Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Your marching orders are simple: Come up with a clever cybersecurity-related caption for the cartoon above. Now comes the harder part: coming up with the winning caption!

Our favorite submission will win a $25 Amazon gift card. Here are four convenient ways to submit your ideas before the June 7, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading May Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

We burrowed through many great caption ideas (thank you, readers) to pick our fave for last month's contest, "Lucky Charm." And that person is ... Chris Roe, security analyst at Voxtur Analytics, whose caption appears below. Congratulations! A $25 Amazon gift card is on the way.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: One by One

Joint integration delivers effective DSPM enforcement for self-managed customers starting with credential-free access, risk-based continuous authentication, and protection from data exposure.

**SAN FRANCISCO****,** **May 16, 2023** **/PRNewswire/ --** Circle Security, a transformative cybersecurity platform purpose-built for threat prevention powered by a decentralized cryptographic architecture, is pleased to announce a joint integration with the ForgeRock Identity Platform. The pre-built on-premises integrated node will help businesses stay ahead of evolving threats and achieve their security goals by integrating identity authentication and privacy protection capabilities into customer applications as a single unified API.

The Circle Security integrated node provides a credential-free authentication API that enables developers and enterprise IT to enhance the security of identities for Circle and ForgeRock customers by minimizing their dependence on usernames and passwords, binding devices to identities, and securing data flows throughout identity journeys. Specifically, the combination of Circle and ForgeRock strengthens customer's security posture on two critical fronts:

*   Secure and frictionless data access across applications, browsers, and devices without the need for usernames/passwords with cryptographic credential free authentication.
*   Continuous risk-based delegated MFA as a step-up re-authentication or identity verification in existing user workflows for high-risk use cases, contexts, and user profiles.

"Circle Security and ForgeRock share a commitment to excellence, innovation, and customer satisfaction. By joining forces, we are bringing the best of both worlds to our clients and enhancing their digital security posture. Our foundational technology built on a patented decentralized architecture helps developers and enterprises elevate their security posture to _Prevention-first_ from _Detect & Respond_," said Phani Nagarjuna, Founder & CEO of Circle Security. "With the availability of the integrated node available on the ForgeRock Marketplace, self-managed ForgeRock and Circle Security customers can enjoy the benefits of no credential phishing or other credential-driven vulnerabilities and reduced data exposure."

"Our Trust Network technology partnership with Circle Security will provide our joint customers with faster time-to-value and reduced cybersecurity risk and costs," said Alecia Bridgwater, Director of Technology Partners at ForgeRock.

"Together, we will bring cutting-edge security technology to businesses of all types and sizes around the world," added Mr. Nagarjuna of Circle Security.

**About Circle Security** 

Circle is a cybersecurity platform powered by a patented decentralized cryptographic architecture purpose-built to deliver true prevention. Using Circle, enterprises can seamlessly enforce effective data security posture management starting with user data access, data flow tracking, and protection against data exposure.

Unlike other cybersecurity players, Circle decentralizes security orchestration from the cloud to the endpoint while eliminating the need for user credentials thus delivering the dual impact of prevention from credential-driven data breaches and protection from cloud attacks.

Enterprises can deploy Circle in minutes as a device-native service, a mobile app, or a zero-footprint browser-based solution while developers can integrate Circle's API-first technology into their apps, websites, products, and services with low/no code.

_All product and company names are trademarks™ or registered®_ _trademarks of their respective holders._

SOURCE Circle Security

Circle Security Technology Partnership With ForgeRock to Accelerate the Prevention-First Era in Digital Security

Researchers found 11 vulnerabilities in products from three industrial cellular router vendors that attackers can exploit through various vectors, bypassing all security layers.

Eleven vulnerabilities in the cloud-management platforms of three industrial cellular router vendors put operational technology (OT) networks at risk for remote code execution, even if the platform is not actively configured for cloud management, researchers have found.

The vulnerabilities are so severe that even though they affect devices from only three vendors — Sierra Wireless AirLink, Teltonika Networks RUT, and InHand Networks InRouter — they could impact thousands of industrial Internet of things (IIoT) devices and networks in a variety of sectors, warn Eran Jacob, security research team leader, and Roni Gavrilov, security researcher, from Otorio.

"Breaching of these devices can bypass all of the security layers in common deployments, as IIoT devices are commonly connected both to the Internet and the internal OT network," the researchers tell Dark Reading. "It also raises additional risk for propagation to additional sites through the built-in VPN."

If attackers achieve direct connectivity to the internal OT environment, it also may lead to impact on production and safety risks for users across the physical environment, the researchers added.

Moreover, attackers have a number of vectors from which they can exploit the vulnerabilities, including by gaining root access through a reverse-shell; compromising devices in the production network to facilitate unauthorized access and control with root privileges; and compromising devices to exfiltrate sensitive information and perform operations such as shutdown, the researchers said.

Gavrilov shared key findings and remediation tips about the flaws at Black Hat Asia 2023 last week, and the company also published a report that it shared with Dark Reading. All of the vulnerabilities were responsibly disclosed in coordination with the vendors and CISA and have been mitigated by the vendors, according to Otorio.

**Where the Issues Lie**

An industrial cellular router allows multiple devices to connect to the Internet from a cellular network. These routers are commonly used in industrial settings, such as manufacturing plants or oil rigs, where traditional wired Internet connections may not be available or reliable, the researchers said.

"Industrial cellular routers and gateways have become one of the most prevalent components in the IIoT landscape," Gavrilov wrote in the report. "They offer extensive connectivity features and can be seamlessly integrated into existing environments and solutions with minimal modifications."

Vendors of these devices employ cloud platforms to provide customers with remote management, scalability, analytics, and security across their OT networks. Specifically, researchers found various vulnerabilities that "pertain to the connection between IIoT devices and cloud-based management platforms," which, in some devices, is enabled by default, the researchers explain to Dark Reading.

"These vulnerabilities can be exploited in various scenarios, affecting devices that are both registered and unregistered with remote management platforms," they say. "Essentially, it means that there are security weaknesses in the default settings of certain devices' connectivity to cloud-based management platforms, and these weaknesses can be targeted by attackers."

The typical connectivity to these platforms relies on machine-to-machine (M2M) protocols like MQTT for device-cloud communication together with Web interfaces for user management, according to the report. MQTT operates on a publish-subscribe model, where the broker manages topics and devices can subscribe to receive published information. A specialized device API is also commonly used for initialization communication with the cloud platform, along with user API and Web interface for management of the devices.

**Attack Vectors**

Researchers identified critical issues that can be exploited by various attack vectors in three key areas of this connectivity: the asset-registration process, security configurations, and external APIs and Web interfaces, they said.

"Attackers could target specific facilities by leveraging sources like WiGLE and information-leak vulnerabilities (such as \[those\] found in InHand devices), or perform a wide attack on thousands of devices, aiming for wider impact or access," the researchers tell Dark Reading.

Moreover, exploitation of the vulnerabilities could allow attackers to interfere with operational processes, putting the safety of those working in the environment at risk, they say.

One attack vector that can be highly valuable in particular to ransomware groups — which are ramping up industrial network attacks — is to reach sites beyond the initial access point that are at risk due to built-in VPN connectivity of devices, the researchers say. This can allow attack propagation across the broader network, to control centers and SCADA (Supervisory Control and Data Acquisition) servers, they say.

**Mitigation Strategies**

Researchers outlined a number of mitigation strategies for both OT network administrators and vendors of these devices. OT network administrators should disable any unused cloud feature if they're not actively using the router for cloud management to prevent device takeovers and reduce the attack surface, the researchers advised.

They also should register devices under their own accounts in the cloud platform before connecting them to the Internet. This establishes ownership and control and prevents unauthorized access, the researchers said.

Further, administrators can limit direct access from IIoT devices to the routers, since built-in security features like VPN tunnels and firewalls are ineffective once compromised, the researchers said.

"Adding separate firewall and VPN layers can assist with delimitering and reduce risks from exposed IIoT devices used for remote connectivity," Gavrilov wrote in the report.

For their part, vendors can avoid building vulnerabilities into their devices by avoiding the use of weak identifiers and using an additional "secret" identifier during device registration and connection establishment, the researchers advised. They should also enforce initial credential setup so network operators avoid using default credentials and thus introducing security risks immediately into the network. Moreover, the security requirements of the IIoT are unique and should be considered separately to the IoT footprint because the two are not equivalent, the researchers warned.

"This may involve reducing 'high-risk' features upon demand and adding extra layers of authentication, encryption, access control, and monitor," Gavrilov wrote.

Severe RCE Bugs Open Thousands of Industrial IoT Devices to Cyberattack

What works in IT may not in an operational technology/industrial control systems environment where availability and safety of operations must be maintained.

When it comes to incident response, many organizations assume that the training and preparation they have done for the IT side of their networks extends to their operational technology/industrial control systems environments. While they may appear to share many similarities, OT security requires different protocols, objectives, analysis, forensics, and other security methods. What works successfully in an IT network may be problematic for conducting incident response (IR) in an OT/ICS environment, where availability and safety of operations must be maintained. 

Organizations must understand the key differences to navigate around gaps and pitfalls that could prevent a successful OT/ICS IR scenario. 

These are the most common areas we see organizations need some help with during our incident response simulation assessments.

**Shutting Down First, Asking Questions Later**

In an IT environment, isolating or shutting down the system to prevent further infection is a normal and relatively common practice. In an OT environment, isolation or shutting down a system has much more substantial ramifications. 

For example, in the Colonial Pipeline attack, they responded to an attack in the IT systems. To ensure it did not spread to OT systems, they shut those down as well, even though the ransomware did not reach the OT level. The move was in line with their culture of safety. But a shutdown of OT systems has a higher cost per minute of downtime and requires longer to get running again. An IT server can be taken offline and a new one created and stood up in about a day if the entire IT department works on it. In Colonial's case, it took five days _after the ransom was paid_ to stand the pipeline's OT network backup to regular operations. 

**Stopping the Attack and Starting Remediation Too Early**

IT security personnel in a security operations center (SOC) traditionally do not have intimate knowledge of the OT systems, and OT equipment is much more sensitive to data transfer. The SOC team members may get an alert of something happening in the OT system, and if they jump to conduct a scan for vulnerabilities, they can easily overwhelm the system, denial-of-service style. That means it will cease to function and cause a massive loss in productivity. It also requires the OT engineer to go in and fix the mess, which can be an unnecessary source of additional frustration during an already stressful time.

**Lack of Alignment on Ultimate Responsibility**

Because IT and OT teams are so separate, sometimes no one has responsibility for OT from a day-to-day perspective. If a SOC is responsible for the security of all IT systems in the company, does that include OT systems? OT systems aren't IT systems, so one could say no. OT systems have IT assets, though, so are those included? Are those OT assets or IT assets? There is a problem from the moment of responsibility. You have IT professionals without knowledge or experience with the OT assets, and you have OT professionals without a security mindset or understanding of cyber-risk. And neither likes being dictated to by the other. 

**Misunderstanding What the Other Side Is Trying to Accomplish**

One story told by a customer perfectly sums up this point. They talked about how their SOC used to send security reports to the OT engineers to have them patch, fix, or change something in the OT systems. Whenever the OT professionals received this report, they would promptly throw it in the trash. Whether this was from a lack of understanding on either the OT or IT side is unclear, but what is clear is that the communication between the teams was not just insufficient — it was actively opposed.

So how can organizations overcome these challenges? 

Communication and compromise are crucial to building trust. Instead of the security professionals dictating what needs to occur in an OT system, they should work with the OT professionals to find compromises that do not hinder OT goals too much while still allowing the network to maintain security. It's vital to proactively bring both groups together to work towards common security objectives. 

CISOs and security managers can implement structured training programs that simulate how cybersecurity and incident response teams from both IT and OT disciplines would work together during a real-life incident response event. By putting the right people from both sides in the right seats and creating a shared learning path, you invite communication and collaboration between the groups. The more they can practice detecting, responding, and remediating attacks on critical infrastructure together, the better they can understand how to work together better in real life. 

At the end of the day, they are both after the same thing: keeping the organization and its people safe from industrial cyberattacks.

4 Big Mistakes to Avoid in OT Incident Response

Wide use and lack of support for malware detection technologies has made VMware's virtualization technology a prime target for cyberattackers.

The widespread use of VMware's ESXi hypervisor and the fact that it does not support any third-party malware detection capabilities has made the technology an increasingly attractive target for ransomware operators.

The latest manifestation of that fashion trend is "MichaelKors," a new ransomware-as-a-service (RaaS) program that researchers at CrowdStrike found attackers recently using to target ESXi/Linux systems. MichaelKors is one of several paid services CrowdStrike is tracking — including Alpha Spider, Bitwise Spider, and Sprite Spider — that currently provide attackers with malicious binaries for locking up ESXi systems.

**A Slew of ESXi Ransomware**

Earlier this month, SentinelOne reported a similar trend involving ransomware variants based on leaked source code of the Babuk ransomware strain from 2021. Between the second half of 2022 and so far in 2023, SentinelOne has observed at least 10 ransomware families based on Babuk source code targeting the ESXi hypervisor. Among those using the Babuk ESXi variants were small groups and large ransomware operators such as Conti and REvil. SentinelOne found the attackers often taking advantage of ESXi's native tools and commands to kill guest machines and encrypt hypervisor files.

Other vendors have reported seeing multiple other major ransomware groups, including the operators of Royal ransomware, Luna, and Black Basta, all pivoting from Windows to ESXi/Linux over the past year.

A couple of factors are driving attacker interest in hypervisors and VMware's ESXi technology in particular.

**Hypervisor Jackpotting**

One of them is the fact that many organizations use ESXi to manage their virtual infrastructure. VMware environments often host hundreds of VMs running business critical applications. By compromising ESXi, attackers can potentially gain control over multiple virtual machines on the host, thereby giving them an opportunity to considerably scale up their attacks. In a ransomware scenario, an attacker can encrypt multiple virtual machines and increase their likelihood of collecting a ransom from victims.

Such "hypervisor jackpotting" is a tactic that attackers use in so-called big game hunting campaigns targeting large and high-profile enterprise organizations. "In hypervisor jackpotting, threat actors deploy Linux versions of ransomware tools specifically designed to affect VMware’s ESXi vSphere hypervisor," a CrowdStrike spokeswoman says. "By deploying ransomware on ESXi hosts, adversaries quickly increase the scope of affected systems within the victim environments, resulting in additional pressure on victims to pay a ransom demand."

**A Lack of Support for Malware Detection**

The second reason attackers are increasingly targeting ESXi environments is because they know the hypervisor doesn't support any native malware detection capabilities, according to CrowdStrike. As a hypervisor, ESXi is designed purely to provide virtualization services and services for managing virtual machines. VMware itself has described the hypervisor as not requiring any antivirus software and has not provided any support for third-party malware detection agents either. "ESXi, by design, does not support third-party agents or antivirus software and VMware states in its documentation that antivirus software is not required," CrowdStrike said in its blog post this week. This fact, combined with the popularity of ESXi has made the hypervisor a highly attractive target for modern adversaries, the security vendor said.

Others have highlighted the same problem. Recorded Future, which counted a threefold increase in ransomware targeting ESxi servers between 2021 and 2022 (from 434 to 1,188) recently noted the immaturity of antivirus and malware detection technologies for ESXi — and the difficulty in implementing them — as lowering the barrier for threat actors. "Defensive practices are difficult to implement due to the complex nature of hypervisors," Recorded Future said.

ESXi vulnerabilities are another problem. A case in point is a global ransomware attack on ESXi servers earlier this year that exploited two vulnerabilities in the hypervisor one from 2021 (CVE-2021-21974) and the other from 2020 (CVE-2020-3992) to drop a novel ransomware strain called ESXiArgs.

"Given the popularity of VMware products and the continuous adoption of cloud infrastructure, this problem appears to be getting worse," the CrowdStrike spokeswoman says. "CrowdStrike Intelligence has also observed hypervisor jackpotting becoming a dominant trend."

The larger issue at play is that there is currently no solution out there to help with the threat. Threat actors continue to target VMware as they know that the ESXi environment is vulnerable and without remedy at the moment, the CrowdStrike spokeswoman notes. "More and more threat actors are recognizing that the lack of security technology and monitoring, lack of adequate network segmentation of ESXi interfaces, and in-the-wild vulnerabilities for ESXi create a target-rich environment" for ransomware attackers.

'MichaelKors' Showcases Ransomware's Fashionable VMware ESXi Hypervisor Trend

Former Humu, Google, and Twitter security leader adds deep security experience.

**MOUNTAIN VIEW, Calif.****,** **May 15, 2023** **/PRNewswire/ --** Lacework, the data-driven cloud security company, today announced the appointment of Lea Kissner as its new Chief Information Security Officer (CISO). As CISO, Kissner will be responsible for leading the development and implementation of Lacework's overall security strategy and programs.

Kissner brings over 20 years of experience leading security, privacy, and anti-abuse efforts at global organizations to Lacework. Their experience includes serving as CISO at Twitter, Chief Privacy Officer at Humu, and Global Lead of Privacy Technology at Google. In the spring of 2020, when Zoom experienced security concerns after a massive increase in usage due to the  COVID-19 pandemic, Kissner served as a Security and Privacy consultant for the company to improve the security, privacy and anti-abuse features of Zoom's products and systems.

Kissner currently serves as a board member to the USENIX Association, a nonprofit organization dedicated to supporting the advanced computing systems communities and furthering the reach of innovative research.

"I am thrilled to join the team at Lacework and our mission to secure the cloud at a time when enterprises are increasingly expanding their cloud environments," said Kissner. "My whole career I've been passionate about helping people build respectful, secure products that just work for their users. Lacework's unique, data-driven approach to cloud security allows customers to do just that while taking advantage of all the inherent benefits of the cloud."

Kissner's appointment comes as Lacework continues to expand its presence in the cloud security market, as well as its leadership team. In November of 2022 the company announced 

"Lea brings a deep understanding of both the challenges facing modern CISOs as well as the tremendous value CISOs bring to their organizations and customers when given the chance to implement security best practices," said Jay Parikh, CEO, Lacework. "Every enterprise needs to be investing in security leadership, both at the operator and board level, and Lea's experience will help us better serve our customer CISOs as we continue to deliver a world class cloud security platform to help them do their job."

To learn more about Lacework, visit lacework.com.

**About Lacework**

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization's cloud and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at www.lacework.com.

SOURCE Lacework

Lacework Appoints Lea Kissner as Chief Information Security Officer

Relatives are being alerted that a PharMerica compromise exposed the sensitive data of their deceased loved ones, which could be used for identity theft.

PharMerica Healthcare has disclosed that its systems were breached earlier this year by an unauthorized third party, which resulted in the leak of the personal details of more than 5.8 million deceased people.

PharMerica provides pharmacy services for patients under long-term care, including those in senior living facilities, hospice care, and using behavior health services.

A copy of a letter disclosing the data theft sent by PharMerica and addressed to the "Administrator/Executor of the Estate of...," explained the cybersecurity incident occurred from March 12-13, and exposed information including the deceased person's name address, date of birth, Social Security number, medications, and health insurance details.

PharMerica added that it has conducted a review of the incident and has "taken steps to reduce the risk of this type of incident from occurring in the future, including enhancing our technical security measures."

NextGen Healthcare similarly disclosed a data breach by a third party days before PharMerica. In NextGen's case, an unauthorized actor accessed a database with information on more than 1 million people.

**Seniors Most at Risk**

"This is a devastating data breach both in terms of size and the severity of what was leaked," Paul Bischoff, consumer privacy advocate at Comparitech, said in a statement in reaction to the PharMerica disclosure.

"The Social Security and health insurance information pose the most immediate threat," Bischoff added. "They could be used for identity theft and medical benefits fraud, respectively."

Because the victims are passed, relatives aren't likely to regularly monitor their credit reports, making any cybercrime related to the stolen data even more difficult to detect and stop, Bischoff explained.

"That puts the onus of responsibility on relatives, who could be on the hook for the deceased's debts," Bishoff added. "I suspect this attack disproportionately affects the elderly as well, who are frequently targeted by fraud."

Chris Hauk, consumer privacy advocate at Pixel Privacy, also urged in a statement those impacted by the PharMerica compromise to stay on alert for accounts and lines of credit opened in a deceased person's name, as well as phishing attempts using the stolen sensitive data.

"As senior citizens make up a large number of pharmaceutical customers, they and their caretakers will also need to stay alert for phishing attempts," Hauk added.

PharMerica Leaks 5.8M Deceased Users' PII, Health Information

The freshly minted ransomware gang is customizing leaked Babuk source code to go after cyber targets in the US and South Korea — and it's expanding its operations quickly.

A newly discovered ransomware gang dubbed RA Group is ramping up its cyberattacks — the latest in a line of threat actors leveraging the leaked Babuk source code. The group distinguishes itself from the rest of the Babuk pack, however, with a highly customized approach.

According to an analysis from Cisco Talos this week, RA Group opened shop on April 22 and has been rapidly expanding its operations ever since. So far, it's gone after organizations in the US and South Korea in the manufacturing, wealth management, insurance, and pharmaceutical industries.

By way of background, the full source code for the Babuk ransomware was leaked online in September 2021, and since then several new threat actors have used it to go into the ransomware business. In particular, several have used it to develop lockers for VMware ESXi hypervisors — over the past year, 10 different ransomware families have gone that route.

Others have customized the code in other ways, taking advantage of the fact that it is built to exploit several known vulnerabilities, including those found in Microsoft Exchange, Struts, WordPress, Atlassian Confluence, Oracle WebLogic Server, SolarWinds Orion, Liferay, and others.

"By reusing code written by others and leaked, these groups are reducing their development time significantly and possibly even incorporating features they would otherwise have been unable to create themselves," Erich Kron, security awareness advocate at KnowBe4, said in an emailed comment. 

He added, "In the last few years, especially after ransomware-as-a-service (RaaS) offerings became popular, it's become very clear that you do not have to be a technical marvel to play in the cybercrime and extortion game. Simply using other people's code, through a subscription or through leaks such as this, with minor modifications can get just about anyone equipped to carry out attacks."

**RA Group's Unique Take on Babuk**

In RA Group's case, it's using a typical double-extortion model in which it threatens to leak exfiltrated data if the victim doesn't pay the ransom; however, according to the ransom note, victims have just three days to pay up.

That's not the only tweak to known playbooks the group is employing. "In their leak site, RA Group discloses the name of the victim's organization, a list of their exfiltrated data and the total size, and the victim’s official URL, which is typical among other ransomware groups’ leak sites," according to Cisco Talos' analysis of the ransomware group. But in a twist, the "RA Group is also selling the victim’s exfiltrated data on their leak site by hosting the victims’ leaked data on a secured Tor site."

Despite the RA Group's spin on ransomware, the basics remain effective when it comes to defending against the threat: Organizations should make sure their environments are patched and up to date, continually monitor their networks for any signs of malicious activity (and ensure their security tools are updated with the latest indicators of compromise), and ensure they have effective backup and recovery procedures in place in the event of a successful attack.

RA Ransomware Group Emerges With Custom Spin on Babuk

With the introduction of generative AI, even more business users are going to create low-code/no-code applications. Prepare to protect them.

In recent years low-code/no-code has been empowering business users to address their needs on their own, without waiting for IT, by intuitively building applications and automations. Generative AI, which has captured the imaginations and mindshare of the enterprise and customers, both increases that power and reduces the barrier to entry to practically zero. Embedding generative AI in low-code/no-code turbocharges the business' capability to move forward independently. Now, without a shadow of a doubt, everyone is a developer. Are we ready for the security risk that follows?

As soon as ChatGPT was released, business professionals started using it and other generative AI tools in an enterprise setting to get their jobs done quicker and better. Generative AI writes PR pitches for marketing directors, prospecting emails for sales reps, and many more use cases. While data governance and legal issues have emerged as inhibitors for official enterprise adoption, business users aren't waiting for approval and have already integrated it into their daily operations.

Meanwhile, developers have been using generative AI to write and improve code with tools like GitHub Copilot. A developer specifies a software component in natural language, and the AI generates working code that fits within the developer's context. The developer's role in this workflow is crucial: They must ask the right technical questions, be able to evaluate the generated software, and integrate it with the rest of the code base. These tasks require software engineering expertise.

Note that there's a clear distinction between the business professional and developer use cases specified above; the developer produces software that can be shared and reused, and can act on behalf of users, while the business professional answers a specific question or need, one example at a time. The limiting factor for business professionals to generate their own applications is their ability to reason about software produced by the AI without having the technical expertise of a developer. This is exactly where low-code/no-code comes into play.

**Code Generation for Business Professionals**

Low-code/no-code is, more than anything, an intuitive language that allows anyone to reason about software without having a technical background. This makes it the perfect candidate to act as a translator between generative AI and business users. Instead of generating software code that requires technical expertise to evaluate, generative AI generates low-code/no-code applications and automations that business users can easily evaluate and adjust. Low-code/no-code and AI are the perfect match to empower business professionals.

Major low-code/no-code vendors have already announced AI copilots that generate applications based on text inputs. Analysts are forecasting a five- to 10-times growth in low-code/no-code application development following the introduction of AI-assisted development. Low-code/no-code platforms also allow the AI to easily integrate across the enterprise environment, gaining access to enterprise data and operations. We are getting closer to a reality where every conversation with the AI can leave behind an application. That application would plug into business data, be shared with other business users, and get integrated into business workflows.

**Accept and Manage the Security Risk**

Security teams have traditionally focused on the applications that their development organizations create. We still often fall prey to thinking about business platforms as ready-made solutions, when in reality they have become application development platforms that power many of our business-critical applications. We have only just begun to make progress in bringing citizen developers under the security umbrella.

With the introduction of generative AI, even more business users are going to create even more applications. Business users are already making decisions about where data is stored, how it is processed by their applications, and who can gain access to it. If we leave these choices up to them without any guidance, mistakes are bound to happen.

Some organizations will try to ban citizen development or ask for business users to get approval for any application or data access. While that is a reasonable reaction, I find it difficult to believe it would succeed in face of the massive productivity payoffs for the business. A better approach would be to provide a safe way for business users to leverage generative AI with low-code/no-code, installing automated guardrails that silently handle security issues and leave business users to do what they do best: push the business forward.

Generative AI Empowers Users but Challenges Security

This Tech Tip demonstrates how security engineers can best use rate limits to mitigate distributed denial-of-service attacks.

Distributed denial-of-service (DDoS) attacks are growing in frequency and sophistication, thanks to the number of attack tools available for a couple of dollars on the Dark Web and criminal marketplaces. Numerous organizations became victims in 2022, from the Port of London Authority to Ukraine's national postal service.

Security leaders are already combating DDoS attacks by monitoring network traffic patterns, implementing firewalls, and using content delivery networks (CDNs) to distribute traffic across multiple servers. But putting more security controls in place can also result in more DDoS false positives — legitimate traffic that's not part of an attack but still requires analysts to take steps to mitigate before it causes service disruptions and brand damage.

Rate limiting is often considered the best method for efficient DDoS mitigation: URL-specific rate limiting prevents 47% of DDoS attacks, according to Indusface's "State of Application Security Q4 2022" report. However, the reality is that few engineering leaders know how to use it effectively. Here's how to employ rate limiting effectively while avoiding false positives.

**Understand Expected Network Traffic and Vulnerabilities**

Engineering leaders often find it difficult to implement rate limiting as a DDoS mitigation tool because they don't know what thresholds to set. The first step is to answer the following questions:

*   How many users visit your application every minute?
*   How many report/dashboard actions can your application handle? Is that the same for a reset password page?
*   Since server load on dashboards tends to be high, could a lower rate limit block legitimate users trying to access a cheaper resource, such as a profile page, for example?

Going over 100 requests in one minute on a login page could be enough to take the server down, while a product page might have no trouble handling 300 requests in a minute. That's why it is useful to know the threshold of network traffic for each URL within each application.

Network monitoring tools, log files, and buffer capacity can help teams develop accurate baseline network traffic models and manage incoming and outgoing data flow. Suppose you ran a Christmas holiday campaign over 30 days, and the request limit was 300 per minute. To clearly understand the expected network traffic, the security and DevOps teams need to know two things: How many requests were made each minute on average? And if there were 480 requests in one minute, does the team get an alert to check that it was legitimate traffic?

Having granular details on IP, host, domain, and URI vulnerabilities means teams can act more quickly to thwart DDoS attacks.

Numerous security teams have been surprised to receive alerts about attacks targeting their human resource management systems, not just consumer-facing business websites. It is vital to be aware of all the potential applications targeted by DDoS attacks to reduce false alarms.

**Implement Custom Rate Limits on Various Parameters**

Security teams want around-the-clock application availability and are relying on managed services to get more value from DDoS mitigation software. In-built DDoS scrubbers help security leaders go beyond static rate limits and customize rules based on the behavior of inbound traffic received by host, IP, URL, and geography.

So what should cybersecurity teams know about rate limits?

*   Never do rate limits on the domain level (e.g., acme.com). Hundreds of URLs get added to the domain, which lowers the per-page requests needed to trigger the rate limit. This can cause unnecessary blocking of legitimate requests or, if you compensate by raising the rate limits overall, allow too many malicious requests to pass through.
*   Set rate limits on the URL (e.g., acme.com/login) to control which customers can access a particular URL or set of URLs. Cybersecurity teams can set rate limits differently for each URL, and a server may block requests if the number exceeds the rate limit.
*   Customize the rate of requests on a session level (the time logged in) to detect unusual behavior that may indicate malicious activity and thus prevent servers from being overwhelmed. For example, if a user opens acme.com 100 times a minute, that's not normal behavior.
*   Monitor rate limits at an IP level to limit the number of requests or connections from a particular IP address. IP blacklisting — adding known malicious actors or sources to a blacklist — makes it easier for website owners to block traffic from IP addresses known to be involved in DDoS attacks.
*   Implement geographical rate limiting. Security leaders need to quickly examine IP address reputations and geolocation data to verify the source of traffic. As a best practice, I recommend teams implement geofencing as a standard for all local applications.

By using the above methods, application owners end up setting more granular rate limits by using system recommendations based on user behavior. This — in conjunction with using DDoS mitigation mechanisms, such as tarpitting and CAPTCHA, before blocking requests — can minimize false positives to the maximum extent possible.

Cybersecurity decision-makers must take a multilayered approach to protection by having a clear understanding of network traffic patterns and using fully managed platforms to set rate limits for threat intelligence.

Source

DARKReading