*   _Significant Number of Businesses Experienced Permanent Data Loss_
*   _Businesses Unable to Maintain Business Continuity after Losing Data_
*   _Risk to Businesses as Disaster Recovery Plans Aren't Updated, Tested, and Well Documented_

Eden Prairie, MN – September 13, 2022 – Arcserve, the world's most experienced provider of backup, recovery and immutable storage solutions for unified data resilience against ransomware and disasters, today announced key findings from its annual independent global research study that showed the loss of critical data continues to disrupt businesses and remain an issue for organizations. In the research study of experiences and attitudes of IT decision makers (ITDMs), 76% of respondents reported a severe loss of critical data in their organization. Of that number, 45% had permanent data loss. Data is a priceless commodity, and these findings underscore the importance of building data resilience with a robust data backup and recovery plan with data integrity at the core to prevent severe business disruptions.

The research study also found that many organizations could not maintain business continuity on time once data was lost or compromised. It is vital for businesses to quickly recover data, especially in today's always-on world.

*   83% of respondents said that 12 hours or less is an acceptable level of downtime for critical systems before there is a measurable negative business impact. Still, only 52% could recover from a severe data loss in 12 hours or less.
*   29% of the businesses surveyed couldn't recover data for one day or more.

The research results also revealed that a new approach to disaster recovery is needed. Organizations should continuously update, test, and document their disaster recovery plan to build data resilience. The importance of protecting and recovering data should also be elevated to all company levels with specific goals.

*   95% of respondents in the survey said their company has a disaster recovery plan. However, only 24% have a mature plan that is well documented, tested, and updated.
*   83% said their organizations include data resilience in their strategies. Still, only 23% have a mature approach with associated goals to track progress.

Said Florian Malecki, executive vice president, marketing at Arcserve: "Our annual survey reinforces the business imperative for organizations to implement a data resilience strategy that incorporates mature data backup and disaster recovery plans. We live in a world of growing ransomware attacks and frequent natural disasters. Any downtime from data loss can be destructive for a business from impacting sales to losing customer loyalty." He continued: "Arcserve aims to help businesses avoid costly business disasters and reputational damage from data loss with our best-in-class unified data resilience solutions suite. Our backup and recovery solutions, and immutable storage offering, ensure a near-zero impact on businesses."

**About the research conducted by Dimensional Research:** 1,121 IT decision-makers completed the survey. All participants had a budget or technical decision-making responsibility for data management, data protection, and storage solutions at a company with 100 - 2,500 employees and at least 5 TB of data. The survey was fielded in Australia, New Zealand, Brazil, France, Germany, India, Japan, Korea, the United Kingdom, the United States, and Canada (North America).

**About Arcserve**  

Arcserve, a top 5 data protection vendor and unified data resilience platform provider, offers the broadest set of best-in-class solutions to manage, protect, and recover all data workloads, from SMB to enterprise, regardless of location or complexity. Arcserve solutions eliminate complexity while bringing best-in-class, cost-effective, agile, and massively scalable data protection and certainty across all data environments. This includes on-prem, off-prem (including DRaaS, BaaS, and Cloud-to-Cloud), hyper-converged, and edge infrastructures. The company's nearly three decades of award-winning IP, plus a continuous focus on innovation, means that partners and customers, including MSPs, VARs, LARs, and end-users, are assured of the fastest route to next-generation data workloads and infrastructures. A 100% channel-centric organization, Arcserve has a presence in over 150 countries, with 19,000 channel partners helping to protect 235,000 customers' critical data assets. Explore more at arcserve.com and follow @Arcserve on Twitter.

Arcserve Independent Global Study Finds Businesses Still Losing Mission-Critical Company Data

The ransomware gang has been seen exploiting a Mitel RCE flaw discovered in VoIP devices in April (and patched in July) to perform double-extortion attacks.

A ransomware gang has been seen using a unique initial-access tactic to exploit a vulnerability in voice-over-IP (VoIP) appliances to breach corporate phone systems, before pivoting to corporate networks to commit double-extortion attacks.  

Researchers from Artic Wolf Labs have spotted the Lorenz ransomware group exploiting a flaw in Mitel MiVoice VoIP appliances. The bug (tracked as CVE-2022-29499) was discovered in April and fully patched in July, and is a remote code execution (RCE) flaw affecting the Mitel Service Appliance component of MiVoice Connect.

Lorenz exploited the flaw to obtain a reverse shell, after which the group leveraged Chisel, a Golang-based fast TCP/UDP tunnel that’s transported over HTTP, as a tunneling tool to breach the corporate environment, Arctic Wolf researchers said this week. The tool is "mainly useful for passing through firewalls," according to the GitHub page.

The attacks show an evolution by threat actors to use "lesser known or monitored assets" to access networks and perform further nefarious activity to avoid detection, according to Arctic Wolf.

"In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and Internet of Things (IoT) devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected," the researchers wrote.

The activity underscores the need for enterprises to monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices, researchers said.

Mitel identified CVE-2022-29499 on April 19 and provided a script for releases 19.2 SP3 and earlier, and R14.x and earlier as a workaround before releasing MiVoice Connect version R19.3 in July to fully remediate the flaw.

**Attack Details**

Lorenz is a ransomware group that has been active since at least February 2021, and, like many of its cohorts, performs double extortion of its victims by exfiltrating data and threatening to expose it online if victims don't pay the desired ransom in a certain time frame.

Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico, according to Arctic Wolf.

In the attacks that researchers identified, the initial malicious activity originated from a Mitel appliance sitting on the network perimeter. Once establishing a reverse shell, Lorenz made use of the Mitel device’s command line interface to create a hidden directory and proceeded to download a compiled binary of Chisel directly from GitHub, via Wget.

Threat actors then renamed the Chisel binary to "mem," unzipped it, and executed it to establish a connection back to a Chisel server listening at hxxps\[://\]137.184.181\[.\]252\[:\]8443, researchers said. Lorenz skipped TLS certificate verification and turned the client into a SOCKS proxy.

It's worth noting that Lorenz waited nearly a month after breaching the corporate network to conduct additional ransomware activity, researchers said. Upon returning to the Mitel device, threat actors interacted with a Web shell named "pdf\_import\_export.php." Shortly thereafter, the Mitel device started a reverse shell and Chisel tunnel again so threat actors could jump onto the corporate network, according to Arctic Wolf.

Once on the network, Lorenz obtained credentials for two privileged administrator accounts, one with local admin privileges and one with domain admin privileges, and used them to move laterally through the environment via RDP and subsequently to a domain controller.

Before encrypting files using BitLocker and Lorenz ransomware on ESXi, Lorenz exfiltrated data for double-extortion purposes via FileZilla, researchers said.

**Attack Mitigation**

To mitigate attacks that can leverage the Mitel flaw to launch ransomware or other threat activity, researchers recommend that organizations apply the patch as soon as possible.

Researchers also made general recommendations to avoid risk from perimeter devices as a way to avoid the pathways to corporate networks. One way to do this is to perform external scans to assess an organization's footprint and harden its environment and security posture, they said. This will allow enterprises to discover assets about which administrators may not have known so that they can be protected, as well as help define an organization's attack surface across devices exposed to the Internet, researchers noted.

Once all assets are identified, organizations should ensure that critical ones are not directly exposed to the Internet, removing a device from the perimeter if it doesn't need to be there, researchers recommended.

Artic Wolf also recommended that organizations turn on Module Logging, Script Block Logging, and Transcription Logging, and send logs to a centralized logging solution as part of their PowerShell Logging configuration. They also should store captured logs externally so that they can perform detailed forensic analysis against evasive actions by threat actors in the case of an attack.

Lorenz Ransomware Goes After SMBs via Mitel VoIP Phone Systems

How identity-centric security can support business objectives.

With identity's emergence as the new perimeter, its role in supporting digital transformation, cloud adoption, and a distributed workforce is not being overlooked by today's enterprises. According to a recent report (registration required), 64% of IT stakeholders consider effectively managing and securing digital identities to be either the top priority (16%) of their security program or in the top three (48%). Despite this, businesses continue to struggle with identity-related breaches — 84% of the security and IT pros reported their organization suffered such a breach in the past year.

Getting buy-in for identity-centric security is vital, but making a case for investing in cybersecurity isn't about trafficking in FUD (fear, uncertainty, and doubt). Pushing identity further into strategic discussions requires the ability to demonstrate business value — to showcase how identity-based security aligns with and supports business objectives.

Almost all participants in the survey (98%) said the number of identities in their organization was increasing, with commonly cited causes including cloud adoption, more employees using technology, increasing third-party relationships, and growing numbers of machine identities. In this environment, many of today's enterprises have found themselves under immense pressure to ensure seamless and secure access to data and resources in an environment growing more distributed and complex.

This complexity, combined with motivated attackers and the increasing number of identities that must be managed, makes effective identity management a critical part of enabling business operations. Among the organizations that experienced an identity-related breach in the past year, the common threads were issues such as stolen credentials, phishing, and mismanaged privileges. The direct business impacts of a breach can be significant — with 42% citing a significant distraction from the core business, 44% noting recovery costs, and 35% reporting a negative impact on the organization's reputation. Loss of revenue (29%) and customer attrition (16%) were also reported.

**Translating IT Needs into Business Needs**

The case for focusing on identity is clear, but how do we begin translating IT needs into business needs? Step one is aligning the organization's priorities with where identity-centric security can fit in. Business goals tend to revolve around reducing costs, increasing productivity, and minimizing risk. Conversations about identity-based security, therefore, must demonstrate how that approach can advance some or all these points.

From the standpoint of productivity, for example, tight identity governance simplifies user provisioning and reviews of access rights. That means employees can be onboarded faster, and any departing employees will have their access revoked automatically. Eliminating manual efforts reduces the chance of error, including users with excessive privileges creating an unnecessary risk of exposure. The more streamlined and automated the processes around identity management are, the more efficient the business is — and the more secure.

As noted earlier, some of the driving forces for the growth in identities include cloud adoption and a spike in machine identities. The growth of machine identities is linked in part to Internet of Things (IoT) devices and bots. IoT and cloud are often parts of digital transformation strategies that can easily get hung up by concerns about access and the consistent enforcement of security policies. This reality presents an opportunity to frame discussions about security around how the business can adopt these technologies safely and without sacrificing compliance and security requirements.

**Frame Security Discussions in Breach Context**

Multifactor authentication (MFA), for example, was cited by many IT and security professionals as a measure that could have prevented or minimized the impact of the breaches they experienced. MFA is vital to enforcing access control, particularly for businesses with remote workers or those using cloud applications and infrastructure. Like them or not, passwords are ubiquitous. But they are also an attractive (and relatively easy) target for threat actors looking to access resources and gain a deeper foothold in your environment. Along with other identity-centric best practices that improve security posture, MFA provides another layer of defense that can bolster an organization's security.

In addition to MFA, IT and security pros commonly noted that more timely reviews of privileged access and continuous discovery of all user access rights would have prevented or lessened the effect of a breach. While many of these remain works in progress, overall, it appears organizations are starting to get the message.

When asked if during the past year their organization's identity program was included as an area of investment as part of any of these strategic initiatives — zero trust, cloud adoption, digital transformation, cyber-insurance investments, and vendor management — almost everyone chose at least one. Fifty-one percent said identity had been invested in as part of zero-trust efforts. Sixty-two percent said it was included as part of cloud initiatives, and 42% said it was part of digital transformation.

Getting started with identity-based security need not be overwhelming. However, it does require an understanding of your environment and business priorities. By focusing on how an identity-centric approach to security can support business objectives, IT professionals can get the leadership buy-in they need to implement the technology and processes that will raise the barrier of entry for threat actors.

Business Security Starts With Identity

*   **_Sixty-five percent of organizations consolidate to improve risk posture._**
*   **_Only 29% of organizations consolidate to reduce spending on licensing._**
*   **_SASE and XDR are opportunities for consolidation: 41.5% of organizations plan to have adopted SASE by the end of 2022._**

A recent survey by Gartner, Inc. found that 75% of organizations are pursuing security vendor consolidation in 2022, up from 29% in 2020.

“Security and risk management leaders are increasingly dissatisfied with the operational inefficiencies and the lack of integration of a heterogenous security stack,” said John Watts, VP Analyst at Gartner. “As a result, they are consolidating the number of security vendors they use.”

The survey found that 57% of organizations are working with fewer than 10 vendors for their security needs, as they are looking to optimize to fewer vendors in key areas like secure access service edge (SASE) and extended detection and response (XDR).

The survey was conducted online during March and April 2022 among 418 respondents from North America, Asia Pacific and EMEA. Its objective was to determine organizations’ security vendor consolidation efforts and priorities, and the drivers and benefits of consolidation endeavours.

Gartner analysts are discussing how organizations can shape their security vendor strategy and projects during the Gartner Security & Risk Management Summit, taking place in London through Wednesday.

**Improving Risk Posture Is the No. 1 Benefit of Consolidation**

The survey found that organizations want to consolidate their security vendors to reduce complexity and improve risk posture, not to save on budget or to improve procurement. Sixty-five percent of surveyed organizations expect to improve their overall risk posture, and only 29% of respondents expect reduced spending on licensing.

“Cost optimization should not be the primary driver for vendor consolidation,” said Watts. “Organizations that look to optimize costs must reduce products, licenses and features, or ultimately renegotiate contracts.”

Organizations that have not pursued security vendor consolidation yet indicated that the two primary impediments to consolidation were time constraints and having a vendor partnership that is too rigid (34% of respondents for each answer).

**SASE and XDR Are Opportunities for Consolidation**

Lengthy procurement processes or requests for proposals are allowing for consolidated offerings, such as XDR for endpoints and SASE for edge connectivity and security with integration on the backend.

The survey found that 41.5% of respondents plan to have adopted SASE within their organizations by the end of 2022, while 54.5% of organizations have plans to adopt XDR by the end of 2022.

“Security and risk management leaders must consider XDR and SASE as compelling options to start their consolidation journey,” said Dionisio Zumerle, VP Analyst at Gartner. “SASE provides secure enterprise access, while XDR focuses on detecting and responding to threats through increased visibility on networks, cloud, endpoints and other components.”

In fact, the survey found that 57% of organizations resolved security threats faster after implementing an XDR strategy. More than half of surveyed organizations use SASE projects to simplify network and security policy management and improve security posture.

“While 89% of surveyed organizations want SASE and XDR to work together, security and risk management leaders will often opt to keep them distinct from one another but ensure they can interoperate,” said Zumerle. “This is an approach validated by 46% of surveyed organizations, which allows for flexibility to select best-of-breed functionality.”

“Security and IT leaders should plan at least two years for consolidation as it takes time to effectively consolidate and consider incumbent vendor switching costs,” said Watts. “It is also important to anticipate vendor M&A disruption as the security market is always consolidating but never consolidated.”

Gartner clients can learn more in “Infographic: Top Trends in Cybersecurity 2022 — Vendor Consolidation.”

Learn how to be an effective chief security officer in the complimentary Gartner ebook Four Factors of Effective CISO Leadership.

**Gartner Security & Risk Management Summit**

Gartner analysts are presenting their latest research and advice for security and risk executives at the Gartner Security & Risk Management Summit 2022, taking place from 12-14 September in London. Follow news and updates from the conferences on Twitter using #GartnerSEC.

**About Gartner for Information Technology Executives**

Gartner for Information Technology Executives provides actionable, objective insight to CIOs and IT leaders to help them drive their organizations through digital transformation and lead business growth. Additional information is available at www.gartner.com/en/information-technology.

Follow news and updates from Gartner for IT Executives on Twitter and LinkedIn. Visit the IT Newsroom for more information and insights.

Gartner Survey Shows 75% of Organizations Are Pursuing Security Vendor Consolidation in 2022

An analysis of cloud services finds that known vulnerabilities typically open the door for attackers, while insecure cloud architectures allow them to gain access to the crown jewels.

Companies and their cloud providers often leave vulnerabilities open in their system and services, gifting attackers with an easy path to gain access to critical data.

According to an Orca Security analysis of data collected from major cloud services and released on Sept. 13, attackers only need, on average, three steps to gain access to sensitive data, the so-called "crown jewels," starting most often — in 78% of cases — with the exploitation of a known vulnerability.  

While much of the security discussion has focused on the misconfigurations of cloud resources by companies, cloud providers have often been slow to plug vulnerabilities, says Avi Shua, CEO and co-founder of Orca Security.

"The key is to fix the root causes, which is the initial vector, and to increase the number of steps that they attacker needs to take," he says. "Proper security controls can make sure that even if there is an initial attack vector, you are still not able to reach the crown jewels."

The report analyzed data from Orca's security research team using data from a "billions of cloud assets on AWS, Azure, and Google Cloud," which the company's customers regularly scan. The data included cloud workload and configuration data, environment data, and information on assets collected in the first half of 2022.

**Unpatched Vulnerabilities Cause Most Cloud Risk**

The analysis identified a few main problems with cloud-native architectures. On average, 11% of cloud providers' and their customers' cloud assets were considered "neglected," defined as not having been patched in the last 180 days. Containers and virtual machines, which make up the most common components of such infrastructure, accounted for more than 89% of neglected cloud assets.  

"There is room for improvement on both sides of the shared responsibility model," Shua says. "Critics have always focused on the customer side of the house \[for patching\], but in the past few years, there have been quite a few issues on the cloud-provider end that have not been fixed in a timely manner."  

In fact, fixing vulnerabilities may be the most critical problem, because the average container, image, and virtual machine had at least 50 known vulnerabilities. About three-quarters — 78% — of attacks start with the exploitation of a known vulnerability, Orca stated in the report. Moreover, a tenth of all companies have a cloud asset using software with a vulnerability at least 10 years old.

Yet the security debt caused by vulnerabilities is not evenly distributed across all assets, the report found. More than two-thirds — 68% — of Log4j vulnerabilities were found in virtual machines. However, only 5% of workload assets still have at least one of the Log4j vulnerabilities, and only 10.5% of those could be targeted from the Internet.

**Customer-Side Issues**

Another major problem is that a third of companies have a root account with a cloud provider that is not protected by multifactor authentication (MFA). Fifty-eight percent of companies have disabled MFA for at least one privileged user account, according to Orca's data. Failing to provide the additional security of MFA leaves systems and services open to brute-force attacks and password spraying.

In addition to the 33% of firms lacking MFA protections for root accounts, 12% of companies have an Internet-accessible workload with at least one weak or leaked password, Orca stated in its report.

Companies should look to enforce MFA across their organization (especially for privileged accounts), assess and fix vulnerabilities faster, and find ways to slow down attackers, Shua says.

"The key is to fix the root causes, which is the initial vector, and to increase the number of steps that the attacker needs to take, " he says. "Proper security controls can make sure that even if the attacker has success with the initial attack vector, they are still not able to reach the crown jewels."

Overall, both cloud providers and their business clients have security issues that need to be identified and patched, and both need to find ways to more efficiently close those issues, he adds; visibility and consistent security controls across all aspects of cloud infrastructure is key.

"It is not that their walls are not high enough," Shua says. "It is that they are not covering the entire castle."

Attackers Can Compromise Most Cloud Data in Just 3 Steps

Opswat says its new tool uses neural networks to protect critical environments through AI-assisted asset discovery, network visibility, and risk management.

The goal of neural networking in cybersecurity is to be able to detect unusual behavior and patterns, especially within OT assets and networks. Detecting unusual behaviors often leads to the discovery that you have been compromised or something has been misconfigured.

"Having visibility into your industrial assets and networks is the first step to understanding your overall OT cybersecurity posture," says Pete Lund, vice president of products for OT security at infrastructure cybersecurity specialist Opswat.

To take advantage of such abilities, Opswat unveiled a AI-powered network visibility solution, Neuralyzer. The software tool leverages machine learning (ML) to learn the communication patterns between assets and networks to determine what "normal" activity is. This enables OT workers to remain focused on the primary tasks at hand and only alerted when abnormal activity occurs.

"Neural networks have the ability to learn in a similar way as the human brain, and so they can spot red flags on your behalf like a second set of eyes," Lund explains. "The ML in Neuralyzer can identify the type of device or asset on the network, providing asset visibility."

**Machine Learning Looks for Assets and Anomalies**

One application of ML in Neuralyzer is the ability to identify the type of device/asset on the network, aptly called the asset visibility feature.

For asset visibility, most tools use the device fingerprint (DFP) to discover and/or profile the device. Typical OT devices, unlike IT devices, do not have a browser installed, so a browser fingerprint (an effective approach for DFP in IT) usually will not work for the OT environment.

"Through extensive research and experiments, our team has worked out a selected feature set and ML algorithm that works best — in terms of accuracy, performance, and required inputs — for classifying the device type," explains Lund.

Another application for ML is to detect anomalies on the network connectivity and activity of a particular device or of the whole network, he says.

Neuralyzer can model the device or devices and their network connections as a graph, then use the 1D convolutional neural network for anomalies detection.

"Network traffic dissection and anomaly detection are good use cases for ML and neural networks," Lund says. "Network traffic dissection would be a feasible approach for DFP in the OT."

Anomaly detection is an important aspect in OT environment visibility, he points out.

"An anomaly might not only relate to integrity — for example, a network breach — but it might also relate to the availability or normal operation of the assets, which is crucial to the OT environment," Lund says.

**Neural Networks Offer Multiple Cybersecurity Advantages**

Bud Broomhead, CEO at automated IoT cyber hygiene provider Viakoo, says neural networks, like any other technology, can be used both for improving and for defeating cybersecurity.

"Many examples exist on how neural networks can be trained to produce bad outcomes or be fed data to disrupt systems," he explains. "Yet the massive improvement in efficiency — for example, detecting cyber threats in seconds or finding threat actors within a crowd almost immediately — will be needed for many years ahead to overcome the resource gaps present in cybersecurity."

Neural networks can analyze complex systems and make intelligent decisions on how to present and classify them. In other words, they take a lot of raw data and turn it into meaningful insights.

"Simply having an asset inventory does not show you the combination of them in a tightly coupled workflow — yet that is what businesses need to prioritize the vulnerability and risk of these systems," Broomhead says.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, adds that neural networks allow for statistical analysis well beyond the capacity of a human.

"Given enough data points and thorough and effective training, they can classify normal and abnormal quickly, allowing an analyst to follow up on events that would not be detected otherwise," he says.

But Bambenek says he doesn't see neural networks as reliable for asset discovery or vulnerability management.

"If an asset isn't visible in DHCP logs, there isn't a good deal of data to otherwise find it," he points out. "Risk management, on the other hand, can find abnormal and then categorize the risky behavior using other available context to give the business risk answers."

Even detecting subtle changes to OT system behavior can enable a neural network to see when maintenance is needed, when cyber threats occur, and how environmental changes cause the system to react, Broomhead says.

"Especially in times like now when there are limited human resources to keep OT systems operating safely and securely, neural networks are a force multiplier that many organizations have some to rely on," he says.

How Machine Learning Can Boost Network Visibility for OT Teams

Unpatched Pixel devices are at risk for escalation of privileges, Google warns.

A pair of critical security vulnerabilities in Google's Pixel mobile phone line could lead to privilege escalation and device takeover.

The Pixel bugs, tracked as CVE-2022-20231 and CVE-2022-20364, are in the Trust and Kernel components, respectively, according to Google's Android security advisory.

"For Google devices, security patch levels of 2022-09-05 or later address all issues in this bulletin and all issues in the September 2022 Android Security Bulletin," Google said in its Pixel patch advisory. "All supported Google devices will receive an update to the 2022-09-05 patch level. We encourage all customers to accept these updates to their devices."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Releases Pixel Patches for Critical Bugs

The American Data Privacy and Protection Act would provide federal-level protections that don't exist in most states, but override existing, stronger state protections.

A new national privacy law promising Americans many of the same consumer privacy rights as the European Union's General Data Protection Regulation (GDPR) is working its way through the US Congress. However, the proposed bill falls short of the data privacy protections already enshrined in existing state privacy laws and regulations.

The federal legislation's goal is to provide a single, national foundation for data privacy for consumers while providing governmental oversight and enforcement by the Federal Trade Commission (FTC). In reality, the proposed American Data Privacy and Protection Act fails to meet the benchmarks set in the California Consumer Privacy Act (CCPA) of 2018, or in the replacement California Privacy Rights Act (CPRA), which goes into effect Jan. 1, 2023, critics say.

The law would fall under the purview of the Federal Trade Commission (FTC), which means that it only covers those issues already addressed by the FTC. These include consumer fraud, identity theft, children's privacy, and some cybersecurity issues.

Nancy Pelosi, a California representative who as Speaker of the House has the power to keep the bill from reaching the House floor for a vote, issued a statement on Sept. 1 noting "the American Data Privacy and Protection Act does not guarantee the same essential consumer protections as California's existing privacy laws." Her statement is being interpreted by pundits to mean she will not support the bill without new preemption language to protect California's laws, and would kill it rather than bring it to a vote.

In an open letter to Congressional leaders, 10 attorneys general representing states that currently have privacy laws encouraged Congress to pass legislation that sets only a baseline for privacy. "We encourage Congress to adopt legislation that sets a federal floor, not a ceiling, for critical privacy rights and respects the important work already undertaken by states to provide strong privacy protections for our residents," they wrote. They cited existing federal baselines for other laws, including existing consumer privacy protections, children's privacy and health privacy, and HIPAA. "Any federal privacy framework must leave room for states to legislate responsively to changes in technology and data collection practices," the attorneys general wrote in the letter. "This is because states are better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight."

The Electronic Frontier Foundation also sent a letter to Rep. Frank Pallone, chairman of the House Committee on Energy and Commerce and sponsor of the bill, asking that provisions of the federal bill be strengthened and that the preemption of state privacy bills be eliminated. The Illinois Information Privacy Act, CCPA, and Vermont's Data Broker Act already protect consumers, and other states are looking at similar proposals. "While EFF supports federal legislation that actually protects consumer data privacy, we have long opposed doing so if the price is preemption of stronger state laws," the EFF wrote in the letter.

**California Opposes Weakened Protections**

The bill also drew strong criticism from California, where the California Privacy Protection Agency issued a memorandum that recommends California's congressional delegation, which makes up 12% of the House of Representatives, oppose the bill.

California legislators and state officials cite several areas where they claim the federal law would reduce privacy protections currently provided by existing state laws. These include reducing privacy protections for individuals seeing abortion-related services and teen mental health.

The federal bill, as currently written, does not permit California to recover the monetary penalties associated with its enforcement of the federal law. In contrast, CCPA currently allows recovery of significant penalties for the violations of the state law.

Other changes ADPPA would make for California, currently covered by CCPA:

*   Removing the current opt out of automated decision-making
*   Replacing California's definition of _personal information_ with a definition of _covered data_ that does not include some "derived data and unique identifiers" under California law
*   Removing certain protections with respect to non-retaliation for exercising privacy rights
*   Adding a requirement to authenticate global opt-out requests — California law requires businesses to honor browser privacy signals as an opt-out, whereas ADPPA requires an explicit opt-in for sensitive categories

Debbie Reynolds, a global data privacy and protection expert and the CEO and chief privacy officer of Debbie Reynolds Consulting, says the federal bill limits privacy rights only to the original consumer of a device. For example, if a digital assistant, such as Alexa, is in an office, only the company that purchased the Alexa service would have their privacy protected. Any employee that is overhead by the device discussing private information would not be protect by the law since they were not the _consumer_ of the device's service.

Fiona Campbell-Webster, chief privacy officer at MediaMath and the former head legal counsel and global data protection officer of cloud-based Beeswax, a SaaS application acquired by Comcast, says there are real-life consequences.

"I think we need to be mindful of, before these any of these laws are finalized, what that's going to mean for the experience of consuming content of interacting on the Internet," she says. "The concerns about ... the unintended consequences of big platforms ultimately controlling everything."

She cautions that privacy comes at a price. "I think it would be a real shame to see a world where we were penalized if we couldn't pay for all these different services that we now get for free in a certain way." Some unintended consequences of the privacy bill, she warned, could negatively impact small companies, forcing them to pay higher costs in order to meet the new privacy regulations.

**Canada Considers Similar Legislation**

The US is not the only North American country working to create a new, national privacy bill. Canada introduced the much-anticipated Digital Charter Implementation Act, 2022 — Bill C-27 — which replaces a similar bill that failed to pass the Canadian Parliament in August 2021. The bill would enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, as well as amend other existing acts.

"This is a very significant law for Canada," says David Goodis, a partner at INQ Law in Toronto. "It will apply in all provinces and territories except for British Columbia, Alberta, and Quebec. Quebec passed its own new, updated law earlier this year. BC and Alberta are considering updating their now very old laws. Apart from Quebec, CPPA will be the most modern and strict privacy law in Canada, and roughly on a par with Europe's GDPR and California's CCPA."

There are a few significant differences between the old Bill C-11 and the new Bill C-27, Goodis says. "There are several new duties placed on organizations that may attract monetary penalties if not complied with. For example, organizations will need to implement a privacy management program, ensure their service providers have equivalent privacy protection when transferring personal information from the company to the service provider, and ensure a service provider that discovers a security breach notify the organization. There is also an entirely new portion of the legislation that addresses the specific concerns around protecting children's privacy," he explains.

In addition, according to analysis from global business law firm DLA Piper, the old bill didn't replace provincial laws that are "substantially similar" to the federal law, which meant that the provinces of Quebec, Alberta, and British Columbia would have been able to apply their laws instead of the federal one. While the new bill allows the federal government to decide whether provincial laws as substantially similar and thus allowed to stand, it's not yet clear whether Alberta and British Columbia will pass muster — Quebec, which updated its privacy law in 2021, is expected to be exempt.

Federal Privacy Bill That Would Preempt State Privacy Laws Faces Uncertain Future

Analysis shows attackers breached employee credentials with voice phishing and were preparing a ransomware attack against Cisco Systems.

A month after confirming its systems were breached, networking giant Cisco reported that the attack was a failed ransomware attempt conducted on behalf of the Lapsus$ group.

The cybercriminals obtained access to Cisco's systems with a social engineering attack that began with an attacker taking control of an employee's personal Google account, where credentials saved in the victim’s browser were being synchronized. Then, in a series of sophisticated voice phishing attacks, the gang convinced the victim to accept multifactor authentication (MFA) push notifications, giving crooks the ability to log in to the corporate VPN as if they were the victim.

From there, the attackers were able to compromise Cisco systems, elevate privileges, drop remote access tools, deploy Cobalt Strike and other offensive malware, and add their own backdoors into the system.

"Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$," the Cisco Talos team explained in a Sept. 11 update on the August breach. "While we did not observe ransomware deployment in this attack, the TTPs used were consistent with 'pre-ransomware activity,' activity commonly observed leading up to the deployment of ransomware in victim environments."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco Data Breach Attributed to Lapsus$ Ransomware Group

Your chance to be a part of a ground-breaking study.

The European Agency for Cybersecurity (ENISA) each October promotes cybersecurity among EU citizens and organizations, and is partnering with Anima People, specialists in behavioral science related to security, in a critical project to evaluate cybersecurity awareness campaigns in behavior change among employees. Organizations worldwide will benefit by the intelligence they need to design successful campaigns in the future, helping to drive long-term behavior conducive to a cyber-secure world. Please participate by completing this survey: https://ec.europa.eu/eusurvey/runner/Cybersecurity\_Awareness\_ECSM-PreC

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading