Hole-y software alert, Batman: Cybercriminal faves Citrix Gateway and VMware Workspace ONE have authentication-bypass bugs that could offer up total access to attackers.

Critical authentication-bypass vulnerabilities in Citrix and VMware offerings are threatening devices running remote workspaces with complete takeover, the vendors warned this week.

Admins should prioritize patching, given the history of exploitation that both vendors have. Both disclosures prompted CISA alerts on Wednesday.

**Citrix Gateway: A Perfect Avenue for Infesting Orgs**

As for Citrix, a critical bug tracked as CVE-2022-27510 (with a CVSS vulnerability-severity score of 9.8 out of 10) allows unauthenticated access to Citrix Gateway when the appliance is used as an SSL VPN solution. In that configuration, it gives access to internal company applications from any device via the Internet, and it offers single sign-on across applications and devices. In other words, the flaw would give a successful attacker the means to easily gain initial access, then burrow deeper into an organization's cloud footprint and wreak havoc across the network.

Citrix also noted in the advisory that its Application Delivery Controller (ADC) product, which is used to provide admin visibility into applications across multiple cloud instances, is vulnerable to remote desktop takeover (CVE-2022-27513, CVSS 8.3), and brute force protection bypass (CVE-2022-27516, CVSS 5.3).

Tenable researcher Satnam Narang noted that Citrix Gateway and ADC, thanks to how many parts of an organization they provide entrée into, are always favorite targets for cybercriminals, so patching now is important.

"Citrix ADC and Gateways have been routinely targeted by a number of threat actors over the last few years through the exploitation of CVE-2019-19781, a critical path traversal vulnerability that was first disclosed in December 2019 and subsequently exploited beginning in January 2020 after exploit scripts for the flaw became publicly available," he wrote in a Wednesday blog.

"CVE-2019-19781 has been leveraged by state-sponsored threat actors with ties to China and Iran, as part of ransomware attacks against various entities including the healthcare sector, and was recently included as part of an updated list of the top vulnerabilities exploited by the People’s Republic of China state-sponsored actors from early October," Narang continued.

Users should update ASAP to Gateway versions 13.1-33.47, 13.0-88.12, and 12.1-65.21 to patch the latest issues.

**VMware Workspace ONE Assist: A Trio of Cybercrime Terror**

VMware meanwhile has reported three authentication-bypass bugs, all in its Workspace ONE Assist for Windows. The bugs (CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687, all with CVSS 9.8) allow both local and remote attackers to gain administrative access privileges without the need to authenticate, giving them full run of targeted devices.

Workspace ONE Assist is a remote desktop product that's mainly used by tech support to troubleshoot and fix IT issues for employees from afar; as such, it operates with the highest levels of privilege, potentially giving remote attackers an ideal initial access target and pivot point to other corporate resources.

VMware also disclosed two additional vulnerabilities in Workspace ONE Assist. One is a cross-site scripting (XSS) flaw (CVE-2022-31688, CVSS 6.4), and the other (CVE-2022-31689, CVSS 4.2) allows a "malicious actor who obtains a valid session token to authenticate to the application using that token," according to the vendor's Tuesday advisory.

Like Citrix, VMware has a history of being targeted by cybercriminals. A critical vulnerability in Workspace ONE Access (used for delivering corporate applications to remote employees) tracked as CVE-2022-22954 disclosed in April was almost immediately followed by a proof-of-concept (PoC) exploit released on GitHub and tweeted out to the world. Unsurprisingly, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.

Users should update to version 22.10 of Workspace ONE Assist to patch all of the most recently disclosed problems.

Patch ASAP: Critical Citrix, VMware Bugs Threaten Remote Workspaces With Takeover

Cyberattackers like IPFS because it is resilient to content blocking and takedown efforts.

As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks.

Researchers from Cisco Talos this week reported observing multiple malicious campaigns leveraging the IPFS to host phishing kits and malware payloads. For many attackers, the IPFS has become the equivalent of a bulletproof hosting provider that is mostly impervious to takedown efforts, Talos said. Complicating matters for defenders is the fact that the IPFS is often used for legitimate purposes. So, differentiating between benign and malicious IPFS activity is another challenge, the security vendor said.

"Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them," Talos said in a report summarizing the threat.

**Growing Threat**

This marks at least the second time in recent months that researchers have sounded the alarm on IPFS becoming a hotbed of cybercrime activity.

In July, Trustwave's SpiderLabs noted how its researchers had identified more than 3,000 emails with phishing URLs hosted in the IPFS in a three-month period. Phishing pages that it observed on the IPFS included those that spoofed Microsoft Outlook login pages, Google domains and cloud storage services such as Filebase.io and nftstorage.link. "Phishing techniques have taken a leap by utilizing the concept of decentralized cloud services using IPFS," Trustwave said. The growing use of IPFS by many file storage, Web hosting, and cloud service companies means that attackers have a lot more flexibility in creating new phishing URLs that cannot be easily blocked, the security vendor said.

IPFS is a peer-to-peer file sharing system that Protocol Labs launched in 2015. The network is designed to allow decentralized storage of content. Content stored in the IPFS is mirrored across multiple nodes, or systems that participate in the network. Individuals and others can use IPFS to store different types of data including webpages, files, NFTs, and documents.

Resources stored on the IPFS are assigned unique identifiers. Users can employ the identifier to access the content via IPFS clients or gateways, which are like gateways for accessing content on the Tor network. Because content is mirrored on IPFS, it is always available even if one node goes down.

This has made the IPFS an attractive option for hosting phishing kits and malware for cybercriminals. Because content on the IPFS does not have a static IP address, it cannot be blocked using standard IP blocking and blacklisting mechanisms. Similarly, taking down a node containing phishing pages and malware does little to neutralize a threat because the content is mirrored across multiple nodes. There is also no central authority on the IPFS that law enforcement or security vendors can contact to take down a phishing or malware distributing site.

In an example of how attackers are abusing IPFS, Talos pointed to a phishing campaign in which victims receive an email with an attached PDF that purports to be associated with the DocuSign document signing service. When a user clicks on the "Review Document" link, they are directed to a webpage that appears to be a legitimate Microsoft authentication page but is really a credential-harvesting page hosted on the IPFS network.

In situations where an IPFS gateway might recognize the resource being requested as malicious and block access, attacker simply change the IPFS gateway that is used to retrieve the content, Talos said.

**Phishing Not the Only Threat**

Phishing pages are not the only threat. A growing number of attackers are also leveraging the peer-to-peer network to distribute malicious payloads.

In one campaign that Talos researchers observed, the attacker sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. When run, the downloader would reach out to an IPFS gateway and retrieve a second-stage malware payload hosted on the peer-to-peer network. The attack chain ended with the Agent Tesla remote-access Trojan getting dropped on the victim's system.

Talos researchers also found a destructive, disk-wiping malware tool and a full-featured information-stealer called Hannabi Grabber hosted in IPFS nodes.

"Many new Web3 technologies have emerged recently, attempting to provide valuable functionality to users," Talos said in the report. "As these technologies have continued to see increased adoption for legitimate purposes, they have begun to be leveraged by adversaries as well."

The researchers expect the trend to gain momentum as more threat actors realize the IPFS is resilient to content moderation and takedown efforts.

"Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments," the vendor said.

InterPlanetary File System Increasingly Weaponized for Phishing, Malware Delivery

The stalling of federal legislation and the continued expansion of data brokers are fueling a phishing epidemic.

It's been over four years since the EU implemented its groundbreaking General Data Protection Regulation. The GDPR became the model for personal data privacy laws in many other countries, and for the California Consumer Privacy Act (CCPA), which took effect in 2020. New data privacy laws are set to take effect in four more US states in 2023, and six states are actively working on bills.

But in four years' time, little progress has been made at the federal level. The latest discussion draft of the American Data Privacy and Protection Act, released on June 6, has several unresolved issues that will likely stand in the way of bipartisan support. This lack of federal privacy regulation is costing US businesses money in ways they don't even realize.

Regulatory uncertainty and the lack of a single compliance standard is obviously costly, though the amount can be difficult to quantify. What's less obvious but more quantifiable is the explosion in crimes against businesses, specifically business email compromise (BEC) and ransomware. These crimes are being fueled by the widespread availability of very detailed, legally collected personal data. If the government won't act, it would behoove businesses to take steps to help employees protect their personal data and, in the process, protect themselves.

According to data from the IC3, the FBI's Internet Crime Complaint Center, BEC attacks cost businesses $2.4 billion in 2021, up from $1.8 billion in 2020. Furthermore, they dwarf all other types of cybercrime against businesses, accounting for 34% of 2021 losses from all types of cybercrime. Ransomware schemes cost businesses $49 billion in 2021, the IC3 says, more than doubling from $20 billion in 2020.

Those costs only reflect direct losses. According to research from the Ponemon Institute, the cost of loss productivity and remediation of compromised credentials and systems associated with these crimes can more than double the tab.

Working from home, where computing environments are less secure, has been a factor in the rise in these crimes. But so has the increase in the amount and variety of personal data available on the Internet.

Data fuels phishing, which is the gateway for these crimes. Phishing is typically done via email but also via text or instant messaging, social media, and even collaboration platforms. Criminals use data to pose as a trusted source communicating in one of these channels and convince the victim to click on a malicious link. That can lead to the installation of malware or ransomware, as well as the collection of login credentials or other sensitive data.

**Phishing for Business**

This can have devastating consequences for individuals, but phishing attacks are increasingly being used to gain entry to government and corporate systems. The IC3 received 323,972 phishing complaints in 2021, up from 25,344 such complaints in 2017 — a stunning 120% increase. According to Verizon's "2020 Mobile Security Index," 2% of employees click on a phishing link every day.

Once they gain access, bad actors can lurk inside company systems, studying workflows, monitoring communications, and waiting for an opportunity. Let's say an employee posts on social media while away on vacation. That's the opening a bad actor has been waiting for. They hop into the vacationing employee's email account, which contains a thread with a vendor's accounts payable department discussing payment of an invoice. The bad actor adds another message to the thread: "Can you also update our bank account and send the payment to the new account." According to the IC3 report, the average loss for a successful BEC attack like this was $120,000 in 2021.

**Data Brokers Don't Help**

Phishing is becoming ever more effective due to all the data criminals have to customize their communications. They don't even have to steal the data. They can get it on any one of about 150 people search sites, which is a segment of the data broker industry that has been growing both in size and in the type of information they collect.

These sites, which are largely unregulated, started out by collecting publicly available data, such as names, addresses, and phone numbers. Now they collect an even wider variety of data gleaned from a much wider variety of sources. Information such as a person's political views, dietary preferences, pets, and even a person's Amazon wish list can be easily found for a small monthly subscription fee. And it's all currently legal.

Personal data is a very sensitive tool that cybercriminals use to cause real harm to people whose data is publicly available on the Internet. But it's not just individuals who suffer. The payday from crimes against businesses can dwarf gains from crimes against individuals, making them especially attractive targets. Businesses are only as safe as their most digitally vulnerable employees.

It may be years before we have comprehensive federal legislation to protect data privacy. That is why organizational efforts to prevent cybercrime must include working with employees to reduce and remove their personal information from the Internet. That will make it more difficult for malicious actors to obtain employee data to leverage in their attacks.

How US Businesses Suffer From the Lack of Personal Data Privacy Laws

Suffolk County had to hand deliver voting databases with ballot results to the county election headquarters.

Lingering effects of a September ransomware attack delayed midterm vote tabulation in Suffolk County, which encompasses eastern Long Island in New York state.

Officials on Tuesday night said that 450,000 election night results would be significantly held up for state, federal, and local races thanks to an unexpected Wi-Fi outage related to the attack. Republican Party chairman Jesse Garcia told local outlet Newsday that the outage had prevented officials from uploading voting results — instead necessitating poll workers to bring 1,446 memory cards containing ballot results to election board headquarters.

Suffolk results began to be counted around 2:30 a.m. early Wednesday, according to the report.

The county is home to around 1.5 million people, and includes tony alcoves and summer destinations like the Hamptons and Fire Island, along with working and middle class neighborhoods. Long Island has been considered an important population bloc when it comes to deciding the fate of midterm election contenders in the Empire State — including the hotly contested governor's race between Democratic incumbent Kathy Hochul and Suffolk County resident and GOP rival Lee Zeldin (Hochul was declared winner on Wednesday).

The Sept. 8 cyberattack wreaked havoc in the area, forcing 911 operators to work with pen and paper, taking down police in-car computers, and even knocking out the real-estate titling system, among other issues. It's unclear what exactly affected the Wi-Fi, though Newsday reported an official speculating that "extra protections" implemented by the county could be to blame.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Long Island Midterm Votes Delayed Due to Cyberattack Aftereffects

Massachusetts Attorney General announced settlements across multiple states for damages from Experian's 2012 and 2015 breaches that violated consumer protection and notification laws.

Massachusetts Attorney General Maura Healey (now governor-elect) this week announced a one-two punch: Experian will pay $13.6 million in a multistate lawsuit settlement over its infamous data breaches in 2012 and 2015, which compromised personal information of millions of consumers nationwide; and T-Mobile will hand over $2.5 million for its customers who were affected by the 2015 breach at the credit-monitoring provider.

Some 15 million T-Mobile customer credit applications were exposed in the 2015 attack on Experian, which handled the processing of the mobile carrier's customer credit applications. Social Security numbers, birthdates, drivers' licenses, and passport information were among the exposed consumer data.

In addition to the settlement fees, both Experian and T-Mobile committed to taking steps to better secure data. Experian also must provide five years of free credit monitoring to people whose data was exposed — on top of the free services that had previously been provided to victims. T-Mobile also agreed to tighten up vendor oversight.

AG Healey helped lead the investigation into the 2012 data breach, working with attorneys general in Connecticut, Illinois, Indiana, Maryland, New Jersey, North Carolina, Texas, and Vermont, and also worked on the 2015 breach investigation, headed up by the attorneys general of Connecticut, Illinois, Maryland, Texas, and Washington, DC.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Experian, T-Mobile Pay Up in Multimillion-Dollar Data Breach Settlements

New approaches to identity access management are indispensable.

Take a moment to consider how frequently you authenticate your identity online: checking your email, logging in to your bank account, accessing cloud-based productivity tools, booking a flight, paying your taxes. We confirm our identities so many times every day that things like providing personally identifiable information and confirming a login attempt through our smartphones have become second nature. 

These are all reminders that identity is the foundation of cybersecurity — which is why it's also a major attack vector that can be exploited by cybercriminals. There are many tools that can prevent hackers from using the identities of their victims to infiltrate organizations and steal sensitive data, such as password managers and multifactor authentication. However, the adoption of these tools isn't as widespread as it should be — identity protection is often siloed, which means entire networks can be put at risk by single entry points. 

This is why many companies are moving toward a more comprehensive security architecture that will allow them to systematize their identity access management (IAM) protocols and defend many attack vectors at once. It has never been more critical for companies' cybersecurity platforms to be adaptive, automated, and distributed, which is why they're increasingly adopting flexible IAM systems that offer protection at every level. 

**Identity Is a Significant Attack Vector**

There are many reasons cybercriminals target IAM systems: these systems are often especially vulnerable because they're dependent on individual user behavior, fragmented cloud applications create many lines of attack, and a single access point often allows bad actors to break into entire networks. It's no surprise that, according to the 2022 Verizon "Data Breach Investigations Report," the use of stolen credentials is the top action variety in breaches. 

Verizon researchers outline yet another reason why cybercriminals prioritize identity: "We've long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system." When cybercriminals use credentials or other stolen forms of identity to access a network, they can operate undetected for long periods of time, which allows them to install malware, manipulate privileges, and deceive other users to steal sensitive data or gain deeper access.

This problem is all the more urgent with the proliferation of devices and cloud-based services employees use for work, as well as the continued reliance on remote and hybrid work. As employees sign in to their work accounts from home and around the world — sometimes using unsecured Wi-Fi at airports, coffee shops, and hotel lobbies — siloed IAM systems have become even more dangerous. 

**Poor Cybersecurity Hygiene and the Risks of Siloed IAM**

Human behavior is one of the most significant cybersecurity liabilities any company faces, and flawed IAM security architecture is one of the main reasons why. At a time when companies are simultaneously using an average of three clouds with many different apps and devices, IAM is more important than ever. But relying on individual users and disconnected security protocols dramatically increases the risk of a breach. 

Although there are plenty of digital tools that can make apps and other cloud-based services safer, many employees fail to use these tools. For example, despite the fact that password security habits are notoriously unhealthy — almost two-thirds of people reuse passwords, and 13% use the same password for every account — less than a quarter say they use a password manager. The same applies to other forms of access: a 2021 survey found that less than one-third of respondents use two-factor authentication across all applications. 

It's costly and inefficient to develop IAM protocols for the full range of devices and apps that employees use, and it isn't feasible for companies to redevelop all their legacy apps to meet emerging security requirements. This is why many companies feel like they're stuck with a status quo that leaves them susceptible to cyberattacks — they lack the robust, standardized security architecture necessary to protect their networks and systems across the board. But this perception is changing with the rapid evolution of IAM architectures. 

**The Emergence of Orchestrated IAM**

Many factors are coming together at the same time and forcing companies to revisit their IAM frameworks: digitization, more distributed workforces, and a profusion of cloud-based apps. These developments should cause companies to create more comprehensive, coherent, and adaptive IAM systems, but in too many cases they're having the opposite effect. Companies are scrambling to keep up with new technological developments and the shifting cyber-threat landscape, which is causing them to make even more disjointed decisions. 

A recent Gartner report emphasized these problems and argued that organizations should "evolve their identity and access management (IAM) infrastructure to be more secure, resilient, composable and distributed." Gartner explained that this evolution should involve the establishment of an "identity fabric using a standards-based connector framework across multiple computing environments, so that the organization can answer the question of who has access to what, regardless of where the resources and users are located." The answer to siloed IAM systems is the creation of an orchestrated and unified platform that will allow companies to make identity security more consistent across users and apps.

There's no sign that cybercriminals will stop using identity to penetrate secure systems and steal from companies. Although recent technological developments have increased the number of identity-based vulnerabilities for cybercriminals to exploit, companies are quickly learning how to keep their networks safe. The development of new approaches to IAM will be an indispensable part of this process.

A Better Way to Resist Identity-Based Cyber Threats

The Swiss Army knife-like browser extension is heaven for attackers — and can be hell for enterprise users.

A malicious browser extension that works on both Google Chrome and Microsoft Edge allows attackers to remotely take over someone's browser session and carry out a full range of attacks. It's built to steal cookies and other info, mine cryptocurrency, install malware, or take over the entire device for use in a distributed denial-of-service (DDoS) attack — among other things.  

Thanks to this multitool approach, the Cloud9 botnet basically acts like a remote access Trojan (RAT) for the Chromium browser, which is the framework for Chrome, Edge, and some other browsers, researchers at Zimperium zLabs revealed in a blog post Nov. 8.

The malware is comprised of three JavaScript files and has been active since as far back as 2017, with an update in 2020 that proliferated as a single JavaScript that can be included on any website using script tags, researchers said.

Researchers have linked Cloud9 to the Keksec malware group due to the activity of its command-and-control servers (C2s), which point to domains previously used by the gang. The well-resourced group — known for creating various botnets-for-hire — was seen in June weaponizing a Linux botnet called EnemyBot against vulnerabilities in enterprise services. In Cloud9's case, it's likely being sold "for a few hundred dollars" or offered for free to other groups on various hacker forums, researchers said.

"As it is quite trivial to use and available for free, it can be used by many malware groups or individuals for specific purposes," Zimperium zLabs malware analyst Nipun Gupta wrote in the post.

**Enterprise Users at Risk**

The malware offers a veritable buffet of nefarious activity, "purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta wrote. This includes enterprise users, where the botnet can be used to infiltrate a user's machine to propagate further malicious activity.

That said, "the Cloud9 malware does not target any specific group, meaning it is as much an enterprise threat as it is a consumer threat," Gupta wrote. "It is quite clear that this malware group is targeting all browsers and operating systems and thus trying to increase their attack surface."

Core capabilities of Cloud9 include: the ability to send GET/POST requests, which can be used to fetch malicious resources; cookie stealing to compromise user sessions; keylogging for nabbing passwords and other info; and the ability to launch a Layer 4/Layer 7 hybrid attack, which can be used to perform DDoS attacks from victims' machines.

Cloud9 also can detect a user's OS and/or browser to deliver next-stage payloads; inject ads by opening 'pop-unders'; execute JavaScript code from other sources for further malicious code delivery; silently load web pages for ad or malicious-code injection; mine cryptocurrency using the browser or the victim's device resources; or send a browser exploit to inject malicious code and take complete control of the device.

**Browser Escape and a Multifaceted Attack**

Researchers walked through an example of a Cloud9 attack on a Chrome browser, outlining several steps that ultimately perform a slew of nefarious tasks — including mining cryptocurrency from a victim's machine, stealing cookies and clipboard data, and even using exploits to "escape" the browser and execute malware on the victim's device.

The main functionality of the extension is available in a file named campaign.js, JavaScript that also can be used as a standalone and thus can redirect victims to a malicious website that contains the campaign.js script.

The campaign.js starts by identifying the victim's OS and then injects a JavaScript file that mines cryptocurrency using the victim's computer resources, both diminishing the performance of the device while reducing hardware lifespan and increasing energy usage — "which translates into a slow but steady monetary loss," Gupta noted.

Cloud9 then injects another script named cthulhu.js that contains a full-chain exploit for two vulnerabilities — CVE-2019-11708 and CVE-2019-98100 — that target Firefox on a 64-bit Windows OS. Upon successful exploitation, it drops Windows-based malware on the device, enabling the threat actor to take over the entire system.

Researchers also witnessed Cloud9 using other browser exploits for Internet Explorer (CVE-2014-6332, CVE-2016-0189) and Edge (CVE-2016-7200 that, if successful, gives the attacker the same user rights as the current user and can execute code on the victim's device accordingly. Further, if the user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, researchers said.

Cloud9 also can use its ability to send POST requests to any domain to carry out Layer 7 DDoS attacks if the attacker has a significant number of victims connected as botnets. In fact, true to its reputation, Keksec likely is selling the extension to provide a botnet service to perform DDoS, Gupta noted.

**Protecting the Enterprise**

Because of the broad capabilities of Cloud9 and the wide attack surface it can generate, enterprise customers should be on alert, researchers said. Indeed, traditional endpoint security solutions don't typically monitor this type of attack vector, which leaves browsers "susceptible and vulnerable," Gupta observed.

It's unclear how Cloud9 is being spread, but so far, Zimperium zLabs has seen no evidence of the malicious extension on the Google Play Store or any other legitimate mobile app shop. For this reason, enterprises should train users on the risks associated with browser extensions that they encounter outside of official repositories, he said. They also should consider what security controls they have in place for such risks in their security posture overall.

Cloud9 Malware Offers a Paradise of Cyberattack Methods

An annual HIPAA security risk assessment is required to meet HIPAA requirements.

**NEW YORK, Nov. 9, 2022 /PRNewswire/** — Compliancy Group reminds healthcare organizations of their obligation to complete their annual HIPAA security risk assessment.

HIPAA compliance largely depends on a HIPAA security risk assessment (SRA). By completing a security risk assessment, healthcare organizations can be better prepared against cyberattacks and other security incidents. To meet HIPAA requirements, healthcare organizations must complete an SRA each year.

Learn more about security risk assessments, SIGN UP for their webinar on Nov. 16th @ 2 pm ET.

"The healthcare industry has become a prime target for hackers. With the threat growing yearly, healthcare organizations must be vigilant to secure patient information. The best way to do that is to conduct a security risk assessment to identify risks so that you can implement additional security measures to prevent incidents from occurring." — Marc Haskelson, CEO and President, Compliancy Group.

Not sure where to start? Compliancy Group has a series of educational materials to help organizations meet their HIPAA requirements. You can find e-books, articles, and webinars that provide tips on meeting your annual SRA requirement.

HIPAA Resources

DOWNLOAD: HIPAA Security Risk Assessment e-book  
DOWNLOAD: HIPAA Compliance Checklist  
How to Conduct a Security Risk Assessment  
HIPAA SRA Requirements

About Compliancy Group

Compliancy Group gives healthcare professionals confidence in their compliance plan, increasing client loyalty, and profitability of their business while reducing risk. Using simplified software and dedicated Compliance Coaches, Compliancy Group removes the complexities and stress of HIPAA. Find out more about Compliancy Group and HIPAA compliance. Get compliant today!

**SOURCE:** Compliancy Group

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Compliancy Group Urges Healthcare Organizations to Complete Their HIPAA Security Risk Assessments

A lack of precision in our terminology leads to misunderstandings and confusion about the activities we engage in, the information we share, and the expectations we hold.

The words safety and security are often the same in many languages. That is also true in the world of cyber, where we frequently say cyber_security_ when we really mean cyber _safety_. They are, however, distinct concepts, and the lack of precision in our terminology leads to misunderstandings and confusion about the activities we engage in, the information we share, and the expectations we hold.

To simplify the distinction between safety and security, it helps to put another descriptor in front of these words. For example, food _safety_ practices include hygiene, third-party inspections, and checklists. Food _security_ evokes concerns about the shortage of baby formula, poisoning of the food supply, and starvation. Food safety and food security are not the same.

**Cyber Safety ≠ Cybersecurity**

Similarly, cyber safety and cybersecurity are not the same. If you believe that compliance does not equal security, perhaps it is because compliance is about safety. Adherence to good safety practices generally improves the quality of the output while security often delays the output. Good safety practices don’t eliminate the possibility of intentional compromise, but practices that promote higher quality outputs enable investigators to quickly rule out accidental causes.

If you wonder why some types of information in cyber are widely shared and others are not, consider that regardless of geopolitical affiliations, we openly share nuclear safety practices but not nuclear security practices. We naturally tend to be transparent about safety but not about security. We generally want safety measures to be very visible, obvious, and well known. Hotels and airlines prominently and repeatedly share the measures they have taken to ensure our safety. Most manufacturing environments prominently showcase a sign relaying how long they have gone without a safety incident. 

Conversely, we tend to keep security measures invisible and unknown (unless we explicitly want to deter attackers through overt displays of guns, guards, and gates). This mindset extends to information sharing and may explain our general reluctance to voluntarily share security information with outside parties (and even internally).

Safety measures may be hidden from view in some cases, such as with car airbags and elevator brakes. Even so we will see inspection certificates to demonstrate that the minimum safety standards have been met. We are subjected to numerous and different inspections in the world of cyber, but the results are often hidden from public view. If routine assessments such as SOC2 and ISO27001 are more akin to safety inspections, perhaps these results should be made public by default (as with SOC3) to communicate when we have met minimum cyber-safety measures.

**Taking Personal Responsibility**

Individual choices have a direct impact on our safety. For example, most of us know what steps we can take to improve our personal hygiene and are appalled when others neglect or ignore such simple steps. Security on the other hand, is often seen as someone else’s responsibility with the individual usually limited to a passive "see something, say something" role.

Safety requires active participation from everyone and most people embrace safety measures as a personal responsibility. Individuals can see how they can directly contribute to the improvement (or deterioration) of safety. We can instill a greater sense of personal responsibility and accountability among an organization's stakeholders to maintain proper cyber hygiene by appropriately recasting many common cyber activities that we ask of others (e.g., patching) as actions to promote cyber safety.

To remind us of our personal responsibility for safety, we receive safety awareness briefings with every flight (with the flight attendants pleading with us to pay attention even if we've already heard it before). If you try to drive away without buckled seat belts, our vehicles chime in with pleasant tones. In many other domains, safety awareness happens regularly and is not reserved for just one month in October.

**Making Safety Usable**

Framing our activities as safety can also help cyber practitioners understand that we cannot go overboard on cyber-safety measures. Many of us may desire for all vulnerabilities patched immediately but requiring food service workers to clean food preparation areas whenever a speck of dust falls would bring productivity to a grinding halt. Similarly, insisting on immediate patching of all code vulnerabilities may hamper software development. For safety measures to be truly effective, we must understand and establish reasonable margins of safety. The fact is that most vulnerabilities do not need to be patched right away, and we can increase our margin of safety by implementing compensating cyber-safety controls, allowing us to postpone patching for a more opportune time.

Importantly, these cyber-safety controls must be easy to use with little to no room for operator error. Unfortunately, we are far from that today. Our current cyber-safety mechanisms operate like child safety seats from the 1980s: Parents must figure out a complex harness system, and if they get it wrong, they are treated as idiots. In our digital environments today, the user is often blamed for being the weakest link despite confusing and unhelpful interfaces.

Making child safety seats easier to install required cooperation from both the car and seat manufacturers as well as a federal requirement to comply with a Latch system. Personal responsibility is still a factor, but the multiparty collaboration among federal regulators, carmakers, and child safety seat manufacturers enabled parents to avoid common mistakes.

Such coordination among producers, consumers, and regulators for cyber safety is sorely lacking in the digital world. But perhaps the starting point is to get everyone on the same page by understanding the real differences between cybersecurity and cyber safety.

What We Really Mean When We Talk About ‘Cybersecurity’

Teleport releases its second annual State of Infrastructure Access and Security report.

**OAKLAND, Calif., Nov. 9, 2022 /PRNewswire/** — Teleport, the leader in identity-native infrastructure access, today revealed its second annual State of Infrastructure Access and Security Report (PDF). The research seeks to uncover the specific challenges facing DevOps, security engineering and other security professionals. The survey found access built on secrets continues to represent the status quo, as 80% of respondents are still using passwords as a top security method. Concerningly, less than a quarter (24%) of respondents are fully confident that ex-employees no longer have access to company infrastructure.

The report offers a representative sample of the common beliefs and observations shared by industry professionals, as well as the actions they take to keep their organizations safe. Key findings include:

*   **Infrastructure is becoming more complex — with no signs of slowing down:** Organizations use on average 5.7 different tools to manage access policy, making it complicated and time-consuming to completely shut off access.
*   **Even the best-laid plans fall victim to complexity or apathy:** More than half (57%) of respondents said their organization has implemented new security methods that failed to be adopted by employees.
*   **Security spending is on the rise:** Even amid the ongoing inflation crisis, 85% of respondents say their security spending increased within the last 12 months.

"The 2022 Infrastructure Access and Security Report definitively shows that DevOps, security engineering and other security professionals understand the challenges they face, as well as the most effective tools for securing their infrastructure," said Ev Kontsevoy, CEO of Teleport. "But while the vision is clear, execution continues to lag behind."

**Infrastructure is only becoming more complex**

One year ago, the 2021 State of Infrastructure Access and Security Report highlighted the incredible complexity of technology architectures. While 77% of respondents said that moving to passwordless access was Important or Very Important, this year's survey reveals that number of respondents using passwords to grant access to infrastructure increased by 10% year over year, from 70% in 2021 to 80% in 2022.

**Crises of confidence and clarity**

When asked how confident they were that employees who leave the company can no longer use secrets to access company infrastructure, less than a quarter of respondents reported being 100% confident that the access had been revoked. Strikingly, nearly half of organizations are less than 50% confident that former employees no longer have access to infrastructure. This lack of confidence is trending in the wrong direction: the share of respondents with less than 50% confidence increased by 55% year over year.

The report found that respondents recognize the need to move toward passwordless access, and the share of those who view this shift as important increased over the last 12 months. Compared with 77% in 2021, 87% of respondents to this year's survey said moving towards a passwordless infrastructure is important or very important. This priority is reflected in company initiatives: 77% of respondents have an active initiative to move towards passwordless access; and 78% of respondents have an active initiative to move to biometric authentication, the most effective tool for establishing human identity for secure access.

While adoption of biometric authentication is promising — more than half (55%) of respondents already use biometrics in their systems — there are still significant barriers to widespread adoption. Notably, 62% of respondents cited privacy concerns as a leading challenge when replacing passwords with biometric authentication, while 55% pointed to a lack of devices capable of biometric authentication.

"With architectures growing in complexity, coupled with the rising number of threats and bad actors, DevOps and security engineering leaders cannot afford to delay any longer in turning their plans into actions," said Kontsevoy. "Secretless, identity-based infrastructure access is the only way forward."

**Methodology**

The 2022 Infrastructure Access and Security Report survey was based on a representative sample of DevOps, Security Engineering, and other security professionals with knowledge about how their company manages access to infrastructure. A total of 500 respondents completed the survey, which was conducted by Schlesinger Group, an independent research company.

The Teleport Infrastructure Access and Security report is available today and can be found here (PDF).  

**About Teleport**

Teleport is the first identity-native infrastructure access platform for engineers and machines. By replacing insecure secrets with true identity, Teleport delivers phishing-proof zero trust for every engineer and service connected to your global infrastructure. The open source Teleport Access Platform provides a frictionless developer experience and a single source of truth for infrastructure access. Teleport is used by leading companies including Elastic, Samsung, NASDAQ, and IBM. The company is backed by Bessemer Venture Partners, Insight Partners and Kleiner Perkins. Headquartered in Oakland, California, the company embraces a remote-first work culture. For more information, please visit goteleport.com.

**SOURCE:** Teleport

Source

DARKReading