour of Nashville's famed Ryman Auditorium, a tour of the National Museum of African American Music and a women's self-defense class, and wrapped up with a lively networking reception at Johnny Cash’s Bar & BBQ.

On June 13, the Security LeadHER conference programming began with a motivating keynote from author, renowned speaker and sought-after consultant Eliza VanCort on how to "Claim Your Success – Stand Tall, Raise Your Voice and Be Heard." In this dynamic presentation, VanCort shared her personal journey from childhood kidnappings to a near-fatal head injury to becoming a No. 1 bestselling author, addressed some of today's most important women’s leadership issues and offer participants valuable communication and presentation guidance and concrete skills to achieve their goals professionally and in every aspect of their lives.

Additional programming focused on two tracks – Leadership and Security & Innovation – featuring presentations from industry-leading subject matter experts. Track sessions gave actionable guidance on topics such as confidently saying no and setting boundaries, addressing virtual threats and harassment, mitigating our unconscious biases against women in security, anonymizing your digital footprint, protecting data in the cloud, leading by influence and the science of sex and its impact on the industry.

The conference closed with a moving keynote from diversity, equity and inclusion practitioner, spoken word artist, emcee and poetry specialist Charity Blackwell. Attendees enjoyed the immersive spoken word performance and keynote address exploring the meaning of owning your legacy through your work.

"The inaugural Security LeadHER event is a wrap, and what a success it was! My mind is full of new ideas, my LinkedIn account is full of new connections and my heart is full of gratitude for all the hard work done by the SIA and ASIS communities to make this event something to remember," said Elaine Palome, director of human resources, Americas, at Axis Communications and event co-chair for Security LeadHER. "It was so inspiring to see more than 300 women and their allies gathered together to share stories, ideas and knowledge. We are already thinking about next year’s event and hope you will join us."

"Our inaugural Security LeadHER event was a smashing success. The energy in the room was palpable," said Antoinette King, founder of Credo Cyber Consulting LLC and event co-chair for Security LeadHER. "Our opening keynote was delivered by Eliza VanCort. Eliza's insights on communication were incredibly helpful, and I walked away with many new communication tools. The education sessions were super insightful. Our closing keynote, Charity Blackwell, was simply masterful. I left the conference with so much excitement for the future of our industry!"

Security LeadHER 2023 was made possible in part thanks to the generous support of Featured Sponsor Apple; Premier Sponsors dormakaba, Intel and Wesco; Executive Sponsors Axis Communications and Securitas; and Partner Sponsors Allegion, Altronix, Boon Edam, Brivo, GSA Schedules, Inc., IDEMIA, Prosegur and SAGE Integration.

**About ASIS International**

Founded in 1955, ASIS International is the world’s largest membership organization for security management professionals. With 34,000 members hundreds of chapters across the globe, ASIS is recognized as the premier source for learning, networking, standards, and research. Through its board certifications, award-winning Security Management magazine, and Global Security Exchange (GSX) – the most influential event in the profession – ASIS ensures its members and the security community have access to the intelligence and resources necessary to protect their people, property, and information assets.

**About the Security Industry Association**

SIA is the leading trade association for global security solution providers, with over 1,400 innovative member companies representing thousands of security leaders and experts who shape the future of the security industry. SIA protects and advances its members' interests by advocating pro-industry policies and legislation at the federal and state levels, creating open industry standards that enable integration, advancing industry professionalism through education and training, opening global market opportunities, and collaborating with other like-minded organizations. As the premier sponsor of ISC Events expos and conferences, SIA ensures its members have access to top-level buyers and influencers, as well as unparalleled learning and network opportunities. SIA also enhances the position of its members in the security marketplace through SIA GovSummit, which brings together private industry with government decision makers, and Securing New Ground, the security industry's top executive conference for peer-to-peer networking.

Security LeadHER Wraps Groundbreaking Inaugural Conference for Women in Security

This new role of safeguarding cloud deployments requires an exceedingly rare set of technical and soft skills.

A team at a recent cloud-native industry event laughed out loud when they told us, "We just got out of a talk, and apparently we are now infrastructure security engineers." With the rampant layoffs in the tech industry, underlying the amusement of job titles is real uncertainty around expectations for thriving in that new role and associated ecosystem.

In the age of Kubernetes and cloud native application deployment, the infrastructure security engineer is a prize hire. But across dozens of job descriptions and practitioner interviews, we found that this role reflects an exceedingly difficult challenge: to be the best at both indirect influence and hard technical skills.

So what is infrastructure security engineering, anyway? The infrastructure or cloud security team sits at (no surprise) the infrastructure layer, versus the application layer. They are primarily concerned with deployment and the running cloud environment.

The first thing to understand about this role is how much the cloud security shared responsibility model requires of them. In the case of managed Kubernetes platforms, we can assume a general platform-as-a-service (PaaS) model. This implies a shared responsibility model that puts nearly the entire configuration of the cloud in the infrastructure security role's hands. In Google's own words, "For \[Google Kubernetes Engine\], you're responsible for protecting your worker nodes, including deploying patches to the OS, runtime and Kubernetes components, and of course securing your own workload."

But the shared responsibility model is just the start. No role exists in a vacuum, and the third most common requirement in this role, apart from vulnerability management and staying up to date on trends in the space, is imbuing best practices across other teams in the org. As one hiring manager put it, "Your primary responsibility will be to ensure that our engineering teams integrate security best practices into their workflows and deliver secure products and services."

There is an inherent friction in asking a development team to do anything that might slow down the flow of new features into production, even if it has been shown that teams baking security into their DevOps processes actually do deliver more quickly.

**What Infrastructure Security Engineers Need to Succeed**

What do hiring managers think will make candidates successful in the kind of role just described? Not surprisingly, the third most common requirement for this role — behind hands-on experience with cloud platforms and networking — is proficiency in scripting languages, combined with hands-on experience around any combination of infrastructure-as-code (IaC), HashiCorp's Terraform, and the continuous integration/continuous delivery (CI/CD) pipeline. Why? Because if you have never automated deployments with code, it will be impossible to share security best practices with the developers doing it on a daily basis.

The last common requirement in an infrastructure security role is an in-depth understanding of the end-to-end development pipeline. If a security engineer expects to keep up to speed on the latest in the cloud, influence development, and manage cloud vulnerabilities on a day-to-day basis, they need an understanding of efficiency, how it all works together, and how to prioritize.

Here are some more tips from our interviewees:

*   "If you are just looking at the cloud, don't forget Kubernetes. While it is deployed through managed cloud services more often than not these days, it cannot be addressed in the same way one would address vulnerabilities for cloud environments." — Director of cloud security
*   "Triage is critical. When my teams have failed in the past, it was usually because we kept chasing shiny things. By being disciplined and methodical about prioritization, we maintain confidence that we're working on the right problems at \[almost\] any given time." — Manager, infrastructure and IT security
*   "Don't underestimate engineering teams' interest in solving security problems. Empower them with data and context, and see how hungry they are to use it." — Manager, infrastructure and IT security

**Why This Could Be the Hardest Job**

Interestingly, in our research only one job description had a line item for "security reviews," where the role allowed the security team to say yes or no to development changes. This is telling in the context of other observations on the role of direct versus indirect influence over engineering and development; for example, the IaC knowledge is needed not for using it directly, but for being able to tell others how to use it.

Also, communication and mentoring were not listed among the most common job prerequisites, but half of the roles still had high expectations for this soft skill. This was especially true for the more senior positions.

Between the requirement to influence the development teams, the required knowledge of IaC tooling and automation, the need for communication and mentoring, and the near complete absence of formal security reviews, a view of the most successful infrastructure security professional begins to emerge. This person will have broad hands-on experience in the cloud ecosystem, as well as skills to influence and build credibility across skilled teams who are managing highly new, cutting-edge GitOps tools on a daily basis. That is a high bar, indeed!

The Infrastructure Security Engineer Is a Unicorn Among Thoroughbreds

The DDoS collective claims to be teaming up with ReVIL and Anonymous Sudan for destructive financial attacks in retaliation for US aid in Ukraine, but the partnerships (and danger) are far from verified.

The pro-Russian hacktivist collective known as Killnet claims to be working in concert with a resurgent form of the notorious ReVIL ransomware gang. The goal? To mount an attack on the Western financial system.

The group is warning that attacks are imminent, as in the next day or so; but it's unclear whether the threats amount to anything more than bluster and saber-rattling, particularly given Killnet's past track record of, at most, carrying out mildly disruptive distributed denial of service (DDoS) attacks.

Even so, in a video posted on a Russian Telegram channel on June 16, Killnet made ominous threats against the SWIFT banking system (famously targeted by Lazarus in 2018); the Wise international wire transfer system; the SEPA intra-Europe payments service; central banks in Europe and the US (i.e., the Federal Reserve); and other institutions.

"The post claims that threat actors from Killnet, REvil, and Anonymous Sudan will unite for the campaign," according to ZeroFox researchers, writing in a flash alert on the threat. "Killnet indicates that the attack is motivated by the US providing weapons to aid Ukraine, stating: 'repel the maniacs according to the formula, no money — no weapons — no Kiev regime.'"

**Killnet's New Besties: Real or Imaginary?**

When it comes to the claimed partnerships, Anonymous Sudan is an emergent DDoS player that targeted entities in France, Germany, the Netherlands, and Sweden earlier this year, ostensibly in retaliation for perceived anti-Islamic activity in each of these countries. However, despite this religious persona, Trustwave researchers in the past have tied Anonymous Sudan to Killnet, noting it could simply be a masked subsidiary.

As for ReVIL, which imploded in 2022 after a Russian takedown, evidence of a re-emergence is one day old: On June 15, a Telegram channel called, fittingly, "REvil," was created. It was used to circulate a shout-out ("Hello Killnet") that went on to be heavily re-posted in a Killnet-affiliated Telegram channel, according to ZeroFox.

"This is the only post in channel to date and no additional evidence substantiating the partnership has been observed," the researchers noted.

A previous whiff of ReVIL's resurrection came more than a year ago, when rumors surfaced that some members were regrouping — but nothing more came of it.

Killnet could be fabricating the ReVIL partnership to lend some heft and gravitas to its threats against some tough targets. While Killnet has successfully gone after big game before, such as the White House and SpaceX satellite comms in Ukraine, these had "limited impact, causing short service outages and disrupting access to information," ZeroFox researchers said. A ReVIL partnership that's more than a flight of fancy "would allow them greater access to vulnerability exploitation, network intrusion, and data exfiltration."

Absent that, "the \[threatened attacks\], if legitimate, are unlikely to result in mass or prolonged outages to Western banking infrastructure, despite the newly claimed relationships with REvil and Anonymous Sudan," they added.

Even so, the publicity push around a supposedly imminent financial catastrophe could be simply an effort to harry Western governments and financial institutions, ZeroFox concluded — or, given Killnet's penchant for shenanigans, just an attempt to garner attention and notoriety.

Killnet Threatens Imminent SWIFT, World Banking Attacks

MOVEit has created a patch to fix the issue and urges customers to take action to protect their environments, as Cl0p attacks continue to mount, including on government targets.

Yet another MOVEit Transfer vulnerability, CVE-2023-35708, was discovered this week by Progress Software, the third that the company has disclosed, alongside CVE-2023-34362 and CVE-2023-35036.

The issue itself, detailed in an advisory released June 15 by the company, is another SQL injection vulnerability that could potentially allow unauthenticated attackers to gain access into MOVEit's database. Should attackers present a payload into the MOVEit Transfer application endpoint, they could ultimately modify the database content. Progress Software is encouraging MOVEit Transfer customers to take immediate action to help harden their MOVEit Transfer environments, noting that it is "extremely important" that users act as quickly as possible. 

"As we continue to investigate the issue related to MOVEit Cloud and MOVEit Transfer that we previously reported, an independent source has disclosed a new vulnerability that could be exploited by a bad actor," according to a press statement.  

**Government Agencies Under Cl0P Attack**

The release of the advisory detailing the latest vulnerability comes on the heels of CISA disclosing that federal agencies were impacted by the transfer tool at the hands of the Cl0p ransomware gang — part of the ongoing glut of attacks using what was once a zero-day bug in the platform (the first issue patched). In a statement to CNN, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said that CISA “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.”

Two Department of Energy victims have been named: 1) Oak Ridge Associated Universities, a not-for-profit research center, and 2) Waste Isolation Pilot Plant - a contractor which disposes atomic energy waste.

Cyberattacks involving the use of the MOVEit Transfer program have now affected several US government agencies, alongside many other companies and organizations, who are now dealing with the loss of stolen information, disrupted systems, and sometimes even the demands of ransom payments. The victim count could reach into the hundreds. 

Though there haven't been any indications that threat actors have yet exploited the new vulnerability, MOVEit has asserted that it is communicating with customers to protect and create safer environments. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Third MOVEit Transfer Vulnerability Disclosed by Progress Software

Mobile users in the Middle East and Africa often download moneylending apps that ask for excessive permissions — an all too common issue in an area where mobile-only is the norm and cyber awareness is low.

Research emerged this week showing that mobile users in the Middle East and Africa are the third most-likely to install suspicious financial mobile apps — mainly in the form of apps purporting to offer microlending services, a popular practice in a region where many residents lack access to mainstream credit markets.

These "seemingly legitimate" financial mobile apps were found to request access to text messages, contacts and photos/videos before a loan can be provided. They then go on to collect personal data from users' smartphones as collateral in the case that the user delays a debt payment.

Unlike more legitimate microfinance options, these apps' operators ask permission to use the data collected from the smartphone in order to force the user to return the debt in various unscrupulous ways, according to Kaspersky's research. For instance, information can be dispatched to all the user's contacts informing them of the user's debt, accompanied by photos from the gallery.

"While users should certainly report any suspicious apps to Google, they also need to stay alert for apps that may ask for a little too much access to the device's resources. For example, why would a loan app need access to your camera, your photos, or other documents on your device? Always think carefully before giving permission to any app you've downloaded," says Chris Hauk, consumer privacy champion at Pixel Privacy.

**Cyber Maturity in Transition**

According to research by Kaspersky, throughout 2022 and the first quarter of 2023, 14% of installs of potentially unwanted mobile financial apps on Android phones were made by users in the Middle East, Turkey, Africa (META) region. Therefore, this region ranks third behind APAC and LATAM in terms of the number of installs of such apps.

There are several reasons that apps like these are making headway in the region. Paul Bischoff, consumer privacy advocate at Comparitech, points out that it's an emerging technology market, where mobile infrastructure an important and necessary tool that enables basic needs, and many users "are not prepared for the barrage of scams and malware on the Internet." For many, their mobile phone is their only computing device, their only banking outlet, their only communications link, and even their only TV.

In the case of the shady microlending apps, the fact that they're being used by people with few traditional financial options could translate to users more concerned with life goals than giving 100% attention to the apps' legitimacy and permissions. 

Another contributing factor is the lack of technology protections typically found elsewhere. For instance, even though Android holds a dominant market share of 78% in the Middle East and 80% in Africa, according to Kaspersky, Bischoff suspects some phones sold in the region may not come with access to standard Google services like the Play Store, leaving users to the vagaries of less-reputable app stores that are more likely to contain malware and other unwanted apps.

Meanwhile, Hauk says while Google does vet the apps it allows into the Google Play Store, the system is not specifically designed to check for apps like these over-permissioned lending apps, anyway.

**A Multifaceted Mobile Problem**

Tom Davison, senior director of engineering international at Lookout, notes that the challenge with mobile apps in the META region is multi-faceted, beyond just fully functioning apps being overzealous with the permissions they request, exposing user data. 

All the other mobile issues are present as well: Outdated versions of apps may contain known software vulnerabilities that can be exploited; and outright malicious versions of apps exist which may impersonate well-known brands, again putting users at risk. But the usual best practices, like only using trusted app stores, scrutinizing permissions requested by apps, and always applying software updates, are for now aspirational goals for many META users.

Davison notes, "The reality is, for most users, without some additional help, it can be very challenging to spot what is legitimate and what is not," especially if apps such as microlending offerings are potentially downloaded in a state of desperation, he adds.

To boot, awareness of bugs can be scattered, at best, especially given that in the Android ecosystem, it's up to every OEM to deploy its own patches, and the schedules can vary wildly between device-makers — it's a lot for a mobile-only, non-cyber-savvy person to keep up with. 

All of this underscores the need for a more institutional, private-sector, and security-company emphasis on boosting cyber fluency and maturity, awareness training, and vendor safety efforts in the region.

Source

DARKReading