A Florida man was sentenced today to 133 months in prison for his role in an international telemarketing scheme orchestrated from a call center in Costa Rica that defrauded more than 400 victims — many of whom were elderly — in the United States out of millions of dollars.

Manuel Mauro Chavez, 32, of Hollywood, was convicted at trial in July 2021 in the Western District of North Carolina of one count of conspiracy to commit mail and wire fraud, six counts of wire fraud, one count of conspiracy to commit international money laundering, and six counts of international money laundering. According to court documents and evidence presented at trial, Chavez was a U.S.-based participant in a fraudulent scheme in which telemarketers based in Costa Rica falsely posed as U.S. government officials and contacted victims in the United States to tell them they had won a substantial “sweepstakes” prize, but before collecting this supposed prize, they needed to make a series of up-front payments to cover purported taxes or other fees. After deceiving victims out of their money, Chavez transmitted these funds from the United States for the benefit of the call center and others involved in the scheme in Costa Rica.

In two related matters, Mark Raymond Oman, 38, of Long Beach, Washington, was sentenced on Nov. 17, 2022, to three years and one month in prison, and Paul Andy Stiep, 30, of Miami, was sentenced on Dec. 20, 2022, to seven years in prison. Oman worked at the call center soliciting victims and collected victim funds in Costa Rica, while Stiep transmitted victims’ payments from the United States for the benefit of the call center in Costa Rica.

Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division, Assistant Director Luis Quesada of the FBI’s Criminal Investigative Division, Acting Special Agent in Charge Michael Scherck of the FBI Charlotte Field Office, Inspector in Charge Tommy Coke of the U.S. Postal Inspection Service’s (USPIS) Atlanta Division, and Special Agent in Charge Bryant Jackson of the IRS Criminal Investigation (IRS-CI) Cincinnati Field Office made the announcement.

The FBI, USPIS, and IRS-CI investigated the case.

Trial Attorneys Joshua DeBold and Della Sentilles of the Criminal Division’s Fraud Section prosecuted the case.

The department’s extensive and broad-based efforts to combat elder fraud seek to halt the widespread losses seniors suffer from fraud schemes. The best method for prevention, however, is by sharing information about the various types of elder fraud schemes with relatives, friends, neighbors, and other seniors who can use that information to protect themselves.

If you or someone you know is age 60 or older and has been a victim of financial fraud, help is available at the National Elder Fraud Hotline: 1-833-FRAUD-11 (1-833-372-8311). This Department of Justice hotline, managed by the Office for Victims of Crime, is staffed by experienced professionals who provide personalized support to callers by assessing the needs of the victim and identifying relevant next steps. Case managers will identify appropriate reporting agencies, provide information to callers to assist them in reporting, connect callers directly with appropriate agencies, and provide resources and referrals, on a case-by-case basis. Reporting is the first step. Reporting can help authorities identify those who commit fraud and reporting certain financial losses due to fraud as soon as possible can increase the likelihood of recovering losses. The hotline is staffed seven days a week from 6:00 a.m. to 11:00 p.m. ET. English, Spanish, and other languages are available.

Man Sentenced for Role in International Telemarketing Scheme

Space Rogue gives a behind the scenes look at the famous hacking group, their senate testimony, and how their legacy continues to shape the security of the online world today.

**PHILADELPHIA, PA, January 11, 2023 —** The memoir of world-renowned hacker Cris Thomas “Space Rogue: How the Hackers Known as L0pht Changed the World” is available for pre-order now. The new book, to be released on February 16, 2023, will cover the influential hacking group L0pht Heavy Industries, the hacker underground of the 1990s, the L0pht’s rise to prominence, their testimony in front of the US Senate, their claim of being able to “take down the Internet”, and how their legacy continues to shape the security of the online world today.

“Cyber security has become a critical part of today’s world. The L0pht was there at the start. We helped shape the cyber industry, and form the online world we all live in today.” –Space Rogue

In May 1998, the US Congress invited the seven members of the L0pht to testify on the state of government computer security. Two years later, that same group rode the dot-com bubble to create the preeminent security consultancy the industry has ever known, @stake. Along the way, they stood up against tech giants like Microsoft, Oracle, Novell and others to expose weaknesses in those companies’ premiere products. Despite the L0pht’s technical prowess, the group could not keep what they had built together as money and internal politics turned friend against friend. Look inside L0pht Heavy Industries, or simply The L0pht, one of the most influential hacker groups in history. From formation, to congressional testimony, to going legit and the aftermath that followed. 

Follow the hacker ‘Space Rogue’ as he takes you on a journey through the magical hacker scene of the 1990s. The L0pht hacker collective no longer exists, but its legacy lives on. L0pht set the standard for how the cyber security industry now releases vulnerability information. Famous hackers that were once L0pht members, Mudge, Weld Pond, Kingpin, Dildog, Space Rogue, and others have done even more impressive things in the following years. The hackers and consultants hired by @stake and indoctrinated into the L0pht way of thinking have now become giants in the industry. All the hackers who read security information off the L0pht’s website, downloaded software from the Whacked Mac Archives, or watched the Hacker News Network and became inspired have changed the world more than the L0pht could have ever done alone. The L0pht’s message of bringing security issues to light and getting them fixed still echoes throughout the industry and is more important today than ever. The L0pht’s dire warning of an increasingly dependent culture on a fragile Internet made during their testimony twenty-five years ago still holds true. In fact, the Internet may be in even be worse today. Is it too late to listen?

About Space Rogue (Cris Thomas)

With over two decades of experience, Space Rogue (Cris Thomas) has testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs, and has been interviewed by Wired, CNBC and even MTV. He created the wildly popular websites the Whacked Mac Archives and Cyber Squirrel 1. He produced the weekly podcast SpiderLabs Radio, and the critically acclaimed weekly news video program the Hacker News Network. His writing has appeared in Network Computing, New Statesman, The Hill, and the Christian Science Monitor. He has spoken at security conferences such as Def Con, Blackhat, and Shmoocon. Space Rogue currently works as the Global Lead of Policy and Special Initiatives for the legendary IBM X-Force.The book is available for preorder today and will be released on February 16th in hardcover, paperback and eBook at better books stores everywhere. Distributed via Ingram Spark.

Hacker Space Rogue to Release Book on Hacking Group L0pht Heavy Industries in February

This Tech Tip outlines the steps enterprise defenders should take as they protect their data in cloud environments in response to the security incident with the CI/CD platform.

As CircleCI continues to investigate the security incident affecting its continuous integration and continuous delivery (CI/CD) platform, enterprise defenders should also be hunting for signs of malicious activities on third-party applications integrated with CircleCI.

In its Jan. 4 disclosure, CircleCI urged users to rotate all secrets stored within the platform and to check internal logs for any signs of "unauthorized access" starting from Dec. 21, 2022. Since enterprises integrate software-as-a-service (SaaS) applications and other cloud providers, defenders should also hunt for signs of malicious behavior on those environments as well.

**Step 1: Change Secrets**

The first step is to change all passwords, secrets, access tokens, environment variables, and public-private keypairs because the attackers may have stolen them. When organizations integrate CircleCI with other SaaS and cloud providers, they provide CircleCI with those authentication tokens and secrets. The breach with CircleCI means the platform itself is compromised, as are all the SaaS platforms and cloud providers integrated with CircleCI because those credentials are now exposed.

CircleCI is offering a script CircleCI-Env-Inspector to export a JSON-formatted list of the names of CI secrets that need to be changed. The list would not contain the values of the secrets, CircleCI said.

To run this script, clone the repository and execute the _run.sh_ file.

In subsequent updates, CircleCI said it has invalidated Project API tokens used by projects and that it has rotated all GitHub OAuth tokens on behalf of customers. Amazon Web Services is alerting customers via email with lists of potentially impacted tokens (subject line: _\[Action Required\] CircleCI Security Alert to Rotate Access Keys._) that customers should change.

For organizations using TruffleHog, the log scanning feature outputs any passwords or API keys that may have been accidentally logged. Run TruffleHog with the following flags:

trufflehog circleci –token=<token>

**Step 2: Check CircleCI for Suspicious Activity**

CircleCI has made self-serve audit logs available to all customers, including free customers, through the platform's user interface. Customers can query up to 30 days of data and have 30 days to download the resulting logs. CircleCI's documentation outlines how to use the logs.

The logs provide information about actions taken, by which actor, on which target, and at what time, according to a threat hunting guide from Mitiga. Look for log entries indicating actions taken by a CircleCI user during the time between Dec. 21, 2022, and when the secrets were changed and updated. Actions attackers may be interested in are those for gaining access (_user.logged\_in_) and maintaining persistence (_project.ssh\_key.create_, _project.api\_token.create_, _user.create_).

**Step 3: Hunt for Malicious Actors in Third-Party Apps**

The impact of the breach extends beyond CircleCI as it includes third-party applications that are integrated with the development platform, such as GitHub, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Enterprise defenders need to hunt for signs of malicious activity across each of the integrated SaaS applications and cloud providers.

**For GitHub:** CircleCI authenticates to GitHub via PAT, an SSH key, or locally generated private and public keys. Defenders should check GitHub security log for suspicious GitHub activity – such as _git.clone_ (copying the repository), _git.fetch_ and _git.pull_ (different ways of grabbing the code from the repository) – originating from CircleCI users, according to Mitiga's threat hunting guide. The GitHub Audit logs provide information about the actions performed, who performed the action, and when it was performed. Check the GitHub Audit logs containing _actor\_location_ and look for abnormal connections and operations originating from new IP addresses.

**For AWS:** Look at API management events actions in AWS CloudTrail's management activity logs. Search for events the CircleCI user shouldn't be performing, such as suspicious reconnaissance actions (for example, _ListBuckets GetCallerIdentitiy_), _AccessDenied_ events, and activity originating from unknown IP addresses and programmatic UserAgents (such as _boto3_ and _CURL_).

**For GCP:** Review Cloud Audit logs – Admin Activity audit logs, Data Access audit logs, and Policy Denied audit logs – via the Google Cloud console (Logs Explorer), the Google Cloud CLI, or the Logging API. Check which resources the service account used with CircleCI has permissions.

The API call:

searchAllIamPolicies

From the command line:

gcloud asset search-all-iam-policies

Search for abnormalities, such as an error severity record, weird timestamps, or unusual IP subnets, Mitiga recommends in its guide.

**For Azure:** Review sign-in errors and patterns in Azure Active Directory Sign-in logs and check for abnormalities, such as the date of the sign-in and the source IP address. The Azure Monitor activity log is a platform log in Azure providing information about subscription-level events such as when a resource is modified or a virtual machine is started. One thing to look for in this log is whether there are actions listed that are different from the ones the service account typically performs.

"Hunting for malicious actions done by compromised CI/CD tools in your organization is not trivial, because their scope goes beyond that CI/CD tool and affects other SaaS platforms integrated with it," Mitiga's team wrote in the guide.

Use CircleCI? Here Are 3 Steps You Need to Take

Traditional metrics don't reflect real-world severity. Instead, analyzing previously reported incidents can help teams decide how to react, a new report says.

Accepted metrics for measuring the severity of security incidents, like mean time to repair (MTTR), may not be as reliable as previously thought and are not providing IT security teams with the correct information, according to Verica's latest Open Incident Database (VOID) report.

The report is based off 10,000 incidents from just under 600 companies ranging from Fortune 100s to startups. The amount of data gathered enables a deeper level of statistical analysis to determine patterns and debunk previous industry assumptions that lacked statistical evidence, Verica said.

"Enterprises are running some of the most sophisticated infrastructure in the world, supporting many parts of our daily lives, without most of us even thinking about — until something isn't working," says Nora Jones, CEO and co-founder of Jeli. "Their businesses heavily rely on site reliability, and yet incidents are not going away as technology gets more and more complex."

"Most organizations are running incident management decisions based on longstanding assumptions," she says, noting that enterprises need to be making data-driven decisions on how they approach organizational resilience.

**Share Information to Understand Incidents**

Courtney Nash, lead research analyst at Verica and creator of VOID, explains that, in much the same way airline companies set aside competitive concerns in the late '90s and beyond in order to share information, enterprises have an immense body of commoditized knowledge they could use to learn from each other and push the industry forward, while making what gets built safer for everyone.

"Collecting these reports matters because software has long moved on from hosting pictures of cats online to running transportation, infrastructure, power grids, healthcare software and devices, voting systems, autonomous vehicles, and many critical (often safety-critical) societal functions," Nash says.

David Severski, senior security data scientist at the Cyentia Institute, points out that enterprises can only see their own incidents, which limits the ability to see and avoid broader trends affecting other organizations.

"Incident databases and reports like \[VOID\] help them escape tunnel vision and hopefully act before they experience problems themselves," he says.

**Duration and Severity Are 'Shallow' Data**

How organizations experience incidents vary, as does long it takes to resolve those incidents, regardless of severity. Which scenarios even get recognized as an "incident" and at what level varies among colleagues within an organization and is not consistent across organizations, the report cautioned.

Nash explains duration and severity are "shallow" data — they are appealing because they appear to make clear, concrete sense of what are messy, surprising situations that don't lend themselves to simple summaries. However, measuring the duration isn't really useful.

"The duration of an incident yields little internally actionable information about the incident, and severity is often negotiated in different ways, even on the same team," Nash says.

Severity may be used as a proxy for customer impact or, in other cases, engineering effort required to fix or urgency. "It is subjectively assigned, for varying reasons, including to draw attention to or get assistance for an incident, to trigger — or avoid triggering — a post-incident review, or to garner management approval for desired funding, headcount, and so on," Nash says.

There's no correlation between the duration and severity of incidents, according to the report. Companies can have long or short incidents that are very minor, existentially critical, and nearly every combination in between.

"Not only can duration or severity not tell a team how reliable or effective they are, but they also don't convey anything useful about the event's impact or the effort required to deal with the incident," Nash says.

**Analyze Past Incidents**

"While MTTR isn't useful as a metric, no one wants their incidents to go on any longer than they must," she says. "To respond better, companies must first study how they've responded in the past with more in-depth analysis, which will teach them about a host of previously unforeseen factors, both technical and organizational."

Jones adds the culture of an organization will also play a role in how teams tag incidents and to what degree.

"This all goes back to the people of an organization — the people building the infrastructure, maintaining the infrastructure, resolving incidents, and then reviewing them," she says. "This is all done by people."

From her perspective, no matter how automated our technology gets, people are still the most adaptable part of the system and the reason for continued success.

"This is why you must recognize these socio-technical systems as just that, and then approach your incident analysis with the same understanding," Jones says.

Severski says the security industry is full of opinions on what should be done to improve things, noting Cyentia continues to analyze large datasets in their Information Risk Insights Study (IRIS) research.

"Basing our recommendations on actual failures and lessons learned from this is a far more effective approach," he says. "We place a high value on studying real-world incidents."

Why Analyzing Past Incidents Helps Teams More Than Usual Security Metrics

Catchpoint’s Internet Performance Monitoring Platform helps IT teams identify and mitigate BGP incidents, including hijack attempts and routing issues, with the industry’s broadest network of vantage points in the world drawing on real-time BGP monitoring.

**January 11, 2023 --** Catchpoint, The Internet Resilience Company, releases major enhancements to its industry-leading Network Experience solution. These enhancements include network reachability, engineering & traffic routing improvements, as well as comprehensive monitoring for SASE, VPN, and the entire Internet stack. This makes it even easier for IT professionals to catch issues before they impact the business.

The latest release includes a wide range of enhancements to Catchpoint’s Network Experience solution including:

*   **The world’s largest observability network** with over two thousand vantage points around the world. This includes **the world’s most extensive global BGP coverage** with over a thousand vantage points around the globe from more than 400 ASNs and support for both IPv6 and IPv4 real-time global data:

*   143 Catchpoint peers
*   388 University of Oregon Route Views Project peers
*   744 RIPE NCC RIS peers

*   **An improved BGP Smartboard** to identify incidents and root cause faster and with fewer clicks for improved MTTR. The new Smartboard lets IT teams investigate BGP peer event data across selected timeframes, view announcements and withdrawals, then drill down to the details of each event. The result is faster and more effective troubleshooting.
*   **An enhanced BGP Dashboard & Score Metrics** to see the health of the networks you rely upon at a glance. Information presented includes visibility for reachability, hijacks, peer visibility, mass withdrawals, RPKI status, and BGP data by region.
*   **Route Hijack Detection** via the updated control center library, which stores a list of customer ASNs. The BGP Overview Dashboard flags any prefix announced from unexpected ASNs, so IT is immediately alerted to potential hijacks.
*   **Network Mesh/Node-to-Node General Availability testing** to continuously monitor the availability & performance of the network, including jitter, latency and packet loss. This ensures an always-on, high-quality network experience. 
*   **Traceroute enhancements**, including Path MTU and TCP MSS features for more effective network path visualization and troubleshooting.
*   **A DNSSEC Custom Monitor** that authenticates the resolution of IP addresses with a cryptographic signature and ensures that answers provided by the DNS server are valid and authentic. 

To learn more about these updated features, please join us on January 18, 2023 for our upcoming webinar “Catchpoint Launches New Capabilities to Power Internet Performance Monitoring.”

**View and Pinpoint All BGP Issues from One Dashboard  **

All these capabilities are available via the Catchpoint Platform. The market leader in Internet Performance Monitoring (IPM), Catchpoint provides deep visibility into every aspect of the Internet stack that impacts your business. Only Catchpoint offers the breadth and depth of IPM solutions to help make IT, Network Operations, and SREs jobs easier and ensure Internet Resilience with fewer resources. 

“With this release, Catchpoint helps our customers uncover BGP issues with more confidence and in less time. We now deliver more detailed real-time information from three distinct BGP peer sources that we are able to collect from over 1000 BGP peers worldwide. By comparison, our nearest competitor monitors less than 100 peers and provides data that is at least 15 minutes old. That 15-minute delay is a lifetime when you’re dealing with an issue like a BGP hijack, and you don’t know where your data is going!” said Catchpoint’s EVP of Product, Matt Izzo. 

Catchpoint’s customers agree. “We were never able to monitor reachability in this detail before using the Catchpoint solution. Now we can figure out whether an issue is related to a BGP announcement, routing, or something else instead of blindly trusting our partners that everything is working as it should,” said Andreas Lunz, Chief Technology Officer, Team Internet.

“The top websites in the world rely on Catchpoint as their main platform to monitor, detect, and mitigate BGP incidents, as well as any other incidents in their Internet stack,” said Dritan Suljoti, CTO and co-founder of Catchpoint. “Today, all businesses rely on the Internet to survive, and there is really no other platform that comes close to what we have developed over fourteen years of dedication to Internet Performance Monitoring.” 

**Learn More**

*   Read more about Catchpoint’s Network Experience Solution at catchpoint.com/network-experience.
*   Dive into our Comprehensive Guide to BGP.
*   Join us at our upcoming webinar, “Catchpoint Launches New Capabilities to Power Internet Performance Monitoring” on January 18, 2023. 
*   Watch a brief but helpful demo on BGP. 
*   Request an evaluation of the Catchpoint platform.

**About Catchpoint**

Catchpoint is the Internet Resilience Company™. The top online retailers, Global2000, CDNs, cloud service providers, and xSPs in the world rely on Catchpoint to increase their resilience by catching any issues in the Internet stack before they impact their business. The Catchpoint platform offers synthetics, RUM, performance optimization, high fidelity data and flexible visualizations with advanced analytics. It leverages thousands of global vantage points (including inside wireless networks, BGP, backbone, last mile, endpoint, enterprise, ISPs and more) to provide unparalleled observability into anything that impacts your customers, workforce, networks, website performance, applications, and APIs. Learn more at www.catchpoint.com.

Catchpoint Announces Solution to Monitor and Protect Companies From BGP Incidents

Current defenses are able to protect against today's AI-enhanced cybersecurity threats, but that won't be the case for long as these attacks become more effective and sophisticated.

Artificial intelligence and machine learning (AI/ML) models have already shown some promise in increasing the sophistication of phishing lures, creating synthetic profiles, and creating rudimentary malware, but even more innovative applications of cyberattacks will likely come in the near future.

Malware developers have already started toying with code generation using AI, with security researchers demonstrating that a full attack chain could be created. 

The Check Point Research team, for example, used current AI tools to create a complete attack campaign, starting with a phishing email generated by OpenAI's ChatGPT that urges a victim to open an Excel document. The researchers then used the Codex AI programming assistant to create an Excel macro that executes code downloaded from a URL and a Python script to infect the targeted system. 

Each step required multiple iterations to produce acceptable code, but the eventual attack chain worked, says Sergey Shykevich, threat intelligence group manager at Check Point Research.

"It did require a lot of iteration," he says. "At every step, the first output was not the optimal output — if we were a criminal, we would have been blocked by antivirus. It took us time until we were able to generate good code."

Over the past six weeks, ChatGPT — a large language model (LLM) based on the third iteration of OpenAI's generative pre-trained transformer (GPT-3) — has spurred a variety of what-if scenarios, both optimistic and fearful, for the potential applications of artificial intelligence and machine learning. The dual-use nature of AI/ML models have left businesses scrambling to find ways to improve efficiency using the technology, while digital-rights advocates worry over the impact the technology will have on organizations and workers. 

Cybersecurity is no different. Researchers and cybercriminal groups have already experimented with using GPT technology for a variety of tasks. Purportedly novice malware authors have used ChatGPT to write malware, although developers attempts to use the ChatGPT service to produce applications, while sometimes successful, often produce code with bugs and vulnerabilities.

Yet AI/ML is influencing other areas of security and privacy as well. Generative neural networks (GNNs) have been used to create photos of synthetic humans, which appear authentic but do not depict a real person, as a way to enhance profiles used for fraud and disinformation. A related model, known as a generative adversarial network (GAN), can create fake video and audio of specific people, and in one case, allowed fraudsters to convince accountants and human resources departments to wire $35 million to the criminals' bank account.

The AI systems will only improve over time, raising the specter of a variety of enhanced threats that can fool existing defensive strategies.

**Variations on a (Phishing) Theme**

For now, cybercriminals often use the same or similar template to create spear-phishing email messages or construct landing pages for business email compromise (BEC) attacks, but using a single template across a campaign increases the chance that defensive software could detect the attack.

So, one main initial use of LLMs like ChatGPT will be as a way to produce more convincing phishing lures, with more variability and in a variety of languages, that can dynamically adjust to the victim's profile.

To demonstrate the point, Crane Hassold, a director of threat intelligence at email security firm Abnormal Security, requested that ChatGPT generate five variations on a simple phishing email request. The five variations differed significantly from each other but kept the same content — a request to the human resources department about what information a fictional company would require to change the bank account to which a paycheck is deposited. 

**Fast, Undetectable Implants**

While a novice programmer may be able to create a malicious program using an AI coding assistant, errors and vulnerabilities still get in the way. AI systems' coding capabilities are impressive, but ultimately, they do not rise to the level of being able to create working code on their own.

Still, advances could change that in the future, just as malware authors used automation to create a vast number of variants of viruses and worms to escape detection by signature-scanning engines. Similarly, attackers could use AI to quickly create fast implants that use the latest vulnerabilities before organizations can patch.

"I think it is a bit more than a thought experiment," says Check Point's Shykevich. "We were able to use those tools to create workable malware."

**Passing the Turing Test?**

Perhaps the best application of AI system may be the most obvious: the ability to function as artificial humans. 

Already, many of the people who interact with ChatGPT and other AI systems — including some purported experts — believe that the machines have gained some form of sentience. Perhaps most famously, Google fired a software engineer, Blake Lemoine, who claimed that the company's LLM, dubbed LaMDA, had reached consciousness.

"People believe that these machines understand what they are doing, conceptually," says Gary McGraw, co-founder and CEO at the Berryville Institute of Machine Learning, which studies threats to AI/ML systems. "What they are doing is incredible, statistical predictive auto-associators. The fact that they can do what they do is mind boggling — that they can have that much cool stuff happening. But it is not understanding."

While these auto-associative systems do not have sentience, they may be good enough to fool workers at call centers and support lines, a group that often represents the last line of defense against account takeover, a common cybercrime.

**Slower Than Predicted**

Yet while cybersecurity researchers have quickly developed some innovative cyberattacks, threat actors will likely hold back. While ChatGPT's technology is "absolutely transformative," attackers will likely only adopt ChatGPT and other forms of artificial intelligence and machine learning, if it offers them a faster path to monetization, says Abnormal Security's Hassold. 

"AI cyberthreats have been a hot topic for years," Hassold says. "But when you look at financially motivated attackers, they do not want to put a ton of effort or work into facilitating their attacks, they want to make as much money as possible with the least amount of effort."

For now, attacks conducted by humans require less effort than attempting to create AI-enhanced attacks, such as deepfakes or GPT-generated text, he says.

**Defense Should Ignore the AI Fluff**

Just because cyberattackers make use of the latest artificial intelligence system does not mean the attacks are harder to detect, for now. Current malicious content produced by AI/ML models are typically icing on the cake — they make text or images appear more human, but by focusing on the technical indicators, cybersecurity products can still recognize the threat, Hassold stresses.

"The same sort of behavioral indicators that we use to identify malicious emails are all still there," he says. "While the email may look more legitimate, the fact that the email is coming from an email address that does not belong to the person who is sending it or that a link may be hosted on a domain that has been recently registered — those are indicators that will not change."

Similarly, processes in place to double check requests to change a bank account for payment and paycheck remittance would defeat even the most convincing deepfake impersonation, unless the threat group had access or control over the additional layers of security that have grown more common.

Better Phishing, Easy Malicious Implants: How AI Could Change Cyberattacks

CISOs' top cloud challenge is harmonizing standards, policies, and procedures across blended environments.

In Coalfire's "2023 State of CISO Influence" report, developed in partnership with Dark Reading — security executives in major industries and companies of all sizes called out _lack of good governance strategy_ as one of the top challenges they face in managing cloud migration.

With any move to the cloud, corporate leaders focus intently on leveraging capabilities and harnessing myriad services, with IT often juggling the management of multiple assets in a hybrid environment. CISOs want to take the existing security program and wrap it around newly migrated systems to keep people, processes, and policies as consistent as possible and avoid the need to invent anything new. Updating and unifying standards and procedures usually lands last on the list.

While no single governance model is the right answer for all organizations, governance in the cloud age must, at a minimum, establish oversight, strategy, and enforcement of standards to ensure alignment of operational practices to the objectives and risk tolerance of the organization.

Security governance bridges business priorities with technical implementation like architecture, standards, and policy.

For smaller companies especially, the governance function is sometimes overlooked until it's too late. C-level security executives at firms with 500 or fewer employees ranked governance problems 10 points ahead of their midsize and larger enterprise counterparts.

**Optimizing Governance to Bolster Brand Confidence**

The report confirmed what I believe to be the essence of business resilience today: setting priorities, communicating effective incident response strategy, preplanning continuity of systems, and assuring continuous compliance.

Business goals and risk management are the best security program guideposts, ensuring that efforts are optimized to focus on the organization's top areas of concern. So naturally, it's becoming mission-critical to optimize governance processes to work effectively in today's hybrid server environments. Increasing infrastructure complexity drives hard questions, such as:

*   _How do we absorb the operational risk introduced by third parties within our cloud-based ecosystem?_
*   _How do we configure and uniformly apply access policies for employees, customers, vendors, remote workers, IoT, etc.?_
*   _Can we achieve zero trust, and can it be retrofitted to effectively fit into a hybrid environment?_
*   _What's our strategy and execution plan to enable operational resilience with pervasive incident detection and response?_
*   _How do we assure customers and stakeholders of our business's ability to continue operations after a disruption or during a mitigation?_

Addressing these questions facilitates a rational, cost-efficient approach instead of the outdated "sky is falling/spend more" mentality that has proven to be unsustainable. With the ever-expanding attack surface of the hyperscale cloud, CISOs can't eliminate risk, nor can they justify impulsive spending on endless identification of threats and scanning for vulnerabilities. Instead, they must respond and remediate problems, reduce costs, and enhance secure product life cycles to bolster brand reputation and customer confidence.

**Align Governance Responsibilities to Avoid Conflict**

Our research reflects that service delivery across industries is moving further into the cloud every year. Though all on-premises systems are eventually considered candidates for transition, legacy systems aren't going away tomorrow, so we need a pragmatic management style to keep the cloud momentum going while dealing with an expanding attack surface — the other "top two" concern of CISOs in the survey along with lack of good governance.

When developing governance strategies for hybrid cloud operations, it's critical that CISOs understand what services are provided by cloud and SaaS vendors, and that they have clarity on where the responsibilities and liabilities fall. While security professionals are more effectively closing known gaps, security teams still feel most of the heat when there are problems. Cloud vs. on-premises staff may fall into an adversarial pattern that results in attempts to deflect responsibility or engage in finger-pointing.

A well-planned governance model that assigns roles and responsibilities through a RACI responsibility alignment matrix is one of the best ways to avoid these situations. Failure to develop those plans up front can exacerbate the impact of even minor conflicts. Forward-thinking security leaders road map what needs to be done and who's going to do what, well ahead of time. At the onset of any migration or lift-and-shift, savvy CISOs need to start with a clear understanding of "who's on first." Prioritize that forethought by shifting core governance functions to the far-left side of the project management planning matrix.

Great CISOs don't just implement security measures, they build trust by working with business leadership to apply essential governance disciplines that align business strategy, risk management, asset protection, and innovation security while providing guidance to drive execution of security best practices and controls.

Across the board, CISOs in every sector and company size say governance is too often an afterthought. Lack of strategy produces hazards such as potential breach, disruption, and policy failures, as well as interdepartmental friction between cloud and on-prem teams. Whether it's a risk steering committee or a Cloud Advisory Board, good governance keeps the business moving and the supply chain flowing. It's a core competency for all security leaders.

**About the Author**

    

Michael Eisenberg is a seasoned information security professional with more than 31 years of experience working across public and private sectors, including two global Fortune 250 organizations (Aon and McDonald's Corporation), the government sector and the U.S. military. As vice president of Strategy, Privacy, and Risk at Coalfire, Michael leverages his experience through a range of security consultative services that help C-level officers build and improve security strategies and deliver cybersecurity programs. He received a master's degree in computer science from Illinois Institute of Technology. Michael holds CISSP, CISA, CISM, and CRISC security certifications.

Governance in the Cloud Shifts Left

School to resume Thursday, Jan. 12, after Iowa school district detected unusual network activity and pulled the plug.

The largest public school system in Iowa is slated to resume classes on Thursday, Jan. 12, following the detection of abnormal network activity that prompted the district to pull its systems offline.

On Jan. 9, DesMoines Public Schools alerted parents classes would be canceled and that their district's Internet and network services would be unavailable following a suspected cyberattack.

DMPS announced today that classes would resume tomorrow — Thursday, Jan. 12 — now that phones are operational. For the time being, students can expect an "offline learning experience," the district added.

"The school district’s information technology staff continues to investigate the cause and extent of the cybersecurity incident that took place earlier this week, in coordination with the school district’s cyber insurance company, and are working to fully restore the district’s network when it is safe to do so," the latest update on the school cyberattack said. "This work will continue in the days ahead."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattack Cancels Classes for Des Moines Public Schools

Organizations are looking for new methods to safeguard the virtual machines, containers, and workload services they use in the cloud.

In 2022, we saw explosive transitions in the cloud security market — every aspect of the ecosystem, including vendors, products, and infrastructure, went through a radical change. It birthed new categories like data security posture management (DSPM), saw established vendors jumping to announce cloud data lakes like Amazon Security Lake, and put vendors through turmoil, like KnowBe4 being acquired by Vista Equity for $4.3 billion.

As we look forward to 2023, cybersecurity for workloads (virtual machines, containers, services) in the public cloud will continue to evolve, with customers trying to balance the need for aggressive cloud adoption and compliance with security needs. CIOs and CISOs will challenge their teams to build the foundation for a security platform that can consolidate point products, support multiple clouds (AWS, Azure, and GCP), and leverage automation to scale security operations. A zero-trust architecture will lead the way to workload protection in the cloud, real-time data protection, and centralized policy enforcement. Here’s a deeper dive into how these five dynamics will make their presence felt in 2023 with public cloud workloads.

**Generative Attacks Will Become Targeted and Personalized**

Automation and machine learning empower cybercriminals to launch sophisticated, targeted attacks. Scripted botnets can conduct network reconnaissance on cloud infrastructure, and valuable data can be harvested and used to launch further attacks. Malware packages are becoming a commodity, with readily available automated tools in which the level of abstraction enables even unimaginative minds to become lethal. For example, ChatGPT, which has taken the tech world by storm, can use machine learning to auto-script malware.

Cyberthreat researcher @lordx64 shared an example of malware auto-generated by ChatGPT. The malware used PowerShell to download ransomware using an obfuscation script, encrypt all the files, and exfiltrate the key to google.com.

**Centralized Security Posture Will Become the Norm to Tackle Workload Sprawl**

Misconfigurations due to human error remain the biggest root cause of cyberattacks. Many attacks use techniques such as code injection and buffer overflow to prey on weak configurations. With the cloud enabling workloads to be spun up and down frequently, configuring security policies at individual firewalls at every virtual private cloud (or a trust zone) opens the door for human error.

Organizations will increasingly look for architectures that can centralize cloud security policy definitions, enforcements, and remediations. Only when cyber prevention is delivered from a central platform can defense be applied to all workloads, instead of just a few select ones.

**Zero-Trust For Workload Protection Will Gain Momentum**

Zero trust will see widespread adoption to protect assets by enforcing an explicit trust framework for all assets in the public cloud. Implementing zero trust in the public cloud is different and unique because customers are dealing with ephemeral and dynamic resources. With zero trust platforms that were architectured for the cloud can bring down cost overruns and complexity. Before a workload in a public cloud can request a resource, it must go through an extensive trust check — one that combines identity, device risk, location, threat intelligence, behavioral analytics, and context. Upon successfully establishing explicit trust, the resource will then be subject to corporate security policy for access control.

**CIOs Will Look For More Effective Multicloud Security Tools**

When it comes to vendor best practices, CIOs are increasingly looking at diversified portfolios of public cloud infrastructure for three main reasons. They want to reduce reliance on a single vendor; many are also looking to integrate infrastructure inherited from mergers and acquisitions. And CIOs need to leverage best-of-breed services from different vendors, such as Google Cloud BigQuery for data analytics, AWS for mobile apps, Oracle Cloud for ERP, for example.

    

Figure: AWS shared responsibility model for protecting cloud resources.

Every cloud vendor preaches the notion of “shared security responsibility,” putting the onus on the customer to implement a security infrastructure for their cloud resources. Savvy IT shops ensure they pick a cybersecurity platform that supports multiple public cloud environments.

**Real-Time Data Protection Will Be a Core Criterion for Cloud Data Governance, Security**

Securing sensitive data such as protected health information, personally identifying information, financial information, patents, confidential corporate data, and other intellectual property is arduous when data moves to the cloud. Legacy data loss prevention (DLP) architectures that rely on regexes, scans, and static rules are insufficient and ineffective for DLP in the cloud.

The rise of the data security posture management category has provided critical visibility into the need for observability and real-time analysis. Proxy-based architectures that can decrypt and inspect all SSL traffic will become a cornerstone for enterprises that truly care about protecting their sensitive data.

Migration to the cloud is not a new trend in the corporate world, but the implications of cybersecurity for cloud workloads are still evolving. While there are no clear answers yet, these are some of the leading indicators customers will use to navigate in 2023.

Read more _Partner Perspectives_ from Zscaler.

5 Ways Cybersecurity for Cloud Workloads Will Evolve in 2023

With artificial intelligence poised to displace many SOC professionals, it's important to think ahead to potential niches for cybersmart humans — even to outer space.

As routine work is increasingly performed by automated systems, exciting new jobs are likely to emerge in cybersecurity. Positions in outer space cybersecurity, AI mentoring, and digital footprint consulting may sound unusual at first glance, but the rapid development of technology could make them a reality in just a few years. Let's take a look at a few of the possibilities.

**Outer Space Cybersecurity Engineer**

Satellites are one of the most essential pieces of space technology in daily life, used in navigation systems, broadcast media, and other communications. The more we use technologies that rely on satellites, the more attractive a target this type of space-based infrastructure becomes to threat actors.

Satellites and the space industry as a whole require dedicated specialists who can prevent attacks of all kinds. This is particularly true when securing systems such as navigation, engine control, emergency, and communication infrastructure. With the development of space tourism, asteroid mining, and new space stations, there will be rising demand for out-of-earth cybersecurity experts.

**AI Mentor**

The rise of AI-based technologies and assistants, such as speech-based systems (e.g. Siri, Alexa, Cortana, etc.) has helped make new technologies more accessible. At the same time, they introduce new privacy and security concerns, while their control, regulation, and monitoring requirements go beyond product management and development areas of expertise.

Speculative fiction writer William Gibson envisioned a Turing Police force in charge of controlling AI and AI-based systems in the technological future. We may realistically need AI mentors as a new type of expert who controls and assesses these technologies. Mentors' responsibilities may also include teaching AIs, controlling their access to data, imposing evolutionary constraints, and acting as a parent to the AI. As the complexity and sophistication of these technologies increases, there will be a growing demand for experts like these.

An AI mentor's assistant could be another role. They would be dedicated specialists responsible for creating a "stop" button to prevent AI systems from operating on their own. This involves the development of protection against malfunctions and alternative rescue plans in case computers are out of service.

**Cyber Immunity Developer**

For decades, people have developed new technologies first, only to think about the cybersecurity implications later. To make the world safer, we’ll need a “security-first” approach. Solutions with embedded cybersecurity principles help move us in that direction, allowing a device to be cyber-immune by default, with built-in protection against most types of cyberattack.

This will drive demand for developers with skills in this methodology, creating systems that are secure by design. These will be too expensive to hack, and the vast majority of threats won't be able to hinder their critical functions.

**Threat Endurance Manager**

A cyberattack can lead to the interruption of production and business processes, posing potential reputational risks and financial losses. Imagine an attacker interferes with the production process of a huge metal processing plant and disables the factory for a day. Because of this, they don't fulfill a bulk order which results in millions of dollars in losses.

Threat endurance managers will be in demand at critical infrastructure sites or large companies that cannot afford such a shutdown. These specialists will be responsible for business continuity and protect companies by controlling IT systems, responding to cyberattacks, and managing software and human errors.

**Cyber Investigator**

This profession already exists, but over the next few years it will become more complex and diverse, following the increased sophistication of digital systems and the trend toward automation.

We know that these specialists normally manage the aftermath of a security breach, covering the entire investigation and working to eliminate the threat to the organization. They collect evidence based on the results of the incident, analyze log files and events on the network, create indicators of compromise, and much more. Cyber investigators of the next generation will be generalists with skills not only in programming and hacking but also in psychology and decision-making in volatile conditions. Apart from that, they will be experts in robotics and AI, as they would have to work with those newly emerging systems.

**Digital Footprint Consultant**

This specialist plays a key role in the future protection of a brand against the potential negative effects of a cyber incident. Cyberattackers are well known for extracting data and blackmailing companies by threatening their reputation. Experts of the future will need to be able to assess a company's vulnerability to these sorts of risks and count skills related to safeguarding the image of the business among their competencies.

**Digital Bodyguard**

This will essentially be a consultant protecting a person’s digital identity. Like a bodyguard in the physical world, they will guard against things like doxing, cyber stalking, and other harassment. This bodyguard will help clients to protect their digital identities by cleaning their accounts and digital history, guiding and supporting their virtual lives.

In 2021, nearly 46% of US middle and high schoolers had been cyberbullied during their lifetime, while 41% of adults reported experiencing online harassment, and 24% said they'd been stalked using technology. In some cases, this can be combined with offline harassment or even physical violence. A proactive consultant would help protect children and adults from threats of this nature. When it does happen, they will act as a private digital security force, helping to disrupt the offender, identify them, and prevent similar incidents in the future. They could even help the victim cope with the incident from a psychological perspective. In many countries cyberbullying is a crime, so this profession might be in extra demand in those places.

You can hardly single out a business in which cybersecurity is not relevant. Even companies that don’t make money from it still often can have sizeable cybersecurity departments. Apple, for example, has an internal team that handles endpoint security. As technology and business continue to evolve, career opportunities in cybersecurity should remain plentiful and varied long into the future.

Source

DARKReading