The data exposure was the result of an "unintentional misconfiguration on an endpoint" and not a security vulnerability, Microsoft said.

Sensitive information for some Microsoft customers were exposed by a misconfigured server, Microsoft Security Response Center said on Wednesday. The misconfigured endpoint was accessible on the Internet and did not require authentication.

The exposed information included names, email addresses, email content, company name, phone numbers, and files "relating to business between a customer and Microsoft or an authorized Microsoft partner," the company said. The endpoint has already been secured to require authentication, and affected customers have been notified.

"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said, noting that there is no indication that customer accounts or systems had been compromised.

Microsoft learned of the misconfiguration on Sept. 24 from a research team at SOCRadar.

SOCRadar's researchers claimed in their own blog post to have found 2.4TB of emails and project files containing Statement of Work documents, product orders, project details, personally identifiable information, invoices, price lists, and "documents that may reveal intellectual property." The researchers claimed the exposed information could be linked to more than 65,000 entities from 111 countries.

Microsoft said SOCRadar "greatly exaggerated the scope of this issue" and did not account for duplicate records in its estimate of affected entities. Microsoft also said SOCRadar's decision to release a search tool to look through the files "is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Customer Data Exposed by Misconfigured Server

Research shows 1 in 7 employees involved in a cyberattack exhibits clinical trauma symptoms months after the incident.

The ransomware crisis hasn't just cost companies time and money, but also the mental health of their employees. New research shows that in the wake of a ransomware or other cyberattack, IT and security staff tasked with responding to a cyberattack can experience intense adverse psychological impacts for years afterward.

Research conducted by organizational psychologist Inge van der Beijl, director of behavior & resilience at Northwave, revealed that 1 out of every 7 employees experiences trauma symptoms months after a cyberattack, including trouble sleeping and back pain. Some 75% reported having "negative ruminative thoughts," and 1 in 5 impacted by a breach has considered a job change, according to the Northwave findings.

"Top management and HRM \[human resources management\] need to take measures against this, in fact right from the very beginning of the crisis," van der Beijl said in a statement. "They are the ones bearing responsibility for the well-being of their staff. The study reveals that effects can linger throughout the organization."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Emotional Toll From Cyberattacks Can Linger Among Staff for Years

Increasingly vendors are looking for ways to take security awareness beyond checkbox compliance courses to more context-dependent interactions — a "shift left" to the average worker.

Companies need to move beyond security awareness and training (SA&T) efforts to find ways to reinforce security concepts at the right times, security experts said this week.

While security awareness and training (SA&T) programs are an effective first step in raising cybersecurity awareness, the focus is too often on compliance and less on improving security — to the point that checking the required boxes is all that matters, says Russell Spitler, co-founder and CEO of cybersecurity startup Nudge Security. Security training classes are less than scintillating — employees generally dislike mandatory classes — and active phishing exercises often seem more like attempts at "gotcha," he says.

"These are approaches that set up an artificial antagonism between the organization and the employees," he says. "It is not intended to be that way, but when the people running the exercise say, 'Ah, ha! You fell for my trick!' ... It feels like such a nonproductive action."

In the midst of Cybersecurity Awareness Month, companies are increasingly realizing that they need more than SA&T and compliance to harden their workforces against the cybersecurity threats they are currently facing. The shift in perceptions follows the exodus of workers from their offices to work-from-home arrangements, in the process becoming the first line of defense against attackers.

**Improving Culture, Not Just Courses**

Organizations should focus on awareness, behavior, and culture — the ABCs of human risk reduction — not just courses and training, according to Forrester Research. A focus on quantifying human risks and determining those risks based on actual user behavior leads to better outcomes, the research firm stated in "The Forrester Wave: Security Awareness And Training Solutions, Q1 2022."

"With employees operating remotely or physically, security awareness is now borderless — so it’s paramount to instill a 'security everywhere' culture," Forrester's analysts wrote. "All of this is causing well-needed disruption in a long-stagnant market. Fortunately, many vendors have risen to the challenge, creating solutions that no longer function solely to train people for the sake of it."

Nudge Security, for example, is not primarily a security awareness training tool, but a method of gaining visibility into software-as-a-service usage and automating security for those services. The company grants businesses visibility into their employees' actions by scanning for emails that indicate when users have signed up for a service.

However, the service also automatically sends users reminders to reinforce good cybersecurity behavior by using context-specific interactions — or "nudges" — that iteratively improve the security know-how of the user.

"The point of those relatively simple interactions is that the opportunity for compliance is much higher when you are engaging those employees as part of your team and extending that trust," Spitler says. "We are not treating the employees as an extension of the computer. We are assuming that the employee is going to get their job done, and then we are presenting them with more context for the situation."

**'Micro-Training' to Change Behavior**

Nudge Security is not alone. In November 2021, the most established player in the security awareness and training (SA&T) sector, KnowBe4, acquired SecurityAdvisor, a provider of real-time behavior analysis and micro-learning. The company aims to combine the two approaches to create a "human detection and response" service that delivers training at the right moments, says Erich Kron, a security awareness advocate with KnowBe4.

"I see a future where, if an employee replies to a phishing email and includes PII \[personally identifiable information\] or other sensitive information, a favored tactic of bad actors, not only does the data loss prevention \[DLP\] control stop the information from leaving the organization, but it also triggers a short training session about protecting information and that type of scam," he says. "In those situations, the person is likely to be thankful that the technical control stopped something bad from happening but will also be motivated to learn how not to make the mistake again."

Another firm, CybSafe, has focused on changing behaviors as well, using data-based metrics and behavioral psychology to create a platform that measures specific actions and provide context-specific feedback.

"Awareness is good to have, sure, but it doesn't change behavior," the company stated in a blog post. "Yet, organizations keep assigning more traditional security awareness training to their people. Yes, we're puzzled too."

**Managing and Reducing Risk**

Companies involved with security awareness and training need to find better ways, not just to educate employees about cybersecurity, but measurable ways to reduce risk. Security groups should determine the best metrics to track human risk, and find improved ways to reduce that risk, Forrester Research stated in its report.

"Innovation is important to \[businesses\] because the way the industry has long addressed SA&T has yielded nothing but frustration for employees, eroding security's brand and goodwill," the analysts stated. "You need a different way to manage human risk, not better ways to train people."

Security Awareness Urged to Grow Beyond Compliance

FBI warns that cybercriminals are stealing personal information by posing as administrators of the Student Loan Debt Relief Plan.

Fraudsters are contacting people through email, text, phone, and online claiming to be administrators for the Federal Student Loan Forgiveness Program in an effort to steal personally identifiable information, the FBI warned this week.

In late August, the Biden Administration announced that the US Department of Education would cancel up to $20,000 in student loans per borrower.

The FBI says anyone contacted by someone purporting to be working for the federal student loan forgiveness program should not provide any sensitive personal data, particularly any payment information.

"Cybercriminals and fraudsters use their schemes to receive payment for services they will not provide or collect victim information they can then use to facilitate a variety of other crimes," the FBI announcement said. "Entrance into or assistance with any federal student aid program through the Department of Education or their trusted partners never requires payment."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Scammers Targeting Those Seeking Student Loan Forgiveness

Experts say CVE-2022-42899 is a serious vulnerability, but widespread exploitation is unlikely because of the specific conditions that need to exist for it to happen.

Researchers who have analyzed the recently disclosed vulnerability in Apache Commons Text — referred to by some as Text4Shell — described it this week as serious but unlikely to be as disruptive as last year's Log4j bug.

The flaw (CVE-2022-42889) is present in versions 1.5 through 1.9 of Apache Commons Text and gives attackers a way to run malicious code remotely on vulnerable systems. The Apache Software Foundation (ASF) disclosed the flaw last week in a brief advisory and recommended that organizations upgrade to Apache Commons Text 1.10.0, a version that the ASF released on Sept. 24 or more than two weeks before bug disclosure.

CVE-2022-42889 stems from insecure defaults when Apache Commons Text performs a function called variable interpolation, which involves the process of looking up and evaluating code strings that contain placeholders. According to the ASF, the set of Lookup instances in versions 1.5 through 1.9 of Apache Commons Text included interpolators that could trigger arbitrary code execution or contact with remote servers. Since the vulnerability was disclosed, several researchers have released proof-of-concept code showing how it can be exploited and scanners for finding potential targets to attack.

Shachar Menashe, senior director of security research at JFrog, says Apache Commons Text (ACT) is an extremely common Java library focused on algorithms that work on strings. "ACT provides an API to perform variable interpolation — or substitution — allowing properties to be dynamically evaluated and expanded," Menashe says. "Some functions of this library were found to lead to remote code execution if attacker-controlled data is passed to these functions."

There are three potential substitution sources that could have a security impact if an attacker has control of the string being interpolated: script, dns, and url, he explains. Attackers could use the script source to execute arbitrary JavaScript code; they could use the dns source to proxy dns requests, and the url source as a server-side request forgery vector, Menashe says.

However, "the vulnerability can only be exploited in cases where some Java code exists that uses \[Apache Commons Text\] and passes attacker-controlled data to specific functions," he says. "We believe exploitation won't be as widespread as Log4Shell since these functions seem to be less likely to receive external user input." 

An attacker would have to research the target Java application and find an input that is passed to the vulnerable functions, which the attacker can control, Menashe says. At the same time, it's unwise to rule out that possibility.

"It's still possible this will blow up if researchers start finding other popular third-party services that use this library and pass external input to these vulnerable functions by default," Menashe notes. "But as of now, no such third-party services have been found."

ASF describes the Commons Text library as providing additions to the standard Java Development Kit's (JDK) text handling. Sonatype's Maven Central Java repository lists 2,588 projects that currently use the library. Among them are Apache Hadoop Common, Apache Velocity, Spark Project Core, and Apache Commons Configuration,

**Widespread Exploitation Seems Unlikely**

Erick Galinkin, principal researcher at Rapid7, says the fact that CVE-2022-42889 is a library vulnerability makes it hard to say for certain what its impact will be. A lot depends on how the vulnerable object is used in a particular application. "Overall, our assessment is that the vulnerability is potentially serious," he says. "It is certainly important to patch affected applications as those patches become available, but not worth panicking over."

The severity is really a function of how the vulnerable object — the Commons Text StringSubstitutor interpolator — is used. "If there's an application out there that is using the interpolator on arbitrary untrusted input, a user of that application is going to have a bad time," he says. 

But based on initial research, the vulnerable object isn't very common, and it is implausible for an unprivileged attacker to actually gain control of the relevant strings. "That said, there may still be some application using this in a way that is risky, and in that case, the potential for code execution is very high," Galinkin said.

He adds that the ability for an attacker to discover vulnerable targets depends on how an organization might have implemented the vulnerable component. "Many of the proofs-of-concept for the vulnerability, including ours, just involve passing a crafted string to the interpolator — so in that sense, it is extremely easy to exploit," he says. In many other implementations an attacker would need to already have some level of access, making it difficult to exploit.

Menashe notes that JFrog has written an open source tool to detect Java binaries that are vulnerable to this issue. The tool can help organizations determine whether the version of commons-text is vulnerable.

He adds: "The tool also locates the calls to the vulnerable functions in compiled \[.jar files\] and reports the findings as class name and method names in which each vulnerable call appears."

Apache Commons Vulnerability: Patch but Don't Panic

We need more than the incomplete snapshot SBOMs provide to have real impact.

With Executive Order 14028, a large regulatory push toward mandating the production of a software bill of materials (SBOM) began. As this new buzzword spreads, you'd think it was a miracle cure for securing the software supply chain. Conceptually, it makes sense — knowing what is in a product is a reasonable expectation. However, it is important to understand what exactly an SBOM is and whether or not it can objectively be useful as a security tool.

**Understanding SBOMs**

SBOMs are meant to be something like a nutrition label on the back of a grocery store item listing all of the ingredients that went into making the product. While there currently is no official SBOM standard, a few guideline formats have emerged as top candidates. By far, the most popular is the Software Data Package Exchange (SPDX), sponsored by the Linux Foundation.

SPDX, as with most other formats, attempts to provide a common way to represent basic information about the ingredients that go into the production of software: names, versions, hashes, ecosystems, ancillary data like known flaws and license information, and relevant external assets. However, software is not as simple as a box of cereal, and there is no equivalent to the Food and Drug Administration enforcing compliance to any recommended guidelines.

**Everything Is Optional, Therefore Nothing Is Required**

One of the biggest and most obvious gaps in SPDX and other standards is that, like the open source ecosystem at large, it is a set of communities built on general guidelines, not verified standards. Open source communities are wide and sprawling, with contributors from across the globe. Often, package managers and hosting environments are designed by separate committees, each operating in isolation. While SBOM mandates represent an early attempt to unify these many silos of information, they suffer from some of the fundamental limitations of applying a standard retroactively.

First and foremost, the cracks begin to show when we consider what SPDX actually provides. As it turns out, nearly every field in the standard is optional. While this optionality of fields is clearly an artifact of how different the many software ecosystems the format attempts to cover really are, an SBOM loses its value as a real source of truth if there is no requirement for cryptographic hashes or other information that would allow us to positively associate the library with the information presented in the SBOM document.

**SBOMs Miss the Mark on Provenance**

In addition to being incomplete, many of the inputs cannot be properly represented in the current formats, especially from places like version control system repositories. While some emerging frameworks like SLSA attempt to apply notions of provenance, no format hits the mark. We must incorporate accurate provenance data into the SBOM format in order to ensure that we get a reasonable view of what is inside the software we are consuming. This should include the following, at minimum:

*   **Author identity information:** Both maintainers and contributors are a critical part of the software supply chain. They hold the proverbial keys to the kingdom, and choose how the software we consume downstream is released. Even if complete data cannot be captured, we can absolutely do better than what is provided today, which is nothing at all.
*   **Development tools:** This includes build tools, CI/CD infrastructure, and tools used during the development of upstream software. What good is securing your internal development infrastructure if a compromise in any library you use could still cause an internal compromise?
*   **Controls and protections:** If one of the goals is third-party risk management, we must ask: What does the security posture of the development team look like? Is branch protection being used? What sort of review processes are applied?
*   **Artifact attestation:** We absolutely must be able to tie an entry within an SBOM document back to an actual artifact. This should include both an actual build artifact, such as a compiled package, as well as continuously developed artifacts such as tagged branches in a version control system.

Realistically, we must build an understanding of each of these elements to comprehend what goes into the software we are utilizing before even considering how an SBOM may be operationalized.

**We Can't Rely On a Simple Snapshot in Time**

Finally, the biggest challenge with broad SBOM adoption is that the static format only provides the truth in that moment. In order to be meaningful, SBOMs must have the ability to be delivered and accessed continuously.

Consider, for instance, that you were to receive a vendor SBOM from your cloud storage provider. Not only would this SBOM be a document containing tens of thousands of individual pieces of software, but it would also contain many multiples of versions of those software packages. Now, consider that by the time you receive that information, it is likely already out of date. This is because large enterprises often ship hundreds or thousands of builds per day. By the time you have processed, consumed, and reasoned about an SBOM for any large vendor, the data is already stale.

Versions will have changed, new packages will have been added, and some packages may have been removed. Modern development best practices mean that builds and delivers are meant to be continuous, which leads to faster iteration and faster release cycles. It also means that the delivery of a single SBOM is all but meaningless. What this really implies is that there is a strong requirement for scalable automation around SBOMs in order for them to provide true value.

The intent behind SBOMs is to pave the way to improved visibility, both internally and externally. However, don't be fooled into thinking they will secure your software supply chain. We need more than an incomplete snapshot in time to have real impact.

SBOMs: An Overhyped Concept That Won't Secure Your Software Supply Chain

New data-protection innovations mitigate security risks by expediting deployment cycles and simplifying operational complexity.

**SAN JO****SE, Oct. 18,** **2022** — Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today announced new data protection innovations that build upon a rich heritage of securing data across all cloud apps for data in motion, data at rest, and BYOD assets with unprecedented accuracy and scale. The new advancements accelerate data protection programs from months to hours with zero configuration for data loss prevention (DLP). This mitigates security risks by unifying data protection across all channels, simplifying operations by automating workflows.

In today’s highly mobile and cloud-centric world, data is created and distributed across hundreds of applications and workloads, escalating organizations’ risk of data loss. Enterprises’ inability to protect distributed data is reinforced in the findings of the new 2022 Data Loss Report by the Zscaler ThreatLabz research team. ThreatLabz found that 36% of cloud application data is accessible via the open internet. Analysis of nearly 6 billion data loss policy violations revealed that organizations experience an average of 10,000 potential data loss events daily resulting in losses greater than $4.35 million.¹

Traditional DLP solutions can't secure distributed data and require a massive amount of resources to configure, maintain and manage, which can be costly and result in months to implement, putting organizations at risk. Concurrently, the lack of automated workflows prevents security teams from managing critical risks leading to elongated mitigation timelines and unresolved incidents. To make matters worse, the reliance on separate point products for different channels causes increased risk, reduced visibility and inconsistent policies. Organizations that have not deployed a unified zero trust strategy suffer an additional $1 million loss on average¹, indicating that data protection can not be a standalone endeavor.

“Building on eight years of data protection innovations, Zscaler has employed advanced auto-classification capabilities to accelerate setup and reduce security team overhead and costs,” said Moinul Khan, Vice President & General Manager, Data Protection, Zscaler. “Unlike other data protection solutions, this ensures that Zscaler Data Protection works for the IT administrator, rather than having the IT administrator work for it. In addition, the technology we acquired from the recently announced ShiftRight acquisition allows organizations to manage hundreds of potential risks and incidents in a simple yet very sophisticated way to reduce case resolution time significantly."

The recently introduced security category, security service edge (SSE), reinforces the market’s need for unified data protection as part of a larger, purpose-built security platform. These advancements to the Zero Trust Exchange, aligned to SSE principles, further Zscaler’s position as a leader in data protection by empowering security teams with:

  

*   **_Expedited Deployment Cycles with_** **_Zero Configuration DLP_****:** Utilizing the scale of the world’s largest security cloud that processes 170 million files per day, the new zero configuration DLP capabilities auto classify all organizational data, thereby accelerating the deployment of data protection programs.
*   **_Mitigated Security Risks by Unifying_** **_Data Protection Across all Channels:_** The addition of endpoint, and email data protection capabilities adds to the existing support of web, SaaS, IaaS, PaaS and private apps. This removes the need for point products, decreasing security risks and management complexity by unifying policies across channels.
*   **_Simplified Operations through_** **_Automated Workflows_****:** Advanced closed-loop incident management delivers actionable insights and automates workflows to respond to potential security risks in a timely and effective manner.

“Securing data is always a challenge due to complex workflows and inconsistent protection strategies and coverage across users and devices," said Bashar Abouseido, CISO, Charles Schwab. "With Zscaler, that has all changed, as we now have one unified platform with full visibility and policy control while drastically streamlining our processes.”

"Zscaler is one of the most seamless, straightforward deployments I've seen in a while,” said Thomas Likas, Head of Cyber & Digital Trust Enterprise Architecture, Takeda. “Their comprehensive and unified approach to protecting data across all channels helps us transform and evolve our data protection program, ensuring sensitive data remains secure from accidental loss or malicious exfiltration.”

“The DLP market has long suffered from complexity and efficacy issues due to the need for time-intensive, manual configuration and management,” said John Grady, Senior Analyst, Enterprise Strategy Group (ESG). “Zscaler’s massive data set, garnered from the 250 billion transactions its security cloud processes every day, provides impressive scale and a key differentiation in the market. This scale enables greater visibility and accuracy, which translates into ease of use, better efficiencies, and lower costs for customers.”

1\. Zscaler, 2022 ThreatLabz Data Loss Report, Oct. 18, 2022

**Additional Resources**

For a deeper dive into the new Data Protection features, please visit.

The 2022 ThreatLabz Data Loss Report, in which the Zscaler ThreatLabz research team has analyzed nearly 6 billion data loss policy violations from November 2021 through July 2022, can be downloaded here.

**About Zscaler**

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange is the world’s largest inline cloud security platform.

_Zscaler™ and the other trademarks listed at_ _https://www.zscaler.com/legal/trademarks_ _are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners._

Zscaler Advances Enterprise Data Security With Zero-Configuration Data Protection

New version boosts VPN tunnel performance and lets users prioritize secure connection traffic for certain services.

**Woburn, Mass., Oct. 19, 2022** — Today Kaspersky unveiled a new version of Kaspersky VPN Secure Connection, which introduces a dramatic 200% boost in VPN tunnel performance, compared to 2020. A split-tunneling feature grants users the ability to prioritize secure connection traffic for certain services, while a VPN-for-routers capability automatically re-routes any connected device at home.

Global VPN usage is on the rise, with the market set to reach a colossal $77.1 billion by 2026. This comes as no surprise, since installing a VPN provides a quick and easy way to improve security and prevent data from falling into the wrong hands. It does this by routing data through an encrypted tunnel, which hides the IP address and makes it look as though the connection has come from elsewhere.

Alongside the performance increase, the updated Kaspersky VPN Secure Connection’s split-tunnelling feature allows users to select exactly what traffic goes through the VPN. This will help to achieve better performance, letting the user prioritize high-bandwidth traffic, focus on data in sensitive apps, and disable the VPN for other apps that might be reliant on location data.

The geography of servers within Kaspersky VPN Secure Connection has also been greatly increased, now offering 86 locations across 68 regions. This lets users access a wider range of content on the biggest global streaming services, including Netflix, Hulu, Amazon Prime, HBO Max, Disney+ and BBC iPlayer. An intuitive new function of the VPN helps customers to pick the best location for a particular task by recommending the one that provides the best performance level for either streaming or torrenting.

Additionally, the VPN for routers now allows all devices connected to home Wi-Fi to run through the VPN automatically, without having to set up each one individually. This feature is particularly useful for smart TVs, smart locks, and other smart home gadgets, on which a user cannot install a VPN directly, therefore providing uninterrupted privacy and security to these devices.

“As people continue to work from home and spend more time online, an increased importance is placed on keeping their data private as well as securing connected home devices,” said Marina Titova, vice president, consumer product marketing at Kaspersky. “To support consumers with their needs, we’ve invested a lot into improvement of our Kaspersky VPN. As a result, consumers can experience boosted VPN tunnel performance, with a 200% increase compared to 2020. The VPN also sees new features and better UX to ensure speed, privacy and high performance across all home devices.”

The new Kaspersky VPN Secure Connection is available now. To find out more about the product, visit this page.

****About Kaspersky****

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Kaspersky Launches New VPN to Amplify Speed and Convenience

Training service prepares ransomware response teams for successful threat actor engagement to mitigate damage, protect brand reputation, anticipate emerging threats, and more.

**Arlington, Va., Oct. 19, 2022 –** GroupSense, a digital risk protection services company, today announced the launch of a new Ransomware Negotiation Training service offering. During an immersive three-day, in-person training session, participants will learn the proper strategies to combat the negative consequences of an attack from negotiation experts at both GroupSense and Max Negotiating, a negotiation advisory firm that specializes in training lawyers and legal professionals. As a result of the training, participants will be able to help their client organizations identify threat actors, learn key cyber negotiation principles and strategies, protect brand reputation, avoid unnecessary business losses and stay ahead of emerging threats.

According to the Federal Bureau of Investigation’s Internet Crime Complaint Center, ransomware complaints increased 62% from 2020 to 2021. The increase in attacks makes negotiation with threat actors a crucial part of enabling an organization to resume operations, reducing permanent data loss and eliminating regulatory fines and penalties. While response teams, typically led by lawyers, are accustomed to negotiating on their client’s behalf, many have never communicated directly with threat actors or conducted negotiations under the constraints they impose. With GroupSense’s Ransomware Negotiation Training, participants will discover the ins-and-outs of ransomware attacks, the intricacies of threat actor engagement, discern their role in a ransomware negotiation and master a proactive ransomware response strategy.

“The business impact of a ransomware attack can be severe – revenue loss, brand and reputation damage, operational and business disruption, increased cyber insurance premiums and legal consequences,” said Maxwell Bevilacqua, chief negotiating officer of Max Negotiating. “By teaming up with GroupSense, we’re able to pair their expert ransomware negotiators with our negotiation experts to help clients - such as lawyers and law firms with cybersecurity practices - better understand the art and science of negotiation with threat actors so they can minimize damage to their companies.”

As part of the three-day training, GroupSense and Max Negotiating design a case simulation according to the structure of the client’s organization, putting the client’s response team through a fire drill to consolidate their strengths and highlight vulnerabilities, and prepare the team for worst-case scenarios. The agenda for the training is as follows:

*   **Day 1** – Participants begin by learning the anatomy of a ransomware attack, including how they are conducted, the roles involved and the ransomware ecosystem. Next, the GroupSense and Max Negotiating team provides a framework for conducting ransomware negotiations and delves into core principles as they apply to cybercrime and ransomware.
*   **Day 2** – The framework is then put to the test in a complex, dynamic, multi-party simulation of a ransomware attack. The simulation is recorded for future review and coaching on the third day.
*   **Day 3** – The team provides feedback as participants review recordings of the previous day’s negotiation simulation. The team leads participants in exercises to strengthen the vulnerabilities identified in the simulation. The training is then concluded by building out a team response plan.

After the training program, client organizations will have access to the video recordings as well as the Max Negotiating digital toolkit. They will also have the opportunity to engage in additional ransomware negotiation training and coaching opportunities from both GroupSense and Max Negotiating.

“Over the last three years, our ransomware experts have conducted some of the world’s largest ransomware and extortion negotiations, giving them in-depth practical knowledge of the process and the ability to develop a proven negotiation method that has garnered best-case outcomes for our clients,” said Kurtis Minder, co-founder and CEO, GroupSense. “We partnered with Max Negotiating to combine our field experience with their deep knowledge of the negotiation process to help response teams reduce panic and decision fatigue during a ransomware attack, to arm them with the skills to remain in control of the situation, and to provide the tools they need to engage successfully with threat actors and facilitate a positive outcome.”

In addition to the new Ransomware Negotiation Training offering, GroupSense has additional ransomware offerings, including its Ransomware Response Readiness Assessment (R3A) and Ransomware Negotiation Services. Additional services include ransomware incident support, post-incident monitoring and breach notification services. GroupSense also provides a ransomware hotline (1-800-484-9426) for companies to speak to an expert negotiator if they’ve been affected by ransomware.

For more information about GroupSense’s Ransomware Negotiation Training offering, download the data sheet, and to inquire about pricing, please contact \[email protected\].

**About GroupSense**

GroupSense is a digital risk protection services company delivering customer-specific intelligence to dramatically improve enterprise cybersecurity and fraud-management operations. Unlike generic cyber-intelligence vendors, GroupSense uses a combination of automated and human reconnaissance to create finished intelligence mapping each customer’s specific digital business footprint and risk profile. This enables customers to immediately use GroupSense’s intelligence to reduce enterprise risk, without requiring any additional processing or management by overstretched security and fraud-prevention teams. GroupSense is based in Arlington, Va., with a growing customer base that includes large enterprises, state and municipal governments, law enforcement agencies and more.

GroupSense Delivers New Ransomware Negotiation Training Service

Former Zscaler president to lead DigiCert's next stage of growth as the company accelerates its strategy, expands its product offering, and works to become the de facto standard for digital trust.

**LEHI, Utah, Oct. 19, 2022** – DigiCert, Inc., ("DigiCert" or the "Company") a leading global provider of digital trust, has named Amit Sinha as the Company's Chief Executive Officer, and a member of the DigiCert Board of Directors. Sinha joins DigiCert from Zscaler, Inc. ("Zscaler") where he served as President and a member of the Board of Directors. During his 12-year tenure, Zscaler grew from a startup to a NASDAQ-100 company and established itself as a leader in enterprise security. DigiCert is backed by Clearlake Capital Group, L.P. (together with its affiliates, "Clearlake"), Crosspoint Capital Partners ("Crosspoint"), and TA Associates ("TA").

"I'm honored and grateful for the opportunity to lead the DigiCert team," said Amit Sinha. "Digital trust is the cornerstone of our connected world and DigiCert has built a foundation with global enterprises by delivering comprehensive security solutions. As we look ahead, the Company is positioned to accelerate its leadership in digital trust for connected device and user authentication, secure software, documents, digital content and data integrity."

"Amit has a track record of delivering technology innovation, operational excellence, and customer value," said Behdad Eghbali, Co-Founder and Managing Partner, and Prashant Mehrotra, Partner and Managing Director, of Clearlake. "We look forward to partnering with Amit, and the DigiCert leadership team, as the Company embarks on its next phase of accelerated growth and expansion."

"Amit is a seasoned industry leader with deep security domain expertise and business acumen," said Greg Clark, Managing Partner of Crosspoint Capital and Chair of DigiCert's Board of Directors. "With Amit at the helm, we believe we can drive increasing market adoption of our core platform and deliver innovative new products and services to strengthen DigiCert’s position as the dominant provider of digital trust."

"Amit’s years of experience and passion for continuous technological innovation have positioned him well to guide DigiCert through its next strategic growth phase," said Jason Werlin, a Managing Director at TA. "We believe Amit will be a valuable addition to DigiCert’s talented management team and are excited to work closely with him as we aim to further DigiCert’s industry leadership."

Mr. Sinha brings over 20 years of technology, strategy, and operational experience from leading category-creating businesses at Zscaler, Motorola, AirDefense, and Engim. He has a doctorate in electrical engineering and computer science from the Massachusetts Institute of Technology and a Bachelor of Technology in electrical engineering from the Indian Institute of Technology, Delhi, where he graduated summa cum laude and was awarded the President of India Gold Medal. Mr. Sinha has authored over 25 journal/conference papers, contributed to three books, and is the inventor of 39 US patents, granted or pending.

**About DigiCert, Inc.**

DigiCert is a leading global provider of digital trust, enabling individuals and businesses to engage online with the confidence that their footprint in the digital world is secure. DigiCert® ONE, the platform for digital trust, provides organizations with centralized visibility and control over a broad range of public and private trust needs, securing websites, enterprise access and communication, software, identity, content and devices. DigiCert pairs its award-winning software with its industry leadership in standards, support and operations, and is the digital trust provider of choice for leading companies around the world. For more information, visit www.digicert.com or follow @digicert.

**About Clearlake**

Clearlake Capital Group, L.P. is an investment firm founded in 2006 operating integrated businesses across private equity, credit and other related strategies. With a sector-focused approach, the firm seeks to partner with management teams by providing patient, long-term capital to businesses that can benefit from Clearlake’s operational improvement approach, _O.P.S._® The firm’s core target sectors are technology, industrials, and consumer. Clearlake currently has over $70 billion of assets under management, and its senior investment principals have led or co-led over 400 investments. The firm is headquartered in Santa Monica, CA with affiliates in Dallas, TX, London, UK and Dublin. More information is available at www.clearlake.com and on Twitter @Clearlake.

**About Crosspoint Capital**

Crosspoint Capital Partners is a private equity investment firm focused on the cybersecurity, privacy and infrastructure software markets. Crosspoint has assembled a group of highly successful operators, investors and sector experts to partner with foundational technology companies. Crosspoint has offices in Menlo Park, CA, and Boston, MA. For more information visit: www.crosspointcapital.com.

**About TA**

TA Associates ("TA") is a leading global growth private equity firm. Focused on targeted sectors within five industries — technology, healthcare, financial services, consumer and business services — the firm invests in profitable, growing companies with opportunities for sustained growth, and has invested in more than 560 companies around the world. Investing as either a majority or minority investor, TA employs a long-term approach, utilizing its strategic resources to help management teams build lasting value in high quality growth companies. TA has raised $48.6 billion in capital since its founding in 1968. The firm's more than 110 investment professionals are based in Boston, Menlo Park, Austin, London, Mumbai and Hong Kong. More information about TA can be found at www.ta.com.

Source

DARKReading