We can bridge that gap by spreading the word about the opportunities, the requirements, and the many tools available to help applicants break into the field.

Cybercrime seems to be in the headlines every day, as ransomware demands escalate and distributed denial-of-service (DDoS) attacks and other assaults paralyze and damage enterprises of all types and sizes. In 2021, the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) received 847,376 reports of cyberattacks, up 7% from 2020, with a growing focus on critical infrastructure and the supply chain. The costs of cybercrime are astronomical, approaching $7 billion, according to FBI statistics.

Hoping to remediate, or preferably prevent, such attacks, companies work daily to bolster their cybersecurity measures. The federal Cybersecurity and Infrastructure Security Agency launched its Shields Up campaign this year to encourage proactive defenses against potential cyberattacks prompted by US sanctions placed on Russia. Insurance companies, meanwhile, are raising premiums and limiting coverage for organizations with inadequate cyber protection.

As willing as employers may be to comply, one of the biggest challenges is finding the staff to implement stronger defenses. In the US alone, there are currently more than 700,000 openings in cybersecurity, a 43% increase over last year, according to CyberSeek. Demand isn't confined to the tech industry; it's growing in sectors such as finance, as well. Employers are struggling to fill these critical posts now but can't find enough applicants, never mind being able to meet future demand.

**Misconceptions and Missed Potential**

One of the major reasons for the severe shortage is the common misconception that it's necessary to have a STEM or security-related degree to work in cybersecurity. This is not the case. Self-motivated individuals with some level of technical skill and problem-solving experience are great candidates. The challenge is to communicate the opportunity and actual requirements so we can begin tapping this potential pool of talent.

Obviously, some familiarity with technology is a must, as it would be difficult to bring in someone with no technical background at all. But that background does not need to be specific to cybersecurity, because many job skills are readily transferable. For example, IT system admins accustomed to patching systems and investigating suspicious or unusual events will find their experience useful in cybersecurity. When I was a systems admin, I was often in meetings with the security team. I learned about vulnerabilities, and it was my responsibility to patch them. That kind of experience is invaluable for anyone considering a cybersecurity career.

We need to search out people with the innate ability to recognize what's normal and investigate deviations from that norm. If they've been involved in troubleshooting, that's a plus. Even seemingly unrelated backgrounds can come in handy. For instance, self-taught techies who love to tinker and have figured out how to build their own systems and solve problems in the process could have a future in the cybersecurity field.

**Resources for the Resourceful**

Let's make it clear that a college degree, specifically in cybersecurity, isn't the only way into this field. There are many training resources available for potential candidates who want to improve their qualifications. Self-learners can take free or low-cost online courses in cybersecurity and networking. Completing this type of training will strengthen a candidate's resume and open up more opportunities.

CyberSeek is a terrific organization dedicated to closing the cybersecurity talent gap. It offers information and resources for students, job seekers, employers, educators, and more. Among its offerings is a list of cybersecurity training available at little or no cost.

(ISC)2 is an excellent resource for experienced IT professionals as well as those just starting out in the field. It offers a range of certifications for everyone from students and entry-level candidates without a technical background to those with years of experience who want to expand or update their knowledge. Its high-level certified information systems security professional (CISSP) certification takes commitment but is considered one of the best in the industry.

There are other less demanding options that might be a good starting point, including Pluralsight's boot camps for coding. Security BSides (often called just BSides) is a nonprofit organization that hosts conferences to share knowledge on information security and provide networking opportunities. TryHackMe bills itself as "a fun way" to learn about cybersecurity through interactive, real-world scenarios suitable for all skill levels. Additionally, Amazon, IBM, and Microsoft each have a variety of free courses that prepare candidates for a career in the field.

**Talk About Rewards**

There's ample reason to hope the public will respond to our compelling message. A CISSP earns $131,030 a year, according to (ISC)2. Yet there are benefits beyond a healthy salary and job availability — protecting against cyber threats can be fulfilling in so many more ways.

For example, those with a military or law enforcement background might find cybersecurity particularly rewarding because it gives them the chance to continue performing meaningful work that protects society at large.

It's clear we must do all we can to attract desperately needed talent into the security industry. We can do that by spreading the word about the opportunities, the requirements, and the many tools available to help applicants break into the field.

How to Narrow the Talent Gap in Cybersecurity

A well-crafted — and tested — disaster recovery plan can minimize downtime and is a key component of business continuity plans.

**CAMBRIDGE, Mass., Nov. 2, 2022 /PRNewswire/** — A new report by MIT Technology Review Insights explores why cybersecurity attacks pose an existential risk to small and midsize enterprises (SMEs) and how they can plan for disaster recovery in case of an attack.

The report, "A new age of disaster recovery planning for SMEs," is produced in association with OVHcloud and draws on in-depth interviews with cybersecurity experts from technology firms including VMware, Fortalice Solutions, and 451 Research. The findings are as follows:

**Cyberattacks have grown more frequent and sophisticated, and SMEs are in the firing line.** The data tells a worrying story. With the pandemic, along with geopolitical factors, causing shifts in how we live and work, the case for disaster recovery planning has never been more urgent. According to one cross-industry study, midsize companies were almost 500% more likely to be targeted by the end of 2021 than two years ago.

**A well-built disaster recovery plan can significantly minimize and even eliminate downtime.** Disaster recovery plans are a key component of business continuity plans. While business continuity focuses on overall strategy, including policies and procedures for recovery following an incident, disaster recovery focuses on IT infrastructure, data, and applications. A well-crafted disaster recovery plan includes clear definitions of recovery time objective (RTO) and recovery point objective (RPO).

**Backups and replication of data are essential for disaster recovery.** With cybercriminals spending over 200 days in companies' systems before being noticed and corrupting backups, SMEs need to store their data in multiple formats on different systems or look toward a data replication solution to ensure near-instantaneous recovery.

**An unexamined disaster recovery plan could bring enterprises back to square one.** Disaster recovery plans are essentially pointless without regular practice runs—and how often this practice should be done depends on how fast an organization is growing or adopting new technologies. Experts say such plans should be updated and tested at least annually, and ideally every quarter.

"Today's data is generated and distributed across highly complex ecosystems—multicloud, hybrid cloud, edge, and internet of things," says Kwee Chuan Yeo, editor of the report. "Enterprises' surface exposure to risks has ballooned. It's not just big corporations that are at risk. Smaller, less sophisticated companies are easier targets due to their lack of resources and expertise."

"While having the right disaster recovery plan for your business needs is critical to your business continuity, it's just as important that sufficient measures are taken to ensure IT resilience can be achieved at both the software and infrastructure level," says Jeffrey Gregor, OVHcloud US General Manager. "Distributed data protection, as the name implies, is when your data is distributed across multiple geographical locations. Making your data available in more than one place helps achieve a more robust disaster recovery plan in the event one location is compromised."

**To download the report, click here.**

**About MIT Technology Review Insights**

MIT Technology Review Insights is the custom publishing division of MIT Technology Review, the world's longest-running technology magazine, backed by the world's foremost technology institution—producing live events and research on the leading technology and business challenges of the day. Insights conducts qualitative and quantitative research and analysis in the US and abroad and publishes a wide variety of content, including articles, reports, infographics, videos, and podcasts. And through its growing MIT Technology Review Global Insights Panel, Insights has unparalleled access to senior-level executives, innovators, and entrepreneurs worldwide for surveys and in-depth interviews.

**SOURCE:** MIT Technology Review Insights

SMEs Must Plan for Recovery from Cybersecurity Attacks Amid Shifting Threats, Says MIT Technology Review Insights

Cybersecurity concerns and education have not mitigated the overuse of the same passwords in 2022.

**BOSTON, Nov. 1, 2022** **—** LastPass today released findings from its fifth annual Psychology of Password findings, which revealed even with cybersecurity education on the rise, password hygiene has not improved. Regardless of generational differences across Boomers, Millennials and Gen Z, the research shows a false sense of password security given current behaviors across the board. In addition, LastPass found that while 65% of all respondents have some form of cybersecurity education — through school, work, social media, books or courses via Coursera or edX — the reality is that 62% almost always or mostly use the same or variation of a password.

The goal of the LastPass Psychology of Passwords research is to showcase how password management education and use can secure users' online life, transforming unpredictable behavior into real and secure password competence. The survey, which explored the password security behaviors of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviors surrounding their online security. The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behavior and can create a detrimental false sense of safety.

**Key findings from the research include:**

*   **Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene.** As the generation who has lived most of their lives online, Gen Z (1997 – 2012) believes their password methods to be “very safe.” They are the most likely to create stronger passwords for social media and entertainment accounts, compared to other generations.
    
    However, Gen Z is also more likely to recognize that using the same or similar password for multiple logins is a risk, but they use a variation of a single password 69% of the time, alongside Millennials (1981 –1996) who do this 66% of the time. On the other hand, Gen Z is the generation most likely to use memorization to keep track of their passwords by 51%, with Boomers (1946 – 1964) the least likely to memorize their passwords at 38%.
    
*   **Cybersecurity education doesn’t necessarily translate to action.** With 65% of those surveyed claiming to have some type of cybersecurity education, the majority (79%) found their education to be effective, whether formal or informal. But of those who received cybersecurity education, only 31% stopped reusing passwords. And only 25% started using a password manager.
*   **Confidence creates a false sense of password security.** While 89% of respondents acknowledged that using the same password or variation is a risk, only 12% use different passwords for different accounts, and 62% always or mostly use the same password or a variation. To add to that, compared to last year, people are now increasingly using variations of the same password, with 41% in 2022 vs. 36% in 2021.

“Our latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyberattacks, there continues to be a disconnect for people when it comes to protecting their digital lives,” said Christofer Hoff, Chief Secure Technology Officer for LastPass. “The reality is that even though nearly two-thirds of respondents have some form of cybersecurity education, it is not being put into practice for varying reasons. For both consumers and businesses, a password manager is a simple step to keep your accounts safe and secure.”

For more information and to download the full Psychology of Passwords research findings, please click here.

**Survey Methodology**

LastPass commissioned the market research firm Lab42 to reveal the current state of password behaviors in the new era of remote work. The responses were generated from a survey of 3,750 professionals at organizations across a variety of industries in the United States, United Kingdom, Germany, Australia, Singapore, and Brazil. The survey asked the professionals surveyed about their feelings and behaviors regarding online security. The result? An increase in time spent online with continued poor password behavior and cognitive dissonance.

**About LastPass**

LastPass is an award-winning password manager which has helped more than 33 million registered users organize and protect their online lives. For more than 100,000 businesses of all sizes, LastPass provides password and identity management solutions that are convenient, easy to manage and effortless to use. From enterprise password management and single sign-on to adaptive multifactor authentication, LastPass for Business gives superior control to IT and frictionless access to users. For more information, visit https://www.lastpass.com. LastPass is trademarked in the U.S. and other countries.

LastPass Research Finds False Sense of Cybersecurity Running Rampant

Insurance and legislation affect how enterprises balance between protecting against breaches and recovering from them.

In 409 A.D., when Flavius Honorius, the ruler of Rome, saw the invading hordes of Visigoths, he must have wondered whether he should have invested more gold into his perimeter defenses. History tells us that such an investment would have been appropriate, but perhaps Honorius' risk analysis never took into consideration the size and scope of a politically sponsored attack.

Centuries later, political and corporate leaders still face similar questions. Do we invest further in physical and digital security to protect our assets? Are our endpoints secure from malware and breaches? If attackers successfully enter the network, do we have the tools to defend it without compromising resources and data?

A key consideration today is whether enterprises should invest in proactive defenses to identify, detect, and protect the network, or whether they should focus on a reactive approach, responding and recovering from a cybersecurity event should one occur. These approaches are components of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which "integrates industry standards and best practices to help organizations manage their cybersecurity risks," according to the NIST website.

"Being proactive doesn't necessarily mean startups need heavy investments in technology," says John Hellickson, field CISO at Coalfire. "Instead, one could ensure the foundational elements, setting reasonable security policies and standards, implementing security from the start when standing up new IT infrastructure, and following secure coding guidelines when it comes to building applications is executed early on.

"As organizations grow, \[they\] should implement more comprehensive information security program elements, proactively assessing risks to mitigate those outside of the risk tolerance before likely threats are realized. Since every organization is unique, finding the right amount of investment is more of an art than science."

Enterprises have considerable motivations to be proactive at cybersecurity. Earlier this year, US Securities and Exchange Commission (SEC) Chairman Gary Gensler proposed several new rules that would put increased responsibility on C-suites and boards of directors to defend against data breaches. While the rules have yet to be ratified, some organizations already are implementing the proposed rules, including adding cybersecurity experts to corporate boards. To date, Gensler has proposed nearly 50 new rules.

**Cyber Insurance Influences Risk Assessment**

Another motivation is obtaining cyber insurance. Without appropriate security controls in place, enterprises can find it difficult to engage a broker or carrier that would risk writing a policy. Even if the policy is written, the prospect still needs to get underwriters' approval before the carrier binds the policy.

Robert Rosenzweig, national cyber risk practice leader and commercial New York metro regional leader at cyber insurance broker Risk Strategies, says his firm recommends that its clients manage risk appropriately to secure more comprehensive and competitive coverage, but it does not require clients to employ cybersecurity controls. Ultimately, he notes, it is the carrier's decision whether to approve the insurance application.

"We do have some information published about some of the top five to 10 controls that we have found to be most important when reducing the probability or cost and complexity of an incident, and also controls that carriers are most focused on when doing their underwriting analysis," he says.

However, Rosenzweig encourages organizations to invest in cybersecurity controls. 

"I think underwriters look favorably upon that. It's just another indicator that a prospective policyholder is investing in having the right culture of security and compliance," he says.

**Risk Goes Beyond Cybersecurity**

Potential fines for failing to properly contain risk could end up costing far more than the risk you were trying to mitigate, and it is not always a cybersecurity matter, says Joseph Williams, partner of cybersecurity at Infosys Consulting. He cites Burlington Northern Santa Fe Railway, which "just got hammered by the Illinois legislators for violating \[the state's new\] biometric \[law\]," as an example. The company must pay $228 million to some 45,000 truck drivers after a jury found the company collected the drivers' fingerprints without consent. This was the first court judgment related to the new Illinois Biometric Privacy Act.

"How would you have predicted that kind of vulnerability?" he asks, rhetorically. "This is my mantra: If you're not factoring, if you don't identify the risk, then you don't factor in that risk to the cost of the project. There's no way that biometric project was going to create $228 million in value, so somebody didn't calculate what that exposure would be. That wasn't cybersecurity; that was regulatory compliance."

Erika Andresen, a business continuity expert and founder of EaaS Consulting, as well as a longtime US Army lawyer, says she believes cybersecurity should be managed through regulatory oversight. 

"I would like to say it should be driven by regulation," she says. "But the problem is, you're going to have to pass that regulation through a series of senators and congressmen who have shares of companies that want to make money. And their interest is not to regulate those companies."

Andresen offers up that the SEC's Gensler has put forth proposed rules, but they have yet to be ratified. "They're supposed to be coming out, but they're going to be tied up," she says.

The Art of Calculating the Cost of Risk

Report reveals new top sources of fake login page referrals, rise of fake third-party cloud apps used to trick users.

**SANTA CLARA, Calif., Nov. 2, 2022 /PRNewswire/** — Netskope, a leader in secure access service edge (SASE), today unveiled new research that shows how the prevalence of cloud applications is changing the way threat actors are using phishing attack delivery methods to steal data.

The Netskope Cloud and Threat Report: Phishing details trends in phishing delivery methods such as fake login pages and fake third-party cloud applications designed to mimic legitimate apps, the targets of phishing attacks, where the fraudulent content is hosted, and more.

Although email is still a primary mechanism for delivering phishing links to fake login pages to capture usernames, passwords, MFA codes and more, the report reveals that users are more frequently clicking phishing links arriving through other channels, including personal websites and blogs, social media, and search engine results. The report also details the rise in fake third-party cloud apps designed to trick users into authorizing access to their cloud data and resources.

**Phishing Comes From All Directions**

Traditionally considered the top phishing threat, 11% of the phishing alerts were referred from webmail services, such as Gmail, Microsoft Live, and Yahoo. Personal websites and blogs, particularly those hosted on free hosting services, were the most common referrers to phishing content, claiming the top spot at 26%. The report identified two primary phishing referral methods: the use of malicious links through spam on legitimate websites and blogs, and the use of websites and blogs created specifically to promote phishing content.

Search engine referrals to phishing pages have also become common, as attackers are weaponizing data voids by creating pages centered around uncommon search terms where they can readily establish themselves as one of the top results for those terms. Examples identified by Netskope Threat Labs include how to use specific features in popular software, quiz answers for online courses, user manuals for a variety of business and personal products, and more.

"Business employees have been trained to spot phishing messages in email and text messages, so threat actors have adjusted their methods and are luring users into clicking on phishing links in other, less expected places," said Ray Canzanese, Threat Research Director, Netskope Threat Labs. "While we might not be thinking about the possibility of a phishing attack while surfing the internet or favorite search engine, we all must use the same level of vigilance and skepticism as we do with inbound email, and never enter credentials or sensitive information into any page after clicking a link. Always browse directly to login pages."

**The Rise of Fake Third-Party Cloud Apps**

Netskope's report discloses another key phishing method: tricking users into granting access to their cloud data and resources through fake third-party cloud applications. This early trend is particularly concerning because access to third-party applications is ubiquitous and poses a large attack surface. On average, end-users in organizations granted more than 440 third-party applications access to their Google data and applications, with one organization having as many as 12,300 different plugins accessing data – an average of 16 plugins per user. Equally as alarming, over 44% of all third-party applications accessing Google Drive have access to either sensitive data or all data on a user's Google Drive—further incentivizing criminals to create fake third-party cloud apps.

"The next generation of phishing attacks is upon us. With the prevalence of cloud applications and the changing nature of how they are used, from Chrome extensions or app add-ons, users are being asked to authorize access in what has become an overlooked attack vector," added Canzanese. "This new trend of fake third-party apps is something we're closely monitoring and tracking for our customers. We expect these types of attacks to increase over time, so organizations need to ensure that new attack paths such as OAuth authorizations are restricted or locked down. Employees should also be aware of these attacks and scrutinize authorization requests the same way they scrutinize emails and text messages."

Within the report, Netskope Threat Labs includes actionable steps organizations can take to identify and control access to phishing sites or applications, such as deploying a security service edge (SSE) cloud platform with a secure web gateway (SWG), enabling zero trust principles for least privilege access to data and continuous monitoring, and using Remote Browser Isolation (RBI) to reduce browsing risk for newly-registered domains.

Additional key findings from the report include:

*   **Employees continue to click, fall victim to malicious links**. It is widely understood that it takes just one click to severely compromise an organization. While enterprise phishing awareness and training continues to be more prevalent, the report reveals that an average of eight out of every 1,000 end-users in the enterprise clicked on a phishing link or otherwise attempted to access phishing content.

*   **Users are being lured by fake websites designed to mimic legitimate login pages.** Attackers primarily host these websites on content servers (22%) followed by newly registered domains (17%). Once users put personal information into a fake site, or grant it access to their data, attackers are able to capture usernames, passwords, and multi-factor authentication (MFA) codes.

*   **Geographic location plays a role in the access rate of phishing.** Africa and the Middle East were the two regions with the highest percentages of users accessing phishing content. In Africa, the percentage of users accessing phishing content is more than 33% above average, and in the Middle East, it is more than twice the average. Attackers frequently use fear, uncertainty, and doubt (FUD) to design phishing lures and also try to capitalize on major news items. Especially in the Middle East, attackers appear to be having success designing lures that capitalize on political, social, and economic issues affecting the region.

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. Statistics in this report are based on the three-month period from July 1, 2022 through September 30, 2022.

Get the full Netskope Cloud and Threat Report: Phishing here.

Learn more about Netskope Threat Labs and gain insight from the Netskope Security Cloud Platform by visiting Netskope's Threat Research Hub.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

**SOURCE:** Netskope

Netskope Threat Research: Next Generation of Phishing Attacks Uses Unexpected Delivery Methods to Steal Data

A proposed plan to charge users for the platform's coveted blue check mark has, unsurprisingly, inspired attackers to try to dupe people into giving up their credentials.

One of Elon Musk's proposed first moves after his Twitter takeover seems to have backfired, at least from a security perspective. A teaser by the platform proposing to charge users a monthly fee to have verified accounts confirming them as a public persona or entity — and thus earn the distinction of a coveted blue check mark by their account name — has spawned a phishing campaign aiming to take advantage of the controversy surrounding the move.  

A number of Twitter users claim to have received phishing emails that use the lure of losing their verified status to try to fool them into supplying their credentials. The scam works via a Google doc made to look like a Twitter help page, according to users.

Several of those who were targeted (natch) took to Twitter to warn others about it on Monday, including two reporters: Zach Whittaker, security editor for TechCrunch, and Kevin Collier from NBC News.

"Twitter's ongoing verification chaos is now a cybersecurity problem," Whittaker tweeted, subsequently posting a report on TechCrunch about the scam. "It looks like some people (including in our newsroom) are getting crude phishing emails trying to trick people into turning over their Twitter credentials."

Collier reported that the email he received "apparently slipped right by Outlook's robust protections," though he himself was not fooled. "Didn't get me but I bet this gets somebody," Collier wrote in the post.

The email, according to screenshots both Whittaker and Collier posted, is sent from a Gmail account, twittercontactcenter\[at\]gmail.com, which Collier said is a "dead giveaway" that it's bogus. It warns the targeted user that "the verification badge will be $19.99 per month for some users after November 2, 2022," and that Twitter currently is unable to verify some "famous or well-known people."

The email goes on to inform targets that they need to provide a confirmation of who they are to receive the verification badge "for free," and provides a button to "Provide Information" and a link to the "Help Center" to find out about updated rules for the verification program.

Clicking on the button leads to a Google Doc with another link to a Google site that lets users host web content, according to Whittaker's report. The phishing page itself is designed to look like Twitter's help page and contains an embedded frame from another site, which is hosted by Beget, a Russian web hosting provider, according to the report.

The page asks users to provide their Twitter username, password, and phone number, which could allow an attacker to break into an account without two-factor authentication enabled.

To mitigate damage from the campaign, Google took swift action to take down the phishing site a short time after TechCrunch alerted the company, Whittaker wrote.

**Capitalizing on Controversy**

Security professionals noted that it's not surprising that a threat actor has taken advantage of the commotion currently surrounding Twitter. Leveraging a controversial situation that elicits an emotional response not only spells a cybercriminal opportunity, but also boosts the chance of a phishing campaign's success, Patrick Harr, CEO at SlashNext, an anti-phishing company, wrote in an email to Dark Reading.

"These types of social-engineering phishing attempts are very effective because they play on emotion and instigated immediate action," he said. "Before the victim has time to think if this is phishing, they quickly jump to action."

The obfuscation tactics used in the campaign also make it easier to hide from threat-detection engines because they likely won't flag Google Docs, a trusted service — which, at least in Collier's case, was exactly what happened, security professionals noted.

Indeed, the campaign and its ability to bypass email scanners stresses why it's important for people to remain vigilant when receiving emails from unknown sources, and protect all of their accounts with multifactor authentication (MFA) and other security buffers, observed Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM).

"Make sure you always use MFA, a password manager that creates strong unique passwords for every account, and never give over personal information or credentials details on websites without first verifying authenticity," he advised in an email to Dark Reading.

**Twitter Exodus?**

For his part, Musk in a tweet on Tuesday seemed to corroborate that implementing the controversial verification fee would be a first order of business — the news of which first surfaced in a report on The Verge Monday.

However, after some verified account holders claimed they would leave rather than pay the reported fee of $20 a month for their blue check mark — including high-profile users such as author Stephen King — Musk suggested lowering the price.

"Twitter's current lords & peasants system for who has or doesn't have a blue check mark is bull\*\*\*\*," he tweeted. "Power to the people! Blue for $8/month."

Musk's mere purchase of Twitter in a $44 billion deal — after a highly publicized, months-long back-and-forth between the company and the multibillionaire founder of Tesla — has already drawn the derision of celebrity users of the platform, some of whom already told followers they were closing their accounts.

The verification debacle occurring now is just fuel for the fire, adding to a growing controversy that is likely music to the ears of threat actors, who thrive on social, political, and economic conflict as an opportunity to commit cybercrime, security professionals observed.

"Cybercriminals have long exploited volatile situations for their own gain, especially newsworthy, current events," noted Darren Guccione, CEO and co-founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. "The recent acquisition and upheaval at Twitter is the latest example."

Musk's Twitter-Verification Payment Tease Spurs Cyberattackers

As vehicle security expands to cover cyber threats on the vehicle as well as the vehicle's external network, cross-industry collaboration and market opportunities are expected to increase.

**DUBLIN, Nov. 2, 2022 /PRNewswire/** — The "Automotive Cyber Security 2025: the Secure Connected Car" report has been added to **ResearchAndMarkets.com's** offering.

Over the next decade, vehicle security will expand to cover cyber threats on the vehicle as well as the vehicle's external network including the infrastructure. Therefore, effective Automotive Cyber Security requires cross-industry collaboration.

In the aftermath of the car hacks by cyber security researchers and US Sen. Ed Markey's report on the vulnerability of modern vehicles to malicious attacks, Automotive Cyber Security will unfold as the key topic in OEMs' and suppliers' agenda for the immediate future.

The outcome of these drivers will be a shift in car manufacturers' strategy toward Automotive Cyber Security in the form of new investment, M&A, and collaborations with suppliers and other cyber security companies. This could drive Connected-Cyber Security penetration up quite quickly and alter the competitive landscape. The key challenges here are how quickly the level of security and privacy in Connected Cars will rise to sufficient levels to avoid having vulnerable vehicles.

We expect that the landscape of the Automotive Cyber Security market will change rapidly over the next decade, especially after the expected mandate for standard fitment of cyber security solutions. Regulatory mandates on the standard fitment of cyber security solutions in modern vehicles will be the catalyst that will drive change in the competitive structure as competition intensifies and consolidation continues.

**Read this report to:**

*   Unlock the potential of the Automotive Cyber Security market by reading about investment, M&A, and partnerships in the marketplace
*   Discover the drivers of growth over the next decade
*   Read our penetration forecast of Hardware, Software-based solutions, and Services
*   Identify the leading suppliers of software and hardware equipment
*   Understand the competitive landscape by reading our exclusive interviews
*   A-Z: software, hardware solutions and service portfolio from leading companies

The recent white-hat hacking demonstrations will accelerate the outcome of the regulatory mandate in the US and pave the way for other countries to follow. Additionally, we expect that by the end of 2016, most of the currently ongoing or announced penetration tests will have finished, similarly to product evaluation for most OEMs. Therefore, talks about product integration will begin for their next-generation vehicles. This will fuel demand for both software/hardware solutions and services for Automotive Cyber Security over the next decade.

Additionally, more and more carmakers announce their intention to introduce OTA updates which, although most of them today serves more convenience purposes rather than security ones, it brings them one step closer to the task. As more carmakers exploit the benefits of the cloud, i.e. data storage, remote vehicle control, and wireless updates, demand for cloud security is expected to increase.

The necessity for industry-wide standardisation and collaboration is key for adoption. However, we expect that the regulation will set minimum standards in the form of a basic framework, on top of which carmakers will develop their solutions to help them in competitive differentiation.

What is more, the history of the automotive industry is full of examples of lack of collaboration and unwillingness to standardise procedures for innovative technologies on behalf of the OEMs (e.g. EV charging). Therefore, even though some common, voluntary standards will emerge, it is somehow unrealistic to expect them to cooperatively increase vehicle security unless the regulation demands so or a malicious car hack occurs-given fact that it constitutes an additional cost.

**Key Topics Covered:**

**1\. Executive Summary**

**2\. Automotive Cyber Security: State of the Art**

**3\. Automotive Cyber Security Forecast 2025**

**4\. Interviews with industry experts: insights from 7 buzzing startups**

**5\. 22 Leading suppliers in Automotive Cyber Security**

**Companies Mentioned**

*   Argus Cyber Security Ltd
*   Arilou Technologies Ltd
*   BT Security
*   Cisco Systems Inc.
*   ESCRYPT-Embedded Security
*   Harman
*   Intel Corporation
*   Karamba Security
*   NXP Semiconductors
*   SBD & NCC Group
*   Secunet AG
*   Security Innovation
*   Symphoty Teleca & Guardtime
*   Trillium Incorporated
*   Utimaco IS GmbH
*   APTIV
*   Bosh
*   Continental
*   Denso
*   Harman
*   Magna
*   Valeo

For more information about this report visit https://www.researchandmarkets.com/r/pfsrxc

**SOURCE:** Research and Markets

Global Automotive Cybersecurity Market Report 2022: Expected Mandate for Cybersecurity Protocols to Significantly Boost Sector

While the ransomware-for-hire group works to create ever more efficient exploits, companies can protect themselves with structured vulnerability management processes. Prioritize threats based on severity and risk.

LockBit ransomware is in the minority group of ransomware families that leverage auto-propagating malware and double encryption methods. After its breaches into security behemoth Entrust and the Italian Revenue Agency earlier this summer, LockBit has continued to gain notoriety while on the lookout for its next victim.

LockBit ransomware began its spree of high-profile attacks as early as September 2019 and has remained one of the most prolific groups to date. Motivated by large payouts, the group doesn't fear targeting larger corporations and enterprises.

The ransomware group is known for its particular qualities of a triple-extortion method, sophisticated technology, high-severity cyberattacks, and heavy marketing to affiliates. LockBit's presence is felt globally, and industries are afforded only short moments of respite when the group retreats to develop more devastating upgrades to their toolkit. Its attack frequency and strategy make the group a force to beware of in the cybersecurity world, demonstrating its determination to cause harm.

**LockBit: The Brief**

*   LockBit markets itself as ransomware-as-a-service (RaaS). It works in conjunction with other bad actors who perform attacks for hire, and then split the funds between the LockBit developer team and other accomplices.
*   The LockBit family targets both CVE-2021-22986 and CVE-2018-13379.
*   The Russian threat actor group, TA505 (also known as Hive0065) has been observed using the LockBit ransomware payload in its attacks.

**New Variants**

LockBit's origins began as an ABCD cryptovirus in 2019. Its main targets were government organizations in North America, Europe, and APAC regions and included private companies as well, with crypto as their form of ransom payment.

Early targets of LockBit in 2019 and 2020 included Windows systems within financial and healthcare institutions. The ransomware group then took a hiatus to improve its malware kit and operation strategy. To date, two LockBit versions in addition to the initial version have been released, with each subsequent release possessing increased attack capabilities.

**LockBit 2.0**

LockBit 2.0 was introduced in June 2021 and was documented in attacks in Taiwan, Chile, and the UK. In the 2.0 version, LockBit added the double-extortion technique and auto-encryption of hardware across Windows domains for which it became known. Later in the fall of 2021, the group began branching out into Linux servers, too, specifically attacking ESXi servers.

**LockBit 3.0, Also Known as LockBit Black**

After another brief hiatus, LockBit returned in June 2022 with the release of another improved version of the ransomware, including a bug bounty program that financially incentivizes researchers to share bug reports. In addition to the program, version 3.0 includes Zcash payments and developed new extortion tactics. Building on top of architecture found in BlackMatter and DarkSide, LockBit now has refined its evasion practices, passwordless execution, and implemented command-line features.

The updated LockBit ransomware was used to attack and steal data from the Italian Revenue Agency and a county office in Ontario, Canada. On top of encryption and the threat of data leaks, the ransomware group has included denial-of-service attacks to increase the pressure on victims.

In a surprising turn of events, an alleged LockBit developer leaked the group's builder used to design the 3.0 version on Twitter, citing frustration with the group's leadership as their motivation for the leak. A blow to the group but a potential risk to the cybersecurity field as the leaked information can equip new individuals with the necessary tools to start their own ransomware kit. In no more than a week after the leak, a new ransomware group was observed using the builder to target companies.

**How Dangerous Is LockBit?**

LockBit has a diverse arsenal of technologies and techniques to go after the largest organizations, regardless of industry. Here is a snapshot of the tools, tactics, and methods that make LockBit so dangerous:

*   StealBit, a malware tool first found in the 2.0 version, was designed for encryption and is believed to be the most efficient and quickest encryption tool.
*   StealBit automatically spreads to other connected devices along a network by taking advantage of Windows PowerShell and Server Message Block.
*   LockBit's malware can now infect both Windows and Linux systems when initially it could only exploit Windows systems.
*   The creation of the bug bounty program is the group's attempt at establishing itself as a professional group of hackers while simultaneously improving its defenses.
*   LockBit 3.0 introduced Zcash payment options for ransom collection and to avoid interference from law enforcement agencies.

**How to Prevent a LockBit Attack**

*   **Curb unnecessary permissions:** More restrictions on permissions are not a bad practice to get in the habit of applying, as more levels of authentication make it difficult for remote hackers to escalate permissions and gain greater access. Pay close attention to users with IT and admin-level permissions.

*   **Monitor your attack surface:** Incorporate a solution that scans your entire attack surface for potential entry points for attackers. Routinely monitor existing and newly added assets to your organization's network.

Security leadership can keep attackers away by cultivating a culture of vigilance with structured vulnerability management processes that prioritize threats based on severity and risk. Despite LockBit's capabilities, organizations do have options when it comes to protecting their organization and partners.

Everything You Need to Know About LockBit

New Aravo partnership provides organizations with comprehensive, standards-based third-party technical, financial, and compliance intelligence.

**SAN FRANCISCO and BOSTON,** **Nov. 2, 2022** — Aravo and Black Kite today announced a new partnership designed to empower organizations to improve their cybersecurity defenses by quantifying and monitoring cyber risk across the extended enterprise.

“The majority of B2B and B2C companies are expressing frequent interest and concern in the cybersecurity posture of the organizations that they do business with. And with ESG increasing in importance, it’s imperative for organizations to align cyber risk management with ESG objectives,” said Rick Goad, vice president of customer success and strategic alliances at Aravo. “As more customers continue to mandate cybersecurity risk as a significant determinant when conducting business, Aravo is excited to partner with Black Kite to provide our customers with a comprehensive security risk rating of their third parties.”

Incorporating Black Kite into Aravo’s Cyber Risk and InfoSec application strengthens cyber risk management programs across the extended enterprise of suppliers and third parties. Key features of the Black Kite integration include:

*   Technical cyber ratings – an easy-to-understand, trustworthy snapshot of the supply chain risk in the form of a letter grade, calculated using MITRE standards
*   Risk quantifications – insight into the probable financial impact to an organization if a third party experiences a breach
*   Compliance correlation – an external view of a third party’s compliance against common industry frameworks, such as NIST 800-53, PCI-DSS, ISO 27001, COBIT, GDPR, OTA, and Shared Assessments
*   Ransomware susceptibility – detects the likelihood of a ransomware attack on a third party

“We’re pleased to partner with Aravo and help simplify third-party risk management using our non-intrusive scans to continuously monitor and quantify third-party risk,” said Chuck Schauber, vice president of product and strategy at Black Kite. “Together, we’re enabling customers to build a more secure digital supply chain.”

The Aravo Third Party Management platform provides a flexible integration framework to connect with risk intelligence vendors, either through pre-configured Aravo Connectors or open APIs. Aravo Connectors include standard-defined data packages and best practices to help streamline onboarding, enrich risk reviews, enhance continuous monitoring, and trigger alerts and workflows to log issues and generate corrective actions. Aravo dashboards provide a unified view of risk scores for each third party across multiple risk domains, including ESG, InfoSec, ABAC, GDPR, financial, ethics, supply chain resilience, and business continuity.

**Additional Resources**

*   LinkedIn Live: Enhance Cyber Risk Management in Your Extended Enterprise
*   OCEG Webinar: Transform Your Cybersecurity Risk Management Program
*   Aravo for Information Security

**About Black Kite**

One in four organizations suffered from a cyberattack in the last year, resulting in production, reputation and financial losses. The real problem is adversaries attack companies via third parties, island hopping their way into target organizations. Black Kite is redefining vendor risk management with the world’s first global third-party cyber risk monitoring platform, built from a hacker’s perspective.

With 500+ customers across the globe and counting, Black Kite is committed to improving the health and safety of the entire planet’s cyber ecosystem with the industry’s most accurate and comprehensive cyber intelligence. While other security ratings service (SRS) providers try to narrow the scope, Black Kite providers the only standards-based cyber risk assessments that analyze your supply chain’s cybersecurity posture from three critical dimensions: technical, financial and compliance.

**About Aravo**

Aravo delivers the smartest third-party risk and resilience solutions, powered by intelligent automation. As a centralized system of record for all third-party data, Aravo provides organizations with a complete view of their third-party ecosystem throughout the lifecycle of the relationship and across multiple risk domains including ABAC, ESG, GDPR, InfoSec, financial, ethics, supply chain resilience, and business continuity. For more than 20 years, Aravo’s award-winning technology and unrivaled domain expertise has helped the world’s most respected brands accelerate and optimize their third-party management programs, delivering better business outcomes faster and ensuring the agility to adapt as programs evolve. Learn more at aravo.com.

Aravo Integration With Black Kite Helps Improve Cybersecurity Defenses

The project will advance understanding of how quantum-secure algorithms can be secured against side channel analysis through robust validation and countermeasures.

**London, UK, Nov. 2, 2022** — Riscure, a global security advisory lab and market leader in Side Channel Analysis (SCA), has partnered with PQShield, a cybersecurity company specializing in post-quantum cryptography, to evaluate PQShield’s SCA testing and validation processes.

The quantum threat is high on the global security agenda, with governments and their partners planning their transition to quantum-resistance via post-quantum cryptography (PQC). In July, the US National Institute of Standards and Technology (NIST) announced draft standards for post-quantum cryptography — an important and long-awaited information security milestone.

Even when PQC algorithms are mathematically secure, they can potentially be broken by a class of exploits known as side channel attacks. These attacks exploit algorithm implementation in hardware or software rather than the underlying mathematical problem, underlining how important it is that any side-channel vulnerabilities are identified and addressed before PQC solutions are widely rolled out.

PQShield is a market leader in quantum-ready cryptographic solutions for hardware, software and communications. The company is a major contributor to the NIST post-quantum standardisation project, and the draft standards it announced in July this year are all schemes contributed to by PQShield’s researchers and advisory board.

Riscure provides evaluation and validation services to reinforce the security of products and components, including hardware cryptographic engines, large SoCs, boot ROM, security-enhanced software applications and trusted execution environments. Riscure also provides Security Tools and Training to help companies improve the security knowledge and expertise of their development teams.

With this project, the two companies will evaluate PQShield’s SCA testing process. They will also share knowledge about post-quantum cryptography and its impact on side channel attacks, advancing companies’ and governments’ understanding of how new quantum-secure algorithms can be secured through robust validation and countermeasures.

**PQShield CEO & Founder, Ali El Kaafarani, said:** “Side channel attacks are a serious concern for cryptographers working on quantum-secure solutions. Not all devices running cryptographic operations provide the same level of assurance, so while many governments have encouraged organizations to upgrade their secure digital infrastructure, this must be tested and validated before it can stand up to the quantum threat.

“Riscure has a well-earned reputation when it comes to understanding and tackling complex security challenges. We are delighted to share our learnings in the face of the looming quantum threat to information security.”

**Marc Witteman CEO & Founder from Riscure added:** “We have seen a surge in interest from businesses and governments recently looking to secure sensitive data with PQC. We are looking forward to working alongside PQShield, experts in PQC software and hardware co-design, by educating and sharing best practices with industry. With this collaboration we also aim to provide the industry with robust quantum-resistant Side Channel Analysis and lead to integration of PQC into our leading tools — in turn helping all major businesses and governments mitigate the quantum-threat.”

**About PQShield**

PQShield is a cybersecurity company specialising in post-quantum cryptography, protecting data from today's attacks while readying organisations for the threat landscape of tomorrow. It is the only cybersecurity company that can demonstrate quantum-safe cryptography on chips, in applications, and in the cloud. Headquartered in the UK, with additional teams in the United States, France and the Netherlands, its quantum-secure cryptographic solutions work with companies' legacy systems to protect devices and sensitive data now and for years to come. PQShield is principally backed by Addition, Crane Venture Partners, Oxford Science Enterprises (formerly OSI), Kindred Capital, and InnovateUK. www.pqshield.com | LinkedIn | Twitter

**About Riscure**

Riscure is a leading vendor of security tools, services, and training for edge devices. Our tooling helps global technology leaders to build robust hardware and software solutions. Riscure security analysts bring top-notch security expertise to development teams and aim to run no-pain certification projects. Built on a wealth of security research and extensive practical experience, Riscure is well recognized for its technical leadership. Riscure serves Semiconductor, Mobile Security and Mobile Payment, Automotive and Premium Content industries as well as the Government sector. Follow us on Twitter @Riscure and LinkedIn.

Source

DARKReading