The company emerges from stealth with an automated security remediation product identifies and remediates cloud misconfigurations.

Some of the most common issues in cloud security involve misconfigured systems. Cloud servers may be mistakenly configured to allow anyone on the Internet to access the data. The firewall rules may have inadvertently created a hole big enough for a threat actor to slip through. These kinds of issues trip up enterprises on a regular basis because securing cloud infrastructure is labor-intensive and security operations rely heavily on manual processes to manage the complex environment.

Enter OpsHelm, a cloud security startup which came out of stealth with its automated security remediation product on Thursday. The product monitors the IT environment looking for cloud misconfigurations and makes it possible to fix the issues in a seamless way. The tool integrates with common enterprise communications tools such as Slack or Microsoft Teams and informs the security operations team of the issues as they are found. The team can address the issues and the tool learns what actions should be taken so that it knows how to handle the situation the next time that issue comes up.

"Companies attempt to solve this problem with enhanced visibility into their cloud infrastructure, yet this isn't enough--they are still stuck doing the time-consuming triage and remediation with their limited team resources," Andrew Peterson, co-founder and CEO of Signal Sciences and an investor in the company, said in a statement.

The company says OpsHelm can detect and fix common cloud issues such as misconfigurations, overly permissive firewall rulesets, potential data exposures, unmanaged resources in Infrastructure as Code (IaC), credential sprawl, and unsecured assets exposed to the Internet.

"For example, if S3 buckets are routinely exposed when you stand up new programs, you can eliminate all exposed S3 buckets in seconds and ensure that any new ones are instantly locked down the second they are exposed," Bill Gambardella, OpsHelm CEO and co-founder, wrote on the company's blog. Gambardella was previously COO at Leviathan Security Group and previously ran security at Sprout Social. Other members of the founding team include OpsHelm CTO Kyle McCullough, who was a platform engineer at Sprout Social; COO Bob Bregant and founding engineer Lee Brotherson.

At the moment, OpsHelm integrates with Google Cloud Platform and Amazon Web Services. Support for Microsoft Azure is “coming soon.” Currently in public beta, general availability is expected early next year, the company says.

New Startup OpsHelm Tackles Cloud Misconfigurations

Your journey to zero trust can be perilous if you are using legacy equipment that wasn’t designed for it. Begin the transformation where it makes the most sense for your organization.

Digital transformation is a journey, and much like any adventure, a bit of preparation can go a long way in driving a successful outcome. Preparing for any adventure includes determining where you want to go, deciding on the best way to get there, and gathering the equipment, services, and supplies you’ll need along the way.

An IT transformation journey typically begins with application transformation, where you move applications out of the data center and into the cloud. Then, network transformation becomes necessary to enable users to access applications that are now widely dispersed—moving from a hub-and-spoke network architecture to a direct connectivity approach. This, in turn, drives a need for security transformation, where you shift from a castle-and-moat security approach to a zero-trust architecture.

While the aforementioned order is typical, there are a few different ways to achieve similar outcomes. You should begin your journey toward zero trust wherever you feel most comfortable or prepared. If it makes more sense for your organization to begin with security transformation before app transformation, you can.

**Assess Your Equipment**

Castle-and-moat security architectures, leveraging firewalls, VPNs, and centralized security appliances, worked well when applications lived in the data center and users worked in the office. It was the right equipment for the job at the time. Today, though, your workforce works from everywhere, and applications have moved out of the data center and into public clouds, SaaS, and other parts of the internet. Those firewalls, VPNs, and legacy security hardware stacks were not designed to meet the needs of today’s highly distributed business and have outlived their usefulness.

To grant users access to applications, VPNs and firewalls must connect users to your network, essentially extending the network to all your remote users, devices, and locations. This puts your organization at greater risk by giving attackers more opportunities to compromise users, devices, and workloads, and more ways to move laterally to reach high-value assets, extract sensitive data, and inflict damage on your business. Protecting your highly distributed users, data, and applications requires a new approach—a better approach.

**Mapping the Best Route**

When it comes to security transformation, innovative leaders are turning to zero trust. Unlike perimeter-based security approaches that rely on firewalls and implicit trust and provide broad access once trust is established, zero trust is a holistic approach to security based on the principle of least-privileged access and the idea that no user, device, or workload should be inherently trusted. It begins with the assumption that everything is hostile, and grants access only after identity and context are verified and policy checks are enforced.

Achieving true zero trust requires more than pushing firewalls to the cloud. It requires a new architecture, born in the cloud and delivered natively through the cloud, to securely connect users, devices, and workloads to applications without connecting to the network.

As with any significant journey, it’s helpful to break your way to zero trust into various legs that clearly define the path while keeping the ultimate destination in mind. When considering your approach, seven essential elements will enable you to dynamically and continuously assess risk and securely broker communications over any network, from any location.

Using these elements, your organization can implement true zero trust to eliminate your attack surface, prevent the lateral movement of threats, and protect your business against compromise and data loss.

These elements can be grouped into three sections:

*   Verify identity and context
*   Control content and access
*   Enforce policy

Let’s take a closer look.

    

Source: Zscaler

**Verify Identity and Context**

The adventure begins when a connection is requested. The zero-trust architecture will begin by terminating the connection and verifying identity and context. It looks at the who, what, and where of the requested connection.

**1\. Who is connecting?** The first essential element is to verify the user/device, IoT/OT device, or workload identity. This is achieved through integrations with third-party identity providers (IdPs) as part of an enterprise identity access management (IAM) provider.

**2\. What is the access context?** Next, the solution must validate the context of the connection requester by looking into details such as the role, responsibility, time of day, location, device type, and circumstances of the request.

**3\. Where is the connection going?** The solution next needs to confirm that the identity owner has the rights and meets the required context to access the application or resource based on entity-to-resource segmentation rules—the cornerstone of zero trust.

**Control Content and Access**

After verifying identity and context, the zero-trust architecture evaluates the risk associated with the requested connection and inspects traffic to protect against cyber threats and the loss of sensitive data.

**4\. Assess risk:** The solution should use AI to dynamically compute a risk score. Factors including device posture, threats, destination, behavior, and policy should be continually evaluated throughout the life of the connection to ensure the risk score remains up to date.

**5\. Prevent compromise:** To identify and block malicious content and prevent compromise, an effective zero-trust architecture must decrypt traffic inline and leverage deep content inspection of entity-to-resource traffic at scale.

**6\. Prevent data loss:** Outbound traffic must be decrypted and inspected to identify sensitive data and prevent its exfiltration using inline controls or by isolating access within a controlled environment.

**Enforce Policy**

Before reaching the end of the journey and ultimately establishing a connection to the requested internal or external application, one final element must be implemented: enforcing policy.

**7\. Enforce policy:** Using the outputs of the previous elements, this element determines what action to take regarding the requested connection. The end goal is not a simple pass/not pass decision. Instead, the solution must constantly and uniformly apply policy on a per-session basis—regardless of location or enforcement point—to provide granular controls that ultimately result in a conditional allow or conditional block decision.

Once an allow decision is reached, a user is granted a secure connection to the internet, SaaS app, or internal application.

**Securely Reach Your Destination**

Your journey to zero trust can be perilous if you’re trying to get there with legacy equipment that wasn’t designed for it. While finding a solution that enables true zero trust may at first seem daunting, begin where it makes the most sense for your organization, and let the seven elements outlined here serve as your guide.

_Read more_ _Partner Perspectives from Zscaler._

Charting the Path to Zero Trust: Where to Begin

Although the group relies on good old phishing to deliver Royal ransomware, researchers say DEV-0569 regularly uses new and creative discovery techniques to lure victims.

It generally starts with malvertising and ends with the deployment of Royal ransomware, but a new threat group has distinguished itself by its ability to innovate the malicious steps in between to lure in new targets.

The cyberattack group, tracked by Microsoft Security Threat Intelligence as DEV-0569, is notable for its ability to continuously improve its discovery, detection evasion, and post-compromise payloads, according to a report this week from the computing giant.

"DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments," the Microsoft researchers said.

In just a few months, the Microsoft team observed the group's innovations, including hiding malicious links on organizations' contact forms; burying fake installers on legitimate download sites and repositories; and using Google ads in its campaigns to camouflage its malicious activities.

"DEV-0569 activity uses signed binaries and delivers encrypted malware payloads," the Microsoft team added. "The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt disabling antivirus solutions in recent campaigns."

The group's success positions DEV-0569 to serve as an access broker for other ransomware operations, Microsoft Security said.

**How to Combat Cyberattack Ingenuity**

New tricks aside, Mike Parkin, senior technical engineer at Vulcan Cyber, points out the threat group indeed makes adjustments along the edges of their campaign tactics, but consistently relies on users to make mistakes. Thus, for defense, user education is the key, he says.

"The phishing and malvertising attacks reported here rely entirely on getting users to interact with the lure," Parkin tells Dark Reading. "Which means that if the user doesn't interact, there is no breach."

He adds, "Security teams need to stay ahead of the latest exploits and malware being deployed in the wild, but there is still an element of user education and awareness that's required, and will always be required, to turn the user community from the main attack surface into a solid line of defense."

Making users impervious to lures certainly sounds like a solid strategy, but Chris Clements, vice president of solutions architecture at Cerberus Sentinel, tells Dark Reading it's "both unrealistic and unfair" to expect users to maintain 100% vigilance in the face of increasingly convincing social engineering ploys. Instead, a more holistic approach to security is required, he explains.

"It falls then to the technical and cybersecurity teams at an organization to ensure that a compromise of a single user doesn't lead to widespread organizational damage from the most common cybercriminal goals of mass data theft and ransomware," Clements says.

**IAM Controls Matter**

Robert Hughes, CISO at RSA, recommends starting with identity and access management (IAM) controls.

"Strong identity and access governance can help control the lateral spread of malware and limit its impact, even after a failure at the human and endpoint malware prevention level, such as stopping authorized individual from clicking on a link and installing software that they are allowed to install," Hughes tells Dark Reading. "Once you've ensured that your data and identities are safe, the fallout of a ransomware attack won't be as damaging — and it won't be as much of an effort to re-image an endpoint."

Phil Neray from CardinalOps agrees. He explains that tactics like malicious Google Ads are tough to defend against, so security teams must also focus on minimizing fallout once a ransomware attack occurs.

"That means making sure the SoC has detections in place for suspicious or unauthorized behavior, such as privilege escalation and the use of living-off-the-land admin tools like PowerShell and remote management utilities," Neray says.

DEV-0569 Ransomware Group Remarkably Innovative, Microsoft Cautions

How far can its government — or any government or private company — go to proactively disrupt cyber threats without causing collateral damage?

The Australian government's defiant proclamation recently that it would hack back against hackers that sought to target organizations in the country represents a break from the usual cautious manner in which nations have approached international cyber threats.

How effective the country's newly announced "joint standing operation against cybercriminal syndicates" will be remains an open question, as does the issue of whether other nations will follow suit. Also unclear is how far exactly law enforcement is willing to go to neutralize infrastructure that it perceives as being used in cyberattacks against Australian entities.

**Pressure for Hack-Back Legislation May Be Mounting**

"As it becomes more obvious that the majority of organizations are poorly prepared to defend themselves, I think it is justifiable for well-resourced governments to step in," says Richard Stiennon, chief research analyst at IT-Harvest. "I fully expect hack-back legislation to pass in response to some devastating attack that is visible to lots of voters. But I do not expect it to have teeth or change the landscape much."

Australian prime minister Anthony Albanese's government on Nov. 12 announced a joint initiative between the Australian Federal Police and the Australian Signals Directorate to "investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups."

The government launched the initiative following two major cyberattacks — one on telecommunications company Optus and the other on health insurer Medibank — that together exposed personally identifiable information (PII) and other sensitive information belonging to more than one-third of Australia's total population of some 26 million people.

The cyberattacks were among the largest in scope in the country's history and sparked considerable outrage and concern, especially after attackers began publicly leaking medical records (including abortion records) following Medibank's refusal to pay a demanded $10 million ransom. Some security researchers have pinned the blame for the ransomware attack on Medibank on Russia's notorious REvil threat group.

The Australian counter-hacking operation will prioritize cyber threats perceived as presenting the greatest threat to national interests. It will focus on intelligence gathering, identifying cybercrime ring leaders and networks, so law enforcement can intercept and disrupt operations and actors regardless of where they are operating from. Media outlets including the _Guardian_ quoted Australian home affairs minister Clare O'Neil promising to "day in, day out hunt down the scumbags" responsible for the recent attacks.

"The smartest and toughest people in our country are going to hack the hackers," the Guardian quoted O'Neil as saying.

**An Ongoing Practice**

The strong language notwithstanding, it's unclear how far exactly the Australian government will go — or can go — beyond what is already being done to disrupt cyber threats, especially those originating from outside its jurisdiction. Law enforcement and intelligence agencies in several countries, including the US, UK, and Australia itself, routinely are engaged in the kind of intelligence gathering and tracking down of cybercriminals that the Australian government said it would carry out under the new initiative.

"It is my belief that the U.S. has been taking action in the cyber-domain since at 2010 when US Cyber Command was stood up," Stiennon says. "Other countries like the Netherlands and Israel have also demonstrated their abilities to strike back at sophisticated attackers."

Such efforts have resulted in numerous infrastructure takedowns and arrests, indictments and convictions of cybercrime gang members and leaders over the years. Even major U.S. technology companies — often acting under the authority of court orders — have participated in these efforts: Examples include Microsoft's participation in the takedown of the Zloader botnet operation and its more recent disruption of the Seaborgium phishing operation out of Russia.

"Cybercriminal groups, despite the level of impunity they often operate under, are vulnerable to disruption," says Casey Ellis, founder and CTO of Bugcrowd. "In my opinion this makes proactive hunting a viable pursuit," he says, pointing to examples like law enforcement's takedown of the Conti and REvil group operations.

Since the sort of activity that the Australian government announced has been going on for quite some time now, Ellis says the recent announcement represents a doubling down on those efforts, designed to send a signal.

"Cybercriminal groups are far less effective when they distrust each other or feel as though they are actively targeted," Ellis says.

US lawmakers have on a few occasions attempted — and failed — to pass bills that would offer some legal backing for organizations that hack back against cyberattackers. One notable example was H.R. 4036, the Active Cyber Defense Certainty Act (ACDC) of 2017, which would have allowed hacking back as a defense measure on an organization's own network under certain circumstances.

Another bill in 2021, titled "Study on Cyber-Attack Response Options Act," would have required the US Department of Homeland Security to assess the benefits and consequences of amending the nation's current computer abuse law to provide provisions for hacking back at attackers.

The initiatives failed amid controversy, largely around concerns that innocent entities could be caught in the crossfire.

**The Need for Caution**

Security researchers too have long advocated the need for caution around proactive efforts to disrupt criminal infrastructure — or to hack back against operators — because of the difficulties around attribution and collateral damage.

Innocent organizations, for instance, can get disrupted from the takedown of a hosting provider that a threat actor might have used to launch attacks. The ability for threat actors to launch attacks that appear to originate from somewhere else is another reason why critics have noted hack-back initiatives are dangerous.

"In general, truly attributing an attack is quite difficult," says Erick Galinkin, principal researcher at Rapid7, a company that has been a staunch critic of hack-back bills such as ACDC. "Attribution may be one of the hardest problems in all of cybersecurity."

There are a number of reasons for this, but among the main ones is that attackers are happy to use victims to target other victims. This means that when a victim hacks back, they may in fact be targeting another victim rather than an attacker, he says. "Moreover, allowing private sector hack back is incredibly challenging from an oversight and accountability perspective — how could a determination be made about who took the first offensive action?" he asks.

There are also potential legal landmines to consider. A law that Georgia's state legislature passed in 2018 — but which the Governor later vetoed — contained a provision that in essence would have protected a company against legal liability if it conducted a hack-back operation against another entity so long as it was part of "active defense."

As Rapid7 has noted, the term "active defense" as used in the bill could have been interpreted in any number of ways, leading to potential misuse and unintended consequences. "Here is a hypothetical: Remotely breaking into and searching another person's computers to see if that person possesses stolen passwords that could potentially be used for unauthorized access," the company said.

The main con is that you don't want to get it wrong, especially when operating under government authority, Ellis from Bugcrowd agrees. "This type of activity certainly has the potential to escalate into an international incident," he says. "The upside is the opportunity to use the cyberattacker's advantage against them, thereby leveling the playing field a little better."

Nonetheless, there could be a growing appetite for such measures, Galinkin says, as the Australian bill shows. "Calls for bills such as the Active Cyber Defense Certainty Act and others may increase given the current cyber threat environment, but we as practitioners have a responsibility to continue to inform policymakers about the risks associated with allowing such activities."

Australia's Hack-Back Plan Against Cyberattackers Raises Familiar Concerns

As carriers rewrite their act-of-war exclusions following the NotPetya settlement between Mondelez and Zurich, organizations should read their cyber insurance policies carefully to see what is still covered.

The consequences from NotPetya, which the US government said was caused by a Russian cyberattack on Ukraine in 2017, continue to be felt as cyber insurers modify coverage exclusions, expanding the definition of an "act of war." Indeed, the 5-year-old cyberattack appears to be turning the cyber insurance market on its head.

Mondelez International, parent of such popular brands as Cadbury, Oreo, Ritz, and Triscuit, was hit hard by NotPetya, with factories and production disrupted. It took days for the company's staff to regain control of its computer systems. The company filed a claim with its property and casualty insurer, Zurich American, for $100 million in losses. After initially approving a fraction of the claim — $10 million — Zurich declined to pay, stating the attack was an act of war and thus excluded from the coverage. Mondelez filed a lawsuit.

Late last month Mondelez and Zurich American reportedly agreed to the original $100 million claim, but that wasn't until after Merck won its $1.4 billion lawsuit against Ace American Insurance Company in January 2022 for its NotPetya-related losses. Merck's claims also were against its property and casualty policy, not a cyber insurance policy.

Back in 2017, cyber insurance policies were still nascent, so many large corporations filed claims for damages related to NotPetya — the scourge that caused an estimated $10 billion in damage worldwide — against corporate property and casualty policies.

**What's Changed?**

The significance of these settlements illustrate an ongoing maturation of the cyber insurance market, says Alla Valente, senior analyst at Forrester Research.

Until 2020 and the COVID-19 pandemic, cyber insurance policies were sold in a fashion akin to traditional home or auto policies, with little concern for a company's cybersecurity profile, the tools it had in place to defend its networks and data, or its general cyber hygiene.

Once a large number of ransomware attacks occurred that built off of the lax cybersecurity many organizations demonstrated, insurance carriers began changing their requirements and tightening the requirements for obtaining such policies, Valente says.

The business model for cyber insurance is dramatically different from other policies, making the cyber insurance policies of 2017 obsolete. Cyber insurance is in a state of flux, with turnover in the carrier market, lower limits on covered offered, and more aggressive terms, including exclusions, over what was in place prior to 2020.

**Defining an Act of War**

Acts of war are a common insurance exclusion. Traditionally, exclusions required a "hot war," such as what we see in Ukraine today. However, courts are starting to recognize cyberattacks as potential acts of war without a declaration of war or the use of land troops or aircraft. The state-sponsored attack itself constitutes a war footing, the carriers maintain.

In April 2023, new verbiage will go into effect for cyber policies from Lloyd's of London that will exclude liability losses arising from state-backed cyberattacks. In a Market Bulletin released in August 2022, Lloyd's underwriting director Tony Chaudhry wrote, "Lloyd's remains strongly supportive of the writing of cyber-attack cover but recognizes also that cyber related business continues to be an evolving risk. If not managed properly it has the potential to expose the market to systemic risks that syndicates could struggle to manage."

Lloyd's went on to publish additional supplemental requirements and guidance that modified its rules from 2016, just prior to the NotPetya attack.

Effectively, Forrester's Valente notes, larger enterprises might have to set aside large stores of cash in case they are hit with a state-sponsored attack. Should insurance carriers be successful in asserting in court that a state-sponsored attack is, by definition, an act of war, no company will have coverage unless they negotiate that into the contract specifically to eliminate the exclusion.

When buying cyber insurance, "it is worth having a detailed conversation with the broker to compare so-called 'war exclusions' and determining whether there are carriers offering more favorable terms," says Scott Godes, partner and co-chair of the Insurance Recovery and Counseling Practice and the Data Security & Privacy practice at District of Columbia law firm Barnes & Thornburg. "Unfortunately, litigation over this issue is another example of carriers trying to tilt the playing field in their favor by taking premium, restricting coverage, and fighting over ambiguous terms."

For small and midsize businesses (SMBs) that get hit by a state-sponsored attack, it could be "lights out," Valente says. Plus, she emphasizes, SMBs often are targeted if they are primary or secondary suppliers to a large enterprise with information the attacker wants. That means a state-sponsored attack on a small company without the right insurance coverage could be out of business simply because the attacker was a nation-state rather than a cybercriminal.

**Understand What Is Covered**

While the European and North American cyber insurance markets are similar, they are by no means identical.

"Not every \[American\] policy will have language recommended by the London insurance market, and those rules do not apply to American insurance carriers," Godes says. "As a best practice, policyholders should consider whether London market insurance carriers are offering the most robust coverage after the recommended changes go into effect."

Godes, whose firm represents the insured rather than the carriers or brokers, notes, "This case is an example to policyholders that when claims get really expensive, carriers will do everything they can to fight coverage. The insured always should remember that the insurance carrier must prove that an exclusion applies. And sometimes," he quips, "the insured will need to litigate with its carrier to get the coverage it thought it was buying."

The upshot from the Merck and Mondelez cases, as well as Lloyd's recent announcement: State-sponsored attacks now fall into the act-of-war exclusion.

"Many carriers are in the process of rewriting their act of war exclusions to address the realities of state-sponsored or assisted cyberattacks and also because courts, as indicated in a few recent decisions and perhaps implied by the Mondelez settlement, are looking skeptically at the application of clauses written for traditional guns and bullets warfare to cyberattacks," says Kenneth Rashbaum, a partner at New York law firm Barton. "I think this is the most significant takeaway from Mondelez and those recent court decisions. Carriers who update their clauses will be more aggressive in denials of coverage for attacks that may be considered state-sponsored, while those that do not update the clauses may be less inclined to rely on them."

Amid Legal Fallout, Cyber Insurers Redefine State-Sponsored Attacks as Act of War

PAN plans to add Cider's CI/CD security platform to its Prisma Cloud suite of AppSec tools.

Palo Alto Networks will acquire application-security specialist Cider Security for $195 million, in a bid to round out its cloud security offering.

Cider is particularly focused on secure developer approaches and software supply chain security. Its platform specifically offers visibility into the hundreds of developer tools that are connected to the average CI/CD pipeline.

"While much attention has been put on where code comes from, very little has been placed on the applications and software used in the development pipeline," according to a Thursday announcement of the deal.

PAN plans to combine the platform with its recently announced software composition analysis (SCA) tools, all integrated into its Prisma Cloud offering for what it calls a soup-to-nuts security strategy for the software engineering ecosystem, from "code to cloud."

"Any organization using public cloud has an application infrastructure with hundreds of tools and applications that can access their code and yet, they have limited visibility to their configuration or if they are secured," Lee Klarich, chief product officer at PAN, said in a statement. "Cider has made it possible to connect into infrastructure, analyze the tools, and identify the risks, as well as how to remediate them. We are acquiring Cider for their innovation that will help enable Prisma Cloud to provide this capability that anyone doing cloud operations has to have."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Palo Alto Networks Focuses on Secure Coding with $195M Cider Deal

A secure-by-design culture is needed to develop a comprehensive offboarding and identity management strategy that limits potential for broader compromise in case of unauthorized access.

Increased turnover is putting a strain on existing offboarding processes — especially manual ones — for departing employees and contractors. Recent high-profile layoffs at major tech companies have put the spotlight on this issue.

Meanwhile, efforts to limit access to sensitive company information are growing more complex as data access points multiply.

The rise of distributed workforces, cloud computing, work from home, and shadow IT suggest a comprehensive offboarding policy is required, aided by automation.

A recent survey from Oomnitza found, however, that nearly half of IT leaders have doubts about their company's onboarding and offboarding automation capabilities.

The study found a third of enterprises lose more than 10% of their technology assets when offboarding workers, and more than four in 10 (42%) said they experienced unauthorized access to SaaS applications and cloud resources.

**Deploying ETM to Fortify Endpoints and Applications**

Ramin Ettehad, co-founder of Oomnitza, explains that enterprise technology management (ETM) solutions, with built-in integrations, rich analytics, and simplified workflows, allow organizations to define and continuously improve onboarding and offboarding processes.

"They can fortify onboarding user experience by ensuring the right endpoints, accessories, applications, and cloud resources are available at the start so that the new hire can be productive on day one," he says.

These solutions can also enable secure offboarding by ensuring endpoints and their data are secured, software licenses are reclaimed, and access to systems, SaaS, and cloud resources are deprovisioned.

Furthermore, departing workers' email, applications, and workplaces can be reassigned automatically to ensure business continuity.

"All of this is done with true process automation across teams and systems, and is not driven by tickets and requests, which rely on manual workloads and are prone to delays and errors," Ettehad adds.

Cyberhaven CEO Howard Ting explains that most organizations today have a single sign-on product that can turn off an employee's access to all apps with one click and device software that can lock and remotely wipe a laptop.

"While many companies today turn off access as soon as, or even before, they notify employees they're being let go, people can sense what's coming and they preemptively collect customer lists, design files, and source code in anticipation of losing access," he adds.

When an employee voluntarily quits, companies have even fewer tools to prevent data exfiltration because the employee knows they're going to depart before their employer.

While many organizations more closely monitor employees from when they give notice to quit until their last day, a Cyberhaven survey found employees are 83% more likely to take sensitive data in the two weeks before they give notice when they're under less scrutiny.

**Coordinating Offboarding Programs**

Ting says the best employee offboarding programs are coordinated across HR, IT, IT security, and physical security teams working together to protect company data and assets.

The HR team finalizes departures and notifies employees, IT ensures access to apps and company laptops is shut off in a timely manner, the physical security team disables access to company facilities, and the IT security team monitors for unusual behavior.

"These teams perform specific tasks in sequence the day an employee or group of employees is let go," he says.

Ting adds he's also seeing more companies monitor for employees putting company data on personal devices or applications. When offboarding, they make the employee's severance agreement contingent on returning or destroying that company data.

Ettehad adds managing and enabling a remote workforce today requires executives to break down silos and automate key technology business processes.

"They must connect their key systems and orchestrate rules, policies, and workflows across the technology and employee lifecycle with conditional rule-based automation of all tasks across teams and systems," he says.

**The Need for 'Controlled Urgency'**

Tom McAndrew, CEO at Coalfire, calls for "controlled urgency" to tackle the secure offboarding challenge.

"When we look at identity management more broadly, it can often be a complex problem, spanning many applications, internal, external, SaaS, on-prem, and so on," he says. "The identity strategy is the central point. The fewer sources of identity and access control there are to manage, the more automation can support these operations at scale."

He argues that when HR and information security are not operating as a team, it's easy to see platforms spinning to solve point solutions rather than looking at the "what-if" scenarios.

"Every system that is not integrated with a core identity platform becomes one more manual task or another tool that needs to be invested in to solve a problem that could have been avoided with sensible planning," he says.

McAndrew adds that a rogue employee with authorized access to critical, sensitive information is a significant threat.

"When you look at the potential risk from a disgruntled staff member, combined with an HR team struggling to manage a substantial scale of departures, it's easy for mistakes to be made and for frustrated or disaffected staff to take matters into their own hands," he says.

He warns that this can also trigger legal complications, often requiring further professional forensic support, making a poor business decision even more costly.

**Unauthorized Access to SaaS, Cloud Apps a Major Challenge**

Corey O'Connor, director of products at DoControl, a provider of automated SaaS security, points out that unauthorized access to SaaS applications and cloud resources is an identity security problem for both human and machine identities.

"However, preventative controls and detective mechanisms could help mitigate the risk of unauthorized access," he explains.

This means having full visibility and a complete inventory (i.e., users, assets, applications, groups, and domains) will enable security and IT teams to put in place the appropriate preventative controls.

"From there, implementing detective mechanisms that identify high-risk or anomalous activity" is the next step, he says.

Application-to-application connectivity, including machine identity, needs to be secure as well; otherwise the organization increases the risk of supply chain based attacks.

"Machine identities can be over privileged, unsanctioned, and not within the security team's visibility," he says. "When they become compromised, they can provide unauthorized access to sensitive data within the application that it's connected to."

That means both human user and machine identities need preventative controls and detective mechanisms to reduce risk.

**Detecting Exfiltration, Managing Applications**

Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services, says that post-pandemic, many organizations increased their utilization of various cloud and SaaS platforms.

"Because different departments use different applications, and some individuals integrate with interim solutions, IT departments found themselves drowning in the white noise of XaaS, with no standard way of managing it," he says.

While IT admins generally lock down the corporate email account during offboarding, ex-employees may still have access to unknown services that contain sensitive data.

"Putting the idea of an insider threat aside, if one of those unknown services is hacked and needs the password changed, no one may know to take action," he warns.

McCarthy says network defenders need to determine where sensitive data is stored and develop ways to detect exfiltration.

"Deploying an egress filtering solution limits how a threat can exfiltrate data, while also providing the needed visibility to verify it has not occurred," he says. "The impact of stolen data varies from industry to industry, but most data breaches result in monetary fines and loss of customer confidence."

He adds that if IT security teams are bogged down with managing all the SaaS applications an organization uses, having too many of their own tools is also a burden.

"Deploying scalable, multi-cloud management tools that consolidate visibility and policy enforcement reduces their operational overhead," McCarthy says.

Secure Offboarding in the Spotlight as Tech Layoffs Mount

With the proliferation of interconnected third-party applications, new strategies are needed to close the security gap.

Earlier this year, Gartner predicted that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains — a three-fold increase from 2021. Not only are these attacks increasing, but the level at which they are penetrating systems and the techniques attackers are using are also new. Attackers are now taking advantage of access granted to third-party cloud services as a backdoor into companies' most sensitive core systems, as seen in recent high-profile attacks on Mailchimp, GitHub, and Microsoft. A new generation of supply chain attacks is emerging.

**Rise of App-to-App Integrations**

As the vast majority of the workforce has gone digital, organizations' core systems have been moving to the cloud. This accelerated cloud adoption has exponentially increased the use of third-party applications and the connections between systems and services, unleashing an entirely new cybersecurity challenge.

There are three main factors that lead to the rise in app-to-app connectivity:

*   **Product-led growth (PLG):** In an era of PLG and bottom-up software adoption, with software-as-a-service (SaaS) leaders like Okta and Slack
*   **DevOps:** Dev teams are freely generating and embedding API keys in
*   **Hyperautomation:** The rise of hyperautomation and low code/no code platforms means "citizen developers" can integrate and automate processes with the flip of a switch.

The vast scope of integrations are now easily accessible to any kind of team, which means time saved and increased productivity. But while this makes an organization's job easier, it blurs visibility into potentially vulnerable app connections, making it extremely difficult for organizational IT and security leaders to have insight into all of the integrations deployed in their environment, which expands the organization's digital supply chain.

**Third-Party Problems**

There is some acknowledgement of this problem: the National Institute of Standards and Technology (NIST) recently updated its guidelines for cybersecurity supply chain risk management. These new directives consider that as enterprises adopt more and more software to help run their business, they increasingly integrate third-party code into their software products to boost efficiency and productivity. While this is great recognition, there is another whole ecosystem of supply chain dependencies related to the mass amount of integrations of core systems with third-party applications that is being overlooked.

For companies whose internal processes are irreversibly hyperconnected, all it takes is an attacker spotting the weakest link within connected apps or services to compromise the entire system.

Businesses have to determine how best to manage this kind of scenario. What level of data are these apps gaining access to? What kind of permissions will this app have? Is the app being used, and what is the activity like?

Understanding the layers in which these integrations operate can help security teams pinpoint their potential attack areas. Some forward-looking chief information security officers (CISOs) are aware of the problem but only seeing a fraction of the challenge. In the era of product-led growth and bottom-up software adoption, it's difficult to have visibility into all the integrations between an organization's cloud applications, as the average enterprise uses 1,400 cloud services.

**Closing the Security Gap**

The risks of digital supply chain attacks are no longer confined to core business applications or engineering platforms — these vulnerabilities have now expanded with the proliferating web of interconnected third-party applications, integrations, and services. Only new governance and security strategies will close this expanding security gap.

There needs to be a paradigm shift within the market to protect this sprawling attack surface. In doing so, the following would need to be addressed:

*   **Visibility into all app-to-app connections:**Security teams need a clear line of sight not only into systems that connect to sensitive assets, but into
*   **Threat detection:**The nature of every integration — not just the standalone applications — need to be evaluated for risk level and exposure (e.g., redundant access, excessive permissions).
*   **Remediation strategies**_:_ Threat prevention strategies cannot be a one-size-fits-all affair. Security professionals need contextual mitigations that acknowledge the complex range of interconnected apps that comprise the attack surface.
*   **Automatic, zero-trust enforcement:**Security teams must be able to set and enforce policy guardrails around app-layer access (e.g., permission levels, authentication protocols).

The good news is that we are starting to see a shift in the industry's mindset. Some businesses are already taking the initiative and putting processes in place to stay ahead of a potential service supply chain attack — like HubSpot, which just released a message to help eliminate potential risks associated with the use of API keys. GitHub also recently introduced a fine-grained personal access token that offers enhanced security to developers and organization owners to reduce the risk to data of compromised tokens.

Ultimately, the digital world in which we live is only going to become more hyperconnected. In parallel, the industry needs to further its understanding and knowledge of these potential threats within the supply chain, before they cascade into more headline-making attacks.

The Next Generation of Supply Chain Attacks Is Here to Stay

The county reports unauthorized access to files in its Department of Social Services' systems between Nov. 18, 2021, and April 9. It has added enhanced alert and monitoring software and is offering complimentary credit monitoring and identity theft protection services to those whose personal information may have been compromised in the breach.

**RED BLUFF, Calif., Nov. 17, 2022 /PRNewswir****e/** — Today, the County of Tehama, Calif. announced that it has addressed a data security incident that resulted in unauthorized access to files on its systems.

On Aug. 19, 2022, the County of Tehama concluded its investigation of a data security incident that resulted in unauthorized access to personal information pertaining to certain County of Tehama Department of Social Services files. The County of Tehama first learned about the incident on April 9, 2022, when the County of Tehama detected suspicious activity on its IT systems. Upon identifying this suspicious activity, the County of Tehama immediately took steps to protect and secure its systems. The County of Tehama also launched an investigation and notified law enforcement. Through the investigation, the County of Tehama determined that an unauthorized party gained access to its IT network between the dates of Nov. 18, 2021, and April 9, 2022. The investigation further determined that the unauthorized party accessed files on the County of Tehama Department of Social Services' systems. The County of Tehama conducted a review of the files that may have been accessed as a result of this incident. Through this review, the County of Tehama determined that information pertaining to certain current and former County of Tehama employees, recipients of services from the County of Tehama Department of Social Services, and other affiliated individuals was contained in one or more of those files. This information included individuals' names, dates of birth, mailing addresses, Social Security numbers, driver's license numbers, and information related to services received from County of Tehama Department of Social Services.

On Nov. 17, 2022, the County of Tehama began mailing letters to individuals whose information may have been involved in the incident. The County of Tehama is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers or driver's license numbers were involved. The County of Tehama also has established a dedicated, toll-free incident response line to answer questions that individuals may have. If individuals have any questions about this incident or believe their information may have been involved, they should call 855-926-1376, Monday through Friday, between 6:00 a.m. and 3:30 p.m., Pacific Time.

To date, the County of Tehama has not received any reports of fraud related to this incident. However, the County of Tehama recommends that individuals whose information may have been involved remain vigilant to the possibility of fraud by reviewing their financial account statements and immediately reporting any suspicious activity to their financial institution.

The County of Tehama deeply regrets any inconvenience or concern this may cause. To help prevent a similar incident from occurring in the future, the County of Tehama has implemented enhanced monitoring and alerting software.

SOURCE: County of Tehama, California

County of Tehama, Calif., Identifies and Addresses Data Security Incident

Languages such as C and C++ rely too heavily on the programmer not making simple memory-related security errors.

Security analysts welcomed a recommendation from the US National Security Agency (NSA) last week for software developers to consider adopting languages, such as C#, Go, Java, Ruby, Rust, and Swift, that reduce memory-related vulnerabilities in code.

The NSA described these as "memory-safe" languages that manage memory automatically as part of the computer language. They do not rely on the programmer to implement memory security and instead use a combination of compile time and runtime checks to protect against memory errors, the NSA said.

**The Case for Memory-Safe Languages**

The NSA's somewhat unusual advisory on Nov. 10 pointed to widely used languages such as C and C++ as relying too heavily on programmers not to make memory-related mistakes, which it noted continues to be the top cause for security vulnerabilities in software. Previous studies — one by Microsoft in 2019 and another from Google in 2020 related to its Chrome browser, for instance — found 70% of vulnerabilities were memory-safety issues, the NSA said.

"Commonly used languages, such as C and C++, provide a lot of freedom and flexibility in memory management while relying heavily on the programmer to perform the needed checks on memory references," the NSA said. This often results in exploitable vulnerabilities tied to simple mistakes such as buffer overflow errors, memory allocation issues, and race conditions.

C#, Go, Java, Ruby, Rust, Swift, and other memory-safe languages do not completely eliminate the risk of these issues, the NSA said in its advisory. Most of them, for instance, include at least a few classes or functions that aren't memory-safe and allow the programmer to perform a potentially unsafe memory management function. Memory-safe languages can sometimes also include libraries written in languages that contain potentially unsafe memory functions.

But even with these caveats, memory-safe languages can help reduce vulnerabilities in software resulting from poor and careless memory management, the NSA said.

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center, welcomes the NSA's recommendation. The use of memory-safe languages should, in fact, be the default for most applications, he says.

"For practical purposes, relying on developers to focus on memory management issues instead of programming cool, new features represents a tax on innovation," he says.

With memory-safe programming languages and associated frameworks, it is the authors of the language that ensure proper memory management and not the application developers, Mackey says.

**Shift Can Be Challenging**

Shifting a mature software development environment from one language to another can be hard, the NSA acknowledged. Programmers will need to learn the new language, and there are likely going to be newbie mistakes and efficiency hits during the process. The extent of memory security that is available can also vary significantly by language. Some might offer only minimal memory security, while others offer considerable protections around memory access, allocation, and management.

In addition, organizations will need to consider how much of a tradeoff they are willing to make between security and performance. "Memory safety can be costly in performance and flexibility," the NSA warned. "For languages with an extreme level of inherent protection, considerable work may be needed to simply get the program to compile due to the checks and protections."

Myriad variables are in play when trying to port an application from one language to another, says Mike Parkin, senior technical engineer at Vulcan Cyber.

"In a best-case scenario, the shift is simple and an organization can accomplish it relatively painlessly," Parkin says. "In others, the application relies on features that are trivial in the original language but require extensive and expensive development to re-create in the new one."

The use of memory-safe languages also doesn't replace the need for proper software testing, Mackey cautions. Just because a programming language is memory-safe doesn't mean the language or applications developed on it are free from bugs.

Moving from one programming language to another is a risky proposition unless you have staff that already understands both the old language and the new one, Mackey says.

"Such a migration is best done when the application is going through a major version update," he notes. "Otherwise there is the potential that inadvertent bugs are introduced as part of the migration effort."

Mackey suggests that organizations consider using microservices when it comes to shifting languages.

"With a microservices architecture, the application is decomposed into a set of services that are containerized," Mackey says. "From the perspective of a programming language, there is nothing that inherently requires that each microservice be programmed in the same programming language as other services within the same application."

**Making the Move**

Recent data from Statista shows that many developers are already using languages that are considered memory-safe. For instance, nearly two-thirds (65.6%) use JavaScript, nearly half (48.06%) use Python, one-third use Java, and nearly 28% use C#. At the same time, a substantial proportion are still using unsafe languages, such as C++ (22.5%) and C (19.25%).

"I think many organizations have already been switching away from C/C++ not only for the memory-safety issue, but also for the overall ease of development and maintenance," says Johannes Ullrich, dean of research at the SANS Technology Institute. "But there will still be legacy code bases that will have to be maintained for many years to come."

NSA's advisory offered little insight into what might have prompted its recommendation at this juncture. But John Bambenek, principal threat hunter at Netenrich, advises organizations not to ignore it.

"Memory vulnerabilities and attacks have been pervasive since the 1990s, so in general, this is good advice," he says. "With that being said, as this is coming from the NSA, I believe this advice should take added urgency and is being driven by knowledge they have and we don't."

Source

DARKReading