New laws have made the current US privacy landscape increasingly complex.

With 65% of the global population expected to have its personal data covered under modern privacy regulations by 2023, respecting data privacy has never been more critical. As an example, the introduction of the federal American Data Privacy and Protection Act (ADPPA), along with the recent passage of a patchwork of state-level privacy laws, has made the current US privacy landscape increasingly complex. This results in challenges for organizations, both in managing exploding volumes of data and understanding how specific data privacy regulations apply to them.

As businesses of all sizes try to remain on top of ever-changing data privacy laws and proactively monitor relevant rules, they should also be taking necessary steps to map where consumer and employment data lives, and the potential risks to that data. By bolstering cybersecurity defenses, organizations can be better prepared for data privacy regulations, now and in the future.

Let's remember why this has become so vital. First, consumers and employees are more informed than ever about personal rights and how data privacy regulations apply to them. This is an important and positive development, considering the dramatic increase in the risk of fines and litigation for noncompliance — one of the foundations necessary for protecting individual rights.

The convergence of personally identifiable information (PII) and protected health information (PHI) also represents data risks. For example, payment information from an insurance claim, along with an email address and other digital breadcrumbs found on the Internet, can be used to steal identities or result in data exfiltration. In addition, the adoption and long-term acceptance of hybrid work models can create challenges. Some organizations ask their employees very focused questions about behaviors and work-from-home arrangements for measuring productivity. Depending on the specific questions, there could be further privacy implications.

**Landscape of Confusion**

Given the vast varieties and jurisdictions of the current data privacy and protection regulations, there can be some confusion. For example, US companies located in North Dakota that conduct business domestically may be somewhat less preoccupied with rules that apply overseas. By contrast, for US organizations offering goods and services in the UK or EU, regulations such as the General Data Protection Regulation (GDPR) — along with the potential for penalties if they are breached — may well apply.

Additionally, in some organizations preconceptions related to the size of the company could cause compliance or regulatory issues, such as believing a company is too small for the data privacy regulations to apply. While it's true that most of the newer regulations focus on companies of a certain size, the actual sizing criteria may relate to a range of factors, such as the number of employees or annual revenue. Whether data privacy regulations apply or not might also depend on the volume of consumer information an organization handles.

The point is, every set of regulations has nuances, which is why it's important to understand both the relevance and boundaries of each. This should be monitored under regular review, particularly as organizations grow and regulations begin to apply where they didn't before. For instance, there have been recent developments around the new EU–UK Data Privacy Framework, also known as Privacy Shield 2.0, concerning intelligence activities.

A good rule of thumb is to follow best practices as soon as possible, so when the need for formal compliance arrives, everything is in place. The risk of getting it wrong is serious, with organizations potentially facing massive fines for non-compliance. That says nothing of the impact to brand reputation when a serious breach is revealed, including loss of consumer, employee, or investor confidence, where the effects can be prolonged and painful.

**Time for Federal Laws?**

New data privacy laws are being proposed on a regular basis. There are five US states set to have key regulations going into effect in 2023: California, Virginia, Colorado, Connecticut, and Utah. With 10% of US states to be covered by data privacy legislation by the end of next year, it's clear that a federal law would be useful.

In particular, federal legislation could play a critical role in aligning the US with other countries on the subject of data privacy. It would also provide vendors and users with much-needed clarity on how to use, store, and manage sensitive data. This alone would go a long way in clearing up the widespread confusion that abounds due to the existing patchwork of regulation. While the exact timing of federal legislation like the proposed ADPPA is unclear, it's not a matter of if, but when.

Overall, data and the laws that govern its protection exist within a rapidly evolving regulatory ecosystem. Further change — both domestically and internationally — is inevitable. Therefore, organizations must focus on the short- and long-term responsibilities of handling and safeguarding data. It's not just the right thing to do ethically and morally, it also represents sound decision making for the health of the business.

Where Are We Heading With Data Privacy Regulations?

As the open source social media network grabs the spotlight as a Twitter replacement, researchers caution about vulnerabilities.

From an anonymous server collecting user information to configuration errors that create vulnerabilities, infosec experts are pointing out security holes in Mastodon, which, seen as a replacement for Twittern is experiencing massive user growth — and an increased scrutiny of its flaws.  

Unlike other social media apps, which have a central authority, Mastodon is a federation of servers that can communicate with each other but which are maintained and run separately by independent admins. That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.

One of the most popular "instances" — the Mastodon term for individual servers/communities — for the cybersecurity community is infosec.exchange, and its members certainly scrutinize its configuration. Gareth Heyes (@gaz on infosec.exchange), a researcher at PortSwigger, uncovered an HTML injection vulnerability stemming from attributes of the specific software fork used.

In another example from a recent Security Week article, Lenin Alevski (@alevsk on infosec.exchange), a security software engineer at MinIO, pointed out a system misconfiguration that would allow him to download, modify, or delete everything in the instance's S3 cloud storage bucket.

Finally, researcher Anurag Sen (@hak1mlukha on infosec.exchange) discovered an anonymous server that was scraping Mastodon user data.

**Twitter Users Flock to Mastodon**

Until recently, Mastodon was considered part of the social-media underground, an alternative to Twitter created in 2016 as an escape hatch in the face of buyout rumors. When Elon Musk first agreed to buy the microblogging behemoth back in April, Mastodon gained 30,000 new users in a day, compared with a more typical growth of below 2,000 a day. But that's a drop in the bucket compared with the 135,000 new users who joined on Nov. 7.

"Treat the Fediverse and any Mastodon instance as a place to share information, connect, and collaborate in the same way you'd do those things in person in a town square or public coffee shop. In short, don't use Mastodon to send sensitive, personal, or private information you wouldn't be comfortable posting publicly anyway," said Melissa Bischoping, director and endpoint security research specialist at Tanium, via email.

"Aside from the code, the way Mastodon is segmented means one or two people who administer a particular instance are the weak link in the security model," added David Maynor, senior director of threat intelligence at Cybrary. "My moving advice is firmly 'buyer beware.'"

Of course, Twitter is no stranger to security issues, so _caveat emptor_ is timeless and universal.

Cybersecurity Pros Put Mastodon Flaws Under the Microscope

An AI's "world" only includes the data on which it was trained, so it otherwise lacks context — opening the door for creative attacks from cyber adversaries.

Artificial intelligence and machine learning (AI/ML) systems trained using real-world data are increasingly being seen as open to certain attacks that fool the systems by using unexpected inputs.

At the recent Machine Learning Security Evasion Competition (MLSEC 2022), contestants successfully modified celebrity photos with the goal of having them recognized as a different person, while minimizing obvious changes to the original images. The most common approaches included merging two images — similar to a deepfake — and inserting a smaller image inside the frame of the original.

In another example, researchers from the Massachusetts Institute of Technology (MIT), University of California at Berkeley, and FAR AI found that a professional-level Go AI — that is, for the ancient board game — could be trivially beaten with moves that convinced the machine that the game had completed. While the Go AI could defeat a professional or amateur Go player because they used a logical set of movies, an adversarial attack could easily beat the machine by making decisions that no rational player would normally make.

These attacks highlight that while AI technology may work at superhuman levels and even be extensively tested in real-life scenarios, it continues to be vulnerable to unexpected inputs, says Adam Gleave, a doctoral candidate in artificial intelligence at the University of California at Berkeley, and one of the primary authors of the Go AI paper.

"I would default to assuming that any given machine learning system is insecure," he says. "\[W\]e should always avoid relying on machine learning systems, or any other individual piece of code, more than is strictly necessary \[and\] have the AI system recommend decisions but have a human approve them prior to execution."

All of this underscores a fundamental problem: Systems that are trained to be effective against "real-world" situations — by being trained on real-world data and scenarios — may behave erratically and insecurely when presented with anomalous, or malicious, inputs.

The problem crosses applications and systems. A self-driving car, for example, could handle nearly every situation that a normal driver might encounter while on the road, but act catastrophically during an anomalous event or one caused by an attacker, says Gary McGraw, a cybersecurity expert and co-founder of the Berryville Institute of Machine Learning (BIML).

"The real challenge of machine learning is figuring out how to be very flexible and do things as they are supposed to be done usually, but then to react correctly when an anomalous event occurs," he says, adding: "You typically generalize to what experts do, because you want to build an expert ... so it's what clueless people do, using surprise moves ... that can cause something interesting to happen."

**Fooling AI (And Users) Isn't Hard**

Because few developers of machine learning models and AI systems focus on adversarial attacks and using red teams to test their designs, finding ways to cause AI/ML systems to fail is fairly easy. MITRE, Microsoft, and other organizations have urged companies to take the threat of adversarial AI attacks more seriously, describing current attacks through the Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) knowledge base and noting that research into AI — often without any sort of robustness or security designed in — has skyrocketed.

Part of the problem is that non-experts who do not understand the mathematics behind machine learning often believe that the systems understand context and the world in which it operates. 

Large models for machine learning, such as the graphics-generating DALL-e and the prose-generating GPT-3, have massive data sets and emergent models that appear to result in a machine that reasons, says David Hoelzer, a SANS Fellow at the SANS Technical Institute. 

Yet, for such models, their "world" includes only the data on which they were trained, and so they otherwise lack context. Creating AI systems that act correctly in the face of anomalies or malicious attacks requires threat modeling that takes into account a variety of issues.

"In my experience, most who are building AI/ML solutions are not thinking about how to secure the ... solutions in any real ways," Hoelzer says. "Certainly, chatbot developers have learned that you need to be very careful with the data you provide during training and what kinds of inputs can be permitted from humans that might influence the training so that you can avoid a bot that turns offensive."

At a high level, there are three approaches to an attack on AI-powered systems, such as those for image recognition, says Eugene Neelou, technical director for AI safety at Adversa.ai, a firm focused on adversarial attacks on machine learning and AI systems.

Those are: embedding a smaller image inside the main image; mixing two sets of inputs — such as images — to create a morphed version; or adding specific noise that causes the AI system to fail in a specific way. This last method is typically the least obvious to a human, while still being effective against AI systems.

In a black-box competition to fool AI systems run by Adversa.ai, all but one contestant used the first two types of attacks, the firm stated in a summary of the contest results. The lesson is that AI algorithms do not make systems harder to attack, but easier because they increase the attack surface of regular applications, Neelou says.

"Traditional cybersecurity cannot protect from AI vulnerabilities — the security of AI models is a distinct domain that should be implemented in organizations where AI/ML is responsible for mission-critical or business-critical decisions," he says. "And it's not only facial recognition — anti-fraud, spam filters, content moderation, autonomous driving, and even healthcare AI applications can be bypassed in a similar way."

**Test AI Models for Robustness**

Like other types of brute-force attacks, rate limiting the number of attempted inputs can also help the creators of AI systems prevent ML attacks. In attacking the Go system, UC Berkeley's Gleave and the other researchers built their own adversarial system, which repeatedly played games against the targeted system, raising the victim AI's difficulty level as the adversary became increasingly successful.

The attack technique underscores a potential countermeasure, he says.

"We assume the attacker can train against a fixed 'victim' agent for millions of time steps," Gleave says. "This is a reasonable assumption if the 'victim' is software you can run on your local machine, but not if it's behind an API, in which case you might get detected as being abusive and kicked off the platform, or the victim might learn to stop being vulnerable over time — which introduces a new set of security risks around data poisoning but would help defend against our attack."

Companies should continue following security best practices, including the principle of least privilege — don't give workers more access to sensitive systems than they need or rely on the output of those systems more than necessary. Finally, design the entire ML pipeline and AI system for robustness, he says.

"I'd trust a machine learning system more if it had been extensively adversarially tested, ideally by an independent red team, and if the designers had used training techniques known to be more robust," Gleave says.

Adversarial AI Attacks Highlight Fundamental Security Issues

The Vietnam-based financial cybercrime operation's primary goal is to push out fraudulent ads via compromised business accounts.

A financially motivated threat actor targeting individuals and organizations on Facebook's Ads and Business platform has resumed operations after a brief hiatus, with a new bag of tricks for hijacking accounts and profiting from them.

The Vietnam-based threat campaign, dubbed Ducktail, has been active since at least May 2021 and has affected users with Facebook business accounts in the United States and more than three dozen other countries. Security researchers from WithSecure (formerly F-Secure) who are tracking Ducktail have assessed that the threat actor's primary goal is to push out ads fraudulently via Facebook business accounts to which they manage to gain control.

**Evolving Tactics**

WithSecure spotted Ducktail's activity earlier this year and disclosed details of its tactics and techniques in a July blog post. The disclosure forced Ducktail's operators to suspend operations briefly while they devised new methods for continuing with their campaign.

In September, Ducktail resurfaced with changes to the way it operates and to its mechanisms for evading detection. Far from slowing down, the group appears to have expanded its operations, onboarding multiple affiliate groups to its campaign, WithSecure said in a report on Nov. 22.

In addition to using LinkedIn as an avenue for spear-phishing targets, as it did in previous campaigns, the Ducktail group has now begun using WhatsApp for targeting users as well. The group has also tweaked the capabilities of its primary information stealer and has adopted a new file format for it, to evade detection. Over the course of the last two or three months, Ducktail also has registered multiple fraudulent companies in Vietnam, apparently as a cover for obtaining digital certificates for signing its malware.

"We believe the Ducktail operation uses hijacked business account access purely to make money by pushing out fraudulent ads," says Mohammad Kazem Hassan Nejad, a researcher at WithSecure Intelligence. 

In situations where the threat actor gains access to the finance editor role on a compromised Facebook business account, they also have the ability to modify business credit card information and financial details, such as transactions, invoices, account spending, and payment methods, Nejad says. This would allow the threat actor to add other businesses to the credit card and monthly invoices, and use the linked payment methods to run ads.

"The hijacked business could therefore be used for purposes such as advertising, fraud, or even to spread disinformation," Nejad says. "The threat actor could also use their newfound access to blackmail a company by locking them out of their own page."

**Targeted Attacks**

The tactic of Ducktail's operators is to first identify organizations that have a Facebook Business or Ads account and then target individuals within those companies whom they perceive as having high-level access to the account. Individuals the group has typically targeted include people with managerial roles or roles in digital marketing, digital media, and human resources. 

The attack chain starts with the threat actor sending the targeted individual a spear-phishing lure via LinkedIn or WhatsApp. Users who fall for the lure end up having Ducktail's information stealer installed on their system. The malware can carry out multiple functions, including extracting all stored browser cookies and Facebook session cookies from the victim machine, specific registry data, Facebook security tokens, and Facebook account information. 

The malware steals a wide range of information on all businesses associated with the Facebook account, including name, verification stats, ad spending limits, roles, invite link, client ID, ad account permissions, permitted tasks, and access status. The malware collects similar information on any ad accounts associated with the compromised Facebook account.

The information stealer can "steal information from the victim's Facebook account and hijack any Facebook Business account to which the victim has sufficient access by adding attacker-controlled email addresses into the business account with administrator privileges and finance editor roles," Nejad says.  Adding an email address to a Facebook Business account prompts Facebook to send a link via email to that address — which, in this case, is controlled by the attacker. The threat actor uses that link to gain access to the account, according to WithSecure.

Threat actors with admin access to a victim's Facebook account can do a lot of damage, including taking full control of the business account; viewing and modifying settings, people, and account details; and even deleting the business profile outright, Nejad says. When a targeted victim might not have sufficient access to allow the malware to add the threat actor’s email addresses, the threat has actor relied on the information exfiltrated from the victims’ machines and Facebook accounts to impersonate them.

**Building Smarter Malware**

Nejad says that prior versions of Ducktail's information stealer contained a hard-coded list of email addresses to use for hijacking business accounts. 

"However, with the recent campaign, we observed the threat actor removing this functionality and relying entirely on fetching email addresses directly from its command-and-control channel (C2)," hosted on Telegram, the researcher says. Upon launch, the malware establishes a connection to the C2 and waits for a duration of time to receive a list of attacker-controlled email addresses in order to proceed, he adds.

The report lists several steps that organization can take to mitigate exposure to Ducktail-like attack campaigns, beginning with raising awareness of spear-phishing scams targeting users with access to Facebook business accounts. 

Organizations should also enforce application whitelisting to prevent unknown executables from running, ensure that all managed or personal devices used with company Facebook accounts have basic hygiene and protection in place, and use private browsing to authenticate each work session when accessing Facebook Business accounts.

Ducktail Cyberattackers Add WhatsApp to Facebook Business Attack Chain

Cybercrooks have drained DraftKings accounts of $300K in the past few days thanks to credential stuffing, just as the 2022 FIFA World Cup starts up.

The popular online betting platform DraftKings has been targeted by credential-stuffing attacks — allowing cyberthieves to make off with around $300,000 in ill-gotten funds so far.  

One of its rivals, FanDuel, also said this week that it's seen an uptick in account takeover attempts against its customers.

Credential stuffing is a tactic where cybercrooks try to compromise accounts by using lists of username-and-password combinations gleaned from previous breaches, often purchased on the Dark Web. They bank — quite literally — on account holders reusing their email addresses and passwords across multiple accounts, so that a credential phished from, say, a Netflix user will work against higher-value targets like financial or online-gambling accounts.

Starting this weekend, reports on social media began cropping up from DraftKings users, complaining that they had been locked out of their accounts and their funds drained. The company soon confirmed the activity.

"DraftKings is aware that some customers are experiencing irregular activity with their accounts," Paul Liberman, DraftKings' co-founder and president for global technology and product, said in a media statement on Monday. "We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information."

While the number of accounts affected is unknown, the company said that about $300,000 in funds have been drained so far, and that it intends to "make whole any customer that was impacted."

**Cybercriminals Eye World Cup & More**

The increased activity could be due to the confluence of the NHL and NBA seasons starting, and the NFL season entering the make it-or-break-it phase before the playoffs — and, of course, the 2022 FIFA World Cup kicking off over the weekend.

"Online gambling sites are attractive targets due to the large amounts of money that are wagered on a daily basis," Chris Hauk, consumer privacy champion at Pixel Privacy, tells Dark Reading. "Many customers let their winnings ride (don't cash in when they win) so they have balances they can wager for the next game, match, or other sporting event. This is particularly true now, as the World Cup is now being conducted in Qatar, as soccer matches are attractive to bettors."

And indeed, DraftKings is not alone in seeing an uptick in attacks; one of its main competitors, FanDuel, told CNBC that it has also seen increased account targeting (though no confirmed compromises so far). Yet amid the increased cybercriminal interest, the success of the DraftKings attackers points out an ongoing issue with user awareness, according to James McQuiggan, security awareness advocate at KnowBe4.

"As many data breaches and attacks have occurred, people still don't realize the implications of having their bank accounts attached to their gambling accounts. If not protected adequately, they can be subject to theft," he says. "Most of the time, people don't think it will happen to them and lack the awareness of the various attacks and lengths that cybercriminals will go to steal their money or identity."

The stakes are high for online gambling businesses too. "DraftKings and other online betting sites could see their reputations suffer if they are targeted by attacks like this," Hauk says. "Bettors may lose their faith in the sites as to whether they are secure and can keep their bettors' balances safe from being drained by bad actors."

**More Robust Multifactor Authentication Is Needed**

DraftKings, like most online account providers, offers two-factor authentication for users as an option. But it's not required.

"DraftKings does not force users to enable two-factor authentication on their accounts," explains Paul Bischoff, privacy advocate at Comparitech. "The only exception is Connecticut, which requires DraftKings to force-enable two-factor authentication for all accounts geolocated there. I think this is a mistake given how much money is at stake. Hacking accounts with 2FA enabled would require a further attack to acquire the one-time codes, which makes them far less vulnerable."

Given what's at stake for the business and its customers, Hauk notes that putting more robust protection options in place for users should be an imperative, starting with requiring, at the very least, 2FA that relies on one-time passwords sent via text or email.

KnowBe4's McQuiggan notes that there are also mechanisms for encouraging better user choices.

"Companies' approaches should also \[include the ability to\] cross-reference passwords against known passwords involved in breaches," he explains. "If the users are using simple and breached passwords, they should request that the users reset their passwords to unique and secure passwords."

That said, while these measures could remove some low-hanging fruit, simple 2FA can of course be subverted without too much effort. Thus, researchers note that the proper way to secure accounts would be with FIDO2-approved authentication methods, using non-phishable MFA. But unfortunately, we're not likely to see that implementation anytime soon, given that it's often difficult for these types of companies to adequately balance the user experience with security.

"Much of it comes down to risk-based assessments of the risk of an attack versus the costs to implement more robust MFA applications or features," McQuiggan says. "The gambling sites also want to make it simple for people to log into the platform; if it's too complex, the users will go elsewhere to play. Most users nowadays are familiar with the SMS code, and while it's one of the weaker MFA methods, it's easier for the users to complete account access."

DraftKings Account Takeovers Frame Sports-Betting Cybersecurity Dilemma

To get the full picture, companies need to look into the cybersecurity history and practices of the business they're acquiring.

Imagine getting ready to spend billions of dollars on an acquisition, only to find out that the target of the acquisition was the victim of multiple cyberattacks affecting billions of accounts. One would think such a scenario would be a huge red flag that no corporate board or general counsel would ever forget, regardless of the size of the acquisition, but that clarion call does not seem to be heard universally.

That's what happened around the 2017 revelation of the massive breach of Yahoo uncovered by its sale to Verizon, and it cost the search engine company a $400 million hit to its purchase price. Apparently, however, cybersecurity and related technological components are still relatively low on the essential due diligence checklist.

The right time to start evaluating the cybersecurity risk profile of an acquisition target, experts agree, is early on in the due diligence process. Too often due diligence is limited to balance sheets, sales operations, and outstanding legal obligations, with cybersecurity, compliance, and technical compatibility of security tools left to the end of the discussion, if they are discussed at all.

"The value of pre-sign due diligence is to make sure that companies are assessing all the relevant risks before they sign on the dotted line," says John Hauser, principal and cyber due diligence leader at Ernst & Young, as well as a former FBI special agent and a former assistant United States Attorney. "Cyber can be a major factor in deciding whether or not a client decides to walk away" from a merger or acquisition.

Early cyber due diligence allows a potential suitor to "negotiate better terms through the purchase price reductions, or indemnities, or other contractual provisions," he adds.

In conjunction with the traditional business due diligence, companies are turning to threat intelligence experts to evaluate the prospective target's risk profile, looking for evidence that the company might have been breached with data for sale on the Dark Web or perhaps has weak controls on other internal operations. Using open source intelligence (OSINT), he said, investigators often can find evidence of a breach, such as indicators of leaked credentials, communications between the target company infrastructure and any known malware families and command and control servers, or other insights.

Other significant intelligence can be gleaned by asking the target company to provide data such as attestations made to a cyber insurance provider, source code, penetration test results, and past compliance reports. 

"You're starting to see more technical verification, moving into the pre-sign phase," Hauser says.

**Assessing Vulnerabilities**

Cyber criminals often watch mergers and acquisitions activity, looking for a potentially weak target being acquired by a stronger company, especially one that might have a lot of valuable information for the cybercrooks, notes Heather Clauson Haughian, founder and managing partner at the Atlanta-based law firm Culhane Meadows. Once the acquisition goes through, it would not be uncommon for the target firm to get attacked with the hopes of breaching a weak link and thus accessing the more lucrative part of the merged companies.

Another vulnerability occurs when organizations with differing compliance requirements join, Haughian says. While the acquiring organization might be well versed in its own compliance reporting requirements, it might not have the same expertise with the company it acquires.

If the acquiring company does not employ compliance experts for the acquired company's operations, there could be a gap in compliance reporting, along with missed opportunities to layer security controls over the acquired company, leaving it vulnerable to a cyberattack, she says.

In such cases, using a third-party advisory service is recommended, says Shay Colson, managing partner of cyber diligence at Bellingham, Washington-based firm Coastal Cyber Risk Advisors. A company executing a bolt-on, add-on, or tuck-in acquisition can have its third-party adviser evaluate the target's security posture, including what its program looks like, strengths and weaknesses, and existing security tool sets. 

"Then you can get views on the targets that are both objective to the target and deal with this integration challenge," he says.

**Taking Responsibility**

Ultimately, general counsels need to come up to speed as quickly as possible on cyber risk and cybersecurity. "They are going to be the ones who own cyber risk at their enterprise because if there's an incident, they're calling outside counsel, they're coordinating forensics, and they're looking at regulatory response obligations," Colson says.

"I think the more proactive \[general counsels\] are, \[they are\] going to realize that cyber risk is a place where they can actually drive value to the business and enable things," he adds. "It's just a matter of time before more and more GCs get on board with that."

EY's Hauser said that SEC Chairman Gary Gensler's recent proposed rules for public companies and other financial services organizations could help boards of directors to navigate through the cybersecurity due diligence challenges.

There is a consensus that there is a growing risk of cybercrimes and that boards need to pay greater attention to it, he said. Courts and regulators are making it explicitly clear that failing to do proper cyber due diligence makes it easier for a future plaintiff to accuse a board member of negligence. That, combined with Gensler's proposed rules that put more personal responsibility on C-suites and board members, and you have the perfect storm for cybersecurity experts to take a more active role in board-level decisions, he notes.

Cyber Due Diligence in M&As Uncovers Threats, Improves Valuations

As SASE adoption grows, with its allure of simplified protection via one network and security experience for hybrid workers, remember: Have an overall plan, integrate and migrate to scale usage, and start small.

Digital transformation is ubiquitous across nearly every sector from tech to healthcare to the public sphere, and the result is a new way of connectivity. Cloud migration, with resources moving from the offices to the cloud, and mobility, employees working outside the office, are both large factors in this transformation and have dissolved the perimeter we once knew. In turn, security needs to keep pace.

Midsize businesses have made themselves agile in protecting data, resources, and users by adopting secure access service edge (SASE) solutions. Gartner first coined the term back in 2019 and adoption was accelerated by pandemic-related closures, since remote access security is covered by SASE. Unlike many other shifts caused by the pandemic, SASE is not a temporary measure.

According to Gallup, 59% of employees prefer to work in a hybrid environment, nearly double the 32% that had the same preference in 2019. The CIO 2022 SASE Market Trends Study reports 94% of IT directors and enterprise leaders said the need to make remote work sustainable for the long term has accelerated their interest and investment in SASE. 

**SASE Keeps Hybrid Work Sustainable**

Hybrid work is here to stay, and many businesses are adjusting, now running their corporate networks over the Internet to cover both on-premises and remote users. SASE tools — such as secure Web gateways (SWGs) and zero-trust network access (ZTNA) solutions — are a means of protecting those networks.

SASE adoption is still on the rise. According to a report by Dell'Oro Group, SASE saw 30% growth in the second quarter, and SASE spending is on pace to top $6 billion this year. Modern businesses are adapting faster, while legacy enterprises are still planning the migration. 

The road has been paved for them to join the SASE movement. This has been the pattern with other tech trends, similarly to when Slack went from an underground communications tool to a mainstream necessity for all.

What's the best path for large enterprises' road to SASE? Let's look at three steps every business should take along the way.

**Understand Your End Goal**

It's hard to roll out any plan without a blueprint, including implementing SASE solutions. The objective is to have a unified network and security experience inside and outside the office. That doesn't mean you need to rip and replace all your existing infrastructure, though.

Any SASE vendor should be able to work with the resources you already have as a starting point. You may have even already implemented some of the individual components of SASE, such as a ZTNA tool for remote access, a secure Web gateway, or a cloud access security broker (CASB) to protect employees accessing the Internet and SaaS applications.

Getting all the components in place will properly secure the hybrid environment, which we know is the way of the future. Delaying implementation of these components has a ripple effect and it leaves your business underprotected, which will only cost you down the road.

**Integrate and Migrate**

Many businesses were forced to address remote access at the beginning of the pandemic, which is a well-documented access point for SASE. The other common challenge that leads businesses to adopt SASE is Internet security. SWGs can help you secure employees' Internet access, even outside of the office.

Some enterprises claim to be satisfied with what they currently have (because they've already invested time and money in these tools), but legacy solutions can't solve today's challenges. SASE gives you the opportunity to integrate and migrate new assets to the cloud so you can start small and scale your usage. It doesn't require many resources to get up and running.

All the SASE components can be delivered via cloud-based software, so there is no overhead cost involved for installing and maintaining hardware solutions in an office that may be empty. This modern approach to security complements the changing business landscape, where employees are moving outside the office and resources are migrating to the cloud.

**Start Small**

A common pain point for businesses that adopt SASE is how to get started. Don't try to boil the ocean. Begin implementing SASE for a specific group, such as third-party vendors, your developers, or your quality assurance team, then continue with other departments.

Another approach is to implement based on use case. You're setting up a new public cloud environment and want to ensure you have the proper protection, or you decide to just tackle a set of devices that will be doled out to employees. Implementing SASE step by step will keep you from having to boil the ocean. Once you get it right for a specific department or use case, you can easily expand implementation to other areas.

Taking this approach eases what can be an arduous process. Vendors that require installation of hardware on Day 0 only create complexity and add confusion. This is antithetical to the allure of SASE — simplified protection so there is only one network and security experience.

As SASE adoption continues, particularly in the realm of large enterprises, it will require a new mindset. The headaches of legacy hardware needing add-ons and extra configurability to solve modern problems no longer apply. A scalable, cost-efficient, and cloud-based service is the way of the future to provide simple yet comprehensive security no matter how large your business is or where you connect from.

How Work From Home Shaped the Road to SASE for Enterprises

Orgs are in the middle of a rapid increase in the use of new collaboration tools to serve the needs of an increasingly dispersed workforce — and they're paying a very real security price.

Enterprises are spending nearly $1,200 a year per employee to address the risk that cloud-based workforce collaboration apps bring to their business. 

It's a well-known reality at this point that with corporate workers more dispersed than ever due to the changing work patterns introduced during the pandemic, enterprises are increasingly relying on new Web-based tools beyond email. These include cloud-based messaging, storage, shared workplaces, customer relationship management (CRM), and other apps and services.

The problem is, these tools also have widely expanded the attack surface for threat actors and increased exposure of corporate assets to the internet. Cybercriminals have quickly recognized the opportunity to exploit this reality — helped along by the fact that many of these apps are largely unproven, security-wise, according to a white paper published Nov. 22 by Osterman Research and sponsored by Perception Point.

"Threat actors have responded quickly to the emergence of new channels for employee productivity and collaboration," the researchers wrote.

Specifically, organizations are now paying $1,197 per employee each year to address successful cyber incidents across email services, cloud collaboration apps or services, and Web browsers — meaning a 500-employee company spends, on average, $600,000 on an annual basis, the researchers found. This cost excludes compliance fines, ransomware mitigation costs, and business losses from non-operational processes, they said.

Researchers ran a survey of 250 security and IT decision-makers to parse this surge in malicious incidents against these new services, and found that 60% of the attack attempts arrive via email — which remains the most widely attacked enterprise service, the researchers found.

Moreover some attacks — such as those involving malware installed on an endpoint — are occurring with even more frequency, up 87%.

The situation is only likely to get worse, with more than 70% of respondents believing the frequency of security threats will remain the same or increase over the next two years, the researchers said. This outlook is due to the time organizations need time to respond to the rapid rate of expansion in the use of these apps and adjust their new security posture accordingly, they acknowledged.

**Too Many Cloud Collaboration Apps?**

On average, organizations surveyed said they use about six various apps and services for communication and collaboration across their workforce. 

Among the most popular apps being used for workforce collaboration now include messaging apps such as Microsoft Teams, Slack, or WhatsApp; cloud storage and collaboration apps such as Google Drive, OneDrive, SharePoint, or Box; shared workspaces such as Microsoft Teams, Google Workspace, or Huddle; enterprise social networks such as Facebook Workplace, Jive, or Microsoft Yammer; CRM tools such as Salesforce, HubSpot, Zendesk, or Microsoft Dynamics CRM; cloud storage services such as AWS S3 buckets or Microsoft Blob Storage; and online meeting tools such as Zoom, WebEx, or Microsoft Teams meetings.

Moreover, employees also use a host of unsanctioned communication and cloud collaboration apps, such as personal Dropbox storage accounts or personal Zoom accounts, which also put the enterprise at risk.

There have been recent security incidents that highlight the vulnerability of these apps and why enterprises should be paying close attention. Researchers from Varonis Threat Labs, for instance, recently found multiple security vulnerabilities — including a nasty SQL injection bug — in Zendesk's Web-based CRM platform that could have allowed attackers to access sensitive information from potentially any customer account.

Meanwhile, legions of databases — and, thus, customers' personally identifiable information (PII) — are being inadvertently exposed to the Internet monthly through a feature of Amazon Relational Database Service, a popular cloud-based data-backup service offered by Amazon Web Services, according to recent research from the Mitiga Research Team.

Both of these incidents demonstrate the security weaknesses lurking in the cloud-based apps that are becoming the backbone of enterprise workforce collaboration, with 19% of respondents acknowledging that they use as many as nine of these tools, significantly increasing their attack surface, the researchers said.

"Using such a wide range of tools increases the amount of vectors which attackers can target," they wrote.

Not only are there more attacks against these apps and services but they're also increasing in sophistication, the researchers found. A full 72% of respondents indicated that attacks against cloud storage services have grown more sophisticated over the past year, and 57% said the same about attacks against email.

"This trend is especially concerning given the rapid rate of adoption of new cloud-based apps and services," the researchers noted.

**How to Respond**

The situation clearly demands a response from enterprises, which have a number of options for how they can address and minimize their risk of attack against these various apps and services, the researchers said.

However, it will take some effort on their part, including an updating of traditional security postures, noted Michael Sampson, senior analyst at Osterman Research

"Organizations cannot afford — financially or reputationally — to rely on outdated approaches," he said in a press statement. "Our survey demonstrates the clear need for agile and holistic threat prevention solutions."

Enterprises are already on the case, according to the report. Some ways organizations said they will try to mitigate the situation in the coming year include deploying at least one new security tool to combat threats, with 69% of respondents saying they plan to deploy three or more.

Enterprises also should be consolidating their security stack for more holistic and efficient threat protection, as well as leveraging managed services to support their security teams with scalable and flexible incident response capabilities, the researchers advised.

"Fast, holistic, and accurate threat prevention across all channels is singularly important in an era of increasingly frequent and sophisticated cyber incidents," they wrote.

Enterprises Pay $1,200 Per Employee Annually to Fight Cyberattacks Against Cloud Collab Apps

Google Workspace's team is seeing a spike in phishing and spam hitting Gmail — up 10% in just the last two weeks.

'Tis the season for cybercrime and scams: Just ask Google.

As we move into the holiday season, the cloud giant is already spotting and stopping 10% more spam and phishing messages than usual: It blocked more than 231 billion spam and phishing emails in just the past two weeks. On average, Google says it catches and stops around 15 billion of these sketchy emails in Gmail per day, accounting for 99.9% of all spam, phishing, and malware-laden messages in the service.

Google Workspace Trust & Safety manager Nelson Bradley warned in a Nov. 22 blog post of five main themes and types of email scams to watch out for: gift cards and giveaways; phony charity lures; demographic-targeting; false subscription renewals; and cryptocurrency scams.

Nelson recommends users take time to think over an email before responding, as well as spot-check the information in the email, and, of course, not respond with any personal information or payment. 

"No reputable person or agency will ever demand payment or your personal information on the spot," he wrote.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Blocks 231B Spam, Phishing Emails in Past 2 Weeks

Cybercrime continues to evolve — and shows no signs of slowing down.

Tech companies have created the tools we use to build and run businesses, process consumer transactions, communicate with one another, and organize our personal and professional lives. Technology has shaped the modern world as we know it — and our reliance on tech continues to grow.

The tech industry's importance has not been lost on cybercriminals and nation-state groups, who target tech companies for a variety of reasons: to fulfill strategic, military, and economic goals; to access sensitive corporate data they can hold for ransom or sell on the Dark Web; to compromise supply chains; and much more.

Tech companies are no strangers to cybercrime — they've long been targets of adversary activity — but in the past year, these attacks have rapidly increased. Technology was the most targeted vertical for cyber intrusions between July 2021 and June 2022, according to CrowdStrike threat data. This made tech the most popular sector for threat actors during a year when CrowdStrike threat hunters recorded more than 77,000 potential intrusions, or approximately one potential intrusion every seven minutes.

If this sounds familiar, it's probably because you've seen this threat activity in the news — data breaches affecting the technology industry have dominated headlines in 2022. Tech companies of all sizes should be concerned about the potential for adversary activity, because they're often trying to steal data. Let's take a closer look at the threats that tech companies should be most worried about, what those adversary tactics look like, and how to stop them.

**How Today's Adversaries Target Tech Companies**

Enterprises, small to midsize businesses (SMBs), and startups alike must be aware of the threats they face and how to defend against them.

Adversaries are increasingly moving away from malware in an effort to evade detection: CrowdStrike threat data shows malware-free activity accounted for 71% of all detections between July 2021 and June 2022. This shift is partially related to attackers increasingly abusing valid credentials to gain access and maintain persistence (i.e., establish long-term access to systems despite disruptions such as restarts or changed credentials) in IT environments. However, there is another factor: the rate at which new vulnerabilities are being disclosed and the speed with which adversaries can operationalize exploits.

The number of zero-days and newly disclosed vulnerabilities continues to rise year-over-year. CrowdStrike threat data shows more than 20,000 new vulnerabilities reported in 2021 — more than any previous year — and more than 10,000 were reported by the start of June 2022. This is a clear indication this trend is not slowing down.

A closer look at tactics, techniques, and procedures (TTPs) used during intrusions reveals common patterns in adversary activity. When a vulnerability is successfully exploited, it's routinely followed by the deployment of Web shells (i.e., malicious scripts that enable adversaries to compromise Web servers and launch additional attacks).

**What Can Tech Companies Do to Stop Breaches?**

The technology industry is challenged to maintain a strong defense against a constantly evolving threat landscape. Today's attackers are changing their TTPs to be more subtle, to evade detection, and to cause more damage. It's up to defenders to protect the workloads, identities, and data their business relies on.

There is no one-size-fits-all model for how cybercriminals conduct their attacks, nor is there a single silver bullet for tech companies to defend themselves against every intrusion. However, a closer look at intrusion activity reveals critical areas of focus for IT and security teams. Below are key recommendations:

*   **Get back to basics:** It is paramount that tech companies have the basics of security hygiene in place. This includes deploying a strong patch management program, and ensuring robust user account control and privileged access management to mitigate the effects of compromised credentials.
*   **Routinely audit remote access services:** Adversaries will leverage any pre-existing remote access tooling at their disposal or attempt to install legitimate remote access software in the hope that it evades any automated detections. Regular audits should check to see if the tool is authorized and if the activity falls within an expected timeframe, such as within business hours. Connections made from the same user account to multiple hosts in a short timeframe may be a sign that an adversary has compromised credentials.
*   **Proactively hunt for threats:** Once an adversary breaches a tech company's defenses, it can be tough to detect them as they quietly collect data, look for sensitive information, or steal credentials. This is where threat hunting comes in. By proactively looking for adversaries in their environment, tech companies can detect attacks earlier and strengthen their security posture.
*   **Prioritize identity protection:** Adversaries are increasingly targeting credentials to breach tech companies. Any user, whether they're an employee, third-party vendor, or customer, can unknowingly be compromised and provide an attack path for adversaries. Tech companies must authenticate every identity and authorize each request to prevent cyberattacks, like a supply chain attack, ransomware attack, or data breach.
*   **Don't forget about threat prevention:** For tech companies, threat prevention tools can block cyber threats before they penetrate an environment or before they do damage. Detection and prevention go hand in hand. In order to prevent cyber threats, they must be detected in real-time. The bigger the IT environment, the greater the need for tools that can help with threat detection and prevention.

The evolution of cybercrime and nation-state activity shows no signs of slowing down. Tech companies must strengthen their defenses and understand an adversary's techniques in order to protect their workloads, identities, and data, and keep their organizations running.

Source

DARKReading