**BOSTON****,** **Jan. 19, 2023** **/PRNewswire/ --** Mendix, a Siemens business and global leader in modern enterprise application development, and Software Improvement Group (SIG), an independent technology and advisory firm for software quality, security and improvement, have announced the release of Mendix Quality & Security Management (QSM), a new cybersecurity solution that provides continuous deep-dive insights into security and code quality to immediately address risks and vulnerabilities. The introduction of Mendix QSM enables enterprises to fuel innovation and growth, while managing cyber risks and building future-fit software.

The Mendix low-code development platform enables companies to accelerate the delivery of new innovations. Succeeding the Mendix Application Quality Monitor (AQM), the new Mendix QSM solution provides IT management, quality assurance teams, and software security experts deep visibility across the entire portfolio of Mendix applications. This enables close control of the software development process without compromising the quality and security of software, ensuring that security oversight is always top of mind for customers.

Mendix QSM is powered by Sigrid®, SIG's software assurance guiding platform. Combining more than 20 best-of-class security scanning tools, it provides a comprehensive overview of how security findings impact business objectives. With Mendix QSM, Mendix clients can scan their Mendix applications, including third-party libraries, for vulnerabilities and incorrectly configured security models, rank for compliance with main industry standards such as OWASP, ISO 5055 and PCI, and receive recommendations and clear guidance on risk mitigation.

Mendix QSM is based on static analysis of application models. Mendix models have been mapped to the ISO 25010 Maintainability model by SIG experts based on the Mendix model metadata. This allows for benchmarking of Mendix applications against a database of thousands of projects, including open-source initiatives. Mendix QSM also presents a five-star rating of the software quality. For example, a four-star software rating means issues are resolved three times faster, throughput increases seven-fold, and productivity increases almost 11-fold compared to a two-star rating.

"Mendix and SIG have been Original Equipment Manufacturer (OEM) partners since 2016," said Hans de Visser, chief product officer at Mendix. "In the past six years, we have strived to empower our customers with fast software development and best-of-industry governance tooling to build future-proof applications. Security is top of mind for our customers, and the new cybersecurity capabilities in Mendix Quality & Security Management is a logical extension to cater to the increasing security demands and requirements of our customers. Mendix and SIG expanded the OEM partnership to help Mendix customers manage the quality of their applications proactively, ensuring faster issue resolution with higher technical quality of software."

Luc Brandts, group CEO at SIG_,_ said, "With the number of cyber attacks growing every day, it is crucial for organizations worldwide to manage the build quality and security of their IT landscapes in a continuous fashion. We are providing this service as part of our quality assurance commitment to our customers. This new and improved joint security solution offers Mendix clients from bit to boardroom the transparency and continuous security insights they require in order to build business-ready applications with total confidence."

SIG inspects and certifies thousands of software systems per year on technical quality according to ISO/IEC 25010 and will continue to add new scanning tools and rules to QSM as part of its ongoing service.

**Connect with Mendix**

*   Follow @Mendix on Twitter
*   Connect with Mendix on LinkedIn

**About Mendix**

In a digital-first world, customers want their every need anticipated, employees want better tools to do their jobs, and enterprises know that sweeping digital transformation is the key to survival and success. Mendix, the low-code engine of the Siemens Xcelerator platform, is quickly becoming the application development platform of choice to drive the enterprise digital landscape. Mendix's industry-leading low-code platform, dedicated partner network, and extensive marketplace support advanced technology solutions that boost engagement, streamline operations, and relieve IT logjams. Built on the pillars of abstraction, automation, cloud, and collaboration, Mendix dramatically increases developer productivity and engages business technologists to create apps guided by their particular domain expertise. Mendix empowers enterprises to build apps faster than ever; catalyzes meaningful collaboration between IT and business experts; and maintains IT control of the entire application landscape. Consistently recognized as a leader and visionary by leading industry analysts, the platform is cloud-native, open, extensible, agile, and proven. From artificial intelligence and augmented reality to intelligent automation and native mobile, Mendix and Siemens Xcelerator are the backbone of digital-first enterprises. The Mendix low-code platform is used by more than 4,000 companies worldwide, over 200,000 applications have already been realized, and the active community comprises more than 300,000 developers.

**About SIG**

Software Improvement Group (SIG) guides business and technology leaders to drive their organizational objectives by fundamentally improving the health and security of their software applications. SIG offers Sigrid® - the software assurance guiding platform - to partners and enterprise organizations to help them measure, evaluate and improve code quality.SIG has the world's largest software benchmark with more than 75 billion lines of code across more than 300 technologies. The SIG laboratory has been accredited according to ISO/IEC 17025 for software quality analysis. Founded in 2000, SIG is headquartered in Amsterdam with regional offices in New York, Frankfurt, Brussels, and Copenhagen.

More information: www.softwareimprovementgroup.com

Mendix and Software Improvement Group Launch a New Software Application Quality and Security Scanning Solution

Research shows that over 50% of organizations performing software development
struggle with fully integrating security into their software development
lifecycle.

**BOULDER, Colo. , Jan. 19, 2023 /PRNewswire-PRWeb/ --** Enterprise Management  
Associates (EMA(TM)), a leading IT and data management research and consulting  
firm, has released a new research report, "Secure Coding Practices - Growing  
Success or Zero-Day Epidemic?" authored by Christopher M. Steffen, managing  
research director of security and risk management at EMA, and Ken Buckler,  
research analyst covering security and risk management at EMA.

From 2015 to 2021, the number of new vulnerabilities per year in the National  
Vulnerability Database grew from 6,487 to 20,139.\* This increase in  
vulnerabilities may be due to a significant skills gap when it comes to secure  
software development. In 2019, a review of the top 20 computer science schools  
found that out of all the schools listed, only one listed security as an  
undergraduate degree requirement for computer science.\*\* Simply put, software  
developers are not being taught secure coding practices at colleges and  
universities, and with a significant number of organizations failing to invest  
in any secure coding training whatsoever, even some of the most seasoned  
developers in the industry may have little to no awareness of secure coding  
concepts.

EMA surveyed 129 professionals across multiple industry verticals, seeking to  
understand how organizations are tackling the challenge of developing secure  
software applications. The results revealed that over half of organizations  
performing software development struggle with fully integrating security into  
their software development lifecycle (SDLC), and many organizations are failing  
to make critical investments in enhancing the security knowledge of their  
development teams.

Some of the key findings include:

\-- 69.3% of organizations have SDLCs that miss critical security steps.  
This includes 45.3% of organizations that do not have a dedicated  
validation step in their security SDLC, 20% of organizations that do  
not have a dedicated planning step, and 4% that do not have a  
dedicated implementation step.  
\-- 100% of organizations using a combination of code reviews, code  
scanning tools, and third-party training saw improvement in their code  
security.  
\-- Only 75% of organizations not using training saw improvement in their  
code security.  
All too often when it comes to cybersecurity, the human element is the most  
overlooked component of any system. With lowest adoption rates (54%) and highest  
code security improvement rates (100%), third-party training appears to be the  
critical component in which some organizations are failing to invest.

"The human element is the first and last line of defense when it comes to any  
cybersecurity program," said Buckler. "The rapidly growing number of software  
vulnerabilities discovered per year clearly outlines the need for better  
cybersecurity practices from the ground up. This includes developing secure  
applications from the start through investing in improving the secure coding  
practices of the industry's software development workforce."

A detailed analysis of the research findings is available in the report, "Secure  
Coding Practices - Growing Success or Zero-Day Epidemic?"

EMA will reveal highlights from the report during the free February 7th webinar,  
"Secure Coding Practices - Growing Success or Zero-Day Epidemic?"

Security Journey sponsored this independent research report. Security Journey  
offers robust application security education tools to help developers and the  
entire SDLC team recognize and understand vulnerabilities and threats to  
proactively mitigate these risks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Research From EMA Reveals How Organizations Are Struggling to Develop Secure Software Applications

Corsha’s Annual State of API Secrets Management Report finds over 50% of respondents suffered a data breach due to compromised API secrets.

**WASHINGTON, D.C. – January 19, 2023 –** Corsha Inc., a leading API security company, today released new research that paints a picture of cybersecurity professionals who are both frustrated over how much time and attention they must devote to API security and worried that their defenses still remain inadequate. 

The Corsha team recently surveyed more than 400 security and engineering professionals to learn about their API secrets management practices and the challenges they face in thwarting API attacks. Among the key takeaways:

●86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets.

●Over half (53%) of respondents have already experienced a data breach with unauthorized access to their networks or apps due to compromised API tokens.

●72% of respondents use a secrets management solution yet over half (56%) are still concerned about a potential data breach due to their current secrets management practices.

“Security and engineering teams are forced to divert their attention away from forward-facing engineering to focus on secrets management, yet their organizations remain vulnerable to attackers both through lateral attacks and leaked or compromised API secrets to gain illegitimate access to sensitive data,” said Jared Elder, Chief Growth Officer at Corsha. “Data is everything and the potential risk from data breaches associated with leaked API secrets is clearly high and growing.  Yet with an explosion of credentials to provision, rotate, and manage, the good guys find themselves constantly behind the eight ball.” 

**A Rapidly Changing Threat Landscape**

API usage has exploded over the last several years as companies continue to expand their adoption of could native technologies and API-driven ecosystems such as microservices and serverless architectures, hybrid cloud infrastructures, CI/CD pipelines, and a host of other applications and services that are sending and receiving sensitive information through APIs. According to the Corsha survey, 44% of respondents host their API services across multiple clouds. For many enterprises, this often means disjointed secrets management solutions across disparate environments. 

As a result, Corsha survey respondents spend an inordinate amount of time managing API tokens. 78% reported they manage at least 250 API tokens, keys, or certificates across their networks. Unfortunately, their security strategies for API-based communication cannot keep up with the level of scale and automation that’s possible today.

**Outdated Approaches to a Modern Security Challenge**

All APIs have one thing in common: they connect services to facilitate data transfers. That makes them a favorite target for hackers as the number of APIs that depend on secrets increases, and workflows (e.g., secret provisioning and sharing, secret management, monitoring, control) become more difficult. 

According to the Corsha survey, the top three API secrets management pain points are:

1.  Working with certificate authorities (44%)
2.  Rotating secrets (37%)
3.  Provisioning secrets (36%)

The methods respondents most commonly use to address these pain points are often dated, manual, error-prone, and cumbersome.

While many security teams assign specific entitlements to API keys, tokens, and certificates, the survey discovered that more than 42% do not. That means they’re granting all-or-nothing access to any users bearing these credentials, which although is the path of least resistance in access management, also increases the security risk.

Corsha’s researchers also found that more than 50% of respondents have little-to-no visibility into the machines, devices, or services (i.e., clients) that leverage the API tokens, keys, or certificates that their organizations are provisioning. Limited visibility can lead to secrets that are forgotten, neglected, or left behind, making them prime targets for bad actors to exploit undetected by traditional security tools and best practices.

Another red flag: although 54% of respondents rotate their secrets at least once a month, over 25% admit that they can take as long as a year to rotate secrets.  The long-lived, static nature of these bearer secrets make them prime targets for adversaries, much like the static nature of passwords to online accounts. 

**API Security Best Practices**

The Corsha report also outlines what organizations can do to implement effective secrets management processes, including:

●Integrating a good secrets manager to gain overall visibility into all secrets

●Using mTLS when and where possible

●Always set a short expiry on secrets when possible

●Always sign _and_ verify tokens 

●Don’t store or pass secrets in plaintext

“Today, even the most robust modern secrets management implementation isn’t sufficient to prevent APIs from being exploited, which explains why over half of our survey respondents highlighted the continuing worry of suffering a potential data breach due to their current secrets management practices,” added Scott Hopkins, Chief Operating Officer at Corsha.  “The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight.  Organizations would benefit from a stronger, automated, and highly scalable answer to their API authentication woes that can readily integrate into any environment.  Corsha provides a robust added factor to API authentication to protect an organization’s critical systems and data from savvy and opportunistic bad actors.”

It’s also important for security and development teams to recognize that risk is predominantly shifting from human to machine to machine-to-machine and consider what needs to be done to account for this transformation. 

Corsha is on a mission to simplify API security and allow enterprises, developers, and DevSecOps teams to embrace modernization, complex deployments, and hybrid environments with confidence. Using a dynamic, blockchain-based machine identity, Corsha has developed a patented way to provide multi-factor authentication (MFA) for APIs, where API access may be pinned to only trusted machines. With Corsha, each API call now requires a fresh, one-time use credential, enabling zero-trust access for an organization's API services.  

To learn more about the Corsha Platform, visit: https://corsha.com/the-platform/.

Follow this link to read and download the Corsha State of API Secrets Management Report. 

**About Corsha**

Corsha fully automates multi-factor authentication (MFA) for APIs to better secure machine-to-machine communication. Our product creates dynamic identities for trusted clients, and adds an automated, one-time use MFA credential to every API call, ensuring only trusted machines are able or leverage keys, tokens or certificates across your applications, services, and infrastructure. Halt and resume access to a machine or group of machines without revoking secrets or impacting other workloads, leaving compromised secrets are rendered useless using Corsha.

API-first ecosystems are driven by the machines that power them. Whether those are Kubernetes pods, containers, virtual machines, physical servers, IoT devices, or other form factors, risk is shifting from human to machine as we automate more and securing communication between machines often becomes an afterthought. Today, API secrets like keys, tokens and certificates are used as a way to broker access between machines, but these static secrets are often shared, rarely rotated and are being leaked in CI pipelines, logs and code repositories at an alarming rate. 

Corsha is taking all the goodness of MFA and using the same principals like one time use credentials to secure APIs. This provides teams security, visibility and control into the machines that are accessing your APIs and the ability to revoke API access at the drop of a hat. For more information, visit: https://corsha.com/.

New Survey Sheds Light on Why Enterprises Struggle to Thwart API Attacks

The growing use of mobile devices for MFA and the proliferation of 5G and VoIP in general could result in more attacks in future, experts say.

The growing use of mobile devices for multifactor authentication increasingly has made telecom providers a juicy target for cybercrime. An ongoing SIM card-swapping campaign by a Chinese threat actor called "Scattered Spider" is just the latest example of that trend.

Scattered Spider is an APT group that researchers from CrowdStrike have been tracking for the past several months. The group has been targeting telecom companies and business-process outsourcing (BPO) firms that support these telecom companies with the objective of gaining access to their respective carrier networks.

**SIM-Jacking Via the Carrier Network**

In at least two instances where the threat actor gained that access, they used it to do SIM swapping, a process where an adversary essentially transfers another person's phone number to their SIM card. Attackers can then use the hijacked phone number to access bank accounts or any other account where the legitimate user might have registered the phone as a second form of authentication. SIM jacking also gives attackers a way to register and associate rogue devices to accounts on compromised networks.

Bud Broomhead, CEO at Viakoo, says the wide use of mobile networks for multifactor authentication has painted a big target on telecom providers. "While there have always been efforts to breach telecom systems, the increased reliance on them for security has increased the frequency of attacks against them," he says.

In the campaigns that CrowdStrike observed, Scattered Spider gained initial access to a targeted telecom or BPO network by impersonating IT personnel and convincing individuals working at these organizations to part with their credentials or to grant remote access to their computers. Once inside the target environment the threat actors moved laterally across it — often using legitimate tools such as Windows Management Instrumentation — till they gained access to the carrier network.

The group has targeted multiple telecom firms since at least June 2022 and has simply kept moving to different targets each time it gets booted from one, prompting CrowdStrike to describe the campaign as an "extremely persistent and brazen" threat. Recently, CrowdStrike observed Scattered Spider deploy a malicious kernel driver via a vulnerability exploit as part of its attack chain.

Adam Meyers, senior vice president of intelligence at CrowdStrike, says Scattered Spider's campaign appears to be financially motivated and therefore different from the many attacks on carrier networks focused on cyber espionage.

"Based on what we have seen, they are focused on SIM swapping," Meyers says. "When you have two factor-authentication and do a SIM swap, you can bypass that authentication."

**Crime v. Espionage**

Campaigns like Scattered Spider represent a relatively new kind of attack on carrier networks. In recent years, many campaigns that targeted telecom companies have focused on some form of intelligence-gathering activity and have often involved advanced persistent threat groups from countries such as China, Iran, and Turkey, Meyers notes. The goal usually is to intercept communications and to harvest the detailed information available in call data records (CDRs), he says. CDRs can be very powerful for monitoring and tracking individuals, he says.

Back in 2019, Cybereason reported on one such campaign that it dubbed Operation Soft Cell, where a Chinese APT group infiltrated carrier networks belonging to a major telecommunication company to steal CDRs. The security vendor assessed at the time that the campaign had been active since at least 2012, giving the threat actor access to data that would have helped the government target politicians, foreign intelligence agencies, dissidents, law enforcement, and others.

In 2021, CrowdStrike reported on a multi-year campaign where a threat actor called Light Basin broke into at least 13 telecom networks worldwide and systematically stole Mobile Subscriber Identity (IMSI) data and call metadata on users. The threat actor installed tools on the carrier networks that allowed it to intercept call and text messages, call information, and records for tracking and monitoring targeted individuals.

More recently, Bitdefender reported observing a Chinese threat actor targeting a telecom firm in the Middle East in a cyber-espionage campaign. "The attack carries the hallmarks of BackdoorDiplomacy, a known APT group with ties to China," says Danny O’Neill, director of MDR operations at Bitdefender. The initial compromise used binaries vulnerable to side-loading techniques and likely involved an exploit of the ProxyShell vulnerability in Microsoft Exchange Server, he says.

"Once inside, the APT used multiple tools — some legit and some custom — and malware to spy, move laterally across the environment, and evade detection," he says.

**Catalysts for More Attacks?**

Meyers and others expect that the proliferation of 5G networks and VoIP services in general in coming years will make it easier for threat actors to execute these attacks on telecommunication companies. Newer telecom services such as 5G are susceptible to cyberattacks because everything — including the core networks — are software designed, O'Neill says. That means all the risks associated with software technologies will manifest on carrier networks as well, he says.

"There are going to be a greater number of cells, pico-cells, and micro-cells required to deliver the coverage given the much higher operating frequencies of 5G," O'Neill points out. From an attacker's perspective, this equates to more access and entry points, he says.

"The almost universal adoption of voice over IP technology has made pretty much every network a data network and blurred the lines between mediums," says Mike Parkin, senior technical engineer at Vulcan Cyber. "It's hard to separate old school voice telecommunication from today’s data networks," he says.

**Why Disruptive Cyberattacks Remain Rare**

One notable aspect of attacks on carrier networks is that very few so far have involved attempts to cause widespread service outages or sabotage — a major concern with attacks on organizations in other critical infrastructure sectors. In its 2019 report, Cybereason in fact had noted how the attackers could have used their access on the telecom network to do pretty much anything they had wanted: "A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network."

That is an assessment that Meyers shares about the Scattered Spider campaign as well.

One reason why disruptive cyberattacks on telecom infrastructure might not have happened so far is because they are really not necessary.

"The primary motivation for attacks on signal-carrying networks is espionage," says John Bambenek, principal threat hunter at Netenrich. "Certainly, there are sabotage interests, but those are usually correlated to the proximity of physical conflict." As an example, he points to Russian attacks on Ukraine's telecom infrastructure at the start of the war.

Pulling off a disruptive cyberattack on a telecom network often is not needed because other, more straightforward options are available. "What we see many examples of is disruption due to physical means. Getting a little out of hand with a backhoe in the wrong place has disrupted communications for entire metropolitan areas," he says.

The shift to VoIP means old school tactics such as DDoS attacks could soon become an effective way to disrupt a carrier network, adds Parkin. Even so, other methods are easier, he says.

"A crowbar can gain access to a wiring trunk, and a pair of bolt cutters can make short work of the cables inside," Parkin says. "Taking out wireless communications takes more sophisticated equipment, but a couple of signal jammers could take down a surprisingly large area."

**Regs to the Rescue**

Going forward, governments and regulatory bodies will have to take a more active role in ensuring the security of the telecom sector against cyberattacks. Parkin points to recent steps by the US, UK, and other governments to mitigate against perceived "high risk" vendors and equipment manufacturers that sit at the core of telco networks as an example of what's needed in future.

"Government influence in achieving end-to-end cybersecurity should focus foremost on governance and regulatory requirements," O'Neill notes. "Existing policies and standards need to be developed and strengthened to incorporate new services like 5G."

He fears that operators, if left unchecked, could default to focusing on availability and convenience at the expense of security.

Cybercriminals Target Telecom Provider Networks

Craft specific awareness training for high-exposure teams like finance, and reinforce other critical awareness training across the organization.

After hardening our corporate environment and improving our device management as the chief information security officer (CISO) with other organizations, I began to notice the threat landscape changing and evolving rapidly. Specifically, social engineering and phishing tactics shifted seemingly overnight and continued to stay steps ahead of our awareness training.

Instead of sending emails to corporate addresses protected with multiple security solutions, cybercriminals started doing their homework, using social media sites like LinkedIn to capture names, roles, and photos to build dossiers on individual users.

They then started engaging our employees through messaging apps like WeChat, Facebook Messenger, WhatsApp, and Signal. The cybercriminals set up accounts under the names of senior managers or executives from our company. They used names and photos they found on social media to mimic the person's name and likeness. They became very effective at becoming the person they were imitating.

After creating these social accounts, the cybercriminals then used them to reach out to unsuspecting employees. The employees saw the name and photo, and immediately assumed they were chatting with someone they knew. The fake account holder then asked them to make changes or process requests. They used the pretext that they'd been locked out of their corporate account or that they were looking at a merger and acquisition and didn't want to put the request into the corporate system as cover for instigating the request from a personal account. Next, they asked for a purchase order to be paid or for a bank account number to be changed.

When done legitimately, these requests typically followed standardized processes to prevent these exact types of scams. Yet, over and over again I saw how powerful these fake identities were in causing my employees to forget these processes. Instead, they genuinely wanted to help and truly believed that's what they were doing.

We had a few of these reported over the course of a week. This led to us crafting specific awareness training — a unique program for high-impact teams, including finance, human resources, accounting, and others. We adapted our annual awareness training to reflect this change in tactics. We also added examples of these types of attacks to our internal newsletters and communicated them to our entire organization.

Attackers will learn how to get to our end users. They have every incentive to do so. If they don't get to our employees, then they don't make money. They are financially motivated, and they will continue to adapt to find a way to be successful.

Here are six ways your organization can adapt to protect your employees and your business.

**Conduct security awareness training**

Ensure your organization is trained. Every user needs to be aware of these types of attacks and fraud attempts. They can detect, report, or simply ignore them if they have the right knowledge. This will not only help to protect the business, it will also help protect our employees in their personal lives, as they will be less likely to fall for these types of attacks against their personal accounts.

**Update apps and mobile devices**

All software has flaws. When a patch is available, it's always best to update it. Even if there isn't a listed security fix, things that are not part of the updated notes are being updated or fixed.

**Encourage use of privacy settings**

Most applications have privacy settings. Warn employees against leaving their accounts, profiles, and posts up for anyone to see. Apply privacy to prevent unsanctioned eyes from seeing your content. Don't allow pictures and personal information to be downloaded without the user’s consent. This won't be available on every platform, but it's always wise to set privacy settings to see the available options.

**Focus on credentials**

Encourage employees to use strong credentials when signing up for accounts. The last thing you want is for someone to compromise your account and then use it to trick your contacts. Mandate strong passwords and enable two-factor authentication where available or, better yet, multifactor authentication.

**Think before you click**

Explain the importance of being mindful of clicking links. Not every link is legitimate. Teach users to consider the context surrounding the link being shared before clicking on it. Where possible, hover over the link and see if the link is going to the domain you'd expect. When in doubt, don't follow odd requests.

**Ignore sketchy messages**

Establish a protocol for giving strange requests greater scrutiny. If it's a stranger, ignore it. If it claims to be from a known person, verify. Reach out via another method, like a corporate messaging solution such as Slack or Teams, or verify using a mobile number. Remember, often, employees want to help or avoid bothering a superior, so make sure they know that will not be the case.

In all my interactions with executives and senior business leaders, I have never had one complaint when I reached out to verify their identity or confirm one of their requests. So don't be afraid to do it. It's easier to confirm ahead of time than to explain why a predetermined process that led to the company losing money got ignored.

Cybercriminals and scammers are good at their jobs, and we wouldn't have ours if they weren't. They are social engineering experts. They know how to appeal to emotions and get people to act the way they want. But following these steps can reduce the risk of falling victim to their requests.

Stay safe out there, friends!

Read more _Partner Perspectives_ from Zscaler.

As Social Engineering Tactics Change, So Must Your Security Training

Ensuring that data can be easily discovered, classified, and secured is a crucial cornerstone of a data security strategy.

The explosion of data and applications has made multicloud – where the organization's data is stored on multiple cloud platforms and applications -- a reality for many organizations. Along with expanding the attack surface, the multicloud makes the task of securing and managing data even more challenging.

Almost 20% of CISOs responding to a data security survey from Eureka Security and YL Ventures say they don't know what database/platform they use to store the organization's sensitive data.

The survey defined sensitive data as personally identifiable information (PII), personal health information (PHI), secrets such as passwords and application tokens, and payment card information (PCI). In this survey, PII was the most common sensitive data stored (84%), followed by secrets (55%), PHI (29%) and PCI (29%).

Most CISOs say they employ tools and methodologies for limiting access to data. The majority of respondents say they rely on dedicated groups (92%) and network policies (51%).

**Sensitive Data Stored in the Cloud**

There are organizations still leery about migrating application workloads to the cloud because of concerns about storing sensitive data in servers they don't have full control over. However, the survey suggests that most organizations are not letting data security concerns hold them back from the cloud. About 45% of respondents say they store sensitive data in public clouds, and the same number of respondents say they rely on a hybrid approach, with sensitive data stored across cloud and on-premise systems. Just 2% of respondents say sensitive data are stored on-premises.

In fact, 22% of respondents stated that more than half of their cloud data is sensitive.

Respondents were also asked to list the top three databases/platforms used to store sensitive data. PostgreSQL was by far the most popular database (41%) and MySQL, MsSQL, Oracle, and Snowflake had the same usage rates (22%). The report notes that many CISOs are relying on "lift-and-shift" – where they are moving from on-premises to cloud without adopting cloud-specific data security controls, such as classification and masking policies.

There is also a bit of a disconnect between the number of respondents who say they store sensitive data in cloud systems and the number of respondents who use cloud platforms. Of the top 5 platforms, Snowflake is the only one specifically built for the cloud with end-to-end cloud data security features.

The Addressing Cloud Data Security in the Multi-Cloud Era report is available from Eureka Security and YL Ventures.

Data Security in Multicloud: Limit Access, Increase Visibility

Without noncompetes, how do organizations make sure employees aren't taking intellectual property when they go work to work for a competitor?

**Question: How would the FTC rule on noncompetes affect data security?**

**Jadee Hanson, CIO and CISO, Code42:** The Federal Trade Commission's proposed rule grants employees well-deserved autonomy regarding where they work, and when. However, it also complicates the relationship between employer and employee when it comes to data ownership, and security teams need to be aware that, if passed, their employees could easily leave their company for a competitor, with sensitive data and intellectual property (IP) in tow.

One reason noncompetes exist is to keep company data and intellectual property from leaking to competitors. It's easy to verify when a former employee takes a new position with a competitor, but not so easy to know if that employee took company data with them. I would argue that companies should not be relying solely on noncompete agreements to keep their valuable IP safe — but their potential ban makes it even more important to have the proper data security in place.

Organizations should incorporate technologies and processes that can identify risky file movements without inhibiting the organization's collaborative culture and employee productivity. They need technology that can see movement across a variety of cloud applications, automate security alerts, and prioritize insider risk concerns. Today, data is highly portable, and users are doing their jobs off the company network — greatly decreasing security's visibility into file movements. Potential risk indicators could include file movements made while users are off-hours, changing file extensions, or having access to the files of a highly confidential project. Without technology providing the right visibility, it's nearly impossible for security to focus on the right protections and mitigate the overall data exposure risk.

There's an assortment of tools that business leaders can choose from, but the most effective data protection technology can tell the difference between trusted and untrusted locations and allows employees to openly collaborate. In particular, insider risk management tools allow you to monitor, filter, and prioritize risk events, detecting when files are moving to noncorporate locations, including personal devices and cloud storage solutions.

This being said, it's not solely about the tools. Security and HR teams should also be sure to define formal onboarding and offboarding policies for employees, proper data handling training, and processes to address insider risks as they are found. A good security culture starts with a security team that is willing to empower the entire organization to get its job done. Using a "trust but verify" approach allows leaders to facilitate positive, trusting relationships with employees, using monitoring tools to ensure they're only intervening when it's absolutely necessary. The way organizations manage the relationship between their security teams and the broader employee and user base has decisive effects on retention and the overall employee experience. If security, legal, and HR teams approach insider risk events in the same combative, and sometimes hostile, manner they do external threats, it can increase tension between themselves and the rest of the organization, sowing the seeds for a culture of distrust among employees.

At the end of the day, it's on every employee in the workforce to do their part in keeping the company secure, and creating a security-aware culture from the get-go is a great way to create this vigilance.

By embodying a security-focused attitude and having a holistic data protection program in place internally, security leaders can have peace of mind knowing that they're maintaining a positive work environment for their teams while also feeling confident that important competitive data is not leaving with employees.

How Would the FTC Rule on Noncompetes Affect Data Security?

These specialized database servers, which collect and archive information on device operation, often connect IT and OT networks.

Databases are a common point of attack by threat actors, but an uncommon type of database is gaining attention as a potentially critical target: data historian servers.

On Jan. 17, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that a set of five vulnerabilities found in the the GE Proficy Historian server could leave unpatched servers vulnerable to exploitation of poor access controls and the upload of dangerous files. GE is not alone: In the past, security researchers have found security issues in Schneider Electric's Vijeo Historian Web server and Siemens' SIMATIC Process Historian.

The servers could be used as a bridge between an organization's information technology (IT) network and its operational technology (OT) network, Uri Katz, a security researcher for cybersecurity firm Claroty's Team82 stated in its advisory on the GE Proficy vulnerabilities. 

"\[D\]ue to its unique position in between the IT and OT networks, attackers are targeting the historian, and could use it as a pivot point into the OT network," Katz said, adding that "historians often contain valuable data about industrial processes, including data about process control, performance, and maintenance."

Data historian servers — also called operational historians or process historians — give companies the ability to monitor and analyze data from their industrial control systems and physical-device networks. Essentially a data lake to store time-series data in an industrial setting, historians collect real-time information on critical infrastructure, manufacturing, and operations. 

For attackers, however, the historian server represents an opportunistic bridge between the IT and OT segments of a network because it is typically a centralized database connected to both. Because of this, historian servers have been identified as a likely target of attack in ICS networks, including adversary-in-the-middle attacks and database injection attacks, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

**DMZ**

While combining IT and OT networks can make industrial technology more agile and cost effective, "multi-network integration strategies often lead to vulnerabilities that greatly reduce the security of an organization, and can expose mission-critical control systems to cyber threats," CISA stated in its Control Systems Cyber Security Defense in Depth Strategies document.

While only one of the four advisories for industrial control systems published by the agency on Jan. 17 had to do with historian servers, CISA has warned in the past about vulnerable historian servers, such as Siemens SIMATIC Process Historian in 2021. In its previous incarnation as the ICS-CERT, the organization also warned about default passwords in Schneider Electric's Wonderware Historian in 2017 and vulnerabilities in Schneider Electric's Vijeo Historian Web Server in 2013.

Claroty's Team 82 research group installed the historian software, enumerated the structure of the messages it uses to communication, and looked for authentication bypasses to compromise the server. It found vulnerabilities that could allow an attacker to bypass authentication, delete a code library, replace the library with malicious code, and then run that code.

So far, no attack using a historian server has caused a publicized breach, Claroty's Katz said in an email interview. Yet historian servers do represent an interconnection between operational and information networks that will likely be exploited in the future, he added.

"Historian servers are generally not Internet-facing, but they are often located in the DMZ layer between the enterprise network and OT network," he said. "Some of the vulnerabilities can be chained to bypass authentication and gain pre-authentication remote code execution."

**History Lessons**

Industrial and critical-infrastructure organizations should include historian servers in their cybersecurity planning, experts say. In a list of five scenarios that companies should perform as industrial control system (ICS) tabletop exercises, the SANS Institute's Dean Parsons included a breach that uses a data historian to gather data on sensitive devices and controls.

"A set of compromised IT Active Directory credentials \[could be\] used to access the Data Historian, then pivot into the industrial control environment," said Parsons, who is also CEO and a principal consultant of ICS Defense Force. "It is critical that ICS networks be segmented from the Internet and from the IT business network."

Organizations should ensure historian servers are up to date and separated from other parts of the network, Claroty's Katz said. "Network segmentation is ... a mitigation that could help against these vulnerabilities and keep attackers from using them as a pivot point from IT to OT," he says.

Some ICS cybersecurity vendors, such as Waterfall Security and Clarify, limit access to the historian servers. They instead clone the system in the IT network segment or offer an intermediary service, allowing engineers and technicians to access the data while preventing attackers from executing code or changing data.

Vulnerable Historian Servers Imperil OT Networks

The founder and majority owner of a cryptocurrency exchange, Bitzlato Ltd. (Bitzlato), was arrested last night in Miami for his alleged operation of a money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements. 

Anatoly Legkodymov, 40, a Russian national who resides in Shenzhen, People’s Republic of China, is scheduled to be arraigned this afternoon in the U.S. District Court for the Southern District of Florida. French authorities and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) are taking concurrent enforcement actions.

"Today the Department of Justice dealt a significant blow to the cryptocrime ecosystem," said Deputy Attorney General Lisa O. Monaco. “Overnight, the Department worked with key partners here and abroad to disrupt Bitzlato, the China-based money laundering engine that fueled a high-tech axis of cryptocrime, and to arrest its founder, Russian national Anatoly Legkodymov. Today’s actions send the clear message: whether you break our laws from China or Europe – or abuse our financial system from a tropical island – you can expect to answer for your crimes inside a United States courtroom.”

“As alleged, the defendant helped operate a cryptocurrency exchange that failed to implement required anti-money laundering safeguards and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “The National Cryptocurrency Enforcement Team’s tremendous efforts to disrupt Bitzlato and arrest the defendant demonstrate that we will continue to work with our partners – both foreign and domestic – to combat cryptocurrency-fueled crimes, even if they transcend international borders.”

According to court documents, Legkodymov is a senior executive and the majority shareholder of Bitzlato, a Hong Kong-registered cryptocurrency exchange that operates globally. Bitzlato has marketed itself as requiring minimal identification from its users, specifying that “neither selfies nor passports \[are\] required.” On occasions when Bitzlato did direct users to submit identifying information, it repeatedly allowed them to provide information belonging to “straw man” registrants.

“Institutions that trade in cryptocurrency are not above the law and their owners are not beyond our reach,” said U.S. Attorney Breon Peace for the Eastern District of New York. “As alleged, Bitzlato sold itself to criminals as a no-questions-asked cryptocurrency exchange, and reaped hundreds of millions of dollars’ worth of deposits as a result. The defendant is now paying the price for the malign role that his company played in the cryptocurrency ecosystem.”

As a result of these deficient know-your-customer (KYC) procedures, Bitzlato allegedly became a haven for criminal proceeds and funds intended for use in criminal activity. Bitzlato’s largest counterparty in cryptocurrency transactions was Hydra Market (Hydra), an anonymous, illicit online marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services that was the largest and longest running darknet market in the world. Hydra users exchanged more than $700 million in cryptocurrency with Bitzlato, either directly or through intermediaries, until Hydra was shuttered by U.S. and German law enforcement in April 2022. Bitzlato also received more than $15 million in ransomware proceeds.

“The FBI will continue to pursue actors who attempt to mask their criminal activity behind keyboards and use means such as cryptocurrency to evade law enforcement,” said Assistant Deputy Director Brian Turner of the FBI. “We, along with our federal and international partners, will work relentlessly to disrupt and dismantle these types of criminal enterprises. Today’s arrest should serve as a reminder the FBI will impose risk and consequences upon those who engage in these activities.”

“As alleged today, Legkodymov knowingly allowed Bitzlato to become a perceived safe haven for funds used for and resulting from a variety of criminal activities,” said Assistant Director in Charge Michael J. Driscoll of the FBI New York Field Office. “The FBI and our partners remain steadfast in our commitment to keeping cryptocurrency markets – as with any financial market – free from illicit activity.  Today’s action should serve as an example of this commitment as Legkodymov will now face the consequences of his actions in our criminal justice system.”

As alleged in the complaint, Bitzlato’s customers routinely used the company’s customer service portal to request support for transactions with Hydra, which Bitzlato often provided, and admitted in chats with Bitzlato personnel that they were trading under assumed identities. Moreover, Legkodymov and Bitzlato’s other managers were aware that Bitzlato’s accounts were rife with illicit activity and that many of its users were registered under others’ identities. For instance, on May 29, 2019, Legkodymov used Bitzlato’s internal chat system to write to a colleague that Bitzlato’s users were “known to be crooks,” using others’ identity documents to register their accounts. Legkodymov was repeatedly warned by colleagues that Bitzlato’s customer base consisted of “addicts who buy drugs at \[\] Hydra” and “drug traffickers,” with one senior executive even stressing that Bitzlato should combat drug dealers only “nominally,” to avoid hurting the company’s bottom line. An internal spreadsheet saved in Bitzlato’s shared management folder encapsulated the company’s view of itself: “Positives: No KYC. . . . Negatives: Dirty money. . . .”

As alleged in the complaint, although Bitzlato claimed not to accept users from the United States, it did substantial business with U.S.-based customers, and its customer service representatives repeatedly advised users that they could transfer funds from U.S. financial institutions. Moreover, Legkodymov – who himself administered Bitzlato from Miami in 2022 and 2023 – received reports reflecting substantial traffic to Bitzlato’s website from U.S.-based Internet Protocol addresses, including over 250 million such visits in July 2022.

Legkodymov is charged with conducting an unlicensed money transmitting business. If convicted, he faces a maximum penalty of five years in prison.

Concurrent with the arrest announced today, French authorities, working with Europol and partners in Spain, Portugal, and Cyprus, dismantled Bitzlato’s digital infrastructure, seized Bitzlato’s cryptocurrency, and took other enforcement actions.

In addition, the Treasury Department’s FinCEN announced an Order pursuant to section 9714(a) of the Combating Russian Money Laundering Act, as amended, identifying Bitzlato as a “primary money laundering concern” in connection to Russian illicit finance. The order imposes a special measure prohibiting certain transmittals of funds involving Bitzlato by any covered financial institution.

National Cryptocurrency Enforcement Team (NCET) Trial Attorneys Alexander Mindlin, Scott Meisler, and Matthew Blackwood of the Justice Department’s Criminal Division and Assistant U.S. Attorney Artie McConnell for the Eastern District of New York are prosecuting the case, with assistance from Paralegal Specialist Mary Clare McMahon.

The Justice Department investigated this case in close coordination with French law enforcement authorities and the Treasury Department’s FinCEN, both of which took separate enforcement actions today under their respective authorities. The Justice Department’s Office of International Affairs and the FBI’s Legal Attaché in France provided critical assistance in this case, with significant support from the department’s Cyber Operations International Liaison. The NCET and U.S. Attorney’s Office for the Eastern District of New York also extend their appreciation to the Cyber Division of the Paris Prosecution Office and to France’s Gendarmerie Nationale Cyberspace Command (Cyber Crime Investigation Unit / C3N). Assistance was also provided by the Customs and Border Protection, the Transportation Safety Administration, and the New York City Police Department. EUROPOL and Dutch and Belgian authorities have contributed to the overall investigation with respect to operational expertise, coordination, and information-sharing.

The NCET was established to combat the growing illicit use of cryptocurrencies and digital assets. Under the Criminal Division, the NCET conducts and supports investigations into individuals and entities that enable the use of digital assets to commit and facilitate a variety of crimes, with a particular focus on virtual currency exchanges, mixing and tumbling services, and infrastructure providers. The NCET also sets strategic priorities regarding digital asset technologies, identifies areas for increased investigative and prosecutorial focus, and leads the department’s efforts to collaborate with domestic and foreign government agencies as well as the private sector to aggressively investigate and prosecute crimes involving cryptocurrency and digital assets. 

_A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law._

Founder and Majority Owner of Cryptocurrency Exchange Charged With Processing Over $700 Million of Illicit Funds

Layoffs intended to cut costs, help company shift its focus on cybersecurity services, Sophos says.

A slowing economy and a strategic push into the cybersecurity services market were reportedly behind a decision to cut some 450 jobs at Sophos.

Although reports haven't confirmed the exact number of layoffs at Sophos, a company spokesperson, Jitendra Bulani, told TechCrunch the restructuring could potentially impact as much as 10% of the global Sophos workforce.

"Sophos is taking these steps for two main reasons: first, to ensure that we achieve the optimal balance of growth and profitability to support Sophos’ long-term success, which is particularly important in the midst of a challenging and uncertain macro environment, and second, to allocate our investments across the company to support our strategic imperative to be a market leader in delivering cybersecurity as a service," Jitendra said.

Sophos was acquired by Thoma Bravo for $3.9 billion in March 2020.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading