Recession fears notwithstanding, cybersecurity skills — both credentialed and noncredentialed — continue to attract higher pay and more job security.

Company executives continue to voice concerns that a recession is likely in 2023, but cybersecurity professionals — along with IT workers and developers with cybersecurity knowledge — appear well-positioned to weather an economic downturn, according to technology-job experts.

Overall, professional certifications have provided declining salary premiums since 2018, but information security certifications continue to command significantly above-average pay premiums, according to an analysis of more than 4,000 employers in the US and Canada by Foote Partners LLC. Cybersecurity-related skills — such as AWS Certified Security, GIAC Certified Incident Handler, and Okta Certified Developer — make up more than half of the "winner" skills, those that have attracted the most pay and have gained the most in market value.

Noncertified security skills — such as cryptography, DevSecOps, and risk analytics — also attract high premiums, says Bill Reynolds, research director at Foote Partners.

"Obviously, security skills and certs are still commanding cash premiums beyond salary at the 4,057 employers \[we surveyed\] in the US and Canada," he says. "That’s a pretty large sample for a survey, so it’s quite meaningful."

**Positioned to Withstand Recession?**

The robustness of the cybersecurity job market comes as company executives continue to worry about a recession in 2023. The vast majority of company executives (83%) expect a recession in 2023 — as do 82% of investors, according to another online survey — and about half of organizations are pre-emptively cutting expenses. In many cases, that means layoffs. In the cybersecurity industry, nearly a score of companies have cut workers in the last three months, according to tracking site Layoffs.fyi.

The fears of a downturn have even affected the valuations of startup companies in the cybersecurity industry.

Because of the difficulty in hiring and retaining knowledgeable cybersecurity workers, however, layoffs will likely come from less-technical groups, leaving knowledgeable cybersecurity workers. In fact, the majority of companies (60%) still planned to increase the head count of their IT departments as of July 2022, according to the _IT Spending and Staffing Benchmarks 2022/2023_ report published by Computer Economics.

"Expected growth is modest, but this is an indication that IT organizations cannot simply rely on increased efficiency from the cloud and virtualization for growth," the report stated. "Some hiring will still need to be done."

**Cybersecurity Skills Fetch a Premium**

Overall, cybersecurity workers remain in demand, with 770,000 positions currently unfilled, compared with a cybersecurity workforce of 1.1 million — a 69% shortfall in workers, according to data from the CyberSeek project. The gap between supply and demand is much greater than the 7.4% for the Businesses and Professional Services industry and the 6.9% gap in the Information sector, according to the US Bureau of Labor Statistics.

Workers with specific cybersecurity skills will continue to see opportunities, according to Foote Partners 2022 Tech Compensation Survey Reports. Ten of the 17 skills listed on the firm's IT Winners list, which includes skills that command an above-average premium and which have seen those premiums accelerate in the past few months, are security-related. The same criteria for noncertified IT skills show that 10 of 39 are security-related.

GIAC Certified Forensics Analyst (GCFA), InfoSys Security Engineering Professional, and Okta Certified Developers each have an average pay premium of 12% over base pay, according to Foote's data. For noncertification-based skills, security auditing, cryptography, and identity and access management each had an 18% premium over base pay.

What else is important? Soft skills, says Foote's Reynolds. A worker's ability to collaborate, deal with stress, manage time, have passion for the work, ability to listen, and include others all matter a great deal, he says.

These are "things that have nothing to do with certifications and this appears to be gaining in importance," he says.

**Avoid "Alphabet Soup" of Certifications**

Workers should take care to not collect certifications, as hiring managers and recruiters are wary of an alphabet soup of certifications on applicants' resumes, according to a recent Axios brief.

Foote's Reynolds agrees. Just because workers with a particular certificate get a pay premium isn't the right reason to get the certificate.

"It's like the argument of whether a college degree is mandatory for job consideration," he says. "Just because you have a college degree doesn't mean you're qualified for a particular job. It's more about what you've done with that college degree on the job. Tangible, measurable experience matters a lot."

Security Skills Command Premiums in Tight Market

Leading global education provider engages with Bugcrowd Security Researchers to identify threats.

**SYDNEY** **and** **SAN FRANCISCO****,** **Dec. 19, 2022** **/PRNewswire/ --** Bugcrowd, the leader in crowdsourced cybersecurity, today announced that Navitas, one of the world's leading global education providers, has launched a private bug bounty program with Bugcrowd to identify and resolve security vulnerabilities.

Navitas delivers educational programs to 60,000 aspirational students each year across its network of 92 colleges and campuses in 24 countries around the world. Under the bug bounty program, dozens of Bugcrowd security researchers will test Navitas' web applications for security risks on an ongoing basis. Ethical hackers who identify and remediate any valid threats will receive a bug bounty financial reward of up to AUD $3,700 (USD $2,500), depending on the severity of the uncovered threat.

Gavin Ryan, Global Head of Information Security for Navitas, selected the Bugcrowd crowdsourced security solution based on its proven track record of being able to scale, reduce costs and risks through a continuous testing process, along with the extensive global reach of its researcher team. 

"At Navitas we take the security of our data and applications extremely seriously and are always seeking innovative ways to protect the private information of our students and staff from continuous and fast-changing cyber threats," said Gavin Ryan. "We are pleased to partner with Bugcrowd to take advantage of its extensive network of trained security researchers who can help us find and resolve online vulnerabilities before attacks occur. Only a month into the program, we are already realising the benefits of a bug bounty program and plan to extended it to include agile continuous security testing across selected non production environments" 

Bugcrowd's ability to deliver a fast return on investment through crowdsourced bug bounties, rather than undertaking lengthy and costly consulting engagements, was one of the biggest contributing factors in its selection. The solution's continuous assurance model was also better positioned to safeguard Navitas' global attack surface, which had made traditional penetration testing less tenable and less effective for ongoing application security assurance.

"Bugcrowd is excited to work with Navitas in assisting to protect both their data and applications with a comprehensive bug bounty strategy and a non production testing strategy," said Nick McKenzie, Chief Information and Security Officer at Bugcrowd. "Our extensive global crowdsourced security team has the ability to scale for Navitas's requirements, provide critical protections around the clock, and through the introduction of non-production testing regimes will help the Navitas business deliver at a higher digital velocity. We are happy that both control outcomes and the economics of the program's delivery (vs other testing regimes) have exceeded expectations."

"Bugcrowd" and the "Bugcrowd Security Knowledge Platform" are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

**About Bugcrowd**

Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organizations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

SOURCE Bugcrowd

Bugcrowd Launches Bug Bounty Program for Australian-Based Navitas

Risk is no longer a single entity, but rather an interconnected web of resources, assets, and users.

Within the first few hours of the FTX implosion, investors and crypto bulls were working through the Kübler-Ross model's five stages of grief: denial, anger, bargaining, depression, and acceptance. As more details came out about the inner workings of FTX, I realized that truth really is stranger than fiction.

The 30-year-old founder of FTX, Sam Bankman-Fried, was known simply as SBF — a single moniker that put him in the company of Madonna or LeBron. His firm seemingly came out of nowhere to establish itself as the de facto standard for crypto exchanges. The firm and the founder were surrounded by all the trappings of success and legitimacy — a fawning press, famous and powerful friends, and sycophantic politicians.

Who would ever suspect fraud with such a veneer of respectability? The obvious comparison was Theranos and its CEO, Elizabeth Holmes. When stories emerged that FTX's potential losses totaled $50 billion, comparisons to another fraudster — Bernie Madoff — emerged.

However, there is one huge difference between SBF and Madoff: Madoff was a singular figure orchestrating a massive Ponzi scheme. The funds that came to Madoff didn't go into other investments. In fact, they didn’t go into any investments. They were used to keep existing clients happy while new clients were brought in. All of the risk for Madoff clients was represented in Madoff himself.

In the case of FTX, SBF lent Alameda Capital — the firm's in-house investing arm — more than $8 billion in client funds. It is patently illegal to mix client funds in an exchange with outside investments. Most shocking of all is what SBF and Alameda were doing with that money. They thew the money into more than 400 different investments in the emerging crypto market, from failing exchanges to worthless coins. Investors who parked their money, and their crypto, at the FTX exchange had no idea the risks they were facing.

**Know Your Attack Surface**

The threat surface for FTX clients wasn't just about protecting their FTX passwords or hoping the exchange wouldn't get hacked like the Mt. Gox bitcoin exchange and so many others did. Instead, their portfolios were at risk of implosions over assets and investments they had never heard of.

That is the definition of risk: having your hard-earned money and investments merged with a toxic mix of super-risky sludge. That’s a helpless place to be.

After more than 20 years in cybersecurity, it is difficult not to think about risk exposure and threat management in a case like this. Security teams are dealing with something much more akin to SBF than Madoff. There is no singular threat facing an enterprise today. Instead, it is a constellation of assets, devices, data, clouds, applications, vulnerabilities, attacks, and defenses.

Security teams' biggest weakness is that they are being asked to secure what they can neither see nor control. Where is our critical data? Who is accessing it, and who needs access? Every day in cybersecurity, the landscape of what needs to be protected changes. Applications are updated. Data is stored or in transit among multiple clouds. Users change. Every day represents new challenges.

Security starts with visibility. That’s why discovery is all the rage these days. From the cloud to data to external assets, security teams are digging into discovery tools that help them understand exactly what they have to secure, where it is, and who is accessing it. There is an urgent need to understand the connections among users, partners, devices, and applications. The FTX crypto investment scenario I've described could just as easily be interconnected enterprise resources, and internal and external users.

I feel terrible for anyone caught up in this FTX mess. For cybersecurity professionals, it is yet another reminder that it is not just the resources and employees of your organization that impact security; it is a web of connections that grows every day. We live in the age of discovery for a reason.

Rethinking Risk After the FTX Debacle

Revived levels of holiday spending have caught the eye of threat actors who exploit consumer behaviors and prey on the surge of online payments and digital activities during the holidays.

As the holiday season barrels to a conclusion, malicious actors are attempting to take advantage of harried consumers by ramping up the volume of spam and phishing attacks in the form of unsolicited emails and email-based threats — and businesses stand to suffer.  

A report from Bitdefender Antispam Lab found the volume of Christmas-themed spam has increased consistently since Nov. 27, with spikes in unsolicited correspondence observed between Dec. 6 and Dec. 9.

Scammers are employing the tried-and-true tactics of bogus surveys, online holiday dating opportunities, adult content offers, and discount shopping for designer goods.

Major corporations, including Netflix and Lowes, have been among the spoof subjects, enticing consumers with exclusive offers and cash giveaways — the catch being they must first enter credit card numbers or banking information, of course.

A recent study found more than a third of Americans have fallen victim to online shopping scams during the holidays, losing $387 on average as a result.

Alina Bizga, security analyst at Bitdefender, explains that threat actors are savvy when it comes to targeting. The holiday season tends to bring a host of socially engineered promotional campaigns aimed at fooling account holders to harvest their credentials and perform other nefarious activities.

"They update their tactics, and lures, and take note of consumer behaviors, timing their social engineering attacks to catch users off guard and steal sensitive personal data and money or compromise their devices and financial accounts," she says.

**Ramifications for Legitimate Businesses**

Bizga adds that when threat actors mimic a legitimate business to trick consumers into giving out their personal information or money, organizations may also suffer financial losses and reputational damages.

"Scams leveraging popular trade names that are proliferated via large-scale spam campaigns can impact both consumers and employees, and organizations need to have a clear action plan to minimize potential damages in the aftermath of a phishing scam," she says.

This includes identifying fraudulent communications, gathering information on the scope of the attacks, and notifying consumers and law enforcement.

Sam Curry, Cybereason chief security officer, says the annual glut of seasonal spam makes legitimate marketing for businesses much harder.

"When the bad guys try to look like legitimate marketing, legitimate marketing becomes less trusted and tolerated," he says. "If your email queue goes up to 200 junk emails a day, and you get tired of hitting delete 170 times, then you're more likely to hit delete on the buried legitimate marketing content than not."

For retailers, the fight against spam and phishing is twofold: protecting the customer and protecting the organization.

Curry points out now is the time when many retailers go into the black.

"They may make more in a few days than in some months in the rest of the year, which is why they freeze IT and changes and focus on servicing customers at scale," he says.

That means any hiccups now are even more painful as a result.

"In security, we measure risk in terms of likelihood and impact, and during the holiday season, impact goes up dramatically," he says. "That in turn changes the responses and contingencies of businesses, making them more likely to pay a ransom or to take drastic measures to fix issues and problems."

**Threat Actors Look for Quick, Easy Wins**

Bizga says that although cybercriminals are regularly adapting their tactics, techniques, and procedures (TTPs), the most common attack vectors seen throughout the holiday season include phishing, exploiting vulnerabilities and human error and misconfigurations.

"In addition, supply chain attacks can exploit access of third parties such as suppliers, distributors, or contractors to their ecosystem," she notes. "For example, breaching a small supplier may result in access to their much larger customer or entire customer base."

Michael DeBolt, chief intelligence officer at Intel 471, says cyber threat actors are always looking for quick and easy wins that result in considerable profit with a low degree of risk and effort.

"The end-of-year holiday period presents a unique window of opportunity for threat actors to increase illicit profits due to the surge in online activity as retailers and consumers transact goods and services, log into online accounts, ship and receive products, and more," he says.

**Keeping Alert Across the Organization**

DeBolt says retail organizations need to be aware of the latest spam and phishing campaigns targeting their customers.

Armed with this information, organizations can employ directed awareness campaigns warning customers of potential threats and how to avoid them.

He notes that security and fraud teams can take mitigating measures by adjusting controls within the environment to defend against account takeover (ATO) attacks.

"The same malware spam campaigns that target consumers can be used to target employees within organizations as well," he adds.

An infected machine belonging to an employee can include login information to remote network accesses or credentials to sensitive data storage, which can lead to theft of company information or as a foothold for a ransomware deployment into the company’s network.

"Perhaps the most important takeaway is that information security needs to be practiced and understood across the entire organization, not just \[by\] the network defenders," he says.

In the fight against spam and holiday season phishing, retailers need to give their customers proper information and channels through which they can report suspicious correspondence sent in their name.

Bizga says businesses should also establish seasonal awareness campaigns to inform consumers about any ongoing spam/phishing campaigns and notify the applicable domain name registrar to report fraudulent activity.

"Additional remedial efforts should include notifying law enforcement and legal bodies that can assist with legal actions and advise against malicious actors," she says.

**The Perils of Losing Customer Trust**

Patrick Harr, CEO at SlashNext, explains that bad actors leverage the brand recognition of major retailers and other businesses to lure their victims into a false sense of security.

"When a victim realizes they have been duped, it can cause them to lose trust in the brand, even though they of course had nothing to do with the actual scam," he says. "As we all know, losing consumer trust can lead to significant decreases in revenue," Harr says.

He advises retailers to deploy a strong brand protection service that checks for brand impersonation instances.

Once a scam or impersonation has been identified, a request must be filed, along with evidence to prove that it is illegitimate.

"This can take quite some time, however, so retailers should adopt an automated service that is continuously scanning and reporting these impersonations," Harr says. "It won't stop impersonations altogether, but companies that fight back make themselves less of a target for future impersonations."

Holiday Spam, Phishing Campaigns Challenge Retailers

Microsoft-owned GitHub is taking steps to secure the open source software ecosystem by rolling out security features to protect code repositories.

GitHub is making secrets scanning available for all public repositories and requiring all developers to enable two-factor authentication (2FA) for their accounts. The secrets scanning service will be available to all users by the end of January, and mandatory 2FA will be in place by the end of 2023, GitHub said.

**Scanning for Secrets**

The secret scanning service alerts developers when secrets such as application tokens and user credentials are exposed in code. Up until now, the service was available to paid enterprise users (via GitHub Advanced Security). The new policy will provide the service for free to all public GitHub repositories.

The service to scan for secrets helped identify 1.7 million potential secrets exposed in public repositories in 2022, GitHub said.

While the scanner can recognize over 200 known token formats, the option to define custom regex patterns is also available. 

“You can define custom patterns at the repository, organization, and enterprise levels. ... With push protection enabled, GitHub will enforce blocks when contributors try to push code that contains matches to the defined pattern,” the company said.

Developers will be able to find this option in their repository settings under Code security and analysis, where there is a section called Vulnerability alerts, and a Security tab. All secrets found by the service will be displayed in the same section, along with suggested ways to remediate the exposures.

**2FA For All**

The company has been talking about making 2FA mandatory across the platform, and the requirement will begin rolling out in March. Users will receive reminders 45 days prior to when they have to turn on 2FA, and their accounts will be blocked if 2FA is still not enabled seven days after the deadline, the company said.

Users required to enable 2FA include those who publish GitHub or OAuth apps or package, those who create a release, enterprise and organization administrators, and those who contribute code to other repositories.

“We’ll assess the outcomes of the rollout after each group–observing user success rates for 2FA onboarding, rates of account lockout and recovery, and our support ticket volume. This data will enable us to adjust our approach and more appropriately size and schedule remaining groups as needed to ensure a positive experience for developers, and support workloads GitHub can sustain,” GitHub announced.

GitHub Expands Secret Scanning, 2FA Across Platform

The 2022 FIFA Men's World Cup final in Qatar will be the most-watched sporting event in history — but will cybercriminals score a hat trick off its state-of-the-art digital footprint?

As Argentina and France prepare to face off in Doha for the final of the 2022 FIFA Men's World Cup, stadium staff and tournament organizers likely have more on their minds than whether Lionel Messi or Kylian Mbappe will claim the title of top goal-scorer. The event represents a vast cyberattack surface for both FIFA and the host nation of Qatar, security experts say — and ahead of the tournament's grand finale, cyber threats from all corners remain very clear and present.

According to FIFA, 2022 will end up being the most-watched tournament in history, followed by literally billions around the globe. On-the-ground numbers are impressive, too: Stadium Lusail, where the final will be played, is the biggest stadium in Qatar and has a capacity of the 88,966 spectators. Ticket sales for the World Cup have topped 3 million for an unprecedented 1.2 million visitors, which is equivalent to nearly half of Qatar's population.

That's a juicy target for not only financially motivated threat actors and hacktivists but also nation-state groups, who more often than not can get the ball in the back of the intelligence-gathering net when they want to.

**Smart Stadiums & the Digital Pitch**

The risks come from a few different places: social engineering efforts against fans and visitors being the most well known. What's less well known is the fact that Qatar has leaned in hard to the smart stadium concept, connecting its eight World Cup venues into one connected digital space.

A partnership between Johnson Controls' OpenBlue digital platform and Microsoft Azure, for instance, has enabled an artificial intelligence-based approach to physical security and operations, gathering data from edge devices and systems to identify when a security or safety issue has the potential to affect fans and players, or how crowd size and weather changes might affect energy efficiency and playing conditions.

Each stadium also has a 3D digital twin, an interactive digital model that provides live information on safety, comfort, and sustainability to a team of command center experts.

"With major sporting events becoming increasingly digitized, the attack surface for threat actors has also increased," a recent ZeroFox report on World Cup threats noted. "Qatar has constructed eight state-of-the-art 'smart stadiums' specifically for the World Cup, meaning sophisticated threat actors will almost certainly aim to compromise networks by exploiting vulnerabilities within interconnected stadium systems, including operational technology and Internet of Things (IoT) devices."

This raises the possibility of denial-of-service attacks or disruption on the order of the Olympic Destroyer threat, which took aim (largely unsuccessfully) at the Winter Games in Pyeongchang in 2018.

While it's not known what specific cyber defenses this first-of-its-kind footprint has in place, Qatar brought in a team of cybersecurity experts for a summit in March, and it has been working closely with Interpol's Project Stadia to enhance its security posture. So far, so good — but it's not over yet.

**Mobile Privacy Concerns**

Also, notably, there is a pair of mobile apps that everyone 18 and above entering Qatar for the World Cup is required to download, named Ehteraz and Hayya. Ehteraz is a COVID-19 tracking app, while Hayya is an app used for World Cup game tickets and accessing the Qatar metro system to move between stadiums.

At issue is the fact that Ehteraz has an extensive list of required permissions so that it can monitor locations and proximity to other app users; it can capture data from the device, automatically exfiltrate data from a user's phone, disable a lock screen, make calls from the phone, and access location services.

The Hayya app, meanwhile, is able to "access almost all personal information on a phone," according to ZeroFox, and can tap into location services and network connections between a phone and other networks.

Both apps potentially offer riches to cybercriminals. "When threat actors look to exploit an app, the end goal is to steal information that would be profitable — login credentials, personally identifiable information, email, credit cards, etc. — so that they can either sell it to actors who know how to further exploit or use the credentials and check to see if they can steal money or crypto from the victim accounts," says Adam Darrah, senior director of Dark Ops Collections at ZeroFox.

However, more shadowy risks also apply; the apps, with their broad set of access to personal data, are a perfect vector for espionage and creating fan chaos.

"When a nation-state or a motivated hacktivist group has you in their sights, they will find a way in," Darrah says. "All nations view an event such as the World Cup as a way to gather intelligence."

Regarding the COVID-19 contact tracing app for instance, the ZeroFox report noted, "Critics fear downloading the app could give the Qatari government access to privileged or sensitive content on a user’s phone. This is particularly notable if the user is breaking a Qatari law. It could also give Qatari authorities access to proprietary information contained on a company phone."

The firm recommended not installing the app on any phone with access to sensitive information, as a precaution.

**Facial Recognition at the World Cup**

Another wrinkle in the threat landscape for the World Cup is the vast facial-recognition footprint that Qatar has stood up in order to help respond to any threats of bodily harm to visitors and staff. Tensions famously run high at football (aka soccer) matches, but beyond run-of-the-mill hooliganism, some tourney-watchers are concerned that there could be a serious physical security incident.

To help thwart such a situation, the country has installed more than 15,000 cameras with facial recognition technology stationed throughout the eight stadiums and along roads and transportation infrastructure in Doha.

The benefits to physical security are myriad, of course. "Say a fan places a suspicious package close to a stadium entrance. When security personnel are alerted to this threat, staff can retroactively use facial recognition to trace the suspect's steps, determine where they are going next, and possibly pick them out in a crowd if needed," Terry Schulenberg, vice president of business development at CyberLink, tells Dark Reading. "The technology can even alert staff when a bad actor enters their area. Facial recognition will provide staff with the information they need."

However, critics have raised privacy concerns, a well-worn issue when it comes to facial recognition. After all, the population can't "opt in" to being scanned; the potential for surveillance by the Qatari government or advanced persistent threats (APTs) is there; and, it's unclear how the system handles the biometric data it collects.

"It would benefit them not to store faces in the cameras, workstations, or servers," Schulenberg says. "Rather, they could use software that identifies hundreds of vectors on a subject's face — such as the distance between the eyebrows — convert them into an encrypted file, send this file to a workstation or server, and compare its values with those of previously recorded subjects or those enrolled in a database. If it's being used, this more airtight facial recognition model will help security operators process camera feed data more quickly and securely."

If Qatar is not storing full images of attendees' faces, any unlikely leak of facial recognition data would be unreadable without access to the specific software Qatar is using, he stresses. 

**Thwarting Social Engineering Threats**

And finally, utterly predictably, phishers and scammers have been drawn to the event, using World Cup-themed lures, malicious mobile apps, and bogus ticketing websites to harvest data and steal funds from unsuspecting fans. In fact, Kaspersky said this week that its researchers have seen fake tickets being sold for as much as $4,000 a pop.

Group-IB's Digital Risk Protection team recently said it has detected more than 16,000 scam domains, and dozens of fake social media accounts, advertisements, and mobile applications created by scammers aiming to capitalize on the world's largest sporting event. The researchers also uncovered more than 90 potentially compromised accounts on official FIFA World Cup 2022 fan portals.

Patrick Harr, CEO at SlashNext, notes that FIFA and any World Cup host nation can take action to protect aficionados of the beautiful game from social engineering.

"FIFA could ensure its security program includes brand impersonation identification, remediation, and a takedown service," he says. "With this type of security control, FIFA could safeguard their millions of fans, so they don’t accidentally engage with malicious content while following the news on their favorite teams."

Eyal Benishti, founder and CEO at Ironscales, notes that FIFA also should be focusing on raising awareness, sounding a loud drumbeat to fans.

"They should be told to avoid clicking on links behind QR codes, stay away from SMS messages asking to validate or verify, and to go directly to the official FIFA domain only, to interact and purchase tickets," he says. "Send out clear communication to the future guests on the guidelines, what to expect and what to be on the lookout for."

He also pointed out that World Cup employees have also been targeted throughout the tournament, bringing up another layer of responsibility for organizers.

"For the FIFA organization and businesses of Qatar, focus on what you can control, like making sure your internal employees are educated and aware of the probability of fake emails and fake support requests that will spike," he says. "If they receive requests that seem out of place, always validate with the sender via phone or alternate communicate method. Be extra cautious and ensure the proper communication and education are taking place for your employees."

**Cybersecurity Lessons to Be Learned**

Qatar's World Cup hosting duties may be coming to a close, and hopefully without a major cyberattack marring the experience, but there are lessons to be learned when it comes to implementing good security for such a sprawling endeavor. 

Whether it's an attack on infrastructure, privacy concerns, or the phishing glut that has surrounded the tournament, the time is now to be thinking about risk mitigation for future events, like the upcoming 2023 FIFA Women's World Cup next summer.

Researchers say that it's especially crucial to conduct an assessment once all is said and done, ideally using threat intelligence and data from this winter's event — given that it's likely that many of the pioneering technologies that Qatar put in place for the tourney will be tapped for future tournaments. For instance, stadiums across the US, which is a co-host of the 2026 FIFA Men's World Cup, are already using facial recognition tools for staff and fan entry, ticket verification, and contactless payments.

"An event the size and scale of a World Cup represents rich pickings for the criminally inclined, with millions of visitors seen as millions of potential victims," Rob Fitzsimons, field application engineer at Telesoft Technologies, said in a recent column. "It is the responsibility of the host nation to ensure the safety and security of its guests — both physically and digitally."

He added, "Indeed, a continuous flow of real-time threat intelligence in advance of and throughout the tournament \[provides\] a greater understanding of the potential threats, and enables security professionals to better defend against them. Recognizing where vulnerabilities lie, and addressing these accordingly, will allow better protection of mobile networks, and help protect against targeted attacks … and, by monitoring and controlling the flow of information across these networks, it's possible to reduce the likelihood of more widescale attacks."

Cyber Threats Loom as 5B People Prepare to Watch World Cup Final

Patched several months ago, researcher reports how they used Spring Boot to sneak past Akamai's firewall and remotely execute code.

Akamai's Web application firewall (WAF) is intended to fend off potential attacks like distributed denial-of-service (DDoS), but a researcher discovered a way to bypass its protections by using complex payloads to confuse its rules.

The researcher, known as Peter H., along with Usman Mansha, said Akamai has since patched against the vulnerability, which was not assigned a CVE number. In the write-up, Peter H. explained how he used a vulnerable version of Spring Boot to bypass WAF protections.

"We ended up able to bypass Akamai WAF and achieve Remote Code Execution (P1) using Spring Expression Language injection on an application running Spring Boot," the GitHub explanation of the Akamai WAF RCE find explained. "This was the 2nd RCE via SSTI we found on this program, after the 1st one, the program implemented a WAF which we were able to bypass in a different part of the application."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Researcher Bypasses Akamai WAF

Microsoft warns enterprises should pay attention to a new botnet used to launch DDoS attacks on private Minecraft Java servers.

The persistence and spread of a newly identified botnet targeting private Minecraft Java servers has far wider ramifications for enterprises than bumming out a Biome.

Microsoft researchers revealed in a report published Dec. 16 that this new botnet is used to launch distributed denial-of-service (DDoS) attacks on Minecraft servers, which might sound like kid stuff. But enterprises should take note because of the botnet's ability to target both Windows and Linux devices, spread quickly, and avoid detection, the Microsoft team added.

It starts with a user downloading a malicious downloads of "cracked" Windows licenses.

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices," the Defender team reported. "Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet."

The threat researchers suggest that organizations harden their device networks against these kinds of threats.

The group's analysis revealed most of the infected devices were in Russia.

**Enterprises Beware**

Factors including the sheer number of potential server targets and the general lack of cybersecurity protections on private Minecraft servers make this botnet something security teams should take seriously, Patrick Tiquet, vice president of security architecture at Keeper Security, tells Dark Reading.

"The concern in this scenario is that there are a large number of servers that can potentially be compromised and then weaponized against other systems, including enterprise assets," Tiquet explains. "Gaming servers such as Minecraft are typically managed by private individuals who may or may not be interested in or capable of patching and following cybersecurity best-practices. As a result, this vulnerability could continue unmitigated on a large scale for an extended period of time and could potentially be leveraged to target enterprises in the future."

Beyond this particular malware, Microsoft's recommendations are a good idea for protecting the enterprise from all sorts of botnets besides just the Minecraft-focused sort, according to Vulcan Cyber's Mike Parkin.

"They're industry best practices — restricting access, changing default passwords to strong ones, enabling multifactor authentication, etc. — and should be implemented regardless," Parkin says. "While some of the techniques can be challenging to implement on some low-power IoT devices, deploying to best practices is the absolute minimum that should be happening."

New Botnet Targeting Minecraft Servers Poses Potential Enterprise Threat

Cybercriminal rats are at play: Several food suppliers and distributors have experienced hundreds of thousands of dollars in losses after fulfilling fraudulently placed orders for food and ingredient shipments.

Threat actors have typically used business email compromise (BEC) attacks to steal money from unwary organizations in recent years. But in a new twist, cybercriminals are using them to steal food shipments and ingredients from suppliers and distributors around the country.

The FBI and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) on Dec. 16 issued an alert warning that the attacks have been going on since at least the beginning of this year and have cost several organizations hundreds of thousands of dollars in losses so far.

"While BEC is most commonly used to steal money, in cases like this, criminals spoof emails and domains to impersonate employees of legitimate companies to order food products," the two agencies said in the joint cybersecurity advisory.

While the behavior has a certain rat-like scavenging quality to it, the goal behind these thefts often is to repackage and resell the stolen food items without regard for safety and sanitation regulations, they said.

**A Fridge-Full of Incidents**

The advisory highlighted several examples — the earliest one going back to February — where companies have fallen victim to the scam. In one incident in August, a food distributor received an email order supposedly from the chief financial officer of a multinational snack and beverage company for two full truckloads of powered milk. The attacker used the actual name of the CFO but had an email address that contained an extra letter in the domain name than that of the real company. The food distributor fell for the scam and later had to pay their supplier more than $160,000 for the fraudulent shipment.

Also in February, a food manufacturer experienced more than $600,000 in losses after receiving and shipping orders for whole milk powder and nonfat dry milk from four different fraudulent companies. In each instance, the attackers used real employee names and emails with slight variations of domain names belonging to legitimate companies to place the orders.

In another incident in April, an ingredient supplier received a request — purportedly from the president of another large food manufacturer — for pricing information for whole milk powder via the company's Web portal. In this instance, the supplier ran a credit check on the spoofed food manufacturer, extended a line of credit to the company, and made the first of two $100,000 shipments to the criminals, before realizing something was amiss. 

The FBI and FDA OCI alert mentioned other incidents as well where criminals attempted to pull off similar heists but were not successful. 

In each of these attacks, the criminals have created email accounts and websites that look nearly identical to those of a legitimate company but contain nearly indiscernible differences — for example, an extra letter or substitute character such as a "1" instead of a lowercase "l." Their tactics have often included gaining access to a legitimate company's email system and using that to send fraudulent emails to targeted victims.

To add further legitimacy to their fraudulent communications, the attackers have used the actual names of executives and employees at legitimate businesses and used copied company logos in their emails and other documents. The attackers have also used the actual business information of legitimate companies to pass credit checks and obtain lines of credit for fraudulently purchasing food supplies and ingredients from victim companies.

Losses continue to mount from BEC attacks, although the food theft scams are different from usual tactics where threat actors scam organizations into making fraudulent money transfers. In 2021, losses from BEC attacks totaled nearly $2.4 billion, making it one of the most financially damaging online crimes, according to the FBI's Internet Crime Complaint Center (IC3). Many BEC attacks target small and midsize companies, though large organizations are often victims as well. 

A report that IC3 released earlier this year showed that BEC attacks are only continuing to grow and evolve. IC3 estimated that between June 2016 and last December, there were some 241,206 BEC attacks that cumulatively caused organizations worldwide a staggering $43 billion in losses.

**The Big Takeaway**

The takeaway from these attacks is that threat actors can be clever and will adapt their techniques to find ways around an organization's defenses, says Mike Parkin, senior technical engineer at Vulcan Cyber. 

"While using the BEC vector to steal finished food shipments or raw materials seems like a lot more work than simply fooling the victim into sending cash, that may have been the point," he says. "The threat actors here went for a novel scheme in order to slip under the radar and, possibly, steal more than they might have gotten from a single faked invoice."

Mika Aalto, co-founder and CEO at Hoxhunt, says the attacks on the food industry are a reminder of why BEC is the costliest form of cybercrime worldwide. "We've called BEC the kingpin of cybercrime in the past. Advanced technologies will make BEC a monster, particularly for global companies."

The FBI and FDA OCI urged organizations in the food sector to play closer attention to vetting new customers and vendors, especially to things like the new company's name and branding. 

"Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners," they noted. 

Organizations should look for additional punctuation, changes in the top-level domains, misspellings, and added prefixes or suffixes. They should also conduct periodic Web scans to ensure that attackers are not spoofing their domain and brands, the advisory said.

FBI: Criminals Using BEC Attacks to Scavenge Food Shipments

A comprehensive data privacy program requires involvement from all parts of the business that deal with personal data.

Most organizations are ill-equipped when it comes to meeting upcoming compliance standards for data privacy, according to a new CYTRIO report focused on GDPR and California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) Data Subject Access Request (DSAR) requirements.

However, the results also indicated that noncompliant companies are making progress moving up the compliance maturity curve by moving to automate processes.

A major stumbling block for nearly all organizations surveyed is the cost and complexity of data privacy management solutions.

Vijay Basani, CEO of CYTRIO, says the most concerning surveying finding was that 52% of respondents who said they need to comply with the CCPA and CPRA do not provide a mechanism for consumers to exercise their data privacy rights.

"This means more than half the companies are electing to ignore data privacy and do not feel they need to respect the rights of consumers and their customers," he says.

Organizations that are still using error-prone and time-consuming manual processes for GDPR and DSAR requirements could be doing so because they are receiving a very low volume (one to five per year) of data requests.

"This could be a function of consumers not being aware of their data rights, such as right to access, right to delete or do not sell my information, and lack of active enforcement and fines for noncompliance in the U.S.," Basani says.

Bryan Cunningham, advisory council member at Theon Technology, explains that many compliance programs are run mostly by lawyers or financial professionals ill-equipped to evaluate technology and often "somewhat luddite" in their adoption of new technology.

"They are also highly risk averse and, partly because of their lack of understanding, skeptical that automated processes can ensure compliance without manual, human supervision," he says.

In addition, highly performant, trustworthy, and affordable technologies to do this type of work are not yet readily available, despite many vendors working to develop and sell solutions.

**Privacy Management Solutions Complex, Costly**

Most first-generation data privacy management solutions offer effective workflow automation capabilities but do not provide automated data discovery capabilities, Basani says.

Data discovery and identifying all personal information (PI) data belonging to a specific individual is the most time-consuming task.

"A typical company will save bits and pieces of PI data in many data stores, including structured databases and unstructured data stores, such as SharePoint, Office 365, Mailchimp, AWS S3, and so on, as well as SaaS applications such as Salesforce, HubSpot, and Shopify," he explains.

Developing technology to discover PI data in structured, unstructured, and software-as-a-service (SaaS) applications is not easy and requires significant investment.

"Technology tools that do this are costly to procure and take time to deploy," Basani says. "It requires various data stakeholders to collaborate during deployment and to respond to a data request."

To effectively respond to data subject requests, the solutions need to have visibility across a broad variety and significant volume of data store types and cloud environments, according to Claude Mandy, chief evangelist of data security at Symmetry Systems.

"The permissions and integrations required for responding to these requests are a challenge of complexity and scale," he says.

Adding to the cost for most solutions is the fact that many organizations have taken a traditional SaaS approach, requiring them to index this data to the solution provider's only environment, driving up storage and network costs.

**Keys to Holistic Data Privacy Management**

From Basani's perspective, a holistic data privacy policy should include both outward-facing communication clearly informing consumers that their PI data is being collected, and educating internal users and partners about the need to respect privacy and comply with data privacy regulations.

"Discuss what PI data is being collected, obtain consent from the consumers, share how the data is used, shared, stored, and processed," he says. "A privacy policy should clearly state what specific rights a consumer has about their personal data collected by the company."

It should also provide an easy mechanism for a consumer to exercise their data privacy rights, such as right to access or delete their information.

Stakeholders include legal and compliance teams, data owners, data processors, and data users in an organization.

Symmetry Systems' Mandy says a holistic data privacy policy should always start with an accurate and precise understanding of the personal information that an organization collects, uses, stores, and shares.

"It's only from an accurate understanding of information that organizations can reliably and transparently create a data privacy policy that reflects their actual practices," he says.

Refining the policy from the actual practice to desired state will require involvement from general counsel, security, privacy, and data teams.

"Most important are business stakeholders, who can describe how the personal information is used and why it is necessary," Mandy adds.

**Compliance Requirements Likely to Grow in 2023**

The CYTRIO report comes as a growing number of states weigh their own privacy legislation, following moves by California, Colorado, Virginia, and, most recently, Utah.

"We should expect data privacy compliance to continue to move forward in several states in 2023," Basani says.

He notes that as enforcement begins in several states, in addition to CPRA going to effect on Jan. 1, 2023, there will be enhanced consumer education about their data privacy rights.

"As CPPA turns its attention to CPRA enforcement with significantly more resources, we expect a meaningful increase in CPRA enforcement action and fines under CCPA/CPRA," he says.

Increased numbers of CCPA/CPRA fines and media coverage will result in greater consumer education about their data privacy rights, Basani adds.

"We saw this happen under GDPR in Europe, and we will see this happen with CCPA/CPRA," he says. "Employees’ rights to data privacy under CPRA should also increase the number of complaints and potential fines for noncompliance under CPRA."

As more states develop their own flavor of state privacy laws, the privacy landscape will continue to become more complex, adds Mandy Pote, managing principal of strategy, privacy, and risk at Coalfire.

"Organizations may find it difficult to keep up with new requirements – understanding applicability and determining reporting requirements," she says.

From her perspective, the best solution is to adopt a comprehensive data privacy program with the objective of implementing the most stringent set of privacy control requirements such that they follow current and future privacy laws.

"Rather than applying this program to certain systems or a certain subset of data, privacy should be blanketly implemented across the organization to ensure proper coverage," she notes.

Source

DARKReading