The bug could allow unauthorized access and takeover, earning it a spot on the Known Exploited Vulnerabilities Catalog.

A critical bug in Oracle's Fusion Middleware Access Manager has landed on the Cybersecurity and Infrastructure Security Agency's list of known exploited vulnerabilities. 

The critical flaw, tracked under CVE-2021-35587, could allow a threat actor to compromise and take over the Oracle Access Manager.

Oracle's Fusion Middleware is an enterprise cloud platform used by customers that include large telecom carriers and factories, according to its site.

CISA labeled it an an "unspecified" vuln. "Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to take over the Access Manager product," CISA warned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Oracle Fusion Middleware Flaw Flagged by CISA

Expect to see attackers expand their use of current consumer-targeting tactics while exploring new ways to target Internet users — with implications for businesses.

A combination of maturing and emerging consumer-facing cyber threats could add to the many challenges that enterprise security teams will need to contend with in 2023.

Researchers at Kaspersky, looking at how the cyber threat landscape will likely evolve over the next year, expect that threat actors will expand use of many of their current tactics while exploring new avenues for attack via social media, streaming services, and online gaming platforms.

For business admins, the expansion of brands into the world of the metaverse (the theoretical universal and immersive virtual world of the Internet, facilitated by the use of virtual reality and social media) could open them up to attack. And in the era of remote work and bring-your-own-device (BYOD), any consumer threat is potentially an enterprise one, so IT security teams would do well to follow the trends in this space.

**Attacks Using Current Techniques Will Grow...**

The security vendor for example expects that cybercriminals will continue to take advantage of the post-pandemic surge in consumer interest around online streaming services to try to distribute malware, steal data, and execute other malicious activity.

Many of the attacks will target individuals looking for alternate sources for downloading a legitimate streaming app, or a particular episode of a show. Expect to see cybercriminals use widely anticipated titles and streaming service provider names such as Netflix, Hulu, and Amazon Prime Video as lures to get users to download malware or to direct them to phishing sites, according to Kaspersky.

Consumers will also face more gaming subscription fraud and scams that involve online currencies and artifacts. Attackers will primarily target games that use currencies and allow sale of in-game items and boosters because they give threat actors a way to process money obtained from other illegal activities.

In a report earlier this year, Kount, an Equifax-owned fraud protection service, also identified online currencies as offering a plethora of opportunities for adversaries to launder money and carry out payment card fraud. "For example, a fraudster creates a free account for an online multiplayer game then uses stolen credit cards to fill up the account with in-game currency and skins," Kount researchers had noted, adding, "Once the account is loaded, the fraudster sells it on a trading site," for anywhere between several hundreds to several thousands of dollars.

Kaspersky expects that attackers will also try to exploit a continuing shortage in the availability of popular gaming consoles via fake pre-sale offers as well as fraudulent giveaways and discounts from online stores purporting to sell hard-to-find consoles.

**...Even as Threat Actors Explore New Attack Avenues**

Meanwhile, the metaverse, online education platforms, and certain categories of health-related apps will all become new avenues for attack in 2023, Kaspersky said.

Privacy will emerge as a major concern in the metaverse, Kaspersky predicted. "As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification," Kaspersky said.

Others have also expressed concern over the increased amount of personal information that will be collected in fully immersive environments via VR headsets and their collection of cameras, microphones, and motion trackers. Many expect the data will reveal a lot about a user's location, appearance, and other private information while also enabling attackers to carry out more sophisticated phishing and social engineering scams.

At least some of the attacks in virtual reality and augmented reality environments will involve virtual abuse and sexual assault — such as that involving cases of avatar rape, Kaspersky said.

The security vendor pointed to an incident where an avatar associated with a researcher at a nonprofit advocacy group was raped on a metaverse platform owned by Meta as one example of the kind of issues consumers can increasingly run into.

Despite efforts by technology companies to build protection mechanisms into metaverses, "virtual abuse and sexual assault will spill over into metaverses," Kaspersky said. "As there are no specific regulation or moderation rules, this scary trend is likely to follow us into 2023."

"The metaverse represents an area where consumer threats will be different from years past," says Anna Larkina, a security expert at Kaspersky. "Fake, malicious VR and AR apps, as well as privacy risks and potential abuse associated with this new frontier, will account for threats we haven't necessarily seen before," she says.

Certain kinds of apps — such as those related to meditation or those where a consumer might offer a hint of their current emotional state — could become another new attack avenue, Larkina says.

"It is easy enough to imagine a variety of applications for meditation, in which you indicate your current state/emotions, and they select the appropriate course for you," she explains. "Such data can easily be collected and stored in order to track the state of the user and offer them suitable meditation practices." An attacker that gains access to such data could execute successful spear-phishing and social engineering scams in a highly targeted manner, she notes.

Attacks targeting consumers should matter to enterprise security teams because attacks on companies quite often involve the human factor, Larkina says. "If the system is technically secure enough, then you can get inside the system by 'hacking' employees of the company."

The Metaverse Could Become a Top Avenue for Cyberattacks in 2023

Elon Musk-owned Starlink, WhiteHouse.gov, and the Prince of Wales were targeted by Killnet in apparent retaliation for its support of Ukraine.

Killnet and its band of hacker collaborators are claiming they were able to pull off a trio of symbolic distributed denial-of-service (DDoS) attacks aimed at punishing some of the most critical supporters of Ukraine against the Russian invasion — Elon Musk's Starlink satellite broadband service and the websites of the White House in the US and the Prince of Wales in the UK. 

Researchers at Trustwave were able to find evidence corroborating the Russian-backed threat group's claims. 

Killnet claimed it took down Starlink service on Nov. 18, which has been critical for providing the Ukraine war effort with Internet connectivity. Indeed, Trustwave found Starlink customers on Reddit on the same day complaining they couldn't log in to their accounts for several hours. 

"You've been waiting for this comrades," Killnet posted on Telegram, according to Trustwave. "Collective DDoS attack on Starlink! No one can log into Starlink." 

Other threat groups, and known past Killnet collaborators, also claimed they were involved in the Starlink and other DDoS takedowns, including Anonymous Russian, Msidstress, Radis, Mrai, and Halva. 

**White House, Prince of Wales' Websites Targeted **

Besides Starlink, Killnet also bragged that it was able to successfully run "30 minutes of a test attack" on the White House's website on Nov. 17. 

"Of course, we wanted to take longer, but did not take into account the intensity of the request filtering system," Killnet added. "But!!! The White House was banged up in front of everyone!" 

Trustwave added that the White House uses military-grade protection against DDoS attacks from Automattic. 

Days later, on Nov. 22, the group launched yet another DDoS attack, this time against the Prince of Wales' site, and warned that the UK healthcare system would be next, the Trustwave team reported. Killnet also threatened future attacks against the London Stock Exchange, the British Army, and more. 

Along with its claim of the UK DDoS attack, Killnet added ominously, "today it does not work, perhaps this is due to the supply of high-precision missiles to Ukraine!" 

Although the targets are ambitious, Trustwave said Killnet and its cybercrime cohort aren't advanced enough to pull off more than basic DDoS attacks. 

"We should expect to see more of these low skill attacks from Killnet targeting an ever-growing list of targets that it considers to be in opposition to Russian interests," Trustwave said in its Tuesday report on the Killnet DDoS attacks. "However, it remains to be seen whether the group can graduate to attacks that cause damage, exfiltrate data, or do more than take down a website for a short period of time."

Killnet Gloats About DDoS Attacks Downing Starlink, White House

A lack of federal regulatory legislation leaves US privacy concerns to battle for attention with other business priorities.

Over the past 15 years, several events have reshaped how we think about data — what it means from a business perspective and what rights individuals have regarding how their personal information is used. Data security governance undoubtedly will play a large role in the future; however, conversations are still in relatively early stages. 

In 2016, when European regulators created the General Data Protection Regulation (GDPR) as a legislative framework that clearly mandates rules and fines, a fundamental shift occurred that elevated privacy to a board-level discussion. This resulted in CEOs taking part in the conversation while empowering the C-suite to make more decisions. 

Next, the data culture quickly evolved from one of implicit trust (where organizations freely used data without much restriction) to limiting risk (controlling data access based on regulations and customer feedback). While the data protection industry in Europe has made great strides since GDPR came into existence, we still have a long way to go because, for decades, technology solutions were built without privacy in mind. 

In the United States, the picture is quite different, as the lack of federal regulatory legislation leaves privacy concerns to battle for attention with other business priorities. Let's dig deeper into what the future of data privacy looks like across the pond. 

**Beyond Cookies: Delving Beneath the Data Veneer**

Marketplaces built around selling data need to pivot, because the future is about protecting individual data rights and that change goes far beyond a website pop-up asking to approve the use of cookies. Historically, data brokers have cashed in on users' data, which precipitated state laws in Vermont and California that aim to protect consumers by identifying the brokers and determining how they use the information. 

Tech giants like Apple and Google have also increased privacy protections with app-tracking transparency and plans to phase out third-party cookies. These titans of industry are pioneering an important movement that other companies need to follow. There's hope that legislation may spark further change, especially with privacy receiving bipartisan support.

If the American Data Privacy and Protection Act (ADPPA) takes effect in the United States, the biggest win would be a common standard for how to handle data. States like California have already established stricter standards for data privacy through the California Consumer Privacy Act (CCPA). Compliance requirements and hefty fines would be important accelerators in protecting consumer data. 

**Privacy Needs Security **

A comprehensive data security strategy is essential and a prerequisite to an overall privacy-centric posture for data-driven organizations. It's imperative to implement scalable, fine-grained access controls so policies can keep the data safe in the first place.

As the pendulum shifts toward implementing broader and complete data security strategies, companies need to adjust. The work of chief information security officers (CISOs), chief data officers (CDOs), and chief information officers (CIOs) alongside their actions is more critical than ever, because they are responsible for implementing tools and processes that help align companies toward their privacy-related goals. The increased focus on a complete data security strategy applies to data-driven organizations of any size. 

A Cisco study cites that 92% of organizations claim privacy to be integral to their culture, but it comes with a technical challenge. Oftentimes, CISOs and CIOs are confronted with data spread across their organization and they need to gain visibility into all their siloed, heterogeneous data to understand who controls, maintains, processes, and accesses which parts of the data. 

This challenge is exacerbated by the need to modernize with cloud-native technologies so companies have a better understanding of how data is used and that it is used in accordance with privacy guidelines, principles, and any governing legislation. 

**A Look into the Future**

None of this happened by accident. Consumers didn't like data collection practices and they spoke up. Legislators heard from their constituents and started creating regulations like the ADPPA. Companies started serving consumers differently and taking data privacy seriously.

Consumer awareness of how data is collected and used is becoming mainstream. According to HubSpot's "2022 State of U.S. Consumer Trends Report," 80% of consumers consider data privacy a human right and believe individuals should have complete control over how companies use their data. As a result of these growing trends, more businesses should leverage privacy as a differentiator. 

There is still a gap between companies' intent to satisfy data privacy concerns and the action that protects that information. As consumers become better educated about how their data is used, and legislation inches closer to reality, it becomes even more critical. Making the right investments in data security provides visibility, access control, and insights into your data while ensuring compliance, and can help make all the difference.

Why the Culture Shift on Privacy and Security Means Today's Data Looks Different

**SINGAPORE, Nov. 29, 2022 /PRNewswire/ —** CDNetworks, the global-leading CDN (Content Delivery Network) and Edge Service Provider, released its annual State of Web Security Report for H1 2022. The Security Report notes that distributed denial-of-service (DDoS), bot, and Application Programming Interface (API) attacks increased at an alarming rate in H1 2022. Web application attacks also increased over the same period, but at a much slower rate than DDoS attacks. CDNetworks believes this trend shows that security tools focusing on single attacks are no longer effective against today's multiple cyber threat landscape. Leveraging a comprehensive security solution has never played a more important role for businesses and individuals.

**Surging Trend for All Types of Attacks:**

Of particular note are the following indicators noted in the Security Report:

*   The level of DDoS attacks topped 2.09 TBPS, which broke the record level of traffic-induced DDoS attacks.
*   The number of web application attacks increased by 12.56% over the same period last year, reaching 62.8875 million per day.
*   Malicious bot attacks surged 2.27 times over the same period in 2021, with 77.366 billion incidents recorded.
*   The number of API attacks had a 168.80% increase over the same period in 2021, with 9.0865 million API attacks blocked daily in H1 2021.

The Security Report goes on to say that data generated by the CDNetworks' security platform shows that risks of data breaches continue to escalate. This risk stems from the fact that increasing amounts of data and devices are being exposed to the network, making them vulnerable to the dual threat of external attacks and internal breaches. At the same time, API security threats continue to rise at breakneck speed, and the security challenges they present exceed those of traditional webpages. The end result is confirmation that the cybersecurity environment continues to change dramatically.

"As enterprises shift their business to the cloud, we found that some traditional web-protection rules no longer offer the capabilities they once did in combatting today's complex and virulent cyberthreats. What enterprises actually need are security solutions that address cloud and hybrid environments holistically in a comprehensive and systematic security architecture." said Doyle Deng, head of Global Marketing and Product of CDNetworks. "For this reason, we strongly recommend that enterprises adopt CDNetworks' WAAP services to secure their data and their business with more beyond rule-based web protections. Features such as web application firewall, DDoS protection, bot management, and API management capabilities empower enterprise users of our WAAP services to establish a comprehensive cornerstone that has been proven effective in combatting API and web application attacks."

The Security Report also monitored security associated with telecommuting within today's enterprises. As the long-term global impact of COVID-19 takes hold, organizations are starting to accept remote a remote workforce and cloud-based applications as an alternative to on-premise workers. The Security Report compared policies governing centrally managed corporate devices to policies aimed at Bring Your Own Devices (BYODs), which allow employees to use their own devices — phone, laptop, tablet, or other device — to access business applications and data, rather than forcing employees to use company-provided devices for that purpose. The Security Report found that BYOD rules generally lack a clear security management policy, making them vulnerable to targeted hacking attacks. To address this, CDNetworks recommends that enterprises select Enterprise Secure Access (ESA), our zero-trust access solution, to establish a secure, efficient, and easy-to-use hybrid networking environment.

Click here to download State of Web Security Report for H1 2022 or visit at www.cdnetworks.com.

**About CDNetworks  
**As a global-leading CDN (Content Delivery Network) and Edge Service provider, CDNetworks delivers fully integrated cloud and edge computing solutions with unparalleled speed, ultra-low latency, rigorous security and reliability. Our diverse products and services include web performance, media delivery, enterprise applications, cloud security, and colocation services — all of which are designed to spur business innovation.

CDNetworks Releases State of Web Security H1 2022: Attacks Against API Services Surged 168.8%

The manufacturer is working to fix a vulnerability — similar to a previous problem in Lenovo laptops — that allows threat actors to modify or disable Secure Boot settings to load malware.

Acer is working to fix a firmware flaw affecting five of its laptop models. An exploit could allow attackers to disable a machine's Secure Boot settings to bypass key security measures and load malware, researchers have found.

ESET Research researcher Martin Smolar discovered the flaw, tracked as CVE-2022-4020, in the HQSwSmiDxe DXE driver on some versions of consumer Acer Aspire and Extensa notebooks. An attacker with elevated privileges can use the flaw to modify UEFI Secure Boot settings via an NVRAM variable, ESET disclosed in a series of tweets posted Nov. 28.

"#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe, which checks for the 'BootOrderSecureBootDisable' NVRAM variable," according to ESET. "If the variable exists, the driver disables Secure Boot."

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, OS files, and unauthorized option ROMs by validating their digital signatures. The feature blocks any malicious activity before it can infect the system.

By exploiting the flaw, threat actors can bypass this feature and run whatever code they want on the machine, malware or otherwise, even achieving persistence in a case in which an OS is reinstalled, the researchers said.

**Different Manufacturer, Similar Security Vulnerability**

Specifically, CVE-2020-4020 affects Acer Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G notebooks. The flaw creates a similar opportunity for attackers to the one caused by vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 that ESET researchers found in early November in various Lenovo Yoga IdeaPad and ThinkBook devices, and subsequently detailed extensively in a series of tweets.

As in that case, ESET also reported the vulnerability to the computer manufacturer for remediation. Acer quickly responded on Nov. 29 with a security update corroborating Smolar's findings and stressing the serious nature of the flaw.

"By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process," the company said. "This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges."

Acer is working on a BIOS update to resolve the issue that it will post on the Acer Support site, and recommends that affected users update their BIOS, once available, to the latest version to resolve the problem. The patch also will be included as a critical Windows update, the company said.

**Common NVRAM Variable Problem**

In both the Lenovo and Acer scenarios, attackers can exploit the Acer bug by creating special NVRAM variables, the actual value of which is not important—the existence of the variable itself is the only thing an affected firmware driver checks, the researchers noted.

NVRAM variables define a name for the boot option that can be displayed to a user. The variable also contains a pointer to the hardware device and to a file on that hardware device that contains the UEFI image to be loaded.

This problem appears to be quite well known, with researchers already advising against firmware developers storing security-sensitive components in these variables. Firmware security engineer Nikolaj Schlej even tweeted a plea to firmware developers in October to "stop using common NVRAM as trusted storage" because of the security problem it poses.

"It is indeed really tempting to use NVRAM or CMOS SRAM for storing triggers for various things, but both need to be assumed being under full attacker control," he said in a response to his own tweet. "Even volatile NVRAM variables aren't completely safe because there is still a chance of incorrect attribute check."

In the case of the Lenovo flaws, it does appear that developers already were aware of the issue before it made its way into the company's laptops, as some of the affected components were only meant to be used during manufacturing and were mistakenly included in production, according to ESET.

Acer Firmware Flaw Lets Attackers Bypass Key Security Feature

Nok Nok’s S3 Suite brings next-level MFA to UberEther’s IAM Advantage Platform to protect the US federal government and its suppliers.

**San Jose, CA - November 29, 2022 —** Nok Nok, a leader in FIDO (Fast IDentity Online) authentication solutions and a founder of the FIDO Alliance, today announced it is partnering with UberEther, a leading provider of identity and access management solutions to the federal government. Together they will extend FedRAMP certification of UberEther's IAM Advantage platform with innovative cybersecurity capabilities requested by some of the world’s highest-profile agencies and organizations.

FedRAMP’s standards-based approach to security assessment and authorization enables federal agencies, customers, and their suppliers to transition from insecure legacy IT infrastructure to mission-enabling, secure, and continuously-monitored cloud solutions with an increased focus on securing and protecting federal information.

UberEther’s IAM Advantage model is FedRAMP High and DoD Impact Level 5 ready, which means that even the most closely monitored companies can run their identity in the cloud more securely, efficiently, and effectively. Once UberEther is fully FedRAMP authorized, it will have one of the only private-tenant, cloud identity solutions available in the federal marketplace that government agencies use to find compliant, FedRAMP-approved cloud services. This designation builds on UberEther’s highest commitment to security standards.  

“Nok Nok is very honored to partner with UberEther to deliver trusted IAM solutions to the largest government agencies with built-in next-level MFA that meets the highest levels of security,” said Nok Nok CEO Phillip Dunkelberger. “Nok Nok’s FIDO authentication solutions add key features and benefits per the federal mandate in the White House’s 2021 Cybersecurity Executive Order that defines how the government will lead by example in adopting best of breed cybersecurity capabilities. Nok Nok and UberEther’s partnership adds new innovation to mandated FedRAMP solutions that enables government agencies and their supplier networks to become phishing-resistant and therefore more secure, while also becoming easier to use.”

“At UberEther, we're extremely excited to be working with Nok Nok on this opportunity to bring phishing-resistant credentials to the federal government,” said Matt Topper, President and CEO, UberEther. “We're not only focused on enabling citizens and partners of the federal government to connect to services more securely, but we're also enabling service members, civilians, government employees, and contractors to work with mission-critical systems more easily.”

“We all know that zero trust is the future of security within the federal government and worldwide, and identity is the first pillar of zero trust that we need to protect the nation. With Nok Nok inside, government agencies and their suppliers will be able to offer more secure sign-in and a great user experience that's better than anything we've been able to provide before,” continued Topper.

Robert Lentz, a member of Nok Nok’s Board of Advisors and who served our nation as Deputy Assistant Secretary of Defense and the first Chief Information Security Officer for the Department of Defense added, “I am excited about the future that Nok Nok and UberEther are creating. With FIDO passkeys built into device hardware and software applications, and now FedRAMP standards incorporating phishing-resistant MFA, we are keeping our nation’s networks safe along with the agencies, partners, civilians, and government employees who use these networks”.

**About UberEther**

UberEther effectively builds and efficiently runs the security, identity, and access management services that protect many of our nation’s most critical assets. Identity is the core foundation for secure services in every organization, and we pride ourselves on protecting it. Our established and dependable UberEther team delivers identity solutions for some of the most trusted government agencies and supplier networks.

Since 2009, the UberEther team has been building simple, secure, sustainable customer solutions for local and Federal Government agencies and within the Intelligence Community. We are passionate about using technology to solve problems, and we use this passion to prove innovative solutions on our own time before bringing these innovations to our customers. Our diverse background of development, integration, and operations skills allows our team to take into account all aspects of a solution and ensure that what works great in the lab will excel in production.

For more information, visit UberEther.com, read our company blog, and follow us on LinkedIn, Twitter, and YouTube.

**About Nok Nok**

Nok Nok is a global leader in passwordless customer authentication. Delivering the most innovative FIDO solutions for the authentication market today, Nok Nok empowers global organizations to dramatically improve their user experience and security, and reduce operating expenses while meeting the most advanced privacy and regulatory requirements. TheNok Nok™ S3 Authentication Suite integrates into existing security environments to deliver proven, FIDO-enabled passwordless customer authentication. Headquartered in Silicon Valley, California, the company has delivered unique inventions and innovations protected by a robust global patent portfolio. As a founder of the FIDO Alliance and an innovator of FIDO standards, Nok Nok is an expert in next-level, multi factor authentication. Global customers trust their customer authentications with Nok Nok’s S3 Suite for their user registrations, sign-ins, and payment confirmations. Nok Nok’s customers and partners include Verizon, Intuit, T-Mobile, BBVA, NTT DOCOMO, NTT DATA, MUFG Bank, AFLAC Japan, Standard Bank, Fujitsu Limited, and Hitachi.

For more information on Nok Nok and phishing-resistant FIDO MFA, visit www.noknok.com, read our company blog, follow us on LinkedIn, see our company videos on YouTube, and read (_Director, CISA)_ Jen Easterly’s blog post on next-level-mfa-fido-authentication.

Nok Nok and UberEther Partner to Deliver Phishing-Resistant MFA FedRAMP-Certified IAM Solutions

Today's cyber environment requires less emphasis on detection and perimeter defenses and more focus on bolstering security with resilience.

The federal government has once again signaled that our traditional approach to cybersecurity, one predicated solely on prevention and perimeter defenses, is failing us. In the past two years alone, 76% of organizations were attacked by ransomware, and 66% experienced at least one software supply chain attack. Now, the Cybersecurity and Infrastructure Security Agency (CISA) is the latest federal entity to shake up cybersecurity best practices — underscoring that we need drastic change to withstand today's dynamic threat landscape. 

CISA, the group tasked with strengthening our national approach to cybersecurity and securing critical infrastructure, has released a strategic plan that outlines four goals that must be met to address the "diverse and dynamic challenges facing our nation." The CISA Strategic Plan 2023-25 is the first of its kind for the agency, which was founded four years ago. The plan is light on details, but it's notably marked with a move away from traditional prevention and detection approaches toward "resilience."

The first of CISA's outlined objectives is to "enhance the ability of federal systems to withstand cyberattacks." Federal agencies should be prepared for and able to rapidly recover from cyberattacks and incidents, as well as maintain mission continuity during and after cyberattacks and incidents.

That the agency places this goal above the ability to actively detect cyberthreats (Objective 1.2) speaks volumes about today's priorities. Instead of focusing first on preventing and detecting breaches, CISA is acknowledging that breaches will occur. This marks a subtle but dramatic shift in thinking. Only by recognizing that cyberattacks and breaches are inevitable can we effectively reduce their impact.  

**A Marked Shift Away From Prevention**

Detection, firewalls, and perimeter defenses represent cybersecurity’s status quo — fundamentally, the same strategy employed since the dot-com era. But in the past decade, hyperconnectivity and hybrid work have become the norm — drastically expanding the attack surface. The painful takeaway from the long string of ransomware attacks and breaches we've witnessed during the past three years (Colonial Pipeline, Kaseya, SolarWinds, and many more) is that legacy solutions and traditional cyber approaches focused solely on keeping bad actors out no longer provide adequate protection.

If we consider CISA's plan in combination with the Biden Administration's May 2021 Executive Order on Improving the Nation’s Cybersecurity, which mandated that federal agencies must implement zero-trust architectures, it's clear that protecting our most critical infrastructure is now more about ensuring continuous operations, proactive risk mitigation, and resilience than preventing digital break-ins entirely. In fact, CISA's strategic plan mentions the word "resilience" 30 times.

Withstanding attacks through resilience is among zero trust's core principles, along with the concepts of assume breach, least privilege, and "never trust, always verify." In fact, zero trust is the rational response to the current threat landscape, with our hyperconnected, multicloud environments and sophisticated cyberattackers constantly changing strategies.  

Breaches are inevitable today, but zero-trust tools and technologies are designed to shrink the initial attack surface and curtail the larger implications of attacks — for example, preventing a single breach from turning into a larger supply chain failure.

**Driving Real Change**

CISA's plan is encouraging. For one thing, it is recognition that the government believes zero trust is the way forward. It's also another indication that federal security leaders are serious about shoring up our national resilience in cyberspace.

We know that our critical infrastructure will continue to be a top target for digital adversaries. In 2021, according to the FBI, ransomware attacks hit 649 US critical infrastructure entities, and nearly 90% of all US critical infrastructure sectors were hit by a successful ransomware attack.

Still, the devil is in the details. CISA's plan offers rough specifics, but goals, standards, and deadlines must be set. Accountability must be mandated.

For the CISA plan to accomplish any of its goals, it will require cooperation from both the government and private stakeholders. Fueling these objectives will also require a commitment to continuous funding and resources. Without sufficient finances and personnel, agencies don’t have the bandwidth to act on their goals, let alone be held accountable. CISA's goals are admirable and a step in the right direction, but without a clear outline of funding priorities, there's little assurance that goals and plans like these will come to fruition.

Today's most daunting cyber challenges boil down to this: History has proven that the concept of preventing intrusions by building digital moats and walls is a fantasy. Modern organizations — private or public — are bound to be breached. What we need is more emphasis on breach containment, end-to-end visibility, and more private-public cooperation. We need more accountability, and we need to move faster toward zero trust to fuel national resilience.

CISA's Strategic Plan Is Ushering in a New Cybersecurity Era

**MILWAUKEE, Nov. 29, 2022 /PRNewswire/ —** In an effort to understand key factors and concerns impacting U.S. Internal Audit executives, Jefferson Wells, the Finance & Accounting, Internal Audit, Risk & Compliance, and Tax professional services firm, part of ManpowerGroup (NYSE: MAN), announced today results from its sixth annual Internal Audit Priorities survey. While cybersecurity continues as the number one risk, Environmental, Social, and Governance (ESG) jumped up to number two on the list of emerging risks.

"Cybersecurity remains the top concern for many executives, who are seeing their audit teams expand their coverage of Information Technology Governance," said Jim Gusich, ManpowerGroup's Chief Audit Executive. "But this year's survey also reveals the growing importance of ESG as more organizations are increasing their commitment to developing comprehensive ESG strategies in 2023 and beyond."

Many Internal Audit leaders expressed concern about Internal Audit Departments struggling to keep fully staffed, amid the ongoing pandemic and shifts in how and where auditors work. The survey shows 53% are working hybrid and 25% are fully remote.

"Today's Chief Audit Executives are faced with balancing constrained audit resources with the consistent pressure to expand audit coverage within their organizations," Tim Lietz, National Practice Director, Risk & Compliance at Jefferson Wells, said. "Companies are experiencing a 100% increase, year-over-year, in audit departments deferring audits because resources aren't available. Due to the current state of the job market, many internal audit departments have not been fully staffed over the past 12-18 months."

**KEY FINDINGS**

*   The top five areas for Audit Committees are Data privacy and cybersecurity (43%), Emerging risks and impacts on major initiatives (37%), Strategic risk (33%), ESG (31%), and Employee retention (29%).
*   With the growing importance of ESG, 71% of Chief Audit Executives (CAE) are including an assessment of ESG in their audit plans.
*   As ransomware and other attacks have exponentially increased in both frequency and ferocity, Internal Audit departments are now shifting more attention to preventative, strategic methods of cyber defense.
*   As operational involvement increases, internal audit leaders are looking for other ways to enhance their audit function. Two areas with the highest return on investment are data analytics (52%) and other internal audit specific technologies (48%).

For the complete 2022 Internal Audit Priorities survey results, visit www.jeffersonwells.com.**ABOUT JEFFERSON WELLS**

Jefferson Wells is a professional services firm delivering solutions in Finance & Accounting, Internal Audit, Risk & Compliance, and Tax. We provide consulting, thought leadership, integrated resourcing, and executive search. Jefferson Wells is a part of the ManpowerGroup family of companies.

**ABOUT MANPOWERGROUP**

ManpowerGroup® (NYSE: MAN), the leading global workforce solutions company, helps organizations transform in a fast-changing world of work by sourcing, assessing, developing, and managing the talent that enables them to win. We develop innovative solutions for hundreds of thousands of organizations every year, providing them with skilled talent while finding meaningful, sustainable employment for millions of people across a wide range of industries and skills. Our expert family of brands – Manpower, Experis, and Talent Solutions – creates substantially more value for candidates and clients across more than 75 countries and territories and has done so for over 70 years. We are recognized consistently for our diversity – as a best place to work for Women, Inclusion, Equality, and Disability, and in 2022 ManpowerGroup was named one of the World's Most Ethical Companies for the 13th year – all confirming our position as the brand of choice for in-demand talent.

Cybersecurity and ESG Among Top Areas of Concern for Audit Leaders in 2023

Senior cybersecurity professionals reveal their number one frustration is the inability to continuously measure enterprise-wide security posture and identify control failures.

**LONDON and NEW YORK, Nov. 29, 2022 /PRNewswire/ —** Panaseer, a leader in security posture management using Continuous Controls Monitoring, today released the third edition of its Security Leaders Peer Report looking at the concerns and constraints currently faced by CISOs and other senior cybersecurity leaders across the US and UK. The survey of over 800 respondents from large organisations conducted by Censuswide found that almost 9 in 10 security leaders see the failure of controls expected to be in place as the primary reason for data breaches, and 79% of enterprises have experienced cyber incidents that should have been prevented with existing safeguards. As a result, most breaches are preventable but are still occurring – and security leaders are becoming increasingly frustrated.

For the first time, the 2023 report examines how security professionals are personally impacted by the high-pressure environment they work in. Many revealed that a lack of visibility and understanding of their security posture is the leading cause of their frustrations – specifically, the inability to continuously measure enterprise-wide security posture and identify control failures (ranked as number one, with 70% frustrated). Incidents that should have been stopped by an expected control followed closely, with 68% exasperated by this inability to stop preventable breaches. Respondents also pointed to issues with data and tooling as a bigger driver for security team resignations than demands for higher salary and greater seniority.

Each year, the report also looks at how much time security teams dedicate to manually collecting and reporting on security data. This year, Panaseer found that teams spend 59% of their time on these tasks – a 9% increase on the previous year's research, and a 64% rise from the first survey in 2019. In fact, 70% of security teams now spend more than half of their time on manual reporting, leaving less time for threat detection and vulnerability patching.

As explained by Andreas Wuchner, Field CISO at Panaseer, "To effectively reduce the significant amount of time spent manually reporting, CISOs and their teams need to be looking to automation. As well as freeing up qualified security professionals to dedicate time to higher value tasks – from threat detection to business continuity planning – automation provides the road to accurate, trustworthy data. We need to prioritise the maturation of automation, metrics and risk management in order to help teams cope with heavy reporting workloads."

**Measuring risk**In overcoming the issue of preventable breaches and frustrated security teams, only 44% of organisations are extremely confident in their ability to continuously measure their control gaps. Respondents have pointed to a lack of internal resources (39%), inability to evidence remediation (38%), ineffective tooling (34%) and poor control failure visibility (34%) as the reasons behind this lack of confidence.

However, 82% agree that monitoring and addressing expected controls failure and risk would likely have a bigger impact on their security posture than buying additional tools. This is particularly pertinent given the issue of tool sprawl – the two previous reports have found that it's not uncommon for organisations to use more than 75 or even 100 security tools.

Fortunately, awareness of how these control failures can be addressed is growing. 88% of security leaders stated they are likely to implement a Continuous Controls Monitoring (CCM) platform in the next two years, a solution critical to measuring and advising on security control effectiveness. That compares to 79% who said the same in 2022.

"Unfortunately, the majority of breaches we see occur because of a preventable security control failure," says Jim Doggett, CISO at Semperis. "By going back to basics, reducing complexity and truly knowing their security stack – the tools they have and their utilisation – security leaders can achieve an end-to-end view of their organisations' security posture. And increasingly, they are converging on CCM to provide the single source of truth they need to do so."

Other key findings from the report point towards a lack of confidence in _what_ to measure to improve security posture. These include:

*   Nearly all (99%) security leaders are actively engaged in trying to benchmark their security metrics, policies and standards, but almost three-quarters (72%) admit they are not absolutely satisfied with their ability to do so currently
*   Less than half of respondents are highly confident they are continuously evaluating best practice security metrics specifically aligned to their organisational size and industry
*   Of the remainder, 47% simply don't know the right metrics to monitor and 51% don't have the resources to help them do it

To find out more, read the full Security Leaders Peer Report here.

**About Panaseer**Panaseer is an enterprise cybersecurity automation and data analytics company that helps organisations stop preventable breaches by ensuring security controls are fully deployed and working effectively — maximising their security investments and resources. Control failures are the biggest problem in cybersecurity, with 79% of organisations admitting to being surprised by a security event that evaded existing controls.

Panaseer's Continuous Controls Monitoring platform gives a complete, trusted view of security controls, with metrics and measures guidance aligned to best practice frameworks that improve collaboration and prioritisation. With $262 billion spent on cybersecurity tools in 2021, CCM means organisations can do more for less by getting the most out of their existing security investments.

For more information visit: **www.panaseer.com**

Source

DARKReading