YL Ventures CISO-in-Residence Frank Kim weighs in on the top security concerns facing CISOs in a Dark Reading Q&A interview.

Industry veteran and SANS Institute fellow Frank Kim has joined joined YL Ventures as its new full-time CISO-in-residence. YL Ventures connects startup entrepreneurs with CISOs to provide advice and guidance as they develop their cybersecurity solutions and grow their business. As a CISO-in-residence, Kim will focus on the business impact of cybersecurity solutions. Kim, the founder of ThinkSec, a security consulting and CISO advisory firm, as well as the former CISO of the SANS Institute, brings his in-depth perspective from key facets of cybersecurity to his new role. Kim took part in the following Q&A with Dark Reading.

_(The contents have been edited for length and clarity)_

**Dark Reading: What is the CISO's role in a startup? How can CISO advisors help fast-track tech startups?**

**Frank Kim, YL Ventures:** Over my 20+ years in cybersecurity, I’ve advised my share of security startups and mentored many more during my time at the SANS Institute. Today, as the CISO-in-Residence at cybersecurity VC, YL Ventures, I begin working with the firm’s entrepreneurs even before we invest in them and continue to do so across their entire company-building journey. Being a CISO-in-Residence offers experienced CISOs who have been deep in operational security for years, the chance to impact and drive the growth of the next generation of top-tier cybersecurity vendors. I work closely and directly with cybersecurity startup founders on their ideation, product-market-fit and value realization, on an in-house and regular basis. I provide them with what can be considered an invaluable vantage point into the needs of modern CISOs, security teams and businesses, and I specifically guide them on making sure security solutions provide business value at business speed, resolving the gap between business and tech latency. We need better, more modern approaches for securing today’s digitally led businesses so that security transforms from a potential hindrance to a proper enabler.

This career path is a natural progression from my role at SANS, where I grew the cloud security and CISO cybersecurity leadership curricula to help shape and develop future security leaders. Every YL Ventures founder that I've spoken with is inherently building for the cloud-first world of today and tomorrow where leadership, coupled with innovative ways of securing the modern ecosystem, matters more than ever. My goal is to help founders and entrepreneurs bring these new capabilities to light.

**Dark Reading: What are the top emerging CISO cyber concerns? Is ransomware still public enemy No. 1?**

**Frank Kim, YL Ventures:** Regarding ransomware, it’s still a concern. YL Ventures recently published a unique report on ransomware risk, in which half of the CISOs surveyed stated that their organization had been the target of a ransomware attack - but at the same time, many did not believe they need a dedicated ransomware solution, but a multi-layered security approach.

Data security is another growing concern, specifically the ability of businesses to use, share and leverage data securely. If we look at future revenue streams for startups, the key is driving and enabling the adoption and use of data. It has become such a pivotal part of business and such a lucrative target for attackers, that it’s justified in becoming a top priority for CISOs. In the modern, dynamic business environment with M&As and consolidation - data keeps moving and changing, and we have to keep up.

Security operations teams struggle with alert fatigue and challenges with leveraging automation to remediate security issues in the cloud, and this is concerning as the volume of attacks only continues to grow. Now that tools like cloud security posture management (CSPM) have increased visibility and security teams have the information they need, they don’t always know how to use it - increasing the risk and the time from detection to remediation. Visibility is no longer enough.

Resiliency and recovery are top of mind for businesses now due to high-profile attacks. Organizations want to cut down on time and resources needed to bounce back after cyber-attacks and minimize potential damage.

Finally, GRC and risk measurement. Security is becoming a board-level discussion and an acute business risk for organizations. CISOs must have the right tools to be able to govern their program, measure cyber risks and mature their program/stack over time. They are looking for solutions that will enhance their ability to assess risks and run security programs more efficiently, in a data-driven way, measure efficacy and translate it to top executives and board members.

**Dark Reading: Are CISOs pretty much a position only for larger organizations, or would smaller organizations benefit from having the CISO role?**

**Frank Kim, YL Ventures:** Security should be a business priority from the earliest stages of company-building, regardless of size or sector. It’s about more than just hardware and software - getting security on board early speaks to the type of culture you’re creating in your organization, and it should be in a company’s DNA from day one. CISOs and security teams need to be part of the core business and grow along with other critical positions on the team such as HR, operations, development and others. Many organizations - especially the bigger ones - actually fumble the basics and including security when you’re building your foundations will ensure that the most fundamental security hygiene priorities are taken care of. These will be valuable as the organization scales, and the security team scales with it.

**Dark Reading: How do you advise organizations on addressing security workforce talent shortages?**

**Frank Kim, YL Ventures:** In my time as a Fellow at the SANS Institute, I made it my mission to grow and support the next generation of security professionals. Unfortunately, it has been well-documented that there aren’t enough of us. ISC² places the global shortage of cybersecurity jobs at nearly 3 million, and there simply aren’t enough young professionals to support growing security needs.

CISO burnout is a real thing. Security teams have about 14 balls in the air at all times, as they try to do incident-response, provide clarity to business leaders, address new vulnerabilities and more. Organizations must address this as a hazard and prioritize automation tools and other streamlining processes to reduce the load and turn CISOs from firefights to strategic actors. The characteristics of a CISO’s job are also to blame. Being a CISO can be a lonely, solitary job that is detached from the rest of the organization.

Fostering a collaborative and engaged working environment is key to ensuring that the security talent you have will want to remain in your organization.

**Dark Reading: How is the integration with the rest of the C-suite working out? Are we seeing an improvement in overall security posture for the organization?**

**Frank Kim, YL Ventures:** CISOs are constantly between a rock and a hard place. Our responsibilities are growing in importance, but we bring doom and gloom into the boardroom and that isn’t always appreciated.

That being said, we are witnessing a dramatic shift in perception of both security itself and its practitioners. CISOs are no longer security officers; they have strategic value for business and their insights are sought after in almost every decision-making process. This is to be celebrated, as it will definitely improve visibility into the organization’s security posture and it will strengthen accountability and ensure that the right processes and people are in place in a proactive, rather than reactive, approach.

Modern CISO: More Than a Security Officer

Part 2 in our series addressing the top 10 unanswered questions in security: How will TPGRM evolve?

Sophisticated breaches like SUNBURST (aka the SolarWinds hack that made headlines in late 2020) make the risk associated with third-party platforms abundantly clear. Modern organizations are increasingly depending on a variety of third parties for SaaS — everything from finance to supply chain to IT service management (ITSM).

From an operations perspective, this is great. Organizations focus less on "keeping the lights on" and more on their core value proposition. However, there's also an uncomfortable tradeoff when it comes to security. If you don't control the platform, you don't completely control your — or your customer's — data, which has security and compliance implications. Similarly, the availability of critical business functions often depends on multiple external platforms, many of which can be a single point of failure.

For many organizations, simply navigating the complex dependencies and clearly defining risk appetites and mitigations is a real challenge. Third-party governance and risk management (TPGRM) aims to solve this problem by analyzing and performing due diligence on risks stemming from third-party relationships.

While there are plenty of TPGRM/TPRM tools, effective risk management takes more than just tech. Deloitte's 3-step process for TPGRM provides a realistic breakdown of the transformation required to leverage a TPGRM framework. To summarize the steps:

1.  **Change risk and governance positioning:** This step deals with the reframing of risk in an organization. Traditionally, risk has been something we _eliminate_. It needs to become something we _manage_.
2.  **Understand risk appetite and lines of defense:** The next step is broken into quantifying an organization's risk appetite in different contexts and identifying lines of defense against those risks.
3.  **Establish a TPGRM framework:** This is where the rubber hits the road. Organizations must implement strategies that leverage people, processes, and tech to help manage risk and deliver value.

Clearly, a large part of TPGRM will require qualitative input from humans, such as developing strategies or conducting detailed audits. That said, we can expect a shift towards more automation thanks to drivers like cyber insurance actively developing standards and measurable ways to quantify risk with analytics platforms like CyberCube.

**Quantifying TPGRM Metrics**

With that in mind, I expect to see the use of security portals and dashboards that quantify TPGRM metrics spike in the coming years. These portals will do for risk management what uptime monitoring platforms like Uptime Robot and Pingdom do for website monitoring: roll up the most important metrics in an easily digestible way. Like the website monitoring world, we'll see a varying level of sophistication and depth across solutions, but a standard baseline of "table stakes" metrics will emerge.

We're already seeing platforms like SafeBase make substantial progress here by automating security questionnaires and enabling vendors to share security posture across multiple categories. The risk management company Prevalent is solving similar problems with a focus on providing both IT solutions and services.

Additionally, solutions with a narrower focus are already leveraging automation to solve TPGRM problems in specific industries. For example, SignalX is addressing the problem space of financial and legal analysis in India to enable organizations to perform better due diligence before entering contracts or partnerships with vendors.

Fundamentally, these solutions demonstrate the broader trend toward standardization and automation in the TPGRM space. Tools alone aren't going to solve third-party risk management, but there is an emerging need for automated visibility into third-party risk, and that's where TPGRM tech can make a real impact.

In the years to come, I expect the winners in the space to be the tools that provide visibility into the "headline" TPGRM metrics required for cyber insurance and compliance for organizations with relatively immature TPGRM framework implementations, as well as those that can "go deep" and provide detailed analysis using AI/ML for enterprises.

_Read part 1, which asks_ _what will replace EDR__._

Where Can Third-Party Governance and Risk Management Take Us?

Weak configurations for encryption and missing security headers topped the list of software issues found during a variety of penetration and application security tests.

Nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability, a new study shows.

Weak SSL and TLS configuration, missing Content Security Policy (CSP) header, and information leakage through server banners topped the list of software issues with security implications, according to findings in software and hardware tools conglomerate Synopsys' new  Software Vulnerabilities Snapshot 2022 report published today. While many of the misconfigurations and vulnerabilities are considered to be of medium severity or less, at least 25% are rated highly or critically severe.

Configuration issues are often put in a less severe bucket, but both configuration and coding issues are equally risky, says Ray Kelly, a fellow with the Software Integrity Group at Synopsys.

"This really just points out that, \[while\] organizations may be doing a good job performing static scans to lower the number of coding vulnerabilities, they are not taking configuration into account, as it may be more difficult," he says. "Unfortunately, static application security testing (SAST) scans cannot perform configuration checks as \[they have\] no knowledge of the production environment where the code will be deployed."

The data argues for the benefits of using multiple tools to analyze software for vulnerabilities and misconfigurations. 

Penetration tests, for example, detected 77% of the weak SSL/TLS configuration issues, while dynamic application security testing (DAST) detected the issue in 81% of tests. Both the technologies, plus mobile application security testing (MAST), led to the issue being discovered in 82% of tests, according to the Synopsys report.

    

Most common application vulnerabilities. Source: Synopsys

Other application security firms have documented similar results. Over the past decade, for example, three times more applications are scanned, and each one is scanned 20 times more frequently, Veracode stated in its "State of Software Security" report in February. While that report found that 77% of third-party libraries still had not eliminated a disclosed vulnerability three months after the issue was reported, patched code was applied three times faster.

Software firms that use dynamic and static scanning in concert remediated half of flaws 24 days faster, Veracode stated.

"Continuous testing and integration, which includes security scanning in pipelines, is becoming the norm," the firm stated in a blog post at the time.

**Not Just SAST, Not Just DAST**

Synopsys released data from a variety of different tests with each having similar top offenders. Weak configurations of encryption technology — namely, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) — topped the charts for static, dynamic, and mobile application security tests, for example.

Yet, the issues star to diverge further down the lists. Penetration tests identified weak password policies in a quarter of applications and cross-site scripting in 22%, while DAST identified applications lacking adequate session timeouts in 38% of tests and those vulnerable to clickjacking in 30% of tests.

Static and dynamic testing as well as software composition analysis (SCA) all have advantages and should be used together to have the highest chance to detect potential misconfigurations and vulnerabilities, says Synopsys's Kelly.

"Having said that, a holistic approach takes time, resources, and money, so this may not be feasible for many organizations," he says. "Taking the time to design security into the process can also help find and eliminate as many vulnerabilities as possible — whatever their type — along the way so that security is proactive and risk is reduced."

Overall the company collected data from nearly 4,400 tests on more than 2,700 programs. Cross-site scripting was the top high-risk vulnerability, accounting for 22% of the vulnerabilities discovered, while SQL injection was the most critical vulnerability category, accounting for 4%.

**Software Supply Chain Dangers**

With open-source software comprising nearly 80% of codebases, it's little surprise that 81% of codebases have at least one vulnerability and another 85% have an open-source component that is four years out of date.

Yet, Synopsys found that, despite those concerns, vulnerabilities in supply-chain security and open-source software components accounted for only about a quarter of issues. The Vulnerable Third-Party Libraries in Use category of security weaknesses was uncovered in 21% of the penetration tests and 27% of the static analysis tests, the report said.

Part of the reason for the lower-than-expected vulnerabilities in software components may be because software composition analysis (SCA) has become more widely used, says Kelly.

"These types of issues can be found in the early stages of the software development lifecycle (SDLC), such as the development and DevOps phases, which reduces the number that make it into production," he says.

Misconfigurations, Vulnerabilities Found in 95% of Applications

Testing is an ongoing mission, not a one-and-done fix.

Cybersecurity must evolve beyond reactively handling breaches and pivoting to protect an organization's data after the fact. Without proper precautions, cybercriminals from all over the world can easily take advantage of vulnerabilities within a company's Web applications, mobile applications, APIs, and more. Penetration testing, also known as pen testing, is a method of cybersecurity in which an expert plays the role of a malicious actor to expose the holes and flaws within a security infrastructure or codebase. 

Pen testing is primarily facilitated by dedicated pen testers — some hired internally and others externally through an agency or freelance service. My six years at Cobalt have taught me new, unique, and hidden best practices. It's my ongoing mission and commitment to spread my knowledge and lessons with other security executives to enhance organizations' protection efforts.

**What Is the Goal of Pen Testing?**

Simply put, penetration testing is when a dedicated group of cybersecurity professionals simulate different cyberattacks on an application or network to test for potential vulnerabilities. The goal is to improve the security posture of an organization and discover easily exploitable vulnerabilities within a security system so the company can proactively fix them. Bugs are bound to occur, but being aware of where vulnerabilities lie can polish your product and tighten up your security. 

While many companies invest heavily in building up their infrastructure, the majority of the steps needed to protect investments happen _after_ deployment. Thus, companies are left with a reactive response in place, addressing breaches and attacks on their network once it's too late. Given the fact that cyberattacks have the potential to ripple both internally and externally, leaders must take a proactive approach to cybersecurity, developing at-the-ready responses to squash incoming threats as they appear.

The merits of pen testing come into the limelight once organizations recognize the cycle of destruction caused by cyberattacks. This cycle entails more than the data potentially stolen. It involves the time not only to address the initial vulnerability but to recover and secure any data that could have been potentially stolen. Needless time and resources are spent cleaning up the mess, rather than developing new code. A cycle develops wherein an organization launches new code into their network, an unforeseen vulnerability shows up, and the team has to scramble to fix the issue before it grows even larger. By taking the necessary steps before the new code goes into production, companies can remove themselves from this vicious circle of destruction.

According to Cobalt's "State of Pentesting Report 2021," pen testing can be a time-consuming task. In fact, 55% of organizations said it takes weeks to get a pen test scheduled, with 22% saying it takes months. Modern pen testing practices use both automated tools and skilled manual testers to ensure maximum security in an efficient and timely fashion. Staying agile in your organization's cybersecurity practices will help cut down on the amount of time it takes to schedule the proper precautions.

**What Are the Outside Benefits?**

Pen testing has benefits outside of just vulnerability identification. Code often is dependent on other code, so frequent pen testing allows for new code to be tested before it's deployed into the live build, thus streamlining the development process and lowering development costs. Frequent pen testing also provides more timely results, enabling teams to be at the ready for emerging threats — compared with the standard annual pen test, where developers won't be aware of vulnerabilities for months on end. 

In 2021, many security professionals had to quickly respond to the Log4j threat, but those who frequently pen tested were prepared to patch the exploitable vulnerabilities it caused. Due to the insight these developers obtained from previous pen tests, future code will become more secure, and engineers will learn from mistakes when developing future versions of their products. The more often these pen tests happen, the more compliant your products and code will become.

**When to Schedule a Pen Test**

The best time to schedule a pen test is — of course — before an attack occurs. While we cannot predict exactly when a breach will come, staying proactive and regularly testing and retesting vulnerabilities can save the company from a vicious cyberattack. Organizations can use pen testing to prepare new products, updates, and tools for customer or employee use, all while staying compliant and secure. But for those products to safely go into the hands of the intended audience, they need to be tested.

Proactivity starts with internally evaluating where vulnerabilities already exist within a security system. If discovered early, these vulnerabilities can be dealt with before they take on a life of their own — ultimately saving the company's reputation. Take note of all of the assets your team has (websites, servers, live code, etc.), and set a clear plan for exposure detection. Once your team is clear on the future strategy and practices, your pen testers can begin identifying and exposing the vulnerabilities that may be in your company's resources. Once the test is concluded, developers can start remediating any discovered vulnerabilities.

The important takeaway here is, these tests should not be performed on a one-and-done basis. Pen tests must be executed regularly to ensure security remains up to date with modern breaching methods. Cybersecurity changes (and becomes more complex) each day, forcing organizations to be ready for what's to come at a moment's notice.

How Routine Pen Testing Can Reveal the Unseen Flaws in Your Cybersecurity Posture

A misleading location-tracking practice ensnared the search-engine giant in massive privacy case spanning 40 states.

Google has agreed to pay $391.5 million in a settlement with 40 US state attorneys general, over its eyebrow-raising location-tracking practices. State officials are calling it a "historic" consumer privacy case.

The search-engine giant was penalized for misleading users that they were no longer being geo-tracked when they disabled location tracking in their Google account settings. In reality, Google was still collecting their location data. As part of the settlement, Google also must clarify and revamp the way it discloses tracking policy and user controls, beginning in 2023.

"For years Google has prioritized profit over their users' privacy," said Oregon Attorney General Ellen Rosenblum, who led the case along with Nebraska Attorney General Doug Peterson, in a statement. "They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers."

As part of the settlement, Google is required to:  

1.  Show additional information to users whenever they turn a location-related account setting on or off;
2.  Make key information about location tracking unavoidable for users (i.e., not hidden); and
3.  Give users detailed information about the types of location data Google collects and how it’s used at an enhanced “Location Technologies” webpage.

Besides Oregon and Nebraska, the states working on the case were: Arkansas, Florida, Illinois, Louisiana, New Jersey, North Carolina, Pennsylvania, and Tennessee. The settlement is also joined by Alabama, Alaska, Colorado, Connecticut, Delaware, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nevada, New Mexico, New York, North Dakota, Ohio, Oklahoma, South Carolina, South Dakota, Utah, Vermont, Virginia, and Wisconsin.

Google Forks Over $391.5M in Record-Setting US Consumer Privacy Settlement

**YAKIMA, Wash., Nov. 14, 2022 /PRNewswire/ —** Yakima Neighborhood Health Services ("YNHS") has learned of a data security incident that may have impacted data belonging to certain current and former patients.

On October 4, 2022, a file containing certain individuals' personal and protected information was inadvertently distributed to one individual. Upon learning of this accidental disclosure, YNHS took steps to ensure the recipient deleted the file from their possession.

While YNHS has no evidence that any information potentially involved in this incident has been misused, out of an abundance of caution, YNHS is informing affected individuals about the steps they can take to help protect their information. The potentially affected information may include individuals' names, dates of birth, medical record numbers, and medical treatment locations. On November 10, 2022, YNHS completed the process of identifying current address information for the affected individuals in order to effectuate written notification of the incident via US mail.

YNHS has taken steps in response to this incident and has made alterations to its cyber environment to help prevent similar incidents from occurring in the future.

YNHS has established a toll-free call center to answer questions about the incident and to address related concerns. Call center representatives are available Monday through Friday between 6am – 3:30pm PST and can be reached at 855-926-1377.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Yakima Neighborhood Health Services Notice of Data Security Incident

**DENVER, Nov. 15, 2022 /PRNewswire/ —** Red Canary, a leader in Managed Detection and Response (MDR), is one of 15 providers that participated in the first-ever MITRE Engenuity™ ATT&CK® Evaluations for Managed Services. Published in November 2022, the independent ATT&CK Evaluations assessed provider capabilities in their ability to analyze and describe adversary behavior.

**Red Canary MDR Performance Summary:**

*   Detected intrusion in Step 1
*   Identified all intrusion steps
*   Named OilRig as the emulated adversary group
*   Provided zero false positives
*   Presented information just as we would to our real-world customers

To help organizations better interpret the test, Red Canary has created an unbiased analysis of the MITRE ATT&CK results. This report provides the necessary context needed to understand the results and evaluate how different participants performed. Separately, experts have also provided a deep-dive technical analysis of Red Canary's performance, highlighting what they detected and how they responded to MITRE Engenuity's emulation activity.

"One of Red Canary's core values is our relentlessness in finding and stopping adversaries, which is why we were so excited to hear there would be an ATT&CK Evaluation of managed security service providers," said Brian Beyer, CEO and co-founder of Red Canary. "The MITRE ATT&CK test is a great resource for evaluating different providers and determining how they would help protect your organization in a real-world intrusion. All the participants should be commended for being transparent enough to take part in the evaluation."

"More than half of organizations use security service providers to protect their data and networks. We wanted to research how they are employing threat-informed defense practices for their clients," said Ashwin Radhakrishnan, general manager, ATT&CK Evaluations, MITRE Engenuity. "We don't rank the vendors in our evaluations. Organizations, however, can use the evaluations to determine which service providers may best address their own cybersecurity gaps and fit their particular business needs."

Red Canary is one of only two vendors to be a participant in the MITRE ATT&CK Evaluations for Managed Service Providers and is also listed as a "Leader" in the Forrester Wave™: Managed Detection And Response, Q1 2021. The impressive performance by Red Canary in the MITRE ATT&CK Evaluation comes on the heels of winning the Security Trailblazer award in the Microsoft Security Excellence Awards 2022.

Trusted by nearly 800 customers, including many Fortune 500 companies across industries, Red Canary is growing at 3x the pace of the overall MDR market. This growth is fueled by market-leading technology that allows Red Canary to detect threats missed by other tools – providing MDR across endpoints, networks, cloud, SaaS, and identity applications.

**About MITRE Engenuity ATT&CK® Evaluations**

ATT&CK® Evaluations (Evals) is built on the backbone of MITRE's objective insight and conflict-free perspective. Cybersecurity vendors turn to the Evals program to improve their offerings and to provide defenders with insights into their product's capabilities and performance. Evals enables defenders to make better informed decisions on how to leverage the products that secure their networks. The program follows a rigorous, transparent methodology, using a collaborative, threat-informed, purple-teaming approach that brings together vendors and MITRE experts to evaluate solutions within the context of ATT&CK. In line with MITRE Engenuity's commitment to serve the public good, Evals results and threat emulation plans are freely accessible.

**About Red Canary**

Red Canary stops cyber threats no one else does, so organizations can fearlessly pursue their missions. We do it by delivering managed detection and response (MDR) across enterprise endpoints, cloud workloads, network, identities, and SaaS apps. As a security ally, we define MDR in our own terms with unlimited 24×7 support, deep threat expertise, hands-on remediation, and by doing what's right for customers and partners.

Red Canary Provides First-Ever MITRE Engenuity™ ATT&CK® Evaluations for Managed Services

The API-related vulnerabilities put conversations, email addresses, tickets, and more in danger of exposure via the Zendesk Explore reporting service.

Multiple security vulnerabilities in Zendesk's Web-based customer relationship management (CRM) platform could have allowed attackers to access sensitive information from potentially any customer account — a discovery that showcases application programming interface (API) endpoint weaknesses in enterprise software-as-a-solution (SaaS) applications.  

Researchers from Varonis Threat Labs discovered the issues — specifically an SQL injection vulnerability and a logical access flaw — in Zendesk Explore, a component of Zendesk's platform, they said in a blog post published Nov. 15.

More than 100,000 customers currently use Zendesk for their customer experience solution, according to the company's website. Zendesk Explore is the aspect of the suite aimed at helping those customers analyze, understand, and share data about their respective businesses.

Researchers found they could use the flaws to extract data from Zendesk Explore, including the list of tables from Zendesk’s relational database service (RDS) instance as well as all the information stored in the database. That info included email addresses of users, sales leads, deals from the CRM, live agent conversations, tickets, help center articles, and more, they said.

For successful exploitation, a potential victim would have to have Zendesk Explore enabled, and an attacker would first have to register for the ticketing service of a victim’s Zendesk account as a new external user, the researchers explained.

However, "registration is enabled by default because many Zendesk customers rely on end users submitting support tickets directly via the web," they wrote in the post. Zendesk Explore, on the other hand, is not enabled by default, but it is "heavily advertised as a requirement for the analytic insights page," the researchers noted.

Varonis worked with Zendesk to fix the flaws, which the company managed to do quickly, pushing out a patch that required no customer action "in less than one work week," the researchers said. There is no evidence that the vulnerabilities were exploited before the fix was issued, they added.

However, a look at the technical details brings up just how easy it is to introduce security flaws into cloud-based enterprise apps.

**Common Flaw, Unique Coding**

While SQL injection (SQLi) flaws are one of the most common types of vulnerabilities found in Web applications, the Zendesk issue was unique for a couple of reasons, Michael Buckbee, a security engineer at Varonis, tells Dark Reading.

"What made this particular attack novel was both how the Zendesk application was building its SQL queries — as nested objects within a larger GraphQL message — and the use of Postgres DB’s dollar-quoted string constant feature to bypass the application’s existing SQL injection filter," Buckbee says.

Zendesk uses multiple GraphQL APIs in its products, especially in the administration console, the researchers explained in the post. GraphQL is a relatively new API format, and upon investigation of its implementation in Zendesk, they found a particularly interesting object type in Zendesk Explore, named QueryTemplate, that pointed to a potential issue.

"The querySchema field stood out because it contains a Base64-encoded XML document named Query inside of a JSON object, and many of the attributes in the XML were Base64-encoded JSON objects themselves," the researchers wrote.

This represented a multiple-nested encoding, a code scenario that always catches the attention of threat researchers, "because a large number of wrappers around data usually means that many different services (which were most likely created by separate developers or even teams) are used to process this data," they said.

In short, the more code there is in an application, the more potential locations there are for vulnerabilities to lurk, the researchers said.

Researchers leveraged the admin user of their lab's own Zendesk account to explore the application further by visualizing a report in Zendesk Explore, where they found an API called execute-query that eventually led them to discover the flaws.

**Unpacking the Issues**

Some further digging led the researchers to an XML document in which all the name attributes were found to be vulnerable to a SQL injection attack, they said. Name attributes define the tables and columns to be queried in an XML document.

Further exploration of the execute-query API found that it did not perform several logical checks on request, representing another vulnerability in the application.

"The integrity of documents was not checked, allowing our team to modify them in ways that exposed the inner workings of the system," the researchers said.

Moreover, the "query,” “datasources,” and “cubeModels” IDs were not evaluated to see if they belonged to the current user. And finally, and "most critically," the API endpoint did not verify that the caller had permission to access the database and execute queries, the researchers noted

"This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account’s RDS, no SQLi required," they said.

**Mitigating Risk**

With Zendesk patching the flaw quickly before it affected any customers, enterprises using the CRM solution don't need to take further action to mitigate the issue, Buckbee says. However, with SQLi issues such a common problem, Zendesk and other companies offering Web-hosted application suites should be more proactive by taking preventative steps to monitor their environments to avoid similar scenarios in the future, he says.

The situation is real: US companies face a combined $12 billion to $23 billion in losses in 2022 from compromises linked to Web APIs, which have proliferated with the increased adoption of SaaS and cloud services, and DevOps-style development methodologies, according to a recent analysis of breach data.

"Enterprise SaaS vendors should rigorously test their API endpoints for novel SQL injection attacks," Buckbee says, "such as those involving internally developed methods of generating dynamic SQL statements, to avoid exposing customers to similar risk."

Nasty SQL Injection Bug in Zendesk Endangers Sensitive Customer Data

As the threat landscape increases, public cloud security needs to evolve.

Multicloud services have become the norm rather than the exception as organizations shift to accommodate increasingly dynamic workloads. IDC has predicted that by the end of 2022, more than 90% of enterprises worldwide will rely on a mix of on-premises, dedicated private clouds, multiple public clouds, and legacy platforms to meet their infrastructure needs. As these changes continue to take root, the threat landscape has increased, and security approaches developed for the public cloud also need to evolve.

This is particularly true for government agencies. Cloud infrastructure delivers benefits including agility, mobility, cost control, and performance, but government agencies manage significant volumes of sensitive information. The stakes are higher when they move to the cloud and network traffic patterns change. As the Internet now serves as the network, firewalls, virtual private networks (VPNs), and the concept of perimeter security is obsolete. This dynamic requires a new security model, one that leverages the power and scale of the cloud.

**New Challenges**

Multicloud models enable new services for citizens and improve efficiency across the federal government; however, they also introduce new security challenges, including:

*   **Understanding and prioritizing cloud risk:** Gartner predicts that by 2025, 99% of cloud security incidents will be an enterprise's own fault, as cloud processes are managed by well-intentioned employees with little knowledge of secure cloud configuration or understanding of highly dynamic cloud environments.
*   **Applying security policies across multicloud environments:** Agencies must ensure security across infrastructure, applications, and data in multiple clouds. But managing a multicloud architecture is extremely complex, as cloud providers can be very different in terms of access and resource management.
*   **Gaining workload visibility and understanding risk exposure:** The whirlwind pace of cloud adoption creates new opportunities for threats as the attack surface expands. Security teams may find it difficult to keep pace with agile development methodologies and, in the process, lose visibility into infrastructure and risk.
*   **Ensuring misconfiguration does not expose private services or data:** Continuous development, testing, and deployment improves efficiency, but can also allow misconfigurations to slip through the cracks and introduce security vulnerabilities.
*   **Achieving workload segmentation:** IP-based network segments are typically configured to be open whether they need to be or not, which increases the attack surface. Workload segmentation, on the other hand, uses machine learning and cryptographic identity to segment application workloads and automatically update security policies.
*   **Routing traffic among multicloud environments:** Multiple environments can mean fragmented security solutions across the various cloud and data center environments. Fragmented security creates points of weakness that can make agencies vulnerable to attack.

The federal community is working to improve multicloud security. The National Institute of Standards and Technology's (NIST) Multi-Cloud Security Public Working Group explores best practices for securing complex cloud solutions involving multiple service providers and clouds. NIST has recreated a resource hub that includes free assessment tools (many developed by industry partners) to help agencies understand their cyber-risks. And, the General Service Administration Data Center and Cloud Optimization Initiative's Program Management Office has released a Multi-Cloud and Hybrid Cloud Guide for agencies migrating and deploying various cloud services.

**Multicloud Best Practices**

You can reduce multicloud security risks with best practices including:  

*   **Implement zero trust:** Protecting government data in a cloud-based, mobile-enabled world demands a “trust nothing, inspect everything” approach as mandated by the May 2021 cybersecurity executive order. A recent survey of federal cybersecurity decision-makers found that 82% agree allocating staff and budget to zero trust is vital to national security.
*   **Securely connect** **users, devices, and workloads using business policies over any network:** A cloud-delivered approach to providing fast, seamless, and policy-based access to external and internal applications can ensure employees work securely and productively from anywhere.
*   **Reduce risk of lateral threat movement**: Identity-based workload protection prevents lateral movement of malware and ransomware across servers, cloud workloads, and desktops.
*   **Simplify cloud communications:** Once lateral threat movement has been reduced, the next step is to secure workload communications to the Internet, other clouds, and data centers. Agencies need zero-trust connectivity across multicloud and hybrid cloud infrastructure, securing workload-to-Internet, workload-to-workload, and workload-to-data-center communications without the need for hubs, virtual firewalls, VPNs, or network-based policies.

Although implementing multicloud security can be a heavy lift for the government, agencies are making progress. The Technology Modernization Fund has invested in a total of 29 projects to secure and modernize IT across 17 federal agencies. And 91% of federal cybersecurity decision-makers believe the 2021 cybersecurity executive order has made US data and critical infrastructure safer.

To keep on this trajectory, government agencies need to apply lessons learned from each other, while also utilizing the expertise industry can offer.

Evolving Security for Government Multiclouds

Only 30% of respondents from other industries are as concerned about the risks associated with their IT staff.

**FRISCO, Texas, Nov. 15, 2022 /PRNewswire/ —** Netwrix, a cybersecurity vendor that makes data security easy, today announced additional findings for the financial and banking sector from its global 2022 Cloud Security Report.

Compared to other industries surveyed, financial institutions are much more concerned about users who have legitimate access to their cloud infrastructure. Indeed, 44% of respondents in this sector say their own IT staff poses the biggest risk to data security in the cloud and 47% worry about contractors and partners, compared to 30% and 36% respectively in other verticals surveyed.

"Financial organizations experience accidental data leakage more often than companies in other verticals: 32% of them reported this type of security incident within the last 12 months, compared to the average of 25%. This is a good reason for them to be concerned about users who might unintentionally expose sensitive information. To address this threat, organizations need to implement a zero-standing privilege approach in which elevated access rights are granted only when they are needed and only for as long as needed," comments Dirk Schrader, VP of Security Research at Netwrix. "Cloud misconfigurations are another common reason for accidental data leakage. Therefore, security teams must continually monitor the integrity of their cloud configurations, ideally with a dedicated solution that automates the process."

All sectors say phishing is the most common type of attack they experience. However, 91% of financial institutions say they can spot phishing within minutes or hours, compared to 82% of respondents in other verticals.

"Even though financial organizations detect phishing quickly, it is still crucial for them to keep educating their personnel on this threat because attacks are becoming more sophisticated," adds Schrader. "To increase the likelihood of a user clicking a malicious link, attackers are crafting custom spear phishing messages that are directed at the person responsible for a certain task in the organization and that appear to come from an authority figure. Regular staff training, along with continuous activity monitoring, will help reduce the risk of infiltration".

**About Netwrix**

Netwrix makes data security easy, thereby simplifying how professionals can control sensitive, regulated and business-critical data, regardless of where it resides. More than 11,500 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information, visit www.netwrix.com.

Source

DARKReading