Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

What secrets might be released with a quick peck under the combination lock? For that we need a cybersecurity-related caption. Here are four convenient ways to submit your ideas before the Jan. 11, 2023, deadline.

*   Email _\[email protected\]_ with the subject line "Dark Reading December Toon."
*   Via social media: Twitter, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address_._)

**Last Month's Winner**

We had many excellent caption contenders for last month's "Fall Cleanup" contest. (Thanks to all who participated.) But since we had to pick a favorite (below), congratulations go to Dark Reading reader "Rita." A $25 gift card is on the way.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Kiss and Tell

Trend Micro will be joining Google's App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store.

Google has announced Trend Micro will be joining their App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store. Trend Micro will be pre-scanning apps utilizing our Mobile App Reputation Service (MARS). We’re proud to be asked to support this alliance and join the other members who are part of this program which supports Trend Micro’s mission to make the World safe for exchanging digital information.

MARS, was initially developed and launched in 2012. protects our mobile customers by supporting a reputation service that checks any apps on their mobile devices. This uses a process whereby a query is sent by the customer to MARS, which then responds with a detection of whether the app is good, bad, or unknown. If unknown, we utilize threat intelligence to quickly make a determination. MARS received over 47 billion queries in 2021, resulting in 37 million malicious app detections. As of September 2022, MARS has received over 36 billion queries and made 27 million detections.

Trend Micro mobile researchers are regularly publishing articles and reports on mobile threats to help people better understand what this threat landscape looks like. Trend Micro will continue to invest in our research and development both in human capital and technology like artificial intelligence and machine learning to improve the mobile ecosystem. As one of the largest pure cybersecurity vendors in the world, this investment and focus allow us to protect both our partners like Google and our customers from cyber threats targeting them.

As more and more consumers rely on their mobile devices and the apps installed for everyday work and play, this partnership will ensure they are protected from malicious actors around the world. Trend Micro looks forward to a long partnership with Google.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Trend Micro Joins Google’s App Defense Alliance

DoJ charges allege they hacked into the taxi dispatch system for profit, selling the ability for cab drivers to skip the line for picking up a fare at JFK terminals.

Two Americans have been indicted for hacking the New York taxi industry.

With the help of two Russian nationals, Daniel Abayev and Peter Leyman are accused by the Department of Justice and the Port Authority of New York and New Jersey of breaching the John F. Kennedy International Airport taxi dispatch system and selling slots to cabbies who wanted to skip to the head of the line to pick up the next airport fare.

New York cabs at JFK airport are required to wait in a holding lot, and line up and pick up the next fare in the order they arrive.

During their intercepted text messages with the Russian nationals, Abayev asked the hackers, "I know that the Pentagon is being hacked, so why can't we hack the taxi industry?"

The DoJ alleges the two, over the course of their fraud, used their unauthorized access to the JFK taxi dispatch to help as many as a 1,000 taxis a day skip the line.

“As alleged in the indictment, these two defendants — with the help of Russian hackers — took the Port Authority for a ride," US Attorney Damian Williams said about the indictments. "For years, the defendants' hacking kept honest cab drivers from being able to pick up fares at JFK in the order in which they arrived."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

'Russian Hackers' Help Fraudsters Hijack JFK Airport's Taxi Dispatch

**Woburn, MA – December 21, 2022 —** According toresults shown by the latest statistics from participantspassing Kaspersky Expert Training courses, the most desired skill IT security professionals wanted to advance in 2022 is the ability to reverse engineer malware.

According to the Burning Glass report, the number of new cybersecurity programs is rapidly growing, but demand for cyber professionals is growing faster and outstripping the supply of skilled workers, as companies now pay more attention to their cybersecurity than previously.

Kaspersky has launched Expert Training, a series of courses for those who want to advance their IT security skills and take them to the next level by learning how to identify threats quicker and with less effort.

Statistics from these training sessions reveal more than 45% of learners were interested in improving their reverse engineering skills demonstrated by beginners and advanced specialists wanting to enhance their knowledge. There was also high demand for Yara rules training, with almost 28% of students enrolled. Additionally, 27% of learners signed up for courses related to incident response, malware analysis, and product security assessment.

Kaspersky Expert Training Portfolio includes eight different programs aimed at InfoSec professionals wanting to improve their skills, and leading managers looking to invest in their SOC & incident response teams. In 2022, more than 2,000 people worldwide enrolled on Kaspersky’s courses, gaining solid knowledge and practical field experience. In total, more than 22,000 hours of hands-on training were spent in virtual skill labs.

“With a constantly evolving threat landscape, it’s vital for IT security specialists to keep their skills up-to-date,” said Victor Chebyshev, lead security researcher at Kaspersky. “Our expert course authors understand how best to handle the threats posed by the malware samples we encounter every day, and they share that knowledge with those doing battle with the evolving dangers of today’s cyber-realities. We do our best to prepare qualified specialists with high-level expertise and help companies best meet their demand for professionals with necessary credentials.”

To learn more about Kaspersky Expert Training, please visit the website.

Kaspersky Research Finds Reverse Engineering Is the Most On-Demand Skill Among InfoSec Specialists

The first step toward securing Kubernetes environments is understanding the risks they pose and identifying the ways in which those risks can be mitigated.

_Editor's note: For more tools and techniques for securing Kubernetes, read our_ _companion article_ _in the DR Tech section._

A few short years ago, not many people had heard of the word "Kubernetes." Today, the open source container tool is becoming increasingly ubiquitous, with a rapidly growing number of businesses using Kubernetes to facilitate a more streamlined and scalable application development process. But as its convenience and scalability lead to greater adoption, protecting Kubernetes environments has become a challenge. Security and IT leaders who want to keep their Kubernetes environments secure must be aware of the three primary classes of risk they face — and how to mitigate them.

**Class 1: Accidental Misconfigurations**

Thus far, accidental misconfigurations have been the most common form of Kubernetes risk — the one most security experts are likely to be familiar with. Misconfigurations can occur anytime a user does something that unintentionally introduces risk into the environment. That might mean adding a workload that grants unnecessary permissions or accidentally creating an opening for someone from the anonymous Internet to access the system. Kubernetes is still relatively new to many, which means it can be easy to make mistakes.

Fortunately, there are several ways to mitigate misconfigurations. Just about everything that happens in Kubernetes automatically produces an audit log, and security teams can monitor those logs for anomalous signs. Many businesses do this by sending the logs to a security information and event management (SIEM) platform, which can identify predetermined signs of misconfiguration. Additionally, tools (both paid and open source) are available that can be used to scan your Kubernetes environment for best practice violations. Once the problem is identified, an alert can be sent to the appropriate party and the problem triaged.

**Class 2: Software Supply Chain**

The most common way software ends up running in Kubernetes is via deployed container images. Those images are deployed to Kubernetes for distribution across the environment, which makes them an ideal target for attackers. In today's world, businesses rely heavily on third-party software with code they didn't write — and anytime a business introduces outside code into its environment, risks are involved. If a compromised image is introduced, that image may proliferate throughout the environment, distributing malicious code wherever it goes.

Thankfully, controls can help. It's always better to identify compromised code _before_ it enters the system rather than remediate it afterward, and consumers can seek out developer security platforms and other solutions capable of scanning code and images to look for signs of malicious code and prevent it from being deployed. That said, it's impossible to prevent everything, which means continuous monitoring at runtime is also important. Keeping an eye out for suspicious behavior or code that comes from an unknown source can help identify potential security threats before they have a chance to escalate.

**Class 3: Active Attacker Compromise**

This type of threat gets the most attention because it's the "flashiest," but, in reality, it's the least common. Yes,  the threat of an attacker specifically working to compromise a business' Kubernetes environment always exists. For now, these instances are rare, but that is likely to change as businesses continue to adopt Kubernetes. There are a number of ways attackers have found success targeting Kubernetes environments. Cross-site request forgery (CSRF) attacks involve convincing an application to make a request on the attacker's behalf, while remote code execution (RCE) attacks convince an application to run a command of the attacker's choice. In both cases, the target is commonly credential data, which the attacker can then use to grant themselves additional access to the environment.

Avoiding this class of risk often boils down to ensuring your software and infrastructure follow security best practices and monitoring to catch potential vulnerabilities. Developer security awareness and education are useful tools, but it's also important to reduce the opportunity for error with security controls — your environment should never be one mistake away from a serious vulnerability. Fortunately, controls are improving. Cloud security posture management (CSPM) tools and static analysis tools can help flag and prevent vulnerabilities before they are deployed. It's also crucial to have visibility and monitoring at runtime to detect issues that slip through the cracks. This can be accomplished by monitoring audit logs and installing container security solutions to detect when something goes wrong at runtime.

**Understand — and Mitigate — Kubernetes Risks**

Kubernetes is still relatively new, but its usefulness has driven rapid adoption. This is great for the developers who use it, but it poses an undeniable challenge for security and IT teams scrambling to keep up. The first step toward securing Kubernetes environments is understanding the risks they pose and identifying the ways in which those risks can be mitigated. With security lagging behind adoption, attackers are beginning to view Kubernetes as an attractive target — and businesses using Kubernetes need to avoid making themselves easy prey.

Understanding the 3 Classes of Kubernetes Risk

The open source container tool is quite popular among developers — and threat actors. Here are a few ways DevOps teams can take control.

_Editor's note: For more about the kinds of vulnerabilities Kubernetes presents and how to address them, read our_ _companion article_ _in The Edge._

Since its initial release in 2014, Kubernetes (aka K8s) has become the standard open source container tool for managing software applications. Kubernetes is cost-effective, offers autoscaling, and can run on any infrastructure. Its benefits are why 85% of IT leaders consider Kubernetes "extremely important" to cloud-native strategies. On top of this, 61% of people use Kubernetes to manage their computer application deployment.

Funso Richard, information security officer at Ensemble, tells Dark Reading that "forward-thinking organizations understand the importance of leveraging containerized microservices to develop scalable and reliable applications as an essential digital transformation strategy" — and Kubernetes has become the leading tool used to achieve this strategy, he adds.

However, Kubernetes also comes with security challenges: It's susceptible to data theft, computational power theft, and denial-of-service (DoS) attacks. Kubernetes' public components (such as kubelets and API authentication) are widely exploited. And threat actors target infrastructure misconfiguration, unpatched software programs, and poor login credentials to gain unauthorized entry to Kubernetes. The vulnerabilities are also widespread. According to Red Hat's "2022 State of Kubernetes" security report, 93% of Kubernetes users experienced at least one security incident in the past 12 months.

As DevOps teams continue to grapple with rising Kubernetes security mishaps, here are a few ways to stay ahead of attackers and keep cloud-native environments secure.

**Securing Kubernetes With Tools**

Kubernetes' security vulnerability affects its efficiency. For instance, concerns over Kubernetes security caused developers to delay application rollouts in 2022, according to Red Hat. Although Kubernetes provides several benefits in application development and container orchestration, says Richard, inadequate security controls expose the open source tool to serious security concerns like misconfiguration, privilege abuse, data exfiltration, credential compromise, exploited public-facing components, and API vulnerabilities. To address these, several Kubernetes security tools have sprung up, including Kubescape, Kube-bench, Kubeaudit, Kube-hunter, and Kyverno.

Kubescape is an open source security platform from ARMO to protect Kubernetes clusters with capabilities such as risk analysis, security compliance, misconfiguration scanning, CI/CD security, RBAC visualizer, and vulnerabilities scanning. One thing that sets Kubescape apart is its library of robust capabilities that aligns with MITRE ATT&CK and NSA-CISA frameworks, says Richard.

"As I track Kubernetes security offerings — both commercial and non-commercial offerings — I haven't come across another offering with the same exact components as Kubescape," agrees Fernando Montenegro, senior principal analyst of cybersecurity infrastructure at Omdia.

Kubescape scans clusters, YAML files, and Helm charts for vulnerabilities either directly or via CI/CD integrations. The idea of scanning infrastructure-as-code (IaC) templates is well-popularized across the industry, says Montenegro. Most IaC scanning is done for cloud resources like Amazon's CloudFormation, HashiCorp's Terraform, and others, with Kubernetes scanning being a more specialized use case, he adds.

There are other offerings in the market — like Red Hat's StackRox (acquired in 2021), Tenable's Terrascan, and Palo Alto Networks' Checkov — offering similar capabilities as Kubernetes.

**Implementing Best Security Practices in Kubernetes**

Richard notes that adherence to cybersecurity fundamentals remains the bedrock of any security effort. While Kubescape is undoubtedly a powerful Kubernetes security tool, he believes developers can effectively secure their Kubernetes clusters by following the basics: implementing proper cluster configuration, pod security standards and policy enforcement, network segmentation, vulnerability scanning, periodic policy reviews, and security audits. "Containers should run with the least privileges and only necessary services, while role-based access controls should be in place to manage user access," Richard says.

While Montenegro says there are several Kubernetes best practices for DevOps and DevSecOps teams to follow, he notes that the following practices must be top on their priority list:

*   **Think about security early on:** Collaborate with your developers/architects to work through a proper threat modeling.
*   **Work with embedding security throughout the application lifecycle:** Security is an end-to-end process, from providing on-the-spot security advice and functionality for a developer working through the code in their development environment, through making sure security tests are part and parcel of the integration stages, then adding the necessary runtime protections to monitor workloads in production.
*   **Safely store Kubernetes secrets:** Implement features like proper namespace separation, use of role-based access control (RBAC).

As Kubernetes grows in adoption, IT teams can avoid security pitfalls by using tools like Kubescape and StackRox, as well as following the best security practices for securing their critical Kubernetes assets.

How to Run Kubernetes More Securely

The malware has resurfaced, using an icon and name similar to the legitimate Google Play app MYT Music, a popular app with more than 10 million downloads.

A type of Android malware that's been targeting banking users worldwide since March has resurfaced with advanced obfuscation methods, masquerading as a legitimate application on the Google Play store with more than 10 million downloads, researchers have found.

Godfather is a banking Trojan that is best known for targeting banking users in European countries, but its latest activity shows an increased sophistication in its ability to fly under the radar of common malware-detection methods, researchers from Cyble Research & Intelligence Labs (CRIL) said in a blog post on Dec. 20.

Once it's successfully installed on a victim's device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, the researchers said. But it also steals sensitive data such as SMSs, basic device details — including data from installed applications — and the device's phone number, and it can perform a number of nefarious actions silently in the background.

"Apart from these, it can also control the device screen using VNC \[virtual network computing\], forwarding incoming calls of the victim's device and injecting banking URLs," the Cyble researchers wrote.

The latest sample of Godfather that researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic of the threat actors behind the malware, the researchers said.

**Targeting Businesses & Consumers**

Upon further examination, the researchers found that the malware was using an icon and name similar to the legitimate Google Play app MYT Music, which already has logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google's best efforts in the last several years to keep bad apps off its store before users are affected by it.

MYT Music was written in the Turkish language and thus researchers assume the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect other versions of the malware continue to be active and targeting banking users worldwide.

Though banking Trojans tend to affect consumers more than the enterprise, business users are still at risk because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, enterprise users should be especially wary of downloading apps from the Internet or opening any links received via SMS or emails delivered to a mobile phone, the researchers said.

Google Play has removed the app, but those with it installed are still at risk.

**How Godfather Pulls Victims' Strings**

Once it's installed on an Android device, Godfather requests 23 different permissions from the device, abusing a number of them to gain access to a user's contacts and the state of the device, as well as information related to the user account. It also can write or delete files in external storage and disable the keylock and any associated password security, the Cyble researchers said.

Godfather can successfully do money transfers from a hacked device through its ability to initiate phone calls through Unstructured Supplementary Service Data (USSD) that don't require use of the dialer user interface, and thus don't need the user to confirm the call, they said.

The malware also extracts sensitive user data from the device — including application key logs — that can be sent back to a command-and-control (C2) server, which also sends Godfather a command that forwards any incoming calls the victim receives to a number provided by the threat actor, the researchers said.

Godfather then harvests credentials: It creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages via a separate command from C2, the server URL of which is from a Telegram channel, hxxps://t\[.\]me/varezotukomirza, the researchers said.

Once it completes its malicious activity, Godfather receives a "killbot" command from C2 to self-terminate, they added.

**Avoiding Being Whacked by Godfather**

The most common way to avoid downloading mobile app malware is to download and install software only from official app stores such as Google Play or Apple, the conventional wisdom goes.

However, as this instance proves, malware can lurk in official app stores too, so "practicing basic cyber-hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices," the researchers noted in the post, including using a reputable antivirus and Internet security software package on connected devices to ensure anything downloaded is free from malware.

Also, advanced anti-detection methods like the ones the threat actors behind Godfather are using can make even downloading what look like legitimate apps tricky, they said. To further protect themselves, users can utilize strong passwords and enforce multifactor authentication on devices wherever possible, making it more difficult for threat actors to crack into their accounts. 

Android device users also should ensure that Google Play Protect is enabled on their devices for further security protection, the Cyble researchers added.

All mobile device users also should enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device and using apps, where possible, and be especially careful when enabling permissions on devices, especially if an app has not been verified by a reputable provider, they added.

Godfather Banking Trojan Masquerades as Legitimate Google Play App

Employee education, biometric and adaptive authentication, and zero trust can go a long way in strengthening security.

Bzz, bzz, bzz…  

Like a fly buzzing around your head at 3 a.m., persistent requests from multifactor authentication (MFA) fatigue attacks are keeping security professionals awake at night. However, while silenced phones may help individual users sleep a bit better at night, security professionals are having cyber\-breach nightmares.  

MFA fatigue, also known as an MFA bombing attack, is a type of social engineering scheme where a cybercriminal sends multiple MFA requests — sometimes in the dead of night — in the hope of frustrating a legitimate user. In response, this user may turn off MFA, thinking it's malfunctioning, or the cybercriminal may impersonate a support employee and request the code they need to enter the user's account.  

In the case of the Uber breach this fall, the hacker group Lapsus$ employed the latter strategy. Putting their acting skills and persistence to the test, hackers stole an Uber contractor's credentials and then faked their way into jumping the last barrier protecting Uber's internal systems: a flimsy MFA text code. 

Security professionals can learn a lot from this cyber event and make several changes to their own company's policies to shore up their defenses. 

**MFA Tokens Are Not the Be-All, End-All**

Unfortunately, biometric authentication is as close to absolute as we're going to get. Fingerprint and facial recognition are — as of now — very difficult to replicate. Corporate security teams must encourage all employees to enable biometric authentication to every device and system that supports it. Even the savviest user can fall for phishing attempts, as they become more sophisticated by the day. Large US companies lose about $14.8 million annually to phishers. (In 2015, this figure was $3.8 million.)

To protect company coffers, in addition to valuable company information, it's best to filter out as many phishing attempts as possible with software; however, the onus is still partially on users. 

**Rely on Additional Security Measures Over MFA**

Leave it to cybercriminals to make security professionals rethink what they previously regarded as unbreachable. These days, it's crucial to rely on much more than MFA tokens (and even biometric authentication) alone to keep company systems safe from hackers. Alternatives include rotating access keys, only enabling the absolute minimal privileges, and sticking closely to zero\-trust policies company wide. Additionally, adaptive authentication, a security protocol that asks for additional identity authentication steps depending on the situation and the user, can further strengthen entry points.  

Zero\-trust and adaptive authentication are especially helpful in safeguarding an organization's most sensitive platforms. However, all it takes is for one slip-up or lapse in judgment to let a cybercriminal waltz right into a company's IT ecosystem. How can security teams defend against those? 

**Proactive Threat Prevention Is Optimal**

Proactive detection and real-time response are the best ways for organizations to prevent cyber threats. One step better is to combine prevention and resolution under one platform. A single pane of glass gives teams a holistic, real-time view that's essential in protecting workloads without friction. Malware, ransomware, zero\-days, fileless attacks, advanced persistent threats and more phishing schemes than anyone can count are constantly circling, waiting for someone in an organization to make a mistake. A cyber\-protection solution can squash a threat before it causes a leak.  

**A Delicate Security Balance**

While security teams may be hasty to pile on every additional security measure in existence to supplement MFA, they must not compromise too heavily on convenience. The more inconvenient and time consuming something as simple as logging in is, the more likely it is that employees will cut corners.

It's a delicate balance and a difficult one to strike. Comprehensive employee education, biometric and adaptive authentication, and zero trust can go a long way in strengthening your security perimeter. Partnering with a centralized data protection, cybersecurity, and an endpoint management solution can be the extra peace of mind IT leaders need to sleep soundly.

Why Security Teams Shouldn't Snooze on MFA Fatigue

Automating your defenses can bring good tidings of great joy.

_CRON rest ye merry user base; let nothing you dismay!__Remember that the spam filter still works on Christmas Day!__To save us all from scammers' pow'r when we're still on vacay.__O tidings of comfort and joy.__Comfort and joy!__O tidings of comfort and joy._

It's the holiday season, and even the most naughty cybersecurity engineer deserves a little break! Yes, even you, little Timmy. I know you work in the retail sector and this is your busiest time of year, but there are ways to maximize your chances of a happy, peaceful holiday with friends and/or family.

What is this magical methodology that mutes malicious madmen? I'm glad you asked! Please sing this with me, to the tune of Handel's "Hallelujah Chorus."

_Au-to-ma-tion!__Au-to-ma-tion!__Automation.__Automation.__Auto-ma-a-ation!_

That's right: If you want to tip the scales in your favor this holiday season, you have to let the good bots fight the evil bots. No, we're not talking about the evil robot Santa from "Futurama." We're talking about practical cybersecurity preparations that might just save the holidays!

**Making Sure New Accounts Are on the Good List**

Anyone who isn't in B2B is likely to experience an uptick in new account creation during the holiday season. Whether it's because people want to order something from your website or because they simply have more time on their hands during the holidays, new sign-ups aren't exactly uncommon. There will also be people taking advantage of New Year's sales, spending last year's departmental budget while they still can, and registering the warranties on gifted products.

Sadly, that means this time of year is also perfect for anyone creating illicit accounts if they want to be lost in the shuffle. Why is that? Because the sheer volume of new account creation prohibits manually checking each one, at least in medium to large enterprises that experience high volumes around this time.

That's why many naughty little bots pick the holiday season to create a massive number of accounts. They might not _do_ anything with them, at least not for a while. But you don't want all of these accounts sitting around and maturing if it means they can be used in a variety of other attacks down the line.

So before you clock out for the last time in December, make sure your automated account validation services are running properly! Lack of diligence now can burn you in the months to come. Run some tests, make sure that bots are being caught when they make a new account, and double-check the associated logging and reporting functions. If you need help with this, fake account creation detection, alerts, and reporting tools can keep you covered until you get back into the office.

**Keeping Inventory Numbers Accurate for Santa**

Your little elves have been working hard to build up an inventory that will survive the holiday rush. It would be a shame if a mean-spirited competitor or hacker invalidated all of their efforts by messing with your system.

But that's exactly what can happen, and the holidays are the perfect time to execute such an attack. With online carts and real-life fulfillment centers already seeing a ton of action, all it takes is one bad actor with a botnet to ruin the holiday season for a whole lot of people.

The way a botnet can mess with your inventory is via a stockout, also called a denial-of-inventory attack. Fraudulent orders are put on the books to reserve products, only to have the orders canceled after the holiday rush is over. Alternatively, the cancellations and reorders can come in waves, only to end with mass cancellations.

These days, stockout detection is vital. Even in a service-based industry, bots creating meetings or appointments that waste the sales team's time can be an absolute nightmare. **Make sure that the automation is up and running, and test it** before you leave for the holidays.

**Putting Coal in Ad Fraudsters' Stockings**

If you're like most companies, December and January distribute the lion's share of your ad budget. Throwing your hat into the ring for the holiday season is critical to many businesses and can significantly impact how the next 12 months go.

But certain Grinches out there will use your increased ad spend as an opportunity to steal everything they can. Much like the new account fraud crowd, these thieves are hoping that increased legitimate activity will provide cover for their more nefarious activities during the holiday season.

Fake impressions pushed out by the millions can rapidly burn through your holiday ad budget, leaving you running on empty, out of leads and sales. Meanwhile, the metrics of your ad campaigns look great, giving you false positives without producing real results. It's a double betrayal: You've been robbed _and_ you don't even know whether your ads would have been effective under normal circumstances.

The holiday season is ripe for programmatic ad fraud. If you don't have an antifraud system that covers this aspect of your business, you'll want to rectify that as quickly as possible.

**Other Tips Before You Close Up Shop**

The week prior to closing up for the holidays, you should run an analysis of seasonal false positives from holidays past. If you know that you're going to get hit with false positives, make sure that you have a decent idea of what those impressions look like. If you can create more accurate filtering that will catch the bad guys but allow you to sleep in on Boxing Day, you should put that work in before you take off for the year.

Lead generation fraud isn't limited to traditional ad campaigns. Social media click fraud is rampant this time of year. Make sure that your automation covers all of your social profiles, including business profiles such as LinkedIn; otherwise, reputational damage might set in before the social team returns after the holidays.

One thing people tend to forget is smart building access control. Targeting people who are on vacation with everything from biometric access fraud to impersonation attacks is common during the holiday season. With so many people on vacation, physical security is naturally more lax. So make sure to contact your smart building security provider and optimize your building's settings for the end of the year.

**The Gift of Automation**

Cybersecurity is typically the last thing on the minds of most people who are rushing out of the office at the end of the year — sometimes including even cybersecurity professionals! Automation is the answer. It's a great stress reducer because you can set up automated defenses once and permanently enjoy increased security. And everyone needs that, particularly during this time of the year.

So relax. Enjoy the tree, the lights, the music, and the people who surround you, secure in the knowledge that somewhere out there, a good little bot is looking out for you.

Happy holidays!

Give Yourself the Gift of Secure Holiday E-Commerce

Lower cybersecurity awareness coupled with vulnerable OT gear makes manufacturers tempting targets, but zero trust can blunt attackers’ advantages.

Everyone in information security knows ransomware actors target different industries for different reasons. Some are seen as flush with cash. Some have obvious reasons for needing to resume operations ASAP. Others are just widely recognized as poorly protected.

But did you know that manufacturers pay the highest ransoms of any vertical?

A recent report spelled it out in stark detail. Across all industries, the average ransom paid is a hefty $812,360. Yet for manufacturing, that average skyrockets to a stunning $2,036,189 — about two and a half times the average.

Attackers prefer easy, weak targets as a rule. So what is it about manufacturing that qualifies such organizations as easy or weak?

First, it’s worth asking whether manufacturers are targeted more often, or if they just happen to fall victim more frequently due to inherent factors like outdated tech or lack of cybersecurity awareness. The next interesting question is why they tend to shell out sums so egregiously above what organizations in other verticals do.

As a chief information security officer (CISO) with years of experience leading cybersecurity operations for a global manufacturer, I have some immediate explanations in mind. Here are some of the factors that inevitably contribute:

*   Manufacturers typically have slim profit margins and rely on steady productivity to compensate.
*   Manufacturers know they won’t make much profit on any one iteration of manufactured goods, so high volume is necessary to hit business targets over time. But high volume requires regular output, uninterrupted by slowdowns or complete outages.
*   While organizations in industries with fatter margins might be able to tolerate an extended outage, manufacturers typically can’t. The result is exceptional pressure on manufacturers to pay ransoms and pay them quickly. That’s why attackers, conscious of all this context and the leverage it gives them, may feel emboldened to charge higher ransoms than they would in other industries.

**Manufacturing Suffers From Low Cybersecurity Awareness**

Many factory workers don’t routinely use IT gear like desktop computers, laptops, or tablets. Some may not even have corporate-issued email addresses. Additionally, very few have received extensive training on current cyber threats, and as such, wouldn’t know how to recognize, react, or, report them to their IT team once they’re spotted.

Think of the most standard, low-hanging fruit of cybersecurity awareness training: the phishing simulation. Even if email addresses are provided (far from a given, especially in manufacturing facilities in the developing world), it’s simply unreasonable to expect employees to develop an understanding of the attack chain that may lead from a phishing email to a compromise by a ransomware actor.

These factors increase an organization’s total attack surface. They make the manufacturer more apparent to attackers and more likely to fall prey to attacks if they appear.

**Manufacturing Data Can Be Extraordinarily Valuable**

Imagine that a drywall manufacturer has a unique proprietary method for creating drywall that dries quickly and can be rapidly shipped on demand, yielding a competitive advantage. This type of intellectual property, once compromised, can easily be held for an exceptionally high ransom, because the entire business model would be in jeopardy if it were to leave the company.

Similar concerns can apply to data involved in market timing. Suppose a clothing manufacturer planned to release a new line in the spring based on a combination of colors its market research found would be in high demand. The company may have orchestrated its entire spring-season marketing and supply chain ordering on that basis. Attackers could hold such information for a substantial ransom, because if it were given to competitors, those competitors may get to market first with a competing product, raking in all the expected benefits.

Operational technology (OT) used by manufacturers typically involves many assets (pumps, generators, turbines, etc.) that are on the IT infrastructure — and thus accessible to attackers — yet difficult to patch or secure. Sometimes, even if an asset can be secured, only its manufacturer can secure it without voiding the asset’s warranty.

Being outdated and insecure doesn’t always make them less valuable to the organization, however. Many times, these are legacy systems are required for a basic function, with no adequate substitute available, so the organization continues using them. Attackers often take advantage in such cases to maximize their leverage in charging ransoms.

Suppose an attacker is interested in compromising a Fortune 500 bank. If that bank is a client of a manufacturer whose security is less sophisticated than the bank’s, attackers could use the manufacturer as a stepping stone.

Additionally, manufacturing organizations often simply don’t realize how many third parties (partners, clients, suppliers) can access their networks and data. They may grant network privileges too easily, and in many cases, those privileges give unrestricted access instead of being limited to just the assets required for business purposes.

**Better Security Is Available Today**

I know from experience that manufacturers can significantly reduce their attack surface by adopting zero-trust principles. In turn, this makes it less likely that attackers opportunistically probing the open Internet for weaknesses will discover the organization.

If the organization is discovered, zero trust eliminates an adversary’s ability to move laterally across a network, where they could discover the sort of valuable data that would give them leverage over their target.

Adopting a zero trust approach helps an organization to:

*   Rigorously validate the identity of all participants in a network transaction

*   Obscure from the public Internet the true IP addresses of all assets at any manufacturing facility (or combination of them) via a buffering service

*   Segment the network and support application microtunneling, limiting any possible access by attackers

*   Apply identical policies to public clouds and remote workers, with the ability to scale automatically over time as the network topology changes

These and other techniques, once implemented, can help manufacturers reduce the risk of a breach, lessen their exposure should a breach occur, and minimize the business impact of any successful attack. Best of all, they will help manufacturers hang on to more of their hard-earned profits.

Read more _Partner Perspectives_ from Zscaler

Source

DARKReading