Avast researchers also discovered and reported two zero-day vulnerabilities, and observed the spread of information-stealing malware, remote access trojans, and botnets.

**TEMPE, Ariz.** **and** **PRAGUE****,** **Feb. 9, 2023** **/PRNewswire/ --** Avast, a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), saw an increase in threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, during Q4 of the calendar year 2022. Cybercriminals also remained active in spying and information stealing, with lottery-themed adware campaigns used as a tactic to obtain people's contact details. Avast threat researchers also discovered zero-day exploits in Google Chrome and Windows. These vulnerabilities have since been patched. These insights are covered in the Avast Q4/2022 Threat Report.

"At the end of 2022, we have seen an increase in human-centered threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn't order. It's human nature to react to urgency, fear and try to regain control of issues, and that's where cybercriminals succeed," said Jakub Kroustek, Avast Malware Research Director. "When people face surprising pop-up messages or emails, we recommend they stay calm and take a moment to think before they act. Threats are so ubiquitous today that it's hard for consumers to keep up. It is our mission to help protect people by detecting threats and alerting users before they can do any harm, using the latest AI-based technology."

**Growth in refund and invoice fraud, and tech support scams**

The Avast threat labs also saw an increase in tech support scam activity. Top affected countries include the United States, Brazil, Japan, Canada, and France. These scams often start with a pop-up window that alerts people of an alleged malware infection and urges them to call a helpline to resolve the issue. Scammers will convince the caller to set up a remote connection to their computer, opening the door to theft of personal information and money, as the criminals try to access people's bank accounts or crypto wallets, and ask for a payment for their services.

"We recommend people ignore such pop-up messages and close the window with the escape key, or if that's not possible, restart their computer," advises Kroustek. "Also, never give remote access to your computer to somebody you don't know."

The Avast threat labs also saw an uptick in refund and invoice fraud of 14% from October to November 2022, and another increase of 22% in December. Refund fraud works in a comparable way to tech support scams, and often comes in the form of an email that looks like it was sent from a trusted company. People will receive an email including a fake receipt making them believe they were charged for a purchase they didn't make. People are then tricked into calling a phone number, where an agent asks them to create a remote connection to their computer and open their banking account, so the person can see how the refund is done. The goal of the attacker is to steal the person's money. In the case of invoice fraud, people, and more often businesses, receive bills for goods or services the business never ordered or received.

"To avoid invoice fraud, people need to pay close attention to invoices they receive. Fraudulent invoices often look legitimate, and people need to verify whether an order really was made, the service received, and whether the sender is truly who they pretend to be," said Kroustek.

**Information stealing adware, remote access trojans and bots**

Web-based adware was also prevalent in the quarter, not only annoying people with intrusive ads, but also trying to steal their personal data. For example, people are asked to take part in a lottery, spinning a roulette wheel to win, and are then asked to enter their contact information and pay a "handling fee" using their credit card or Google Pay or Apple Pay account. Avast researchers also saw a flood of DealPly adware, which comes as a Google Chrome extension and sends statistical and search information to the attackers. The risk to get infected by DealPly increased around the world, most significantly in the Americas, in Europe, and South and Southeast Asia.

Avast researchers saw a significant increase of 437% in the global spread of the Arkei information stealer, which is known for stealing data from browsers' autofill forms, passwords and other sources. There was also a 57% increase in people and businesses protected against AgentTesla, a strain of malware that often spreads through phishing emails to businesses and designed to steal credentials, as well as a 37% increase in RedLine stealer, which often spreads in cracked games and services, stealing information from browsers and cryptowallets.

Avast telemetry also shows that the global spread of LimeRAT tripled in Q4. LimeRAT is a remote access trojan capable of stealing passwords, cryptocurrencies, driving Distributed Denial of Service (DDoS) attacks and installing ransomware on a victim's computer. It was mostly active in South and Southeast Asia and Latin America. The Emotet botnet, also a malware distributor with a wide variety of capabilities to steal information and spread malware, has evolved its technique of evading detection by antivirus software in the past few months through the use of timers to incrementally continue the payload's execution. The Qakbot information stealer botnet has also evolved further and started using "HTML smuggling" to hide an encoded malicious script within an email attachment. For example, the threat actors have started abusing SVG images to hide malicious payloads and the code used for its reassembly.

**Zero-day exploits in the wild**  
Two sophisticated zero-day exploits were also discovered by Avast researchers in the quarter. Avast protected its users as both were exploited in the wild. The first, CVE-2022-3723, was a type confusion in V8 and used to do a 'get Remote Code Execution' (RCE) against Google Chrome. Avast reported this vulnerability to Google who quickly rolled out a patch in just two days, on October 27, 2022. The second zero-day CVE-2023-21674, was an LPE vulnerability in ALPC that allowed attackers to get from the browser sandbox all the way into the Windows kernel. Microsoft patched this exploit in the January 2023 Patch Tuesday update. In addition, the Avast Q4/2022 Threat Report from the Avast Threat Labs shares insights into spyware, and the latest in mobile banking Trojans and Trojan SMS. Avast helps protect its users from all threats covered in the report. The Avast Q4/2022 Threat Report can be found on the Decoded blog: https://decoded.avast.io/threatresearch/avast-q4-2022-threat-report

**About Avast:** 

Avast is a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands. Avast protects hundreds of millions of users from online threats with a threat detection network that is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of the Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: www.avast.com.

SOURCE Avast Software, Inc.

Avast Threat Report: Consumers Plagued With Refund Fraud, Tech Support Scams, and Adware

From shadow data to misconfigurations, and overpermissioning to multicloud sprawl, Dark Reading's cloud security slideshow helps security pros understand the threat horizon.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

7 Critical Cloud Threats Facing the Enterprise in 2023

**CHANDLER, Ariz.****,** **Feb. 9, 2023** **/PRNewswire/ --** SynSaber, an early-stage ICS/OT cybersecurity and asset monitoring company, announced today the release of the company's first Industrial Control Systems (ICS) CVE Retrospective: 3 Years of CISA Advisories, which provides insights and analysis of CISA issued CVEs over the past three years.

The number of CVEs reported via ICS Advisories has increased each year. The ever-growing volume of vulnerabilities highlights continued efforts to secure the ICS systems critical to our nation's energy, manufacturing, water, and transportation infrastructure. But the growing focus and regulation come with additional administrative requirements for an already overstretched ICS workforce. Operators in critical infrastructure are being asked to analyze, mitigate, and report on new and existing vulnerabilities.

"The number of ICS vulnerabilities reported are growing at an exponential rate, creating more alert fatigue and potential apathy within the ICS/OT ecosystem," said Jori VanAntwerp, SynSaber Co-Founder and CEO. "This report highlights the great work being done by manufacturers, CISA, researchers, and vendors to disclose vulnerabilities, while recognizing the need for more context around these CVEs to determine what should be patched and remediated to protect our national security and infrastructure."

**Key Findings:**

*   CISA Advisory numbers continue to increase: 2020-2021 saw a 67.3% increase in CISA ICS CVEs, while 2021-2022 saw a 2% increase.
*   For the 3-year period, 21.2% of the CVEs reported via ICS Advisories currently have no patch or remediation available.
*   Requiring a user to interact in order to exploit is present in an average of one-quarter of all CVEs released since 2020 (22% in 2020, 35% in 2021, 29% in 2022).

"It's key to remember that one does not simply patch ICS. In addition to operational barriers to entry, there are a number of practical challenges to updating industrial systems. ICS has not only software components to update but also device firmware and architectural challenges that may involve updating whole protocols," said Ron Fabela, SynSaber Co-Founder and CTO. "Each has a level of risk that should be considered when prioritizing activities. For example, upgrading device firmware may come with a significant risk of 'bricking' the system, which could be hard to recover."

SynSaber will provide copies of the report to attendees at the S4x23 ICS Security Conference next week in Miami, Fl., https://synsaber.com/news-and-events/s4x23-ics-security-conference/

For more information on the report, please visit: https://synsaber.com/resources/industrial-cve-retrospective-2020-2021-2022 

**About SynSaber:**

SynSaber is the simple, flexible, and scalable industrial asset and network monitoring solution that provides continuous insight into the status, vulnerabilities, and threats across every point in the industrial ecosystem, empowering operators to observe, detect and defend OT/IT systems and protect critical infrastructure. SynSaber is privately held with funding from SYN Ventures, Rally Ventures, and Cyber Mentor Fund. Learn more at SynSaber.com.

SOURCE SynSaber

SynSaber Releases ICS CVE Retrospective: 3 Years of CISA Advisories

Schools paying higher ransoms and seeing longer closures, according to survey of parents.

**WOBURN, Mass.****,** **Feb. 9, 2023** **/PRNewswire/ --** Today Kaspersky released new survey data, revealing that 14% of American parents have experienced ransomware attacks on their children's K-12 schools while there child was a student, an increase from 9% last year. Among schools that paid a ransom to their attackers, parents reported that the average ransom was $887,360. In 2021, the average was just $375,311. The Ransomware Attacks on K-12 Schools report revealed a number of other findings related to parents' experiences with these incidents.

In October 2022, Kaspersky surveyed 2,000 parents of school-age children in the United States to find out about their experiences with ransomware attacks on schools. The results are compared to a previous report that posed the same questions to a similar group of parents in October 2021, as well as to an earlier report in June 2021 asking parents more generally about cyberattacks on schools.

According to the survey results, a growing number of schools are opting to pay a ransom to their attackers, in order to restore their systems. In October 2021, 71% of parents who had experienced an attack said their school paid a ransom. This time, that figure rose to 76%, although 14% said their school didn't pay, which was about the same as last time, while a shrinking percentage didn't know. Ten percent of parents reporting an attack said the district paid a ransom of more than $1 million; up from 3.7% in 2021.

The rate of attacks on schools may still be rising. Forty-four percent of parents who have experienced an attack said it happened either last summer (2022) or during this school year – which is only partway over – compared to 42% who said it happened last school year (2021-2022) or the previous summer (2021). Fifteen percent said it happened during the 2020-2021 school year or earlier.

In better news, 32% of parents who experienced an attack said their child's data was not compromised. This was up from 25% in October 2021. A slightly smaller percentage of parents reporting an attack said their child's data was compromised (60% in 2022; down from 61% in 2021), while a lower percentage of parents said they didn't know whether it was compromised or not (8%, down from 14%).

82% of parents who experienced attacks said their school was forced to close for at least 1 day as a result, up from 75% in October 2021. The average closure was 2.5 days, up slightly from 2.3 days reported last year. Thirty-two percent of affected parents said they were notified by the school immediately, which was a slight drop from 34% in the June 2021survey.

"This fall, cybercriminals continued to attack vulnerable schools in an effort not only to get ransom money, but also to steal students' and teachers' Social Security numbers, banking information, and even medical histories," said Kurt Baumgartner, principal security researcher at Kaspersky. "It is, however, encouraging to see that a shrinking number of students appear to be getting their data stolen. We urge school administrators to build on this success by employing some basic security mechanisms, such as multi-factor authentication, regular software updates and to train staff and students to spot phishing attacks. No one should ever pay a ransom, which continues to perpetuate the problem."

Among parents who experienced an attack, 82% said they were satisfied with their school's response to the attack, up from 80% in October 2021, while 81% of all parents said they are confident in their school's ability to successfully handle cybersecurity incidents in the future. In June 2021, only 68% said they think their school was somewhat or very prepared for an attack.

For their part, 69% of all responding parents said they talk at least regularly with their child about practicing good security hygiene, such as using strong passwords, down from 75% in June 2021. 

The full report, Ransomware attacks on K-12 schools is available here.

In order to protect against ransomware attacks, Kaspersky recommends:

*   Keep software updated on all the devices you use. This prevents attackers from exploiting vulnerabilities and infiltrating your network in the first place.
*   Set up offline backups and make sure you can access them quickly when needed or in an emergency.
*   School IT administrators should focus their defense strategy on detecting lateral movements and data exfiltration to the internet, and pay special attention to outgoing traffic to detect cybercriminals' connections to your network.
*   Parents, students and teachers should protect their personal devices with a cybersecurity product, such as Kaspersky, which offers real-time malware protection that stops ransomware and other attacks.

**Additional Resources:**

*   Survey report: Ransomware attacks on K-12 schools
*   Blog post: Ransomware Attacks on US K-12 Schools: An Update
*   November 2021 survey report: Ransomware attacks on K-12 schools
*   June 2021 survey report: Ransomware, schools and parents

**About Kaspersky**

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company's comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com. 

SOURCE Kaspersky

Kaspersky Finds Growing Number of Parents Experiencing Ransomware Attacks on Children's Schools

Nearly a half-millennium after her execution, encrypted letters from the imprisoned royal offer a fascinating look into early cryptography.

A tranche of more than 55 encoded letters written by Mary, Queen of Scots has been uncovered — and decrypted — by a team of cryptographic experts.

Writing while being held for 19 years in the Tower of London for treason by her cousin Queen Elizabeth I, Mary Stuart sent a series of missives to the French Ambassador to the English court, Michel de Castelnau de Mauvissière. The idea was to evade the hawklike scrutiny of Elizabeth's spymaster, Sir Francis Walsingham.

The 16th-century letters (written between 1578 and 1584) were found in the online archives at the National Library of France by an interdisciplinary team consisting of computer scientist George Lasry, pianist Norbert Biermann, and astrophysicist Satoshi Tomokiyo. According to their resulting paper, the cipher uses a typical replacement approach in which symbols were substituted for letters — but with more than 150,000 symbols used in total, the team turned to computerized codebreaking to make them readable, combined with old-fashioned sleuthing.

The effort combined "computerized cryptanalysis, manual codebreaking, and linguistic and contextual analysis," according to the team.

    

Source: George Lasry, Norbert Biermann, and Satoshi Tomokiyo (2023) Deciphering Mary Stuart's lost letters from 1578-1584, Cryptologia, DOI: 10.1080/01611194.2022.2160677

The letters' subjects included mulling marriage proposals for Elizabeth, the state of Mary's support in Catholic France, and negotiations around her release and the ascension of her son James VI (future James I of England) to the Scottish throne.

"The existence of a secret communication channel between Mary and Castelnau has been well-known to historians, and it was even known to the English government at the time," the researchers noted in the paper. "Even though its existence was known ... the channel was so secure that its contents \[were thought to\] have been lost. ... Our new decipherments provide further insights into how this channel was operated, and on the people involved."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cryptographers Decode Secret Letters of Mary, Queen of Scots

AI and phishing-as-a-service (PaaS) kits are making it easier for threat actors to create malicious email campaigns, which continue to target high-volume applications using popular brand names.

Phishing is having a moment, with a massive spike in campaign volumes in the latter half of 2022. In fact, total phishing emails increased by 61% in the second half, according to an analysis this week. That could also be set to accelerate, as the rise of ChatGPT and other new tools are making their mark on the sector too. 

That's according the "Q4 2022 Phishing and Malware Report" from email security firm Vade, published Feb. 9. Phishing volumes increased 36% between the third and fourth quarters, with researchers tracking 278.3 million unique phishing emails in the last three months of the year, according to the report.

Malware volumes overall also increased, 12% quarter for quarter, with Vade detecting 58.9 million emails in the fourth quarter of 2022 that included malware, the researchers found.

Email remains the top channel for distributing phishing and malware, giving hackers a convenient, scalable, and efficient vehicle for exploiting users and compromising accounts, Todd Stansfield, content marketing manager, noted in the report.

"Email threat activity continues to increase, creating the need for organizations of all sizes to fortify their cybersecurity," he wrote.

Breaking down the numbers by the month, phishing volumes remained relatively stable through the first half of the fourth quarter, with 62.3 million phishing emails tracked in October and 47 million in November, according to the report.

Then, as is typical during the annual holiday season — in which phishers use a range of year-end and holiday-themed lures to try to snare victims — December saw a big jump in phishing emails with 169 million, representing a 260% month-over-month increase, the researchers found. This pattern is similar to what happened in the fourth quarter of 2021, they said.

**Reliable Targets & Tactics**

In terms of who they target and how they do it, phishing threat actors aren't getting especially creative given the current way enterprise users work and collaborate.

Facebook remained the top brand in terms of impersonation for the second consecutive quarter, with researchers observing 6,700 unique phishing URLs impersonating the social networking giant in the fourth quarter of 2022, they reported. The company was followed by Microsoft, PayPal, Google, and Netflix in descending order as the brands that threat actors prefer to impersonate.

In terms of targets threat actors continued to find value in campaigns targeting productivity applications, for which they have a wide pool of corporate users and are most likely to find success, the researchers found. Microsoft 365, which has more than 345 million users, and Google Workspace, the second-most popular productivity suite, continued to be the top targets for phishers in the second half of 2022, according to Vade.

"With the growing popularity of productivity suites, users are increasingly using email to access and use productivity apps such as file sharing and instant messaging," Stansfield wrote, adding that threat actors have taken notice and are crafting phishing campaigns to target the specific behavior of corporate productivity-suite users.

**AI & New Tools Bolster Phishing**

While some things remained the same in terms of phishing campaigns, changes are afoot in other aspects of this type of threat, the researchers found. In particular, new tools have emerged that can make anyone, even with limited skills, a phishing threat actor thanks to more sophisticated phishing-as-a-service (PaaS) kits, and the meteoric rise in popularity of the AI platform ChatGPT.

"By purchasing a phishing kit, novice hackers can deploy highly convincing and effective schemes against their targets," Stansfield acknowledged.

One recent enhancement to these kits is the ability to automatically localize phishing pages based on a victim's native language, a handy tool that allows threat actors to target various regions quickly without being multilingual themselves, the researchers said.

The feature works by identifying the language settings of the targeted user's browser and leveraging it to update and display the phishing page accordingly. While improving the contextual accuracy of each phishing attack, the new feature also enables hackers to target users across multiple languages using a single kit, thus increasing the reach of their campaigns, according to Vade.

ChatGPT — the chatbot that can assist anyone in producing instantaneous, high-volume content that's already become notorious for its cybersecurity implications since its November release by OpenAI — also is becoming a phisher's best friend, according to Vade analysts.

Hackers can weaponize ChatGPT to produce sophisticated phishing kits efficiently by using commands that empower the AI tool to write phishing emails and malicious code in seconds, they said.

**Protecting the Enterprise From Phishing**

With phishing showing no sign of letting up despite being one of the oldest forms of cybercriminal activity, it's clear enterprises need to roll with the changes in the technology landscape just as attackers are.

"In the past year, nearly seven out of 10 businesses experienced a serious data breach that bypassed their email security," Stansfield noted, citing previous research from Vade.

Moreover, the problem with phishing is that it doesn't just end with an attacker giving up credentials, but ultimately, they can use these credentials as a way into corporate networks to steal data, distribute ransomware and other malware, and engage in other nefarious activity.

Enterprises need to move beyond traditional email security solutions and adopt ones that can respond to the more sophisticated tactics of attackers, the researchers said. Specifically, collaborative and AI-enhanced solutions that can provide "predictive defense against known and unknown threats using the latest threat intelligence and a core set of AI technologies," are the way forward, Stansfield said.

Indeed, just as AI is empowering attackers through technology like ChatGPT, it also can empower enterprises with new types of security, Adrien Gendre, co-founder and chief tech and product officer at Vade, tells Dark Reading.

"On the flip side, we use AI to detect anomalies in email, from the content itself to the behavior of files that might be included in those emails," he says. "There will be a battle between what you might call good and bad AI."

If phishing emails do slip through an organization's security protections, training employees to identify phishing emails before they click on them can also be a reliable way to prevent credential or malware compromise before it occurs, Scott Caveza, senior research manager at cyber exposure management firm Tenable, tells Dark Reading.

"Phishing attacks continue to be successful as they target our weakest link in security, humans," he says. "Regardless of the author of the email, be it AI or an actual human, organizations need to invest in and develop mature security programs where security awareness training, including specific training on spotting phishing attacks, are priorities for the organization."

Phishing Surges Ahead, as ChatGPT & AI Loom

NIST announces that it will use Ascon as a cryptography standard for lightweight IoT device protection.

After a search that took several years, the National Institute of Standards and Technology (NIST) has chosen Ascon to be the standard to protect data generated by exploding ranks of lightweight electronics that make up the Internet of Things (IoT).

NIST will publish the full standard later in 2023, the organization says.

The Ascon group of algorithms is able to provide protection under the electronic constraints of small technology like medical devices, stress detectors on roads and bridges, and keyless entry fobs for cars, according to NIST.

"The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation," NIST computer scientist Kerry McKay said in the announcement of the selection. "These algorithms should cover most devices that have these sorts of resource constraints."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NIST Picks IoT Standard for Small Electronics Cybersecurity

By simplifying compliance management, security and risk teams can focus on managing operational risk, not compliance risk — and better counter threats.

For most of my career, I worked for major international financial services companies in the security and risk functions. These organizations were multinational global institutions that operated in a plethora of countries. One of the challenges that was common in these organizations was ensuring we complied with each jurisdiction's information and cybersecurity regulations. In practice, that work involved managing relationships with, in some cases, more than 250 regulatory authorities, each of which came with its own expectations of standards for cybersecurity best practice.

In the intervening years, cybersecurity has become exponentially more important to businesses and consumers alike, and data privacy and security regulations have proliferated as a result — as have the standards frameworks to help businesses achieve compliance.

Your average global financial services company today must contend with general data privacy regulations, including GDPR (EU), CCPA (US), and PIPL (China), among many, many more (some 194 countries have put in place legislation to ensure the protection of data and privacy).

In addition, firms must also comply with various sector-specific requirements, such as FFIEC assessment (US), MAS's TRM requirements (Singapore), CPS 234 mandates (Australia), and others. So, too, financial services are often deemed part of nations' "critical infrastructure," with their own regulations to comply with, including the SOCI Act (Australia) and the NIS Directive (UK).

**The Complicated State of Security Policy Regulations**

Complying with privacy and cybersecurity laws and standards is a major undertaking, especially as significant new rules, regulations, and best practices continue to emerge. Given that businesses will often turn to their security and risk partners to help them implement standards and ensure compliance, this is a burden not only for the regulated, but also for those organizations that support them.

Of course, few would argue that regulation is a bad thing. It pulls up the lowest common denominator and drives organizations to act. But the staggering complexity of the global regulatory environment makes compliance a costly and hugely time-consuming affair (it's thought that companies spend up to 40% of their cybersecurity budget submitting regulatory compliance reports).

As for standards, the proliferation of frameworks such as NIST CSF, ISO 27001 and ISO 27002, and NERC CIP can leave organizations wondering just which one to standardize on and, when they do, how they can then demonstrate compliance with other standards. An entire cottage industry has been built around helping businesses map security controls across the different frameworks available to them.

Companies that need to meet security requirements across diverse jurisdictions often find that no matter how many resources they throw at the challenge, they cannot eliminate the risk of regulatory action for an unintended compliance misstep. Not only that, but when security professionals spend a huge amount of time sorting through the nuances of various regulatory bodies' cyber rules, it's time lost that they could otherwise focus on combating the actual risks their company faces. They may miss threats looming in the forest because they're concentrating on the regulatory trees. After all, being compliant and being secure are two very different things.

**A Way Forward for Policy Harmonization**

The time has come for a much greater degree of global regulatory harmonization. In theory, the gold standard for harmonization would involve making the regulatory requirements or governmental policies of different jurisdictions identical. However, given the enormous complexity of the issue, the capability and maturity gaps between jurisdictions, and the requirement for widespread cooperation between nation states, it's unlikely that this level of harmonization is feasible. But that's not to say progress can't be made. Here are just a few potential paths harmonization could take:

*   **A principles-based approach**. As a first step, governments and regulators could come together on a set of agreed-upon overarching principles to inform regulation, such as the sanctity and integrity of personal data and citizens' rights to data consent and transparency.

*   **Regulatory equivalence**. In lieu of common laws, different jurisdictions could agree to accept proven compliance with one set of laws as being tantamount to compliance with another.

*   **Borrow gold standard rules.** Legislators should only introduce new laws and obligations having first assessed whether there are existing laws from another jurisdiction that can be imported.

Regulatory harmonization on a large scale can and does work. A good example of this is in the European Union, where common regulatory standards across the bloc are normal. Indeed, EU law is often designed specifically to bring order and simplicity to a legacy mismatch of various national laws. We are seeing this again with the Digital Operational Resilience Act (DORA).

Standards harmonization is a prize worth fighting for. By simplifying the complexity of managing compliance, we can enable security and risk teams to focus on managing the operational risk, not the compliance risk. Doing so, they will be able to better counter threats and maintain operations. It's a big, complex job, and all stakeholders, including government collaborative bodies (e.g., G20, etc.), international bodies (e.g., the UN, the World Economic Forum), and industry leaders, like corporate CEOs and security and risk executives and practitioners, need to agitate for greater traction on this, and work together to collaboratively make progress.

In Perfect Harmony: Cybersecurity Regulation Harmonization

Restricting the Twitter API will have implications across Twitter, the broader Internet, and society, experts say. Is there a cybersecurity silver lining, or will threat actors pay to play?

Twitter's new policies surrounding its application programming interface (API) have just gone into effect — and they will have broad implications for social media bots, both good (RSS integrations, say) and evil (political influencer campaigns), researchers note.

On Feb. 2, the Twitter dev team announced that the site would no longer provide free access to its API, starting on Feb. 9. After some negative publicity, Elon Musk personally provided an amendment — that Twitter would continue to service "a light, write-only API for bots providing good content that is free."

APIs are what enable different computer programs to communicate with one another. Just as your computer provides an interface so that you can easily interact with its many complex functions, an API provides an interface for two software programs to interact with one another. Twitter's API is necessary for any enterprises, academics, or bot developers whose applications rely on the social platform.

The choice between a limited or subscription model threatens to push away smaller, more cash-strapped developers and academics who have used the free access to create useful bots, applications, and research.

On the other hand, bad bots have also ravished Twitter since the beginning. They're regularly used by hackers to spread scams and by evil regimes to spread fake news, to say nothing of their smaller-scale negative impacts in influencer culture, marketing, and general trolling.

Is a paid API the answer to Twitter's influence campaign and bot-driven ills? Some experts think the new move is just smoke and mirrors.

**Twitter's Bad-Bot Problem**

In May 2018, the National Bureau of Economic Research (NBER) in Cambridge, Mass., published a working paper on the role of social media bots in shaping public opinion. The study focused on Twitter, and its bots' impacts on two 2016 elections: the US presidential race, and the UK vote to leave the European Union. The data indicated that "the aggressive use of Twitter bots, coupled with the fragmentation of social media and the role of sentiment, could contribute to the vote outcomes."

They found that in the UK, the greater volume of automated pro-"leave" tweets may have "translated into 1.76 percentage points of actual pro-'leave' vote share." And in the US, "3.23 percentage points of the actual vote could be rationalized with the influence of bots."

Three crucial swing states in that election — Pennsylvania, Wisconsin, and Michigan — with enough collective electoral votes to swing the result the other way — were won by less than a percentage point.

Bots don’t always have to sway world history — sometimes, they're just a useful tool for hackers looking to commit cybercrime at scale. Cybercriminals have been observed using Twitter bots to distribute spam and malicious links, and to amplify their content and profiles.

"Bots are an amazingly huge problem," David Maynor, director of the Cybrary Threat Intelligence Team, explains to Dark Reading. "If Twitter were the real world, you would see random inanimate objects trolling people, and the victims would spend hours or days trying to prove a random object wrong. Bots also give astroturfed efforts a real feel of legitimacy."

Astroturfing is the practice of presenting choreographed marketing in such a way as to make it appear to come from the general public (hiding sponsorship information, for instance, or presenting "reviews" as objective third-party assessments).

**Is Twitter Hiding Its True Motives?**

Some speculate that Twitter's real motives for putting its API behind a paywall have nothing to do with security. After all, is a basic subscription plan going to stand in the way of a cybercrime group, or even a lone scammer? Certainly not the government of Russia, one of the largest operators of social media influence campaigns.

In fact, notes Ted Miracco, CEO at Approov, "there are numerous mobile app security platforms and cloud based solutions that could easily eliminate the bot traffic overnight, and Elon Musk is well aware of these technologies."

Indeed, there are a number of strategies and tools for social media sites (and website owners and admins of all kinds) to use to snuff out botnets. For one thing, bots tend to follow specific behavioral patterns, like posting in regular intervals and only in limited ways. And after identifying even just a few suspect accounts, clever specialized tools can help reveal entire networks of connected bots.

Maynor noted that in addition to sussing out malicious automated tweets, naming and shaming might be important: "This isn't popular, but to fight bots and information operations you have to tie accounts to real-world people and organizations."

He adds, "This raises issues about privacy and misuse of data, but remember: they are already mining every bit of data they can get. Tying accounts to real-world identities won’t affect the platforms' data harvesting, but instead will stomp bots and \[astroturfing\]."

Why go so far as to remove free access to the API, before exhausting other available cybersecurity measures?

The reason is an open secret — an elephant in the room — in Silicon Valley, Miracco argues. Simply put, social media companies like their bots, according to Miracco.

The premise is this: Twitter makes money by selling ads. Bots look like users, to advertisers, so they bring in revenue all the same. More bots, more money.

In January, Musk threatened to back out of his Twitter buyout on the grounds that a large portion of the company’s stated users were, in fact, secretly bots. Perhaps his mood changed, however, after transitioning from an interested party to the outright owner. Miracco guesses that "revealing the problem now will result in a precipitous fall in traffic, so there needs to be some found revenue along the path to reduced traffic in order for the company to stay relevant, hence the API paywall."

He puts it in plain terms: "the paywall is dressed up to stop bots, but is really only to drive revenue."

The paywall just took effect. Time will tell whether it really does put a dent in Twitter's bot problem, or if it merely lines Musk's pockets.

Twitter did not immediately respond to a request for comment from Dark Reading.

Twitter Implements API Paywall, but Will That Solve Its Enormous Bot Crisis?

High-quality tools and standards remain critical components in cybersecurity efforts even as budgets decline. It's important that staff knows response procedures and their roles, and also communicates well.

The terms "Military Specification" or "MIL-SPEC" may sound like government bureaucracy. This requirement, however, that every piece of equipment used by the military — down to its components, such as screws, electronics, and plastic — needs to meet certain standards was arguably why the United States was able to win the Cold War.

While the US military focused on quality, the Soviet Union focused on quantity, driven by its own doctrine that quantity was a key part of quality. The regime believed that endless numbers of tanks and planes would allow them to win any conflict; that turned out to be faulty thinking.

For the US military, quality — and the details it takes to get there — remains critical. I know this firsthand from the seven years I spent working on F-16 fighter jets during my service in the US Air Force. Everything that was installed in that plane had to have a MIL-SPEC rating, or it wasn't good enough. MIL-SPEC means that the material or component that was used to build a circuit board, for example, had to be tested in a way that pushed the component to the point of failure, which was far beyond the operational requirement for what it was designed for. This includes but isn't limited to exposure to freezing, thawing, heating, vibrating, dropping, pressurizing, depressurizing, and electromagnetic pulses (EMPs). It was this focus on quality that allowed the US to put a man on the moon, have stealth fighters that rule the skies, and submarines that "make like a hole in the water."

A focus on quality should also be the guiding principle for enterprise cybersecurity, especially when budgets are limited. It's increasingly clear that quantity isn't working; spending on cybersecurity tools and services is growing more than 12% a year, yet data breaches are multiplying and their damage will likely amount to more than $10 trillion annually by 2025, according to a McKinsey report. Amid this challenge, it's crucial to embrace quality at every step of the way, from building a team to testing products to planning for an attack.

**Build a Team With Military Experience**

As the threat from state-backed attacks grows, companies can benefit greatly if their cyber team, whether internal or through an outside provider, contains people with experience in the government or military sectors. Businesses realize that state-backed attacks from places like Russia and China are a growing threat; 42% of surveyed companies say they feel at risk from a state-backed attack, and half said they had already been targeted in one. But few have the resources to prevent and mitigate these types of sophisticated attacks, the survey found.

Professionals with a background in military or government work are especially valuable when it comes to finding and evaluating threats from state-backed hacking groups. In addition to being more familiar with the technical hallmarks of such threats, those coming from the military or government also bring valuable insight into the changing geopolitical landscape, which must be considered when evaluating potential threats from state-backed hackers. A military or government background also prepares these professionals to understand the importance of processes and communications. These are two elements that can determine the quality of a company's cybersecurity stature.

**Test, Test, and Test Again**

Just as every element I used in F-16s needed to stand up to the most extreme scenarios, so should a company's cybersecurity safeguards. Engaging a professional red team, or ethical hackers that try to infiltrate and gain control of a company's IT system, is one of the best ways to check the quality of defensive tools and strategies. Real-life testing is the only way to determine which tools and policies are working and which need to be changed or improved.

Similar to the joint exercises and Operational Readiness Inspections the US Air Force performs, such testing should be carried out on a regular basis. Critical events such as a when significant new threat is introduced, or infiltration, should also trigger extensive testing. A key part of engaging a red team is making sure communications are good and that the hiring company receives a full report of what was done, what the results were, and suggestions on mitigating the findings. These technical aspects then need to be translated into language and concepts that nontechnical corporate leaders can understand, including what effect cyber vulnerabilities have on a business's bottom line, potential for growth, and overall risk stature. That way, these decision-makers will understand what is most at risk and where they need to invest to improve the real-life quality of their cyber posture.

**Don't Underestimate Tabletop Exercises**

Holding drills as if attacks have happened can test the quality of a company's response and mitigation abilities far beyond the technical level. This is increasingly important, as a cyberattack is no longer simply a technical event; attacks and data breaches cause significant business interruptions, as well as legal and public relations challenges.

The truth is that even with quality defenses, most organizations will at some point fall victim to some type of attack or data breach. But the damage can be reduced or eliminated if all parties inside a company understand response procedures, know their roles, and communicate well. Organizations need to understand how to handle the inevitable in the best manner possible.

When companies take these steps, they stand a better chance against hackers. Cybercriminals often have an unlimited amount of time and many tools — sort of like the Soviet Union. Companies must counter this by making sure their tools and processes are of the highest quality and can prove themselves in battle.

Source

DARKReading