CISOs need to define their risk tolerance, identify specific critical data, and make changes based on strategic business goals.

The past few years have been a bumpy ride all around. 2022 was supposed to be a breather for CISOs as the uncertainty surrounding the pandemic largely subsided. Sadly, they found themselves coming to terms with the new "never normal" instead.

A soaring cost of living, geopolitical conflicts, catastrophic climate crisis, and a rapidly evolving regulatory environment all will shape the cybersecurity landscape this year. Newer threats have emerged and older ones have evolved. Critical infrastructure, public service delivery, and people's privacy all seem to be in the line of fire. And with ongoing digital transformation initiatives, exponential data growth, limited funds, and an ongoing skills shortage, CISOs and their teams, it seems, are barely holding it together.

**Waypoints on Path to Action**

Keeping up with emerging threats and challenges in 2023 can help organizations get on the path to developing a coherent security strategy.

**1\. Cyberattacks increase, tactics evolve:** Ransomware incidents dropped by 34% earlier in 2022, only to roar back with a vengeance. Ransomware has evolved to double and triple extortion with data theft and denial of service. We'll see an uptick in stolen data being sold on Dark Web forums and later being used in highly targeted phishing attacks.

The underground cybercrime landscape is also shifting from cybercrime-as-a-service to cyber mercenaries for hire. Expect cybercriminals and nation-state actors to hire highly skilled cyber mercenaries for granular tasks that can lead to major attacks and breaches. These attacks will be very impactful but near impossible to trace.

**2\. Supply chain risks balloon:** Supply chain security risks quickly bleed into the business side of operations, often bringing them to a halt. These risks will likely balloon this year as businesses outsource the infrastructure, applications, and services they need to multiple cloud and software-as-a-service (SaaS) vendors. With so many external providers and partners, attackers will target the most vulnerable ones to gain easy access.

**3\. Data-well poisoning attacks emerge:** Artificial intelligence-powered systems depend on the integrity of the data they're fed to make sound decisions. As businesses get real with AI in 2023, data will become an invaluable asset as well as a liability. Cybercriminals will be targeting data wells to manipulate systems into making rogue decisions. Beyond confidentiality and availability, data integrity is now at risk.

**4\. Tech, threat, and regulatory environments continually change:** Threats are evolving, and so is the regulatory landscape. General and country-specific regulations will compel organizations to ensure ethical data collection, storage, and use. These changes will likely keep CISOs on their toes, trying to preserve all the good pieces of the security pie while also ensuring enough flexibility to accommodate new changes.

**Creating a Business-Based Security Strategy**

Here's what organizations in general need to focus on to create a security strategy that can steer them through what appears will be a challenging year for security, economy, and trade.

**1\. Aligning security with business strategy:** CISOs are responsible for assuring business executives that cybersecurity is a business risk, not just an IT issue. As boards determine a business's strategic direction, CISOs must incorporate security into that process. To do that, addressing cyber-risks should frequently be on the agenda for board meetings.

A CISO who appreciates the business tactic of developing a security strategy that supports the organization's goals probably won't have to chase after the board for security funds and resources.

**2\. Building cyber resiliency:** Cyber resiliency is an organization's preparedness to deal with the impact of threats that can't be predicted or prevented. The first step to achieving cyber resilience is to adopt a governance framework for monitoring cyber activities, including partner collaborations and relevant regulatory changes. Organizations must also develop cyber situational awareness through cyber threat intelligence gathering, analysis, and sharing.

Next, they should identify and prioritize critical assets and continually evaluate them as their value changes. Based on the insights they gather, they need to plan and rehearse for just-in-case scenarios. Rehearsed incident-response plans can cut down the cost of a data breach almost by half.

Building cyber resilience is an ongoing process because threats evolve, businesses mature, and the value of different assets changes. Keeping up with the process, organizations can prevent, detect, and respond to emerging threats and their aftermath immediately and effectively.

**3\. Determining cyber-risk tolerance:** Organizations need to determine and define their risk tolerance regarding cyber-loss incidents. And that involves evaluating the dependencies, stability, and security of external partners and providers as well. Monitoring and protecting assets and data is not about boiling the ocean. It's about starting small, being very specific in identifying critical data elements, and then ensuring their security and integrity at all stages of the data life cycle.

A similar, selective approach should work for addressing changes in regulatory and compliance requirements, too. Organizations don't have the time or resources to do it all. They must identify what matters and make changes selectively based on their strategic business goals.

Addressing cyber-risks isn't a static process. Security teams know it, and the boards must realize it. The world of work is changing, and policies and procedures will have to reflect that. This rapidly evolving work and security environment can cause cyber fatigue and mental health challenges. Organizations must prioritize employees' education, satisfaction, and mental health. Otherwise, we'll also be witnessing a surge in insider threats on top of everything else.

Build Cyber Resiliency With These Security Threat-Mitigation Considerations

**MUNICH, February 15, 2023 –** IGEL, provider of the managed endpoint operating system for secure access to any digital workspace, today announced IGEL COSMOS. Unveiled at DISRUPT23 – The Ultimate Global EUC event in Munich, COSMOS is a unified, agile platform to securely manage and automate the delivery of digital workspaces, from any cloud. Offering a modular architecture, granular endpoint control and end-user freedom, COSMOS is designed to enable organizations to garner the full power of current-day and future clouds with extensive control, while powering great user experiences for today’s hybrid work.

The most significant new advancement with IGEL COSMOS is that, for the first time, IGEL is completely separating the base IGEL OS from its validated and integrated applications and interfaces, while adding an additional separate component in the form of value-added cloud services. Together, these three vital components comprise IGEL COSMOS. This modular architecture of “separate but equal” elements of endpoint operating system, management and control, and cloud services enables maximum IT flexibility in introducing or enhancing apps, desktops, services, and any other form of cloud-delivered digital workspaces as the cloud continues to evolve.

Featuring extensive management and control powered by the new IGEL UMS 12, the next generation of the IGEL Universal Management Suite (UMS), COSMOS enables the parallel use, management and control of endpoints running both IGEL OS 11 and the new IGEL OS 12 operating system. New cloud services, which are de-coupled from the OS, include the IGEL App Portal for use-case specific software applications offered from IGEL software partners and available for seamless download and implementation. Additional cloud services include the IGEL Onboarding Service, IGEL Insight Service, and other services and portals all designed to enhance effectiveness and user experiences for both IT professionals and end users. 

“Today’s workspaces are hybrid. Hybrid work, hybrid clouds and hybrid applications. While VDI and DaaS continue to provide organizations the safest way to deliver secure access to windows client server applications, a transition to SaaS and web-based applications has already started.  IT organizations need to make sure they can evolve at their optimal pace and at the same time, enable employees seamless, yet secure access to their cloud workspaces,” said Matthias Haas, Chief Technology Officer, IGEL. “The COSMOS platform has been designed for this new era of hybrid work. With a new modularized version of IGEL OS, a new version of our UMS management platform coupled with new cloud services that extend capabilities and enhance user experiences, COSMOS enables unmatched speed and flexibility to our customers across traditional and modern application delivery models, while still retaining security, management, and control across the entire endpoint estate.” 

“Having deployed IGEL OS to our remote workforce, we have been excited to pilot the latest innovation from IGEL including UMS 12 and IGEL OS 12,” said Simon Barlow, Group Chief Technology Officer, Operations, AXA UK & Ireland. “Our remote workforce, the agile application landscape and more frequent update cycles of unified comms require us to onboard, manage and update our endpoints faster and more efficiently than ever before. Based on our initial testing of OS 12, we are already confident that we can remotely configure, update, and patch our remote machines faster and more efficiently. With small updates and the ability to only update the Azure Virtual Desktop client, IGEL COSMOS allows us to be more agile without compromising security or change control. We are excited about the new cloud services which complement IGEL OS and UMS 12 and are proud to be included in the COSMOS platform launch.”

“Having utilized the secure IGEL OS for our VMware VDI environment, we were excited to work with IGEL on the IGEL OS 12 pilot,” said Billy Cruz, Technology Services Manager, Desktop Engineering, COCC. “The ability to update the VMware Horizon client independently from IGEL OS in the new offering allows us to deploy the latest innovation from VMware faster and more efficiently than before. The additional ability to now also update the Zoom and Webex offloading clients, independently from the VMware Horizon app, also provides additional flexibility and reduces the amount of time needed to perform management updates to increase employee experience. With a smaller attack surface and faster updates, we are excited about rolling out IGEL OS 12 in the future.”

**The Powerful, Unified Components of COSMOS**

At the core of the IGEL COSMOS platform is the new IGEL UMS 12, which offers a unified view across a heterogeneous mix of endpoints running either IGEL OS 11 or the new IGEL OS 12. This powerful, yet simple to use, management and control console enables environments already benefitting from IGEL OS to easily migrate and leverage immediate value of COSMOS without requiring an OS upgrade on all their existing devices. 

Released with COSMOS is the new IGEL OS 12 which is more lightweight and adaptable than ever. Offering increased flexibility, speed, and agile integrations, IGEL OS 12 has been architected to support any form of cloud-delivered digital experiences. It also supports a faster, more efficient delivery of features and applications tuned to specific use cases via the IGEL App Portal.  Other key services tuned to IGEL OS 12 include fast user onboarding and deep insights into endpoint usage, security, status, and compliance of IGEL UMS-managed endpoints. 

One of the most significant new cloud services adding additional value to COSMOS is the IGEL App Portal. The App Portal delivers a full range of validated applications from IGEL’s vast IGEL Ready technology partner community designed for use on IGEL OS-powered devices. Since the App Portal operates separately and independently from the IGEL OS endpoint operating system, it sharply streamlines the process of application integration, introduction, and qualification for IT teams since there is no longer any dependence on the classic, highly integrated software release process. Available for download at no extra cost, these apps can be rapidly qualified and delivered as a feature-rich experience for users, while reducing the app qualification, implementation and update processes for IT. Applications include the Microsoft Azure Virtual Desktop client, VMware Horizon client, Citrix Workspace app, Chromium Browser, Zoom Media Plugins for VDI and many more. IGEL also offers an IGEL OS API (application programming interface) for software providers that want to validate their solution for availability using COSMOS and the IGEL App Portal. 

**Availability**

COSMOS, IGEL UMS 12, and IGEL OS 12 will be available April 1. Existing users of IGEL OS 11 will be able to engage IGEL UMS 12 via an easy migration to access COSMOS advancements for existing and new devices running IGEL OS 12 in the future. For more information visit igel.com/cosmos. To schedule a discovery meeting and get early access to GA code, visit igel.com/yes.

**DISRUPT23**

COSMOS was announcement from DISRUPT23 – The Ultimate Global EUC in Munich, held February 15 and 16 at the INFINITY Hotel & Conference Resort. DISRUPT23 will hold its North American installment at the Gaylord Opryland Resort & Convention Center in Nashville, Tennessee, on April 3-5. Registration is $399 per person. To register, visit: www.disruptEUC.com.

**About IGEL**

Today, the world of work is hybrid. Multiple clouds can deliver applications sourced from anywhere to a widely distributed workforce using all types of devices. Right at the moment when the world of work needs it most, IGEL has the solution for fully managed, secure endpoint access to any digital workspace that gives IT teams strong control and end-users the freedom to work as they wish in a hybrid world. Enabling choice of any cloud, from any device, anywhere, IGEL unlocks a collaborative and productive end user computing experience while solving the common security and management challenges required to compete and win in today’s world of hybrid work.  With a growing ecosystem of more than 100 IGEL Ready technology partners, IGEL has offices in Europe and the United States and is represented by partners in over 50 countries. For more information on IGEL, visit www.igel.com.

IGEL Unveils COSMOS, the Unified End User Computing Platform for Secure, Managed Access to Any Cloud Workspace

**COMMERCE, Mich.****,** **Feb. 15, 2023** **/PRNewswire/ --** Nuspire, a leading managed security services provider (MSSP), today announced the release of its Q4 and Year in Review 2022 Threat Report. The quarterly report provides a comprehensive analysis of the threat landscape, parsing malware, botnet and exploit data as well as breaking down the tactics, techniques and procedures (TTPs) favored by cybercriminals.

Nuspire's latest report validates the presumption that 2022 yielded the most threat activity in history. While Q4 saw dips across all three sectors Nuspire monitors, including malware, botnets and exploits, the net sum for the year shows a marked increase, especially in the case of exploits, which nearly doubled.

"We saw some normal ebbs in threat activity over the year, but the surges were stunning, delivering a volume of attacks we've never seen before," said J.R. Cunningham, Chief Security Officer at Nuspire. "While many of the methods focused on securing quick wins, like phishing and exploiting unpatched vulnerabilities, we also saw a rise in more coordinated threat group attacks on large organizations and critical infrastructure. Expect 2023 to have more of this activity, as well as adversaries' increased attention toward attacking consumer IoT devices."

Notable findings from Nuspire's quarterly report include:

*   Exploit activity grew by 105% in Q4 2022, with total 2022 exploits nearly doubling over 2021. Brute forcing was the most popular tactic, increasing by nearly 400% over Q3 2022.
*   Malware jumped nearly 35% in Q4, with its year-over-year increase reaching 6.85%. Nuspire attributes this relatively smaller increase to the positive effects of Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files. 
*   Botnets jumped by 30% in 2022, with banking trojan Torpig Mebroot comprising more than 40% of all botnet activity throughout the year.   

"If 2022 showed us anything, it's that threat actors are not only increasingly adept at finding ways to circumnavigate established cybersecurity defenses, but also, they bring a level of agility that lets them quickly course correct when a vector loses viability," said Craig Robinson, Research VP for Security Services at IDC. "We've seen the emergence of new security technologies aimed at thwarting a more creative and sophisticated adversary population, but no specific technology can replace the value of targeted threat intelligence to understand what's out there, how they're doing it and what you can do to protect yourself."

Access Nuspire's Q4 and Year in Review 2022 Threat Report to view the data and learn key mitigation strategies for protecting your organization's environment.

**About Nuspire** 

_Nuspire is a managed security services provider (MSSP), offering managed security services (MSS), managed detection and response (MDR), endpoint detection and response (EDR) that supports best in breed EDR solutions, and cybersecurity consulting services (CSC) that includes incident readiness and response, threat modeling, digital forensics, technology optimization, posture assessments and more. Our self-service, technology-agnostic platform, myNuspire, allows greater visibility into your entire security program. Powered by the self-healing always on Nuspire Cyber X Platform (CXP), myNuspire will help CISOs alleviate the pain associated with tech sprawl, provide intelligence driven recommendations, solve for alert fatigue and help their clients become more secure over time. Our deep bench of cybersecurity experts, award-winning threat intelligence and three 24×7 security operations centers (SOCs) detect, respond, and remediate advanced cyber threats. Our client base spans thousands of enterprises from midsized to large enterprises that span across multiple industries and geographic footprints. For more information, visit_ www.nuspire.com _and follow us at on LinkedIn @Nuspire._

SOURCE Nuspire

Report Reveals Record-Breaking Year for Cyber Threats

As CPRA went into effect on January 1, latest CYTRIO research says 91% of companies still uncompliant with GDPR; 92% not compliant with CCPA and CPRA.

**BOSTON — Feb. 15, 2023 —** CYTRIO, a next-generation data privacy compliance company, released its latest research report from Q4 2022 on companies’ preparedness to comply with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR). The fifth report shows that as of December 31, 2022, 92% of companies across all verticals, states, and business sizes are still unprepared for CCPA and CPRA, and 91% are unprepared for GDPR, using time consuming and error prone manual processes. CPRA and employees’ rights to exercise data privacy went into effect on January 1, 2023, requiring companies to deploy a CCPA/CPRA and GDPR compliance management solution to avoid fines and penalties.

"The requirements that companies are facing today related to data privacy regulations are steadily increasing," said Vijay Basani, founder and CEO of CYTRIO. "As the California Privacy Protection Agency (CPPA) turns its attention to CPRA enforcement, we will see a significant increase in enforcement actions. Additionally, as was the case with GDPR, media coverage of increasingly higher numbers of enforcement actions will educate consumers regarding their data privacy rights resulting in consumer requests under CPRA. Companies need to act now to implement solutions to comply with CCPA, GDPR, and other data privacy regulations."

GDPR continues to be actively enforced with fines totaling in excess of $2.5 billion and total number of fines under GDPR reaching 1,462 as of the end of Q4 2022.

Key findings of the research showed 53.2% of companies stated they need to comply with CCPA but do not provide a mechanism for consumers to exercise their data privacy rights. Further, 38.6% of companies are using expensive and error prone manual processes. Four percent of companies that were using manual processes in Q1 2022 moved to compliance automation solutions, while 11% of non-compliant companies moved to a manual process to comply with CCPA by Q4 2022, indicating companies are slowly moving up the CCPA/GDPR compliance maturity curve.

During Q4 2022, CYTRIO researched an additional 1,521 U.S. mid to large companies with revenues from $25 million to $5+ billion, bringing the total number of companies researched to 11,358 over five quarters. CYTRIO continued looking for trends among companies that were either non-compliant or partially compliant by comparing its compliance status to previous quarters.

This year, data privacy regulations go into effect in Virginia, Colorado, Utah, and Connecticut, while  several other states are expected to approve a data privacy regulation.

After Q3 2022 saw the first enforcement action under CCPA with Sephora being fined $1.2 million for violating the Do Not Sell My Information provision, last month, California Attorney General Rob Bonta announced a new enforcement sweep aimed at businesses with mobile apps and others that fail to comply with CCPA.

**About CYTRIO**

CYTRIO’s software-as-a-service (SaaS) data privacy compliance management platform helps organizations comply with data privacy regulations such as GDPR, CCPA, CPRA, VCDPA, CPA, and others. The company offers an all-in-one solution built on automation, AI-led data discovery, and automated response workflows. CYTRIO’s solutions are simple to deploy, deliver value in the first hour, and do not require dedicated privacy teams to manage. Learn more at www.cytrio.com and follow on LinkedIn and Twitter.

5th State of CCPA, CPRA, and GDPR Compliance Report Shows More Than 90% of Companies Are Not Compliant

**KANSAS CITY, Missouri, and MIAMI (****S4X23****) —**  In an effort to improve cybersecurity resiliency for critical infrastructure environments, 1898 & Co. is launching Managed Threat Protection & Response, a new proactive threat hunting and response capability to its existing Managed Security Services (MSS) solution. 1898 & Co. is the business, technology and cybersecurity consulting arm of Burns & McDonnell, a 100% employee-owned engineering, construction and architecture firm.

Since the beginning of 2020, cyberattacks aimed at sectors that are critical to society have increased by more than 400%. Of those attacks, 45% were ransomware attacks that targeted or impacted industrial control systems. Left undetected, cyber sabotage within critical infrastructure environments like the power grid and water systems result in service disruptions, infrastructure damage and negative impacts to the environment and to public health and safety.

Unlike other firms that focus mostly on information technology cybersecurity, 1898 & Co. is one of the first firms to apply their operational technology (OT) and industrial control systems (ICS) cybersecurity specialization into managed security services.  

“Managing security for ICS and OT is a rare capability for a reason: Critical infrastructure is a highly complex environment,” says Chris Underwood, vice president and general manager of 1898 & Co. “At 1898 & Co., our consultants live and breathe critical infrastructure. We’ve worked in the industry and for the industry, so we have a deep understanding of its challenges.”

1898 & Co.’s Managed Threat Protection & Response service, through intelligence enrichment and insights gained from collective defense information sharing, leverages a variety of indicators and tactics, techniques and procedures to provide 24x7 threat monitoring and detection. 1898 & Co.’s service also proactively hunts for possible intrusions within clients’ OT and ICS.

Industry analysts note that incidents in these environments are inevitable, however damage and fallout can be lessened through rapid detection and response capabilities. Additionally, regulatory measures continue to evolve in response to the heightened threats posed to critical infrastructure companies. For example, Federal Energy Regulatory Commission recently directed the North American Electric Reliability Corporation to develop reliability standards requiring Internal Network Security Monitoring standards. These new standards require power utilities to implement monitoring and detection and identify anomalous activity by way of regulatory mandate, a significant development for that industry.

“Cyber-related risk remains a top concern and consideration for every critical infrastructure company,” says Matt Morris, managing director of Security & Risk Consulting, 1898 & Co. “We continue to see increasing digitization, threats and corresponding regulation. Given the increasing talent shortage, keeping critical processes operational is getting more and more complicated. As specialists who focus on critical infrastructure cybersecurity, we uniquely understand how these environments are designed, built and operated, and we have an unmatched team of engineers and consultants at our back.”

The new capability and MSS services from 1898 & Co. are now available and uniquely leverages multiple on-premise monitoring and detection partner platforms, including Dragos, Claroty and Armis, with a limited number of platforms expected to be added over time. The MSS provides active response via CrowdStrike Falcon platform, an industry-leading security solution. The MSS service also provides the additional value of OT asset discovery, inventory and reporting to include vulnerabilities and network topology mapping.

1898 & Co. has also collaborated with various information sharing and analysis centers (ISACs) to access various industry-specific indicators of compromise and tactics, techniques, and procedures. Initial affiliates include the E-ISAC (electric utilities) and WaterISAC (water utilities), with additional ISACs on the roadmap.   
This summer, 1898 & Co. will launch an upgraded, next generation security operations center (SOC) for advanced protection and response.

**About 1898 & Co.**

1898 & Co. is a global business and technology consultancy that brings together a unique blend of engineers and industry leaders to deliver strategic business insights and solutions for critical infrastructure industries. We partner with clients to plan, invest, secure and optimize critical assets for a successful, sustainable future. For more information, visit 1898andCo.com.

**About Burns & McDonnell**

Burns & McDonnell is a family of companies bringing together an unmatched team of more than 13,500 engineers, construction and craft professionals, architects, planners, technologists, and scientists to design and build our critical infrastructure. With an integrated construction and design mindset, we offer full-service capabilities. Founded in 1898 and working from 70 offices globally, Burns & McDonnell is 100% employee-owned. Learn how we are designed to build.

1898 & Co Launches New Cybersecurity Service for Critical Infrastructure

The National Institute of Standards and Technology has settled on a standard for encrypting Internet of Things (IoT) communications, but many devices remain vulnerable and unpatched.

A new encryption standard for Internet of Things (IoT) should help advance security for these connected devices in businesses, manufacturers, critical infrastructure, and other sectors running this equipment.

But many of these devices continue to lag behind in cybersecurity functions and practices.

On Feb. 7, the National Institute of Standards and Technology (NIST) announced it had selected a group of cryptographic algorithms, known as Ascon, to be the formal encryption standard for "lightweight" electronic devices and their communications. The standard should help devices makers and their customers better secure the data and devices from attackers increasingly targeting operational technology even though such devices have limited processing power and storage.

The algorithms allow encryption protections for even the smallest devices, NIST computer scientist Kerry McKay said in the announcement of the standard.

"The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation," she said. "These algorithms should cover most devices that have these sorts of resource constraints."

**Why IoT Is Exploding**

Connected devices in business and industrial settings are a rapidly growing application driven by two major forces over the past three years. Initially, the pandemic spurred the need to support remote operations, while the current concerns of a recession are pushing companies to automate operations using connected devices.

For example, the Industrial Internet of Things (IIoT) — an umbrella term for connected devices that monitor and control physical systems and industrial processes — is predicted to grow dramatically. The number of industrial IoT connections — a measure of the number of devices deployed — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020, according to Juniper Research.

    

Self-assessed maturity of industrial firms. Source: Fortinet

However, the massive growth also brings a massive attack surface area. Vulnerabilities in the so-called Extended Internet of Things (XIoT), which includes both devices and the systems that manage those devices, jumped 57% in the first half of 2022 continuing a dramatic rise from the prior year. On the enterprise side, security researchers demonstrated 63 exploitable vulnerabilities in a variety of connected devices at this year's Pwn2Own, such as printers and network-attached storage.

Meanwhile, enterprise and industrial IoT devices and systems are often used for decades without regular updates, unlike conventional IT environments, which are replaced every three to five years and updated regularly in between, says Bill Malik, vice president of infrastructure strategies at cybersecurity firm Trend Micro.

"Right now, tens of thousands of industrial IoT environments are open to the Internet, either through carelessness or a lack of awareness of the risks," he says. "Many of these systems ship with default passwords, which are rarely changed by the use, and those systems are often incapable of being updated."

**Lightweight — but Not Light — Security**

The NIST standard aims to give even low-power devices a base level of cybersecurity by encrypting stored data and communications. The process took several years, starting with 57 candidates in March 2019, which were whittled down to 10 finalists in 2021. 

"The ability to provide security was paramount, but we also had to consider factors such as a candidate algorithm's performance and flexibility in terms of speed, size, and energy use," NIST's McKay stated in the Feb. 7 announcement. "In the end, we made a selection that was a good all-around choice."

Implementing the NIST standard will take time, as many IoT vendors are still catching up to cybersecurity best practices, with devices often lacking strong authentication capabilities, no easy way to distribute and install patches, and poor visibility into activity, including weak or nonexistent logging, Trend Micro's Malik says.

The level of maturity for the industrial sector in North America, for example, continues to lag behind other some other countries. Compared to the worldwide average of 57%, only half the companies (50%) in the region have adopted technologies that look for anomalous behavior or use automation and orchestration to manage and secure devices, considered the top two tiers of security maturity for operational technology, according to Fortinet's "2022 State of Operational Technology and Cybersecurity Report."

The risks to connected enterprise and industrial devices is growing, especially against the manufacturing sector, which accounted for 68% of observed attacks against industrial systems in the third quarter of 2022, according to Dragos, a cybersecurity services firm. Russia's invasion of Ukraine has created an online battlefield with threat actors on both sides targeting a variety of systems and devices, aiming at causing physical damage and disruption through cyberattacks.

As enterprises and industries continue to move toward ubiquitous monitoring and control, enabling smart factories, smart cities, and smart infrastructure, cyberattacks will become more impactful, Deloitte stated in its "Industry 4.0 and Cybersecurity" report.

**Detection Alone Is "Not Enough"**

Focusing on detection, however, is not enough, says Keao Caindec, a principal analyst with Farallon Technology Group and chair of the Security Working Group at the Industry IoT Consortium (IIC).

"A lot of the security controls that we use today, focus more on detection and remediation, a lot of monitoring and then prioritizing events and alerts," he says. "The problem is that leaves you always just one step behind the attacker, so companies need to really focus on addressing initial access, preventing compromised access, preventing unauthorized discovery and reconnaissance and preventing lateral attacks."

Yet the ability to protect enterprise and industrial IoT remains with companies, which should seek to gain as much visibility as possible into what devices are connected to their environments, Caindec says. He points to an already-pursued defensive framework, zero-trust architectures, as perhaps the best current approach to securing enterprise and industrial IoT devices and systems.

In addition, companies need to have the top decision makers on their side. Cybersecurity efforts are a significant investment, especially if they include replacing devices, so you need executive support, says Wendy Frank, cyber IoT leader with consultancy Deloitte.

"I think a lot of this comes down to really talking to your boards, making sure they're aware of the specific problems around devices, because they don't do this for a living," she says.

NIST's New Crypto Standard a Step Forward in IoT Security

De-shaming security mistakes and taking the blame and punishment out of incident reporting can strengthen security efforts both inside and outside of the workplace.

Your boss may respect work-life boundaries, but cybercriminals don't. Bad actors are increasingly targeting employees in social engineering scams that originate on their personal networks, with the ultimate goal of compromising the workplace. This year, chief information security officers (CISOs) should focus on how they can defend and protect employees beyond the walls of corporate systems.

Large high-profile tech companies are the most recent in a long line of organizations that have fallen victim to social engineering attacks. In 2023, there are bound to be more. Social engineering will be the leading root cause of major cyberattacks for the foreseeable future, for two reasons: They're cheap to execute, and they actually work. When one path — such as corporate email — becomes more difficult, attackers shift to other communication methods, including employees' personal platforms like texts, social media, or LinkedIn profiles. In fact, according to recent Tessian data, 56% of employees said they received a text message scam in the past year.

It's clear that security needs to extend outside of corporate walls, but there's an important balance that security leaders must strike to respect boundaries on employees' personal accounts and devices. Here's what should be top of mind when building a strategy to cover risks outside of the security team's reach. 

**Social Engineering Attacks Have Moved to Personal Channels**

While corporate email has historically been the main channel for social engineering scams, a combination of cybersecurity tools, strategies, and awareness training has made it more difficult for attackers to break through. As a result, attackers are moving to personal channels that aren't as well protected. 

In last summer's major Twilio breach, attackers targeted employees through their personal phone numbers and sent text messages posing as Twilio's IT department, rather than the traditional method of sending messages to a corporate email address. The text messages instructed employees to log in to a fraudulent Twilio website, which attackers then used to harvest employee credentials and breach the company's internal systems. Targeting personal devices can be especially effective, because people tend to give their phone numbers away less often than their email addresses, so there's a higher level of trust when receiving a text message that impersonates an employer.

**How to Protect Employees Outside of the Workplace **

De-shaming security mistakes and taking the blame and punishment out of incident reporting can strengthen security efforts both inside and outside of the workplace. Leaders should create a security culture where employees are encouraged to flag mistakes and suspicious activity, even if a personal account is breached on a company computer.

It's difficult for many employees to find and access simple, actionable steps to improve personal information security. There's a strong opportunity for security teams to provide curated resources to help employees, including arming them with resources to help their friends and family as well.

For example, some enterprise security vendors, including several password managers, provide employees with free personal versions of their tools as part of their B2B business. Another tactic is to develop an internal list of resources available to employees to help protect them in their personal lives. This can be quite efficient for improving the overall security of the workforce.

**How to Respect Employees' Personal Boundaries**

Trust is a crucial part of security. IT and security teams must respect boundaries when it comes to employees' personal devices and accounts. 

Being predictable and transparent is key to building trust and increasing engagement with employees. Having well-defined security support processes, including examples, can help employees know exactly what will happen when they reach out for support at work, or for support outside the workplace. For example, if an employee needs help with targeted phishing emails in their personal email, knowing ahead of time that the security team will not ask for remote access to their personal devices can increase their confidence and trust when they reach out for help.

One strategy that's worked quite well for my teams is to maintain a "transparency page" that provides high-level information about internal security practices such as logging and monitoring on laptops and other corporate systems. This way, employees are not surprised and can make informed, safe choices about personal data and usage (within the acceptable use policy, of course). 

Attackers will continue to evolve their social engineering strategies and cross whatever boundaries it takes to successfully execute a breach. Even when corporate systems and devices aren't the initial source of an attack, these tactics can compromise company systems, credentials, and data. Security teams must continue to evolve their strategies and expand their reach while respecting the personal privacy of employees and maintaining crucial trust.

How Security Teams Can Protect Employees Beyond Corporate Walls

Vladislav Klyushin and co-conspirators used SEC filings stolen from the networks of Tesla, Roku, and other publicly traded companies to earn nearly $100 million in illegal trades.

A former cybersecurity entrepreneur from Russia has been convicted for crimes related to insider trading conducted using information stolen from US computer networks, ultimately earning him and his co-conspirators nearly $100 million.

A jury in a US District Court in Boston convicted Vladislav Klyushin, aka Vladislav Kliushin, of conspiring to obtain unauthorized access to computers and to commit both wire fraud and securities fraud, according to the United States Attorney's Office, District of Massachusetts. He also was convicted on substantive counts of obtaining unauthorized access to computers, wire fraud, and securities fraud.

“The jury saw Mr. Klyushin for exactly what he is — a cybercriminal and a cheat," US Attorney Rachael S. Rollins said in a statement. "He repeatedly gamed the system and finally got caught."

The charges of securities fraud and wire fraud alone each provide sentence of up to 20 years in prison, while other charges each provide lesser penalties of up to five years in prison. All the charges also include substantial fines. Klyushin, 42, will face sentencing May 4.

Authorities arrested Klyushin in Sion, Switzerland, on March 21, 2021, as he was about to embark on a ski trip; he was extradited to the US later that year on Dec. 18. His conviction comes after a 10-day jury trial presided in a US District Court in Massachusetts.

Klyushin was charged alongside co-conspirators Ivan Ermakov and Nikolai Rumiantcev, former business colleagues who were employed at Klyushin's Moscow-based IT firm M-13, which offered penetration testing and so-called "advanced persistent threat emulation," according to its website. Two others involved in the crimes, Mikhail Vladimirovich Irzak and Igor Sergeevich Sladkov, also have been charged in a separate indictment; all four of Klyushin's co-conspirators remain at large.

M-13 did business with the Kremlin, which the company's website officially indicated as the Administration of the President of the Russian Federation and the Government of the Russian Federation, authorities said. Other customers included various federal ministries and departments as well as regional government bodies, in addition to commercial organizations and public entities.

**Trading Scam**

Klyushin and his colleagues also had an overtly nefarious side hustle: For about two and a half years between January 2018 and September 2020, they hacked into the computer networks of publicly traded companies — including Tesla, Capstead Mortgage, SS&C Technologies, Roku, and Snap Inc. — and used earnings and other information included in SEC files stolen from these attacks to make illegal trades on stock exchanges, including Nasdaq and the NYSE, according to trial evidence.

The attacks involved deploying malware that could harvest and steal employee login information to gain access to victim networks; from there, they stole earnings reports to gain access to information before it was made public.

The cybercriminals used proxy networks outside of Russia to conceal the origin of the activity, with many of the illegally obtained reports downloaded through a computer server located in downtown Boston — hence the site of the trial.

Armed with the information they stole, Klyushin and his cohorts used a company's financial performance data to know whether its share price would rise or fall, then traded based on that info via various brokerage accounts distributed across several countries —including Cyprus, Denmark, Portugal, Russia, and the US. When conducting business, the cybercriminals misled brokerage firms about the nature of their trading activities, according to trial evidence.

**How Their MO Ultimately Exposed Them**

Authorities ultimately learned what the crew was doing based on their patterns of trading and the return on investment, which ultimately gave them away, trial evidence revealed. For instance, the times of their profitable trades corresponded with the times in which the targeted companies reported being hacked, according to authorities.

Moreover, while Klyushin and his cohorts were raking it in — earning a return of more than 900% based on close to $100 million in earnings traded from $9 million in investment — the overall stock market wasn't doing nearly that well, authorities said. During the period of their crimes, the market returned just over 25%, they said.

Additionally, of the more than 2,000 earnings events around which Klyushin and his co-conspirators traded during the period of their activity, the victim filing agents filed more than 97% with the SEC. During the trial, testimony indicated that the odds of this trading pattern occurring without a relationship between the trading and the company itself was less than one in a trillion, according to authorities.

Of the total earned by the co-conspirators, Klyushin individually netted more than $38 million, including nearly $23 million on his personal trading and trading for M-13. He also earned more than $13 million on money he invested for others.

Russian Cybercriminal Faces Decades in Prison for Hacking and Trading Operation

Explosive growth of devices associated with the Internet of Things and operational technologies gives attackers a larger pool of targets.

Internet of Things (IoT) and operational technology (OT) devices represent a rapidly expanding, often unchecked, risk surface that is largely driven by the technology's pervasiveness, vulnerability, and cloud connectivity. This has left a wider array of industries and organizations vulnerable and opened the door for damaging infrastructure attacks. 

Microsoft recently identified unpatched, high-severity vulnerabilities in 75% of the most common industrial controllers in customer OT networks. Keep reading to learn more about these cyber-risks to critical infrastructure and what you can do to mitigate them.

**IoT's Growth Has Outstripped Device Security**

Over the past year, Microsoft has observed threats exploiting devices in almost every monitored and visible part of an organization. This includes traditional IT equipment, OT controllers, and IoT devices like sensors and cameras. Many organizations have adopted a converged, interconnected model of OT and IoT in recent years. This trend has caused attackers' presences in these environments and networks to grow exponentially.

IDC estimates there will be 41.6 billion connected IoT devices by 2025, a growth rate higher than traditional IT equipment. And although the security of IT equipment has strengthened in recent years, IoT and OT device security has not kept pace. Threat actors are exploiting these devices accordingly by compromising newly networked devices to gain access to sensitive critical infrastructure networks.

Take the recent Boa Web server vulnerabilities, for example. Microsoft discovered these vulnerabilities during an investigation of continued attacks on Indian power grid assets by Chinese state-sponsored groups. Despite being discontinued in 2005, the Boa Web server is still used by different vendors across a variety of IoT devices and popular software development kits. Data from the Microsoft Defender Threat Intelligence platform identified more than 1 million Internet-exposed Boa server components around the world over the span of a week. Without developers managing the Boa Web server, its known vulnerabilities create an opening for attackers to silently gain access to networks by collecting information from files.

**Nation-States Targeting Critical Infrastructure**

It is important to remember that attackers can have varied motives. Russia's cyberattacks against Ukraine, as well as other state-sponsored cybercriminal activity, demonstrate that some nation-states will target critical infrastructure in order to achieve military and economic objectives.

Threat actors have more varied ways of mounting large-scale attacks as the cybercriminal economy expands and malicious software targeting OT systems becomes more prevalent and easier to use. 

Ransomware attacks, previously perceived as an IT-focused attack vector, are today affecting OT environments. This can be seen in instances like the Colonial Pipeline attack, where OT systems and pipeline operations were temporarily shut down while incident responders worked to identify and contain the spread of ransomware on the company's IT network. Adversaries realize that the financial impact and extortion leverage of shutting down energy and other critical infrastructures is far greater than other industries.

Microsoft has observed Chinese-linked threat actors targeting vulnerable home and small-office routers in order to compromise these devices as footholds. This provides new address space that is less associated with their previous campaigns — giving them a new foothold from which to launch future attacks.

**Secure Your OT and IoT**

While the prevalence of IoT and OT vulnerabilities presents a challenge for all organizations, critical infrastructure is at increased risk. Disabling critical services, not even necessarily destroying them, is a powerful lever.

If organizations are to secure their IoT and OT systems, there are a number of recommendations that should be put in place.

● **Identify your vulnerabilities:** It's important to map out business-critical assets in IT and OT environments so you can fully understand your landscape and its innate weaknesses.

● **Evaluate device visibility:** Next, you should identify which IoT and OT devices are critical assets by themselves and which are associated with other critical assets.

● **Perform a risk analysis on critical assets:** Focus on the business impact of different attack scenarios as suggested by MITRE. This publicly available knowledge base outlines common tactics, techniques, and procedures deployed by cybercriminals, and offers specific guidance for a variety of control systems.

● **Define a strategy:** Finally, define your protection strategy by addressing the risks that you previously identified. Rank risk by business impact priority.

Looking for more tips on how to secure your IoT and OT systems? Explore the full breadth of our cybersecurity research and recommendations with Microsoft's Security Insider.

Infrastructure Risks Increase As IT and OT Converge

The new managed detection and response platform simplifies cloud security for Kubernetes applications.

Expel unveiled its Managed Detection and Response for Kubernetes offering this week. With Expel MDR for Kubernetes, security teams can quickly detect and respond to security risks in their Kubernetes environments without slowing down the DevOps teams.

Kubernetes is an open source orchestration system that relies on containers to automate the deployment, scaling, and management of applications in cloud environments. The overall container application market is expected to grow to $12 billion by 2028, with Kubernetes driving the majority of spending, according to KBV Research.

Security teams have to recognize that the shift to Kubernetes comes with a new set of security challenges. Misconfigurations (53%) and major vulnerabilities (38%) are the two top security incidents affecting Kubernetes environments, according to Red Hat's 2022 State of Kubernetes Security report. Security teams are struggling with challenges specific to Kubernetes, including a lack of security knowledge about containers and Kubernetes, inadequate security tooling, and being unable to keep up with DevOps teams.

With Expel MDR, organizations can secure their business across their Kubernetes environment and adopt new technologies at scale, Expel said in a statement. Because the new offering aligns to MITRE ATT&CK framework, security teams can quickly remediate issues and build resilience into their networks.

To help organizations stay ahead of pervasive misconfigurations, Expel's offering identifies cluster misconfigurations and references the Center for Internet Security (CIS) Kubernetes benchmark when making recommendations on configuration improvements. Expel MDR integrates with Amazon Elastic Kubernetes Service (EKS) and Google Kubernetes Engine (GKE) infrastructure to analyze audit logs and apply custom detection to alert on malicious activity. Finally, the MDR platform integrates with a runtime container security vendor to get better security insights regarding the devices the users are using — a necessity in "Bring Your Own Tech" shops, Expel said.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading