When ransomware strikes, how much should you gamble on your resources and opponents' intentions? Here's how to deal yourself a rational, informed way to weigh your options after an attack.

When it comes to the ransomware game, it's worth comparing it to another high-stakes activity, poker. It's important for organizations to understand what they're gambling with when they decide whether or not to "negotiate with terrorists."

There's still a certain secrecy or even shame attached if an organization decides to pay the ransom to unlock systems and files — which can cost anywhere from thousands to millions of dollars. However, there shouldn't be, according to Brandon Clark, CEO and founder of cybersecurity consulting firm Triton Tech Consulting. 

He should know, as his security strategy and compliance practice — with expertise in business continuity and disaster recovery — often deals with clients who have to clean up the mess that ransomware attacks leave behind.

"Let's say if you have a hardware failure and a vendor comes in and says, 'We can get you back up and running for a grand total of a million dollars,'" he says, referring to ransomware negotiation services. "It would be unfortunate — and that would be bad press and nobody wants to see that — but there would also be a fair amount of, 'Yeah, that happens.'"

Ransomware also happens, to organizations both large and small. They're then faced with a complex dilemma encompassing not only practical, logistical, and business consequences, but also emotional ones — especially if reputations (or even lives, in healthcare settings) are at stake, when systems go down.

**Ransomware Response: Know When to Fold 'Em

"There is a lot of moral ambiguity," says Clark, who plans to present a session at this month's RSA Conference 2023 that lays out a rational strategy for navigating ransomware response. 

When ransomware actors target hospitals with potentially life-threatening attacks, for example, "what's the moral obligation we have to our customers to get our customers back up and running?" he asks. "If systems are down with ransomware and a patient dies, should they have paid the ransom just to have their systems back?"

    

Triton Tech's Brandon Clark will discuss ransomware response and poker at RSAC 2023.

And while poker and ransomware may not seem to have much in common, they are both activities in which a lot of money can be won or lost, Clark says. Just like each poker player and game is unique, so is every ransomware scenario, which means there is no one-size-fits-all solution for every organization.

Deciding whether or not to pay a ransom, then, must be an informed decision that takes various factors into account without the knee-jerk response of balking at giving attackers what they want purely because it's not seen as the right thing to do, he says.

****Know Who's at the Poker Table & When They Bluff**

When deciding whether or not to pay a ransom, an organization should take a similar approach to a poker player sitting at a table, Clark says. That is, it should have an idea of with whom it is playing, along with a knowledge of the typical aspects of the game, such as how much money is at stake.

"When you're at a poker table, the cards are important, but the person sitting across from you is even more important," he says. "We need to be making an informed decision about who we are playing against."

Thus, threat intelligence is a key aspect of this, he says, because you need to know if your opponent could be bluffing. For instance, if the ransomware attacker involved has a reputation for claiming to have exfiltrated data when it hasn't, or if it is known for not unlocking files even after a ransom is paid, those are things to take into consideration.

"\[Companies ask\], 'if we pay the ransom, how do I know if they're going to lock us out again?'" Clark notes. "The answer is: You don't. That's when the threat intelligence piece is super important."

Organizations also need to know what's at stake — such as knowing what your system resiliencies are, what it's going to cost if something is not available — as well as what resources they have available to recover systems on their own, such as if they have good backups and segmentation tools, he says: "All of that goes in together to help you make an informed business decision."

For example, if a ransomware attacker is asking for $5 million but it's going to cost a company $70 million or $100 million to recover its data on its own, the question becomes, "Why aren't we paying that?" Clark says. "On the flip side, if it's only going to cost us $5,000, why would we pay that $5 million?"

Ultimately, it's up to the organization involved to decide, based on multiple factors, which route to take to recover from a ransomware attack — just as a poker player can go in several directions once a hand is dealt, Clark says.

"You can say, 'do I raise,' that is, are we are going to go this alone — and that's what a lot of companies do," he says. A company can also do the poker equivalent of folding by giving in and deciding that the data kept in some lost systems is not worth the cost to recover them, and thus rebuild them from scratch, Clark says.

**Upping the Ante on Cyber Defense**

In the meantime, there are a number of ways a company can put itself in a more empowering position to negotiate — or not — before a ransomware attack even happens, Clark says. Some of the advice is obvious, such as implementing secure passwords and multifactor authentication (MFA), so systems aren't breached in the first place, he says.

And in many instances, phishing remains the primary way that attackers gain access to user credentials and thus enterprise systems, so "making sure you have strong controls around that" in the form of email filtering and security awareness "is incredibly helpful," Clark says.

One recommendation that he says many organizations don't implement very often yet is to have "some sort of Dark Web scanning or threat intelligence" in place to identify when credentials for an enterprise user have been compromised, he says.

Organizations also should engage in ransomware-impact analysis using a ransomware simulation tool that they can develop alongside security consulting experts, he explains. This can help them understand better how to react if the situation arises, as there is not a lot of time to do a risk assessment in the immediate aftermath of an attack.

Regarding backups, which organizations cite as a surefire way to recover systems on their when they lose data to ransomware, Clark advises that organizations take a cautious approach to betting too much on them, versus paying a ransom or another alternative solution.

"According to some of the research we've seen, most of the attackers are in the environment up to 10 months before they detonate," he says. This means that's there's a good chance there is already malware in an organization's backups, Clark adds.

"You need to make sure you're working with a forensics team when you restore," he advises, "so you don't end up redeploying malware from seven months ago."

High-Stakes Ransomware Response: Know What Cards You Hold

A hacktivist group working with Russia claims it breached DELTA, the Ukrainian battlefield management system (BMS).

The Joker DPR threat group has been around and functioning as an arm of the Russian state since 2019, largely focused on spreading disinformation and leaking sensitive Ukrainian government and military secrets stolen by insiders friendly to Russia. Its goal is undermining people's confidence in the country's institutions, but no one should be fooled into thinking Joker DPR is a sophisticated group of super-hackers — it's not.

In its own words, Joker DPR wants to "destroy the clowns" running Ukraine's government ("DPR" is the English acronym for a separatist group in eastern Ukraine called Donetsk People's Republic). And in November, it made a startling claim that would seem to further that agenda — that it had real-time access to DELTA, the Ukraine military's battlefield management system (BMS). If true, this would have given the group insights into military planning for the Armed Forces of Ukraine (AFU).

However, according to new analysis from Recorded Future, that claim was vastly exaggerated.

**Exaggerated Access to Ukraine's Troop Movement Data**

Recorded Future and other cybersecurity experts were dubious about the hacktivist group's allegations and found after analysis of Joker DPR's "proof" of compromise that instead of gaining full access, the threat group is far more likely to have access to an individual user account.

The distinction hardly mattered to Joker DPR, since Russian media quickly picked up the story and proclaimed that the Russians had a full backdoor into Ukraine's DELTA system.

After the claim of compromise, AFU commanders might choose not to use the sophisticated system on the battlefield — a win for Russia. The Recorded Future researchers said they have sources which show that this tactic was effective.

"Given that the breach was unlikely to have occurred in the manner Joker DPR described, in real terms, the greatest damage Joker DPR could have inflicted was through the assertion of the breach's existence," the Recorded Future researchers added. "Joker DPR was essentially claiming that it had real-time access to the BMS."

The report added that the fact that Russian media was so eager to pick up the story further signals Joker DPR didn't actually have the access to DELTA as claimed. If it had real-time intel into the AFU's movements, Russia would not be so quick to give away their advantage, Recorded Future's research explained.

**Don't Believe the Hacker Hype**

Although the group wants to give the impression of being a band of super hackers, in reality, the group hasn't displayed dazzling hacking abilities, according to Recorded Future's analysis.

"Put simply, the group does not appear to specialize in hacking, and it will 'take what it can get' to support its information agenda," a researcher who prefers to remain anonymous from Recorded Future tells Dark Reading. "Joker DPR first and foremost specializes in information operations, and any cyber activity that occurs within the umbrella of the group is only meant to support those operations."

That makes it tricky to try and predict Joker DPR's next target.

"Joker DPR's activities suggest the group is more opportunistic with its cyber activity, using its platform to amplify news of compromises in an effort to undermine the credibility of the Ukrainian government and military," Recorded Future's researcher says. "This is in contrast to groups like Killnet that display consistency in their tactics, techniques, and procedures (TTP) and targets."

The likelihood of international law enforcement reaching Joker DPR in Russia is small, but Recorded Futures' analysis hopes to raise the group's profile to help protect Ukraine's forces from Russian-aligned groups, as well as push pack against ongoing Russian disinformation campaigns.

Russia's Joker DPR Claims Access to Ukraine Troop Movement Data

Complex multicloud environments present organizations with security challenges, but also opportunities for efficiency.

Many enterprises find themselves with hybrid and multicloud environments. While the days where everything was either on-premises or in private clouds are gone, it is far from the case that enterprises have put all — or even the vast majority of — their applications and infrastructure into the cloud. Further, it is nearly never the case that an enterprise has consolidated everything into a single cloud provider; instead, businesses operate with a complex mix of diverse environments. It appears that this will be the case for quite some time.

What may be less known, or at least less considered, is the amount of complexity and the number of challenges that these environments bring. What this means for most enterprises is that they find themselves struggling to efficiently manage and secure hybrid and multicloud environments. In addition, many enterprises find themselves spinning up and maintaining multiple technology stacks within each environment, often requiring entire teams dedicated to this function. As the popular security mantra so aptly says, complexity is the enemy of security.

How so? For starters, complexity introduces the opportunity for human error and oversight. This often brings with it security holes, which in turn increase the attack surface of business-critical applications and the infrastructure they run on.

To get an idea of how complex of an environment most enterprises are faced with, let's look at a few data points from F5's "2023 State of Application Strategy" report:

*   85% of organizations operate multiple application architectures and locations.
*   90% of organizations that maintain multicloud infrastructures report challenges.
*   42% of organizations leverage four or more cloud providers.
*   37% of applications are deployed on-premises.
*   15% of applications are deployed in the cloud.
*   58% of organizations are using digital services to substantially drive the business, with those services accounting for half or more of the firm's annual revenue.

The data clearly articulates the complexity that most enterprises face, and it also shows that hybrid and multicloud environments — and the challenges they bring — are here to stay.

**Business Challenges of Multicloud Environments**

What are some of these challenges that businesses face? While not an exhaustive list, here are a few of them:

*   Managing and securing multiple complex environments.
*   Applying policy and security consistently across diverse environments.
*   Easily provisioning the required networking and security infrastructure.
*   Deploying applications easily where required across the ecosystem.
*   Ensuring the requisite connectivity and security across applications.
*   Needing a central console to manage multiple complex environments.
*   Gaining visibility into infrastructure and applications to ensure health, compliance, and security.
*   Properly monitoring for and responding to infrastructure and security issues.

Thankfully, enterprises have options when it comes to addressing these points and can leverage distributed cloud and multicloud solutions to help reduce complexity and simplify. Doing so allows enterprises to more efficiently and effectively manage and secure their hybrid and multicloud environments.

**What to Look for in Distributed Cloud**

When looking at distributed cloud solutions, enterprises should take into account a few important points:

*   Workload protection and application security (at layer 7) is a must, particularly for applications that span multiple environments.
*   While many solutions provide network security (layers 3 and 4), fewer seamlessly integrate workload protection and application security on top of network security.
*   The user layer (layer 8) is extremely important when looking to protect against automated attacks and fraud. This is mainly because differentiating between human and automated traffic and between legitimate and fraudulent traffic requires an understanding of intent that can only be gleaned from the user layer.
*   A central console that brings everything together and facilitates the management and security of both applications and infrastructure is imperative.
*   Inclusion in the architecture and design of the enterprise early on, with an ability to flexibly consume different features and grow around, is central.
*   An ability to efficiently address what the market demands — flexibility and fast pace — without introducing complexity and security holes is important.

Although it requires some investment and effort, taking control of the challenges that hybrid and multicloud environments present is essential for enterprises to remain competitive, keep costs under control, reduce complexity, and adequately manage and secure both applications and infrastructure. The sooner an enterprise begins tackling these challenges, the sooner it can efficiently and securely provide its customers the functionality they seek.

How and Why to Put Multicloud to Work

A CISO with a focused role will be better prepared to thrive in an organization and accelerate adoption and understanding of cybersecurity.

Effective cybersecurity operations are as unique as the business models and technology choices of the companies they protect. Their creation and management are constantly complicated by a lack of common terminology and set of expectations, due mainly to the chaotic path our industry has taken since its relatively recent birth.

Cybersecurity leaders are similarly difficult to measure and understand because our language and their capabilities aren't clear, with the lack of a common nomenclature further reflected in the assessment of skill sets and qualifications. The mix of cybersecurity complexity, opaqueness, and urgency creates a vague picture of who can successfully lead and hold responsibility for the operation.

The relative immaturity of the cybersecurity function leaves insufficient organizational precedent for titles and hierarchy. Some organizations default to practicality: Whoever runs IT or the help desk becomes be the security leader. Others are interested in hiring a chief information security officer (CISO) who will manage the details of security that are unfamiliar to all other business leaders. Neither of these approaches are healthy.

The popular narrative around security is dominated by images of fear, uncertainty, and doubt. We're led to believe security is terrible, that breaches are inevitable, or that the right leader can render the organization invulnerable. This kind of absolutism usually comes from those new to the space who aren't yet well-versed in security. It's pervasive, it's incorrect, and it breeds insecurity for both the organization and the individual. 

According to one report, stress (60%) and burnout (53%) were the largest personal risks CISOs face. It doesn't have to be that way. These difficulties start early, with CISO job postings that are poorly constructed, written by someone who doesn't have proficiency in security, and without clear descriptions of desired outcomes. A game-changing shift is a focus on those outcomes and the role that supporting business objectives play in evangelizing, and ultimately delivering, security. The resulting CISO is far better prepared to thrive in the organization and accelerate adoption and understanding of cybersecurity.

How does a CISO do that? Here's the advice I would offer — a guide to creating supporters, champions, and realistic expectations.

**1\. Set Expectations**

The difference between successful leaders and those who burn out is communicating the realities of cybersecurity, from current measures to potential future states. The burnouts accept and even promote the expectation that they will heroically keep an organization from getting breached. History has painfully, and repeatedly, proven that the very best CISO cannot block everything. Successful, more balanced CISOs focus on improvements in protection and in demonstrating progress.

Successful CISOs are specific and transparent about what they will do in their role. They reinforce the reality that security is a team sport. These communications and collaborations are far more important than any technology purchase or deployment. Security budgets may have tripled over the past four years in the face of increasing cyberattacks, but a bigger wallet won't solve every problem. 

When you create a common language and vision within your organization, everyone understands the topics when you evangelize security for a particular outcome. It also means that everyone knows what to do in the event of one of those fires. As a result, the stress levels will lessen, as will the frequency and pain of today's CISO burnouts.

**2\. Be a Business Executive First, Cyber Expert Second**

The ability to solve business problems using security is what turns a security practitioner into a CISO. This is especially difficult for the organization that has asked a non-security IT professional to oversee security. That person may not understand that the role isn't just about being an elevated security expert. Understanding risk, tradeoffs, costs, and enabling business objectives is what creates successful relationships and outcomes

As an example, imagine a company expanding into Europe. That expansion is subject to General Data Protection Regulation (GDPR), and this will influence priorities and investments in areas that may not be as critical to a purely security-focused program. A valuable CISO recognizes the business need and context for the controls they recommend. In this example, fines could easily outpace the financial impact of a minor breach, and communicating those tradeoffs is good for the business and good for the reputation of the CISO.

In general, successful business leaders have an area of personal expertise, but thrive by enabling macro-objectives. As CISO, your security expertise should always make cybersecurity a business accelerator, not a hindrance.

**3\. Align on a Strategy**

Long-lived and successful CISOs are intentional and calculated in their planning and decision making. Without a strategy, you're purely reactive, and you find yourself reacting to fires all day, every day.

Instead, when you design a security program, create a structure that allows you to manage by exception, not rule. This lights a torch to guide others in the organization, empowering them to excel. You'll quickly find that most people want to do the right thing. If you explain what that success looks like rather than point out their failures, you'll start building a security muscle, and security support, across the organization. Peers will know when to put their hand up and ask for help, and it will be easier for you to impact direction because you're not advocating the changes alone.

**Be That CISO**

When you've created this kind of culture, management expectations are rooted in reality, where everyone considers their effect on the organization's security posture, and CISOs aren't faced with surprises, resistance, and friction that make them want to quit. If you advocate with the clarity that most cannot find in cybersecurity, you will achieve the outcomes everyone is striving for.

Rethinking Cybersecurity's Structure & the Role of the Modern CISO

It's not hacking if organizations fail to terminate password access after employees leave.

An alarming number of organizations are not properly offboarding employees when they leave, especially in regard to passwords. In a March PasswordManager.com survey of 1,000 U.S. workers who had access to company passwords at their previous jobs, 47% admitted to using them after leaving the company.

Security teams should be terminating access to all employee accounts, such as email, cloud applications, and internal tools, after employees leave. For accounts or services where multiple employees share passwords, those passwords should be rotated to ensure that the former employees no longer have access.

According to the survey, 58% of respondents indicated they were still able to use their former company's passwords after they left. One in three respondents said they had been using the passwords for upwards of two years, which is a distressingly long time for organizations not to be aware of who is accessing those accounts and services.

“Ideally the company creates standard operating procedures or consistent schedules of updating passwords based on criticality,” says Daniel Farber Huang, head of privacy and cybersecurity at PasswordManager.com.

When asked what they use the passwords for, 64% said to access their former email accounts and 44% to access company data. Though the majority of the respondents, 56%, said they were accessing the accounts for personal use, a concerning 10% said they were trying to disrupt company activities.

A survey from Beyond Identity in 2022 had similar findings: Fifty-three percent of employee respondents admitted to using their access to harm their former employers, and 74% of business leaders reported suffering damages from former employees who exploited their digital access.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Almost Half of Former Employees Say Their Passwords Still Work

The effort aims to disrupt the use of altered Cobalt Strike software by cybercriminals in ransomware and other attacks.

Microsoft's Digital Crimes Unit (DCU), security software vendor Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC), have joined forces to remove cracked legacy copies of Cobalt Strike by way of legal and technical action.

Using dated and maliciously altered versions of the Cobalt Strike software, threat actors have targeted healthcare organizations in nearly 70 ransomware attacks in 19 countries.

Cobalt Strike, sold by Fortra, is a reputable and popular post-exploitation security tool, but its older versions have become a favorite for cybercriminals to employ in nefarious activities. Pulling these legacy copies globally is a new approach for Microsoft's DCU, and it's aimed at cutting off the threat at the source: illegal distribution of compromised, malicious software.

"While this action will impact the criminals' immediate operations, we fully anticipate they will attempt to revive their efforts. Our action is therefore not one and done," Microsoft stated in a blog post. "Through ongoing legal and technical action, Microsoft, Fortra and Health-ISAC, along with our partners, will continue to monitor and take action to disrupt further criminal operations, including the use of cracked copies of Cobalt Strike."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft, Fortra & Health-ISAC Team Up to Remove Illicit Cobalt Strike Tools

App developers are ignoring laws and guidelines regulating data protection measures aimed at minors, putting their monetization plans in jeopardy and risking user trust.

The popular and increasingly controversial social media app TikTok must pay a fine of 12.7 million pounds (equivalent to around $16 million) in the UK for disregarding data protection for children.

The British data protection authority Information Commissioner's Office (ICO) announced this week that TikTok had allowed up to 1.4 million children under the age of 13 in the country to open accounts in 2020, despite the app's own rules prohibiting it.

Children's personal data had also been used without parental consent, it said, despite UK law requiring it.

"TikTok also failed to implement adequate controls to identify and remove underage children from its platform," an ICO statement added.

While some senior TikTok executives had raised concerns internally, the company had not responded appropriately, the ICO said.

Meanwhile, a new report from Pixalate analyzing the privacy policy of every US-registered child-directed app in the Apple App Store found that the majority (54%) of those apps appear to violate the Children's Online Privacy Protection Act (COPPA).

COPPA is a US federal law enacted in 1998 to protect the privacy of children under the age of 13 on the Internet. COPPA applies to websites and online services that collect personal information from children under the age of 13, such as their name, address, email address, phone number, and other identifiable information.

They must also post a clear and comprehensive privacy policy on their website or online service and provide parents with the option to review and delete their children's personal information.

**Privacy for Kids**

Due to skyrocketing online activity by children and teens, protecting their privacy and security online has become one of the most discussed topics in 2023.

The Biden administration has called on Congress to strengthen privacy protections, ban targeted advertising to children, and demand technology companies stop collecting personal data on children.

In children’s privacy enforcement actions against publishers and advertising platforms, the FTC has imposed hefty fines, customer refunds, and lengthy compliance and auditing obligations.

**App Violations Widespread**

According to the Pixalate report, 21% of apps in the Apple Store don't even have a privacy policy, despite Apple's claim that all apps in the store are required to have a privacy policy.

Among the US-registered, child-directed apps that do have a privacy policy, 34% are missing a Children's Privacy Disclosure, and 13% are missing contact information.

Jalal Nasir, CEO of Pixalate, explains there are multiple risks for app developers who ignore the regulations and names three that stand out.

"The first involves FTC fines, settlements, oversight and other similar remedies, and the second concerns losing the ability to monetize, for example undergoing business practices scrutiny, or being dropped by ad partners as they look to shed risk," he says. "The third involves losing your customers' trust."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says the penalties for violating the COPPA Rule can be substantial.

"The FTC has the authority to bring enforcement actions against violators, and it may seek civil penalties of up to $43,280 per violation," he explains.

In addition to monetary penalties, violators may also be required to take corrective action, such as deleting the personal information of children that was collected in violation of COPPA.

"The larger issue is that it can also harm a company's reputation and lead to a loss of trust among customers and partners," Vishnubhotla says.

**Holes in Apple Oversight**

Nasir says for smaller developers, lack of awareness or lack of resources are likely two of the biggest factors when it comes to failing COPPA compliance. But the biggest factor may be Apple's failure to provide reasonable oversight.

Apple, as the gatekeeper of its app ecosystem, needs to take a much stronger stance in protecting children’s privacy, he says.

"Apple not only needs to do a much better job of giving its developers the resources necessary to be compliant with the latest privacy laws, but it also seems to need to step up monitoring and enforcement of its own app store policies," Nasir says.

He adds that if app developers work with any third parties — including any advertising partners — they must ensure that those partners also have compliant privacy policies and practices.

"It creates a complicated web," Nasir says.

The real problem concerns the vast number of apps and frequent releases, he says, which makes it difficult for the Federal Trade Commission or any organization to check for noncompliance.

"Stores must provide these regulatory organizations with a dashboard or notifications in order to make it viable," he notes. "Public stores may not allow that. It's almost impossible to accomplish this in a proactive, feasible, and structured manner."

**"Technical Debt" for App Developers**

Melissa Bischoping, director of endpoint security research at Tanium, says development of applications must balance available resources, regulatory requirements, and competing business priorities in their planning and execution.

"While almost no one would disagree that privacy and protection of children's data is always a priority, the technical debt and workload can make engineering the compliance a long and expensive process," she says.

She adds that complying with these, and other regulations and security best practices requires not only the talent to implement the solutions but also adequate staff to test and review that the designed solution meets the desired outcome.

"This is, effectively, engineering a safer airplane while it's in flight," she explains. "It takes the work of multiple teams to engineer and assure. This effort, and others like it that are centered around protecting vulnerable populations, cannot be ignored."

TikTok, Other Mobile Apps Violate Privacy Regulations

Consolidating identity management on one platform gives organizations real-time access management for all identities on hybrid and multicloud installations. (First of a two-part series.)

Did you know that more than 40,000 permissions exist across the top three leading cloud platform providers? And yet 99% of these permissions are going unused. This has created a dangerous permissions gap in which a single server admin could potentially access thousands of permissions across multiple cloud infrastructures.

As this permissions gap expands, so too does an organization's attack surface. Current identity and access management (IAM) solutions are ill-equipped to manage multicloud identity infrastructure, and many security teams are unable to enforce the zero-trust tenet of least privilege access due to the sheer volume of permissions within their organizations.

As organizations work to modernize their IAM model for multicloud environments, there are a few best practices to keep in mind. For example, single sign-on and multifactor authentication can be implemented alongside new identity governance and permissions solutions to create a comprehensive IAM model that improves security without interfering with end-user productivity.

Read on for our top tips on optimizing IAM for multicloud environments.

**Securing Identity Starts With Individual Usage Profiles**

One of the first things that security teams will need to do is audit their current IAM model. For that audit to be successful, the IT department will need to create an individual usage profile for each unique user and nonhuman workload identity within the organization.

Workload identities are a type of nonhuman or machine identity that is assigned to software workloads to authenticate and access other services and resources. Though the use of workload identities can vary from organization to organization, they’re typically used to allow software entities to authenticate with some system. Their rise in popularity represents a new kind of security risk for organizations, as workload identities currently outnumber human identities 10:1. And while human users typically have one identity that is used to access multiple resources, software workloads can use multiple credentials to access different resources.

By creating individual usage profiles for all human and nonhuman workload identities, security teams can understand how many identities exist within their organizations, who has access to what, and how those permissions are currently being used. This provides better visibility into current risks. It also allows security teams to determine whether past permissions are still necessary — for example, when a contractor's work is complete or an employee has transitioned into a new position.

Additionally, because the rising adoption of multicloud environments has led to a boom in identities, permissions, and resources, organizations need to ensure that they have visibility across all of their cloud providers. Cloud infrastructure entitlement management (CIEM) is one solution.

**What Is CIEM?**

Originally coined by Gartner, CIEM comprises seven core pillars: account and entitlements discovery, cross-cloud entitlements correlation, entitlements visualization, entitlements optimization, entitlements protection, entitlements detection, and entitlements remediation. Essentially, CIEM uses analytics and machine learning to determine whether a permission has been granted unnecessarily, is being used incorrectly, or whether a previously granted permission is going unused. From there, security teams can use CIEM to enforce least privilege access and monitor permission risks across their entire networks.

CIEM differs from security information and event management (SIEM) in that it is more focused on addressing access management risks. SIEM is used to collect and analyze event and log data from multiple sources into a single centralized platform. From there, SIEM can deliver threat detection, prioritize security alerts, offer response guidance, and more. CIEM works with SIEM to deliver that same level of security and comprehensive monitoring across hybrid and multicloud environments using zero trust principles.

When implementing CIEM or any other IAM model, organizations must ensure that they don’t interfere with end-user productivity. These access decisions must be granular enough to cover all identities and workloads within the organization while also being responsive enough to adapt to real-time risk assessments. By unifying identity management procedures within a single centralized solution, organizations can enable real-time access decisions for all identities across hybrid and multicloud environments. This, in turn, instills greater trust in every digital experience and interaction that power everyday operations.

_Part 2: How CIEM Can Improve Identity, Permissions Management for Multicloud Deployments_

Close the Permissions Gap With Identity and Access Management for Multicloud Workforces

Vulnerabilities in the device firmware and drivers underscore how printers cannot be set-and-forget technology and need to be managed.

A rash of printer-related vulnerabilities in 2023 have punctuated security expert warnings that printers continue to be a significant source of vulnerability within companies — especially as remote workers require printing resources or access to corporate printers.

So far in 2023, Lexmark advised that a publicly available remote exploit had already targeted a code execution flaw in its printers, HP warned of a vulnerable firmware version on some of its enterprise printers, and Microsoft fixed three remote code execution vulnerabilities in its printer drivers. And four months ago, security researchers at the Pwn2Own contest in Toronto showed off more than a dozen exploits against bugs in top printer brands, including Canon, HP, and Lexmark.

The spate of vulnerabilities underscores that printers remain a likely soft spot in most companies' attack surface area, says Matt Lewis, commercial research director at NCC Group, particularly because printers are not always part of company's asset management process and are often left out of security assessments.

"Many organizations don't know where their printers are, what security status or configuration they are in, and they are certainly not monitoring or logging activity on those printers," he says. "We don't typically see printers featuring as any sort of priority on organizational security plans and risk registers."

While security researchers have raised the issue of printer vulnerabilities over the past decade or more, the security of printers continues to be a major area of concern for companies. Only a quarter (26%) of information technology and cybersecurity professionals feel completely confident that their printing infrastructure is secure, according to the "Global Print Security Landscape Report 2022" published by technology-analyst firm Quocirca. In addition, 61% of CIOs and 44% of CISOs had difficulty keeping up with print-security challenges and demands, the report stated.

    

Home printers are tied for the No. 4 security concern of IT professionals. Data source: Quocirca

The digital vein of printer vulnerabilities is far from being tapped out, says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, which runs the Pwn2Own competition.

"As evidenced by the number of printer-related patches released by Microsoft every month, the attack surface is broad and poorly defended," he says. "Printers are the sort of devices people don't want to touch once they get them working. As a consequence, they rarely receive firmware updates or other routine maintenance — at least until something breaks."

**Overlooked Dangers**

The hands-off approach to managing printers — or failing to manage printers — can sometimes be a blessing, as in the case of the latest vulnerability in some enterprise HP printer models. On April 3, the company acknowledged a vulnerability in the latest FutureSmart firmware (version 5.6), pulling down the six-week-old software and directing customers to revert their printers to FutureSmart version 5.5.0.3. The devices can leak information when IPSec is enabled, the company said in an advisory.

In a statement to Dark Reading, HP noted that the vulnerability only affected its printers for about a six-week window — between mid-February and the end of March — and only those installed with a specific version of firmware. The company did not say how many customers had downloaded or installed the vulnerable firmware and stated it would patch the latest version and make it available in 90 days.

Overall, printers represent a blind spot in most company's infrastructure and an opportunity for attackers, says NCC Group's Lewis.

"Printers can still offer an easy and less-detectable method for attackers to infiltrate a network and remain stealthy via backdoors planted within compromised printers," he says. "Most modern printers lack security detection and prevention measures and are often not monitored by organizations — for these reasons, there's no concrete data on how much printer compromise might actually be occurring globally."

**Bringing the Danger Home**

A significant twist in the printer threat landscape is the expansion of hybrid work and the commensurate risks posed by employees' home printers. Nearly two-thirds of companies (67%) are worried that home printers may pose risks to their business's security, according to the Quocirca report.

Whether home printers are yet getting targeted is not clear, but they do pose a significant attack surface, says NCC Group's Lewis.

"Home printers ... typically lack any organizational configuration and policy lockdown, thus there is a need for organizations to provide useful advice and guidance for home workers on how they can secure their home printers," he says.

Companies should ensure that their printers — both managed at the office and unmanaged at employees' homes — are part of their security assessments. Overlooking those devices puts companies at risk, says Trend Micro's Childs.

"Many enterprises only look at the big printers in their offices if they look at all," he says. "They rarely consider the printers in the home office of their remote workers when threat modeling."

Less than four in ten companies have reporting and analytics (38%) or formal risk assessments that include printers (38%) in place, according to the Quocirca report. Nearly nine in 10 companies will have or plan to implement a broad range of printer security measure in 2023, with seven in 10 companies planning to increase spending on security this year, the report stated.

Printers Pose Persistent Yet Overlooked Threat

Security teams need to find the best, most effective uses of large language models for defensive purposes.

AI is dominating headlines. ChatGPT, specifically, has become the topic du jour. Everyone is taken by the novelty, the distraction. But no one is addressing the elephant in the room: how large language models (LLMs) can and will be weaponized.

The Internet has become incredibly large and complex, exposing our most precious crown jewels. Whereas a decade ago a company had a single website, today it may have dozens — filled with unknown and untracked assets and subsidiaries — that an attacker can use to exfiltrate IP and/or breach into their network and systems. Recent research we conducted provided an eye-opening glimpse into this reality:

*   Companies' attack surfaces fluctuate 9% in size each month, making security gaps harder to detect. 

*   Organizations have, on average, 104 subsidiaries (i.e., entities owned by a parent company, which might be business units, brands, or standalone companies), and the core security team is unaware of 10 to 31 of them.

*   Invisible or hard-to-detect subsidiaries contain an average of 56% of the critical and high-priority vulnerabilities affecting customer assets.

In short, companies' attack surfaces have never been larger and more vulnerable. And security leaders are in constant fear that another issue like Log4j is going to cripple their business.

And as if we didn't have enough security threats to contend with, large language models like ChatGPT have entered the mainstream, shining a light on language AI as a potential weapon for cyberattacks. Should we be worried? The short answer is yes. But there is a bright side, which I'll address later.

**Large Language Models Can and Will Be Used Against You**

There are several stages of cyberattacks where LLMs can give bad actors a major advantage of scale, scope, reach, and speed. Here are a few:

*   **Automated reconnaissance.** Map and discover any assets (devices, files, etc.) and subsidiaries, brands, and services associated with your organization. Find sensitive information such as exposed credentials in AWS directories.

*   **Vulnerability discovery.** Find weaknesses in the targeted network.

*   **Exploitation.** To begin, initial exploitation is about using a technique like phishing to gain access to a network. Then, targeted exploitation might use watering-hole attacks to develop and exploit vulnerabilities within the network. 

*   **Data theft.** Copy or exfiltrate sensitive or valuable data from the network.

Also, consumer applications based on LLMs, most notably ChatGPT, can be used both intentionally and unintentionally by employees to leak company IP, simply by using the free public version. Companies like JP Morgan caught on to this early and were swift to ban corporate use of ChatGPT.

Spear-phishing campaigns provide another use case. High-quality phishing is based on deep understanding of the target; that is precisely what large language models can do quite well, because they process large volumes of data very quickly and customize messages effectively. Emails created by a large language model can impersonate a boss, co-worker, friend, or reputable organization with increasing precision and believability. Since 82% of data breaches involve a human element, including phishing and the use of stolen credentials, this will be an area to watch as hackers use LLMs to ramp up such attacks.

**Security Teams Can Turn the Tables on Attackers**

There is good news: Security teams can also use machine learning and LLMs to do reconnaissance on their own companies and remediate vulnerabilities before attackers get to them. They can use them to quickly and cost-effectively scan and map their own attack surfaces deeply to find exposed sensitive assets, personal identifiable information (PII), files, etc. By contrast, performing the same feat with manual methods could take months and/or cost hundreds of thousands of dollars.

Knowing the business context of any given asset is the only way security teams can effectively prioritize risk — and machine learning can help. For example, machine learning could recognize a database holding PII and play a role in revenue transactions. 

Machine learning can also determine the business purpose of an asset, distinguishing between a payment mechanism, a critical database, and a random device — and classify its risk profile. This context allows exponentially better risk prioritization and a higher level of threat intelligence. Without proper prioritization, security teams confront endless lists of vulnerabilities with labels like Urgent and Critical that are often, in fact, not correct. 

**Preparing for a New Era of Attacks**

There is every reason to expect attackers will make the most of large language models to automate reconnaissance and map your attack surfaces. It is time for security teams to embark on yet another learning curve: Find the best, most effective uses of large language models for defensive purposes. Right now, someone somewhere is looking for your organization's vulnerabilities, and it's just a matter of time before they use this newly popular type of tool to find them.

Source

DARKReading