Devices running Android 12 and below are at risk of attackers downloading apps that direct users to a malicious domain.

The Galaxy App Store, the official mobile app store available on Samsung devices, has two vulnerabilities, which, if exploited, could allow threat actors to install a malicious application without the user ever knowing it's taken place.

The issue only affects devices with Android 12 and lower, according to an analysis from NCC Group.

The first vulnerability, tracked as CVE-2023-21433, lets attackers install applications from the Galaxy App Store. The second, tracked as CVE-2023-21434, could let attackers launch a Web domain they control and execute JavaScript, the NCC Group report on the bugs explained.

"Samsung has released an updated version of the Galaxy App Store (version 4.5.49.8)," NCC Group's Ken Gannon said. "Users should open the Galaxy App Store on their phone, and, if prompted, download and install the latest version."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Pair of Galaxy App Store Bugs Offer Cyberattackers Mobile Device Access

Security leaders must build resiliency against these complex attacks immediately.

**TORONTO****,** **Jan. 23, 2023** **/PRNewswire/ -** Cyberattacks, especially ransomware, are becoming more sophisticated more frequent, with more severe impacts, year over year. These attacks can quickly encrypt systems and steal sensitive data, making data recovery challenging for organizations. Although there is much concern about the ransomware threat, corporate executives are not yet willing to spend on solutions without clear evidence of the improvements being made. To help IT leaders improve their organization's ability to prevent incursions and defend against ransomware attacks in the current climate, global IT research and advisory firm Info-Tech Research Group has published a new research-backed industry blueprint, titled Build Resilience Against Ransomware Attacks.

Ransomware is a high-profile threat that demands immediate attention, as it is a much more complex security threat than other types of attacks. Malicious actors have also developed increasingly sophisticated methods to pressure organizations into paying ransom payments. These emerging strains can exfiltrate, encrypt, and destroy data and backups in hours, making data recovery a grueling challenge.

**"As ransomware attacks become more frequent and impactful, organizations need to focus on building resiliency to withstand these attacks instead of solely relying on response and recovery,"** says Michel Hébert, research director at Info-Tech Research Group**. "The process of building resilience is like climbing a mountain, requiring time, planning, and help from others to overcome challenges and work through problems."**

Info-Tech's findings show that organizations often misunderstand the risk scenarios associated with ransomware attacks, which can lead to underestimating the potential impact of an attack. The cost of a ransomware attack goes beyond just the ransom, with four key areas driving recovery costs: detection and response, notification, lost business, and post-breach response.

To effectively protect against ransomware, the firm recommends disrupting the attack at every stage of the attack workflow, which includes putting controls in place to prevent intrusion, improve detection, respond quickly, and recover effectively. Organizations also struggle with "dwell time," which is the time between when a malicious actor gains access to a network and when they are detected. Organizations must improve their ability to detect and respond early to prevent serious disruption from ransomware attacks.

As outlined in the blueprint, security leaders must conduct a thorough assessment of their current state, identify potential gaps, and assess the possible outcomes of an attack. Info-Tech advises the following holistic methodology to build resiliency against potential ransomware attacks:

**Assess resilience** – It is essential to conduct a resilience assessment, build a risk scenario, and determine the business impact. Conduct a thorough assessment of the current state, identify potential gaps, and assess the possible outcomes of an attack.

**Protect and detect** – Analyze attack vectors, prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce the attack surface.

**Respond and recover** – Visualize, plan, and practice ransomware response and recovery to reduce the potential impact of an attack.

Resiliency is crucial to surviving a ransomware attack. As covered by Info-Tech's resource, organizations should focus now on what is in their control and cultivate strengths that allow them to protect assets, detect incursions, and respond and recover quickly in the future.

To learn more, download the complete Build Resilience Against Ransomware Attacks blueprint.

For more information about Info-Tech Research Group or to access the latest research, visit infotech.com and connect via LinkedIn and Twitter.

**About Info-Tech Research Group**

Info-Tech Research Group is one of the world's leading information technology research and advisory firms, proudly serving over 30,000 IT professionals. The company produces unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. For 25 years, Info-Tech has partnered closely with IT teams to provide them with everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

Media professionals can register for unrestricted access to research across IT, HR, and software and over 200 IT and Industry analysts through the ITRG Media Insiders Program. To gain access, contact \[email protected\].

SOURCE Info-Tech Research Group

Organizations Likely to Experience Ransomware Threat in the Next 24 Months, According to Info-Tech Research Group

**TORONTO--(****BUSINESS WIRE****)--** Magnet Forensics Inc. (the “**Company**” or “**Magnet**”) (TSX: MAGT), developer of digital investigation solutions for more than 4,000 enterprises and public safety organizations, is pleased to announce that it has entered into a definitive arrangement agreement (the “**Arrangement Agreement**”) with Morpheus Purchaser Inc. (the “**Purchaser**”), a newly created corporation controlled by Thoma Bravo, a leading software investment firm, whereby the Purchaser will acquire the Company, subject to obtaining shareholder and other customary approvals (the “**Transaction**”). Under the terms of the Arrangement Agreement, holders of the outstanding Subordinate Voting Shares (“**SV Shares**”) of the Company (other than Messrs. Jad Saliba and Adam Belsher and associates and affiliates thereof (collectively with Mr. Jim Balsillie and his associates and affiliates, the “**Rolling Shareholders**”)) will receive CA$44.25 cash per SV Share (the “**Purchase Price**”) and the Rolling Shareholders will receive CA$39.00 for each outstanding SV Share and Multiple Voting Share (“**MV Share**”) of the Company (together with the SV Shares, the “**Shares**”) they sell for cash to the Purchaser (see “Transaction Details” below), representing an aggregate total equity value of approximately CA$1.8 billion on a fully-diluted, in-the-money, treasury method basis and inclusive of Rollover Shares (as defined below). Upon completion of the Transaction, Magnet will become a privately held company.

The Purchase Price represents a premium of approximately 15% to the closing price on the Toronto Stock Exchange (the “**TSX**”) of the SV Shares on January 19, 2023, the last trading day prior to the announcement of the Transaction, and a premium of approximately 41% to the 90-trading day volume weighted average trading price per SV Share as at that date. The Purchase Price is also above the 52-week high closing price of the SV Shares as of January 19, 2023, and represents a premium of approximately 160% to the Company’s initial public offering price of the SV Shares of CA$17.00. This value further represents an 87% premium to the closing price on October 5, 2022, the last day prior to Thoma Bravo’s submission of its initial non-binding proposal for an acquisition of the Company.

Following the closing of the Transaction, Thoma Bravo intends to combine the Company and Grayshift LLC, which Thoma Bravo acquired majority control of in July 2022. The companies’ complementary offerings are expected to create a powerful end-to-end digital investigations platform empowering more public safety agencies around the world to seek justice, solve crimes, and protect victims. Grayshift is a leading provider of mobile device digital forensics, specializing in lawful access and extraction. By combining Grayshift’s mobile access and extraction capabilities with the Company’s digital investigation suite, customers are expected to be able to leverage the platform to extract, process, examine, collaborate on and manage digital forensic evidence. Adam Belsher and Jad Saliba, Founders of Magnet, and David Miles and Braden Thomas, Founders of Grayshift, will each hold critical leadership positions in the combined company. Magnet’s Chair, Jim Balsillie, will serve on the board of the combined company.

“We believe the combination of Magnet and Grayshift will unlock tremendous value for our customers by further integrating and expanding our product suite which will result in more seamless workflows in the recovery and analysis of critical digital evidence to investigations and ultimately contribute to our shared mission of the pursuit of justice,” said Adam Belsher, CEO of Magnet. “We look forward to partnering with Thoma Bravo and Grayshift to build upon our digital investigation suite to further innovate and continue to serve a growing number of organizations and use cases. We are confident that this transaction — joining two complementary organizations to form a new private company — offers the most compelling value creation for all our stakeholders and is a testament to the value of digital investigation solutions, the Magnet platform, our talented team, and loyal customer base.”

“Since early in Grayshift’s history, Magnet Forensics has been a trusted and strategic partner,” said David Miles, Co-Founder and Chief Executive Officer of Grayshift. “Bringing Magnet and Grayshift together will accelerate innovation and ultimately transform digital investigations. Today's announcement is a defining moment in the industry, and together we will accelerate the future of digital forensics.”

“We look forward to bringing together the complementary capabilities of Magnet and Grayshift to create a leader in the digital forensics and cyber security space,” said Hudson Smith, a Partner at Thoma Bravo. “Digital evidence is an increasingly critical aspect of investigations and the combined company will be well-positioned to further market expansion, accelerate innovation, and provide even greater solutions to its customers. We look forward to leveraging Thoma Bravo’s deep industry, operational and investment expertise to help the combined company capture the tremendous growth opportunities ahead.”

**Transaction Details**

The Company entered into the Arrangement Agreement based on the unanimous approval of the Company’s board of directors (the “**Board**”) (with conflicted directors abstaining) and the unanimous recommendation of a committee of independent directors (the “**Special Committee**”), that the Transaction is fair from a financial point of view to the holders of the Shares (the “**Shareholders**”) (other than the Rolling Shareholders), and is in the best interests of the Company. The Arrangement Agreement was the result of a comprehensive negotiation process that was undertaken at arm’s length with the oversight and participation of the Special Committee advised by independent and highly qualified legal and financial advisors. See “Unanimous Board Approval” below.

The Rolling Shareholders are effectively rolling over 55% of their Shares (in the aggregate approximately 15.9 million MV Shares and approximately 0.2 million SV Shares, collectively, the “**Rollover Shares**”) at an implied value per Share equal to CA$39.00 per Share, such that upon completion of the Transaction, they will be minority shareholders of the Purchaser. The remaining Shares owned by the Rolling Shareholders (in the aggregate approximately 13.0 million MV Shares and approximately 0.2 millionSV Shares) will be sold to the Purchaser for cash at CA$39.00 per Share. The Rolling Shareholders, at the request of, and after negotiations with, the Special Committee, agreed to accept less per Share in order to benefit the holders of SV Shares.

As at the date hereof, the Rolling Shareholders own or control, directly or indirectly, all of the issued and outstanding 28,903,303 MV Shares, and Messrs Saliba and Belsher, together, own or control, directly or indirectly, an aggregate of 368,522 SV Shares, representing approximately 3.0% of the Company’s issued and outstanding SV Shares.

**Unanimous Board Approval**

The Board, with Messrs Saliba, Belsher and Balsillie declaring their conflicts of interest and abstaining from voting, unanimously approved the Arrangement Agreement following receipt of the unanimous recommendation of the Special Committee, which was appointed by the Board to, among other matters, review strategic alternatives for the Company including the Transaction, consider the Company’s best interests and the implications to shareholders and other stakeholders, and provide the Board with advice and recommendations with respect to the Transaction. As such, the Board unanimously, with the conflicted directors abstaining from voting, recommends that holders of SV Shares vote in favour of the Transaction. The Company intends to hold a special meeting of Shareholders in March 2023 (the “**Shareholders’ Meeting**”), where the Transaction will be considered and voted upon by Shareholders of record.

In making its determination to unanimously recommend approval of the Transaction to the Board, the Special Committee, and in the Board’s determination to approve the Transaction, the Board, considered, among other things, the following reasons for the Transaction:

*   _Fairness Opinions_ _–_ receipt of the fairness opinions from each of Morgan Stanley & Co. LLC (“**Morgan Stanley**”) and CIBC World Markets Inc. (“**CIBC Capital Markets**”), which each concluded that, based upon and subject to the assumptions, limitations and qualifications set out in their respective opinions, that the consideration to be received by the holders of SV Shares (other than the Rolling Shareholders) pursuant to the Transaction is fair, from a financial point of view, to such shareholders;

*   _Formal Valuation_ _–_ the formal valuation prepared by CIBC Capital Markets concluded that, based upon and subject to the assumptions, limitations and qualifications set forth thereof, the fair market value of the Shares as at January 20, 2023 was in the range of CA$36.50 to CA$48.75 per Share;

*   _Arrangement Agreement Terms –_ the Arrangement Agreement is the result of a comprehensive negotiation process that was undertaken at arm’s length with the oversight and participation of the Special Committee advised by independent and highly qualified legal and financial advisors and resulted in terms and conditions that are reasonable in the judgment of the Special Committee and the Board, including a customary “fiduciary out” that will enable the Company to enter into a Superior Proposal (as defined in the Arrangement Agreement) in certain circumstances;

*   _Break Fee and Reverse Break Fee –_ the break fee payable by the Company of CA$50 million is reasonable in the circumstances and only payable in customary and limited circumstances, and the Company is entitled to a reverse break fee of CA$70 million in certain circumstances if the Arrangement Agreement is terminated;

*   _Market Check –_ the Company, with the assistance of Morgan Stanley, conducted a market check subsequent to the receipt of an initial proposal from the Purchaser that did not result in any proposal that was superior to the Transaction;

*   _All Cash Consideration_ – the all cash consideration provides holders of SV Shares with certainty of value, and is of particular benefit given the limited trading and lack of liquidity in the SV Shares;

*   _Value of Shares as a Multiple of Revenues & EBITDA_ – the favourable comparison of implied revenue and adjusted EBITDA multiples per SV Share of approximately 10x the portion of 2023 estimated revenue attributable to non-rolling holders of SV Shares and approximately 51x the portion of 2023 estimated adjusted EBITDA attributable to non-rolling holders of SV Shares, respectively, when compared to comparable precedent transactions as well as the current trading value of industry peers and their corresponding implied multiples with such estimates based on prevailing equity research analyst consensus estimates for both the Company and industry peers. This value was obtained, in part, by having the Rolling Shareholders agree to a purchase price of CA$39.00 per Share in order to benefit the holders of SV Shares;

*   _Minority Vote and Court Approval_ _–_ the Transaction must be approved by not only two-thirds of the votes cast by Shareholders, but also by a majority of the minority in accordance with MI 61-101 (as defined below), and by the Ontario Superior Court of Justice (Commercial List), which will consider the fairness and reasonableness of the Transaction to all Shareholders; and

*   _Support for the Transaction_ – as described below, all of the Rolling Shareholders as well as all of the directors and certain of the officers of the Company have entered into voting support agreements, pursuant to which they have agreed to, among other things, vote in favour of the Transaction at the Shareholders’ Meeting.

_Cautionary Note Regarding Forward-Looking Information_

_This press release contains “forward-looking information” and “forward-looking statements” (collectively, “forward-looking information”) within the meaning of applicable securities laws. Such forward-looking information or statements (“_**FLS”**_) are provided for the purpose of providing information about management's current expectations and plans relating to the future. Readers are cautioned that reliance on such information may not be appropriate for other purposes. Any such FLS may be identified by words such as “proposed”, “expects”, “intends”, “may”, “will”, and similar expressions. FLS contained or referred to in this press release includes, but is not limited to, statements regarding the proposed timing and various steps contemplated in respect of the Transaction, the holding of the Company’s Shareholders’ Meeting and the results of the completion of the Transaction, the combination of the Company and Grayshift, the resulting digital forensics platform, benefits to customers, future innovation, creation of value for stakeholders, acceleration of the future of digital investigations, and capturing growth opportunities._

_FLS is based on a number of factors and assumptions which have been used to develop such statements and information, but which may prove to be incorrect. Although the Company believes that the expectations reflected in such FLS is reasonable, undue reliance should not be placed on FLS because the Company can give no assurance that such expectations will prove to be correct. Factors that could cause actual results to differ materially from those described in such FLS include, without limitation, the following factors, many of which are beyond the Company’s control and the effects of which can be difficult to predict: (a) the possibility that the Transaction will not be completed on the terms and conditions, or on the timing, currently contemplated, and that it may not be completed at all, due to a failure to obtain or satisfy, in a timely manner or otherwise, required shareholder, Court and regulatory approvals and other conditions of closing necessary to complete the Transaction or for other reasons; (b) risks related to tax matters; (c) the possibility of adverse reactions or changes in business relationships resulting from the announcement or completion of the Transaction; (d) risks relating to Company’s ability to retain and attract key personnel during and following the interim period; (e) the possibility of litigation relating to the Transaction; (f) credit, market, currency, operational, liquidity and funding risks generally and relating specifically to the Transaction, including changes in economic conditions, interest rates or tax rates; (g) business, operational and financial risks and uncertainties relating to the COVID-19 pandemic; (h) risks related to the Company resulting from the combination of the Company and Grayshift in retaining existing customers and attracting new customers, retaining key personnel, executing on growth strategies, advancing its product line and protecting its intellectual property rights and proprietary information; (i) risks related to the Company’s ability to prevent unauthorized access to or disclosure, loss, destruction or modification of data, through cybersecurity breaches or computer viruses disrupting the functionality of the Company’s products; (j) the impact of competition; (k) changes and trends in the Company’s industry and the global economy; and (k) the identified risk factors included in the Company’s public disclosure, including the annual information form dated March 9, 2022,_ _which is available on SEDAR at_ www.sedar.com _and on the Company’s website at_ www. magnetforensics.com_._ _If any of these risks or uncertainties materialize, or if the assumptions underlying the FLS prove incorrect, actual results or future events might vary materially from those anticipated in the FLS._ _Although the Company has attempted to identify important risk factors that could cause actual results to differ materially from those contained in FLS, there may be other risk factors not presently known to the Company or that the Company presently believe are not material that could also cause actual results or future events to differ materially from those expressed in such FLS._ _The FLS in this press release reflect the current expectations, assumptions, judgements and/or beliefs of the Company based on information currently available to the Company, and are subject to change without notice._

_Any FLS speaks only as of the date on which it is made and, except as may be required by applicable securities laws, the Company disclaims any intent or obligation to update any FLS, whether as a result of new information, future events or results or otherwise, except as required under applicable securities laws. The FLS contained in this press release are expressly qualified by this cautionary statement. For more information on the Company, please review the Company's continuous disclosure filings that are available at_ www.sedar.com_._

_No securities regulatory authority has either approved or disapproved of the contents of this news release. The TSX accepts no responsibility for the adequacy or accuracy of this release._

Magnet Forensics Inc. Enters Into Definitive Agreement to be Acquired by Thoma Bravo

**Woburn, MA – January 23, 2023 –** According to Kaspersky research experts’ predictions for challenges in Security Operation Centers (SOCs) in 2023, the number of incidents in government and mass media segments will increase this year. SOCs from these and other industries are likely to face more reoccurring targeted attacks, as will supply chain attacks via telecommunication providers. Another threat awaiting SOCs will be more initial compromises through public-facing applications. Organizations that are threatened by ransomware attacks might also encounter data destruction. 

**More reoccurring targeted attacks by state-sponsored actors**   

In 2022, Kaspersky experts saw the average number of incidents in the mass media sector double in growth from 263 in 2021, to 561 in 2022.  Throughout the last year, a number of high-profile cases occurred including when Iranian state TV broadcasting was interrupted by hackers during protests in the country. Media outlets were also subject to DDoS attacks like those in Czech Republic. 

Alongside the government sector where the average number of incidents increased by 36% in 2022, mass media became the prime target for cybercriminals among the 13 other analyzed segments including industrial, food, development, financial, and others.

This growth will continue in 2023, with reoccurring targeted attacks by state-sponsored actors.While this is normally relevant for government organizations, the mass media segment has been increasingly targeted during international conflicts that are traditionally accompanied by information warfare where mass media inevitably play an important role.

_“Large businesses and government agencies have always been targets of cybercriminals and state-sponsored actors, but geopolitical turbulence increased attackers’ motivations and enlivened hacktivism, which cybersecurity specialists have not regularly encountered until 2022,”_ said Sergey Soldatov, head of security operation center (SOC) at Kaspersky. “_The new wave of politically-motivated attacks is especially relevant for the government and mass media sectors. To effectively protect a company, it’s necessary to implement a comprehensive threat detection and remediation provided through Managed Detection and Response services._”

**Supply chain attacks via telecommunication providers** 

In 2023, perpetrators may increase supply chain strikes by attacking telecommunication companies. For the first time in 2021, the telecom industry saw a prevalence of high severity incidents throughout the year. While in 2022 the average share of high severity incidents was lower (79 in 2021 per 10k systems monitored, versus roughly 12 in 2022), these companies remain attractive targets for cybercriminals. 

**Ransomware destroyers;** **initial compromises via public-facing applications** 

Throughout 2022, Kasperksy observed a new ransomware trend that will continue in 2023: ransomware actors will not only encrypt companies’ data but also destroy it. This is relevant for organizations which are subject to politically-driven attacks. 

Another threat awaiting SOCs is more initial compromises through public-facing applications. Penetration from the perimeter requires less preparation than phishing and old vulnerabilities are still exposed.

**What SOCs will face internally? Processes and efficiency** 

In 2023, it will be imperative for SOCs to develop the skills of their team to counter the increasing amount of threats. Trainings such as incident response or any form of SOC exercises such as TTX, purple teaming, and advisory attack simulations, will be of vital importance. 

The growing threat landscape leads to increasing budgets and demand for more efficiencies. Increasing numbers of incidents and threats transforms into a need to predict attacks and techniques, raising the value of threat intelligence and hunting. 

To read the full report on SOC challenges in 2023, please visit Securelist.com. Click here to read other KSB pieces.

To protect from the relevant threats, Kaspersky researchers recommend implementing the following measures:

*   Always keep software updated on all the devices you use to prevent attackers from infiltrating your network by exploiting vulnerabilities. Install patches for new vulnerabilities as soon as possible. Once it is downloaded, threat actors can no longer abuse the vulnerability. 
*   Dedicated services can help combat high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop intrusions in their early stages, before the perpetrators achieve their goals.  If you encounter an incident, Kaspersky Incident Response service will help you respond and minimize the consequences. In particular, identify compromised nodes and protect the infrastructure from similar attacks in the future.
*   Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
*   Choose a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behavior-based detection and anomaly control capabilities for effective protection against known and unknown threats.

**About Kaspersky**

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelli-gence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

SOCs to Face Greater Challenges From Cybercriminals Targeting Governments and Media in 2023

Amid all the NFL playoff action, FanDuel has sent an email warning to gamblers that their data was exposed in its third-party breach, putting them at risk for phishing attacks.

The FanDuel online sportsbook has told its users to be on the lookout for phishing cyberattacks in the wake of a breach of its email marketing contractor, Mailchimp.

Mailchimp announced its systems were breached on Jan. 11 using stolen employee credentials, allowing threat actors to access 133 accounts on the email marketing platform. One of those compromised accounts was FanDuel, according to an email sent to users and made public by security researcher Graham Cluley, who identified the breached company as Mailchimp.

"On Sunday evening, the vendor confirmed that FanDuel customer names and email addresses were acquired by an unauthorized actor," the FanDuel email said.

Cluley pointed out that although nothing more than emails and names were exposed, that's plenty of information for threat actors to launch future phishing attacks.

"I would recommend that FanDuel customers be on their guard and — if they haven't already done so — enable two-factor authentication on their FanDuel accounts," Cluley wrote in his blog post about the FanDuel email to customers. "It was kind of FanDuel, in its notification to affected customers, not to mention Mailchimp as the company."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

FanDuel Sportsbook Bettors Exposed in Mailchimp Breach

Here's how a security team can present itself to citizen developers as a valuable resource rather than a bureaucratic roadblock.

Amid volatile times and gloomy predictions for 2023, low-code/no-code (LCNC) adoption continues to grow rapidly. A recent forecast published by analyst firm Gartner predicts that low-code markets will grow 20% in 2023, with citizen development in particular growing 30%. While business units continue to go all-in on LCNC, security teams were mainly out of the loop until not long ago. This reality is quickly changing as LCNC becomes a business-critical infrastructure, and as business developers build critical applications. Now security teams have to ensure that things were built correctly. This is a recipe for conflict.

As security teams we can't cover everything, so we make tough choices and focus on the business-critical. The byproduct of that is that some business units get used to working without us. In many cases, that's fine. They go about their daily business; security is not involved because they aren't doing anything risky or critical enough. But then, one day, they succeed in creating critical applications. They make a big splash, and are rewarded with the attention of the organization. Of course, this also comes with heightened security attention.

While this is a challenging situation, it's important to notice the fact that it's a good problem to have! Your organization has been successful, and you are getting a chance to build an entirely new security pillar from scratch and introduce new types of developers to working with the security team. You have the opportunity to establish things the right way. But how?

**1\. Start With Learning**

First, understand the fundamental security challenges LCNC poses. Learn why other security teams are concerned about LCNC, and focus your attention on the most common risks to target first. By familiarizing yourself with the risks specific to LCNC, you will arrive to the conversation with business teams armed with knowledge that is highly relevant to the challenges they are having and be able to speak in a language that they will understand and relate to. You will also be able to focus on and drive the conversation toward the risks that are more relevant for your organization.

**2\. Understand the Business Context**

Acknowledge the fact that the business units have been successful in bringing in this new technology and using it to generate meaningful value. Make sure they are aware that your involvement is itself an acknowledgement of their success.

Take the time required to learn what they have been doing so far. How are they addressing operations and management of the platforms? How do they handle application lifecycle management? While they might have been able to succeed on grit and perseverance, when problems become complex enough, they will encounter areas where your expertise as a security professional would be tremendously helpful. Learning about their operations and struggles could help you find ways in which they could really use your guidance to solve critical issues or change a fundamental concept they got wrong.

**3\. Identify Opportunities to Help**

Once you've identified areas where they could use your expertise, think about how you and the security organization could help address those challenges. Could you offer a security risk assessment? Could you help them figure out configurations? Permission management?

By identifying areas where you can help, you will also identify areas where you can apply controls. These challenges, which are much better addressed by a central security team with the right skills, will help the business solve problems that prevent them from moving forward while also allowing you to put guardrails in place.

**4\. Map Risk Hotspots**

While learning about existing challenges, you must also build an independent understanding of the current risks in your environments. Use threat modeling and security assessments to gain visibility into security risk in the existing environment and its applications. Review existing development processes and assess their adherence to secure SDLC. Identify and treat cases that need urgent attention or security risks that could easily manifest into significant harm. With a clear distinction of the areas where risk is most acute, you will be able to focus your attention — and that of the business leaders — and get results faster.

**5\. Lay a Path Toward Enablement**

Everybody worries about security, and in a big organization in particular, people are always concerned even if they don't actually do something about it. Business teams that have brought in and built upon new technology without relying on central IT / security teams know that some risk is involved. They might have even made choices to restrict access, or prevent usage of this or that useful platform feature, in fear of what might happen. One clear way to win the business' heart and mind is to help them unblock usage. Allow more people to build applications, or use advanced and potentially risky features. With your security expertise, you can evaluate the security risk, identify compensating controls, and provide a path for them to expand usage, while elevating their feeling of responsibility and easing fear of a security issue.

**Moving Forward Together**

Change is never easy and will cause friction. With LCNC continuing to soar and business relying more and more on applications produced outside of IT on the one hand, and hackers targeting business on the other, security teams must assume their role as a guide that can help business teams innovate while not introducing new security risks.

By taking the time to consider the business' perspective, its previous success, and its challenges, security teams will be able to build mutual trust and articulate a way forward that demonstrates a win-win for business innovation and security guarantees.

No One Wants to Be Governed, Everyone Wants to Be Helped

A Swiss hacker poking around in an unprotected Jenkins development server belonging to CommuteAir accessed the names and birthdates of some 1.5 million people on a TSA no-fly list from 2019.

A recent incident where a bored hacker found a list of 1.5 million individuals on TSA's no-fly list sitting unprotected on an Internet-exposed server has highlighted, once again, the risky practice of using production data and sensitive information in development environments.

Swiss hacker "maia arson crimew" recently discovered the TSA list on a Jenkins open source automation server belonging to CommuteAir, an Ohio-based airline company that supports United Airlines operations on regional flights. In comments to Daily Dot — the first to report on the incident — she said she found the no-fly list while searching for Internet-exposed Jenkins servers using the Shodan search engine, and notified the company of the issue.

**Openly Accessible**

The list — housed in a text file named "NoFly.csv" — contained the names of more than 1.5 million individuals that the US government has barred from flying because of security concerns. The TSA makes the list available to airlines around the world so they can screen passengers intending to fly from, to, or over the US.

Daily Dot quoted maia arson crimew — who describes herself as a "security researcher" — as saying she had also found credentials to some 40 Amazon S3 buckets belonging to CommuteAir on the same server. One of those credentials led her to a database containing sensitive information — such as passport numbers, phone numbers, and postal addresses—belonging to some 900 CommuteAir employees.

Erik Kane, corporate communications manager at CommuteAir, in a media statement described the leak as resulting from a misconfigured development server. 

"The researcher accessed files including an outdated 2019 version of the federal no-fly list that included first and last name and date of birth," Kane said. "Additionally, through information found on the server, the researcher discovered access to a database containing personal identifiable information of CommuteAir employees."

An initial investigation has shown that no other customer data was exposed, adding that CommuteAir immediately took the affected server offline after the hacker had informed the company about the issue, Kane noted.

"CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees," the statement read.

**Using Sensitive Data for Test & Development**

The incident is an example of the things that can go wrong when organizations permit the use of production data, or sensitive information, in development and testing environments — in this case, a Jenkins server. 

Quality assurance teams and developers often cut and paste raw production data into their environments when testing, developing, or staging apps because it offers a less expensive, faster, and more valid way to do things compared to using test data. However, security experts have long warned about the practice being fraught with risks, because development and test environments typically lack the security controls that are present in a live, production setting. 

Common issues include over-permissions, lack of network segmentation, poor patch management, and a general lack of awareness of data-privacy requirements.

Concerns over the security, privacy, and compliance issues related to the practice have, in fact, pushed many organizations into taking additional precautions such as masking, obfuscating, or encrypting sensitive and live production data before using it for testing or development. Many simply use dummy data as a stand in for the real thing when testing or staging software. Even so, the practice of using raw production data and sensitive information in development and test settings continues to be quite rampant according to security experts.

"Sadly, testing with production data is very common," says John Bambenek, principal threat hunter at Netenrich. "Quite simply, creating credible and at-scale test data is often complicated especially when dealing with unique data sets." Testing teams often want their tests to represent the real world as much as possible, so it's a very natural temptation to use production data, he says.

Patrick Tiquet, vice president of security and architecture at Keeper Security says that DevOps servers often tend to be prime targets for attackers because they are usually less protected than live, production servers. He advocates that organizations avoid using production data in non-production environments no matter how benign the data might appear. 

"The use of production data in development systems increases the risk of disclosure of that information, because in many organizations, development systems may not be as protected as their production systems," Tiquet says.

Organizations that permit the practice need to recognize the fact that many data-privacy regulations require covered entities to apply specific controls for protecting sensitive data, regardless of where it might exist in the environment or how it is used. Using production data in a development environment could violate those requirements, Tiquet says.

"Exposing sensitive data can not only open an organization to litigation or government-related trouble depending on the data, but it can also lead to an erosion of customer trust," he warns. "While there are many steps organizations can take to protect their test environments, such as data masking and encryption, the most important will be including the security teams in the setup and continuous management of DevOps servers."

TSA No-Fly List Snafu Highlights Risk of Keeping Sensitive Data in Dev Environments

Use threat intelligence to reduce chance of success for malicious insider and Dark Web threats.

Insider threats are a serious and growing problem. According to recent research, malicious employees contribute to 20% of incidents and the attacks that insiders are involved in are, on average, 10 times larger than those conducted by external actors. Further data (PDF) has shown an increase in insider threat attacks over the past two years, as the risk has been exacerbated by the remote working through the pandemic.

To minimize insider threats, all organizations should monitor marketplaces, forums, and social media channels for chatter about their company. This helps them to spot the early warning signs of an imminent attack, such as cybercriminals looking for insider knowledge, or disgruntled employees making unsavory comments. This monitoring must also extend to the Dark Web, as this is a gold mine for cybercriminal reconnaissance on organizations, because threat actors believe that they're out of the reach of law enforcement and cybersecurity teams.

**Types of Insider Threat**

When we talk about insider threats it is important to understand that there is more than one type of malicious insider. Broadly, you can categorize them in three groups:

**Insiders motivated by financial gains****:** In the current economic climate, employees can be nudged into malicious activity by threat groups. For example, the threat group Lapsus$ infamously posted a recruitment call for help from employees in telecom companies, software and gaming corporations, and call centers — offering money in exchange for information.

    

Ad that Lapsus$ ran.

**Loners and opportunistic threat actors:** These are hard-to-spot insiders who use their privileged position in the network to harm the company. While they're statistically less common, they can have a severe impact on an organization when they do strike. For example, the New York Post employee who took an ax to the company's reputation recently by posting offensive messages on its corporate Twitter account. Dark Web analysis can help to spot these malicious actors if and when they publish an inquiry or ask for help on specific issues they face when navigating around the corporate environment. They can also be spotted offering to sell insider information on the Dark Web.

**Innocent insiders:** These can also unwittingly harm the company by being involved in threat activity without their consent or knowledge. According to research, employees are more than twice as likely to make an error and click malicious links, rather than to maliciously misuse their access.

That's who you're up against, but it's also important to understand what malicious actors could be looking for, inquiring about, or selling.

**Threat Modeling for Insider Threat**

Companies threat modeling for malicious insiders need to identify where their infrastructure is the most insecure, what assets they have that are the highest value, and which tactics are most regularly used by threat actors. Insight into the Dark Web can help the organization establish how criminals go about their reconnaissance and use malicious insiders, which can help inform their defenses.

The most popular method used to gain access to a company's environment is obtaining and utilizing leaked credentials. But apart from basic "password and username" sales, businesses also need to look out for cookie-session leaks for apps such as Slack and Teams, which threat actors can use to socially engineer their way into the company and abuse the trust of an employee.

Another aspect that companies need to be conscious of are trigger events that increase the likelihood of a company being targeted for attack. For example, if an oil company is set to announce its annual revenue during a cost-of-living crisis, the organization must assess the animosity level from employees, ex-employees, and outsiders reacting to the announcement. The revenue reveal, in this example, is a potential trigger event, requiring the business to be particularly diligent in monitoring the Dark Web for any chatter around the company before, during, and after the event. In cases like these, companies must ask themselves whether they should implement extra defenses or apportion additional resources.

During trigger events, companies could potentially spot malicious insiders by monitoring an uptick in alerts or irregular online activity. Connections between a company device and the Tor network are a very reliable data point for discovering an insider threat, because there is virtually no good reason why an employee would be connecting to the Dark Web in most organizations.

**Shifting Left in the Cyber Kill Chain**

As with any incident, time is always of the essence. Where possible, organizations need to pinpoint insider threat activity during reconnaissance, the first stage of the cyber kill chain, to successfully mitigate against a malicious actor. Logic dictates that the earlier, or further to the left in the kill chain, that threat actors can be identified, then the less likely they are to be successful in their attack.

Organizations understand the need for preparedness, shielding their borders, and educating their employees. However, these are simply a solid foundation of security infrastructure that requires augmenting with intelligence to stop threats earlier. Dark Web threat intelligence should be considered as an integral component to enhancing an organizations' security posture. As most cybercriminals rely on Dark Web infrastructure to conduct their operations, cutting off this channel can vastly reduce the chance of insider threats taking hold and disrupting business operations.

Hunting Insider Threats on the Dark Web

**STAMFORD,** **Conn.,** **January** **23,** **2023** **—** Zero trust is top of mind for most organizations as a critical strategy to reduce risk, but few organizations have actually completed zero-trust implementations.Gartner, Inc. predicts thatby 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place, up from less than 1% today.

Gartner defines zero trust as a security paradigm that explicitly identifies users and devices and grants them just the right amount of access so the business can operate with minimal friction while risks are reduced.

“Many organizations established their infrastructure with implicit rather than explicit trust models to ease access and operations for workers and workloads. Attackers abuse this implicit trust in infrastructure to establish malware and then move laterally to achieve their objectives,” said John Watts, VP Analyst at Gartner. “Zero trust is a shift in thinking to address these threats by requiring continuously assessed, explicitly calculated and adaptive trust between users, devices, and resources.”

To help organizations complete the scope of their zero-trust implementations, it is critical that chief information security officers (CISOs) and risk management leaders start by developing an effective zero-trust strategy which balances the need for security with the need to run the business.

“It means starting with an organization’s strategy and defining a scope for zero-trust programs,” said Watts. “Once the strategy is defined, CISOs and risk management leaders must start with identity - it is foundational to zero trust. They also need to improve not only technology, but the people and processes to build and manage those identities.

“However, CISOs and risk managementleaders should not assume that zero trust will eliminate cyberthreats. Rather, zero trust reduces risk and limits impacts of an attack.”

Gartner analysts predict thatthrough 2026, more than half of cyberattacks will be aimed at areas that zero- trust controls don’t cover and cannot mitigate.

“The enterprise attack surface is expanding faster and attackers will quickly consider pivoting and targeting assets and vulnerabilities outside of the scope of zero-trust architectures (ZTAs),”said Jeremy D’Hoinne, VP Analyst at Gartner.”This can take the form ofscanning and exploiting of public-facing APIs or targeting employees through social engineering, bullying or exploiting flaws due to employees creating their own “bypass” to avoid stringent zero-trust policies.”

Gartner recommends that organizations implement zero trust to improve risk mitigation for the most critical assets first, as this is where the greatest return on risk mitigation will occur. However, zero trust does not solve all security needs. CISOs and risk management leaders must also run a continuous threat exposure management (CTEM) program to better inventory and optimize their exposure to threats beyond the scope of ZTA.

Gartner clients can learn more in “Predicts 2023: Zero Trust Moves Past Marketing Hype Into Reality.”

Learn how to prepare for any cybersecurity attack in the complimentary Gartner ebook 3 Must-Haves in Your Cybersecurity Incident Response Plan.

**About Gartner Security & Risk Management Summit** 

Gartner analysts present the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summits 2023, taking place February 13-14 in India, February 27-28 in Dubai, June 5-7 in National Harbor, MD, March 28-29 in Sydney, July 26-28 in Tokyo and September 26-28 in London. Follow news and updates from the conferences on Twitter using #GartnerSEC.

**About Gartner for Information Technology Executives**

Gartner for Information Technology Executives provides actionable, objective insight to CIOs and IT leaders to help them drive their organizations through digital transformation and lead business growth. Additional information is available at www.gartner.com/en/information-technology.

Follow news and updates from Gartner for IT Executives on Twitter and LinkedIn. Visit the IT Newsroom for more information and insights. 

**About Gartner**

Gartner, Inc. (NYSE: IT) delivers actionable, objective insight to executives and their teams. Our expert guidance and tools enable faster, smarter decisions and stronger performance on an organization’s mission critical priorities. To learn more, visit gartner.com.

Gartner Predicts 10% of Large Enterprises Will Have a Mature and Measurable Zero-Trust Program in Place by 2026

S-RM reports show that cybersecurity concerns surrounding hybrid work prevail for 37% of organizations.

**23rd January 2023 – LONDON –** Leading global intelligence and cyber security consultancy S-RM has today revealed in its _Cyber Security Insights Report_ that there has been a drop in concern around the cyber security threats posed by hybrid working. However, a significant proportion (35%) of IT leaders say they are concerned over a cyber skills gap among employees. 

The report, which draws on data from 600 C-suite and IT budget holders from organisations with revenue over USD $500m, found that 37% of organisations reported concerns around hybrid working – a drop from 46% in 2021. This may be in part due to growing awareness of cyber security threats among employees. When asked about the biggest cyber security challenges their organisation faced, just 31% of respondents'perceived lack of importance from employees in 2022'. While there is still a way to go, this figure is down from 36% in 2021. 

Despite growing awareness among employees, the cyber skills gap still remains an area of vulnerability. Over a third of senior IT leaders and C-suite holders in 2022 (35%) highlighted a lack of cyber skills and expertise as a key challenge facing their business when it comes to cyber security defence and incident management – a figure that rose to 42% within the financial services industry. These statistics support the ongoing industry discussion about the difficulties of attracting and retaining the best talent.

The report also illustrated that businesses with more mature cyber security policies prioritise different challenges than less experienced companies. Businesses where senior leaders viewed the company’s cyber security as ‘very mature’ were more likely to consider compliance and unsophisticated or outdated cyber security tools as their key challenges (37% and 33%). 

Comparatively, companies describing themselves as 'somewhat mature' were less likely to identify these as key challenges (25% and 26%) but rather identified a lack of skills and expertise (38%) as well as a lack of internal training (33%) as their main issues to their business – highlighting again the worries over the skills gap amongst decision makers .

**Jamie Smith, Board Director at S-RM said:**

_“While we have found that more companies are now adjusting to hybrid working and viewing it as less of a risk, it is clear that cyber security challenges are continuously evolving and2023 will bring fresh risks to consider._ 

_“One of the biggest protective measures companies can take over cyber security threats is to build a resilient workforce, and a positive takeaway from our report is that we are seeing more employees take more notice of security threats.”_ 

**Paul Caron, Head of Cyber Security, at S-RM said:**

_“Our report finds some great progress in cyber security maturity across a slew of industries but there is still asignificant skills gap evident in the workforce. This is a perennial problem for the sector: how to attract and retain the best talent, to win the knowledge, skills, and technology arms race between threat actors and private businesses._ 

_“It is crucial, for businesses to continue to invest in high quality cyber security training in order to both attract this talent and firm up their own defences by closing this skills gap.”_  

Further detail on the full report can be accessed on the S-RM website, here: https://www.s-rminform.com/cyber-security-insights-report

Source

DARKReading