A vulnerability within Microsoft's OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit.

Microsoft is a primary target for threat actors, who scour Microsoft applications for weaknesses. Our security research team at Adaptive Shield recently discovered a new attack vector caused by a vulnerability within Microsoft's OAuth application registration that allows attackers to leverage Exchange's legacy API to create hidden forwarding rules in Microsoft 365 mailboxes.

To understand this new attack vector, you must understand the key components therein. These include hidden forwarding rules and SaaS-to-SaaS app access, all of which amount to a malicious SaaS rootkit that can infiltrate users' accounts and control their mailboxes — without the users' knowledge.

Learn more about the top use cases to secure your entire SaaS stack.

**Hidden Forwarding Rules**

Inbox rules are actions that occur based on preset conditions within a Microsoft mailbox. Users or admins can use forwarding rules to trigger protocols based on different attributes of the user's inbox.

Hidden forwarding rules (Figure 1) were first discovered by Compass Security's Damian Pflammater in 2018. He covered the discovery and Microsoft’s response in a blog post titled "Hidden Inbox Rules in Microsoft Exchange." These rules are fully functional and can be seen on the back end. However, they are not visible common interfaces such as email clients, an admin dashboard, or an API (Figure 2).

    

Figure 1. Hidden forwarding rules are visible on the back end.

    

Figure 2. Forwarding rules don’t appear in searches through common interfaces.

**SaaS-to-SaaS Access Through OAuth 2.0**

SaaS-to-SaaS app access, also referred to as third-party app access, describes the conditions under which one app can connect to another app and, in doing so, gain access and permission to different information and settings. The OAuth 2.0 mechanism simplifies the process of authentication and authorization between consumers and service providers through a seamless process that allows users to quickly verify their identities and grant permissions to the app. The app is then allowed to execute code and perform logic within its environment behind the scenes.

In many instances, these apps are completely harmless and often serve as a valuable business tool. In other instances, these apps can act as malware, similar to an executable file.

    

Figure 3. Connecting third-party apps.

**The Next Evolution: An Attack Method Through SaaS**

With this SaaS rootkit, threat actors can create malware that lives as a SaaS app and can infiltrate and maintain access to a user's account while going unnoticed.

While bad actors can't find Exchange Legacy scopes that can used to add programmatically online hidden forwarding in the Microsoft UI, they can add them through a terminal script.

The attacker's job is simple: Create an app that looks credible, add the legacy scope protocols removed from the UI to the app (exploiting the vulnerability that the Adaptive Shield team uncovered), and send an offer to users to connect to it. The user will see an OAuth app dialogue box on the official Microsoft site, and many will likely accept it (Figure 4).

    

Figure 4. This screen shows a fake app permissions request.

Once a user accepts, the bad actor receives a token that grants permission to create forwarding rules and hides them from the user interface like a rootkit.

An attack through these hidden forwarding rules should not be mistaken for a one-off attack but, rather, the start of a new attack method through SaaS apps.

**Microsoft Response**

In 2022, Adaptive Shield contacted Microsoft about the issue, Microsoft in response said that the issue has been flagged for future review by the product team as an opportunity to improve the security of the affected product.

**How to Best Mitigate a SaaS Rootkit Attack**

There's no bulletproof way to eliminate SaaS rootkit attacks but there are a few best practices that can help keep organizations more protected.

*   **Monitor third-party app access** and their permissions to ensure that apps are legitimate and given only the access they require.
*   **Track activities** and be on the lookout for new inbox rules to identify any new connections from untrusted domains.
*   **Disable third-party app registrations** where possible to reduce risk.

**Conclusion**

Hidden forwarding rules are still a threat, even more so when they appear through the trusted Microsoft website. The traditional controls that were created to stop malware have struggled to keep up with the evolution of malware and the new attack vector that can exploit any SaaS app, from M365 to Salesforce to G-Workspace, etc. Organizations should utilize native security configurations to control the OAuth application installations across SaaS apps to protect users from malicious attacks like these.

Get Forrester's SSPM Report, "Embrace aParadigm Shift In SaaS Protection: SaaS Security Posture Management."

**About the Author**

    

A former cybersecurity intelligence officer in the IDF, Maor Bin has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his B.Sc. in computer science and is CEO and co-founder of Adaptive Shield.

SaaS RootKit Exploits Hidden Rules in Microsoft 365

The US Department of Justice hacked into Hive's infrastructure, made off with hundreds of decryptors, and seized the gang's operations.

The Feds have disrupted the prolific Hive ransomware gang, saving victims from a collective $130 million in ransom demands. But it remains to be seen how much of a blow the effort will be to the overall ransomware landscape.

The group's operations have been buzzing with activity for months, racking up more than 1,500 victims in 80-plus countries around the world since it appeared in June 2021, according to an announcement from the US Justice Department. The gang has been operating with a ransomware-as-a-service (RaaS) model, engaging in data theft and double extortion, and delivering its venom indiscriminately to school districts, financial firms, critical infrastructure, and others. At least one affiliate has become a bit of a hospital specialist, disrupting patient care in some attacks.

In what officials called "a 21st-Century cyber-stakeout," the FBI has been infiltrating the gang's network infrastructure since last July and, perhaps most notably, has now seized its decryption keys.

"The FBI has provided over 300 decryption keys to Hive victims who were under attack," according to Thursday's announcement. "In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims."

**Hive: Gone for Good?**

Aside from swiping the decryptors, the DoJ also worked with German law enforcement to execute a coordinated seizure of the group's command-and-control (C2) infrastructure (including two servers located in Los Angeles) and the group's Dark Web leak site, US Attorney General Merrick Garland said during a press conference.

The actions could have a significant effect on the volume of ransomware attacks, at least in the short term. According to Mandiant, Hive was the most prolific ransomware family that it dealt with in its incident response engagements, accounting for more than 15% of the ransomware intrusions that it responded to.

That said, while the strike will certainly be a blow to the gang, it's unlikely that its affiliates and members will be dormant for long. As with other high-profile takedowns such as those of Conti and REvil, it's likely that they will simply join other teams or regroup to sting another day.

"We've seen multiple actors using Hive ransomware since it emerged, but the most prolific actor over the past year, based on our visibility, was UNC2727," Kimberly Goody, senior manager at Mandiant Intelligence — Google Cloud, said in an email statement. "Hive also hasn't been the only ransomware in their toolkit; in the past we've seen them employ Conti and MountLocker, among others. This shows that some actors already have relationships within the broad ecosystem that could enable them to easily shift to using another brand as part of their operations."

**Ransomware Is Becoming Less Attractive**

Still, the ransomware game is getting tougher for operators, who are facing declining profit margins, lower valuations for cryptocurrency, intense law enforcement scrutiny, more victims having appropriate backups in place, and increasing refusals from targets to pay up. As such, researchers have seen an emerging trend of ransomware actors pursuing other avenues to make money.

Crane Hassold, former FBI cyber psychological operations analyst and head of research at Abnormal Security, said via email that this latest event is likely to add fuel to that phenomenon.

"It's very possible that we'll start to see ransomware actors pivot to other types of cyberattacks, like business email compromise (BEC)," he said. "BEC is the most financially impactful cyberthreat today and, instead of using their initial access malware to gain a foothold on a company's network, they could simply reconfigure the malware to establish access to employee mailboxes, which could lead to more scaled and sophisticated vendor email compromise attacks."

Hive Ransomware Gang Loses Its Honeycomb, Thanks to DoJ

After Berlin pledged tanks for Ukraine, some German websites were knocked offline temporarily by Killnet DDoS attacks.

After Berlin agreed to send its advanced Leopard 2 tanks to Ukraine, Russia-backed threat group Killnet retaliated with DDoS attacks aimed at Germany's government, banking, and airport sites.

Germany's BSI federal agency, which oversees information security, said the attacks caused some small outages, but otherwise did little damage.

"Currently, some websites are not accessible," the BSI said in a statement to Reuters. "There are currently no indications of direct effects on the respective service and, according to the BSI's assessment, these are not to be expected if the usual protective measures are taken."

Last fall Killnet was behind similar DDoS attacks against US airports last fall and has been escalating its nefarious cyber activities throughout Russia's invasion of Ukraine.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

German Government, Airports, Banks Hit With Killnet DDoS Attacks

The rapid maturation and rebranding of ransomware groups calls for relentless preparation and flexibility in response, according to one view from the trenches.

Analysis of ransomware trends in 2022 shows that business was booming last year for extortionary cybercriminals, with the highest volume of ransomware attacks lobbed by sophisticated criminals that organize into groups that utilize very consistent tactics, techniques, and procedures (TTPs) amongst themselves, even if these organizations "retire" and then come back, rebranded.

A Jan. 26 report from the GuidePoint Research and Intelligence Team (GRIT) showed that while at least one new ransomware group emerged every month last year, the majority of attacks were perpetrated by a relatively small group of entrenched players.

The "GRIT 2022 Ransomware Report" examined data and circumstances from 2,507 publicly posted ransomware victims across 40 industry verticals that were carried out by 54 active threat groups.

"The thing that we really wanted to emphasize was that ransomware is not going anywhere," says Drew Schmitt, GRIT lead analyst and an experienced ransomware negotiator for GuidePoint Security. "It's very present. A lot of people seem to think that ransomware is potentially declining, because of things like Bitcoin payments are becoming less valuable. But ransomware is still happening at crazy rates."

    

Source: GRIT 2022 Ransomware Report, GuidePoint Security

As a negotiator, Schmitt works with actively attacked companies to act on their behalf and interface with the extortionist. There are two goals: to either gain enough information and time to help their security operations centers (SOCs) recover, or to negotiate a lower payment.

Using his inside knowledge about how attackers operate, and the data freely available about victimology last year, he and his team were able to put together a number of insights for the report. Dark Reading caught up with Schmitt to not only dig into details the report, but also to glean observations from his ongoing work as a negotiator. He provided seven key points that defenders should keep in mind as they prepare for more ransomware campaigns in 2023.

**1\. There's a Definite Taxonomy to Ransomware Gangs**

A big part of the analysis revolved around the development of a ransomware taxonomy for categorizing ransomware groups, which the team organized into four buckets: full-time, rebrands, splinter, and ephemeral. 

The majority of attacks came from what the taxonomy dubbed full-time groups, which have been active for nine or more months and publicly claim 10 or more victims.

"These are the Lockbits of the world, and they're the ones that are doing very consistent operations \[and\] can maintain a very high tempo," Schmitt says. "They are very consistent in behaviors and have a lot of really robust infrastructure. Those are the ones that have been operating for a very long period of time, and they're doing it consistently."

As the report pointed out, Lockbit alone accounted for 33% of attacks last year.

Then there are the rebrand groups, which have been active for less than nine months but claim nearly the same number of victims as full-time groups, and with some examination of TTPs usually have some correlation with a retired group.

"Really the only difference between the rebrand and the fulltime is the duration of operation," Schmitt says. "Groups like Royal also fit into this type of category where they just have very robust operations and they're able to operate at a high tempo."

Meantime, "splinter" groups are those that have some TTP overlap with known groups, but are less consistent in their behaviors.

"The splinter groups are an offshoot from either a rebrand or a full-time, where it's maybe somebody going off and doing their own thing," he says. "They haven't been around for very long. Their identity is not solidified at this point in time, and they're really just trying to find themselves and how they're going to operate."

Finally rounding things out are "ephemeral" groups that have been active for less than two months, which have varied but low victim rates. Sometimes these groups come and go, while other times they end up developing into more mature groups.

**2\. Rapid Rebranding of Ransomware Groups Makes Threat Intelligence Key**

The classification into those four taxonomy groups looks cleaner in an annual report than it does on the ground when a SOC starts lighting up.

"When you start dealing with these types of groups that are popping up and going away very quickly, or they're rebranding, they're developing new names, it does make it very much more difficult for the blue teamers or the defenders to keep up with these types of trends," says Schmitt, who explains that keeping tabs on rebranding and splintering of groups is where threat intelligence should come into play.

"We really like to focus on emphasizing communication when it comes to threat intelligence — whether it's threat intelligence talking with the SOC or the incident response team, or even vulnerability management," he says. "Getting an idea of what these trends look like, what the threat actors are focusing on, how much they pop up and go away, all of that is very valuable for the defenders to know."

**3\. RaaS Groups Are a Wild Card in Negotiations**

Even though the underlying TTPs of fulltime groups makes a lot of ransomware detection and response a little easier, there are still some big variables out there. For example, as many groups have employed the ransomware-as-a-service (RaaS) model, they employ a lot more affiliates, which means negotiators are always dealing with different people.

"In the early days of ransomware, when you started negotiations, there was a good chance you were dealing with the same person if you were dealing with the same ransomware," Schmitt says. "But in today's ecosystem, there are just so many different groups, and so many different affiliates that are participating as part of these groups, that a lot of times you're almost starting from scratch."

**4\. Ransom Demands Are Climbing Sky High**

One of the anecdotal observations Schmitt made was the fact that he's seen a lot of very high initial ransom demands from ransomware operators lately.

"We've seen $15 million, we've seen $13 million, we had $12.5 million. There's a lot of very high initial ransom demands that have been happening, which is a little bit surprising," he says. "And a lot of times we do successfully negotiate significantly lower ransoms. So starting at $15 million and getting down to $500,000 is not uncommon. But at the same time there are just certain threat actors that are like, 'You know what? This is my price and I don't care what you say, I'm not going to negotiate.'"

**5\. Improved Backup Strategies Are Making a Difference in Preparation**

The ratio of clients he sees who can successfully recover without caving to the extortion demands versus those that need to pay a ransom is coming close to a 1:1 parity, Schmitt says.

"In the early days it was like, 'Well crap, we got encrypted. We can't recover unless we pay this ransom,'" he notes. "As time has gone on, having really effective backup strategies has been huge for being able to recover; there are a lot of organizations that get hit with ransomware and they're able to recover simply because they have a really solid backup strategy in place."

**6\. Double Extortion Is the Norm**

However, there are still plenty of organizations that are still behind the curve, he says, which keep ransomware more profitable than ever. Additionally, the bad guys are also adjusting through doubleextortion, not only encrypting files, but stealing and threatening to publicly leak sensitive information as well. All of the groups tracked in the report utilize double extortion.

"It's a little bit unclear whether that's just because people are getting better at securitynor the groups are really realizing that maybe it's not worth the effort to deploy the ransomware if the client already has a backup strategy in place that's going to allow them to recover," he says. "So, they've been focusing on that data exfiltration because I think they know that that's the best chance that they actually have to make money off of an attack."

**7\. There's No Honor Among Thieves, but There's Business Sense**

Finally, the big question in dealing with criminal extortionists is whether the bad guys are even going to keep their word once the money drops in their account. As a negotiator, Schmitt says that, for the most part, they typically do so.

"Obviously, there's no honor among thieves, but they do believe in their reputation," he says. "There are edge cases where something bad happens, but most commonly the bigger groups are going to make sure they don't post your data and they're going to provide you the decryptor. It's not going to be some malware backdoor decryptor that's going to do more damage. They're very focused on their reputation, and their business model simply just doesn't work if you pay them and then they still leak your data or they don't give you what they're supposed to."

7 Insights From a Ransomware Negotiator

Only one in 10 enterprises will create a robust zero-trust foundation in the next three years, while more than half of attacks won't even be prevented by it, according to Gartner.

The zero-trust approach to security promises to reduce threats and make successful attacks less damaging, but companies should not expect that implementing zero-trust principles will be easy or prevent most attacks, business intelligence firm Gartner said this week.

While interest in zero-trust architectures is high, only about 1% of organizations currently have a mature program that meets the definition of zero trust. The firm also estimates that only a 10th of all organizations will create a mature zero-trust framework by 2026, and by that time, those measures will end up only blocking or minimizing the impact of about half of all attacks. 

Even so, moving from 1% to 10% is significant progress, says John Watts, vice president analyst at Gartner.

"That's a relatively large increase," he says. "\[Ten percent\] may seem low, but at the same time, right now, when we talk to clients, and we look at other industry data points, it doesn't seem like there are many large organizations you can point to that have a mature and measurable zero-trust program."

Zero-trust initiatives continue to be an aspirational goal for companies and their cybersecurity teams, with 80% of executives indicating that the strategy is a top priority and 77% increasing their budget for implementation, according to a 2022 survey published by the Cloud Security Alliance in June. A separate report published by Microsoft in 2021 found that 96% of security leaders considered zero trust critical to their success — and 76% were "in the process" of implementing a zero-trust initiative.

**Turning Zero Trust Into Action**

As companies mull their paths forward, they should recognize that getting to a comprehensive zero-trust architecture is not easy and will take time, says Christopher Hallenbeck, CISO for the Americas at Tanium, a provider of converged endpoint management.

"The process of migrating to zero trust can seem overwhelming, and it often causes paralysis," he says. "I’m surprised the \[forecasted\] number is as high as 10%. While many organizations have zero-trust aspirations, few have made holistic changes to fully embrace it."

It can also be confusing, given the widespread use of "zero trust" in the marketing of cybersecurity products and services. 

In a prior Insights report, Gartner pushed back against the overzealous use of the term. Neil MacDonald, a distinguished vice president and analyst at the firm, said that zero trust requires that the degree of trust granted to users and devices need be explicitly granted, continuously calculated, and then adapted to allow the right amount of access only for as long as necessary.

"Zero trust is a way of thinking, not a specific technology or architecture," he said. "It's really about zero implicit trust, as that's what we want to get rid of."

While the notion of removing implicit trust from enterprise computing infrastructure is a good one, the architecture is difficult and time-consuming to implement and does not solve all problems, the analyst firm stated as part of this week's post.

As such, organizations need to move to integrating zero-trust initiatives into specific pieces of their operations, Hallenbeck notes.

"You need to configure each system to bring it under zero trust and should prioritize those systems holding the most sensitive information," he says. "It all comes down to knowing what you have in order to form a plan."

**Know the Limits of Zero Trust**

Indeed, knowing the scope and limits of zero trust is critical, Gartner's Watts says. The architecture and technologies used in zero-trust implementations are good for blocking lateral movement and containing the impact of an initial breach. However, companies should not expect a zero-trust service to prevent compromises of consumer-facing systems.

Anything that's intended for consumer consumption and exposed to the Internet, where anybody can find and try to use the service, is not a candidate for zero trust and not in scope for a company's initiatives, Watts says. Attackers are already starting to bypass some identity and authentication techniques, such as last year's compromise of Rockstar Games through spear-phishing and an internal collaboration platform. They will continued to find entry points that are not controlled by zero-trust protections, or they will focus on the weakness of zero trust, he says.

The firm, in fact, predicts that by 2026, zero trust will not be able to prevent more than half of all cyberattacks.

Still, adopting zero-trust frameworks will eventually pay off, Tanium's Hallenbeck says. A company with a mature zero-trust program knows "what systems \[they\] have and where data lives," he says. In that way, even if an attacker bypasses a zero-trust protection, the organization can limit the damage by limiting the attacker's access to internal systems and data.

"We're just starting to move past this phase, from where every vendor tells you they can solve all your zero-trust problems, and into the space where organizations now are implementing more zero-trust controls," Watts says. "They're facing a reality of both good and bad, right? And it's not all good, and it's not all bad."

Companies Struggle With Zero Trust as Attackers Adapt to Get Around It

**25****th****January 2023**– The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment has released its report ‘Deconstructing Application Connectivity Challenges in a Complex Cloud Environment’. The survey, conducted in partnership with AlgoSec, a global cybersecurity leader in securing application connectivity, sought to better understand the industry’s knowledge, attitudes, and opinions regarding application connectivity security in the cloud.

“Increasingly, organizations are taking advantage of SaaS applications to the point where application security has become an integral part of many organizations' security strategies. Despite their growing prevalence, organizations are still faced with a host of pain points when it comes to application connectivity security and risk management,” said Hillary Baron, Senior Technical Director for Research, Cloud Security Alliance, and a lead author of the report.

Among the key findings:

**Managing risk for application connectivity is a complicated task**. Lacking a single source of truth, organizations are trying to use multiple methods to get similar information: 53 percent of respondents reported using a cloud provider’s assessment service; 50 percent use a third-party cloud-only tool, another 45 percent use a generic risk or vulnerability assessment tool, and 32 percent use a third-party hybrid network security tool.

**Managing application connectivity risks in the deployment process is changing**. Traditional security teams are responsible for identifying and mitigating risk and this still holds true for 42 percent of organizations. However, there is a shift happening: Thirty-two percent of organizations utilize infrastructure as code with embedded security checks, suggesting organizations are beginning to use more automation, leaving less room for human error.

**Human error leads to significant application downtime.**Nearly 75 percent of organizations have experienced an application outage in the past 12 months, and for over half (52%) of the outages, operational human error and mismanagement was the cause—unsurprising, given the skills gap that has plagued the information security industry.

“As cloud-native business applications become the standard for business transformation and innovation, the need to incorporate security into the DevOps process is paramount,” said Jade Kahn, Chief Marketing Officer, AlgoSec. “However, cumbersome security processes and lack of visibility are slowing applications’ time-to-market and compromising security in this new paradigm. This research underscores the importance of identifying risk early in the DevOps process and aligning all stakeholders around risk and compliance gaps from the start.”

The survey, which was sponsored by AlgoSec, was conducted online by CSA in August 2022 and received 1,551 responses from IT and security professionals from organizations of various sizes and locations. CSA research prides itself on vendor neutrality, agility, and integrity of results. Sponsors are CSA Corporate Members who support the findings of the research project but have no added influence on the content development or editing rights to CSA research.

New Study Examines Application Connectivity Security in the Cloud

Program provides financial assistance to aspiring information security professionals, enabling students toward long-term career success.

**ALEXANDRIA, Va.****,** **Jan. 26, 2023** **/PRNewswire/ --** The Center for Cyber Safety and Education, the charitable arm of (ISC)² - the world's largest nonprofit association of certified cybersecurity professionals – announced it is now accepting applications for its 2023 scholarships. The scholarships award qualifying information security students financial support as they pursue associate, undergraduate, and graduate degrees. The application period began January 17 with the (ISC)² associates and undergraduate, graduate, and women's scholarships and KnowBe4's women's scholarship all opening for applications. 

The scholarships were created to provide financial assistance to aspiring cybersecurity professionals from diverse backgrounds from around the world. Applicants must be pursuing, or plan to pursue, a degree with a focus on cybersecurity, information assurance or a similar field in the fall of 2023 and have at least a 3.3 GPA on a 4.0 scale. The Center for Cyber Safety and Education evaluates applicants based on academic excellence, passion for the industry, and financial need.

"Since the launch of our scholarship program in 2011, the Center for Cyber Safety and Education has provided financial aid to more than 700 students pursuing a cybersecurity career path," said Holly Schneider Brown, Center Senior Director. "We aim to remove financial barriers and foster greater diversity by providing additional pathways into the cybersecurity field." 

In addition to the financial award, the Center for Cyber Safety and Education's scholarship program provides opportunities for recipients to learn from cybersecurity professionals and past scholarship recipients and get more information about internship and career opportunities. As part of their scholarship, recipients can pursue the Certified in Cybersecurity certification exam for free through the (ISC)² One Million Certified in Cybersecurity program.

The deadline to submit a scholarship application is February 28, 2023. To complete an application and learn more about the scholarship opportunities, please visit https://www.iamcybersafe.org/Scholarships/.

**About the Center for Cyber Safety and Education** 

The Center for Cyber Safety and Education, formerly (ISC)² Foundation, is a non-profit charity formed by (ISC)² in 2011 as a means to reach the general public and empower students, parents, teachers, and members of society across all age groups and demographics to secure their online life with cybersecurity education and awareness programs. The Center breaks down barriers in exposure and access to the cyber profession and provides opportunities for underserved individuals, groups, and organizations to benefit from the commitment of (ISC)² to the profession. 

Visit www.iamcybersafe.org.

**About (ISC)²**

 (ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates, and members, nearly 280,000 strong, is made up of certified cyber, information, software, and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter, or connect with us on Facebook and LinkedIn.

Center for Cyber Safety and Education Opens 2023 Cybersecurity Scholarship Applications

Advanced workflow, approval process, and management dashboard enhance control, distribution, and supervision, while reducing errors and streamlining the entire SBOM management process.

**TEL AVIV, Israel****,** **Jan. 26, 2023** **/PRNewswire/ --** Cybellum, provider of the award-winning Product Security Platform for connected product and device manufacturers, announced today the release of version 2.22, providing enhanced SBOM management and security capabilities for the automotive, medical device, and industrial sectors. Generation of reliable SBOMs is only the first step in the process. Version 2.22 offers greater visibility for managing SBOMs via advanced workflows for approval process and management dashboards, and improved support for protecting against supply chain vulnerabilities.

Increased pressure from regulatory bodies and asset owners requires that manufacturers provide better visibility into their software components using Software Bill of Materials (SBOM). But generating SBOMs is not enough. It is only the first step for manufacturers who need to monitor and manage the multitudes of SBOMs created, now and into the future. 

"There is heightened focus on Software Bill of Materials in connected devices, especially since the Presidential Executive Order 14028 was released in May 2021, and as a result of the work that CISA and the NTIA have been doing in this area," said Eran Rosenberg, VP of Products and Strategy at Cybellum.

"But it's not enough to just create SBOMs," Rosenberg stressed."SBOMs must be managed - vetted, edited and approved - so they correctly represent the software make-up of a device. In addition, security and compliance stakeholders should be able to seamlessly share the SBOMs and support must-have use-cases for vulnerability management, supply chain security and support of product security incident response teams (PSIRT)."

Version 2.22 includes new features and capabilities for product security teams to streamline the management process including:

*   **Management dashboards** - for managing the control of SBOMs, their distribution and approval processes across product, security, compliance and management teams.
*   **SBOM approval process** - locks an SBOM for further editing, designates it as "approved" for further usage, and logs approver details in the platform's audit log.
*   **Improved Access Control** - for role-based access control with SBOM-level access permissions.
*   **Ability to track KPIs and Risk -** reveals the organization's SBOM readiness and cyber risk status, helping managers identify areas requiring immediate attention.
*   **Multiple SBOM formats** - support for managing formats including CycloneDX, SPDX, SWID.
*   **Hierarchical product configuration** \- including system, product and component level.
*   **Support for NTIA minimal elements for SBOMs** - component vendor, name, CPE, CPE aliases, version, latest version, website, reference and dependencies.
*   **Lifecycle support** - for SBOM lifecycle phase, component End-of-Life and End-of-Support.

To schedule a demo of the SBOM management capabilities, click here.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybellum Releases Enhanced SBOM Management and Compliance Oversight for Manufacturers with New Release of its Product Security Platform

New guidance seeks to cultivate trust in AI technologies and promote AI innovation while mitigating risk

**January 26, 2023-****WASHINGTON —** The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has released its _Artificial Intelligence Risk Management Framework_ (AI RMF 1.0), a guidance document for voluntary use by organizations designing, developing, deploying or using AI systems to help manage the many risks of AI technologies. 

The AI RMF follows a direction from Congress for NIST to develop the framework and was produced in close collaboration with the private and public sectors. It is intended to adapt to the AI landscape as technologies continue to develop, and to be used by organizations in varying degrees and capacities so that society can benefit from AI technologies while also being protected from its potential harms.

“This voluntary framework will help develop and deploy AI technologies in ways that enable the United States, other nations and organizations to enhance AI trustworthiness while managing risks based on our democratic values,” said Deputy Commerce Secretary Don Graves. “It should accelerate AI innovation and growth while advancing — rather than restricting or damaging — civil rights, civil liberties and equity for all.” 

Compared with traditional software, AI poses a number of different risks. AI systems are trained on data that can change over time, sometimes significantly and unexpectedly, affecting the systems in ways that can be difficult to understand. These systems are also “socio-technical” in nature, meaning they are influenced by societal dynamics and human behavior. AI risks can emerge from the complex interplay of these technical and societal factors, affecting people’s lives in situations ranging from their experiences with online chatbots to the results of job and loan applications.   

The framework equips organizations to think about AI and risk differently. It promotes a change in institutional culture, encouraging organizations to approach AI with a new perspective — including how to think about, communicate, measure and monitor AI risks and its potential positive and negative impacts.

The AI RMF provides a flexible, structured and measurable process that will enable organizations to address AI risks. Following this process for managing AI risks can maximize the benefits of AI technologies while reducing the likelihood of negative impacts to individuals, groups, communities, organizations and society.

The framework is part of NIST’s larger effort to cultivate trust in AI technologies — necessary if the technology is to be accepted widely by society, according to Under Secretary for Standards and Technology and NIST Director Laurie E. Locascio. 

“The AI Risk Management Framework can help companies and other organizations in any sector and any size to jump-start or enhance their AI risk management approaches,” Locascio said. “It offers a new way to integrate responsible practices and actionable guidance to operationalize trustworthy and responsible AI. We expect the AI RMF to help drive development of best practices and standards.”

The AI RMF is divided into two parts. The first part discusses how organizations can frame the risks related to AI and outlines the characteristics of trustworthy AI systems. The second part, the core of the framework, describes four specific functions — govern, map, measure and manage — to help organizations address the risks of AI systems in practice. These functions can be applied in context-specific use cases and at any stages of the AI life cycle.

Working closely with the private and public sectors, NIST has been developing the AI RMF for 18 months. The document reflects about 400 sets of formal comments NIST received from more than 240 different organizations on draft versions of the framework. NIST today released statements from some of the organizations that have already committed to use or promote the framework.

The agency also today released a companion voluntary AI RMF Playbook, which suggests ways to navigate and use the framework. 

NIST plans to work with the AI community to update the framework periodically and welcomes suggestions for additions and improvements to the playbook at any time. Comments received by the end of February 2023 will be included in an updated version of the playbook to be released in spring 2023.

In addition, NIST plans to launch a Trustworthy and Responsible AI Resource Center to help organizations put the AI RMF 1.0 into practice. The agency encourages organizations to develop and share profiles of how they would put it to use in their specific contexts. Submissions may be sent to \[email protected\].

NIST is committed to continuing its work with companies, civil society, government agencies, universities and others to develop additional guidance. The agency today issued a roadmap for that work.

The framework is part of NIST’s broad and growing portfolio of AI-related work that includes fundamental and applied research along with a focus on measurement and evaluation, technical standards, and contributions to AI policy.

NIST Risk Management Framework Aims to Improve Trustworthiness of Artificial Intelligence

Expect more regulatory and enforcement action in the US and around the world.

In 2022, we saw broad support behind federal privacy legislation in the US Congress. While the American Data Privacy Protection Act (ADPPA) did not see the president's pen prior to the midterms, the fact that such a bill saw a committee vote in the House — approved 53–2, with bipartisan support — and both industry and advocates promoted passage is notable. The question is no longer whether we will see federal privacy law, but when. And while the ADPPA took up much of the attention in the US in 2022, the year also brought a progressive Federal Trade Commission (FTC) launching a broad regulatory initiative, continued growth of state privacy issues in California and beyond, and the introduction of an executive order to repair the Privacy Shield program. In 2022, US privacy was searing hot.  

Last year also saw continued growth in the international realm. China's new law began to show the significant risks of noncompliance. India continued its parliamentary moves toward passage of a comprehensive data protection law. And the Europen Union saw significant traction in enforcement activity. More than 100 countries now have national privacy laws, and the field grows every day.

These trends will continue, and accelerate, in 2023. Expect more state law in the US, more regulatory and enforcement action from the Federal Trade Commission, an active enforcement environment in the EU — major cases are expected in Ireland, very soon — and continued maturity and growth around the world as privacy professionals grapple with the complexity and risk of these laws.

**Predictions for 2023**

2023 will be a turbulent year in privacy. Economic headwinds and disruption in the tech industry may give rise to calls for additional privacy protections and stronger enforcement. M&A activity may highlight the fact that corporate privacy policies may be modified or ignored when competing interests take priority. Data transfers will still be a central concern, with the EU assessment of adequacy for the updated Privacy Shield emerging early in the new year.

Here are a few key trends to watch:

*   **Tighter budgets, but an even tighter talent pool.** Privacy leaders will struggle with two competing themes. On the one hand, privacy budgets, like all expense lines in organizations, will feel the pressure of recessionary forces in the global market. Privacy leaders will need to do more with less in many cases. Conversely, the talent shortage in the privacy field will continue to get worse with experienced privacy pros commanding greater salary levels and poaching of top talent across the field.

*   **Who's your data privacy officer (DPO)?** The EU Data Protection Board has announced that the appointment and role of the DPO under the General Data Protection Regulation (GDPR) will be a shared enforcement priority across the EU for 2023. Now is a good time to make sure that: (1) you have a DPO; (2) you have registered them appropriately with your DPA; (3) they are adequately trained, experienced, and resourced for the job; (4) they have independence in their duties; and (5) they have access to the top levels of management. Expect more from the European Data Protection Board (EDPB) guidance too. We may see expectations emerge around proper qualifications, independence, and conflicts within the DPO role.

*   **Something old, something new.** New laws take up much of our focus in the privacy field, and rightly so. The American Data Privacy Protection Act (ADPPA), Brazil's General Data Protection Law (LGPD), and China's Personal Information Protection Law (PIPL) all present new compliance complexity for privacy pros. But do not lose sight of the number of laws that are being updated, even overhauled, around the world. Canada, Australia, New Zealand, and more have completed or initiated major reform of their existing privacy laws. These changes can be just as consequential as a new law.

*   **Enforcement risk and creativity.** Often, we focus on the monetary size of an enforcement action. But there are other enforcement tools available to regulators around the world. Watch for the rise of executive liability (sometimes criminal!), data disgorgement, and board oversight obligations as regulators look to change corporate behavior. These tools undoubtedly change the risk profile for privacy and may elevate attention to the highest levels in organizations.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading