The strategy document does nothing to change things on the ground in the near term; legislation, regulation, and follow-up executive action are all going to be key to moving forward the administration's agenda.

The Biden administration's plans to introduce minimum cybersecurity requirements for organizations in critical infrastructure sectors could face challenges in a divided Congress.

That said, many other proposals in the president's broad new National Cybersecurity Strategy, announced March 2, could be relatively easier to implement, even though some of them might have to be via executive fiat, several former government officials and security experts said.

**Much Needed Updating**

"President Biden's National Cybersecurity Strategy will drive a much-needed updating of the United States' cyber-social contract," a senior administration official tells Dark Reading. "That includes both immediate initiatives that build on the administration's executive actions to drive critical infrastructure cybersecurity, as well as an ambitious, long-term vision that will require legislative, regulatory, and technological innovations over the next several years."

The strategy represents a commitment by federal agencies to pursue those innovations and to collaborate with industry to meet objectives, the official says, and continues "our longtime, critical partnership with Congress in developing bipartisan cybersecurity policy."

The key focus areas for Biden's strategy for building US resilience in cyberspace are: critical infrastructure defense, disrupting threat actors, and using the government's purchasing clout and other mechanisms to influence better cybersecurity practices in the public and private sector. The plan also proposes new federal investment in cybersecurity research and development, building a digital identity ecosystem, and focusing on foundational Internet technologies such as the Domain Name System and IPv6.

Individual components of the strategy include mandatory minimum cybersecurity requirements for critical infrastructure, a proposal to make software vendors liable for the security of their products, and services and scaling existing public and private partnerships.

**What's Next for the National Cybersecurity Strategy?**

For the moment, at least, the strategy document does nothing to change things on the ground. Legislation, regulation, and follow-up executive action are all going to be key to moving forward the administration's agenda, says Jordan Burris, senior vice president and head of public sector strategy at Socure. 

"Specifically, we will see this play out in regulation for critical infrastructure sectors to set minimum requirements for cybersecurity," says Burris, former chief of staff at the White House Office of Management and Budget. Legislation will also play a role in ensuring that resources are available for some of the new requirements in the strategy for agencies and other stakeholders.

"Cybersecurity has always been viewed as a non-partisan issue in Washington, DC," Burris says. "However, it is critical that as the administration continues to roll out its plans, that it works with both sides of the aisle to make progress." 

This is going to be especially key when calling on Congress to invest in cybersecurity capabilities across agencies, he says, "Unfortunately, there are many proposals that administrations have advocated for that have obtained little to no traction in the halls of Congress."

Ideally, Biden's plans should receive bipartisan applause and action for his proposals, says Theresa Payton, CEO at Fortalice Solutions and a former CIO at the Executive Office of the President at the White House. "But I've been around long enough to understand the political atmosphere in Washington right now is just short of toxic," she says. "So, finding common ground on these critically important issues is going to be difficult," she adds.

Like Burris, Payton notes that for now, the new strategy provides a road map for the administration's cybersecurity priorities more than anything else. Essentially, the strategy acknowledges the federal government's significant role in cybersecurity while also demanding a whole lot more from the private sector.

**The Biggest Congressional Sign-Off Challenges**

Garnering the support in Congress is going to be especially difficult when it comes to the regulatory component in Biden's strategy document, Payton says. While it is notable the administration is willing to wade into an area that other administrations have stayed away from, the regulatory question will be a tough sell on the Hill, given the pro-business/anti-regulation climate amongst the House majority. Even so, "I think in the aftermath of the SolarWinds breach and the Colonial Pipeline attack, it's an important and probably overdue dialogue that all public and private sector partners need to have," Payton says.

And the Biden administration's proposal to shift liability for software away from users to software vendors and publishers is almost certainly going to be another hard sell. There have been similar proposals in the past that have gone nowhere, and there's little to suggest the new plans will fare any differently.

One initial stumbling block is that software is still not a tangible product under the Uniform Commercial Code (UCC) in the US, explains John Pescatore, a former National Security Agency (NSA) analyst and current director of emerging security trends at the SANS Institute. Before discussions around legislative support for the liability-shifting proposal in Biden's new strategy can even begin, that issue needs resolution, Pescatore tells Dark Reading. 

"The UCC says software is not a tangible good and without that you cannot assign liability," he says. The lobbying power that tech giants have in Washington is only going to exacerbate the challenge, he notes.

Even so, the White House can also take unilateral action in many cases, according to Payton. "Nearly all areas of the strategy can be actionable whether if implemented as an executive order or as a law passed by Congress," Payton adds. "Given the divided nature of Congress, I would expect to see a series of executive orders coming from the White House in the weeks and months ahead."

**There Are Some Actionable Strategy Components**

While the biggest pieces of the plan remain unactionable for now, not all of the proposals in Biden's strategy are dependent on legislation and regulatory action. Perhaps the most important among this group, according to security experts, is the plan to use the federal government's purchasing power to get software vendors and others doing business with the government to follow cybersecurity best practices. 

A Biden May 2021 executive order already requires all federal contractors to produce a software bill of materials (SBOM) and other artifacts of secure software development practices to their federal agency customers. Last week's strategy seeks to scale up and build on those kinds of efforts and doing so will require no legislative support. The strategy document's proposal to bolster public-private information sharing and for dismantling threat actor infrastructure are two other areas that are also not dependent on Congress to move on.

And indeed, Burris perceives that the administration can also move things forward on that front by getting Sector Risk Management Agencies (SRMAs) to better coordinate with entities such as information sharing and analysis centers (ISACs), the US Cybersecurity and Infrastructure Agency (CISA), and bodies such as the Joint Cyber Defense Collaborative.

"Some of the strategy can be enacted by the executive branch under the direction of the White House," says Curtis Franklin, an analyst with Omdia. "These pieces are quite likely to be actionable and, once in place, binding and long-lasting." As examples, he points to proposals in the new strategy to integrate federal cybersecurity centers, to update the federal incident response plan and processes, and integrating federal disruption activities. 

"There's a lot in the document that is an extension of existing strategic items and those will have the easiest time moving forward," Franklin says. Nonetheless, he agrees that it's important to be realistic: "The pieces that would require legal or regulatory action are much more challenging, and some will never happen."

Key Proposals in Biden's Cybersecurity Strategy Face Congressional Challenges

The health, manufacturing, and energy sectors are the most vulnerable to ransomware.

National defense and security experts long predicted that future warfare would not be waged by firearms but with code designed to disable services people depend on for daily life.

In May 2021, security experts' worst fears came true, when a ransomware attack struck the Colonial Pipeline. Gas delivery to most of the US Northeast halted almost overnight. Although systems were eventually restored, the event still lives in infamy today and reminds us of the destructive potential cyberattacks can have when levied against critical infrastructure. Since then, similar infrastructure attacks have dominated headlines across most of the world and are increasingly carried out by non-state-sponsored actors.

In our "Q2/Q3 Ransomware Index Update," Securin (formerly Cyber Security Works) researchers mapped out the impact of ransomware on industrial control systems (ICS) deployed in critical infrastructure establishments. They identified the three most at-risk sectors: healthcare, energy, and manufacturing. Our researchers also examined 16 ransomware vulnerabilities and the bad actors who exploit them, such as Ryuk, Conti, WannaCry, and Petya. We have included a table at the end of the article with the full list of vulnerabilities and impacted vendors.

With each successful attack, ransomware groups grow bolder and target industries that can cause the most pain to exploit the crises for maximum extortion. Understanding the threat actors and their methods is the key to protecting critical industries and maintaining smooth operations.

    

Ransomware CVEs affecting ICS products yet to be included in the CISA KEVs (as on date of publishing the report).

**Healthcare**

Cybersecurity and Infrastructure Security Agency (CISA) advisories to healthcare providers come in the aftermath of ongoing attacks by ransomware groups such as Black Basta, Quantum, and MountLocker. The impact of unpatched critical vulnerabilities in this sector could be potentially life threatening.

Public health and healthcare systems are affected by the majority of vulnerabilities — nine out of the 16 identified — because they are dependent on other sectors for the continuity of their service delivery and operations. Philips Healthcare, a technology-based company that develops advanced visualization software for crucial imaging equipment, is the most affected vendor, clocking in eight vulnerabilities found in its IntelliSpace Portal 9.0. Vulnerabilities CVE-2017-0144 and CVE-2017-0147 should be patched immediately for their high ransomware family associations used in real-world attacks.

**Energy**

An attack on an energy provider can result in grid failure or inconsistent energy output to homes, commercial buildings, or other critical service providers. The energy sector is plagued by six vulnerabilities that organizations must watch, particularly those found in Schneider Electric's products.

CVE-2017-6032 and CVE-2017-6034 affect Schneider Electric's Modicon Modbus Protocol, an open communications standard that is used across critical infrastructure, which can lead to chain reaction attacks. However, vulnerabilities CVE-2019-18935 and CVE-2020-10713 found in Hitachi ABB Power Grid systems and Hitachi Energy Transformer Asset Performance Management (APM) Edge, respectively, pose just as much risk. They should be treated as serious by network security administrators.

**Manufacturing**

The critical manufacturing sector can be divided into four core subindustries: transportation equipment; machinery manufacturing; electrical equipment, appliance and component manufacturing; and primary metals manufacturing.

A quarter of the vulnerabilities included in our analysis affect vendors in the manufacturing sector, including Exacq Technologies, Sensormatic Electronics, and Schneider Electric.

**How to Stay Protected**

We encourage organizations to stay aware of vendor advisories of the products they utilize and take steps to organize vulnerability enumeration according to severity. Most of the vulnerabilities in this article take advantage of legacy setups comprising out-of-date software and, sometimes, unsupported end-of-life components. Here are key insights to keep your system and industry safe:

*   **Improper input validation** is the most prevalent weakness powering ICS ransomware CVEs. Proper input screening can prevent bad actors from infiltrating databases and locking admins out of the system.
*   **Six vulnerabilities** are missing from the CISA Known Exploited Vulnerability (KEV) catalog and should be patched: CVE-2018-5391, CVE-2018-10115, CVE-2017-6034, CVE-2017-6032, CVE-2017-7494, and CVE-2020-10713.
*   **Performing simulated** **penetration tests** of your systems can identify hidden entry points that criminals would otherwise use. Finding where you are most exposed can help set patch priorities and build defenses before attackers can leverage them.

The US economy depends on an interconnected infrastructure of energy, health, and manufacturing. Hospitals need the energy to function and render life-saving services, and oil and natural gas refineries deliver necessary fuel to power domestic manufacturing — it's a marvelous system to appreciate, but a rather precious one as well, and we should take steps to protect it.

CVE ID

Impacted Vendors

CVSS v3 Score

Action

CVE-2021-44228

Exacq Technologies, a subsidiary of Johnson Controls, Inc.; Sensormatic Electronics, LLC, a subsidiary of Johnson Controls Inc.

10

Vendor patch

CVE-2020-10713

Hitachi Energy

8.2

Vendor patch

CVE-2019-18935

Hitachi ABB Power Grids

9.8

Vendor patch

CVE-2019-0708

Spacelabs

9.8

Vendor patch

CVE-2018-5391

Siemens

7.5

Vendor patch

CVE-2018-10115

Philips

7.8

Update to latest version

CVE-2017-7494

Schneider Electric

9.8

Vendor advisory

CVE-2017-6034

Schneider Electric

9.8

ICS advisory

CVE-2017-6032

Schneider Electric

5.3

ICS advisory

CVE-2017-0199

Philips

7.8

Vendor patch

CVE-2017-0148

Philips

8.1

Vendor patch

CVE-2017-0147

Philips

5.9

Vendor patch

CVE-2017-0146

Philips

8.1

Vendor patch

CVE-2017-0145

Philips

8.1

Vendor patch

CVE-2017-0144

Philips

8.1

Vendor patch

CVE-2017-0143

Baxter, Philips

8.1

Vendor patch

Ransomware's Favorite Target: Critical Infrastructure and Its Industrial Control Systems

**DENVER****,** **March 7, 2023** **/PRNewswire/ --** Digitization and the heavy adoption of connected devices are enabling organizations to reach new heights and, at the same time, have intensified the threat landscape and extended the attack surface. As organizations work to reap the benefits of the IT, OT and industrial control system (ICS) convergence, Optiv, the cyber advisory and solutions leader, is helping businesses secure their critical hardware, systems and processes with a full suite of OT security advisory, deployment and management services.

Organizations need a path to mature their OT while also protecting what is most important to the business: safety, uptime and resiliency.

Optiv's OT cyber advisors hold nearly 130 combined years of on-the-ground ICS experience. They provide the foundation for identifying and quantifying risk with assessments, threat modeling, roadmapping, network validation, site walks and policy building.

"We're seeing organizations manage their production environment more effectively while improving their security posture. This has resulted in reduced downtime and increased output," said Sean Tufts, Optiv's OT security services leader. "New endpoints and data sources also create hidden vulnerabilities. Traditional network security struggles to map cyber risk, which puts an OT-driven facility's entire state of being on shaky ground. An impact to OT is an impact to the bottom line."

Optiv provides the necessary tools and services for organizations to gain control over protecting their crucial functions, SCADA systems and both company- and vendor-owned devices. Experts work closely with finely vetted technology partners on OT technology racking, stacking, tuning and integration.

In addition, OT/ICS clients can lift the operational burden from their in-house security teams, with Optiv customizing managed security services to their unique business needs. These might include real-time threat detection and response, platform patching, device maintenance and continuous technology configuration and optimization in OT alert triaging, technology management and Optiv's OT SOC and Advanced Fusion Center.

Whether it is mastering the fundamentals or building advanced capabilities, Optiv's OT cyber services are designed to help identify business-specific OT risks for an integrated approach that spans an organization's entire ecosystem.

Learn more about Optiv's OT Security Services with these resources:

*   Advise – Service Brief
*   Deploy – Service Brief
*   Operate – Service Brief

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom/. 

**Optiv Security: Secure greatness.®**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Optiv Launches Full Suite of Operational Technology Services

Securin Inc. will provide tech-enabled security solutions, vulnerability
intelligence and deep domain expertise.

**ALBUQUERQUE, N.M., March 7, 2023 /PRNewswire-PRWeb/ --** Cyber Security Works Inc., a leading security company, today announced that it is rebranding as  
Securin Inc. due to the evolution of its service capabilities and offerings.  
Under the new identity, it will provide tech-enabled security solutions to  
continuously improve customers' security posture and help them gain resilience  
against evolving threats.

CSW offers flagship services such as vulnerability management and penetration  
testing to customers around the globe. In 2020, CSW became a CVE Numbering  
Authority (CNA) to help the Department of Homeland Security (DHS) and MITRE  
validate newly discovered zero-day vulnerabilities.  

In 2022, CSW acquired Securin, an automated platform with solutions such as  
attack surface management (ASM) and vulnerability intelligence (VI). Since its  
launch, Securin ASM has been providing many leading tech companies with an  
outside-in view of their expanding attack surface from an adversary's  
perspective and helping them to prioritize and remediate their most dangerous  
exposures. Securin VI offers an entire spectrum of vulnerability intelligence  
powered by 700+ authentic intelligence feeds that continuously measure a  
vulnerability's risk. Through its artificial intelligence (AI) & machine  
learning (ML) models, Securin's VI platform warns its customers about  
vulnerabilities that will likely be exploited soon, enabling them to prioritize  
and patch proactively.  

After this rebrand, Securin will combine its offerings to provide customers with  
a comprehensive suite of security solutions such as ASM, VI, Vulnerability  
Management, and Penetration Testing to level up their security. Securin has  
grown to 250+ employees globally and will continue to operate from its offices  
in Albuquerque, New Mexico and Chennai, India.  

Ram Movva, Co-Founder and Chairman of Securin, said, "In the past few years, we  
have added many new capabilities to our offerings. With the shifting  
cybersecurity landscape and evolving threats, it is critical to implement tools  
and solutions that can provide actionable and timely intelligence to prevent  
cybersecurity breaches before they happen. As we forge ahead, we want to become a tech-enabled solution organization focused on increasing the security posture of our customers through our suite of offerings. We believe Securin, as our  
overall brand name, embodies our vision to secure organizations to build  
resilience against emerging threats."  

Expanding on Movva's comments, Aaron Sandeen, CEO of Securin, said, "We are very excited to rebrand as Securin. CSW has seen amazing growth in the past two years and evolved beyond recognition. We have been providing our customers with a full suite of capabilities, such as vulnerability management and penetration testing, bundled with ASM & VI. Rebranding into Securin is the next step in our business evolution, which will enable us to focus on our vision to improve security posture and reduce the attack surface of our customers."  

Sandeen added, "By combining our services - vulnerability management and  
penetration testing with products like Securin ASM and Securin VI, we will be  
offering customers a powerful suite of solutions that will manage and shrink  
their expanding attack surface and also keep them a step ahead of the bad guys."  
After the rebrand, Securin will continue to act as a CVE Numbering Authority  
(CNA) and help MITRE validate zero days and expedite their entry in the National  
Vulnerability Database (NVD).  
To learn more, visit http://www.securin.io.**About Securin**  
Securin is a leading provider of tech-enabled cybersecurity services, helping  
hundreds of customers worldwide gain resilience against emerging threats.  
Powered by accurate vulnerability intelligence, human expertise, and automation,  
its products and services have enabled enterprises to make critical security  
decisions to manage their expanding attack surface.

Cyber Security Works to Rebrand As Securin Inc.

The third iteration of the Exploit Prediction Scoring System (EPSS) performs 82% better than previous versions, giving companies a better tool for evaluating vulnerabilities and prioritizing patching.

A public effort to create a way of predicting the exploitation of vulnerabilities announced a new machine learning model that improves its prediction capabilities by 82%, a significant boost, according to the team of researchers behind the project. Organizations can access the model, which will go live on Mar. 7, via an API to identify the highest scoring software flaws at any moment in time.

The third version of the Exploit Prediction Scoring System (EPSS) uses more than 1,400 features — such as the age of the vulnerability, whether it is remotely exploitable, and whether a specific vendor is affected — to successfully predict which software issues will be exploited in the next 30 days. Security teams that prioritize vulnerability remediation based on the scoring system could reduce their remediation workload to an eighth of the effort by using the latest version of the Common Vulnerability Scoring System (CVSS), according to a paper on EPSS version 3 published to arXiv last week.

EPSS can be used as a tool to reduce workloads on security teams, while enabling companies to remediate the vulnerabilities that represent the most risk, says Jay Jacobs, chief data scientist at Cyentia Institute and first author on the paper.

"Companies can look at the top end of the list of scores and start to work their way down — factoring in ... asset importance, criticality, location, compensating controls — and remediate what they can," he says. "If it's really high, maybe they do want to bump it into critical — let's fix it in the next five days."

The EPSS is designed to address two problems that security teams face on a daily basis: keeping up with the increasing number of software vulnerabilities disclosed every year, and determining which vulnerabilities represent the most risk. In 2022, for example, more than 25,000 vulnerabilities were reported into the Common Vulnerabilities and Exposure (CVE) database maintained by MITRE, according to the National Vulnerability Database.

    

EPSS version 3 (red line) performs much better than previous versions. Source: Jacobs, Jay et al., "Enhancing Vulnerability Prioritization."

Work on EPSS started at Cyentia, but now a group of about 170 security practitioners has formed a Special Interest Group (SIG) as part of the Forum of Incident Response and Security Teams (FIRST) to continue to develop the model. Other research teams have developed alternative machine learning models, such as Expected Exploitability.

Previous measures of the risk represented by a particular vulnerability — typically, the Common Vulnerability Scoring System (CVSS) — do not work well, says Sasha Romanosky, a senior policy researcher at the RAND Corporation, a public-policy think tank and co-chair of the EPSS Special Interest Group.

"While CVSS is useful for capturing the impact \[or\] severity of a vuln, it's not a useful measure of threat — we've fundamentally lacked that capability as an industry, and this is the gap that EPSS seeks to fill," he says. "The good news is that as we integrate more exploit data from more vendors, our scores will get better and better."

**Connecting Disparate Data**

The Exploit Prediction Scoring System connects a variety of data from third parties, including information from software maintainers, code from exploit databases, and exploit events submitted by security firms. By connecting all of these events through a common identifier for each vulnerability — the CVE — a machine learning model can learn the factors that could indicate whether the flaw will be exploited. For example, whether the vulnerability allows code execution, whether instructions on how to exploit the vulnerability have been published to any of three major exploit databases, and how many references are mentioned in the CVE are all factors that can be used to predict whether a vulnerability will be exploited.

The model behind the EPSS has grown more complex over time. The first iteration only had 16 variables and reduced the effort by 44%, compared to 58%, if vulnerabilities were evaluated with the Common Vulnerability Scoring System (CVSS) and considered critical (7 or higher on the 10-point scale). EPSS version 2 greatly expanded the number of variables to more than 1,100. The latest version added about 300 more.

The prediction model carries tradeoffs — for example, between how many exploitable vulnerabilities it catches and the rate of false positives — but overall is pretty efficient, says Rand's Romanosky.

"While no solution is perfectly able to tell you which vulnerability will be exploited next, I’d like to think that EPSS is a step in the right direction," he says.

**Significant Improvement**

Overall, by adding features and improving the machine learning model, the researchers improved the performance of the scoring system by 82%, as measured by the area under curve (AUC) plotting precision versus recall — also known as coverage versus efficiency. The model currently accounts for a 0.779 AUC, which is 82% better than the second EPSS version, which had a 0.429 AUC. An AUC of 1.0 would be a perfect prediction model.

Using the latest version of the EPSS, a company that wanted to catch more than 82% of exploited vulnerabilities would only have to mitigate about 7.3% of all vulnerabilities assigned a Common Vulnerabilities and Exposures (CVE) identifier, much less than the 58% of the CVEs that would have to be remediated using the CVSS.

The model is available through an API on the FIRST site, allowing companies to get the score of a particular vulnerability or to retrieve the highest scoring software flaws at any moment in time. Yet companies will need more information to determine the best priority for their remediation efforts, says Cyentia's Jacobs.

"The data is free, so you can go get the EPSS scores, and you can go grab daily dumps of that, but the challenge is when you put it into practice," he says. "Exploitability is only one factor of everything that you need to consider, and the other things, we can't measure."

Machine Learning Improves Prediction of Exploited Vulnerabilities

The Android app unnecessarily accessed clipboard device contents, which often includes passwords and other sensitive data.

A version of the Shein shopping application in the Google Play store with more than 100 million downloads was unnecessarily accessing Android-device clipboard contents, creating a potential security threat, according to Microsoft.

The software giant said in a blog post from Microsoft Threat Intelligence that it asked Shein to remove the feature from its Android app that accessed user clipboards, and the company complied. However, users need to update their apps to be free from danger. 

From passwords to account numbers, and auto-fill information of all kinds, device clipboards can contain a treasure trove of sensitive data.

"Microsoft discovered that an old version of the Shein Android application periodically read the contents of the Android device clipboard and, if a particular pattern was present, sent the contents of the clipboard to a remote server," the Microsoft blog post said. "While we are not specifically aware of any malicious intent behind the behavior, we assessed that this behavior was not necessary for users to perform their tasks on the app."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Shein Shopping App Glitch Copies Android Clipboard Contents

This is the latest in a line of law-enforcement actions busting up the ransomware scene.

On Feb. 28, multiple police forces carried out a coordinated action against two suspected members of the cybercrime gang behind the DoppelPaymer ransomware.

These latest raids, revealed on March 6 by Europol, follow a series of other law enforcement campaigns against prominent ransomware groups in recent years. "We've seen an increase in the velocity of law enforcement and government action against actors that are involved in ransomware or in the supporting ecosystem," Jeremy Kennelly, lead analyst in financial crime analysis for Mandiant, tells Dark Reading. "And that does, in aggregate, seem to be causing a bit of a chilling effect."

**Police Chip Away at DoppelPaymer**

DoppelPaymer is a 4-year-old ransomware derived from the BitPaymer ransomware and Dridex banking Trojan. Cybercriminals have used it to freeze corporations like Compal and Kia, sometimes demanding multimillion-dollar ransoms in the process. It has also been used in attacks against government agencies and critical infrastructure.

In September 2020, for example, DoppelPaymer cut off communications between emergency personnel and a Dusseldorf hospital. "At least one individual requiring emergency services was re-routed to a hospital 20 miles away," the FBI explained in a notice to the private sector. "This individual later died," though police "felt the individual’s health was poor and the patient likely would have died even if they had not been re-routed."

In a press release published March 6, Europol revealed that officers of the North Rhine-Westphalia Police raided the home of a German citizen "who is believed to have played a major role" in the group behind DoppelPaymer. At the same time, the agency noted that "despite the current extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia," Ukrainian National Police officers interrogated a second suspected core member of the group, and searched two associated locations — one in Kiev and the other in Kharkiv.

In both cases, officers seized electronic equipment, which is currently under forensic examination. These coordinated actions were aided by Europol, the Dutch National Police Corps, and the FBI.

**Is Law Enforcement Having an Impact?**

Some of the darkest days in cybercrime history occurred in 2020 when, capitalizing on the COVID-19 pandemic, financially motivated cybercriminals ramped up their ransomware activity to never-before-seen levels. It "was hugely lucrative," Kennelly explains. "They just kept pressing that button, and money kept coming out of it." Worst of all, though, "their actions weren't getting disrupted, and people weren't getting arrested."

Eventually, the rampant attacks against hospitals, in particular, put an unignorable spotlight on the scourge of ransomware. Law enforcement responded, cracking down on some of the world's most prominent ransomware groups. For example, Hive has been thoroughly disrupted by a months-long campaign by the US Department of Justice, and REvil — once the scariest name in the game — was almost completely dismantled following coordinated arrests in Russia.

"Any one action won't completely stem the tide," Kennelly says, but "it's the aggregate result of pressure from all sides" that has caused a noticeable effect on the underground cybercrime economy.

"A lot of cyber-threat activity is still being monetized via ransomware," Kennelly explains, "but based on our own observations, and data from other data from public sources, it appears as though there has been an overall decline in the amount of ransomware activity globally."

By taking down infrastructure, removing key members of these groups, and intimidating those that remain, law enforcement is beginning to make a real impact on ransomware. But even these many good news stories only address a small fraction of the ecosystem at large. "It's still very prevalent," Kennelly warns. "So to say that ransomware is going away or that the criminal ecosystem is shifting away from it isn't reasonable."

Police Raid Rounds Up Core Members of DoppelPaymer Ransomware Gang

A team has found that the Crystals-Kyber encryption algorithm is open to side-channel attacks, under certain implementations.

One of the four post-quantum computing encryption algorithm standards selected by the US National Institute of Standards and Technology (NIST) for public key encryption is open to side-channel attacks, researchers warn.

A new paper published by a team from the Royal Institute of Technology in Sweden reported that Crystal-Kyber implementations under certain masked implementation conditions could be vulnerable.

"Crystals-Kyber has been selected by the NIST as a public-key encryption and key encapsulation mechanism to be standardized," the paper's abstract explained. "It is also included in the NSA's suite of cryptographic algorithms recommended for national security systems. This makes it important to evaluate the resistance of Crystals-Kyber's implementations to side-channel attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

NIST's Quantum-Proof Algorithm Has a Bug, Analysts Say

**Bethesda, MD -** SANS Institute, the global leader in cybersecurity training and certifications, is proud to announce the launch of the SANS Cloud Diversity Academy (SCDA), brought to you by SANS & Google. This academy provides unparalleled training and certifications to Black, Indigenous, and People of Color (BIPOC), women, and other underrepresented groups who are passionate about pursuing a technical career in cybersecurity. The SCDA aims to reduce the skills gap in the industry, with a particular focus on cloud security, while also creating a more diverse and inclusive workforce.

"Empowering communities that have been traditionally underrepresented to pursue a career in cybersecurity is of utmost importance to SANS and Google.," said Max Shuftan, Director of Mission Programs and Partnerships at SANS Institute. "The White House just released the National Cybersecurity Strategy to secure the full benefits of a safe and secure digital ecosystem for all Americans. SCDA directly supports the Administration’s strategic objective of developing a national strategy to strengthen our cyber workforce and tackle the lack of diversity in the field head-on. We are committed to reducing the talent shortage and driving greater diversity, equity, and inclusion, ensuring careers in cybersecurity are well within reach for all Americans.”

"As more businesses adopt cloud technology, the need for skilled professionals in cloud security becomes increasingly vital,” said Frank Kim, SANS Institute Fellow, Cloud Curriculum lead, and CISO-in-Residence at YL Ventures. “SANS Cloud Diversity Academy equips professionals with essential skills to protect businesses and their data through SANS OnDemand training & hands-on labs with industry experts."

Applicants can currently be employed in an entry-level IT or STEM role, but priority may be given to those unemployed, underemployed, or interested in a career change. In addition, applicants must demonstrate their aptitude and passion for security, and also be currently living in the U.S. and have work authorization as a U.S. citizen or permanent legal resident.

“The SANS Cloud Diversity Academy is an exciting initiative that we're proud to support,” said M.K. Palmore, Director, Office of the CISO, for Google Cloud. “By partnering with SANS, we will reduce the critical shortage of skilled talent in cybersecurity by providing individuals from diverse backgrounds with the training they need to launch a career in cloud security. The program offers an exceptional opportunity for participants to develop hands-on, practical cloud security skills and gain industry-leading certifications. We're eager to see this initiative's impact on the cybersecurity workforce!”

The academy will provide scholarship-based training of up to three SANS courses and the associated GIAC certifications, the gold standard in the industry. This accelerated SANS training and GIAC certification will launch careers in months, not years, and provide valuable, validated skills and knowledge for graduates as they launch careers in cloud security.

The SANS Cloud Diversity Academy application window opens March 1, 2023, and ends April 14, 2023. To learn more and apply today, please visit https://www.sans.org/scholarship-academies/cloud-diversity-academy/.

**About SANS Institute**

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cybersecurity events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on technical certifications in cybersecurity. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's and bachelor's degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to manage their "human" cybersecurity risk easily and effectively. SANS also delivers a wide variety of free resources to the InfoSec community, including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners representing varied global organizations, from corporations to universities, working together to support and educate the global information security community.

SANS Institute Partners With Google to Launch Cloud Diversity Academy

As digital identity verification challenges grow, organizations need to adopt a more advanced and forward-focused approach to preventing hacks.

Online authentication is a challenge for organizations of all shapes and sizes. Despite increasingly sophisticated cybersecurity tools, hackers and criminals continually find new and more nefarious ways to enter enterprise systems.

One method gaining attention for fighting account compromise attacks is verifiable credentials. The concept refers to using digital credentials that adhere to an open standard. These credentials typically include data and elements from vetted physical artifacts, like a driver's license, passport, or digital equivalent, such as a bank account.

Verifiable credentials are appealing because they use digital signatures, making them far more resistant to tampering and theft than physical identifiers. It's possible to carry these digital credentials in a digital wallet within a smartphone or on a PC, enabling trust to be established within and across organizations.

At a time when identity theft, fraud, and malware are rampant, verifiable credentials are rapidly gaining traction. Moreover, security protections multiply when these digital artifacts are combined with a verifiable data registry. Additionally, verifiable credentials allow for selective disclosure, which means individuals can choose to share only necessary information with a specific party rather than sharing all of their personal data. This helps to protect sensitive information and reduce the risk of identity theft.

**Truth or Consequences**

Verifying a person's identity is a simple task in the physical world. Birth certificates, utility bills, and government IDs demonstrate that a person is who they say they are. A trusted authority has authenticated the person and presented them with an artifact they can use to verify pieces of information. This makes it possible for a person to board a flight, apply for government benefits, or open a bank account.

Online, there's no central authority for identity. Every company, website, or account requires a specific username and password. While a few large companies like Google, Apple, and Facebook have attempted to consolidate identity using their login credentials for single sign-on (SSO), there's still no central authority to verify actual identity.

Enter verifiable credentials and verifiable data registries — an approach that transforms the security of the physical world into the digital realm.

**Resilience in Any Situation**

Verifiable credentials can improve system resilience in an identity provider outage or network interruption. For example, if a natural disaster like a hurricane occurs — and takes an identity provider offline — it's still possible to verify a user's identity. Since the user's device holds their signed credentials, it can be presented to an application that can verify the credential using a cached copy of the user's public key. For another example, consider cruise ships, which are notorious for their satellite Internet connections dropping or becoming slow. Using the previously discussed verifiable credentials flow, onboard applications could still verify a user's identity and allow users to make dinner or entertainment reservations, or book excursions.

**Making the Move**

Migrating to verified credentials with verifiable data registries involves a few challenges. Typically, it's necessary to rewrite applications to support them. One way to overcome this roadblock is by decoupling identity from applications through orchestration. This makes it possible to migrate from legacy and brittle services to distributed and resilient systems without touching the codebases of those legacy applications.

Orchestration delivers a highly flexible and secure framework. For example, a company may want to establish only essential criteria like the user's citizenship and employer, or impose any other requirements, each of which may need to be validated by different identity services or systems. All these criteria and conditions can be managed seamlessly and invisibly using orchestration.

Companies looking to adopt verifiable credentials should focus on two key areas. First, ensuring that the initial verification process is secure and that the entity issuing the credential is entirely trustworthy. Second, it's essential to establish a process to handle edge cases and issues, such as when a network outage occurs. 

As digital identity verification challenges grow, many organizations are recognizing the need to adopt a more advanced and forward-focused approach. Verifiable credentials and verifiable data registries offer a path to more robust and resilient security.

Source

DARKReading