Effective customer data management helps companies avoid data breaches and the resulting cascade of issues. From validating "clean" data to centralized storage and a data governance strategy, management steps can help keep data safe.

Did you know that over 83% of companies experience data breaches because of inaccurate data management?

Data breaches can cause serious issues, such as information leaks, file corruption, and stolen property.

**Effective Data Management Steps**

The good news is that you can avoid all those issues with proper customer data management. Here's what you need to know about effective customer data management for keeping your business safe, secure, and profitable.

**1\. Keep Data Clean**

One factor of misinformed decisions involves something called dirty data. To get a better idea of what dirty vs. clean data looks like, we've broken things down in the table below:

**CLEAN DATA**

**DIRTY DATA**

*   Complete records for a corresponding database

*   Comes from the people and the system

*   Any information that's unique, valid, and accurate

*   Inaccurate, inconsistent, and duplicated data

*   Readily accessible

*   Mistaken information during data recording

Keeping data clean includes validating and updating email addresses, home addresses, and phone numbers as needed. It also involves deleting obsolete contacts and removing any duplicated data.

Data cleansing can also involve the following:

*   Performing a data audit;
*   Establishing customer data centralization across departments instead of silos; and
*   Following a consistent company data format.

When you do all these, you're enhancing your data's current value. Having clean data within your organization ensures no miscommunications or missed opportunities when interacting with current and potential customers.

**2\. Centralize Your Data Storage**

Data storage centralization focuses on keeping data in a single location to help streamline processes and prevent inaccurate or incorrect data.

Centralizing your data storage also promotes better control and mobility of the information, enhancing your business' overall workflow and boosting efficiency.

Also, having a single data storage system allows quicker and easier maintenance. Imagine running multiple storage systems with different nodes — this makes it difficult to locate the problem whenever a failure occurs.

Finally, centralized data storage systems are easier to safeguard. In contrast, distributed storage systems become more vulnerable and difficult to analyze once a data breach occurs.

Here are a few examples of data storage that you can implement:

*   **On-premises storage:** A local data center set up in your physical office.
*   **Cloud storage:** Involves maintenance by a service provider and an internet connection for easy access.
*   **Hybrid cloud storage:** Combined on-premises and cloud storage, giving you more flexibility.

**3\. Implement Data Sharing**

Data sharing is a give-and-take process that involves various departments gaining access to the company's data.

Implementing data sharing can help the company's data and analytics personnel access the data they need when they need it. This results in better analytics strategies for the business's enhanced digital transformation.

When companies allow data sharing, they also improve efficiency. This is because more employees can access the information they need, speeding up the workflow.

Of course, when implementing data sharing, you must ensure you're doing so carefully. Otherwise, you can easily run into data breach issues. And, of course, informing customers of data breach issues is never fun.

So, use trusted and encrypted data-sharing systems that allow you to transfer information among users safely.

**4\. Create a Data Governance Strategy**

Data governance is another important part of data security and proper management and organization of information.

Essentially, it refers to managing the integrity, usability, accessibility, and security of your company's data.

Creating a data governance strategy also ensures all employees have the same goal for managing your company's customer data.

The three main parts of an effective data governance strategy include:

*   **Alignment:** Standardizing step in customer data collection across all departments.
*   **Validation:** Confirmation that data collection is performed correctly.
*   **Enforcement:** Changes in data collection should pass through the right channels.

The goal of a data governance strategy is a data dictionary, or a tracking plan. It should explain each piece of data collected, its owner, and the purpose of its collection.

**5\. Back up your data**

Roughly 58% of small businesses haven't considered backing up their data. This is a big problem because if that data gets corrupted or goes missing, those businesses won't have a way of restoring it.

One key method of managing your customer data relies on backing it up. A backup protects your business against data leaks, lost data, corrupted data, and other loss-related issues.

The three most common backup methods are:

*   **Full backup:** Which copies all your data in storage.
*   **Incremental backup:** Copies all the changed data since the last backup.
*   **Differential backup:** A full backup at first that later switches to incremental during the succeeding updates.

Any of these methods can help protect your customer data against any type of loss.

**Best Practices**

Effective customer data management helps protect customer privacy and prevent internal and external communication. It can prevent serious issues such as information leaks and data corruption.

A good data management strategy should involve centralized data storage, data sharing, and data governance, clean data, and regular backups.

By implementing these best practices, you'll be able to protect your company's data while ensuring your customers stay confident in your business's reliability.

Compliance Is Not Enough: How to Manage Your Customer Data

Accelerating security challenges and the increasing footprint of edge and IoT devices call for zero-trust principles to drive cyber resiliency.

As businesses ramp up their adoption of edge and Internet of Things (IoT) infrastructure, security risks that already challenge IT organizations stand to become trickier than ever. The distributed nature of edge devices, the scale of IoT, and the limited compute capacity of devices at the edge heap on added difficulties to the increasingly shaky traditional security practices of yesteryear. In the era of edge, it simply won't be feasible anymore to cling to the castle-and-moat security tactics that practitioners have held on to for probably a decade too long as it was.  

Zero-trust principles are going to be key to meeting the security challenges of today and tomorrow — and fundamental to that will be architecting secure server hardware that stands at the bedrock of edge architecture.

**The Challenges Calling for Zero Trust**

Edge and IoT notwithstanding, security threats keep growing. Recent statistics show that global attack rates are up by 28% in the last year. Credential theft, account takeovers, lateral attacks, and DDoS attacks plague organizations of all sizes. And the costs of cybercrime keep ticking upward. Recent figures by the FBI's Internet Crime Complaint Center (IC3) found that cybercrime costs in the US topped $6.9 billion, up dramatically from $1.4 billion in 2017.

Throwing transformative technology architectures into this mix will only exacerbate matters if security isn't baked into the design. Without proper planning, securing assets and processes at the edge becomes more difficult to manage due to the rapidly proliferating pool of enterprise devices.

Market stats show that there are already more than 12.2 billion active IoT and edge endpoints worldwide, with expectations that by 2025 the figure will balloon to 27 billion. Organizations carry more risk because these devices are different than traditional on-premises IT devices. Devices at the edge — particularly IoT devices — frequently:

*   Process critical data away from data centers, with data including more private information
*   Are not supported or secured as strongly by many device manufacturers
*   Don't control passwords and authentication as strongly as traditional endpoints
*   Have limited compute capacity to implement security controls or updates
*   Are geographically distributed in nonsecured physical locations with no barbed wire, cameras, or barriers protecting them

All of this adds up to an enlarged attack surface that is extremely difficult to manage due to the sheer scale of devices out there. Policies and protocols are harder to implement and manage across the edge. Even something as "simple" as doing software updates can be a huge task. For example, often IoT firmware updates require manual or even physical intervention. If there are thousands or even tens of thousands of those devices run by an organization, this quickly becomes a quagmire for an IT team. Organizations need better methods for pushing out these updates, doing remote reboots, and performing malware remediation, not to mention monitoring and tracking the security status of all of these devices.

**More Than Authentication: The Promise of Zero Trust**

Zero trust is a set of guiding principles and an architectural approach to security that's well-suited to start addressing some of the edge security challenges outlined above. The heart of the zero-trust approach is in conditional access. The idea is that the right assets, accounts, and users are only granted access to the assets they need — when they're authorized, and when the situation is safely in line with the org's risk appetite. The architecture is designed to continually evaluate and validate all of the devices and behaviors in the IT environment before granting permissions and also periodically during use. It's great for the fluidity of the edge because it's not tied to the physical location of a device, network location, or asset ownership.

It's a sweeping approach, and one that can help reduce the risk surface at the edge when it is done right. Unfortunately, many organizations have taken a myopic view of zero trust, equating it solely as an authentication and authorization play. But there are a whole lot of other crucial elements to the architecture that enterprises need to get in place.

Arguably the most critical element of zero trust is the verification of assets before access is granted**.** While secure authentication and authorization is crucial, organizations also need mechanisms to ensure the security of the device that's connecting to sensitive assets and networks — including servers handling edge traffic. This includes verifying the status of the firmware in place, monitoring the integrity of the hardware, looking for evidence of compromised hardware, and more.

**Enabling Zero Trust With the Right Hardware**

While there is no such thing as zero-trust devices, organizations can set themselves up for zero-trust success by seeking out edge hardware that's more cyber resilient and enables easier verification of assets to stand up to the rigors of a strong zero-trust approach to security.

This means paying close attention to the way vendors architect their hardware. Ask questions to ensure they're paying more than just marketing lip service to the zero trust ideal. Do they follow a framework like the US Department of Defense's seven-pillar zero-trust standards? Looking for important controls for device trust, user trust, data trust, and software trust baked into the products that organizations choose to make up their edge architecture will in turn help them build zero trust into their own architecture.

Zero Trust in the Era of Edge

Check out our slideshow detailing the emerging cybersecurity trends in cloud, creating a defensible Internet, malware evolution, and more that lit up audiences in London.

Live From London: Next-Gen Cybersecurity Takes Stage at Black Hat Europe

SHA-1 was deprecated in 2011. NIST has set the hashing algorithm's final retirement date to Dec. 31, 2030.

It is time to retire SHA-1, or the Secure Hash Algorithm-1, says the US National Institute of Standards and Technology (NIST). NIST has set the date of Dec. 31, 2030 to remove SHA-1 support from all software and hardware devices.

The once-widely used algorithm is now easy to crack, making it unsafe to use in security contexts. NIST deprecated SHA-1 in 2011 and disallowed using SHA-1 when creating or verifying digital signatures in 2013.

"We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible," NIST computer scientist Chris Celi said in a statement.

SHA-1 was among the seven hash algorithms originally approved for use in the Federal Information Process Standards (FIPS) 180-4. The next version of the government's standard, FIPS 180-5, will be final by the end of 2030 -- and SHA-1 will not be included in that version. That means after 2030, the federal government will not be allowed to purchase devices or applications still using SHA-1.

Developers need to make sure their applications don't use any components that support SHA-1 by that time. While it may seem like plenty of time to make updates, developers need to submit the applications to be certified as meeting FIPS requirements. It's better to get verified and recertified earlier rather than later, as there may be a backlog of revised code to review, NIST said.

"By completing their transition before December 31, 2030, stakeholders – particularly cryptographic module vendors – can help minimize potential delays in the validation process," NIST said.

Along with updating FIPS, NIST will revise NIST Special Publication (SP) 800-131A to reflect the fact that SHA-1 has been withdrawn, and will publish a transition strategy for validating cryptographic modules and algorithms.

SHA-1 has been on its way out for years. Major web browsers stopped supporting digital certifications based on SHA-1 in 2017. Microsoft dropped SHA-1 from Windows Update in 2020. But there are still legacy applications that support SHA-1.

While hashing is supposed to be one-way and not reversible, attackers have taken SHA-1 hashes of common strings and stored them in lookup tables, making it trivial to launch dictionary-based attacks.

Also, collision attacks – initially described as a theoretical attack in 2005 – became more practical in 2017. While individual strings produce unique hashes most of the time, the collision attack creates a situation where two different messages generate the same hash value, allowing attackers to use a different string to crack the hash.

NIST Finally Retires SHA-1, Kind Of

Zero trust is useful in some situations, but organizations should not be trying to fit zero trust everywhere. In some cases, identity-based networking is an appropriate alternative.

People like to tout NIST’s SP 800-207 \[Zero Trust Architecture\] as the hot new thing, but the fact is, zero trust network models have been around for over a decade. Google took zero trust way past the proof of concept stage with its BeyondCorp model, and by the time 2010 rolled around, the company had the most functional zero trust network on the planet.

Fast forward a dozen years, and zero trust is once again the _craze-de-jour_ of the cybersecurity industry. The question is: _Should_ it be?

Zero trust isn’t the silver bullet that many it is, and zero trust shouldn’t be the new normal.

**What's the Problem with Zero Trust?**

Briefly: Zero trust presumes that no network connection, internal or external, can be trusted. Every user authenticates with multi-factor, every system’s authentication is reverified multiple times on the network, and the default access policy for everything is ‘deny’.

The primary methods of establishing and maintaining zero trust are micro-segmentation, overlay networks, enhanced identity governance, and policy-based access controls.

Setting aside the issues and the expense associated with incorporating zero trust into an existing network, the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource pooled cloud federation, doesn’t coexist well with zero trust.

This is where we see a lot of hand waving on how to make things work. The compromises, the shortcuts, and the sacrifices that organizations wind up making to allow federation under a zero trust model should give pause to even the most hardcore CIO.

But more to the point, the problem with zero trust is that humans don’t work in a zero trust manner, and for a good reason. It’s a waste of time and resources to re-validate someone’s identity over and over again when they haven’t even left the room. Our human trust cycle relies on logic, probability, and casual observation to establish and track the identities within an observable range. Interactions with low or no trust tend to be seen as low value, or even hostile.

So what kind of trust model can fully incorporate federation, and emulate more human and relatable trust cycles?

**What About Identity-First Networking?**

To usefully emulate the kind of ‘informed trust’ model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk.

That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Think of it as federation taken to an entirely new level. Or perhaps, a new _layer_. Identity is established at the network transport layer. This means that some of the most traditionally difficult resources to secure (databases, container clusters, etc.) can have their access levels centrally managed by integrating them with a trusted identity provider.

Identity is inextricably intertwined with the concept of trust. All network activity is automatically identity indexed, which means usage patterns are easy to track, and any attempts at unauthorized access are immediately flagged up. If a user or process tries to access something unusual, they’ll stick out like a sore thumb. DNS filters do most of the heavy lifting.

The risk of identity forging is greatly reduced, because the ID provider acts as the one true source of knowledge. The attacker would need the ID provider’s root certificate in order to be effective, a highly unlikely circumstance.

Computationally, this process is far less expensive than zero trust. In the case of zero trust, the work of checking and rechecking authentication several times during any given transaction adds up. In the case of identity-first, the packet doesn’t make it through the front door (or any doors in between as far as internally forged packets are concerned) without the right identity and attached permissions.

Multi-factor authentication is required for identity-first networking, but that’s hardly a bad thing in this day and age. The incorporation of identity-first makes VPNs redundant, which is only a sad story for the VPN providers.

**Zero Trust Should Not Be All-Encompassing**

There are places where zero trust is entirely appropriate. There are certainly government, national defense, and financial sector applications where zero trust shines.

But unless you’re creating your network from scratch, zero trust requires some expensive retooling to fully implement. This makes it inappropriate for many SMEs, as well as any organization that would rather adopt a model based on heavy federation.

In theory, the expense of zero trust is balanced out by the lower cost per security breach. But if a method such as identity-first networking can get the job done, there’s a new cost to benefit analysis that needs to be made on a per-organization basis.

Zero Trust Shouldn’t Be The New Normal

New features bring greater visibility and context into SaaS applications access and activity.

**NEW YORK****,** **Dec. 15, 2022** **/PRNewswire/ --** Axonius, the leader in cybersecurity asset management and SaaS management, today announced the release of two new capabilities within Axonius SaaS Management to help organizations better understand their overall SaaS application risk. Behavioral Analytics and SaaS App-to-Device Correlation allow IT and security teams to gain added visibility and context into the users and devices accessing SaaS applications, and whether suspicious activity is occurring for critical SaaS apps.

SaaS continues to represent an ever-expanding component of an organization's attack surface. Not only does the increase in adoption of SaaS applications change IT and security operations, it also adds new role and skill expectations for IT and security team members – like using already scarce resources to track organization SaaS app utilization and identify misconfigured SaaS settings potentially exposing sensitive data. All of this adds to more complexity and can have a profound impact on an organization's security posture.

"A lot of sensitive data is stored in and shared between SaaS applications, and oftentimes, it's very difficult to understand which users and devices have access to those applications," said Amir Ofek, CEO of AxoniusX, the innovation unit of Axonius. "For IT and security teams tasked with protecting their organization's entire SaaS app stack, they need the right information to help them better understand the who, the what, and the how of SaaS app usage. These new capabilities within our SaaS management solution will bring necessary context to the questions surrounding SaaS security."

**SaaS App-to-Device Correlation**

SaaS App-to-Device Correlation helps understand if unmanaged and unauthorized devices are being used to access various SaaS apps. By leveraging Axonius Cybersecurity Asset Management and its hundreds of adapters across the technology stack, Axonius SaaS Management will now automatically correlate each SaaS user to their associated devices and provide a more comprehensive view of an organization's security posture. Organizations will now have visibility into unmanaged or unauthorized devices accessing SaaS apps, and be able to decrease the risk of data loss.

"SaaS App-to-Device correlation ultimately helps organizations contextualize their SaaS application data," continued Ofek. "Using both Axonius Cybersecurity Asset Management and SaaS Management products, organizations gain a more complete view of their device security posture than they might receive with standalone integrations. No other solution on the market today can offer this much comprehensive and rich data."

**Behavioral Analytics** 

Over the past year, we've seen an increase in data breaches originating from SaaS applications. For example, the Okta breach in early 2022 demonstrated how one compromised SaaS application can often have a domino effect throughout an entire organization.

By adding Behavioral Analytics capabilities within Axonius SaaS Management, organizations will gain visibility into user behavior within SaaS applications over time – and be able to detect any anomalies or suspicious activity that could pose organizational risk. The solution aggregates log data across various sources, including Okta, Microsoft Azure AD, and Google Workspace, to identify suspicious activity, events, and complex behavioral patterns. As a result, Axonius helps facilitate in-depth investigations by the incident response and SOC teams within the organization.

Beyond identifying suspicious behavior, the behavioral analytics capability can help organizations investigate temporary privileges granted for existing users, identify anomalous login activities that deviate from the user's normal activity and other baselines, minimize data theft or leakage of confidential data, and more.

"These latest developments and the integration of the Axonius Cybersecurity Asset Management and SaaS Management products ensure comprehensive visibility and further correlation across SaaS applications, devices, cloud services, and users in an organization's environment, streamlining efforts to reduce the attack surface amidst an increasingly complex cyber landscape," said Ofek.

To learn more about these latest capabilities and to better understand how Axonius can help you control complexity across your entire IT environment, visit the website or request a demo.

**About Axonius**

Axonius gives customers the confidence to control complexity by mitigating threats, navigating risk, automating response actions, and informing business-level strategy. With solutions for both cyber asset attack surface management (CAASM) and SaaS management, Axonius is deployed in minutes and integrates with hundreds of data sources to provide a comprehensive asset inventory, uncover gaps, and automatically validate and enforce policies. Cited as one of the fastest-growing cybersecurity startups, with accolades from CNBC, Forbes, and Fortune, Axonius covers millions of assets, including devices and cloud assets, user accounts, and SaaS applications, for customers around the world. For more, visit Axonius.com.

SOURCE Axonius

Axonius Bolsters SaaS Management Offering With New Behavioral Analytics and SaaS User-Device Association Capabilities to Help Teams Address SaaS Application Risk

InfraGard's members include key security decision-makers and stakeholders from all 16 US civilian critical-infrastructure sectors.

A hacker using the handle "USDoD" has reportedly stolen contact information on more than 80,000 members of an FBI-run program called InfraGard and put the information up for sale on an English-speaking Dark Web forum.

The information the hacker accessed from InfraGard's database appears to be fairly basic and in some cases does not even include an email address, according to KrebsOnSecurity, which first reported on the incident this week. But the information belongs to CISOs, security directors, IT and C-suite executives, healthcare professionals, emergency managers, and law enforcement and military personnel directly responsible for protecting US critical infrastructure.

**A Potentially Valuable Asset**

As such, the stolen data represents a valuable asset for adversaries, says former InfraGard member Chris Pierson, currently CEO of BlackCloak, an online privacy-protection service for top executives and corporate leaders.

"The InfraGard database of contacts is a big win for any intelligence agency or nation-state to possess," Pierson says. The compromised data is nowhere close in sensitivity compared to major breaches such as the one that the US Office of Personnel Management (OPM) disclosed in 2015. Still, it is very practical and easy to use from an attacker's perspective, he says.

"While much of the information may be public or publicly available, the condensing of this information into the key people who run our nation's critical infrastructure is immensely valuable," Pierson notes. Personal addresses, personal cell phones, and easy access to which members possess a security clearance are all key pieces of data for an adversary to have, he says.

The FBI describes InfraGard as an initiative to bolster the nation's collective ability to defend against physical and cyber threats to critical infrastructure targets. It basically connects the FBI directly with critical infrastructure owners, operators, and security stakeholders. Its members include key security personnel and decision-makers from all 16 US civilian critical infrastructure sectors.

According to KrebsOnSecurity, the hacker "USDoD" gained access to the InfraGard database by first applying for a new account using the name, date of birth, and Social Security number of a chief executive officer at a large financial services company. The hacker apparently applied for InfraGard membership in November and provided an attacker-controlled email address and the actual phone number of the CEO, as contact information.

**An Opsec Lapse?**

Though InfraGard was supposed to have vetted that information, they never did and instead approved the application based on the information that the hacker had provided, KrebsOnSecurity reported. Similarly, though accessing InfraGard's portal requires two-factor authentication, the hacker found he could use the email address as a second factor instead — thereby obviating the need for access to the real CEO's phone.

Once on the portal, the attacker discovered that InfraGard user information could be relatively easily accessed via an API built into several components on the website, KrebsOnSecurity said, citing a direct conversation with the attacker. The hacker then apparently got a friend to code a Python query for retrieving all available InfaGard member information via the API. KrebsOnSecurity quoted the attacker as setting an asking price of $50,000 for the stolen dataset, but not really expecting any buyers at that price because of the basic nature of the information.

InfraGard member Will Carson, director of IT and cybersecurity at Cybrary, expressed frustration over the incident. “As an InfraGard member, it certainly isn't great to hear your information may have been disclosed from a news outlet before you hear from the impacted organization," he said in a statement responding to the news. He expressed disappointment over being unable to log into his InfraGard account after the apparent breach.

"Although I have full faith InfraGard leadership has a stronger grasp of the facts than I do from the outside, the radio silence to date makes me uneasy as a potentially impacted professional," he says.

The FBI did not immediately respond to a Dark Reading request for comment submitted via email to its press office.

Stolen Data on 80K+ Members of FBI-Run InfraGard Reportedly for Sale on Dark Web Forum

Facebook's parent company has also expanded bug-bounty payouts to include Oculus and other "metaverse" gadgets for AR/VR.

Facebook parent Meta will pay up to $300,000 to security researchers who report exploitable remote code execution (RCE) vulnerabilities in the Android and iOS versions of Facebook, Messenger, Instagram, and WhatsApp.

The actual amount will vary depending on the amount of user interaction — measured in "clicks" — to trigger the flaw. To qualify for the maximum payout, a security researcher would need to include working proof-of-concept code for exploiting the flaw in any of the current or previous two versions of Android or a currently supported version of Apple's iOS.

**Updated Payout Guidelines**

In addition to the updated guidelines for mobile RCE, Meta this week also released new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities. 

The maximum payout for a 2FA flaw is $20,000, while that for an ATO vulnerability is $130,000. Here again, the actual payout will depend on the ease with which an attacker can exploit a vulnerability. For instance, a researcher who reports and demonstrates an exploitable zero-click authentication bug can garner the $130,000 payout, while a one-click ATO will fetch a $50,000 reward.

The company also introduced new payout guidelines for bugs reported in its Meta Quest Pro and other virtual reality (VR) technologies, making Meta one of the first companies to set rewards for vulnerabilities in VR and mixed-reality devices.

Meta's updated payout guidelines for mobile RCE bugs and its new rewards for ATO and authentication bypass flaws are the latest tweaks to the company's nearly 11-year bug-bounty program. Under it, Meta has so far paid some $16 million to freelance researchers from around the world who have reported bugs in its online platforms.

The latest changes are part of the company's effort to ensure that the bug bounties Meta offers and the products that are covered under the program remain aligned with evolving threats, says Neta Oren, the security engineer who leads Meta's bug-bounty initiative.

"Every year, we continue to learn new things about how to best engage with the community and adjust our program to address some of the most impactful areas in evolving spaces," Oren says. "Our program has grown from just covering Facebook's Web page in 2011 to now cover all of our Web and mobile clients across our family of apps, including Instagram, WhatsApp, Oculus, Workplace, and more."

**Crowdsourced Cybersecurity**

Meta's bug-bounty program is similar to those of the hundreds of other companies that have implemented crowdsourced vulnerability-hunting programs in recent years. Many security experts consider these programs as a relatively cost-effective way of finding vulnerabilities that internal security teams might have missed. The programs give ethical hackers a structured way to find and report vulnerabilities they might discover on a website or Web application — and receive a reward for their effort.

Many of these programs include Safe Harbor clauses that exempt security researchers working under the bug-bounty program from legal liability for their research. For vendors, the programs offer a way to get top-notch security researchers to essentially conduct penetration tests on their platforms in a relatively cost-effective manner. Importantly, it also gives them a better shot at ensuring that researchers report a vulnerability directly to them rather than disclosing it publicly before a fix is available, or worse, selling it to a gray-market purchaser.

Some, though, have cautioned about such programs collapsing under the volume of bug reports that researchers can submit, especially if the organization's security team isn't mature enough or ready enough to respond to them.

**Large Volume of Reports**

Since Facebook launched its bug-bounty program in 2011, the company has received more than 170,000 reports from bug hunters around the world. The company identified more than 8,500 of those reports to be valid vulnerability disclosures, for which it has paid a total of $16 million in rewards. 

So far this year, Meta has received some 10,000 reports from researchers in 45 countries and issued bounties totaling more than $2 million for 750 or so identified vulnerabilities. India, Nepal, and Tunisia topped the list of countries in terms of where bounties were awarded so far this year.

"One benefit of having a 10-plus-year bug-bounty program is that some of our researchers have dedicated years to hunting on our platform and have become extremely familiar with our products and services," Oren says. "These researchers are able to dig beyond surface-level issues and help us identify impactful but niche bugs that the broader community wouldn't necessarily know to look for."

One example of impactful-but-niche was an account takeover and 2FA bypass chain issue that a long-time security researcher reported this year in Facebook's phone number-based account recovery flow; the vulnerability could have allowed an attacker to reset passwords and take over accounts unprotected by 2FA. Meta awarded $163,000 for the discovery.

Meta Ponies Up $300K Bounty for Zero-Click Mobile RCE Bugs in Facebook

New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.

**SEATTLE – December 15, 2022** **–** WatchGuard® Technologies, a global leader in unified cybersecurity, today released its latest quarterly Internet Security Report, detailing the top malware trends, and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q3 2022. Key findings from the data reveal the quarter’s top malware threat was detected exclusively over encrypted connections, ICS attacks are maintaining popularity, LemonDuck malware is evolving beyond cryptominer delivery, a Minecraft cheat engine is delivering a malicious payload, and much more.“We can’t emphasize enough how important it is for HTTPS inspection to be enabled, even if it requires some tuning and exceptions to do properly. The majority of malware arrives over encrypted HTTPS, and not inspecting it means you’re missing those threats,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “Rightfully so, the big prizes for attackers like an Exchange server or a SCADA management system deserve extraordinary attention as well this quarter. When a patch is available, it’s important to update immediately, as attackers will eventually benefit from any organization that has yet to implement the latest patch.” 

Other key findings from the Q3 Internet Security Report include:

*   The vast majority of malware arriving over encrypted connections – Although Agent.IIQ placed third in the normal top 10 malware list this quarter, it landed in the #1 spot at the top of the encrypted malware list for Q3. In fact, if you look at the detections for it on both of these lists, you’ll see all Agent.IIQ detections come from encrypted connections. In Q3, if a Firebox was inspecting encrypted traffic, 82% of the malware it detected was through that encrypted connection, leaving only a meager 18% detected without encryption. If you’re not inspecting encrypted traffic on your Firebox, it’s very likely that this average ratio remains true, and you are missing a huge portion of malware. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

*   ICS and SCADA systems remain trending attack targets – New to the top 10 network attacks list this quarter is a SQL injection-type attack that affected several vendors. One of these companies is Advantech, whose WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, which also appeared in the top five network attacks by volume, involved Schneider Electric's U.motion Builder software versions 1.2.1 and prior. This is a stark reminder that attackers aren’t quietly waiting for an opportunity – rather, they are actively seeking system compromise wherever possible.
*   Exchange server vulnerabilities continuing to pose risk – The most recent CVE among the Threat Lab’s new signatures this quarter, CVE-2021-26855, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability for on-premises servers. This RCE vulnerability was given a 9.8 CVE score and is known to have been exploited. The date and severity of CVE-2021-26855 should also ring a bell, as it is one of the exploits used by the group HAFNIUM. While most Exchange servers affected by it have likely been patched by now, _most_ does not equate to _all_. Therefore, risks remain.

*   Threat actors targeting seekers of free software – Fugrafa downloads malware that injects malicious code. This quarter, the Threat Lab examined a sample of it that was found in a cheat engine for the popular game Minecraft. While the file shared primarily on Discord claims to be the Minecraft cheat engine Vape V4 Beta, that’s not all it contains. Agent.FZUW has some similarities to Variant.Fugrafa, but instead of installation through a cheat engine, the file itself pretends to have cracked software. The Threat Lab discovered this particular sample has connections with Racoon Stealer, a cryptocurrency hacking campaign used to hijack account information from cryptocurrency exchange services.

*   LemonDuck malware evolving beyond cryptominer delivery – Even with a dip in total blocked or tracked malware domains for the third quarter of 2022, it is easy to see that attacks on unsuspecting users are still high. With three new additions to the top malware domains list – two of which were former LemonDuck malware domains, and the other part of an Emotet classified domain – Q3 saw more malware and attempted malware sites that were newer domains than usual. This trend will change and modify with the landscape of cryptocurrency in turmoil as attackers look for other venues to trick users. Keeping DNS protection enabled is a way to monitor and block unsuspecting users from allowing malware or other serious issues into your organization.

*   JavaScript obfuscation in exploit kits – Signature 1132518, a generic vulnerability for detecting JavaScript Obfuscation attacks against browsers, was the only new addition to the most-widespread network attack signatures list this quarter. JavaScript is a common vector for attacking users and threat actors use JavaScript-based exploit kits all the time – in malvertising, watering hole and phishing attacks, just to name a few. As the defensive fortifications have improved on browsers, so have attackers’ ability to obfuscate malicious JavaScript code.

*   Anatomy of commoditized adversary-in-the-middle attacks – While multi-factor authentication (MFA) is undeniably the single best technology you can deploy to protect against the bulk of authentication attacks, it is not on its own a silver bullet against all attack vectors. Cyber adversaries have made this clear with the rapid rise and commoditization of adversary-in-the-middle (AitM) attacks, and the Threat Lab’s deep dive on EvilProxy, the top security incident of Q3, shows just how malicious actors are beginning to pivot to more sophisticated AitM techniques. Like the Ransomware as a Service offering made popular in recent years, the September 2022 release of an AitM toolkit called EvilProxy has significantly lowered the barrier of entry for what was previously a sophisticated attack technique. From a defensive standpoint, successfully combatting this kind of AitM attack technique requires a mix of both technical tools and user awareness.
*   A malware family with Gothic Panda ties – The Threat Lab’s Q2 2022 report described how Gothic Panda—a state-sponsored threat actor connected to China’s Ministry of State Security—was known to use one of the top malware detections from that quarter. Interestingly, the top encrypted malware list for Q3 includes a malware family called Taidoor, which was not only created by Gothic Panda but has only been seen used by Chinese government cyber actors. While this malware typically focuses on targets in Japan and Taiwan in general, the Generic.Taidoor sample analyzed this quarter was found primarily targeting organizations in France, suggesting that some Fireboxes in this region may have detected and blocked parts of a state-sponsored cyberattack.
*   New ransomware and extortion groups in the wild –Additionally this quarter, the Threat Lab is excited to announce a new, concerted effort to track current ransomware extortion groups and build out its threat intelligence capabilities to provide more ransomware-related information in future reports. LockBit tops the list for Q3 with over 200 public extortions on their dark web page – nearly four times more than that of Basta, the second most prolific ransomware group WatchGuard observed this quarter.WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional malware and network trends from Q3 2022, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.
    
    For a detailed view of WatchGuard’s research, read the complete Q3 2022 Internet Security Report here.
    
    About WatchGuard Technologies, Inc.
    
    WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
    

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. 

Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

Sweeping operation took down around 50 popular DDoS platforms, just one of which was used in 30M attacks, Europol says.

About 50 of the most popular platforms available for hire to launch distributed denial-of-service (DDoS) attacks against critical Internet infrastructure have been shut down, their operators arrested in a massive international law enforcement crackdown called Operation Power Off.

Europol, along with law enforcement from the UK, US, the Netherlands, Poland, and Germany participated in the takedown targeting DDoS-for-hire services, also called "booter services."

Seven administrators have been arrested, according to Europol's announcement, adding that just one of the services shut down by Operation Power Off was responsible for more than 30 million DDoS attacks.

"DDoS booter services have effectively lowered the entry barrier into cybercrime: for a fee as low as EUR 10, any low-skilled individual can launch DDoS attacks with the click of a button, knocking offline whole websites and networks by barraging them with traffic," Europol's announcement of the success of Operation Power Off said. "The damage they can do to victims can be considerable, crippling businesses financially and depriving people of essential services offered by banks, government institutions and police forces."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading