An analysis of cloud services finds that known vulnerabilities typically open the door for attackers, while insecure cloud architectures allow them to gain access to the crown jewels.

Companies and their cloud providers often leave vulnerabilities open in their system and services, gifting attackers with an easy path to gain access to critical data.

According to an Orca Security analysis of data collected from major cloud services and released on Sept. 13, attackers only need, on average, three steps to gain access to sensitive data, the so-called "crown jewels," starting most often — in 78% of cases — with the exploitation of a known vulnerability.  

While much of the security discussion has focused on the misconfigurations of cloud resources by companies, cloud providers have often been slow to plug vulnerabilities, says Avi Shua, CEO and co-founder of Orca Security.

"The key is to fix the root causes, which is the initial vector, and to increase the number of steps that they attacker needs to take," he says. "Proper security controls can make sure that even if there is an initial attack vector, you are still not able to reach the crown jewels."

The report analyzed data from Orca's security research team using data from a "billions of cloud assets on AWS, Azure, and Google Cloud," which the company's customers regularly scan. The data included cloud workload and configuration data, environment data, and information on assets collected in the first half of 2022.

**Unpatched Vulnerabilities Cause Most Cloud Risk**

The analysis identified a few main problems with cloud-native architectures. On average, 11% of cloud providers' and their customers' cloud assets were considered "neglected," defined as not having been patched in the last 180 days. Containers and virtual machines, which make up the most common components of such infrastructure, accounted for more than 89% of neglected cloud assets.  

"There is room for improvement on both sides of the shared responsibility model," Shua says. "Critics have always focused on the customer side of the house \[for patching\], but in the past few years, there have been quite a few issues on the cloud-provider end that have not been fixed in a timely manner."  

In fact, fixing vulnerabilities may be the most critical problem, because the average container, image, and virtual machine had at least 50 known vulnerabilities. About three-quarters — 78% — of attacks start with the exploitation of a known vulnerability, Orca stated in the report. Moreover, a tenth of all companies have a cloud asset using software with a vulnerability at least 10 years old.

Yet the security debt caused by vulnerabilities is not evenly distributed across all assets, the report found. More than two-thirds — 68% — of Log4j vulnerabilities were found in virtual machines. However, only 5% of workload assets still have at least one of the Log4j vulnerabilities, and only 10.5% of those could be targeted from the Internet.

**Customer-Side Issues**

Another major problem is that a third of companies have a root account with a cloud provider that is not protected by multifactor authentication (MFA). Fifty-eight percent of companies have disabled MFA for at least one privileged user account, according to Orca's data. Failing to provide the additional security of MFA leaves systems and services open to brute-force attacks and password spraying.

In addition to the 33% of firms lacking MFA protections for root accounts, 12% of companies have an Internet-accessible workload with at least one weak or leaked password, Orca stated in its report.

Companies should look to enforce MFA across their organization (especially for privileged accounts), assess and fix vulnerabilities faster, and find ways to slow down attackers, Shua says.

"The key is to fix the root causes, which is the initial vector, and to increase the number of steps that the attacker needs to take, " he says. "Proper security controls can make sure that even if the attacker has success with the initial attack vector, they are still not able to reach the crown jewels."

Overall, both cloud providers and their business clients have security issues that need to be identified and patched, and both need to find ways to more efficiently close those issues, he adds; visibility and consistent security controls across all aspects of cloud infrastructure is key.

"It is not that their walls are not high enough," Shua says. "It is that they are not covering the entire castle."

Attackers Can Compromise Most Cloud Data in Just 3 Steps

Opswat says its new tool uses neural networks to protect critical environments through AI-assisted asset discovery, network visibility, and risk management.

The goal of neural networking in cybersecurity is to be able to detect unusual behavior and patterns, especially within OT assets and networks. Detecting unusual behaviors often leads to the discovery that you have been compromised or something has been misconfigured.

"Having visibility into your industrial assets and networks is the first step to understanding your overall OT cybersecurity posture," says Pete Lund, vice president of products for OT security at infrastructure cybersecurity specialist Opswat.

To take advantage of such abilities, Opswat unveiled a AI-powered network visibility solution, Neuralyzer. The software tool leverages machine learning (ML) to learn the communication patterns between assets and networks to determine what "normal" activity is. This enables OT workers to remain focused on the primary tasks at hand and only alerted when abnormal activity occurs.

"Neural networks have the ability to learn in a similar way as the human brain, and so they can spot red flags on your behalf like a second set of eyes," Lund explains. "The ML in Neuralyzer can identify the type of device or asset on the network, providing asset visibility."

**Machine Learning Looks for Assets and Anomalies**

One application of ML in Neuralyzer is the ability to identify the type of device/asset on the network, aptly called the asset visibility feature.

For asset visibility, most tools use the device fingerprint (DFP) to discover and/or profile the device. Typical OT devices, unlike IT devices, do not have a browser installed, so a browser fingerprint (an effective approach for DFP in IT) usually will not work for the OT environment.

"Through extensive research and experiments, our team has worked out a selected feature set and ML algorithm that works best — in terms of accuracy, performance, and required inputs — for classifying the device type," explains Lund.

Another application for ML is to detect anomalies on the network connectivity and activity of a particular device or of the whole network, he says.

Neuralyzer can model the device or devices and their network connections as a graph, then use the 1D convolutional neural network for anomalies detection.

"Network traffic dissection and anomaly detection are good use cases for ML and neural networks," Lund says. "Network traffic dissection would be a feasible approach for DFP in the OT."

Anomaly detection is an important aspect in OT environment visibility, he points out.

"An anomaly might not only relate to integrity — for example, a network breach — but it might also relate to the availability or normal operation of the assets, which is crucial to the OT environment," Lund says.

**Neural Networks Offer Multiple Cybersecurity Advantages**

Bud Broomhead, CEO at automated IoT cyber hygiene provider Viakoo, says neural networks, like any other technology, can be used both for improving and for defeating cybersecurity.

"Many examples exist on how neural networks can be trained to produce bad outcomes or be fed data to disrupt systems," he explains. "Yet the massive improvement in efficiency — for example, detecting cyber threats in seconds or finding threat actors within a crowd almost immediately — will be needed for many years ahead to overcome the resource gaps present in cybersecurity."

Neural networks can analyze complex systems and make intelligent decisions on how to present and classify them. In other words, they take a lot of raw data and turn it into meaningful insights.

"Simply having an asset inventory does not show you the combination of them in a tightly coupled workflow — yet that is what businesses need to prioritize the vulnerability and risk of these systems," Broomhead says.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, adds that neural networks allow for statistical analysis well beyond the capacity of a human.

"Given enough data points and thorough and effective training, they can classify normal and abnormal quickly, allowing an analyst to follow up on events that would not be detected otherwise," he says.

But Bambenek says he doesn't see neural networks as reliable for asset discovery or vulnerability management.

"If an asset isn't visible in DHCP logs, there isn't a good deal of data to otherwise find it," he points out. "Risk management, on the other hand, can find abnormal and then categorize the risky behavior using other available context to give the business risk answers."

Even detecting subtle changes to OT system behavior can enable a neural network to see when maintenance is needed, when cyber threats occur, and how environmental changes cause the system to react, Broomhead says.

"Especially in times like now when there are limited human resources to keep OT systems operating safely and securely, neural networks are a force multiplier that many organizations have some to rely on," he says.

How Machine Learning Can Boost Network Visibility for OT Teams

Unpatched Pixel devices are at risk for escalation of privileges, Google warns.

A pair of critical security vulnerabilities in Google's Pixel mobile phone line could lead to privilege escalation and device takeover.

The Pixel bugs, tracked as CVE-2022-20231 and CVE-2022-20364, are in the Trust and Kernel components, respectively, according to Google's Android security advisory.

"For Google devices, security patch levels of 2022-09-05 or later address all issues in this bulletin and all issues in the September 2022 Android Security Bulletin," Google said in its Pixel patch advisory. "All supported Google devices will receive an update to the 2022-09-05 patch level. We encourage all customers to accept these updates to their devices."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Releases Pixel Patches for Critical Bugs

The American Data Privacy and Protection Act would provide federal-level protections that don't exist in most states, but override existing, stronger state protections.

A new national privacy law promising Americans many of the same consumer privacy rights as the European Union's General Data Protection Regulation (GDPR) is working its way through the US Congress. However, the proposed bill falls short of the data privacy protections already enshrined in existing state privacy laws and regulations.

The federal legislation's goal is to provide a single, national foundation for data privacy for consumers while providing governmental oversight and enforcement by the Federal Trade Commission (FTC). In reality, the proposed American Data Privacy and Protection Act fails to meet the benchmarks set in the California Consumer Privacy Act (CCPA) of 2018, or in the replacement California Privacy Rights Act (CPRA), which goes into effect Jan. 1, 2023, critics say.

The law would fall under the purview of the Federal Trade Commission (FTC), which means that it only covers those issues already addressed by the FTC. These include consumer fraud, identity theft, children's privacy, and some cybersecurity issues.

Nancy Pelosi, a California representative who as Speaker of the House has the power to keep the bill from reaching the House floor for a vote, issued a statement on Sept. 1 noting "the American Data Privacy and Protection Act does not guarantee the same essential consumer protections as California's existing privacy laws." Her statement is being interpreted by pundits to mean she will not support the bill without new preemption language to protect California's laws, and would kill it rather than bring it to a vote.

In an open letter to Congressional leaders, 10 attorneys general representing states that currently have privacy laws encouraged Congress to pass legislation that sets only a baseline for privacy. "We encourage Congress to adopt legislation that sets a federal floor, not a ceiling, for critical privacy rights and respects the important work already undertaken by states to provide strong privacy protections for our residents," they wrote. They cited existing federal baselines for other laws, including existing consumer privacy protections, children's privacy and health privacy, and HIPAA. "Any federal privacy framework must leave room for states to legislate responsively to changes in technology and data collection practices," the attorneys general wrote in the letter. "This is because states are better equipped to quickly adjust to the challenges presented by technological innovation that may elude federal oversight."

The Electronic Frontier Foundation also sent a letter to Rep. Frank Pallone, chairman of the House Committee on Energy and Commerce and sponsor of the bill, asking that provisions of the federal bill be strengthened and that the preemption of state privacy bills be eliminated. The Illinois Information Privacy Act, CCPA, and Vermont's Data Broker Act already protect consumers, and other states are looking at similar proposals. "While EFF supports federal legislation that actually protects consumer data privacy, we have long opposed doing so if the price is preemption of stronger state laws," the EFF wrote in the letter.

**California Opposes Weakened Protections**

The bill also drew strong criticism from California, where the California Privacy Protection Agency issued a memorandum that recommends California's congressional delegation, which makes up 12% of the House of Representatives, oppose the bill.

California legislators and state officials cite several areas where they claim the federal law would reduce privacy protections currently provided by existing state laws. These include reducing privacy protections for individuals seeing abortion-related services and teen mental health.

The federal bill, as currently written, does not permit California to recover the monetary penalties associated with its enforcement of the federal law. In contrast, CCPA currently allows recovery of significant penalties for the violations of the state law.

Other changes ADPPA would make for California, currently covered by CCPA:

*   Removing the current opt out of automated decision-making
*   Replacing California's definition of _personal information_ with a definition of _covered data_ that does not include some "derived data and unique identifiers" under California law
*   Removing certain protections with respect to non-retaliation for exercising privacy rights
*   Adding a requirement to authenticate global opt-out requests — California law requires businesses to honor browser privacy signals as an opt-out, whereas ADPPA requires an explicit opt-in for sensitive categories

Debbie Reynolds, a global data privacy and protection expert and the CEO and chief privacy officer of Debbie Reynolds Consulting, says the federal bill limits privacy rights only to the original consumer of a device. For example, if a digital assistant, such as Alexa, is in an office, only the company that purchased the Alexa service would have their privacy protected. Any employee that is overhead by the device discussing private information would not be protect by the law since they were not the _consumer_ of the device's service.

Fiona Campbell-Webster, chief privacy officer at MediaMath and the former head legal counsel and global data protection officer of cloud-based Beeswax, a SaaS application acquired by Comcast, says there are real-life consequences.

"I think we need to be mindful of, before these any of these laws are finalized, what that's going to mean for the experience of consuming content of interacting on the Internet," she says. "The concerns about ... the unintended consequences of big platforms ultimately controlling everything."

She cautions that privacy comes at a price. "I think it would be a real shame to see a world where we were penalized if we couldn't pay for all these different services that we now get for free in a certain way." Some unintended consequences of the privacy bill, she warned, could negatively impact small companies, forcing them to pay higher costs in order to meet the new privacy regulations.

**Canada Considers Similar Legislation**

The US is not the only North American country working to create a new, national privacy bill. Canada introduced the much-anticipated Digital Charter Implementation Act, 2022 — Bill C-27 — which replaces a similar bill that failed to pass the Canadian Parliament in August 2021. The bill would enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, as well as amend other existing acts.

"This is a very significant law for Canada," says David Goodis, a partner at INQ Law in Toronto. "It will apply in all provinces and territories except for British Columbia, Alberta, and Quebec. Quebec passed its own new, updated law earlier this year. BC and Alberta are considering updating their now very old laws. Apart from Quebec, CPPA will be the most modern and strict privacy law in Canada, and roughly on a par with Europe's GDPR and California's CCPA."

There are a few significant differences between the old Bill C-11 and the new Bill C-27, Goodis says. "There are several new duties placed on organizations that may attract monetary penalties if not complied with. For example, organizations will need to implement a privacy management program, ensure their service providers have equivalent privacy protection when transferring personal information from the company to the service provider, and ensure a service provider that discovers a security breach notify the organization. There is also an entirely new portion of the legislation that addresses the specific concerns around protecting children's privacy," he explains.

In addition, according to analysis from global business law firm DLA Piper, the old bill didn't replace provincial laws that are "substantially similar" to the federal law, which meant that the provinces of Quebec, Alberta, and British Columbia would have been able to apply their laws instead of the federal one. While the new bill allows the federal government to decide whether provincial laws as substantially similar and thus allowed to stand, it's not yet clear whether Alberta and British Columbia will pass muster — Quebec, which updated its privacy law in 2021, is expected to be exempt.

Federal Privacy Bill That Would Preempt State Privacy Laws Faces Uncertain Future

Analysis shows attackers breached employee credentials with voice phishing and were preparing a ransomware attack against Cisco Systems.

A month after confirming its systems were breached, networking giant Cisco reported that the attack was a failed ransomware attempt conducted on behalf of the Lapsus$ group.

The cybercriminals obtained access to Cisco's systems with a social engineering attack that began with an attacker taking control of an employee's personal Google account, where credentials saved in the victim’s browser were being synchronized. Then, in a series of sophisticated voice phishing attacks, the gang convinced the victim to accept multifactor authentication (MFA) push notifications, giving crooks the ability to log in to the corporate VPN as if they were the victim.

From there, the attackers were able to compromise Cisco systems, elevate privileges, drop remote access tools, deploy Cobalt Strike and other offensive malware, and add their own backdoors into the system.

"Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$," the Cisco Talos team explained in a Sept. 11 update on the August breach. "While we did not observe ransomware deployment in this attack, the TTPs used were consistent with 'pre-ransomware activity,' activity commonly observed leading up to the deployment of ransomware in victim environments."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco Data Breach Attributed to Lapsus$ Ransomware Group

Your chance to be a part of a ground-breaking study.

The European Agency for Cybersecurity (ENISA) each October promotes cybersecurity among EU citizens and organizations, and is partnering with Anima People, specialists in behavioral science related to security, in a critical project to evaluate cybersecurity awareness campaigns in behavior change among employees. Organizations worldwide will benefit by the intelligence they need to design successful campaigns in the future, helping to drive long-term behavior conducive to a cyber-secure world. Please participate by completing this survey: https://ec.europa.eu/eusurvey/runner/Cybersecurity\_Awareness\_ECSM-PreC

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybersecurity Awareness Campaigns: How Effective Are They in Changing Behavior?

The threat-intelligence and cyberdefense company company will join Google Cloud and retain its brand name.

**MOUNTAIN VIEW, Calif., and RESTON, Va., Sept. 12, 2022 /PRNewswire/** — Google LLC today announced the completion of its acquisition of Mandiant Inc. (NASDAQ: MNDT), a recognized leader in dynamic cyberdefense, threat intelligence and incident-response services. Mandiant will join Google Cloud and retain the Mandiant brand.

Google and Mandiant share a long commitment to industry-leading security. Over the past two decades, Google has innovated to build some of the most secure computing systems in the world. Google Cloud customers and partners benefit from these pioneering security capabilities, including world-class threat intelligence, zero trust architecture, and planet-scale analytics for security operations. Mandiant, which is known for delivering unparalleled frontline expertise and industry-leading threat intelligence, is a proven first responder to the world's largest cybersecurity incidents. Mandiant's services, delivered by their team of security and intelligence individuals spread across 22 countries, are widely recognized for helping top enterprises and organizations prepare for and react to cybersecurity incidents.

With this acquisition, Google Cloud and Mandiant will deliver an end-to-end security operations suite with even greater capabilities to support customers across their cloud and on-premise environments.

"The completion of this acquisition will enable us to deliver a comprehensive and best-in-class cybersecurity solution," said Thomas Kurian, CEO of Google Cloud. "We believe this acquisition creates incredible value for our customers and the security industry at large. Together, Google Cloud and Mandiant will help reinvent how organizations protect themselves, as well as detect and respond to threats."

Organizations today are facing cybersecurity challenges that have accelerated in frequency, severity and diversity, creating a global security imperative. Enterprises need to be able to detect and respond to malicious actors quickly, with actionable threat intelligence to continually protect their organizations against new attacks.

"Mandiant is driven by a mission to make every organization secure from cyber threats and confident in their readiness," said Kevin Mandia, CEO, Mandiant. "Combining our 18 years of threat intelligence and incident response experience with Google Cloud's security expertise presents an incredible opportunity to deliver with the speed and scale that the security industry needs."

Hear from others on the impact of this acquisition:

*   "The power of stronger partnerships across the cybersecurity ecosystem is critical to driving value for clients and protecting industries around the globe. The combination of Google Cloud and Mandiant and their commitment to multi-cloud will further support increased collaboration, driving innovation across the cybersecurity industry and augmenting threat research capabilities. We look forward to working with them on this mission." — Paolo Dal Cin, Global Lead, Accenture Security
*   "Google's acquisition of Mandiant, a leader in threat intelligence, security advisory, consulting and incident response services will allow Google Cloud to deliver an end-to-end security operations suite with even greater capabilities and services to support customers in their security transformation across cloud and on-premise environments." — Craig Robinson, Research VP, Security Services, IDC
*   "Bringing together Mandiant and Google Cloud, two long-time cybersecurity leaders, will advance how companies identify and defend against threats. We look forward to the impact of this acquisition, both for the security industry and the protection of our customers." — Andy Schworer, Director, Cyber Defense Engineering, Uber

For more information, see the Google Cloud blog and Mandiant blog.

**About Google  
**Google's mission is to organize the world's information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely known companies in the world. Google is a subsidiary of Alphabet Inc.

**About Google Cloud  
**Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology — all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

**About Mandiant, Inc.  
**Since 2004, Mandiant has been a trusted partner to security-conscious organizations. Effective security is based on the right combination of expertise, intelligence, and adaptive technology, and the Mandiant Advantage SaaS platform scales decades of frontline experience and industry-leading threat intelligence to deliver a range of dynamic cyber defense solutions. Mandiant's approach helps organizations develop more effective and efficient cyber security programs and instills confidence in their readiness to defend against and respond to cyber threats.

**Forward-Looking Statements  
**This release includes forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These forward-looking statements involve certain risks and uncertainties that could cause actual results to differ materially from those indicated in such forward-looking statements, including but not limited to the ability of Google to successfully integrate Mandiant's operations, product lines and technology; the ability of Google to implement its plans, forecasts and other expectations with respect to Mandiant's business after the completion of the transaction and realize additional opportunities for growth and innovation; and the other risks and important factors contained and identified in Alphabet's filings with the Securities and Exchange Commission, any of which could cause actual results to differ materially from the forward-looking statements. The forward-looking statements included in this release are made only as of the date hereof. Google and Alphabet undertake no obligation to update the forward-looking statements to reflect subsequent events or circumstances.

SOURCE: Google Inc.

Google Completes Acquisition of Mandiant

Users must continually be made aware of new threats, including attacks targeting shipping, the supply chain, email, and hybrid workers.

Digital transformation has accelerated during the past couple years, and so, too, have security threats. With more employees working remotely, more customers buying through mobile and social channels, and more retailers expanding their supply chains to keep inventory in stock, criminals have more ways than ever to go after e-commerce businesses.

Meanwhile, security awareness training may not be keeping up. It's a good time to review your organization's awareness program and adjust reflect the current threat landscape. Here's how retailers can update their awareness training and practices to match their digital transformation progress.

**A Dramatic Increase in Shipping Fraud**

While most retailers understandably focus on fraud at the payment stage of the customer journey, shipping fraud should also be considered. In fact, shipping fraud is the fastest-growing type of fraud worldwide, according to TransUnion's "2022 Global Digital Fraud Trends" report. Shipping fraud grew by 780% from 2020 to 2021, and by 1,541% from 2019 through 2021, according to the report. Shipping fraud can lead to chargebacks, inventory losses, and brand damage just as card-not-present (CNP) and account takeover (ATO) fraud do.

"Shipping fraud" is an umbrella term that covers several tactics that criminals use to exploit the e-commerce shipping process. Different approaches can target different areas of your business, so it's important to expand shipping fraud awareness across your organization rather than solely training your fraud team on this threat.

For example, your customer service and fulfillment teams should be aware of how package rerouting scams operate. Fraudsters place orders with stolen payment data or hijacked customer accounts and use the victim's real delivery address so the order doesn't get flagged as suspicious. After the order is approved, fraudsters contact customer service and request a delivery address change, claiming they made a mistake.

While honoring such a request may seem like good customer service, it could be exposing your company to fraud. One solution that can satisfy legitimate customer requests while avoiding fraud is to cancel the original transaction and run it again with the updated delivery address. If it's approved, customers get their purchases directed to the right address. If it's not, your company has avoided a case of shipping fraud.

**Expanding Supply Chains, More Email Attack Risk**

Other security risks aren't necessarily coming in through your website or shopping app, but they can imperil your brand, your business operations, and your customers. A prime example is email phishing attacks, which increased against e-commerce businesses by 53.9% from 2019 through 2021, according to the TransUnion report.

One reason for the current email phishing surge is the rapid expansion of supply chains since the start of the pandemic, as retailers made new connections to avoid running out of stock and disruptions. Another is the increasing reliance on email for customer interactions since early 2020: Online interactions now make up 61% of all customer engagements with companies, according to Salesforce's "State of the Connected Customer" report. The addition of more contacts to the email ecosystem and the higher volume of email traffic provides criminals with more opportunities to launch email attacks.

A subset of business email compromise (BEC) is vendor email compromise, and it's a growing problem. In a vendor email compromise scheme, attackers impersonate trusted third parties such as suppliers and vendors to trick employees into paying fraudulent invoices, entering login credentials, or sharing proprietary data. According to a report from email security firm Abnormal, more than half of all BEC attacks now impersonate third parties. As a result, all employees need to be aware that when emails from trusted senders, including suppliers and vendors, contain requests that seem unusual, they should flag those messages for the security team to review before responding.

**Attackers Exploit Remote and Hybrid Workforce Trends**

Ransomware and other forms of malware are a perennial problem for retailers, especially malware that steals customer payment data. Verizon's "2022 Data Breach Investigations Report" found that the retail industry suffered seven times as many instances of "capture app data" malware than other industry. These Magecart-style attacks can silently scrape data as it's entered, going undetected until fraud complaints start coming in. To prevent them, everyone who works with your website needs to be aware of the potential for this type of malware and the processes for scanning, removal, and remediation.

Another growing opportunity for malware attackers is retailers' shift to remote or hybrid workforces. As employees log in remotely more often — and more often from personal rather than company devices — fraudsters have seized the opportunity to create realistic-looking login request emails that can appear to come from your company's cloud services, such as Google Drive or Microsoft SharePoint. All employees and executives need to be aware of the risk that unexpected or slightly unusual login request messages can pose. Like unusual vendor messages, these should be reported to the security team for review before replying.

These trends illustrate why it's important for security awareness to be a process rather than a one-time discussion. This year, your people need to be aware of shipping fraud, vendor email compromise, and credential phishing attacks posing as company resource providers. Next year, it will likely be something else. By having regular discussions about these security issues and encouraging a data-safety mindset, you can reduce the risk of today's threats and create a culture of security that benefits your company over the long term.

Security Awareness Training Must Evolve to Align With Growing E-Commerce Security Threats

Multiclient research report shows organizations are significantly increasing efforts to secure their supply chains in response to software supply chain attacks.

In August 2022, the Enterprise Strategy Group (ESG) released "Walking the Line: GitOps and Shift Left Security," a multiclient developer security research report examining the current state of application security. The report's key finding is the prevalence of software supply chain risks in cloud-native applications. Jason Schmitt, general manager of the Synopsys Software Integrity Group, echoed this, stating, "As organizations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritization of a proactive security strategy is now a foundational business imperative."

**_The report shows that organizations are realizing the supply chain is more than just dependencies. It's development tools/pipelines, repos, APIs, infrastructure-as-code (IaC), containers, cloud configurations, and more._**

Although open source software may be the original supply chain concern, the shift toward cloud-native application development has organizations concerned about the risks posed to additional nodes of their supply chain. In fact, 73% of organizations reported that they have "significantly increased" their software supply chain security efforts in response to recent supply chain attacks.

Respondents to the report's survey cited the adoption of some form of strong multifactor authentication technology (33%), investment in application security testing controls (32%), and improved asset discovery to update their organization's attack surface inventory (30%) as key security initiatives they are pursuing in response to supply chain attacks.

Forty-five percent of respondents cited APIs as the area most susceptible to attack in their organization today. Data storage repositories were considered most at risk by 42%, and application container images were identified as most susceptible by 34%.  

**_The report shows that a lack of open source management is threatening SBOM compilation_**.

The survey found that 99% of organizations either use or plan to use open source software within the next 12 months. While respondents have many concerns regarding the maintenance, security, and trustworthiness of these open source projects, their most-cited concern relates to the scale at which open source is being leveraged within application development. Ninety-one percent of organizations using open source believe their organization's code is — or will be — composed of up to 75% open source. Fifty-four percent of respondents cited "having a high percentage of application code that is open source" as concern or challenge with open source software.

Synopsys studies have likewise found a correlation between the scale of open source software (OSS) usage and the presence of related risk. As the scale of OSS usage increases, its presence in applications will naturally increase as well. Pressure to improve software supply chain risk management has placed a spotlight on software bill of materials (SBOM) compilation. But with exploding OSS usage and lackluster OSS management, SBOM compilation becomes a complex task — and 39% of survey respondents in the ESG study marked as a challenge of using OSS.

**_OSS risk management is a priority, but organizations lack a clear delineation of responsibilities._**

The survey points toward the reality that while the focus on open source patching following recent events (such as the Log4Shell and Spring4Shell vulnerabilities) has resulted in a significant increase in OSS risk mitigation activities (the 73% we mentioned above), the party responsible for these mitigation efforts remains unclear.

A clear majority of DevOps teams view OSS management as part of the developer role, whereas most IT teams view it as a security team responsibility. This may well explain why organizations have long struggled to properly patch OSS. The survey found that IT teams are more concerned than security teams (48% vs. 34%) about the source of OSS code, which is a reflection on the role IT has in properly maintaining OSS vulnerability patches. Muddying the waters even further, IT and DevOps respondents (at 49% and 40%) view the identification of vulnerabilities before deployment as the security team's responsibility.

**_Developer enablement is growing, but lack of security expertise is problematic._**

"Shifting left" has been a key driver of pushing security responsibilities to the developer. This shift has not been without challenges; although 68% of respondents named developer enablement as a high priority in their organization, only 34% of security respondents actually felt confident with Development teams taking on responsibility for security testing.

Concerns like overburdening development teams with additional tooling and responsibilities, disrupting innovation and velocity, and obtaining oversight into security efforts seem to be the biggest obstacles to developer-led AppSec efforts. A majority of security and AppDev/DevOps respondents (at 65% and 60%) have policies in place allowing developers to test and fix their code without interaction with security teams, and 63% of IT respondents said their organization has policies requiring developers to involve security teams.

**About the Author**

    

Mike McGuire is a senior solutions manager at Synopsys where he is focused on open source and software supply chain risk management. After beginning his career as a software engineer, Mike transitioned into product and market strategy roles, as he enjoys interfacing with the buyers and users of the products he works on. Leveraging several years of experience in the software industry, Mike's main objective is connecting the market's complex AppSec problems with Synopsys' solutions for building secure software.

Report Highlights Prevalence of Software Supply Chain Risks

Security Pro File: The DevOps evangelist and angel investor shares his expertise with the next generation of startups. If you're lucky, maybe he'll even share his Lagavulin.

It was only a few years ago, around 2016 or '17, that Zane Lackey had a conversation that encapsulated the challenge of his life. Then a founding adviser at Signal Sciences, he was meeting with the CISO and CIO of a certain Fortune 500 client (he won't say which). 

He met with the CISO first. Lackey suggested a cloud migration, but the man refused to budge. "I'm not allowing any of that," Lackey remembers him saying. "It's all insecure."

Lackey's second meeting of the day was with the CIO, who informed him that cloud migration was "our No. 1 priority." Lackey must have given the man a strange look because he laughed. "I see you've been talking to the CISO," the CIO said. "We just don't invite him to meetings anymore."

Lackey, former CISO and general partner at Andreessen Horowitz (a16z) since March, is one of the foremost champions of DevOps, the integration of a company's code-writing and code-deploying teams. "The teams have different priorities," he tells Dark Reading, "but they form a Venn diagram. Solutions have to help everybody, in security and everything else."

The greatest obstacle to the kind of architectures Lackey lives for has nothing to do with code or obsolete firewalls: It's the culture of siloed security and operations teams, ignoring each other's processes, or, like the Fortune 500 officers that day, actively subverting each other.

In his words, "Technology is the easy bit. Culture is the hard bit."

**The Early Years**

The ancient feuds and impenetrable silos of digital business teams must be a particular headache to someone like Lackey, who never outgrew his boyhood joy in attacking tech problems. Lackey grew up in Murphys, Calif., a tiny village without much in the way of mental stimulation. Lackey discovered PCs in his early teens and began saving money for a new hard drive to learn Linux. It was hard, lonely work, and he loved it. It took him months to figure out the PPP settings to connect to his local ISP. But once he was on, it took only five minutes for someone to hack him and shut him down.

"It was a moment that changed my life," he says, "in an extraordinarily positive way." 

Security infrastructure became Lackey's obsession. He began spending nights playing virtual "capture the flag" with his friends, devouring Red Hat, Windows, and every systems manual he could find. The passion for infrastructure and offense-defense security took Lackey to UC Davis, that improbable cradle of geniuses, where he worked as an intern in the computer security lab (a rarity in the early 2000s, even at big universities). 

At one point he had to develop a honeytrap, and so he created an entire, fake departmental website to lure in hackers. A group of South American teenagers took the bait and installed their own Counter Strike server. He describes the event today as if it were a rugby match: all give and take, high pressure and clever footwork.

His first job out of Davis came from a 2005 Craigslist ad: A Bay Area startup called iSEC Partners was looking for its first employee. Lackey started immediately, working as a general consultant under the direction of Alex Stamos. His work involved a lot of app, wireless, and network pen testing and assessment.

Then in 2010 the NCC Group bought iSEC Partners, and Lackey went to New York to start an East Coast branch. It was there, around 2011, that Lackey began exploring the tools and tactics that would come to be known as DevOps. Companies were growing faster than their linear waterfall deployments could handle. Cloud storage and bespoke, integrated tool chains had only just bridged the gap of concept and code.

But Lackey was on the case, especially after Etsy took on the 26-year-old, briefly as a consultant and then as CISO. It wasn't exactly a gamble on the company's part, at least as Lackey tells it; his credentials spoke for themselves. Etsy gave Lackey his first real taste of the colossal volume of modern, international security upkeep. At iSEC, Lackey had deployed a pen test once every 18 months. At Etsy, he was expected to deploy 30 times _per day_.

"This was security," he says, "but for a different world." (Etsy was ahead of the pack — at the time, Google and Facebook were deploying once a week.)

That different world brought its own new tools, not only at Etsy but at its mirror company on the West Coast, Netflix, where another iSEC veteran, Jason Chan, was now CISO. Like Chan, Lackey saw that reliance on thousands of discrete Web application firewalls (WAFs) could never keep pace with the modern volume of threats. The cloud transition was part of the solution, as was a more nuanced zero-trust strategy than was common, then or now. 

But what companies like Etsy needed was a new architecture altogether, where each individual application fits into a companywide, vertically integrated security system like teeth in a zipper, accessible through one "single pane of glass" console. The console would have to be completely visible across teams, never "someone else's job" (in or out of the company), and, most importantly, scalable. That's where DevOps came in.

Businesses grow at different speeds; the point of DevOps is to keep their security operations moving at exactly the speed they need. Lackey says that scale is the foremost problem facing every security team, and that "if you have to be a security expert to use a security tool, \[the tool\] doesn't scale."

**Changing Up His Game**

In 2014, Lackey left Etsy with two of his colleagues to form Signal Sciences, a venture-backed Web app and API security startup. Signal Sciences blew up (in a good way): At the peak of Lackey's tenure as board member and CSO, the company had 150 employees, $28 million in annual recurring revenue, and outlets like Forbes and Gartner piled on accolades.

Lackey then found himself on the other side of the table, advising the Fortune 500 companies and, increasingly, investing in new firms. "I enjoy adapting," he says, with the same relish that comes through in his tales of early 2000s hacking games.

"Security was one of the largest speed bumps to early DevOps adoption," Lackey says. As CISO at Etsy, an early DevOps adopter, he learned how to institute DevOps through firsthand experience. He co-authored a book on the topic, called _Building a Modern Security Program_, and found he enjoyed sharing the lessons he learned with other enterprises going through the shift.

Angel investing seems to unite Lackey's two professional passions: the steady march of DevOps as a discipline and the love of frustrating, high-stakes, high-risk play. It's also a union of right-brain tech and left-brain leadership skills, which seems to come naturally to Lackey. Last year he explained to Cloud Security podcast that as all roles merge, founders have to keep their goals in mind or risk failing. "You're building a company," he told them, "not a tech project" — remarkable advice from an infrastructure specialist.

Fastly bought Signal Sciences in 2020. Lackey consulted independently for two years before accepting the partner role at a16z. He likes the work, particularly his interactions with founders — "I enjoy being their first call," he says — and says the new solutions he's seeing are extraordinary. He won't say what those solutions are, for confidentiality's sake; presumably they include updated zero-trust protocols for the 2020s. But he's happy to see the discipline he helped shape, DevOps, take on a life of its own. 

"This is a generational change in software development and delivery," he says. "I'm excited for the future."

**PERSONALITY BYTES**

**What professional achievement are you most proud of?** "It's not an achievement, but I'm very proud of all the teams I've been able to be a part of, and the work we've done."

**What one technology or solution has made the greatest impact on your work?** "Again, it's not a technology, but I'd say velocity — the increase in velocity. The shift from the waterfall-approach era to the DevOps era has been about rapid movement, rapid iteration. I mean, think of how long it took to found a company in the '90s, compared to the early 2000s, compared to now."

**What's one thing your colleagues would never guess about you?** "I was born in a fishing village in Alaska. Talk about low tech! My parents went to Alaska in the '70s to work as commercial fishermen. After they had me, they moved to Murphys."

**Any hobbies?** "Travel — I've been to every continent except Antarctica, but that's next. I ski and snowboard."

**Finally, we understand you're a scotch drinker. Islay, Speyside, Highland?** "I love all whiskeys: bourbon, scotch, Japanese. I tend to like peatier scotches, though — your basic Lagavulin 16, for example. One glass is usually enough."

Source

DARKReading