Over the weekend, cybercriminals laid the groundwork for Silicon Valley Bank-related fraud attacks that they're now starting to cash in on. Businesses are the targets and, sometimes, the enablers.

Right now, hackers are developing phishing campaigns that capitalize on the news of Silicon Valley Bank's failure.

SVB was the 16th-largest bank in the United States, known primarily for servicing Silicon Valley startups and technology companies, including such name brands as Buzzfeed, Roblox, Trustpilot, and Roku. A chain reaction beginning with global inflation and ending with a run on deposits saw regulators shut down the bank on Friday.

SVB customers panicked over the weekend, unsure if they would recoup their deposits. And, right on cue, "hackers are exploiting the SVB situation to prey on people's emotions," Ironscales CEO Eyal Benishti says. "They're incorporating SVB-relevant content into their existing, proven tactics that create a sense of urgency when their victims are distracted and less alert."

Indeed, analysts have picked up on a wave of SVB-related attacks this week — phishing and otherwise — with dozens of new threats arising daily. And, unfortunately, perfectly legitimate companies are actually, unwittingly, helping the attackers along.

**SVB Phishing Campaigns**

Oren Koren, CPO and co-founder of Veriti, saw the data start to flow in right away. "Hackers started on March 10 and 11, buying domains that are very close to domains related to SVB," he says. The domains reference payments, or a bailout, or try to mimic legitimate SVB domains — such as, Benshiti says, "svblogin\[.\]com" and "login-svb\[.\]com". Sometimes, hackers take a less tactful approach — something like "wefinancesvbclients\[.\]com."

Koren observed as the perpetrators, having registered their lookalike domains, created and tested their phishing attack flows. "Before you deploy, you create a phishing process, and then you test it on yourself to verify it works," he explains.

In one case, a malicious actor tipped their hand by clearly testing their infrastructure from Turkey. "That was a mistake, and that's why we know he started there, and then eventually moved to target the US," he notes. In all, Koren has observed attacks from two major groups, in addition to some smaller entities.

As of this writing, Veriti has tracked more than 62 new domains registered for SVB-related attacks, and 200 phishing attacks in all, primarily against targets in the United States (understandable, as most of SVB's clients are US-based companies).

Source: Veriti

Source: Veriti

That hackers capitalize on important news stories is nothing new — it's a pattern that repeats itself time and time again. What's interesting and somewhat unique to this case is how the public may be inadvertently helping the offenders achieve their goals.

**How We're Making It Easy for the Hackers**

The analysts who spoke with Dark Reading emphasized the many ways in which the public response to SVB is actually making hackers' jobs easier.

Koren made note of websites like affectedbysvbornot.com and svbmeltdown.fyi, which have been publishing lists of customers affected by SVB, and how badly they were exposed. "It's important from a publication perspective," he admits, "but for attackers, those services allow them to know better whom they should target." Attackers can use specific details from these websites to help legitimize their phishing emails, or scale ransom payments according to how much money they see these companies stowing away in their coffers.

Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, points to an even more subtle problem. As SVB customers shift to other banks, they're having to inform clients and vendors about new channels for payments. Those notifications, sometimes, aren't so distinguishable from phishing.

Take the perfectly honest email below — a vendor notifying clients that, due to SVB's failure, payments should be sent to a new bank account. "As a result of that news," it reads, "we are asking that _**with immediate effect**_ your Company's payments that we previously directed be paid to Silicon Valley Bank, now be paid in accordance with the **attached** letter from our Finance Department."

Source: Proofpoint

"So actually, the email is extremely unhelpful," Kalember explains, "because even if it provides the right account details, it looks so much like phishing," from the language right on down to the minor details. "It even looks extremely malicious, because of the .docx.pdf."

**How to Prepare for the SVB Fraud Onslaught**

Kalember had to deal with this payment problem first hand — not just from a security analyst's perspective — since his own company had limited exposure to SVB. When notifying relevant clients, he advises a more careful approach. "What the email should say is: 'Please call us in a pre-recognized fashion, to an official and indisputably legitimate phone number. And we will discuss kind where we should go from a payment perspective going forward.'"

To address the broader issue of SVB-related attacks, Benishti highlighted the need for a security-forward culture, and reviewing internal security processes. "Companies should also have robust systems in place," he says, "to detect fake login pages and prevent credential harvesting, which will be a featured play with SVB-related scams."

Koren thinks the solution is even simpler. He gave an example of one organization that's already targeted in an SVB phishing campaign. "They had anti-phishing in their mail security," he points out, alongside robust endpoint and network security solutions. "Unfortunately, in this case, their security was not maximized. The phishing email got through. They have all the technologies necessary to protect from those kinds of attacks, they specifically just hadn't used it, because they were not aware that they have a technology to do anti-phishing."

Most organizations, Koren says, are in a similar position. "So the goal is to maximize what you have, from a security perspective, or use automations and AI just to do that." As SVB-related campaigns continue to rise, companies will certainly need to maximize what security they already have.

Analysts Spot a Wave of SVB-Related Cyber Fraud Striking the Business Sector

Protection laws are always evolving. Here's how you can streamline your compliance efforts     .

In the coming months, data protection laws will continue to evolve and strengthen, requiring organizations to refine their data protection policies and demonstrate how they safeguard customers' information. As part of the changing mandates, cybersecurity frameworks will also refine customer data retention regulations.

Understanding the ongoing changes to data privacy regulations is challenging enough for chief information security officers (CISOs) and their teams. Implementing the needed changes as they occur only adds complexity and confusion. This article explores changes to consumer privacy regulations and describes ways companies can streamline their compliance efforts.

This year, the US Department of Defense is expected to enhance its national cybersecurity standard for all contractors working with the federal supply chain and handling controlled unclassified information (CUI), and mandate Cybersecurity Maturity Model Certification (CMMC) program requirements. While this mandate does not directly affect many enterprises, the ruling will certainly affect other organizations that conduct indirect business with the federal supply chain, as well as those in the private market, requiring them to meet changing data protection laws that are pivotal to businesses' daily operations.

Additionally, the California Consumer Privacy Act (CCPA), one of the country’s more stringent consumer privacy laws, will introduce enhanced rights for individuals wishing to change their personal data or opt out of marketing and third-party communications — an important consideration given the many recent third-party data breaches. Businesses must therefore establish more rigorous policies and processes to protect their systems and the critical data stored on them, and ensure those processes are well-understood and enforced.

Prescriptive cyber regulations around data protection can be an asset to businesses. They help strengthen their brand reputation, given their focus on protecting user data and keeping the company safe from attacks. But because increasing regulation further stresses already constrained security, risk, and IT resources and steepens the learning curve, the negative aspects of these changes often can overshadow the benefits they offer.

**Proactive vs. Reactive Measures: Which Approach Is More Effective?**

As the frameworks accompanying cybersecurity mandates and compliance guidelines are also refined, many now encourage (and sometimes mandate) that businesses transition to a proactive, risk-based approach that establishes their liability based on the type of data they collect and how it's used. At the same time, many data-centric cybersecurity frameworks are pushing the industry toward proactive prioritization and risk-ranking gap analysis to enable an accurate measure of system risk while reducing required resources and time for compliance. This collision of data privacy concerns and the associated cybersecurity framework regulations are overwhelming for companies trying to strengthen their security and compliance posture.

Proactive risk prioritization based on comprehensive, contextual, and historical threat intelligence coupled with active control over the enterprise can alleviate many of the compliance headaches CISOs face. To achieve this, I recommend that CISOs and their teams take the following steps:

**1\. Understand how your enterprise is using data.** The growing volume of data that companies collect brings a greater need for asset-aligned contextual cyber intelligence that reveals what data is needed for day-to-day operations and how that data is used. Technology solutions are available that facilitate comprehension, but gaining an accurate understanding requires an audit approach. CISOs and other leaders must consider and define the company's BAU (business as usual) processes to understand what data is needed for standard day-to-day operations. By doing this, companies can set a solid policy around what and how they use certain data types.

**2\. Conduct a thorough risk assessment.** A full-scale cybersecurity risk assessment weighs risks both within the organization and across the supply chain against the effectiveness of core security controls that protect data. This step is critical given the high-profile software supply chain vulnerabilities in recent years. Incidents like the notorious SolarWinds breach, and many others like it, provide evidence of the importance of paying close attention to third-party risks to secure an organization's systems, networks, and data.

**3\. Quantify cyber-risks.** Typical enterprise risk assessments prioritize risks with generic "high," "medium," or "low" ratings, pointing to the likelihood of that risk becoming an attack and the resulting impact. However, more is needed to quantify a company's risk. For example, where does the company have a presence online? How widespread are its vulnerabilities? What assets are at risk? Also, how resilient is the organization in maintaining business as usual if an attack occurs? How much would an attack cost the enterprise?

A quality threat intelligence solution identifies and enriches measurement of an enterprise's vulnerabilities and helps entities safely prioritize which gaps to address. \[Note: The author's company is one of many that offer threat intelligence services.\] Such threat intelligence can help security teams understand which business sectors are more at risk and the organization’s posture, and whether cybercriminals are targeting a particular business or software, including their own. Any area of a business or its suppliers can be a target, such as a retailer's point-of-sale systems. Threat intelligence can reveal hundreds of posts on Dark Web forums about plans to target these critical systems, for example, and alert the retailer to tighten security and prevent attackers from gaining access to business systems or customer data well before an active attack begins.

**4\. Define a measurable, consumable security awareness policy.** Measuring the effectiveness of a security awareness program requires knowing if employees, business partners, third-party suppliers, and others fully understand and follow the company's security policies. Keeping track of cyber incidents and how they are handled can reveal how well the company communicates, trains, and enforces these policies to people on the front line, a company’s greatest vulnerability. Additionally, a robust security awareness policy requires the organization and its vendors’ cooperation, which should be clearly articulated as part of any formalized agreement.

As the amount of data companies consume and process continues to grow and malicious actors find more sophisticated ways to access that data, tightening data privacy regulations makes perfect sense. Yet the added burden of continually meeting ever-changing compliance requirements can seem near impossible to over-stretched teams.

By following these steps and putting proactive intelligence and analysis in place, companies and their employees, partners, and customers all come out ahead — which is good for business and good for society.

Meet Data Privacy Mandates With Cybersecurity Frameworks

The new malware was discovered targeting three banks in Brazil.

Another Android banking Trojan with the capability to make instant unauthorized money transfers is targeting Brazilian banks as part of a growing trend among threat actors to exploit a new automated payment system in Latin America.

The new GoatRAT — like BraxDex, Senomorphy, and PixPirate before it — steals the Pix key of the mobile devices it targets to make instant payments from compromised accounts, researchers from Cyble revealed in a blog post. Attackers behind GoatRAT use that key to access the Pix payment platform, created and operated by the Brazil Central Bank for users to make instant mobile payments across Latin America using a variety of banks.

So far, the Cyble researchers have observed the RAT — which they said was created first as an Android remote administration tool to take control over victims' devices — targeting three Brazilian banks: NUBank, Banco Inter, and PagBank.

Making automated transfers appears to be the sole aim of the Trojan, which unlike similar malware doesn't include the ability to steal authentication codes or incoming SMS messages, according to the findings.

The malware is part of a growing trend by threat actors over the last six months to create more sophisticated banking malware that includes an automatic transfer system (ATS) framework, "allowing attackers to conduct unauthorized money transfers on infected devices," the Cyble researchers wrote.

"This new variant highlights that in the current technological landscape, there is an elevated risk of cyber attacks that do not require multiple permissions or many banking trojan functionalities to execute financial fraud," the report said.

Indeed, mobile banking Trojan deployment overall is on the rise, with nearly 200,000 new variants of this malware emerging in 2022, according to Kaspersky's "Mobile Threats in 2022" report. This number represents a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.

**How GoatRAT Makes Instant Transfers**

GoatRAT typically uses a four-step process to perform automated transfers once it infects a user's device. The researchers outlined the system used specifically for the Banco Inter mobile banking application; however, the Trojan also has incorporated similar functions to carry out automatic transfers for the other banking applications, such as NUBank and PagBank, that it targets, they said.

GoatRAT first abuses the Accessibility Service on an Android device to verify that the name of the active package matches one of a list of targeted application package names, and then deploys a further infection.

Once the targeted app is identified, the malware creates a fake banking overlay window that appears above the legitimate application to hide its malicious activity from the victim. This and another covert process allow the Trojan to enter an amount of money to transfer as well as the device's Pix key into the legitimate banking app without alerting the victim, the researchers said.

The malware also introduces an automatic clicking mechanism for the “Confirm” and “Pay” buttons of the legitimate banking app to complete the instant money transfer. Once this transfer is complete, it removes the overlay window from the top of the legitimate banking app and the malicious process is concluded.

**Defending Against ATS Trojans**

Researchers made several security recommendations that go along with typical best practices for downloading and using mobile applications to keep devices free of infection from Trojans and other malware that not only can steal funds but also spread to enterprise networks through connected devices.

Mobile device users should only download and install software from official app stores like Google Play Store or the iOS App Store, and use a reputed antivirus and Internet security software package on all connected devices, including not only mobile but also on PCs and laptops, the researchers advised.

They also recommended users never share details for payment cards with untrusted sources and use strong passwords and enforce multifactor authentication (MFA) on mobile devices wherever possible. Further, implementing biometric security features such as fingerprint or facial recognition for unlocking their mobile devices wherever possible, is key, the researchers said.

Other commonsense security rules that researchers advised but which users often ignore are to keep devices, operating systems, and apps updated, and avoid opening links received via SMS or emails delivered to mobile devices. Users should take care when enabling any permissions on devices, and ensure that Google Play Protect is enabled on Android devices, the Cyble researchers added.

GoatRAT Android Banking Trojan Targets Mobile Automated Payment System

The sooner CISOs become proactive in understanding the flip side of the organizations they protect, the better they'll be at their jobs.

Not too long ago, cybersecurity was seen as something separate from the rest of a business (think two guys in hoodies working in a separate room). But in the past decade, it has finally received well-deserved and long-needed recognition and attention. An increasing number of companies are hiring chief information security officers (CISOs) to help shape their overall business strategy, making security a top priority for corporate boards of directors. On their end, CISOs are starting to understand and outline the role of security as a business enabler, not as a department of "no."

Things are evolving, and it is exciting to witness these changes, although there seems to be an important gap.

Much of the discussion about the evolving place of security in business is centered around the role and ever-expanding responsibilities of CISOs: recruit and grow high-performing teams, build relationships with leaders from other departments, communicate and manage up and across, enable the business to achieve its goals and objectives, and the like. What is missing in most of these conversations are security practitioners and how important it is for them to understand the business side of security.

There are two important reasons why having CISOs be the only people who think about business won't work well: 1) Without an understanding of the business, it is hard for security practitioners to do good work securing it; and 2) without an understanding of the business side of cybersecurity, it is hard for technical security professionals to be effective in building the future of the industry. Let's take a closer look at each of these factors.

**You Can't Secure What You Don't Understand**

Every organization's environment is different. There are different tools and applications used by employees, different ways people collaborate, different types of data companies collect, and most importantly, different crown jewels that need protection. Many (I would even say most) of these differences are direct results of the business the company is in. A fridge manufacturer has different types of risks and different types of parties with access to its data than a marketing agency or a biotech lab would.

Every day, security professionals are making decisions that impact their organization's security posture; they cannot rely on CISOs to be the only people with critical knowledge about the business. Understanding how the company generates revenue, how salespeople share information with one another and with their prospects, how finance teams access information when working remotely, and how vendors get paid is critical to properly securing the organization's environment. Statistically, it is more likely that a company will suffer a breach because of how some department has set up its business process, not because of the latest zero-day found by Apple (although learning about the latter might rightly be more exciting).

**You Can't Innovate What You Don't Understand**

Not all security practitioners should become entrepreneurs, but some inevitably will. Future cybersecurity founders typically spend many years in the industry before finding a painful problem worth solving and building a determination to go do it. This means that by the time they launch a startup, security entrepreneurs have a deep understanding of the technical side of the industry. Unfortunately, the same isn't true about the business side of cybersecurity.

Staying curious, asking questions, and building relationships with people from other parts of the company helps future founders and security leaders with the following:

*   Understanding how the purchasing process in organizations works, who is involved, and how the decisions are made.
*   Building an understanding of what areas of a business are being overlooked by current security solutions, and what problems haven't been solved yet.
*   Developing a broader view of what it takes to run a company, and how different functions contribute to the overall success.
*   Getting a broad view of different types of companies, different revenue models, and organizational structures, and how these factors impact business outcomes.

While understanding the business of the organization one is trying to protect is critical to building the right defensive measures, knowing what the business side of cybersecurity looks like is useful to make sure that founders won't get excited about technology so much that they forget that there needs to be a sustainable business model for the company to grow.

**Looking Into the Future**

There was a time when software development was where security is today, with engineers not having to think about the business side of things. A product manager would bring the requirements, and developers would turn them into working software without asking any questions. Nowadays, product development is seen as collective problem solving — developers, designers, and product managers work together to achieve business goals. For that, product people need to understand the basics of technology, and engineers need a strong grasp of the business their company is in.

The sooner security practitioners become more proactive in understanding the business side of the organizations they are hired to protect, and the industry overall, the better they will be able to do their jobs, and the more likely they are to build the innovations that change the way things work in the industry for the better. While nobody will expect them to get MBAs, every security practitioner would benefit from getting some visibility into areas like marketing, sales, customer service, finance, operations, and the like. After all, business processes are where many vulnerabilities come from.

Why Security Practitioners Should Understand Their Business

Smaller firms are boosting cybersecurity budgets, but there's a long way to go to address a deep lack of cyber preparedness among SMBs.

Nearly half of small and midsize businesses (SMBs) plan to spend more on cybersecurity in 2023 — which is a good thing given that six in 10 firms (61%) have no dedicated cybersecurity staff, about half (47%) have no incident response plan, and 40% fail to conduct formal awareness training.

That's according to a survey of IT professionals at SMBs with 250 to 2,000 employees from Huntress, published on March 15, which found that while respondent organizations deploy a variety of cybersecurity products — such as email security (86%), endpoint protection (79%), and network protection (73%) — they tend to forgo "basic defensive measures," such as supplementing workers' password security with two-factor or multifactor authentication — a recommendation recently made by the US Cybersecurity and Infrastructure Security Agency (CISA). 

"A significant number of these businesses feel either unprepared, understaffed, and/or under-resourced for responding to evolving threats, and a significant number face challenges in securing cyber insurance coverage and proper security awareness training for their workforces," the Huntress report stated, adding that "midsize businesses are aware of the need for multiple cybersecurity layers, \[but that\] notable gaps exist in their current tools and planning processes."

To boot, a full third (34%) of respondents said they didn't believe they could detect advanced threats.

"There's a percentage out there that doesn’t know they're actively being targeted or have already been compromised," says Roger Koehler, CISO at Huntress. "Visibility is key for these businesses, as threat actors can be sitting in their networks for weeks or even months finding footholds and collecting information before they execute their attacks."

The Huntress survey found that 14% of this business segment had confirmed an attack in the past year, while another 10% of those IT professionals surveyed were not sure whether a cyberattack occurred. Given that there are about 6 million businesses with 250–2,000 employees in the United States, those numbers can add up.

**Additional Cyber Spending on the Way**

The report did offer some good news: Huntress also found that 49% are planning to spend more on cybersecurity in the coming year to address the shocking need for more knowledge and preparedness. The fact that so many SMBs are taking a proactive approach going forward, rather than reacting to attacks, is hopeful, Koehler says. That said, sourcing the right staff will be the biggest challenge for figuring out how to spend that budget.

"Midsize businesses aren't just waiting until they face an incident to respond, but are actually investing in preventative measures that will stop the attacks in the first place," he says. "However, you can't put a dollar value on having the right people on your team that have the skills to fight off attacks — and that's where midsize businesses could improve." 

As of last fall, there were more than 700,000 openings in cybersecurity jobs, a 43% increase over 2021, according to CyberSeek. And with cybersecurity pros facing burnout and dissatisfaction, finding people to hire is tougher than ever.

The combination of more budget and a tight market for knowledgeable cybersecurity people will lead to strong growth in managed cybersecurity services, according to an October analysis by consulting firm McKinsey. The company's consultants argue that half the market will go to managed security service providers (MSSPs) and security-and-operations management.

"Across all segments, forecasted changes in allocated security spending is increasing as a percentage of services between internal and third-party services," McKinsey stated in its analysis. "So long as talent remains a problem, outsourced services will be essential for companies that need to support strong security outcomes."

SMBs Orgs Want Help, but Cybersecurity Expertise Is Scarce

Organizations are coming under pressure to protect their data, but does all data need the same security? To secure it, you first need to know what and where it is.

Let's start by examining those two broad-brush data categories: structured and unstructured.

Structured data refers to the data resident within relational databases, often presented via customer relationship management (CRM) systems and corporate applications. Tables and rows of related information in limited formats, structured and only accessible to users with suitable authorization.

Unstructured data is much less easy to ring-fence, being comprised of all the different, unrelated files present on end-user devices. The data is stored in a wide array of locations locally, across the network and in cloud-based services. When considering all these formats and types on local and network-based devices, it is easy to see how vital it is to include all this data into the overall data security equation. Omdia estimates that as much as 80% of an organization's data is resident in this unstructured category.

Now let's consider how all the data needs to be protected.

Due to the general level of sensitivity of structured data (personally identifiable information, payroll, financials, legal, etc.) security strategies will often focus on this tier. Organizations typically separate and secure the various types of data here. However, even these measures are potentially far from sufficient to protect against a determined hacker. Can any organization really say with confidence that it is adequately protected when the next attack could be from an entirely unknown quarter?

Questions of security robustness aside, for structured data, organizations do tend to treat data differently, considering the actual content (and risk to the business if it were lost) and thus appropriate controls are reasonably applied.

Given the sheer volumes, can it be said that unstructured data receives proportional (or even anything like) the same consideration structured data receives? The answer is most likely "no."

First, let's ask a more fundamental question. Can an organization, hand on heart, say it even knows where all its unstructured data is? Most organizations may struggle here. File authors may have difficulty remembering a specific file or what they did with it, or even may have left the business altogether.

This then presents this challenge: "If the organization doesn't know where a file is or what it contains, how can it be protected?"

**Discovery Solutions**

Data discovery solutions can make retrospective retrieval more palatable, but it's better to be able to classify documents at time of creation and then store them clearly and appropriately according to their value (or risk) to the business.

Omdia argues that the authors of these documents are best placed to apply a suitable mark, but artificial intelligence (AI) tools can also be employed. Today, organizational culture tends to determine if the preference is for a user or AI-centric approach. Either way, a visual and a similar embedded mark classifying the document, working in tandem with a data loss prevention (DLP) tool, will not only indicate the sensitivity of the document and with it how it should be handled, the labels will also dictate how the document can be distributed. This is the foundation to protecting unstructured data.

A consideration here. Adopting a one-size-does-not-fit-all approach does get granular quite quickly when considering all the different types and levels of data sensitivity circulating within a business. This is a necessary part of the planning process, however, and clarity and time taken to construct a hierarchical data framework at this stage will bear dividends later. Thorough and well-defined data type definition and a prioritization strategy mapped across all the various data types will not only deliver enhanced security, but also ensure that if, or when, an attack occurs, the regulators can be subsequently assured that every possible measure was in place to preserve the security of an organization's data, and, moreover, that all data was being handled in the right way. It is also worth considering at this point that highly restricted, legally sensitive data one day can become public information the next.

In terms of working with end users, views about this group and security of any type are highly polarized. Omdia firmly believes in thorough cybersecurity training for the workforce. It is vital to include users in an organization's security posture, employing them as a resilient part of the data security defensive fortification rather than sideline them as a part of the problem. Cybersecurity training is vital, but it should be ongoing and frequent to create a "security culture" within the organization.

No organization can claim to be 100% secure against the ever-evolving threat landscape. By working to understand data and accordingly implementing appropriate security controls across the varying types and sensitivities, together with proactive involvement of the end users, both the impact of unauthorized or malicious data loss can be mitigated and expensive costs associated with a blanket data security approach can be avoided.

Are We Doing Enough to Protect Our Unstructured Data?

Organizations will likely have until the end of 2024 to gain visibility and control over their keys and certificates.

Google is proposing to reduce the life span of digital certificates used to secure websites and other online communications to just 90 days. Currently, public Transport Layer Security (TLS) certificates have a maximum validity of 13 months, or 398 days.

Certificate authorities issue TLS certificates (also called Secure Socket Layer, or SSL, certificates) with an expiration date. The life span of these certificates have been shrinking over the last few years, since frequently cycling them makes it harder for attackers to use fraudulent certificates.

In the Chromium Project's “Moving Forward, Together” roadmap, Google suggested the change to 90 days could be made either in the form of a future policy update or as a CA/B Forum Ballot Proposal. If the CA/B Forum, a consortium of browser makers, certificate authorities, and other stakeholders in the digital certificate ecosystem, doesn't formally make 90 days the industry standard, Google can unilateral force this change on the industry by making the shorter validity period a requirement for the Chrome root program. Browsers control their own root program requirements, so browser makers don't have to wait for formal rule changes from the CA/B Forum. By virtue of Chrome's market share, if Google makes this change for Chrome, that makes it a de facto standard that every commercial public certificate authority would have to follow.

The impact goes beyond browser makers and certificate authorities as organizations will need to renew their digital certificates more often. The process, if handled manually, can be a brittle process, as it involves identifying certificates about to expire, getting new ones issued, revoking the old ones, and deploying the new certificates. With the new validity period, IT security teams will have to handle renewals four times a year for each certificate -- an arduous task considering most enterprises have many certificates and that number is growing rapidly.

Google did not provide a specific timeline in its roadmap but based on how the changes have unfolded in the past, the new validity period will likely take effect by the end of 2024, which gives organizations time to gain visibility and control over their keys and certificates.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Proposes Reducing TLS Cert Life Span to 90 Days

Patch Tuesday turned security updates from chaotic events into a routine. Here's how we got here and where things might be heading.

On Oct. 9, 2003, Microsoft CEO Steve Ballmer announced that the company would issue security patches only once a month to "reduce the burden on IT administrators by adding a level of increased predictability and manageability."

Two decades later, Microsoft continues to issue its security updates on the second Tuesday of every month, with occasional exceptions for emergency situations. Many other companies, like Oracle and Adobe, follow similar rules.

Patch Tuesday turned risk management into a monthly appointment, but like many innovations it was founded from crisis. At the beginning of 2002, shortly after the world experienced two of its first cyber doomsdays, Code Red and Nimda, Microsoft decided to change its philosophy around security. The two worms, which infected hundreds of thousands of machines in a matter of hours, exploited vulnerabilities for which patches were available.

"The problem was not that we weren't building patches; the problem was that people weren't deploying them quickly enough," says Christopher Budd, who was with Microsoft from 2000 to 2010 and is now a senior manager for threat research at Sophos.

At that time, the trauma of 9/11 was palpable in North America, and there was a growing concern within Microsoft regarding security. On Jan. 15, 2002, Bill Gates sent his famous Trustworthy Computing memo, highlighting the importance of protecting customers and their systems.

One way to improve security was to change how patches were delivered. So instead of announcing them unpredictably, on a ship-when-ready basis, several times during a week, Microsoft began to stack them together to make it easier for customers to keep up.

At first, the idea was implemented as a "silent pilot project," Budd says. But as it showed promising results, it was soon made official. The first official Patch Tuesday report was published on Oct. 14, 2003, and it included seven vulnerabilities, five of which were seen as critical.

"Tuesday was the earliest day in the week that we felt we could sustainably offer these," says Budd, who helped build Patch Tuesday.

This fixed-schedule approach has become a standard industry practice. But the road was not always smooth.

**The Early Days of Patch Tuesday**

Throughout the years, Microsoft has evolved and refined its approach to security patches, adapting to changing threats. Notable worms that followed Code Red, such as Sasser and Blaster, helped Patch Tuesday to grow and eventually mature.

Budd and his colleagues in the Microsoft Security Response Center, who "suddenly became incredibly important" after the Trustworthy Computing memo, tried to make improvements around patch deployment and detection. One key achievement was to build tools that enabled admins to do a scan and identify the systems that needed security updates — an idea that, while simple, proved to be a game-changer.

The entire process of releasing patches required extensive work, particularly on the Monday before Patch Tuesday, when everything had to be checked. Security experts put in long hours, missed birthday parties, and even showered in Microsoft's headquarters because they didn't have the time to go home.

It is why the releases of the bulletins were celebrated with music blasting over loudspeakers. "When the bulletins were live, it was a big deal for us," says Dustin Childs, who was with Microsoft between 2008 to 2014 and is now the head of threat awareness at Trend Micro's Zero Day Initiative.

Typically, the music was picked by the release manager for that bulletin. "I remember one month it was Klingon music, but it was usually rock and roll," Childs says.

Occasionally, soon after the music stopped, chaos would ensue because some patches caused unintended consequences. One notable incident happened in February 2010, when thousands of customers reported blue screens almost immediately.

When security experts in Redmond heard about the issue, they tried to replicate it but were unsuccessful. For the lack of a better solution, Microsoft bought the computer of a customer who called a support center near Dallas to report the issue.

"And as soon as we got that computer, we found that it had a rootkit installed in it," Childs says.

The Alureon rootkit made modifications to Windows Kernel binaries, which caused the systems to be unstable. The company reissued the patch and fixed the problem.

"The really funny part, though, was that the people who made the rootkit figured it out faster than we did, and they had updated their rootkit to avoid the patch within 48 hours \[of the release\]," Childs says. "It took us a week to fix it!"

And it wasn't the only bizarre episode in Patch Tuesday's history. For instance, Childs remembers that an Internet Explorer patch crashed online banking in South Korea, while a Windows Media Player patch broke an entire country — twice.

"For some reason, on systems in Denmark, it blue-screened," he says. "So we had to recall that patch, fix it and re-release it. And then, the very next month, the same thing happened again. I don't know what was specific about the systems in Denmark."

Even today, some patches released by software companies in general, not just Microsoft, can cause issues, which can be frustrating for those installing them. Childs argues that if vendors improve the reliability of these fixes, customers might be more willing to apply them promptly, as opposed to waiting weeks or months to see if others experienced issues.

Taking the waiting approach can be risky, as it leaves their systems vulnerable to known vulnerabilities. It is why Childs recommends users apply patches as soon as possible. He also tells them to call attention to poor-quality patches.

"Let's hold vendors accountable," Childs says. "Let's make sure that they're producing good patches."

Aanchal Gupta, deputy CISO at Microsoft, says the company is doing "extensive testing" of patches.

"Before we issue any patch to our customers, it goes through rigorous testing not just within Microsoft. ... \[W\]e also have a set of beta testers, external companies, and they get the patches early on before these are actually made public," she says. "They can test in their environment and report back to us whether there is something unique in their environment which could make the patch not work."

**Patch Tuesday Today**

Patch Tuesday has come a long way since those early days when Klingon music blasted from the speakers. Over time, the releases have become quieter and even automated, becoming invisible to some users.

In the past decade, Microsoft has made several changes to streamline the process. In the mid-2010s, for instance, it announced cumulative updates so that a customer who missed, for instance, five patches only needed to apply the last one because the other ones were included in it. The company also launched machine-readable Security Update Guides, which meant that organizations with huge fleet deployments could rely on automation.

But not every change was welcomed by the community. When Microsoft decided to eliminate security bulletins and replace them with Security Update Guides, customers complained that the information they received was less intuitive. Something similar happened in the fall of 2020, when the tech giant removed executive summaries that included detailed information on vulnerabilities. Once again, many in the industry argued that they didn't receive enough information, which made their decision-making processes difficult.

That was "probably the most disruptive" decision Microsoft made, says security researcher Claire Tills. "I know some defenders also really had trouble with that."

More recently, in 2022 Microsoft took yet another step toward making Patch Tuesday a regular Tuesday, when it announced Autopatch, which promised to ease the process of addressing vulns for customers with Windows Enterprise E3 and E5 licenses. The move made organizations wonder whether Patch Tuesday as we know it might disappear — a rumor Microsoft denied.

The publicity around Patch Tuesday is getting smaller and the number of Patch Tuesday vulnerabilities may have peaked. In 2020, a particularly "aggressive year," Tills counted around 1,200 vulns, while in 2022, she saw 663.

"In terms of the types of vulnerabilities, it's consistently elevation of privilege and remote code execution," she says. "Every once in a while, we'll get peaks in information disclosures and security feature bypass — those two also pop up."

But despite the features meant to streamline the process of applying patches, this task can still be daunting for small businesses that can't afford a dedicated tech support team. It is why Gupta recommends these clients to move to the cloud.

"Then you can purely focus on your business and you don't have to worry about patching and managing systems," she says. "I also encourage people to not disable the default upgrades."

But as we transition toward automating the processes, is dedicating one day for updates obsolete?

**Is Patch Tuesday Becoming Obsolete?**

It is hard to fathom a world of cybersecurity without Patch Tuesday, which has been an integral part of the industry for two decades. As threats become more sophisticated and geopolitics becomes more volatile, however, the traditional model of Patch Tuesday may no longer be sufficient to keep systems secure.

Organizations operating in complex environments, such as in those competitive fields or based in hot areas like Ukraine, cannot afford to make mistakes when it comes to patch management. Threat actors often "targeted technical vulnerabilities rather than specific individuals or organizations," says Nazar Tymoshyk, founder and CEO of cybersecurity startup UnderDefense, which has protected several organizations during the ongoing war with Russia.

"The exploitation of unpatched vulnerabilities in technology stacks or outdated Web resources still accounts for 50% of \[Russia's\] success in cyber-intelligence operations," he says.

Tymoshyk believes that Patch Tuesday is still necessary and should not be retired. However, organizations should build on top of it, adopting additional patching routines depending on the size and complexity of their infrastructure or the types of software and systems they use.

Satnam Narang, senior staff research engineer at Tenable, also favors keeping Patch Tuesday alive because routines can help organizations foster a security-focused culture.

"Each week the folks come to pick up the trash from our street, and we know that that's happening every week on a specific day," he says. "The reason why Patch Tuesday is a valuable resource is that it happens every month on a specific day, so it allows organizations to carve out the time necessary to patch these vulnerabilities."

A chaotic patching system might not work, Narang says, because security teams are already overwhelmed. Aviv Grafi, CTO and founder at Votiro, agrees. "Time is of the essence, and we need to focus on leveraging technologies and software that give security teams more time back in their day," Grafi says.

Security researchers also add that continual patch cycles and automatic updates might not always be feasible at enterprise level in some cases. "In the event of a problem, large organizations need to be able to revert systems to a known state, and that requires planning," says David Farquhar, solutions architect at Nucleus.

Patch Tuesday is a crucial element in the routines of many organizations, but despite that, it can be unpredictable. The past years have shown that its structure can change without prior warnings. "Even though Patch Tuesday feels so foundational and so solid, it can change at the drop of a hat," Tills says. "The end of Patch Tuesday could feel disastrous for a lot of organizations."

For the time being, though, it appears that Microsoft will keep the program running. "I wouldn't worry about Patch Tuesday going away anytime soon," Gupta says.

How Patch Tuesday Keeps the Beat After 20 Years

Convergence of two leading cybersecurity companies creates federal sector powerhouse.

**DENVER — March 14, 2023 —** Optiv, the cyber advisory and solutions leader, today announced it has acquired Maryland-based ClearShark LLC and ClearShark Services, Inc. (collectively ClearShark), a premier advisor and top value-added reseller of cybersecurity and modernization technology to the United States federal government. The transaction more-than doubles Optiv’s federal presence, while significantly deepening its bench of government expertise and expanding the breadth of its federal capabilities.

“ClearShark is now the cornerstone of a vibrant Optiv federal business where we will together bring a new level of world-class federal capabilities to the market at scale,” said Optiv CEO Kevin Lynch. “Between the uptick in cyberattacks, the recentBiden-Harris Administration’s National Cybersecurity Strategy and other security regulations, cybersecurity has never been more vital. Together with ClearShark, we are primed to better help federal agencies and contractors ensure a strong cybersecurity posture and build a lasting legacy in the public sector space.”

“Joining forces with the largest pure-play cybersecurity company in the world provides us, our clients and partners with a tremendous growth opportunity. We couldn’t be more excited about this partnership or more bullish on the future,” said Brian Strosser, ClearShark LLC president.

ClearShark Services President Marshall Bailey added, “Leveraging Optiv’s comprehensive suite of cybersecurity solutions and services, we can continue to expand our already dominate delivery capabilities and operate at scale while also providing employees with new career opportunities.” 

The acquisition brings together two leading cybersecurity companies to create a powerhouse partnership that will better serve current and new clients by providing:

*   An expanded federal presence with more direct connections to the public sector.
*   An even broader federal team that builds on the exceptional Optiv service and expertise clients and partners have come to depend on.
*   A vast and comprehensive portfolio of cybersecurity services and solutions, technical capabilities and federal resources.
*   Exceptional relationships with the industry’s leading security technology companies and product manufacturers.

The terms of the transaction are not being disclosed.Holland & Hart LLP provided counsel to Optiv during the transaction.IzenbergLaw PLLC,Fontana Law GroupandPilieroMazza PLLC provided counsel to ClearShark.

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom

**Follow Optiv**

Twitter: www.twitter.com/optiv

LinkedIn: www.linkedin.com/company/optiv-inc

Facebook: www.facebook.com/optivinc

YouTube: www.youtube.com/c/OptivInc

Blog: www.optiv.com/explore-optiv-insights/blog

**Optiv Security: Secure greatness.****®**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

**ClearShark**

ClearShark is an IT solutions provider, comprised of ClearShark LLC (including FedBiz) and ClearShark Services, Inc., focusing on providing cybersecurity, datacenter and cloud infrastructure, AI and data analytics and DevSecOps solutions and services. Our first-class engineering team is made up of mission-focused, results-driven subject matter experts from the intelligence community, Department of Defense and Department of Energy. We are focused and innovative, making investments in technologies we believe in, and being free to pivot and find disruptive technologies. For more information, visit www.clearshark.com.

Optiv More Than Doubles Federal Presence With ClearShark Acquisition

**Brescia, Istanbul,** **Tel** **Aviv,** **March** **14th,** **2023** **—** Camozzi Group, a leading provider of Industrial Automation solutions, and Radiflow, part of Sabanci Holding and a global player in Industrial Cybersecurity and Operational Technology (OT), have announced a collaboration agreement to implement cybersecurity technologies across Camozzi's production sites.

The collaboration between Camozzi Group and Radiflow aims to strengthen the resilience and security of industrial infrastructures in any sector, recognizing cybersecurity as a core strategic business pillar. The risks of OT Cybersecurity attacks aimed at productive systems have become a fast-growing phenomenon in Italy and around the world. The collaboration seeks to identify vulnerabilities and sources of attacks while relying on high-performance risk management systems.

According to Exprivia's latest threat report, the total number of detected threats in Italy was 2,600 in 2022, which is double the number registered in 2021 and four times higher than those registered in 2020. Therefore, it is crucial for enterprises to understand the level of risk exposure and secure their technology systems by adopting advanced software and platforms, as well as through organizational and training models suitable for the new challenges of OT and IIOT (Industrial Internet of Things) security.

The collaboration with Radiflow will enable Camozzi Group to maximize security and stability further. Already characterized by an elevated level of technology reliability, this collaboration reinforces Camozzi Group's commitment to its customers' security and stability.

The partnership between Camozzi Group and Radiflow will undoubtedly lead to strengthened cybersecurity for industrial systems, making Camozzi Group a safer and more secure provider of Industrial Automation solutions.

**About Camozzi Group**

Founded in 1964, Camozzi Automation proposes a product range including components, systems and technologies for the Industrial Automation field, the control of fluids - both liquids and gases - and applications dedicated to the Transportation and Life Science industries.

Camozzi Automation’s offering includes ever more IIoT products and solutions. We work on both the digitalisation of production processes and the creation of real cyber-physical systems, to enable the integration of mechanical, electronic and digital elements, constantly improving process performance and the management of the data chain.

**About Radiflow**

Radiflow is an OT Cyber Security company that has unique tools to protect and manage digital OT assets for the long term. Radiflow works directly with Managed Security Service Providers to oversee the discovery and management of all relevant data security points. Radiflow’s unique pinpoint approach brings the businesses’ team into the fold, trading the industry’s one-size-fits-all approach for a calculated, focused, and secured system without inhibiting communication or productivity. With offices in Europe and the US, Radiflow’s solution is installed in over 6000 sites around the globe.

Source

DARKReading