Researchers exploited issues in the authentication protocol to force an open redirection from the popular hotel reservations site when users used Facebook to log in to accounts.

Flaws in the authorization system of the Booking.com website could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com, researchers have found.

Researchers from Salt Security discovered the issues in the platform's implementation of OAuth, an open authorization standard designed to allow cross-application access delegation for different sites to share login credentials, according to a blog post published today. Though it was not specifically designed for this purpose, the protocol has become a standard for allowing websites to read data from Facebook profiles, or log in to a site using Google credentials, for example. Most people are familiar with the "Log in with Facebook"-type options for some online accounts that allow users to sign in without creating a new set of login credentials.

"A security breach \[via\] OAuth can lead to identity theft, financial fraud, and access to all sorts of personal information including credit card numbers, private messages, health records, and more," Yaniv Balmas, vice president of research at Salt Security, wrote in the post.

Specifically, researchers discovered an open redirection vulnerability in Booking.com and achieved log in success by accessing the site through the "log in with Facebook" option. They ultimately exploited three security issues and chained them together to gain full account takeover, according to the post.

"Once logged in, the attacker could have performed any action on behalf of the compromised users and gain full visibility into the account, including all of a user's personal information," Balmas wrote.

The issue could have caused a serious data breach for customers of the widely used hotel reservations website, which is part of the Booking Holdings Fortune 500 company and has more than 500 million visitors per month, he said. The site also allows users to rent cars and book taxis.

"An attacker could potentially make unauthorized requests on behalf of a victim, cancel existing reservations, or access sensitive personal information such as booking history, personal preferences, and future reservations," Balmas wrote in the post.

Salt Security disclosed the issues to Booking.com, which researchers lauded for responding quickly to address and completely mitigate them. Moreover, there had been no evidence of compromise to the Booking.com platform before the issues were resolved, Booking.com said in a statement provided by Salt Security.

"On receipt of the report from Salt Security, our teams immediately investigated the findings and established that there had been no compromise to the Booking.com platform, and the vulnerability was swiftly resolved," the company said. "We take the protection of customer data extremely seriously."

**How OAuth Works**

To understand how researchers compromised Booking.com's OAuth implementation, it's important to understand how the standard in a site operates and how the Booking.com's interpretation of it was flawed.

OAuth comes into play when a user logs in to a website and clicks on the "Log in with Facebook" option that many sites use to allow cross-platform authentication. The site will then open a new window to Facebook and, if it's the user's first time visiting the site, ask for permission to share details with the site. If not, Facebook automatically authenticates the user to the site.

Once the user clicks on a button to, for example, "Continue as Jane," Facebook generates a secret token that is private for the website and associated with the user's Facebook profile. Facebook then uses the token to direct the user to the website, which uses the token to communicate directly with Facebook to get the user's email address. Facebook then approves the address and its association with the user, which the site uses to log in the user successfully.

All of this communication between Facebook and the sites involves various redirections to different URLs, which is where the researchers were able to exploit the implementation of OAuth to steal the token or code of the victim, they said. Bad implementations are not uncommon; indeed, in a breach last May, attackers used OAuth tokens stolen from Salesforce subsidiary Heroku to gain access sensitive customer account data.

**Finding Means for Exploit**

Knowing this token is where the attacker opportunity lies, the researchers investigated the security of the standard's implementation by causing "unexpected behaviors of the flow" by changing various parameters to see how this would allow them to launch a successful attack, Balmas said. What they found were ways to manipulate the URL redirects that occur in the communication between the two sites to redirect users to URLs controlled by the researchers, thus creating an open redirection bug in Booking.com.

"We created a link that takes over any account on Booking.com that uses Facebook," Balmas wrote. "The link itself points to a legitimate Facebook.com or Booking.com domain, which makes it difficult to detect (manually or automatically)."

This method also allowed for account takeover on Kayak.com and affected users signing into Booking.com from Google, the researchers said.

**Wider Cyber-Risk of Poor OAuth Implementations**

While researchers only divulged how they used OAuth to compromise Booking.com in the report, they discovered other sites with risk from improperly applying the authentication protocol, Balmas tells Dark Reading.

"We have observed several other instances of OAuth flaws on popular websites and Web services," he says. "The implications of each issue vary and depends on the bug itself. In our cases, we are talking about full account takeovers across them all. And there are surely many more that are yet to be discovered."

OAuth provides an easy solution to bypass the user login process for site owners, reducing friction for which is a "long and frustrating" problem, Balmas says. However, though it seems simple, implementing the technology successfully and securely is actually very complicated in terms of proper technical implementation, and a single small wrong move can have a huge security impact, he says.

"To put it in other words — it is very easy to put a working social login functionality on a website, but it is very hard to do it correctly," Balmas tells Dark Reading.

Overall, Balmas advises site owners to treat OAuth "as a sensitive part of your service and either build the internal deep knowledge of the field, undergo continuous security testing and reviews to validate your assumptions, or, of course, both." 

He adds, "This is general advice that is relevant for any sensitive path/technology that is part of one's service."

Booking.com's OAuth Implementation Allows Full Account Takeover

It's 10 p.m. Do you know what your children are playing? In the age of remote work, hackers are actively targeting kids, with implications for enterprises.

Video games are a part of nearly every kid's life, and distributed work is increasingly a part of every adult's. According to experts, it's a recipe for small-time gaming scams to turn into larger-scale business compromises.

Hackers will leverage anything popular or good in this world, and video games are no exception. As described in a March 1 blog post from Kaspersky, financially motivated attackers are targeting children, in particular, with open-faced scams aimed at stealing in-game items, account credentials, and bank details.

The story doesn't necessarily end there, though. Even a primitive phishing attack against a kid playing Fortnite could, theoretically, turn into a wider attack not just against the parent but also the parent's workplace.

An attack that targets a business, through an employee or through an employee's child, may seem like a step too much work when phishing and business email compromise are so much simpler. But, to state the obvious: Children are easy marks, and nearly all of them play video games. That, combined with the proliferation of remote work and bring-your-own-device (BYOD) policies, makes this vector a long-tailed but fruitful one for attackers.

**How Games Get Hacked**

Last year, researchers for Avanan uncovered a surge of Trojans hidden in cheat codes for the ultrapopular online game Roblox. "The file would be downloaded by the child," explains Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, "and then, most likely, mistakenly uploaded to a corporate OneDrive folder. This file installs library files (DLL) into the Windows system folder. The malicious code can be perpetually referenced by Windows and remains running."

This is just one of many forms that gaming scams can take. For example, "we've seen multiple cases in which a BYOD device was compromised via a gaming-related phishing site, which led to the compromise of the connected corporate network," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Another gaming-related vector we've seen in the wild are direct exploits through users playing games. This is most common on mobile devices but can affect desktop gaming as well. Attackers will either embed an exploit directly in an attractive mobile game that users download and thereby compromise their mobile device, or target a user playing a game with a remote code execution (RCE) vulnerability to compromise the computer running it."

Mere weeks ago, such a vulnerability was being exploited in the mega-hit Grand Theft Auto V.

The potential damage caused by such a compromise is clear. "Trojans like this can break applications, corrupt or remove data, and send information to the hacker," Fuchs says.

What's less obvious but more worrisome is how this damage could extend beyond the device or even the home in question.

**How Gaming Hacks Spread to Businesses**

Fuchs puts it bluntly: "The perimeter no longer exists."

"We can access work documents on home computers and vice versa," he says, "but it also relates to game usage."

Young children, especially, often play games from their parents' PCs and mobile phones or, if nothing else, their home Wi-Fi. Parents then take their PCs and phones to work, or work remotely from their home network.

Fuchs theorizes that kids "could be playing on their parents' computer and accidentally upload it. This is an easy way for compromises and malicious files to easily infect your corporate cloud." But in most cases, a child need not go that far — attackers can make the jump from home to office on their own.

"In the era of BYOD and remote working," LaRose explains, "attackers often just need to compromise a user's personal computer to get a foothold on a corporate network. Once an attacker has a foothold on a personal device, they can often steal a VPN session or browser session, or simply find a user's corporate credentials stored in their computer."

**How Businesses Can Stop the Spread**

In their blog post, Kaspersky researchers recommended that gamers practice diligent cyber hygiene: strong passwords, two-factor authentication, antivirus, and the like. They also highlighted the utility of virtual bank cards that only fill to meet the exact amount of a particular purchase.

"By entering the numbers from your bank card," Kaspersky explained, "you risk losing all the funds you have there. And remember that a bundle of licensed games selling for a song is a reason to be wary."

LaRose stresses that "gaming is not innately any more insecure an activity than normal Web browsing." Still, because gaming can be _just as_ insecure, "businesses should do everything they can to separate a user's presence in the corporate environment and the personal one."

He recommends implementing endpoint/extended detection and response (EDR/XDR) and a security operations center (SOC) that can help respond in case of a breach.

The most important defenses of all, though, are the policies and procedures businesses that implement to address remote work and BYOD.

"If BYOD is absolutely necessary for a business to function," LaRose says, "they should limit the policy to mobile phones only and ensure they use a strong mobile device management (MDM) solution that separates work and personal data on the phone. This is an imperfect solution with some workarounds for attackers but will at the very least serve as a deterrent and give the business more visibility into any potential exposures."

Hackers Target Young Gamers: How Your Child Can Cause Business Compromise

There's never enough time or staff to scan code repositories. To avoid dependency confusion attacks, use automated CI/CD tools to make fixes in hard-to-manage software dependencies.

Software dependencies, or a piece of software that an application requires to function, are notoriously difficult to manage and constitute a major software supply chain risk. If you're not aware of what's in your software supply chain, an upstream vulnerability in one of your dependencies can be fatal.

A simple React-based Web application can have upward of 1,700 transitive NodeJS "npm" dependencies, and after a few months "npm audit" will reveal that a relatively large number of those dependencies have security vulnerabilities. The case is similar for Python, Rust, and every other programming language with a package manager.

I like to think of dependencies as decaying fruit in the unrefrigerated section of the code grocer, _especially_ npm packages, which are often written by unpaid developers who have little motivation to put in more than the bare minimum of effort. They're often written for personal use and they're open sourced by chance, not by choice. They're not written to last.

    

NodeJS dependencies, highly vulnerable, live in production! I took this from an actual, production React-Native application found on GitHub.

Recently (as of the writing of this article), PyTorch, one of the top two most popular machine learning libraries for Python, was compromised for five days via its dependency "torchitron." The attacker was able to collect system information and steal 1,000 files from each affected user's home directory. In 2021, Log4j was famously compromised and because it was bundled into basically every Web-facing Java project, DevSecOps teams were under a lot of pressure to identify where exactly they were vulnerable.

    

Too many dependencies to reliably keep track of, even if most are "mostly" secure.

Even 20 _intentional_ dependencies are too many for a development team to continually audit, much less 2,000 _transitive ones_.

**What's Been Done So Far?**

Not all hope is lost. For _known_ (reported and accepted) vulnerabilities, tools exist, such as pip-audit, which scans a developer's Python working environment for vulnerabilities. Npm-audit does the same for nodeJS packages. Similar tools exist for every major programming language and, in fact, Google recently released OSV-Scanner, which attempts to be a Swiss Army knife for software dependency vulnerabilities. Whether developers are encouraged (or forced) to run these audits regularly is beyond the scope of this analysis, as is whether they actually take action to _remediate_ these known vulnerabilities.

However, luckily for all of us, automated CI/CD tools like Dependabot exist to make these fixes as painless as possible. These tools will continually scan your code repositories for out-of-date packages and automatically submit a pull request (PR) to fix them. Searching for "dependabot\[bot\]" or "renovate\[bot\]" on GitHub and filtering to active PRs yields millions of results! However, 3 million dependency fixes versus hundreds of millions of active PRs at any given time is an impossible quantification to attempt to make outside of an in-depth analysis.

**State of the Art Isn't Quite Good Enough**

You need to keep in mind that these auditing tools do nothing to protect developers against zero-day exploits or N-days that were reported but have yet to be officially accepted. In the case of the PyTorch vulnerability previously mentioned, none of the auditing tools would have caught this _class_ of dependency vulnerability, because there was no traditional "software vulnerability" being exploited. These "dependency confusion" attacks take advantage of the fact that package managers look to their "default" repository before checking other repositories that dependencies may select for _their_ dependencies. In the case of PyTorch, the "torchitron" dependency was self-hosted by the PyTorch Foundation. When the attacker uploaded their version to PyPI, it took precedence over the official version.

How long will this continue? Forever. If there is value in exploiting these vulnerabilities, attackers will continue to take advantage of them. Luckily, in the case of PyTorch, "only" data exfiltration took place. Future victims might not be so lucky, however. A sophisticated attacker only needs one successful attempt at access to remain persistent in a victim's system (and network).

**What Does This Mean for Me?**

Did you install your packages from the command line? If so, did you type them in properly? Now that you've installed your dependencies "correctly," did you verify that the code for each dependency does exactly what you think it does? Did you verify that each dependency was installed from the expected package repository? Did you ….

Probably not, and that's OK! It's inhumane to expect developers to do this for every single dependency. The best bet for software developers, software companies, and even individual tinkerers is to have some form of runtime protection/detection. Luckily for us all, there are detection and response tools that have relatively recently been created which are now part of a healthy and competitive ecosystem! Many of them, like Falco, Sysdig Open Source, and Osquery, even have free and open source components. Most even come with a default set of rules/protections.

On Shaky Ground: Why Dependencies Will Be Your Downfall

The automated capabilities can discover misconfigurations, compliance violations, and risk or excessive privileges in Kubernetes clusters.

Ermetic has introduced new Kubernetes security posture management capabilities to its cloud-native application protection platform (CNAPP). Customers can take advantage of the automated features to discover and fix misconfigurations, compliance violations, and risk or excess privileges in Kubernetes clusters. Ermetic CNAPP provides a detailed inventory of the resources inside all Kubernetes clusters, performs continuous posture assessment and prioritization of risks, and offers remediation guidance, the company said.

The platform queries the Kubernetes API for each cluster, and uses agentless scanning and analysis of node configurations and containers. These findings are then combined with signals from the platform's cloud workload protection (CWP), infrastructure as code (IaC) scanning, cloud security posture management (CSPM), and cloud infrastructure entitlement management (CIEM) functionality to provide full visibility into threats, the company said. Customers can get a list of prioritized vulnerabilities within the context of cloud configuration, permissions, and network access. Customers can also enforce least privilege for users and services using the internal Kubernetes role-based access controls.

While Kubernetes is powerful for deploying and managing containerized applications across multiclouds, it can also be challenging for security teams to effectively track configuration changes, manage secrets, ensure proper role-based access control, and identify vulnerabilities. "Existing approaches to Kubernetes security typically provide a siloed view, which results in high false positive rates," Ermetic's chief product officer Sivan Krigsman said in a statement.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ermetic Adds Kubernetes Security to CNAPP

**NEW YORK: March 1, 2023 –** Octillo, a women-owned cybersecurity, data privacy, and technology-focused law firm, is pleased to announce the launch of their 2023 Octillo Women’s Cybersecurity Scholarship program, administered by the Center for Cyber Safety and Education.

The Octillo Women's Cybersecurity Scholarship program builds upon one of Octillo’s core missions, to promote diversity, equity, and inclusion in the cybersecurity industry and support the next generation of female cyber professionals through mentorship and education. One $4,000 scholarship will be awarded to a woman pursuing or planning to pursue a degree focusing on cybersecurity, data protection, or a similar field at the undergraduate or graduate level.

“As the technological, data security, and privacy landscapes evolve, the need for cybersecurity professionals continues to grow,” says Octillo Managing Director, Kara Hilburger. “Women are still very much underrepresented in the cybersecurity and technology industries. Octillo is proud to be on the forefront, helping to break down some of these barriers to help women obtain the resources they need to pursue in this highly specialized field.”

Applications for the 2023 Octillo Women’s Cybersecurity Scholarship open on March 1st and close on May 1st at 11:59 PM ET. The recipient will be notified in June. For more information on eligibility and application requirements, visit: https://www.iamcybersafe.org/s/octillo-womens-cybersecurity-scholarship

**About Octillo:** Octillo is a woman-owned technology law firm and one of the few firms in the United States with a recognized focus solely on data security, privacy and technology compliance, incident response, and litigation. Guided by their core values of excellence, drive, and originality, Octillo attorneys counsel clients on matters pertaining to data security and privacy compliance, litigation and class action defense, technology contracts, incident response, government investigations, technology intellectual property, and emerging technologies. Octillo is a NetDiligence® Authorized Breach Coach – a recognition offered only to firms with a proven track record of competency and experience responding to data incidents. Octillo has offices from California to New York. Learn more at www.octillolaw.com.

**About the Center for Cyber Safety and Education:**The Center for Cyber Safety and Education (Center), formerly (ISC)² Foundation, is a non-profit charitable trust committed to making the cyber world a safer place for everyone. The Center breaks down barriers in exposure and access to the cyber profession and provides opportunities for individuals, groups, and organizations with the most need to benefit from the commitment of (ISC)2 to the profession. Learn more at www.iamcybersafe.org.

Octillo Launches Women's Cybersecurity Scholarship in Partnership With the Center for Cyber Safety and Education

Volume of SaaS assets and events magnifies risks associated with manual management and remediation.

**NEW YORK****,** **March 1, 2023** **/PRNewswire/ --** DoControl, the automated Software-as-a-Service (SaaS) security company, today released its 2023 SaaS Security Threat Landscape Report, which quantifies the volume, types, and exposure risk of business assets stored within the SaaS estates of medium companies (50 to 1,000 employees) and large companies (1,001 to 6,696 employees). The report found that large and medium companies had an average of 5.5 million and 1.5 million assets stored in SaaS applications respectively, illustrating the challenge IT and SecOps teams face daily in securing the intellectual property those assets contain.

SaaS applications, while both vital and ubiquitous within business technology stacks, expose companies of all sizes to significant security risks stemming from undetected data exfiltration. With large companies averaging 2,775,000 SaaS activities per week involving nearly 55,750 SaaS assets, manually monitoring every event and asset is functionally impossible. The notable shortage of security professionals and the burnout caused by competing priorities demonstrates why security automation is the only feasible approach in this landscape.

"While we all rely on SaaS applications to improve productivity and collaboration, few have stopped to consider the sheer number of assets that flow in and out of these tools each day," said Adam Gavish, CEO and Co-founder, DoControl. "Enterprises increasingly consider security when entering business transactions and engagements, which means the risks of a poor SaaS security posture can act as a spoiler for business outcomes. The goal of this report is to quantify and illustrate the chaos so businesses can better understand their risk exposure and act accordingly to regain control of their SaaS estate."

The vulnerabilities covered in the SaaS Security Threat Landscape Report are broken out into five different categories:

**Insider Threats** 

Whether accidentally or deliberately, insiders can exfiltrate confidential intellectual property and customer information, exposing companies to financial extortion and devastating brand damage. DoControl found that 81% of medium-sized companies and 78% of large companies have encryption files stored in Google Drive/Workspace. An organization may feel secure storing assets in various apps, but they need to be vigilant of assets leaving those domains. As 61% of companies have employees who have shared company-owned assets with their personal email, manually tracking sensitive assets may be more difficult than previously imagined.

**External Actors & Access** 

Control of a company's data or intellectual property can become tenuous when collaboration extends beyond the company's security perimeter and files are shared with external parties via SaaS applications. Medium-sized companies in DoControl's study had on average nearly 224k assets in SaaS applications that have been shared externally, with nine external actors per employee on average.

Compounding this issue is that over-provisioning access to SaaS files can result in those assets being distributed to external collaborators beyond those which they were originally intended. DoControl found large companies had an average of 94,455 publicly-shared assets stored in SaaS applications. Companies need to limit external sharing by implementing least privilege permissioning and by removing access when assets are no longer needed by the parties with whom they were shared.

**Third-Party to Fourth-Party Sharing**

One of the ramifications of not adequately limiting the data access granted to external parties is third-party to fourth-party sharing. Over the course of the first nine months of 2022, DoControl identified over 1,189 events within large companies where third-party actors shared assets with fourth-party actors. In many instances, trusted third-parties have legitimate reasons for sharing SaaS assets with fourth parties. These situations, however, should be managed by the originator of the SaaS assets. At large companies, 241 fourth-party domains on average have access to its SaaS assets. Without adequate SaaS data access controls, the originators often lose sight of assets shared externally, introducing an unacceptable level of risk.

**Outdated Permissions**

There are two manifestations of outdated permissions. The first is ongoing access to SaaS assets that are no longer supporting current business objectives. DoControl found 67% of all companies have employees with lingering access to assets stored in Google Workplace that are more than 5 years old.

The second form of outdated permission is access that persists after employees have parted ways with their employer. Out of all companies, 31% have former employees who have accessed assets stored in SaaS applications after they have parted ways with their employer. Unsurprisingly, large companies tend to have more former employees with access (20 on average) than medium companies (slightly more than six on average), but even one former employee – especially a disgruntled one – can present an unacceptable risk.

**Third-Party OAuth Applications**

Applications often allow integrations with third parties to make workflows more efficient, convenient, or productive. However, third-party applications can also pose a threat to companies, especially when given unnecessary read-write permissions. Granting unnecessary read/write access to applications that may not have strong enough native security controls can open the door to data exfiltration and supply chain-based attacks. The major collaboration application companies often support numerous third-party application integrations. Unfortunately, it's not uncommon for some of these third-party applications to be overprivileged.

At large companies, Google has an average of 81 third-party application integrations. On average, 27 of those Google integrations have data access and nine are overprivileged.

DoControl helps avoid the devastating consequences of data exfiltration and leakage. Its unique approach to managing SaaS data access remediates any situations highlighted in the SaaS Security Threat Landscape Report by providing centralized, automated, granular data access controls over the SaaS applications in companies' technology stacks. DoControl's no-code, automated workflows help IT and security teams manage their SaaS data access so companies can move forward with SaaS deployments confidently, and in a secure manner.

According to Gartner, 60% of organizations will use cybersecurity risk as a significant determinant in conducting third-party transactions and business engagements by 2025. To view more insights and begin your own enterprise audit across the five SaaS security benchmarks, download the full 2023 SaaS Security Threat Landscape Report.

**Additional Resources:**

*   Download the SaaS Security Threat Landscape Full Report
*   Download the SaaS Security Threat Landscape Executive Summary
*   Register for the Webinar
*   Read the Blog 

To learn more about DoControl, visit the website or request a demo.

**Methodology**

This report aggregates findings across a subset of companies for which DoControl performed an audit of SaaS data access control and exposure. We have compiled the findings from audits of a cross-section of companies ranging in size from 11 to 6,696 employees. In situations where DoControl saw significant differences in the findings by company size, it broke those results out into two groups — medium-sized companies (50 to 1,000 employees) and large enterprises (1,001 to 6,696 employees). In situations where the difference between the two groups was insignificant, DoControl reported just one overall statistic.

**About DoControl**

Founded in 2020 and headquartered in New York, DoControl is an automated data access controls platform for SaaS applications, improving security and operational efficiency with ease for enterprises. DoControl is backed by investors Insight Partners, StageOne Ventures, Cardumen Capital, RTP Global and global cybersecurity leader CrowdStrike's early stage investment fund, the CrowdStrike Falcon Fund. The company's leadership team combines product, engineering and sales experience across cybersecurity, enterprise and SaaS innovators. For more information, please visit www.docontrol.io. Follow us on Twitter and LinkedIn.

DoControl's 2023 SaaS Security Threat Landscape Report Finds Enterprises and Mid-Market Organizations Have Exposed Public SaaS Assets

New eXtended Detection and Response Solution is 450X more efficient than typical SOCs at converting telemetry and logs into actionable alerts.

**SAN JOSE, Calif. March 1, 2023** **–** Forescout Technologies Inc., the global leader in automated cybersecurity, today unveiled Forescout XDR, to help enterprises better detect, investigate, and respond to the broadest range of advanced threats, across the extended enterprise.

A typical SOC is flooded with 450 alerts per hour1, and analysts waste precious time trying to correlate low fidelity alerts and chasing false positives, often at the expense of focusing on legitimate attacks. Until now, a security operations center’s (SOC) field of view for threat detection and response has excluded critical devices that are increasingly common points of attack, including operational technology (OT), industrial control systems (ICS), building management systems (BMS), and medical and IoT devices. In addition, the technology stack that SecOps teams have had to rely on has made it difficult to respond to these threats in a rapid and comprehensive manner.

"The true value of an XDR solution lies in its ability to ingest telemetry and data from across the entire enterprise: cloud, campus, remote and datacenter environments, and every managed and unmanaged connected device. This is what the X in XDR is all about, after all," said **Justin Foster, CTO, Forescout.** "Traditional XDR products lack this capability, or they only leverage data from the vendor’s own EDR or a few other security tools. This significantly limits the flexibility, scalability and effectiveness that an XDR solution must provide."

Through the advanced application of data science and automation, Forescout XDR generates one high-fidelity alert that truly warrants analyst investigation, from every 50 million logs ingested, per hour2. Because Forescout XDR is vendor- and EDR-agnostic, this ingestion includes data from over 170 security, infrastructure, application, cloud/SaaS and enrichment sources, and dozens of leading vendors. And with over 70 sources of threat intelligence and 1500 verified detection rules and models, and data onboarding included, Forescout XDR customers can be operational within hours, actively detecting, investigating, and responding to threats.

"Forescout XDR, with the breadth and richness of its capabilities, particularly its dashboards and reporting, provides an out-of-the-box solution to SOC challenges that we spent 18-24 months trying to address," said **Samer Mansour, CISO, Panasonic Corporation of North America**. "It was easy to deploy, and fully operational in a matter of weeks. And with its tight integration to Forescout’s network security and visibility solutions, and our broader security tech stack, it gives us the ability to exert a lot more control across our IT and OT environments, and further elevate our overall security."

Seamless integration with Forescout’s industry-leading network access control solution, helps ensure that customers can:

1\.   Reduce the attack surface, and the risk of an attack in the first place, by preventing compromised or non-compliant devices from connecting to their networks. This proactive approach to XDR further elevates the effectiveness and performance of a modern SOC.

2.  Automate response workflows that can immediately touch every managed and unmanaged connected device, across the enterprise. This reduces an attack's blast radius in real-time, allowing proper mitigation or remediation measures to be completed. 

Because Forescout XDR has a multi-tenant architecture and supports local data storage while also being able to provide an aggregated global view of threats and SOC performance, it is ideally suited to large enterprises, multi-nationals, organizations with regional SOCs and managed security service providers (MSSPs).

**Pricing**

SaaS licensing is based on the total number of endpoints in the enterprise. As such, customers have the flexibility to leverage the data sources needed to fully support the use cases important to them, and help ensure better detection, without concern for escalating or fluctuating costs associated with cloud log storage.

**About Forescout**

Forescout Technologies, Inc. delivers automated cybersecurity across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types- IT, IoT, OT, IoMT, and cloud environments. The Forescout Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets. www.forescout.com

Forescout Addresses Modern SecOps Challenges With Launch of Forescout XDR

By authenticating and authorizing every application, and by maintaining data lineage for auditing, enterprises can reduce the chances of data exfiltration.

Ten or more years ago, most databases were on-premises only. There was no exposure outside the perimeter, and the only people who had access in an average company were a few database administrators. Then, enterprises and internal development teams began connecting them to a few applications, hardcoding the credentials into the software for convenience. But that handful kept growing. And now, no-code and low-code is essentially backing up the truck loaded with applications that have database access — and we're not always sure about the qualifications of the driver.

Low-code and no-code (LCNC) frameworks are speeding application development and enabling even non-technical users to quickly create software to suit their business needs. LCNC platforms have the potential to slash costs, reduce time-to-market, and disrupt industries; however, they could also be unwittingly laying the groundwork for future data disasters.

The first concern when it comes to LCNC platforms is a lack of visibility. There's often no knowledge about code quality, its vulnerabilities, or how well it's been tested. The non-IT pros who develop these applications aren't trained to maintain them, often create misconfigurations, and don't know the best practices on how to keep them from opening up security vulnerabilities such as data exfiltration.

**Why Zero Trust Alone Isn't Enough**

Increasingly, organizations are turning to the zero trust model to mitigate security risk. With this model, the goal is to enforce least privilege to users and applications. This calls for all users and applications to be authenticated, authorized, and continuously validated before being granted access to data.

Many enterprises rely upon privileged access management tools, which are important to helping achieve zero trust across much of the IT infrastructure. But these tools are blind to the context of the database. They are not equipped to grant privileges based on who or what is accessing the data, what they are accessing, and for what purpose. Because these controls only provide all-or-nothing access, no-code and low-code applications could end up exposing sensitive data.

The most under-discussed security issue around LCNC may be that even the apps IT has sanctioned often don't maintain a record of data lineage. There's often no knowledge of when these apps accessed databases, how much data was accessed, and what happened to that data. But every time an application accesses data, it needs to read and write data somewhere — even if it's temporary. And it often isn't, and the data pulled from a database for an app's use ends up living somewhere else too.

**Restoring Visibility to Reduce Risk**

These days, rather than on premises, data could reside in a database, data warehouse, or data pipeline. But without a framework to apply controls, there's no history or record — data is essentially in the enterprise wild.

This lack of data lineage records partially explains why it can take so long for organizations to notify affected parties after a data breach. It can take weeks, even months, to assess the impact of data exfiltration because today most organizations cannot tell you exactly which of their people and applications have access to their databases. Even fewer can point at which data within the databases those applications can access. It's becoming clear that unless organizations worldwide put a new level of data security governance in place, the LCNC paradigm will only accelerate the trend of data exfiltration.

However, security teams can have both LCNC and database security by following a few design principles:

*   Create a governance model that works across databases, data lakes, and data services
*   Enforce least privilege
*   Provide real-time visibility into which applications are accessing which data for what reason

By making sure every application is authenticated and authorized before it is provided fine-grained access, and by keeping a record of data lineage for future auditing, enterprises can reduce the risk of LCNC frameworks.

In the end, today's enterprises don't need to shrink away from using no-code and low-code technologies, but they do need to put data security governance controls in place. As each new app potentially gives rise to new vulnerabilities, rather than investing only in security tools that protect the perimeter or the vector, every company — whether a startup or a global enterprise — should invest in protecting the key source of value for the business operations: the data layer.

Visibility Is as Vital as Zero Trust for Low-Code/No-Code Security

**SAN FRANCISCO – March 1, 2023 –** Fastly, Inc. (NYSE: FSLY), the world’s fastest global edge cloud platform, today launched Fastly Managed Security Service, a premier 24/7 threat detection and response service dedicated to helping organizations significantly reduce the risk  of web application attacks and associated business costs due to lost transactions. Available to Fastly’s global Next-Gen WAF customers, Fastly Managed Security Service further demonstrates the company’s commitment to helping global marquee customers deliver innovative, secure digital experiences to their users.

Web applications continue to be popular targets for today’s attackers. In fact, according to the Verizon 2022 DBIR, web applications are the number one vector, and not surprisingly, they are also connected to the high number of Denial of Service attacks. This pairing, along with the growing use of stolen credentials (commonly targeting some form of web application) is consistent with what we’ve seen for the past few years. Existing security teams are spread thin and don’t always have the expertise or time to continuously monitor and detect these types of threats. Organizations can deploy Fastly Next-Gen WAF for accurate protection, and now they can further enhance this protection with Fastly’s Managed Security Service.

“Today’s defenders face an uphill battle against cyber adversaries due to an exploding attack surface and increasing volumetric attacks, particularly DDoS attacks. At the same time, security teams want to reduce complexity and prioritize their resources,”said Gino Lang, Vice President of Customer Security, Fastly. “By providing global 24/7 proactive protection, Fastly Managed Security Service delivers comprehensive visibility and the expert staff needed to quickly identify and mitigate potential threats. This frees up organizations to focus their security staff on other business priorities.” 

This latest announcement builds on the success of Fastly’s Response Security Service and other security offerings. “Fastly’s decision to extend its next-generation security capabilities to offer a managed security service is a natural evolution and reconfirms the company’s commitment to protecting organizations from today’s agile and persistent adversaries,” said Christopher Rodriguez, IDC Research Director, Security & Trust.

IDC recently recognized Fastly as a leader in the "IDC MarketScape: Worldwide Commercial CDN Services 2022 Vendor assessment", highlighting the company's ability to create fast, dynamic, and secure digital experiences.   

**About Fastly Managed Security Service**

Fastly Managed Security Service is a premium offering that provides Fastly Next-Gen WAF customers with continuous monitoring and proactive mitigation of web-application attacks, all backed by a 15-minute response time SLA for critical security incidents. We combine this with robust post-event reporting and regular, strategic security consultation in order to ensure the highest level of application protection to strengthen an organization’s overall security posture. 

Staffed 24/7 by Fastly’s global Customer Security Operations Center (CSOC), this service enables in-house teams to improve their overall security posture and focus on their core competencies, strategic initiatives, and high-impact projects.

Fastly’s Managed Security Service is now available to Fastly Next-Gen WAF customers. To learn more about how your organization can add this white glove experience to your security program, please contact \[email protected\]. For additional information about the new service, please visit here. 

**About Fastly**

Fastly’s powerful and programmable edge cloud platform helps the world’s top brands deliver the fastest online experiences possible, while improving site performance, enhancing security, and empowering innovation at global scale. With world-class support that achieves 95%+ average annual customer satisfaction ratings, Fastly’s beloved suite of edge compute, delivery, security and observability offerings has been recognized as a leader by industry analysts such as IDC, Forrester and Gartner. Compared to legacy providers, Fastly’s powerful and modern network architecture is the fastest on the planet, empowering developers to deliver secure websites and apps at global scale with rapid time-to-market and industry-leading cost savings. Thousands of the world’s most prominent organizations trust Fastly to help them upgrade the internet experience, including Reddit, Pinterest, Stripe, Neiman Marcus, The New York Times, Epic Games, and GitHub. Learn more about Fastly at https://www.fastly.com, and follow us @fastly.

Source: Fastly, Inc.

Fastly Launches Managed Security Service to Protect Enterprises From Rising Web Application Attacks

The cyberattackers might have potentially accessed customer information, the service provider warns.

A Feb. 23 ransomware attack is to blame for a disruption to Dish Network's internal communications capabilities, customer call centers, and Internet sites, the satellite service provider said in an SEC filing this week.

The threat actor behind the attack also accessed Dish Networks' IT systems and extracted data from it that could potentially include personal information, the company said — without clarifying whether that meant employee information, customer information, or both.

**Broad Impact on Dish Customers**

Dish TV and its streaming subsidiary Sling's services remain operational, as do its wireless and data networks. But the incident has affected the ability for customers to access their accounts, make payments, and reach the company's service desks, Dish said. 

"We're making progress on the customer service front every day, including ramping up our call capacity," Dish said in a note to customers on its main website, which earlier this week was inaccessible to many. "But it will take a little time before things are fully restored."

Dish has hired outside cybersecurity experts and advisers to help evaluate the situation and conduct a forensic investigation of the incident. If that analysis shows the breach impacted customer information. Dish said it will notify affected customers and take appropriate action.

Dish's disclosure about the ransomware attack comes days after the company first reported a cybersecurity incident as causing a systems issue. The service disruptions that the attack caused added to already broader Wall Street concerns about the company's ability to take advantage of 5G opportunities and other issues. It at least partially contributed to a 8% decline in Dish Network's share prices this week after a Wall Street analyst double downgraded the company's stock.

**Six Service Providers Hit So Far, and Counting**

At least six other major Internet services and utilities provides have experienced similar attacks since the beginning of 2023 according to Comparitech, which maintains a running tracker of ransomware attacks around the world. Rebecca Moody, head of data research at Comparitech, says that in addition to Dish, her company has confirmed ransomware attacks on South African ISP RSAWeb, Tonga Communications Corp., Águas e Energia do Porto in Portugal, Grupo Albanesi in Argentina, and US-based Encino Energy.

The attacks in 2023 come after a rash of hits on telecom service providers in the last few months. However, ransomware attacks on utilities providers of all types actually dropped last year — from 49 in 2021 to 38 in 2022, and the average ransom demand dropped from $27.2 million in 2021 to $14 million last year, according to Comparitech data. However, the average number of customer records impacted in these attacks saw a staggering surge — from 192,888 in 2021 to 9.8 million in 2022.

Moody says it's difficult to know for sure what the ransomware attacks on services firms in January and February 2023 portend for the rest of the year. "But if we compare these six attacks throughout January and February of this year to last year's figures \[of\] two attacks in total, it would suggest hackers have started this year with a renewed focus on utilities companies," she says.

**Network Segmentation & Damage Containment**

Moody says one fact that could be driving the trend is the huge effect these attacks can have on the victim company and the vast number of customers and businesses that rely on their services. "Regaining control of systems as quickly as possible will be a key priority, which hackers may see as an opportunity to secure a ransom demand," Moody says.

Neil Jones, director of cybersecurity evangelism at Egnyte, says the scope of the attack on Dish Networks suggests the threat actors behind it had broad access to its systems. "Generally, there's a strong correlation between the number of systems that are taken down in a cyberattack and the level of access that cyberattackers may have attained," Jones says.

In this instance, Dish's Internet sites, internal communications systems, customer call centers, and customers' bill payment systems were all affected. And early reports suggested that the attack also affected systems subsidiary Boost Mobile, he says. "This suggests that cyberattackers may have gained broad access to the conglomerate's systems and may have compromised their environment some time ago," Jones says.

A research-based report that Ivanti released earlier this year showed that in most ransomware attacks, threat actors exploited old bugs to gain initial access and maintain persistence on them.

Jones adds that the seemingly broad impact of the Dish Network breach shows why network segmentation is crucial to breach containment. Most organizations don't segment their networks as meticulously as they should resulting in many recent situations where a single breach impacted the victim's source code, financial data, and their customer data. "So, I'm confident that network segmentation will be more of an industry focus going forward," Jones says.

Source

DARKReading