Hacking to kill: Dark Reading's Fahmida Y. Rashid reflects on the monumental Black Hat 2011 moment when Jay Radcliffe showed how to hack his insulin pump.

It was a huge wake-up call for the cybersecurity community: Weak security could have deadly consequences.

In 2011, Jay Radcliffe took the stage at Black Hat USA to present deeply personal, and frightening, news — insulin pumps, like the exact one he wore, could be hacked and used to harm or kill.

The implications of the presentation, entitled, "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System," were broad. And despite some early protests from the medical device community early on, it broke open the field of medical device security.

A decade later in 2021, Radcliffe helped start the University of Minnesota's new Medical Device Security Center that joins together researchers, manufacturers, and government to help incubate new solutions for potentially deadly healthcare security problems.

Dark Reading's Fahmida Y. Rashid sat down for Dark Reading's new video series, Black Hat Flashback, to share what it was like to be in the room during the session, and to discuss the incredible changes that have happened since.

Take a look at what she has to say about the Black Hat moment all these years later, then watch Radcliffe returning to Black Hat in 2013 to catch the industry up on what happened in the direct wake of his 2011 blockbuster disclosure.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Black Hat Flashback: The Deadly Consequences of Weak Medical Device Security

The issue concerns the boot layer of ARM chips, which are driving a low-power mobile ecosystem that includes 5G smartphones and base stations.

A security company is leading the coordinated vulnerability disclosure of multiple high-severity vulnerabilities in the Qualcomm Snapdragon chipset.

The vulnerabilities were identified in the Unified Extensible Firmware Interface (UEFI) firmware reference code and impacts ARM-based laptops and devices using Qualcomm Snapdragon chips, according to Binarly Research.

Qualcomm disclosed the vulnerabilities on Jan. 5, along with links to available patches. Lenovo has also issued a bulletin and a BIOS update to address the flaws in affected laptops. However, two of the vulnerabilities are still not fixed, Binarly noted.

If exploited, these hardware vulnerabilities allow attackers to gain control of the system by modifying a variable in nonvolatile memory, which stores data permanently, even when a system is turned off. The modified variable will compromise the secure boot phase of a system, and an attacker can gain persistent access to compromised systems once the exploit is in place, says Alex Matrosov, founder and CEO of Binarly.

"Basically, the attacker can manipulate variables from the operating system level," Matrosov says.

**Firmware Flaws Open the Door to Attacks**

Secure boot is a system deployed in most PCs and servers to ensure that devices start properly. Adversaries can take control of the system if the boot process is either bypassed or under their control. They can execute malicious code before the operating system is loaded. Firmware vulnerabilities are like leaving a door open — an attacker can gain access to system resources as and when they please when the system is switched on, Matrosov says.

"The firmware piece is important because the attacker can gain very, very interesting persistence capabilities, so they can play for the long term on the device," Matrosov says.

The flaws are notable because they affect processors based on the ARM architecture, which are used in PCs, servers, and mobile devices. A number of security problems have been discovered on x86 chips from Intel and AMD, but Matrosov noted that this disclosure is an early indicator of security flaws existing in ARM chip designs.

Firmware developers need to develop a security-first mindset, Matrosov says. Many PCs today boot based on specifications provided by UEFI Forum, which provides the hooks for the software and hardware to interact.

"We found that OpenSSL, which is used in UEFI firmware — it's in the ARM version — is very outdated," Matrosov says. "As an example, one of the major TPM providers called Infineon, they use an 8-year-old OpenSSL version."

**Addressing Affected Systems**

In its security bulletin, Lenovo said the vulnerability affected the BIOS of the ThinkPad X13s laptop. The BIOS update patches the flaws.

Microsoft's Windows Dev Kit 2023, code-named Project Volterra, is also impacted by the vulnerability, Binarly said in a research note. Project Volterra is designed for programmers to write and test code for the Windows 11 operating system. Microsoft is using the Project Volterra device to lure conventional x86 Windows developers into the ARM software ecosystem, and the device's release was a top announcement at Microsoft's Build and ARM's DevSummit conferences last year.

The Meltdown and Spectre vulnerabilities largely affected x86 chips in server and PC infrastructures. But the discovery of vulnerabilities in ARM's boot layer is particularly concerning because the architecture is driving a low-power mobile ecosystem, which includes 5G smartphones and base stations. The base stations are increasingly at the center of communications for edge devices and cloud infrastructures. Attackers could behave like operators, and they will have persistence at base stations and nobody will know, Matrosov says.

System administrators need to prioritize patching firmware flaws by understanding the risk to their company and addressing it quickly, he says. Binarly offers open source tools to detect firmware vulnerabilities.

"Not every company has policies to deliver firmware fixes to their devices," Matrosov says. "I have worked for large companies in the past, and before I started my own company, none of them — even these hardware-related companies — had an internal policy to update the firmware on employee laptops and devices. This is not right."

Latest Firmware Flaws in Qualcomm Snapdragon Need Attention

The AI-based chatbot is allowing bad actors with absolutely no coding experience to develop malware.

Since OpenAI released ChatGPT in late November, many security experts have predicted it would only be a matter of time before cybercriminals began using the AI chatbot for writing malware and enabling other nefarious activities. Just weeks later, it looks like that time is already here.

In fact, researchers at Check Point Research (CPR) have reported spotting at least three instances where black hat hackers demonstrated, in underground forums, how they had leveraged ChatGPT's AI-smarts for malicious purposes.

By way of background, ChatGPT is an AI-powered prototype chatbot designed to help in a wide range of use cases, including code development and debugging. One of its main attractions is the ability for users to interact with the chatbot in a conversational manner and get assistance on everything from writing software to understanding complex topics, writing essays and emails, improving customer service, and testing different business or market scenarios.

But it can also be used for darker purposes.

**From Writing Malware to Creating a Dark Web Marketplace**

In one instance, a malware author disclosed in a forum used by other cybercriminals how he was experimenting with ChatGPT to see if he could recreate known malware strains and techniques.

As one example of his effort, the individual shared the code for a Python-based information stealer he developed using ChatGPT that can search for, copy, and exfiltrate 12 common file types, such as Office documents, PDFs, and images from an infected system. The same malware author also showed how he had used ChatGPT to write Java code for downloading the PuTTY SSH and telnet client, and running it covertly on a system via PowerShell.

On Dec. 21, a threat actor using the handle USDoD posted a Python script he generated with the chatbot for encrypting and decrypting data using the Blowfish and Twofish cryptographic algorithms. CPR researchers found that though the code could be used for entirely benign purposes, a threat actor could easily tweak it so it would run on a system without any user interaction — making it ransomware in the process. Unlike the author of the information stealer, USDoD appeared to have very limited technical skills and in fact claimed that the Python script he generated with ChatGPT was the very first script he had ever created, CPR said.

In the third instance, CPR researchers found a cybercriminal discussing how he had used ChatGPT to create an entirely automated Dark Web marketplace for trading stolen bank account and payment card data, malware tools, drugs, ammunition, and a variety of other illicit goods.

"To illustrate how to use ChatGPT for these purposes, the cybercriminal published a piece of code that uses third-party API to get up-to-date cryptocurrency (Monero, Bitcoin, and \[Ethereum\]) prices as part of the Dark Web market payment system," the security vendor noted.

**No Experience Needed**

Concerns over threat actors abusing ChatGPT have been rife ever since OpenAI released the AI tool in November, with many security researchers perceive the chatbot as significantly lowering the bar for writing malware.

Sergey Shykevich, threat intelligence group manager at Check Point, reiterates that with ChatGPT, a malicious actor needs to have no coding experience to write malware: "You should just know what functionality the malware — or any program — should have. ChatGTP will write the code for you that will execute the required functionality."

Thus, "the short-term concern is definitely about ChatGPT allowing low-skilled cybercriminals to develop malware," Shykevich says. "In the longer term, I assume that also more sophisticated cybercriminals will adopt ChatGPT to improve the efficiency of their activity, or to address different gaps they may have."

From an attacker’s perspective, code-generating AI systems allow malicious actors to easily bridge any skills gap they might have by serving as a sort of translator between languages, added Brad Hong, customer success manager at Horizon3ai. Such tools provide an on-demand means of creating templates of code relevant to an attacker's objectives and cuts down on the need for them to search through developer sites such as Stack Overflow and Git, Hong said in an emailed statement to Dark Reading.

Even prior to its discovery of threat actors abusing ChatGPT, Check Point — like some other security vendors — showed how adversaries could leverage the chatbot in malicious activities. In a Dec. 19 blog, the security vendor described how its researchers created a very plausible-sounding phishing email merely by asking ChatGPT to write one that appears to come from a fictional webhosting service. The researchers also demonstrated how they got ChatGPT to write VBS code they could paste into an Excel workbook for downloading an executable from a remote URL.

The goal of the exercise was to demonstrate how attackers could abuse artificial intelligence models such as ChatGPT to create a full infection chain right from the initial spear-phishing email to running a reverse shell on affected systems.

**Making It Harder for Cybercriminals**

OpenAI and other developers of similar tools have put in filters and controls — and are constantly improving them — to try to limit misuse of their technologies. And at least for the moment, the AI tools remain glitchy and prone to what many researchers have described as flat-out mistakes on occasion, which could thwart some malicious efforts. Even so, the potential for misuse of these technologies remains large over the long term, many have predicted.

To make it harder for criminals to misuse the technologies, developers will need to train and improve their AI engines to identify requests that can be used in a malicious way, Shykevich says. The other option is to implement authentication and authorization requirements in order to use the OpenAI engine, he says. Even something similar to what online financial institutions and payment systems currently use would be sufficient, he notes.

Attackers Are Already Exploiting ChatGPT to Write Malicious Code

The Serbian government reports that it staved off five attacks aimed at crippling Serbian infrastructure.

The Serbian Ministry of the Interior reported over the weekend being targeted by at least five separate distributed denial-of-service (DDoS) attacks in 48 hours, intended to hobble the country's IT infrastructure.

Working together, the Ministry of Internal Affairs and Telecom Serbia were able to fend off the DDoS attacks.

"All attacks were repelled and the Ministry's bases were protected and safe," the statement said. "Enhanced security protocols have been activated, which can lead to slower work and occasional interruptions of certain services, all in order to protect the data of the Ministry of Internal Affairs."

The cyberattacks come amid rising tensions in the Balkans as a result of the Russian invasion of Ukraine.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Serbia Slammed With DDoS Attacks

Organizations often defer patching because of business disruption fears — but that didn't work out very well for Rackspace's Hosted Exchange service.

The recent ransomware incident at Rackspace that took down the company's hosted Microsoft Exchange server environment has focused attention on the often-risky gamble that security teams take when choosing to mitigate a vulnerability — rather than apply a patch for it.

Last week, Rackspace disclosed that a Dec. 2 intrusion into the hosting company's Exchange server service environment resulted from its decision to hold off on applying a patch for a server-side request forgery (SSRF) vulnerability in Exchange Server (CVE-2022-41080) that Microsoft had patched in November. The vulnerability, when chained with another previously disclosed remote code execution (RCE) flaw in Exchange Server — tracked as CVE-2022-41082 — gives attackers a way to take complete control of affected servers.

**Deferred Patching**

According to Rackspace's chief security officer, Karen O'Reilly-Smith, the company held off on applying the patch for the SSRF flaw over concerns that it would cause disruptive authentication errors. Instead, Rackspace decided to apply a mitigation measure that Microsoft had issued for the vulnerability thinking it would be an effective measure. O'Reilly-Smith said that Microsoft's notes on CVE-2022-41080 merely described it as a privilege escalation vulnerability and made no mention of the fact that it was part of an RCE chain.

A Microsoft spokesman tells Dark Reading that the company had nothing to share at this time on Rackspace's comments related to the company's patch for the SSRF flaw, or the notes that accompanied its disclosure.

Rackspace's decision to hold off on patching the vulnerability is not unusual, says John Bambenek, principal threat hunter at Netenrich. "Often mitigations are preferable, especially in highly public resources where there is sensitivity to downtime," he says. In fact, the more public-facing an application is, the more organizations will go for mitigations, he says. 

"Most of the time it can be a good bet if the mitigations are sound and complete," Bambenek notes. "But it requires a really savvy professional who can read between the lines to make a sound judgement."

In Rackspace's case, its mitigation strategy failed because an attacker — later identified as the Play ransomware group — found a way to use CVE-2022-41080 to trigger the CVE-2022-41082 RCE flaw in its environment. Up to that point security researchers had only observed attackers triggering the RCE flaw via a different Exchange Server SSRF vulnerability tracked as CVE-2022-41040, in the combination known as ProxyNotShell. The attack caused widespread service outages for Rackspace customers, many of which are small and midsize businesses.

"Rackspace put mitigations in place in relation to the ProxyNotShell chain disclosed by Microsoft in late September, prior to patches being available, which didn’t happen until November," an external adviser of Rackspace tells Dark Reading. 

When the patches did become available, Rackspace held off on applying them because of concerns over reported authentication issues related to the patches and because the company already had the appropriate mitigations in place, the adviser says. 

"At that time, there were no known or disclosed remote code execution risks associated with CVE-2022-41080, which CrowdStrike discovered while investigating the Rackspace incident," the adviser adds.

**Skipping Security Patches: A Risky Gambit**

The incident highlights the risks organizations take when they rely too much on mitigations alone to keep them safe from vulnerability exploits, says Mike Parkin, senior technical engineer at Vulcan Cyber**.** 

**"**Deploying vendor recommended mitigations for a known vulnerability is not supposed to be the end of the issue," he says. "They’re what you do until the vendor in question can develop a patch and you can deploy it."

The only time it's OK to mitigate and not patch is when the vendor has no patch for the vulnerability yet, or there's some technical reason why an organization cannot deploy it in a target environment, Parkin says. 

"There are going to be cases where change-management procedures delay deploying the patch. But a good process from both change management and security perspectives is to have patches going in as soon as possible while meeting stability concerns," he says, adding that this is especially true when there are known exploits in the wild targeting a particular vulnerability.

Patching and vulnerability remediation in general remains a major challenge for organizations. A study that vulnerability management vendor Edgescan conducted last year showed that organizations still take an average of 60 days to fix critical vulnerabilities of the sort that tripped up Rackspace. 

The study found that 57% of observed vulnerabilities on enterprise networks were more than two years old and a startling 17% were more than five years old. All of these vulnerabilities had working exploits in the wild, and adversaries — including nation-state actors and cybercriminal groups — had exploited many of them.

**Dwindling Time to Exploitation**

Making matters worse is the fact that cybercriminals have become much faster at exploiting new vulnerabilities, so the time between initial disclosure and exploit availability has been shrinking rapidly.

The trend pushed the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a directive in Nov. 2021 that requires all federal civilian branch agencies to remediate known exploited vulnerabilities within a specific — usually two-week — timeframe. CISA has also advocated that all organizations refer to its catalog of Known Exploited Vulnerabilities (KEV) regularly to see what vulnerabilities attackers are exploiting in the wild so they can remediate them immediately. CISA adds new vulnerabilities to its catalog only if a patch or clear remedial action is available from the affected vendor.

Richard Stiennon, chief research analyst at IT-Harvest, says the fact that many companies still take 60 days to patch critical vulnerabilities is not surprising given the complexity of the task, especially for large organizations. Patching often involves scheduled downtime, which for many organizations tends to be on early weekend mornings, he says. The task involves taking down all affected severs, installing the patch, and rebooting and testing them before bringing the systems back up. 

"Imagine you are a big company with 2,000 servers that need an emergency patch," Stiennon says. "Of course, you would apply a mitigation first. You cannot do it the same day."

Steinnon says cloud adoption has begun changing vulnerability management processes in many organizations. These days, a system that needs patching may be a container or a virtual machine. "Now the process is to mirror the production system, patch it, test it, and swap the updated instances into production with no down time."

Rackspace Ransomware Incident Highlights Risks of Relying on Mitigation Alone

Business users receive a message from Facebook warning their accounts will be permanently suspended for using photos illegally if they don't appeal within 24 hours, leading victims to a credential-harvesting page instead.

An extensive credential-harvesting campaign has hackers leveraging Facebook copyright infringement notices to steal enterprise credentials.

Malicious actors continue to use tried and true phishing techniques and social engineering tactics to compel targets into giving up key information, attempting to generate anxiety to prompt a hasty handover. According to a Monday report from Avanan, this latest campaign sends users an email warning that because the page has uploaded a photo violating Facebook’s copyright infringement policy, the account will be permanently suspended unless they click on link to appeal the decision.

This link leads not to a Meta site but rather a credential-harvesting site, the report notes.

"Though this email has a sender address that clearly does not come from Facebook, it’s otherwise fairly believable," the report said.

Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, explains the campaign could be aimed at any organization, but would be most effective with companies that rely heavily on Facebook advertising.

"The urgency indicated in the email could cause some to take quick action," he says. "These types of attacks keep on finding success because they work. Attackers are able to use this to evade legacy defenses and are able to persuade users to click on it and take action."

To guard against similar social media-based phishing attack relying on a harried response to perceived urgency, Fuchs says checking the URL for legitimacy is a good start — as is checking the sender address.

"If those are off, that’s a good sign that something is amiss," he says. "The key thing is to encourage staff to take a beat before responding. That allows them to look for things like grammar errors, mismatched sender address, wrong URLs, and more."

Fuchs adds attacks constantly evolve, and malicious actors are likely to continue to use new lures, new services, and new ways to capture the victim’s attention.

The report advises employing security tactics like always double-checking sender addresses, hovering over all URLs before clicking, and logging into the Facebook account directly to check the status of the account, instead of clicking on the URL in the email.

**Social Media a Popular Attack Vector**

The use of social media, though indispensable for many companies, also carries a risk, and Avanan and other security firms have spotted similar attacks spoofing the same brand as a sign hackers are getting people to bite.

Some 400 mobile apps posing as legitimate software on Google Play and the Apple App Store over the past year were designed to steal Facebook user credentials.

Facebook lead-generation forms had previously been repurposed to collect passwords and credit card information from unsuspecting Facebook advertisers, with attackers piggybacking on the power of the Facebook brand by using emails that look like they're coming from Facebook Ads Manager.

And according to a report this month from Outseer, brand impersonations, or brandjackings, like these increased by 274% last year as attackers continue to peddle their scams by looking like they come from reliable sources.

As digital applications proliferate and use of social media remains strong, educating users against social engineering attempts is a key part of a strong defense.

'Copyright Infringement' Lure Used for Facebook Credential Harvesting

The JsonWebToken package plays a big role in the authentication and authorization functionality for many applications.

A high-severity vulnerability (CVE-2022-23529) has been discovered in the popular JsonWebToken (JWT) open source encryption project, which could be used by attackers to achieve remote code execution (RCE) on a target encryption server.

The JWT open standard defines a method of transferring information securely by encoding and signing JSON data. According to researchers at Palo Alto Networks' Unit 42, an exploit for the vulnerability results in the server verifying a maliciously crafted JSON web token request.

"Running malicious code on a server can lead to a huge damage and loss of confidentiality, integrity, and also may cause a denial of service," cautions Unit 42 security researcher Artur Oleyarsh. "Systems related to and communicating with the vulnerable server may suffer as well, so the attack potential and the consequences once the system is vulnerable for a remote code execution is significant."

The issue poses a threat to all who are using JWT versions prior and including v8.5.1. The patched version of the package is v9.0.0, according to a Jan. 9 posting from Unit 42.

Oleyarsh explains that usually, vulnerabilities related to JSON Web tokens are related to different token forging techniques that allow a malicious actor to bypass authentication and authorization mechanisms.

"This gives them \[the\] opportunity to take over accounts, impersonate users, and elevate privileges," he says. However, "this latest vulnerability is unique for several reasons. First, here we are talking about executing code on a host verifying JSON web tokens."

**Underneath the Hood of CVE-2022-23529**

Rather than bypassing authentication or authorization mechanisms, the bug provides a way for a cyberattacker to gain control over a key retrieval parameter of the "jwt.verify" function (known as secretOrPublicKey).

In a proof-of-concept exploit, Unit 42 was able to override the "toString()" method of the key object.

"In JavaScript, every object that inherits from Object.prototype, inherit the toString() method," Oleyarsh says. "Thus, if there is a blindly trusted call to that method, and we control the key object, we can override its toString() with malicious content and execute arbitrary code."

**Open Source Usage Grows, Along With Cyberthreat Level**

As the use of open source software (OSS) continues to grow, so does cyberattacker interest in using software components and packages like JWT as an attack vector.

"We are seeing threat actors actively scanning for known vulnerabilities and exploiting them within minutes," Oleyarsh says. "Without attention and awareness to OSS security, I think we will see more and more attacks leveraging OSS security issues."

He says as a community, security practitioners need to contribute and cooperate to make OSS software safer.

"Some of the developers and maintainers of OSS are building solutions with security in mind, which means that they are constantly fixing security vulnerabilities, scanning for vulnerable dependencies, and maintaining security advisories and publishing them so the users can patch for the non-vulnerable versions, and some of them are not," Oleyarsh notes.

Increasingly, tools have been launched to help defense, identity and access management, and security operations center teams discover vulnerable components. Google's OSV-Scanner, which launched in December, for instance generates a list of dependencies in a software development project and checks the OSV database for known vulnerabilities.

"Some are doing a great job in creating wonderful and creative solutions for many problems and making it available for use to anyone without charge," Oleyarsh says. "If you are implementing OSS within your organization, it is a good practice to use OSS package scanners to scan for vulnerable versions of OSS packages you are using, as well for vulnerable dependencies."

Meanwhile Google is also throwing its considerable weight behind a proposed US government-led policy framework aimed at shoring up security for open source software, urging the private sector to support the initiative.

From a manual perspective, Oleyarsh adds that teams should take a regular look at the security advisories pages of the OSS projects they use to keep up to date on bugs, and look at implementing software composition analysis (SCA) tools to help to track all the open source packages and modules used by a project in order to inform that process.

Then, "when you encounter a bug which has security implications, it is a good practice to reach out to the maintainers via a private chat and report the issue and even suggest and discuss the solution," he says.

JsonWebToken Security Bug Opens Servers to RCE

**Rueil-Malmaison, France & Boston** **– January 9, 2023** **–** Schneider Electric, the global leader in the digital transformation of energy management and automation, and BitSight, the leader in detecting and managing cyber risk, today announced a strategic partnership to develop a first-of-its-kind global Operational Technology (OT) Risk Identification and Threat Intelligence capability.

In recent years, both opportunistic and advanced cyber threat actors have shown increased willingness to target industrial and operational sites. Schneider Electric and BitSight each see their partnership as an important step in furthering their commitment to improve the security and resilience of their communities - by detecting OT protocols exposed over the internet and contextualizing them with improved attribution.

Through a joint effort, Schneider Electric will fuse its deep knowledge of OT protocols and systems with BitSight’s market-leading exposure detection and management capabilities in order to generate the critical insights necessary for proactive security monitoring of externally observable risks to the OT community. The goal of this collaboration is to strengthen industrial security and provide more visibility into Industrial infrastructure and Industrial Control System (ICS) devices that may be at risk from a cyber breach.

"We are delighted to be partnering with Schneider Electric on this critically important initiative to better manage the cyber risk of Internet-connected OT systems. Both BitSight and Schneider Electric share the mission of creating trust in the digital economy by improving cybersecurity protection across all interconnected business types and industries," said Stephen Boyer, Co-Founder and Chief Technology Officer at BitSight. "Operational Technology systems are often exposed and vulnerable to attackers who can exploit them through connected devices and converging networks. By partnering with Schneider Electric, we are proactively addressing this downstream risk by expanding our capabilities to better detect customers’ industrial infrastructure and control systems at risk and to help them improve business resilience."

"With the enriched data and insight collected by BitSight, Schneider Electric is developing an OT threat intelligence capability to notify and work with customers who have exposed assets or insecure Internet facing deployments," stated Christophe Blassiau, SVP, Cybersecurity & Global CISO at Schneider Electric. The capabilities derived through this partnership will provide the data necessary to identify important areas of risk concentration and drive further remediation initiatives, benefitting both customers and the community at large.

The new capability focused on risk identification and reduction across the entirety of the OT domain is not an exclusive arrangement between BitSight and Schneider Electric. Participation is open to all OT vendors willing to share information about their products to improve risk detection and attribution capabilities.

**About Schneider Electric**

Schneider’s purpose is to empower all to make the most of our energy and resources, bridging progress and sustainability for all. We call this Life Is On.

Our mission is to be your digital partner for Sustainability and Efficiency.

We drive digital transformation by integrating world-leading process and energy technologies, end-point to cloud connecting products, controls, software and services, across the entire lifecycle, enabling integrated company management, for homes, buildings, data centers, infrastructure and industries.

We are the most local of global companies. We are advocates of open standards and partnership ecosystems that are passionate about our shared Meaningful Purpose, Inclusive and Empowered values. Discover the newest perspectives shaping sustainability, electricity 4.0, and next generation automation on Schneider Electric Insights.

**About BitSight**

BitSight creates trust in the digital economy and transforms how organizations manage cyber risk. The BitSight Security Ratings Platform applies sophisticated algorithms, producing daily security ratings that range from 250 to 900, to help organizations manage their own security performance; mitigate third party risk; underwrite cyber insurance policies; conduct financial diligence; and assess aggregate risk. With the largest ecosystem of users and information, BitSight is the Standard in Security Ratings. For more information, please visit www.bitsight.com, read our blog or follow @BitSight on Twitter.

Schneider Electric and BitSight Announce Partnership to Improve Detection of Operational Technology (OT) Cybersecurity Exposure

As infrastructure has grown more complex, the need to effectively manage it has grown, too – particularly for applications and APIs.

With many businesses moving application and API infrastructure to the cloud, business environments have grown more complex in recent years. As a result, it has become harder for businesses to manage, operate, maintain, and protect that infrastructure.

Fortunately, a new crop of solutions analysts have dubbed the "distributed cloud" has been introduced to help customers reduce complexity and better protect their application and API infrastructure, regardless of whether it contains any combination of on-premises, private cloud, public cloud, multicloud, and hybrid environments.

What are some of the top use cases for customers that are in the market for these solutions? Here are seven use cases that I've seen come up repeatedly.

**1\. Visibility**

As was the case when most applications were deployed and hosted either on-premises or in what we now call a private cloud, visibility is a must in complex environments as well. Without proper logging, we are blind to the traffic traversing and hitting our applications and APIs. Without this visibility, we won't be able to properly monitor the environment for compliance violations, security issues, intrusions, abuse, fraud, and other issues. We also won't be able to investigate and analyze when we become aware of an issue, event, or incident.

Clearly we cannot allow ourselves to be in this state; thus, visibility is one of the top use cases for distributed cloud.

**2\. Automation**

Bots continues to be an issue for e-commerce businesses. Whether bots are looking to take over accounts, hoard inventory, open fake accounts, scrape prices, commit loyalty fraud, or otherwise, bots costs enterprises money.

Bots make online applications less appealing to end users, cause fraud losses, increase support costs, and tie up precious infrastructure resources and cycles. Businesses that transact online understand the value in being able to effectively mitigate the risk from malicious bots.

**3\. Fraud Prevention**

When famous bank robber Willie Sutton was asked why he robbed banks, he reportedly replied, "Because that's where the money is." Fraudsters know where the money is, and they pursue that money regardless of where applications and APIs are deployed. As such, the ability to detect and mitigate fraud in near real time is another use case that businesses often look for from this group of solutions.

**4\. Security Policy Portability**

In any environment, creating, implementing, and managing effective security policies is an important part of the overall security strategy. As infrastructure has grown more complex, effectively managing security policy across different environments has become significantly more difficult for businesses.

Businesses are looking for the ability to implement and enforce either a standard security policy across multiple complex environments or the appropriate security policy for each environment or type of environment. For this reason, security policy portability is another popular use case for distributed cloud solutions.

**5\. API Discovery**

Proper asset and infrastructure inventory remains as important as always, regardless of how complex the environment has become. This includes APIs, of course.

Knowing where our APIs are allows us to protect and monitor them. It also allows us to ensure that policies and procedures are being followed during the development life cycle. If we are unaware of APIs, we have absolutely no ability to safeguard them from attack. As you can imagine, businesses are often very interested in this particular use case.

**6\. Malicious User Detection**

Malicious users can be difficult to detect with standard security monitoring techniques. That's because they don't compromise or attack applications, but rather they misuse or abuse the business logic of those applications. This is much more difficult to detect and requires insight into the user layer and the way in which the user is interacting with the application.

Without this ability, malicious users can "go rogue" within applications and cause monetary loss for the business. This is obviously something that businesses are looking to avoid, which makes malicious user detection a favorite use case for distributed cloud.

**7\. Scalability**

It may seem too obvious to state explicitly, but most businesses are looking for easy and flexible deployments across multiple environments, regardless of how complex those environments have become in recent years. This allows companies to develop and deploy applications at the speed required by the competitive environment they operate within.

Customers are, appropriately, demanding, and a business' ability to keep up with the competition translates into real money. Thus it is not surprising that scalability is a top use case here.

**Finding Common Solutions**

As infrastructure has grown more diverse and complex, the need to effectively manage that infrastructure has grown as well. The distributed cloud addresses the needs of businesses, particularly around applications and APIs.

Not surprisingly, many businesses face similar challenges, and thus there are a number of common use cases that are seen repeatedly. By understanding these use cases, businesses can look for a solution that addresses many of them, thus reducing the need for multiple, overlapping technologies.

7 Use Cases for Distributed Cloud Environments

A model of continuous authentication and identification is needed to keep consumers safe.

The emergence of Web 3.0 came during a pivotal transformation for the world. Though we were told to stay home and limit face-to-face interactions during the COVID-19 pandemic, life had to keep moving. Business needed to proceed as usual, deals needed to be signed, and money still needed to be transferred. Web 3.0 is an opportunity for businesses to embrace a digital future that will make all of this easier.

Many more things can and are being done digitally compared with three years ago, and while the benefits are clear, new risks and challenges have emerged. With the transition to Web 3.0, the attack surface has also shifted to the largely unchecked customer journey. As a result, our information, money, and identity are more vulnerable than ever before.

**Trust Levels Have Risen****

Ten years ago, purchasing something online for $20 was a big deal, but today, we make large purchases online without a second thought. Our level of comfort has grown immensely over the years and will only continue to grow. We may have started off making small purchases, but now, high-value transactions like loans, money transfers, and insurance claims are all digital, which means there's much more at stake.

At a consumer level, platforms like Apple Pay and Amazon Pay have emerged, which infuse a sense of trust and security into online purchases. Still, when asked to enter our personal credit card information, many of us pause and consider the legitimacy of the site, vendor, etc. A system with the comfort level provided by platforms like Apple Pay doesn't yet exist for high-value business transactions. What's more, there is no system in place to confirm that a company is who it says it is. Or that a link is valid. Or that a real loan is being signed. The move to a digitized world happened so quickly that no one stopped to think about the fact that we need to make sure the process is legitimate. Without face-to-face interactions, how do we know what is real?

There's a reason phishing attacks have grown by 61% since 2021 and a reason bots are more prominent now than they were five years ago: Because attackers have identified an opportunity and seized it. As an industry, we are at an impasse because our solutions have focused on protecting endpoints. But we now need to secure complete digital processes and customer journeys. We need to consistently prove our identity. Solutions like multifactor authentication (MFA), biometrics, and token-based authentication do some of this today, but unfortunately, it's not enough. Almost every week we see stories of sophisticated business email compromise (BEC) scammers bypassing MFA, leveraging tactics like adversary-in-the-middle (AiTM) phishing attacks.

****It's Time for a New Model****

Organizations should examine their customer journeys and identify friction points. This will allow them to pinpoint instances throughout the journey that attackers could exploit. Most organizations have identified at least one of these instances and put protective measures in place. For example, before we can view our final bill, we get a text with a six-digit code we must enter before moving any further in the process. These are the right steps, but we must remember that a digital transaction isn't just a one-step process.

We're moving toward a model that requires continuous authentication and identification throughout these transactions. This model will look slightly different for each organization, but it ultimately will follow these five steps:

1.  Take an unknown identity and turn it into a known one. This should happen at the beginning of every process before any engagement or transaction occurs. Every party involved should prove their identity, whether it be via government-issued ID, biometrics, etc.
2.  Once identities are confirmed and verified, individualized credentials should be distributed to access the digital property — whether it be a website, app, electronic document, or virtual environment.
3.  Guide customers and consumers through multistep and high-assurance transactions over an interactive, secure virtual environment with various authentication methods.
4.  To execute and complete the transaction itself, the process needs to offer strong identity assurance, be equipped with capabilities like digital signature encryption, and comply with the most rigorous security standards and regulations.
5.  Many contracts must be stored and maintained as unique, original copies throughout their lifecycle in accordance with laws such as ESIGN, the Uniform Electronic Transactions Act (UETA), and Uniform Commercial Code (UCC) Article 9-105. To ensure the integrity of the document or transaction, you must preserve the chain of custody and capture the audit trail.

With a shift in the attack surface, security will need to be woven throughout the journey and throughout workflows, and it will need to be done seamlessly to avoid disrupting the digital experience that exists. As we move into the new year, I anticipate this will be a top priority for organizations and security companies alike, and proving identity and ensuring trust in digital processes will become the defining factor of success.

**

Source

DARKReading