Sharing attestations on software supply chain data that are formed into a policy will give us a framework to interpret risk and develop compliance directives.

Companies are facing two major truths this year: More cybersecurity regulation and fewer resources.

For the former, it's about time. Cybersecurity needs baseline requirements and government regulations can be a useful forcing function. It's encouraging to see a renewed focus on areas that need real attention, especially software supply chain security. Considering the latter, it means companies are facing a steep climb ahead to implement these new regulations in a year of economic uncertainty. Nonetheless, regulations are here, more regulations are coming, and companies need to adapt.

In a recent article, I discussed a few issues with the software bill of materials (SBOM) format as a standard, which includes:

*   Requirements vs. optional fields

*   Complete lack of provenance consideration

But this year, the biggest hurdle will be adoption.

**The Software Vendor Adoption Problem**

ACMECorp is an example of a company that produces software products. We'll refer to one of its products as "Anvil" and its customers as "Clients."

Clients want ACMECorp to release its SBOMs for Anvil so Clients can understand if they're affected by software supply chain issues, vulnerabilities, or license risks. Clients also want to be able to understand quickly if they're affected as new issues arise.

Regulatory bodies want to require ACMECorp to release SBOMs so Clients can be better informed. ACMECorp may very well _want_ to provide this information to Clients as well, but this is a massive undertaking.

For all software products, ACMECorp will now need to:

1.  Identify all software components used as dependencies. This is at minimum dozens and at most tens of thousands of individual software components.
2.  Identify all the _potential_ security issues. This includes a security audit of a product and all of its dependencies.
3.  Investigate each potential security issue and determine ACMECorp's response, which will range somewhere between "we have to fix this now" and "not applicable." The resulting analysis from the software security team charged with performing this work will inevitably meander through teams of lawyers to determine exposure and risk. This is crucial, because ACMECorp will need this information to:
4.  Stand up a new department to handle the barrage of inevitable questions and challenges from Clients to the responses developed.
5.  Release SBOMs to Clients with as little detail as possible to protect intellectual property and limit exposure.
6.  Do the entire process again for every version that is released, in perpetuity, and keep historical records.

It's a heavy lift, but ACMECorp will need to have a version of the above (or at least a start to it) that it expects Clients to accept.

**The Client Adoption Problem**

Clients that wish to consume Anvil's SBOM (and hundreds or thousands of other SBOMs) now have a huge additional workload to adopt any technology.

Companies already have a vulnerability management problem, and this will multiply the burden. As SBOM is a self-reporting mechanism, Clients will not be inclined to simply rely on an SBOM as an authoritative source of truth. Instead, they will require their already overburdened application, product security, and legal teams to find ways to validate ACMECorp's SBOMs after each release.

**Let's Aim for the Better**

I'm bullish on the goals of SBOMs. We must have a complete, up-to-date inventory of components used in a software product. We must understand the implications of security events and issues and how they affect companies, governments, and users. My hope is that we can work together to build a far better process than we have with the current iteration of SBOM.

First, we must release ourselves from the idea that simply sharing data from vendor to customer will solve the challenges SBOM hopes to address. As I outlined above, it is guaranteed only to make additional work. Instead, we should think about how we can share _attestations_ on software supply chain data.

Vendors want to show customers their products' security posture is well-defended. Customers want to have assurance that the security posture of third-party products and services aligns with their threat model and risk tolerance. These goals are achieved by interpreting the software supply chain data and answering questions relevant to the goals. The context around the data is key to these outcomes.

A huge amount of the security goals vendors and customers hope to answer can be codified, then constructed into policies that can be agreed upon by vendor-to-consumer relationships. The tests or attestations for these policies can be open source, with collaboration from both the security and development industries. This will allow open understanding of the value of the attestations, and their weaknesses that can be improved upon. It can give us a shared framework to interpret software supply chain risk.

Groups of attestations in the form of a policy can be quickly tested as vendors develop software to plan for the end-state requirements. Customers can use this to rapidly understand the software supply chain risk of a vendor's product. That might mean opting for an on-premises version hosted in a controlled environment, or contract requirements to better meet the needs of the customer, but it gives vendors and customers a common taxonomy to better align with each other.

Attestations and policies allow us to effectively build compliance directives in a way that vendors can manage through the product and software development life cycle. Changes to attestations can be scheduled and road-mapped without piles of meetings to coordinate individual issues. These compliance directives can be rapidly evaluated to understand regulatory impact, which we know to be on the horizon anyway. These attestations can extend to show transparency and provenance of the vendor data provided as input. Overall, this gives us the required common ground to build trust.

Finally, an enormous part of this process can be automated. We can much more effectively focus the time of our security and development teams where it's needed, instead of preparing and consuming a never-ending stream of SBOM data dumps.

Cheers to the year of the SBOM. We're all in this together.

This Will Be the Year of the SBOM, for Better or for Worse

A combined team of UL Solutions safety science experts will address automotive cybersecurity, functional safety, automated driving and software development processes to help customers bring safer, more secure innovations to market.

**NORTHBROOK, Ill., Feb. 22, 2023 /PRNewswire/ --** UL Solutions, a global leader in applied safety science, today announced that it is leveraging its collective expertise to drive innovation in automotive safety by combining members of its functional safety and cybersecurity teams to enable a more holistic approach to testing, inspection and certification for automotive safety. This new interdisciplinary team provides a well-rounded approach to addressing advanced mobility technologies.

As safety, security and quality are highly interrelated and a vital part of the automotive industry, original equipment manufacturers (OEM) and automotive component and system suppliers are increasingly looking for a sole provider with holistic solutions that support multiple standards, regulations and other technical requirements.

"Our newly combined team provides OEMs and suppliers with end-to-end thinking to address evolving challenges in cybersecurity, functional safety, automated driving and Automotive Software Process Improvement Capability Determination, or Automotive SPICE," said Jody Nelson, managing director of functional safety and cybersecurity in the Identity Management and Security group at UL Solutions. "This broad expertise proves critical when developing control systems for safety-related applications as vehicles become more interconnected with numerous external devices, networks and systems."

In a future where most vehicles are fully electric, dependency shifts from gas stations and fossil fuels to charging stations and electricity. The resiliency of electric vehicle charging systems and the electric power grid becomes increasingly essential for transportation amid the rising popularity of electric vehicles (EV) and the potential for cyberattacks. Combining automotive cybersecurity and functional safety expertise better prepares UL Solutions to address these emerging challenges in electrification.

The team's integrated expertise also helps automotive OEMs and suppliers to navigate new and evolving requirements from the U.S. Federal Motor Vehicle Safety Standards (FMVSS), China Compulsory Certification (CCC), United Nations (UN) Economic Commission for Europe (ECE), and other applicable standards and regulations for new mobility technologies, including:

*   The Cyber Resilience Act
*   The Radio Equipment Directive (RED)
*   ISO/SAE 21434, Road vehicles – Cybersecurity engineering
*   ISO 24089, Road vehicles – Software update engineering
*   UN Regulation No. 155 – Cyber security and cyber security management system
*   UN Regulation No. 156 – Software update and software update management system
*   ISA/IEC 62443, Security for Industrial Automation and Control Systems
*   ETSI EN 303 645, Cybersecurity Standard for Consumer IoT Devices

Launching this team further builds on UL Solutions' commitment to the automotive industry. The company recently took another significant step to help advance automotive safety and better serve OEMs and suppliers by acquiring Kugler Maag Cie, a German-based provider of process excellence, assessment and training solutions supporting the automotive industry. With this acquisition, UL Solutions enhances its services to provide customers with testing and certification of automotive processes and safety-critical system services.

**About UL** **Solutions**  
A global leader in applied safety science, UL Solutions transforms safety, security and sustainability challenges into opportunities for customers in more than 100 countries. UL Solutions delivers testing, inspection and certification services, together with software products and advisory offerings, that support our customers' product innovation and business growth. The UL Certification Marks serve as a recognized symbol of trust in our customers' products and reflect an unwavering commitment to advancing our safety mission. We help our customers innovate, launch new products and services, navigate global markets and complex supply chains, and grow sustainably and responsibly into the future. Our science is your advantage.

UL Solutions Advances Automotive Safety and Security

Hackers will take anything newsworthy and turn it against you, including the world's most advanced AI-enabled chatbot.

Scammers are capitalizing on the runaway popularity of and interest in ChatGPT, the natural language processing AI — impersonating it in order to infect victims with a Trojan malware called Fobo, in order to steal login credentials for business accounts.

ChatGPT is the world's most advanced chatbot, published by developers OpenAI back in November. It’s been a resounding success: It's regularly overloaded with users demanding that it write marketing copy, or poems, or answer questions about philosophy. (In fact, OpenAI has developed a $20-per-month subscription plan for users who want to bypass these slowdowns.) And a meme has been making the Internet rounds recently, about how long it took the world's biggest apps to reach 1 million users. Netflix, for example, took 3.5 years. Facebook, 10 months. Spotify, five months. ChatGPT? Five days.

In the same way they do any big news item — COVID-19, the Ukraine war, take your pick — hackers have twisted the popularity of ChatGPT into phishing bait. And now, according to a blog post from Kaspersky, a fresh campaign is utilizing social media impersonation to lead unsuspecting victims to a fake ChatGPT landing page, where "signing up" means downloading an info-stealing Trojan called Fobo. The Trojan seeks out business account credentials, which could be used for follow-on attacks of a greater scale.

According to the report, this blatant scam has already spread to Africa, the Americas, Asia, and Europe.

**Faking ChatGPT to Hack Business Accounts**

The researchers at Kaspersky have observed grifters running social media accounts that either impersonate the OpenAI/ChatGPT brand directly or pretend to be communities for fans of the program.

Sometimes, the accounts post neutral content relating to ChatGPT, with a malicious link at the bottom. Other times, according to the blog post, they post "fake credentials for the pre-created accounts that are said to provide access to ChatGPT. To motivate potential users even further, the attackers say that each account already has US $50 on its balance, which can be spent on using the chatbot."

The real program has an entirely optional subscription plan but is otherwise free to use for the general public.

Unwitting social media users who follow the malicious links in these posts land on a ChatGPT homepage, which is like for like with the real thing in almost every way.

A convincing fake ChatGPT. Source: Kaspersky

Clicking the "download" button — suspicious in itself, as ChatGPT has no desktop client — triggers the installation of an executable file.

"If this archive is unpacked and the executable file run," according to Kaspersky researchers, "then, depending on the version of Windows, the user sees either a message saying installation failed for some reason, or no message at all — at which point the process seems to end."

Behind the scenes, however, a Trojan horse has been unleashed. The Trojan looks for login credentials for apps like Google, Facebook, and TikTok, stored in the victim's browser. But in particular, Kaspersky explained, it's looking for usernames and passwords for business accounts.

With employee usernames and passwords, the attackers could possibly perform more significant follow-on attacks against enterprises.

"On finding a business account in one of these services," the researchers explained, "it tries to get additional information, such as how much money was spent on advertising from the account and what its current balance is."

**How to Avoid ChatGPT Scams**

That the perpetrators of this campaign chose ChatGPT as their vehicle is no coincidence. Among its many more frivolous uses, the chatbot has proven popular in business settings. Employees are using it to write emails, copy, and marketing materials faster, support interviews and research projects, and much more.

To avoid engaging with a malicious fake, though, Kaspersky recommended avoiding "offers" like those from this story, utilizing security software, and not clicking on links — better to go through a search engine or type the URL straight into your browser.

As of this writing, Kaspersky has not responded to a direct request for comment by Dark Reading. So, in substitute, we asked the ChatGPT bot to provide insight on the matter. It had this to say:

_"In conclusion, the rise of hackers impersonating ChatGPT to steal login credentials is a serious threat that should not be underestimated. The implications of such attacks are far-reaching and potentially devastating for individuals, organizations, and even entire industries. As technology continues to evolve, we can expect these types of attacks to become more sophisticated and difficult to detect. It is, therefore, imperative that individuals and organizations take proactive measures to protect themselves, such as regularly changing passwords, enabling two-factor authentication, and staying vigilant for signs of phishing attacks. Only by working together and taking these steps can we hope to mitigate the risks posed by hackers impersonating ChatGPT and other forms of cybercrime in the future."_

Scammers Mimic ChatGPT to Steal Business Credentials

Open source software dependencies are affecting the software security of different industries in different ways, with mature industries becoming more selective in their open source usage.

The proportion of open source codebases with vulnerabilities has continued to remain level over the past two years, but the number of applications with high-risk vulnerabilities has dropped to its lowest level in four years.

That's according to the "2023 Open Source Security and Risk Analysis" (OSSRA) report, published by Synopsys on Feb. 22. The annual study, based on audits of more than 1,700 applications, found that almost every software program (96%) included some kind of open source software component, with the average codebase consisting of 76% open source code. While the number of codebases with at least one vulnerability remained mostly stable over the past three years at slightly more than 80% — 84% in 2022 — the number of applications with high-risk vulnerabilities has dropped to about half (48%) of all applications tested, from a peak of about 60% in 2020.

Overall, the data shows some bright spots in the struggle against vulnerable dependencies, of which the average application has 595, but there's no broad trend toward greater application security, says Mike McGuire, a senior software solutions manager at Synopsys Software Integrity Group.

"Organizations are struggling to keep up with the scale of open source usage," he says. "If you take those almost 600 components per application on average, and multiply that by the number of vulnerabilities that are disclosed on an annual basis, then you can really, really start to drown in the work."

    

Overall open source usage remained mostly level, as did overall vulnerable codebases. Source: Synopsys

Open source components, and the dependencies on which popular application frameworks rely, continue to pose security problems for software makers and application developers. The ubiquity of some components — such as Log4j in the Java ecosystem — continues to cause security issues for many applications based on open source frameworks.

**Outdated Dependencies Are Common**

Applications that include a lot of components — and by extension, those components' dependencies — can have deep dependency trees that make it hard to find every vulnerability. Nearly all applications (91%), for example, included at least one open source component that has no development in the past two years, a likely sign that the project is no longer being maintained and, therefore, represents a security risk.

Nearly one in eight applications also had more than 10 different versions of a specific codebase, with each likely imported from a different component and that component's dependencies.

Failing to eliminate those older codebases represents a risk, Synopsys stated in the OSSRA report.

"Open source was in nearly everything we examined this year; it made up the majority of the codebases across industries, and it contained troublingly high numbers of known vulnerabilities that organizations had failed to patch, leaving them vulnerable to exploit," the report stated. "It is crucial to understand that while open source itself does not pose any inherent level of risk, failing to manage it does."

Whether more dependencies means more vulnerabilities is still a relationship under investigation. JavaScript frameworks, for example, tend to have the greatest number of dependencies, but JavaScript applications tend to be less vulnerable than Java and .NET applications, according to a report released by software-security firm Veracode in January.

**Don't Fall Behind With Open Source Dependencies**

The impact of open source code on security varies by industry, according to the OSSRA report. Some industries have increased their open source usage, while others have consolidated their portfolio. Depending on their level of maturity, the impact on security can be different.

Education technology companies, for example, have adopted open source components to drive new features and applications required by schools during the push for online teaching during the pandemic. In that industry, open source software accounted for more than 80% of codebases in 2022, up from about a third in 2018. Other sectors also saw dramatic, if not so stark, increases in usage. The aerospace, aviation, automotive, transportation, and logistics sector, for example, also nearly doubled its usage of open source components over five years.

The significant increase in adoption has led to many companies losing visibility into what is making up their software and what needs patching, McGuire says.

"More organizations are using more open source components, but they just don't have the programs in place to track those \[patches\] down," he says. "Once you get underwater with those updates — it's just like any other technical debt or debt in general, right? — it's really tough to claw your way back."

Other industries have reduced their usage of open source software, likely by consolidating on fewer projects as dependencies, according to the report. Both the Internet and software infrastructure sector, and the telecommunications and wireless sector, have reduced the contribution of open source software to their codebases to under 60%. Both industries also saw fewer high-severity vulnerabilities.

Half of Apps Have High-Risk Vulnerabilities Due to Open Source

The platform uses no-code policy workflows to automate the provisioning and revoking of permissions.

To keep businesses running smoothly in a multicloud environment, people and applications both need a web of permissions to access all the tools required to complete their tasks. Getting the balance right, however, is a perennial challenge at which most companies fail. A startup named Entitle aims to change that.

The company is debuting a permissioning system that the company says spreads decision-making responsibility beyond the IT department, to the business unit leaders who actually know who the users are and what they need in the way of permissions.

The fundamental problem has been around for years. In 2021, CloudKnox revealed that nearly all of the identities on the major cloud platforms (90% to 95%, depending on platform) used no more than 5% of the permissions granted. And a 2022 year-end wrap-up from Permiso showed that the average user and role still only uses 5.3% of their permissions. 

The more lax the permission situation, the more likely it is that a bad actor will leverage their way into the network via an insecure account that has more access than it needs.

Entitle works to remedy that risk by issuing just-in-time permissions that can be revoked after a certain period or when a task has been completed. It also makes it easy to grant, change, and revoke permissions in bulk for people — employees or third parties — who are joining, leaving, or changing jobs, with what the startup calls "one-click on/offboarding." An access review panel collects the details of all permissions each human or machine identity has for overview, auditing, and compliance purposes.

    

Entitle's Workflows function. Source: Entitle

Perhaps the most unusual aspect of the Entitle platform is its Workflows function, shown above, which is where a company can set rules to automatically approve permissions requests or send them to the proper role (for instance, direct manager or app admin) for approval. That should cut down on manual work and improve the ability of programs and people to get emergency access in order to reduce bottlenecks — a serious consideration when balancing productivity and security.

Of course, Entitle is not the first or only company to embrace the principle of least privilege. Authomize, for example, launched in 2020 with its own version of automated permissioning, and Delinea created a way for users to execute a privileged action without having to expand their role. But considering the security and business risks posed by access creep, ensuring that every user gets only the access they need is an important function.

Entitle Brings Fine-Grained Cloud Permissions Management Out of Stealth

Thanks to burnout and stress, Gartner predicts churn and even departure from profession among half of today's security leaders by 2025.

Enterprises can expect to see some pretty dramatic churn in their cybersecurity departments in the next two years if they're not proactive about countering security burnout. A prediction out today by Gartner estimates that almost half of cybersecurity leaders will change jobs by 2025. More startling, the analyst firm predicts that one in four leaders will exit the security stage completely.

According to Deepti Gopal, director analyst for Gartner, cybersecurity professionals are generally facing "unsustainable levels of stress." For CISOs and other security managers, the mental and emotional fallout from occupying the scapegoat role is not only spurring many them to look outside of their current jobs or their professions, it's also impacting their effectiveness when they stay.

"CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do," Gopal says. "The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams."

**Negative Unemployment & Burnout Persist in Cybersecurity**

For a long time now, the need for cybersecurity expertise has gone unfilled across the entire industry. Per last year's (ISC)2 estimates, by 2025 there will be a shortfall of 3.5 million cybersecurity experts. Even as other jobs in the tech industry begin to evaporate in the face of tech sector layoffs, cybersecurity appears to be immune to this. A report earlier this month from (ISC)2 showed that only 10% of corporate executives expect to lay off members of their cybersecurity teams this year.

However, these seemingly positive numbers about job security in the cybersecurity world could actually be a red flag for what's currently ailing the profession. That is, burnout and job dissatisfaction are making it tough to recruit and retain talent. A different survey out this week from Magnet Forensics shows this phenomenon within the rank-and-file population of security analysts and investigators: More that half of these security pros reported feeling burned out in their jobs.

Often, the discussion of cybersecurity burnout revolves around topics like alert fatigue and workload imbalances, particularly among security operations center (SOC) workers. For example, the Magnet report showed that 64% of those workers cited alert fatigue as playing a role in their burnout. However, the news that one in four CISOs will leave their profession altogether hints at even deeper issues.

**The Trouble With CISO Satisfaction**

CISOs aren't necessarily running down alerts constantly the way their employees are, but they're overloaded with other career fatigue factors.

"CISOs are constantly trying to balance high expectations against an absence of the tools needed to meet those expectations," Gartner analysts wrote in the prediction piece. "Compliance-centric cybersecurity programs, significantly low executive support, and subpar industry-level maturity are all indicators of an organization that does not view security risk management as critical to business success."

One of the big factors that could have CISOs reconsidering their career trajectory in cybersecurity altogether is the fear about what will happen to their professional reputation if their company gets breached, says Diana Kelley, a veteran cybersecurity executive and co-founder and CSO of Cybrize, a cybersecurity workforce planning platform. She says CISOs and CSOs worry about "having their name dragged through the mud" after a breach, or even facing criminal charges, which feels more possible in the fallout from the conviction of Uber's Joe Sullivan last year.

"I'm also curious if downward pressure on the level of the CISO and the salary are having an impact," Kelley muses. "CISOs have long been talking about getting to the C-suite and reporting to the CEO, but I've heard more CISOs complain about getting pushed down a level and far fewer celebrating leveling up to true C-suite."

While some media outlets have lauded compensation packages for CISOs that are crossing the $1 million mark, the truth is that most are much lower, Kelley says.

"If you aspired to be a CISO for the $1 million payday and now are in a role where you're under extreme pressure, getting up at 3 a.m. on Saturday to deal with breaches, and being paid $234,000 — while your buddy who's doing DevOps is making $250,000 and sleeping all weekend — you might just say, 'to heck with cyber!'"

1 in 4 CISOs Wants to Say Sayonara to Security

A DoD email server hosted in the cloud (and now secured) had no password protection in place for at least two weeks.

A US Department of Defense email server hosted on Microsoft Azure's government cloud service reportedly was found wide open to the public Internet for a period of about two weeks before it was properly secured.

According to a report on TechCrunch, a security researcher spotted the email server containing internal US military messages, some with sensitive personal information, including an SF-86 questionnaire that federal workers fill out as part of their security clearance process. It was one of a group of email servers in the US Special Operations Command (USSCOM) but likely on the civilian side, the report said.

The email server appeared to have been misconfigured and was running without password protection. Once TechCrunch alerted USSCOM, the agency fixed the issue. "\[W\]hat we can confirm at this point is no one hacked US Special Operations Command's information systems," a USSCOM spokesperson told TechCrunch.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Military Emails Exposed via Cloud Account

Despite increased threats, an uncertain economy, and increasing automation, your organization can still thrive.

When the vulnerability in Log4j happened, security teams sought the answer to a seemingly simple question: Am I vulnerable?

Answering that question led to a maelstrom of activity. Security groups requested information from vendors about their level of vulnerability and, in turn, had to respond to their customers about whether they were vulnerable. In many ways, the entire exercise seemed more about legal obligations than making people more secure.

The deluge of information — some of it useful, some of it useless — highlighted the need to rethink how we are doing security in the future.

We're living in a chaotic time. With a possible recession, technology companies trimming their ranks, and businesses pushing further into the cloud and adopting more automation and AI, security teams need to re-evaluate. Do they just follow the traditional playbook without thinking why? Or do they improve what they are doing to make security better?

Here are some focus areas to reduce chaos and increase overall security effectiveness.

**Simplify for Greater Visibility**

Gaining visibility into your applications and infrastructure is essential. Companies expanding their use of the cloud and converting applications to cloud-native infrastructure often see initial growing complexity because of a period of redundancy and hybrid infrastructure.

Pushing beyond that stage provides both cost and security benefits. Limiting the use of third-party tools to capture and analyze data for security teams is important. There's really no reason to, say, pull NetFlow data off the cloud infrastructure, when that same data — and more — is natively available.

Explore your cloud service provider's tools. Major cloud providers will often provide you detailed data, and you can reduce the complexity of the infrastructure needed to analyze that data.

**Pay Attention to Even the "Small" Breaches**

When NASA astronauts start getting emails in French, it's time to investigate.

That's what happened to Gavin early in his security career. Turns out two students in France were using Telnet to get into the NASA server and using it to send email. The incident ended up driving a greater project around making sure NASA had a robust data classification system and better data isolation.

Weird anomalies can be signs of an attack, but they can also drive a security team to better understand their organization's infrastructure. Investigations are time consuming but also often worthwhile, so even the small stuff should be investigated.

**Threat Intelligence Can Help**

Usually, a security team's most precious commodity is time. The old method of analyzing every IT project (even as they are changing) and looking for security issues is untenable.

Threat intelligence can help cut through the noise. By using threat intelligence, your security team can take a priority-based approach to architecture based on real-world attack intelligence. At the same time, they can deprioritize other areas. Threat intelligence can also help refine your playbooks and increase the maturity of your security team.

**Thriving With Automation, Planning for Layoffs**

Security teams are facing other sorts of stress, with most economists expecting a recession. Security teams still need to be able to perform, despite stressors and even in the face of losing some of their headcount.

To focus on the most important aspects of security, even with fewer people, companies need to adopt more automation, machine learning, and artificial intelligence. Every team should be asking how to speed up manual tasks with automation. Automation, correctly applied, can free up staff to be working on the areas.

In the past, security teams have been considered a roadblock — a bump on the way to a company's core business of making money. Most teams have moved past the reflexive need to say no. We're here to make sure that the business is taking educated risks, but at the end of the day, just saying no to everything doesn't help anyone.

As every security manager surveys the horizon, they need to look at how they have traditionally approached problems. And they should consider whether now is time to say yes to something new.

Headwinds Don't Have to Be a Drag on Your Security Effectiveness

It's a banner year for attacks coming through traditional email as well as newer collaboration technologies, such as Slack and Microsoft Teams. What's next?

Phishing and other messaging-based attacks continue to be a pervasive threat, with 97% of companies seeing at least one email phishing attack in the past 12 months and three-quarters of firms expecting significant costs from an email-based attack.

That's according to the "State of Email Security" (SOES) report, based on a survey of 1,700 IT professionals published by Mimecast this week. The report also found that the most significant email-borne threats continue to be phishing, ransomware, and spoofing. 

Two-thirds of respondents acknowledged a successful ransomware attack, with companies in certain industries more likely to be a victim, including consumer services (87%), energy (83%), healthcare (80%) and the media and entertainment (86%) sectors. On the spoofing side, 91% of those surveyed had seen attempts to steal or use their email domain in an attack, according to the survey.

The increased concern about cyberattacks via email and collaboration platforms comes as companies have shifted to hybrid work environments, making tools like Slack and Microsoft Teams popular ways of exploitation by opportunistic cybercriminals. Nearly three-quarters of companies surveyed feel it is likely or extremely likely that their company will suffer an attack delivered through their collaboration tools, according to the study, which was conducted by market research firm Vanson Bourne.

"While email remains the primary attack vector for bad actors, collaboration tools provide a new threat surface for cybercriminals to infiltrate," the report stated. "And this, in turn, creates even more risk for CISOs and their teams to manage."

Though certainly not a new area, attacks on messaging and collaboration software are a growing source of compromise for companies. In its quarterly "Phishing Activity Trends Report," the Anti-Phishing Working Group (APWG) detected 1.3 million attacks in third quarter of 2022, up from 1.1 million phishing attacks in the second quarter of 2022. Attackers are also getting better at fooling defenses and sneaking into users' inboxes, with 19% of phishing attacks bypassing platform defenses, according to a report released in October.

With the ramped-up activity comes more awareness, at least. "More \[company\] leaders are increasingly aware of the dangerous ramifications cyberattacks pose against their business," says Thom Bailey, senior director of strategy at Mimecast. "However, organizations are still behind the curve in terms of security posture."

**Collaboration Tools Expand Quickly**

Collaboration tools represent an expanding attack surface area, according to the SOES survey. While the vast majority of professionals (90%) maintain that collaboration tools are essential to their company's workflow, keeping up with the installed base of tools is "overwhelming," according to those polled. Two-thirds of professionals (67%) are overwhelmed by the number of tools, and more than half (55%) have to attempt to detect and manage tools downloaded by workers without approval.

That said, whether the attacker uses email as their vector, or Slack or Teams, the end goal is the same, Bailey says.

"It’s important to remember that even though the attack vector is slightly different, the human end user is still the key target," he says. "The majority of attacks targeting collaboration channels leverage the human element, where an adversary makes a compelling appeal for a recipient to engage with the attacker."

On the email side, more companies are adopting email security specifications, such as Domain-based Message Authentication, Reporting and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI) to prevent spoofing. To protect their domains, 88% of survey respondents would like to use the DMARC standard to make their email more resilient to spoofing attacks. Unfortunately, only a bit more than a quarter (27%) have actually deployed the features, according to the SOES survey.

**Can ChatGPT Help With Phishing as Well?**

While anti-spam engines are among the earliest applications of machine learning to cybersecurity, most professionals aim to go further, with 92% either using or planning to use artificial intelligence (AI) features and machine learning (ML) to bolster their current defenses. Doing so can help cybersecurity teams keep up with attackers, Bailey says.

"When combined with natural language processing tools such as auto-encoders or large language models, \[AI\] can help detect anomalies in the writing style and communication patterns of inbound emails, blocking messages and alerting employees accordingly," he says. "It also helps reduce human error ... further enabling strained IT teams ... to offset critical workforce challenges by automating repetitive tasks and streamlining workflows to drive higher levels of efficiency."

The SOES survey included professionals from companies of various sizes, including 15% with fewer than 500 employees, 76% with between 500 and 10,000 employees, and 9% with more than 10,000 employees. The top industry sectors represented by the survey professionals included financial services (14%), technology and telecommunications (13%), retail (13%), and healthcare (11%).

Phishing Fears Ramp Up on Email, Collaboration Platforms

Google's Android and Chrome Vulnerability Reward Programs (VRPs) in particular saw hundreds of valid reports and payouts for security vulnerabilities discovered by ethical hackers.

Google addressed more than 2,900 security vulnerabilities in its products and platforms last year, awarding more than $12 million in bug bounty rewards to researchers in a record-breaking cash storm.

The total well outpaces last year's total of $8.5 million in rewards paid.

According to the tech behemoth's annual "Vulnerability Reward Program" (VRP) report, several VRP segments saw record highs in 2022, including the Android ecosystem, which doled out a cool $4.8 million to bug hunters. That total included the highest paid bounty in Google VRP history ($605,000), for a critical-rated exploit chain submitted by a white-hat known as "gzobqq."

    

Total 2022 stats. Source: Google

Meanwhile, the invite-only Android Chipset Security Reward Program (ACSRP) — which is run in tandem with manufacturers of Android chipsets — awarded $486,000 in collective bounties in 2022, across 700 valid security reports.

Over at the Chrome VRP, $4 million was paid across approximately 470 valid security bug reports. Of that, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser, and nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS.

And finally, the company's relatively new open source software (OSS) VRP — launched last August to cover supply chain issues in Google packages — released more than $110,000 in rewards to its roughly 100 participating bug hunters.

**Changes Afoot for Google Bug Bounty Hunters in 2023**

Sarah Jacobus, technical program manager at the Vulnerability Rewards Team, noted in a blog post today that more opportunities are coming for Google's bug hunters, including an expansion of the Android and Google Devices VRPs to include the latest versions of Google Nest and Fitbit as in scope.

Also, "2023 will be the year of experimentation in the Chrome VRP," she wrote. "Please keep a lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs."

She also noted that the relatively new Google Play Security Reward Program (GPSRP) will look to expand its stable of bug hunters throughout this year and plans to sponsor various bounty events focused on Android and Google Play apps in order to attract new talent.

Source

DARKReading