The application security expert, who went by "@aloria," is being remembered for her brilliance and generosity, as tributes start to pour in honoring her life.

The cybersecurity sector is mourning the passing of security expert Kelly Lum, also widely known by her Twitter handle, @aloria.

SummerCon, one of the many cybersecurity organizations to which Lum lent her expertise over the years, was one of the first to share the news about her death. "It is with profound sadness that we mourn the loss of out friend and mentor, @aloria," the tweet from SummerCon said.

Lum was the director of information security at Service Channel, a position she held since 2019. She previously served an adjunct professor at New York University's Tandon School of Engineering, where she shared her vast experience in application security with a new generation of cybersecurity professionals. Lum was regularly featured at cybersecurity conferences, including Black Hat, where she served as a member of the Black Hat Advisory Board and as the Defense Track lead.

In 2014 at Black Hat USA, Lum, who was then a security engineer with Tumblr, teamed up with Zach Lanier, then-senior security researcher at Duo Security, to disclose their findings on dangerous cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities in four commercial data loss prevention (DLP) products. 

Lum passed away "due to progressed critical illness, in a hospitalized setting surrounded by her family," SummerCon tweeted.

_**Editor's note:**_ _**Lum was a respected expert source to Dark Reading and a friend to many. She will be deeply missed.**_

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Renowned Researcher Kelly Lum Passes Away

Global study reveals boards still undervalue cyber's role.

**DALLAS****,** **March 21, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today released new research\* revealing that while global organizations plan to increase cybersecurity budgets in 2023, business leaders hold conflicting views on the function.

**To read a full copy of the report,** _Risky Rewards_**, please visit:** https://www.trendmicro.com/explore/risk-reward2023/2031-tl-en-rpt#page=1

Jon Clay**, VP of threat intelligence at Trend Micro:** "If organizations want to make the most of their security investments, business leaders must reframe their view of cybersecurity – to think more broadly about how it can positively impact the enterprise. This research shows it's clearly a critical component of winning new business and talent. At a time when every dollar/penny counts, it's concerning to see stereotyped views of security persist at the very top."

Nearly two-thirds (64%) of business decision-maker (BDM) respondents say they plan to increase security investment in 2023.

However, the research also reveals critical gaps in BDMs' understanding of the relationship between cybersecurity and other parts of the organization.

On the one hand, half (51%) claim cybersecurity is a necessary cost but not a revenue contributor, while a similar share (48%) argue that its value is limited to attack/threat prevention. Nearly a fifth (38%) even see security as a barrier rather than a business enabler.

However, on the other hand, 81% worry that a lack of cybersecurity credentials could impact their ability to win new business – with a fifth (19%) admitting it already has. This comes as nearly three-quarters (71%) of BDMs admit they're being asked about security posture in negotiations with prospects and suppliers. And 78% say these requests for information are increasing in frequency.

This apparent contradiction in attitudes is laid bare by another finding. Despite prospects and suppliers clearly prioritizing security in negotiations, only 57% of BDMs perceive there to be a strong or very strong connection between cyber and client acquisition/satisfaction.

Talent acquisition is another area where there are clear gaps in BDMs' understanding of the interconnectivity between cybersecurity and the rest of the business.

Nearly three-quarters (71%) of respondents claim that the ability to work from anywhere has become vital in the battle for talent. Yet only around two-fifths understand the strong connection between cybersecurity and employee retention (42%) and talent attraction (43%).

That's despite respondents recognizing the impact of cyber on the employee experience:

*   83% say current security policies have affected remote employees' ability to do their jobs (eg. network and information access issues, and slowing the pace of work)
*   43% say current security policies place restrictions on employees' ability to work from anywhere
*   54% say current policies restrict what devices/platforms employees can choose to use

_\* Trend Micro commissioned Sapio Research to poll 2718 business decision-makers in companies with 250+ employees across 26 countries._ 

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.  

SOURCE Trend Micro Incorporated

Research Highlights Cyber Security's Underestimated Role As a Business and Revenue Enabler

**WATERLOO, ON****,** **March 21, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) announced today that it has entered into an agreement to sell substantially all of its non-core patents and patent applications to Malikie Innovations Limited ("Malikie"), a newly-formed subsidiary of Key Patent Innovations Limited ("KPI"), a leading intellectual property monetization company, for a combination of cash at closing and potential future royalties in the aggregate amount of up to $900 million.

The transaction is not subject to any financing conditions. Funding has been secured from a leading US-based investment firm, with in excess of $30 billion of assets under management.

_"We're extremely pleased to have executed this agreement with KPI, whose industry-leading expertise and experience positions them well to realize the patent portfolio's potential and enhance returns for BlackBerry," said_ John Chen_, Executive Chairman & CEO, BlackBerry. "This transaction, once complete, will further strengthen our balance sheet while simplifying our business and enabling increased focus on our core IoT and Cybersecurity opportunities."_

_"We are very excited to have completed this transaction with a partner of BlackBerry's calibre, and we look forward to getting to work to maximize returns from this portfolio," said_ Angela Quinlan_, Managing Director, KPI._

Under the terms of the agreement, BlackBerry will receive $170 million in cash on closing and an additional $30 millionin cash by no later than the third anniversary of closing.  BlackBerry will also be entitled to receive annual cash royalties from the profits generated from the BlackBerry patents, on the following basis:

*   8% of the first $500 million of profits;
*   15% of the next $250 million of profits;
*   30% of the next $250 million of profits; and
*   50% of all subsequent profits.

Royalty payments to BlackBerry will initially be capped at $700 million, subject to an annual cap increase of an amount equal to 4% of the remaining portion of the $700 million that has not been paid to BlackBerry as of the date of the increase.  Malikie's costs will also be capped in the calculation of profits generated.

Approximately 32,000 patents and applications relating primarily to mobile devices, messaging and wireless networking will be sold in the transaction with Malikie.  The transaction excludes patents and applications that are necessary to support BlackBerry's current core business operations. It also excludes approximately 120 monetizable non-core patent families relating to mobile devices (representing approximately 2,000 patents and applications which are primarily standards essential), as well as all existing revenue generating agreements.  BlackBerry will receive a license back to the patents being sold and the transaction will not impact customers' use of any of BlackBerry's products, solutions or services.

Completion of the transaction is conditional upon, among other things, satisfaction of all regulatory conditions under the Hart–Scott–Rodino Antitrust Improvements Act in the United States and the Investment Canada Act. 

Termination of Agreement with Catapult:

On December 20, 2022, BlackBerry provided an update on its previously-announced patent portfolio sale transaction with Catapult IP Innovations, Inc., indicating that Catapult was working with a financing partner and that the parties were negotiating definitive closing documents.  BlackBerry also disclosed that it was then in advanced term sheet discussions with another party that was fully financed, and which had completed its due diligence on the portfolio. 

Catapult was unable to secure financing that would have enabled it to complete the previously-announced transaction on amended terms that were acceptable to BlackBerry, and therefore BlackBerry has terminated its agreement with Catapult and has instead entered into the patent sale agreement with Malikie. 

**About BlackBerry** 

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world. The company secures more than 500M endpoints including over 215M vehicles. Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety, and data privacy solutions, and is a leader in the areas of endpoint security, endpoint management, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

_BlackBerry. Intelligent Security. Everywhere._  

For more information, visit BlackBerry.com and follow @BlackBerry.

BlackBerry Announces New Patent Sale Transaction With Patent Monetization Company for Up to $900M

**SAN FRANCISCO****,** **March 21, 2023** **/PRNewswire/ --** Normalyze, a pioneering provider of cloud data security solutions, was granted the most fundamental patent to date for Data Security Posture Management (DSPM) by the U.S. Patent and Trademark Office. The patent addresses cloud data attack path detection based on security posture of the cloud environment and resource network path tracing. This patent is foundational for an emerging data-first approach to secure cloud-resident sensitive data and its implications will help to innovate the enterprise cybersecurity market at large.

Patent #11,575,696 describes how an accurate measure of cloud security posture enables the Normalyze DSPM platform to automatically trace network paths at scale between cloud-resident sensitive data and all points of access to determine attack paths. Paths are dynamically displayed to IT, security, and compliance teams, which instantly identify authorized versus unauthorized access – including propagation of breach attacks. Automated remediation workflows ensure continuous safety and compliance of the sensitive data. The Normalyze patent details how its technology, via integration, improves systems and methods of separate siloed tools such as cloud security posture management (CSPM), cloud infrastructure entitlement management (CIEM), cloud-native application protection platform (CNAPP), and/or cloud-native configuration management databases (CMDB).

"This patent's technology enables the Normalyze platform with 360-degree visibility of where our data resides across our cloud environments and any associated risks," said Rahul Gupta, Head of Information Security and GRC at Sigma Computing. "Normalyze's ability to connect the dots around data – including accesses, identities, vulnerabilities, and configurations – helps us understand where the real threats are and remediate them in near real-time. It is a game changer for securing our cloud environments."

"This patent is the first and the most important in the DSPM space. Its technology connects the risks to sensitive data in customer cloud environments, allowing them to focus on what matters most instead of chasing thousands of alerts generated by other siloed products," said Ravi Ithal, CTO and cofounder of Normalyze. "Getting the first major patent for an emerging new category such as DSPM shows our thought leadership in helping customers protect their most valuable asset, which is their data."

Read more detail about the patent from Ravi Ithal in this blog post. Normalyze has additional patents pending and will be announcing them in the first half of 2023.

The Normalyze platform is generally available in full functionality and supports all major IaaS and PaaS cloud services such as AWS, Google Cloud, Microsoft Azure and Snowflake.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture, including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze patented and agentless scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans 

Ravi Ithal and Amer Deeba and has several customers, including Chargepoint, Corelight,

 Fairfield, Ginkgo Bio, Netskope, Sigma Computing and others. The company is funded by Lightspeed Venture Partners and Battery Ventures.

For more information, please visit normalyze.ai

SOURCE Normalyze

Normalyze Granted Patent for Data Security Posture Management (DSPM)

After its second cyberattack in under a year, General Bytes urges customers to up the security on their personal accounts to prevent losses from hackers.

Over St. Patrick's Day weekend, unidentified hackers stole more than $1.6 million in cryptocurrency from Bitcoin ATMs owned by General Bytes.

In what the ATM owner called a security incident of the highest severity, threat actors were able to exploit a zero-day flaw by uploading "his own java application remotely via the master service interface used by terminals to upload videos, and run it using batm user privileges," the advisory released by General Bytes stated.

Once the attackers were able to accomplish this, they secured access to the database, where they were able to "read and decrypt API keys used to access funds in hot wallets and exchanges, send funds from hot wallets, and download usernames, password hashes" as well as turn off the two-factor authentication (2FA) feature. 

This cryptocurrency-related breach is the second aimed at General Bytes in under a year, the last of which occurred less than a year ago, in August.

Though the company has stated that it has run multiple security audits since 2021, this was a vulnerability that was never caught. General Bytes advises its terminal operator customers to keep their servers behind firewalls and VPNs, as well as assume that the passwords and API keys to exchanges and hot wallets used by end users are compromised — and should be changed accordingly.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Zero-Day Bug Allows Crypto Hackers to Drain $1.6M From Bitcoin ATMs

**NEW YORK****,** **March 21, 2023** **/PRNewswire/ --** BigID, the leading platform for data security, compliance, privacy, and governance,, announced today that native integrations with leading Security Orchestration, Automation, and Response (SOAR) platforms, including Splunk SOAR (formerly Phantom) and Palo Alto Networks Cortex XSOAR (formerly Demisto).

Enterprises have been struggling with responding to the deluge of security events generated by all their security information and event management systems. The volume and complexity of these events increases the need for automated security orchestration and response (SOAR) platforms to help security teams streamline and automate their incident response processes.

BigID's native integrations with SOAR platforms, including Splunk, Palo Alto Networks and Torq , provide customers with access to thousands of pre-built playbooks, enabling them to automate the incident response process from detection to remediation. With these native orchestrations, customers can seamlessly manage and automate their security response workflows, reducing response time and improving overall security posture.

"BigID is committed to helping organizations manage and secure their sensitive data. With these native integrations with leading SOAR platforms, we're able to provide customers with a powerful, integrated solution that enables them to streamline their incident response processes and more effectively manage security risks," said Dimitri Sirota, CEO of BigID.

With this integration, customers can now:

*   Leverage automation to reduce response time and improve accuracy
*   Automate incident response workflows with access to thousands of SOAR playbooks
*   Gain better visibility into incidents and manage responses with ease
*   Increase productivity and reduce the manual effort involved in incident response

The integration with Splunk SOAR, Cortex XSOAR and Torq offers a seamless user experience and significant improvements to security operations.

For more information, please visit www.bigid.com or visit https://home.bigid.com/demo to see it in action.

**About BigID:**

BigID enables organizations to know their enterprise data and take action for data-centric security, privacy, compliance and governance. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape. BigID has been recognized for its data intelligence innovation as a 2019 World Economic Forum Technology Pioneer, named to the 2021 Forbes Cloud 100, the 2021 Inc 5000 as the #19th fastest growing company and #1 in Security, the 2021 and 2022 Deloitte 500, and an RSA Innovation Sandbox winner. Find out more at https://bigid.com.

SOURCE BigID

BigID's Data Security Posture Management Solution Integrates With SOAR Platforms

For companies, training an existing worker is cheaper than hiring, while for employees, training brings job security and more interesting work.

Companies continue to value cybersecurity skills, but many have moved their focus from hiring cybersecurity professionals to training up in-house staff on needed cybersecurity skills.

The monthly number of cybersecurity-related job postings plummeted by nearly a third (31%) in the last month, compared with its peak a year ago, according to employment services firm Indeed.com. Yet cybersecurity is the No. 1 desired skill set that companies would like their employees to learn, with 59% of technology leaders rating cybersecurity as a top-three topic for training, ahead of both data science and cloud skills, according to training firm Pluralsight.

For companies that need to fill gaps in their employee's technical skills, training employees in new skill sets — "upskilling" in the industry parlance — is a relative bargain, compared with the cost of hiring a new employee, says Gary Eimerman, chief product officer at Pluralsight.

"Given the level of risk, cybersecurity hacks are a boardroom conversation across organizations," he says. "Upskilling internally for cybersecurity talent is significantly more cost effective than hiring externally for cybersecurity skills."

Companies would both hire and train cybersecurity professionals, but given the shortage in available skilled workers, training has taken precedence, says Bill Reynolds, research director at Foote Partners, a workforce research firm. The average estimate to hire a technology workers, such as a full-time developer, is about $32,000.

"They are absolutely doing both, but with the significant shortfall in the marketplace for skilled cybersecurity professionals, the sense I'm getting by talking to hundreds of employers ... is that they're focusing more right now on training and developing talent from within," he says. "And it is not just technical skills — they want a whole market basket of soft nontech skills \[as well\]."

**Cybersecurity Skills as Layoff Protection?**

As recession fears continue to roil the technology industry, on March 20 Amazon announced its second tranche of layoffs — this time, planning to cut 9,000 corporate and technology workers, bringing the total number of job affected to 27,000. Cybersecurity vendors have not been spared, shedding thousands of employees in the last three quarters, with some companies cutting more than a quarter of their workforce, according to tracking site Layoffs.fyi.

    

Cybersecurity takes the top spot among skills preferred by employers for training purposes. Source: Pluralsight

Yet, overall, workers with cybersecurity skills have largely been protected from layoffs, due to the relative difficulty in hiring or replacing them. Only 10% of C-level executives intend to lay off cybersecurity staff, much lower than other departments, such as human resources (30%), finance (24%), and even information technology (14%).

As another metric, two-thirds of tech executives have been asked to reduce costs, but 72% still plan to increase investments in the development of technology skills, according to Pluralsight's "2023 State of Upskilling" report. 

"When layoffs are on the table for an organization, where the cuts are made is highly individualized based on business need," Pluralsight's Eimerman says. "Among layoffs that have been done in the tech industry, few have focused on technology-specific roles." 

**Cybersecurity as the Most-Wanted Tech Skill**

Among technology skills, cybersecurity is most often in the top-three skills demanded by technology leaders. Overall, if employees had a weekly sprint for learning, 59% of executives would want them to learn cybersecurity skills, while 44% preferred data-science skills, and 42% selected cloud skill sets, according to Pluralsight's report.

But learning such skills has gained priority for employees, too, who list their top reasons for upskilling as salary growth, personal development, and job security. 

Across the 53 noncertified cybersecurity skills tracked by Foote Partners, the average worker commands a 12.3% base-salary cash premium. Skills such as security auditing, penetration testing, vulnerability scanning and management, DevSecOps, and cyberthreat intelligence all have significant premiums, Reynolds says.

Some combinations of skills are in even greater demand, such as cloud and cybersecurity, he says. With companies focused on shrinking their attack surface area and putting more security capabilities into a very small footprint, for example, workers with cybersecurity, embedded OS, optimizing, and threat detection skills together would garner even greater premiums. 

"From a career perspective, there is so much opportunity for cybersecurity professionals," he says.

While a lack of time and budget has undermined upskilling efforts in the past, workers have new incentives in the tighter employment market: Almost half say that a hiring freeze or pause has resulted in them doing more duties outside their job function. In 2022, 60% of workers cited "I'm too busy" as the top barrier to gaining new technology skills, according to Pluralsight. In 2023, that number dropped to 42%, while 30% cited uncertainty in where to focus their efforts as a top barrier.

Cybersecurity Skills Shortage, Recession Fears Drive 'Upskilling' Training Trend

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

The Monster using a mobile device is certainly not the way _Frankenstein_ author Mary Shelley — or even_Young Frankenstein_ screenplay writers Mel Brooks and Gene Wilder — ever envisioned him. But modern times call for a modern creature, and now it's up to you to set the updated scene with a clever cybersecurity-related caption. Our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the April 12, 2023, deadline:

*   Email _\[email protected\]_ with the subject line "Dark Reading March Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

A round of applause goes to Todd Schamberger, information security manager/CISSP at accounting firm Miller Kaplan. Todd's caption (below) hit the nail — er, computer — right on its head. And a big thanks to all who submitted their ideas!

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: It's E-Live!

Threat actors are using legitimate network assets and open source code to fly under the radar in data-stealing attacks using a set of custom malware bent on evasion.

A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.

According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments. But Naplistener — along with other new types of malware used by the group —appear "designed to evade network-based forms of detection," says Jake King, Elastic Security's director of engineering.

So, don't sleep on that defense-in-depth strategy.

Researchers observed Naplistener in the form of a new executable that was created and installed on a victim network as a Windows Service on Jan. 20. Threat actors created the executable, Wmdtc.exe, using a naming convention similar to the legitimate binary used by the Microsoft Distributed Transaction Coordinator service.

**A Focus on Detection Evasion**

Naplistener is the latest in a series of new types of custom malware that Elastic researchers have observed REF2924 using in its attacks that support a particular focus on evading network-based detection, King says. What these new malware families all have in common is not only that they are based on open source technologies but also that they use familiar and legitimate network assets to mask their activities.

"A consistent theme to all these capabilities is the intention to hide in legitimate and expected forms of network communication, and \[they\] are installed to resemble the underlying services they abuse," King notes.

While other threat groups also adopt these approaches with custom malware, they do so "less often, and less consistently" than REF2924, he notes, demonstrating that REF2924 is betting heavily on avoiding detection for success.

"A unique observation of this threat actor is in the deep focus of evasion tactics," King says. "While many threats masquerade in similar ways, this threat pursues the methodology to an extreme and consistently uses these methodologies."

**Custom Malware at a Glance**

In addition to Naplistener, which mimics the behavior of Web servers on a network to hide itself, REF2924 also is wielding custom malware that Elastic Security tracks as SiestaGraph and Somnirecord, among others. The former is notable for using Microsoft cloud resources for command and control to evade detection, and the latter masquerades as DNS protocol traffic, King says.

"Organizations in the observed regions of impact who rely strictly on network-based methods of detection will struggle to identify these malware families," he adds.

Specifically, Naplistener creates an HTTP request listener that can process incoming requests from the Internet, read any data that was submitted, decode it from Base64 format, and execute it in memory, the researchers said.

As mentioned, it evades victims' attempts at network-based detection by behaving similarly to Web servers, operating between legitimate Web users and resembling normal Web traffic. It does this all without generating Web server log events, the researchers said.

Naplistener also relies on code present in public repositories for a variety of purposes, and it appears that REF2924 may be developing additional prototypes and production-quality code from open sources, they added.

**Going Beyond Network-Level Detection**

Because REF2024 is so focused on avoiding network-based detection methods, enterprises in its crosshairs can avoid compromise by the group primarily by prioritizing endpoint-based detection technologies, more commonly known as endpoint detection and response (EDR), King says.

Indeed, while EDR is not a new security strategy for many organizations in the US, in the region of the world where the group is operating, it is still in early stages of adoption, he says. This exposes these organizations to risk from the custom malware that the group is deploying.

"Organizations which rely on network technologies to detect threats will face significant challenges, and those are compounded relative to the complexity of their networks," King says. "In short: The more connections and types of connections, the harder it is for organizations to monitor them effectively; this is relatively quickly addressed with another host-based form of visibility."

Another technology that organizations can deploy to combat malware that can evade network-based detection is egress filtering, or limiting the kinds of outbound network communications they permit, King says.

However, he adds, "this is not a particularly scalable approach once an organization reaches a significant size, due to the large number of egress points they manage and the diversity of legitimate communication methods."

Custom 'Naplistener' Malware a Nightmare for Network-Based Detection

Third-party breaches have a wide effect that legacy security practices can no longer detect.

Cybersecurity is a huge priority for the federal government, from President Biden's Executive Order 14028 to the National Cyber Strategy, but there's still one major gap in their net: third parties. In fact, nearly 60% of all data breaches are initiated via third-party vendors, which are often undetectable by the usual outward-facing approach to security until they have reached the perimeter of an organization.

The Transportation Security Administration's (TSA) no-fly list hack is the latest example of the massive risk that a third-party leak can have on federal cybersecurity. Data breaches in third parties cast a wide net of effects across the private and public sector alike, which legacy cybersecurity practices can no longer detect. As the Biden administration determines its cyber path, it is imperative that we all take a step back to look at the expanding security perimeter.

**The Effects of Third-Party Data Risk Are Far Reaching**

With more data being shared every day outside typical security perimeters, a single third-party data leak is enough to cause a devastating breach that can take down anything from the largest company to the most critical federal agency. Visibility is the primary culprit at play with third-party risk. In fact, the average organization shares sensitive data with 583 third parties — a staggering number of possible attack vectors to monitor. For the US government, this means contractors, vendors, other agencies, and more.

The effects of the expanding digital supply chain and weak visibility combine to open a variety of risks. SolarWinds is the most notorious example of a third-party supply chain hack, affecting not only organizations that used the software but also their network of customers and partners. The reach of this impact is especially important to consider for the federal government, where agencies play host to both critical and sensitive data for the nation and its citizens. Protection from a chain reaction of data compromise can only come from regularly updating security practices and technology.

The US government is making consistent strides to undergo a digital transformation — and this must expand to cybersecurity in the face of third-party risks. It cannot rely on legacy cybersecurity standards. Today's threats require always-on system security technologies and practices. Questionnaires, policies, and process reviews are ineffective in the new digital landscape.

**Preemptive Cybersecurity Combats Third-Party Risk**

To be effective, a third-party risk strategy must be preemptive. It is fairly common practice to review security policies, along with past security incidents and remediations of potential vendors, to predict future risk. However, this is not enough — it is merely reviewing a plan of prevention and attack.

It is, of course, imperative to make informed decisions regarding third-party relationships by researching organizations and their areas of possible exposure before committing to share data with them. Part of this evaluation should be understanding their dedication to visibility and strong security hygiene. Though scanning for malicious behavior is an important step, negligence also plays a major role in security vulnerabilities, and partners should be evaluated on how up to date their practices are.

Implementing contracts for existing partnerships can help address any found weaknesses. Those that fail to comply with security standards can be dealt with by enforcing clawback clauses and integrating supply chain penalties for data leaks of confidential information.

From there, it's important to maintain that preemptive security posture through ongoing monitoring and risk assessment. For part of a larger third-party life cycle management plan, helpful tools include automated risk management platforms, regular real-time risk assessments, and tools (such as external attack surface management, or EASM) for continually discovering, inventorying, classifying, prioritizing, and monitoring sensitive external assets within an IT infrastructure. \[Note: The author's company is one of many that offer EASM.\]

Most private and public organizations recognize the importance of cybersecurity, yet there are surprisingly still some laggard industries, and this poses a strong threat to federal cybersecurity. As we see more cyber priorities rolling out from the federal government — and better security practices trickling down to vendors through Cybersecurity Maturity Model Certification (CMMC) — we can hope to see more initiatives around these growing issues in the future. With the TSA no-fly leak behind us, third-party data protection should take a top spot in federal cyber priorities.

Source

DARKReading