The peer-to-peer network IPFS offers an ingenious base for cyberattacks and is seeing a stratospheric increase in malicious hosting.

The distributed, peer-to-peer (P2P) InterPlanetary File System (IPFS) has become a hotbed of phishing-site storage: Thousands of emails containing phishing URLs utilizing IPFS are showing up in corporate inboxes.

According to a report from Trustwave SpiderLabs, the company found more than 3,000 of these emails within its customer telemetry in the last three months. They lead victims to fake Microsoft Outlook login pages and other phishing webpages.

**The Astronomical Advantages of IPFS**

IPFS uses P2P connections for file- and service-sharing instead of a static URI resource demarked by a HTTP host and path, according to the Thursday analysis — which offers big benefits for malicious users.

For once, IPFS is designed to be resistant to censorship by making content available in multiple places — meaning that even if a phishing site is taken down in one place, it can quickly be distributed to other locations. This makes it very difficult to stop a phishing campaign once it's started.

"In a centralized network, data is not accessible if the server is down or if a link gets broken. Whereas with IPFS, data is persistent," the report notes. "Naturally, this extends to the malicious content stored in the network."  

P2P also gives those phishers an additional layer (and potentially multiple layers) of obfuscation because the content doesn't have a static, blockable address — and this bolsters a greater likelihood of phishing emails evading scanners and arriving in a victim's inbox.

"So, in addition to the benefits for attackers \[related to\] 'traditional cloud services,' this layer of obfuscation provides the attackers with additional benefits," Karl Sigler, senior security research manager at Trustwave SpiderLabs, tells Dark Reading.

Furthermore, because IPFS is a decentralized system, it means there is no central authority that can take down a phishing site. This makes it much harder for law enforcement and security researchers to take down phishing sites hosted on IPFS.

"This represents a significant evolution in phishing, as it's now much harder to take down phishing sites and block access to them," says Atif Mushtaq, founder and chief product officer at SlashNext, an anti-phishing company. "Organizations need to be aware of this new development and adjust their defenses accordingly."

He explains that one way to do this is to use DNS sinkholing to block access to IPFS-based phishing sites. That's a technique where DNS requests for a phishing site are redirected to a dummy server.

"This prevents users from accessing the phishing site, as they will only be able to reach the dummy server," Mushtaq says. "Organizations can also use Web filters to block access to IPFS-based phishing sites."

**More Sophisticated IPFS Tactics Likely to Emerge**

Mushtaq warns that phishers may start using even more sophisticated methods for replicating sites, such as using distributed hash tables (DHTs), a type of data structure that is often used in P2P systems, which provide a way to distribute data across many different machines.

Sigler says there will likely be greater adoption of IPFS by malicious actors, which will have the effect of making the technique more common and likely easier to spot.

"However, with more focus from those attackers, we will likely see more creativity brought to the table and IPFS utilized in ways we haven't see yet," he adds.

**Phishing Overwhelms Orgs**

Phishing attacks are already causing massive security headaches for organizations: Just this week, Ducktail was discovered targeting marketing and HR professionals through LinkedIn to hijack Facebook accounts. And earlier this month, Microsoft announced that 10,000 organizations were targeted in a phishing attack that spoofed an Office 365 authentication page to steal credentials.

Sigler explains that using IPFS for obfuscation can provide security admins with a new attack vector that they may not have considered before.  

"We recommend educating yourselves and your staff about how IPFS works and take a look at the specific examples in the blog post for how IPFS is utilized in specific ways," he says. "Given how it's being utilized by phishing campaigns right now, we also recommend monitoring for unexpected email for URLs that contain IPFS pointers."

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says the first response with phishing is always the same: better user education.

"A phisher, in any of their myriad forms, relies on a target not being attentive and falling for their bait," he explains. "Here, the attackers are using IPFS to help conceal their origin, but a prepared user should be able to see through the ruse and not take the bait."

He points out it's hard to say how threat actors will alter their techniques going forward.

"As defensive tools get better, the attackers adapt and improve their game. The challenge is getting the users educated to recognize these attacks and not take the bait," he explains. "Moving to IPFS for distribution gives threat actors some advantages but doesn't change the fact that a lot of these attacks rely on the victim not realizing they are being attacked."

1,000s of Phishing Attacks Blast Off From InterPlanetary File System

With Microsoft disabling Office macros by default, threat actors are increasingly using ISO, RAR, LNK, and similar files to deliver malware because they can get around Windows protections.

Threat actors have sharply reduced the use of one of their favorite malware distribution tactics following Microsoft's decision earlier this year to disable Office macros in documents downloaded from the Internet. However, container files have risen to help cyberattackers get around the issue.  

This pivot is clear: In the months since Microsoft's Oct. 21 announcement that it would disable macros by default, there's been a 66% decline in threat actor use of VBA and XL4 macros, according to Proofpoint.

Other security vendors such as Netskope have also observed a substantial drop in Office-based attacks following Microsoft's move. In July 2022, the percentage of Office malware that the security vendor's cloud security platform detected was less than 10% of all malware activity, compared with 35% a year ago.  

Researchers at Proofpoint who have been tracking the pivot to container files said this week that attackers have begun using a variety of new file types as alternatives to hiding malware in macro-enabled documents attached to email messages. This particularly includes switching to using files such as LNK, RAR, IMG and ISO files in their recent campaigns, according to the security vendor.

Patrick Tiquet, vice president of security and architecture at Keeper Security, says researchers at his company have noticed, for instance, an increase in attacks using ISO files. Often these attacks have targeted non-technical staff such as sales or customer service representatives, he says. Usually, the attackers try to convince the victim to download and open the ISO file under the guise of scheduling a meeting  

**Same Tactics, Evolving Delivery Mechanisms**

"Generally speaking, these other file types are directly attached to an email in the same way we would previously observe a macro-laden document," says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. 

However, there are also cases where the attack chains are more convoluted, she says. For example, with some recent QakBot (aka Qbot) banking Trojan campaigns, threat actors embedded a zip file containing an ISO within an HTML file that was directly attached to a message. 

But, "as for getting intended victims to open and click, the methods are the same: a wide array of social-engineering tactics," DeGrippo says.

In addition, she notes that before Microsoft's macros announcement, a variety of actors were already using archives and image files to distribute malware, so this is not new technique by any means. "\[The increased use of container files should be seen as\] more of a realignment or pivot to existing techniques that should already be accounted for in a defensive posture," she says.

**Getting Past Mark of the Web Protections**

Attackers have made the switch because container files give them a way to sneak malware through the so-called Mark of the Web (MOTW) attribute that Windows uses to tag files downloaded from the Internet, DeGrippo says. 

Such files are restricted in what they can do and — starting with Microsoft Office 10 — are opened in Protected View by default. 

Executables that have been tagged with the attribute are checked against a list of known trusted files and prevented from executing automatically if the check shows the file to be unknown or untrusted. Instead, users get a warning about the file being potentially dangerous.

"MOTW is metadata stored in an alternate data stream, and generally speaking, that data only exists for the outermost container: the file directly downloaded," DeGrippo tells Dark Reading. 

The key is that the document inside a container file — a macro-enabled spreadsheet, for instance — will not be tagged the same way. 

"The interior or archived files were not downloaded and, in many cases, will then not have any MOTW metadata associated with them," she says. In these instances, a user would still need to enable macros for the malicious code to run, but the file would not be identified as having come from the Web and therefore would not be considered untrusted.

MITRE's ATT$CK database also identifies container files as one way threat actors can bypass MOTW to deliver malicious payloads on target systems. 

"MOTW is a New Technology File System (NTFS) feature and many container files do not support NTFS-alternative data streams," MITRE has noted. "After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections."

Russia's APT29 gang (aka Cozy Bear) and the TA505 group (the threat actor behind the Locky ransomware variant and the Dridex banking Trojan), are both examples of cyberattackers that have used container files to subvert MOTW protections and deploy malicious payloads, according to MITRE.

**Easier to Block**

Security researchers have widely welcomed Microsoft's decision to disable macros in files from the Internet. Attackers have long used macros to distribute malware, relying on the fact that users often leave macros enabled by default, therefore giving them a relatively straightforward to execute malicious payloads on victim systems. Microsoft itself has urged users to disable Office macros when not needed citing security concerns. But the company did not make it a default setting until earlier this year.  

DeGrippo says Microsoft’s decision to disable macros as default behavior impacts defenders in a positive way even if threat actors are looking at other ways to distribute malware. 

"Organizations generally have a hard time blacklisting filetypes like Word and Excel documents," she says. "But something like ISOs are often less essential to a company’s day-to-day operations," and can therefore be more easily put on a block list.

Keeper Security's Tiquet agrees. Current endpoint security systems can block most of these attacks, but "users must be aware of and trained about this kind of attack," he says.

In a Post-Macro World, Container Files Emerge as Malware-Delivery Replacement

Dark Reading's analysis suggests that the merger between Human Security and PerimeterX will bring modern defense strategies to disrupt cybercrime and fraud.

Human Security, a company focused on bot mitigation and fraud detection, announced its merger with PerimeterX, a company focused on safeguarding Web apps from account takeover and automated fraud.

Dark Reading analyzed the two companies in order to assess the impact the merger will have on customers and on the overall bot defense market. Our assessment is that, separately, the two companies addressed different parts of the bot, account abuse, and fraud problem. Going forward, the merged company, operating under the existing Human Security name, will offer a strong product portfolio showcasing Human's bot defense capabilities and PerimeterX's comprehensive account protection capabilities. Enterprises will be able to safeguard against bot attacks via a single Human Defense Platform, which would be attractive to both features-focused CISOs and managers interested in consolidating the number of vendors they are working with.

The new company, Human, will serve more than 500 customers and have more than $100 million in ARR (revenue). Human Security's CEO Tamer Hassan will continue as CEO of the combined company, while Omri Iluz, the CEO and co-founder of PerimeterX, will become general manager of the Enterprise security division and join the board. Ido Safruti, PerimeterX's co-founder and CTO, will join as CTO of the Enterprise security division at Human. Financial terms of the merger were not disclosed.

**The Bot Problem**

Bot management and defense is often viewed as an extension of the Web application firewall, as it handles an array of Web application and business-logic abuse attacks. Business-logic abuse, or Web attacks that abuse the legitimate processing flow of an application, is a growing problem for enterprises and a difficult one to mitigate.

Many attack surface management and detection products fail to see business-logic attacks because they look like normal user activity. An attack-focused CISO may overlook these attacks because they don't look like a direct attack on the organization the way a SQL injection or cross-scripting attack would. A compliance or governance-focused CISO could also miss these attacks because they typically don't violate regulatory standards.

In fact, these types of attacks are often discovered by the CMO examining business performance and finding that website activity did not correlate with forecasted results. Business-logic abuse attacks show up in situations where bots buy up popular items and scalp them as part of an unauthorized secondary market, consume content to make it look like there is user engagement when there isn't, use stolen payment cards or gift cards to make purchases, and fraudulently take over accounts via credential-stuffing attacks, to name a few.

CISOs looking at bot defense, account abuse, and fraud protection want to be able to detect undesirable or unwanted actor behavior and make it uneconomic for an attacker to misuse e-commerce processes without impacting legitimate user activity.

**Analysis: Strength, Weakness, and Opportunity**

Human's platform addresses an array of media security challenges: digital advertising fraud, CTV fraud and misrepresentation, mobile app and malware, abuse and spoofing, paid marketing manipulation, lead generation fraud, loyalty program abuse, and coupon and promotion fraud. Both Human and PerimeterX also address enterprise security risks such as account takeover, fake account creation, carding, client-side supply chain attacks, digital skimming, PII harvesting, Web scraping, scalping, and denial of inventory.

Dark Reading's analysis suggests that a specialist like the combined company of Human will be able to expand its abilities to detect, identify, and actually disrupt sophisticated cybercriminals. The wider product portfolio means more signal and visibility across the Internet, giving the new company richer data assets. Human's platform gives insight into front-wave activity and identity through ad-tech signals, whereas PerimeterX gives insight into BLA attack patterns. Data collected by each product will complement the other product's capabilities.

With the merger, the companies will be able to invest even more in research and development efforts to develop new capabilities for the platform and new products. The combined company will be able to expand into adjacent product areas such as fraud analytics, identity verification, and authentication.

However, a wider product portfolio increases the chance that enterprises already have deployed some of the elements, potentially increasing the customer's resistance to buying into this portfolio.

It doesn't appear, according to Dark Reading's analysis, that customers will see much — if any — immediate disruption as a result of the merger. Both companies have similar customer acquisition and retention models. While Human's customers tend to be ad tech, performance marketing, and cybersecurity/application security teams in organizations, PerimeterX has worked mostly with security and e-commerce digital teams with e-commerce companies. Joining these silos means that customers will have a fully articulated solution addressing key business needs. Both organizations have Client Success Teams and dedicated sales leads that focus on retention.

"Our advanced technology, combined resources, mission-focused teams, and industry-leading strengths will enable us to create the most comprehensive Human Defense Platform that offers the most complete protection for enterprises and internet platforms across advertising, marketing, ecommerce, and cybersecurity," says Hassan.

When Human Security Meets PerimeterX

HARTLAND, Wis., July 27, 2022 /PRNewswire/ -- OneTouchPoint, Inc. ("OTP") is providing notice of an incident that may affect the privacy of certain individuals' personal information. OTP is a vendor who provides printing and mailing services to various health insurance carriers and medical providers. To perform these services, OTP was provided certain information by its customers. OTP is providing details of the incident, its response, and steps individuals may take to better protect their personal information, should they feel it appropriate to do so. This notice is made on behalf of the impacted covered entities listed at the website referenced below.

**What Happened?** On April 28, 2022, OTP discovered encrypted files on certain computer systems. OTP immediately launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the activity. The investigation determined that there was unauthorized access to certain OTP servers beginning on April 27, 2022. On June 1, 2022, OTP learned that it would be unable to determine what specific files the unauthorized actor viewed within the OTP network. OTP provided a summary of the investigation to its customers beginning on June 3, 2022. OTP later determined that the impacted systems contained certain information related to individuals provided by its customers. While OTP is unable to say definitively what personal information was accessed by the unauthorized actor, OTP worked with their customers to determine what personal information related to individuals was stored on the OTP network, to whom that information related and OTP offered to mail letters to potentially impacted individuals on behalf of these customers. OTP has seen no evidence of misuse of any information related to this incident.

While the specific data elements vary for each potentially affected individual, the scope of information potentially involved includes an individual's name and one or more of member identification number, information provided as part of a health assessment, address, date of birth, description of service, date of service and diagnosis codes. One covered entity had Social Security numbers of members impacted.

OTP takes the confidentiality, privacy, and security of personal information in its care seriously. Upon discovery, OTP immediately commenced an investigation to confirm the nature and scope of the incident. OTP reported this incident to law enforcement and appropriate regulatory authorities, and OTP is taking steps to implement additional safeguards and review policies and procedures relating to data privacy and security.

OTP encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and monitoring free credit reports for suspicious activity, and detect errors.

Individuals who want additional information about this event or to see a list of impacted customers can visit OTP's website at 1touchpoint.com.

SOURCE ONETOUCHPOINT

OneTouchPoint, Inc. Provides Notice of Data Privacy Event

Ahead of their Black Hat USA talk in August, Simon Pavitt and Stephen Dewsnip explain the value of helping people practice cyber defense via a "malicious floorwalker" exercise.

Once we acknowledge that one of the weak links in cybersecurity is us humans, the natural next step is shore up that vulnerability, usually through training. But does watching a video or clicking through a quiz help you know what to do when you're actually faced with a security threat in the flesh? Probably not. So logically, you have to practice with a physical threat to learn how to deal with them — even when it comes in the form of a fellow who smiles at you in a goofy t-shirt.

    

Don't let this man use your computer, even if he asks nicely. (Source: Atkins)

The United Kingdom's Ministry of Defence (MOD), like most organizations concerned with matters of war and national security, is well aware of the importance of a security-savvy workforce. Military-affiliated organizations also have a strong built-in hierarchy that emphasizes compliance and makes it difficult for workers to contradict authority, sometimes known as the fail-to-challenge vulnerability. MOD needed its workforce to be able to assert themselves when they see a potential problem. To that end, the ministry teamed up with outside experts to create a program that gives people opportunities to practice recognizing — and even more importantly, responding to — physical security risks in what the UK MOD Cyber Awareness, Behaviours & Culture team (CyAB&C) calls a "malicious floorwalker" exercise.

Essentially, someone walks into a workplace and wanders around, trying to get people to do risky things like letting them borrow a computer or scan a USB key.

"Grounded in robust psychological theory interwoven with social engineering practice, it is a way to manage human vulnerability rather than just uncover it," behavioral scientists Simon Pavitt and Stephen Dewsnip wrote in their Black Hat presentation. "By making it as obvious as possible that a challenge is required it leverages the social cues and psychological tensions felt by the individual, leaving them with no option but to raise a challenge."

**Exercise Makes You Stronger**

Back in 2020, Pavitt, a UK army veteran and civilian employee of MOD, solicited proposals for contractors to "help improve cyber awareness, behaviors, and culture" at the government agency. A consultancy called Atkins won the contract, which became the CyAB&C project.

The project's malicious floorwalker exercises involved a person wandering around an office site trying to provoke workers into challenging his conduct and presence. "Lots of people have done penetration type tests where they try not to get caught doing something risky – but we've not yet seen anything else where people are actively trying to get caught and in a lighthearted and humorous way," Dewsnip, the Atkins consultant co-presenting at Black Hat, tells Dark Reading.

Far from a tabletop exercise, the malicious floorwalker is an in-person effort that aims to get people more comfortable with the idea and practice of challenging other people's unsafe behaviors. Dewsnip adds, "We are using all the techniques of a social engineer, and the things that an SE would use to manipulate people, but we're doing it for good, not evil."

"What we do is not a test — it's an opportunity to practice a set of behaviors, in a safe space, that we're rarely given the opportunity to practice," Dewsnip says. He is careful to point out that nobody fails this exercise since the focus is on getting workers comfortable with new actions, and not to assess their current state of security knowledge. "We leave people with a positive sentiment towards challenging \[unsafe behaviors\]."

And the data bears that assertion out. According to post-exercise questionnaires, 91% of the people who engaged directly with the floorwalker said they would now directly challenge things they thought were a risk.

**'What Are You Lot Up to Now?'**

While training employees to improve their security practices at a defense office is serious business, this lighthearted exercise prompted some hilarious interactions. For example, after one exercise, Dewsnip says that when the floorwalk team went outside to have their lunch, "we were suddenly heckled from that second story with people shouting things like 'what are you lot up to now?' and 'we can still see you!'"

Some people, especially those who were already confident in their security practices, took things more seriously, he adds. "We have had cyber policy quoted at us to prevent us from getting our way, we have been marched to security offices, and have had others contacting the security team in secret via MS Teams, whilst keeping us occupied so that we couldn't leave."

Dewsnip points out that the funny reactions showed that the exercise was working. "People are engaging with the floorwalker," he says. "They understand that the floorwalker is there to be challenged and in a safe space, and in doing so, they're ... building that mental script required to challenge successfully and are beginning to become comfortable with it, overcoming some of the social anxieties or uncertainties that exist with challenging in the workplace."

**Learning Lessons All Around**

So almost everyone who engaged with the floorwalker felt more confident in challenging the next dodgy visitor. What other benefits has this project sown? Dewsnip says that managers of the sites they visited report that personnel there "have successfully challenged others on things they were doing that could have been risky – including people challenging upwards (i.e., challenging those more senior than them, which in a military setting is a big deal!)."

The project emphasized making the exercise fun, giving people a chance to practice free from fear and punishment. Hence the amiable floorwalker in the picture above, who has helpfully labeled himself "Cyber Threat." This reassuring attitude dovetails with the push in other sectors to create a culture in which people feel secure enough to admit when they've made an error.

"Far too often security and IT professionals assume employees know better or that they'll know how to act on or report suspicious behavior," Brian Wrozek, CISO at Optiv Security, told Dark Reading earlier this year. "Organizations can institutionalize a healthier security culture by conducting tabletop exercises to ensure employees receive hands-on practice in responding to different scenarios."

A security culture like that is especially important in life-or-death industries like medicine and aeronautics — and defense.

Overcoming the Fail-to-Challenge Vulnerability With a Friendly Face

Microsoft flagged the company's Subzero tool set as on offer to unscrupulous governments and shady business interests.

A cyber-weapons broker dubbed Knotweed has been outed, with Microsoft flagging it as being behind numerous spyware attacks on law firms, banks, and strategic consultancies in countries around the world.

To boot, Knotweed has made a habit of incorporating rafts of Windows and Adobe zero-day exploits into its spyware since at least 2021, according to Microsoft.

Knotweed falls into a murky category of so-called "private sector offensive actors" (PSOAs, aka commercial spyware vendors) that hawk their wares to unscrupulous governments and business interests. These ultrasophisticated (and expensive) tools are often used against dissidents, journalists, and other members of civil society, but they've been known to enable straightforward corporate espionage too.  

**In the Shadows**

The breed is best exemplified by the infamous NSO Group and Pegasus mobile spyware, but many others lurk in the shadows, Microsoft warned.

One such is Knotweed, which is an alias for an Austrian outfit called DSIRF. It's a company that, as Microsoft explained in a post on Wednesday, "ostensibly sells general security and information analysis services to commercial customers." But that's only part of the story, according to the computing giant.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure and internet-connected devices," according to the analysis.

The aforementioned Microsoft and Adobe bugs in the tool set (detailed in a technical breakdown) have been seen in recent cyberattacks against targets in Austria, Panama, and the United Kingdom. In addition to publishing software updates to plug the holes on a regular basis, Microsoft has also published a Subzero malware signature for defense.

More action is needed on a broader level, given that DSIRF will not be the last PSOA to come to light, as Microsoft researchers explained in a brief sent to Congress on Wednesday.

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," according to the brief (PDF). "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."

Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware

North Korean state-sponsored actors, who help economically prop up Kim Jong Un's dictatorship, continue to pummel US infrastructure.

The federal Rewards for Justice program has doubled, to $10 million, the available reward for useful information about North Korean state-sponsored actors' attacks on US healthcare systems and other critical infrastructure.

The State Department has a Tor-based tip line where anyone can submit information they have on North Korean-sponsored threat actors, including Lazarus Group, Kimsuky, BlueNoroff, and Andariel, all linked to the DPRK government apparatus.

Earlier this month, the FBI, US Cybersecurity and Infrastructure Agency (CISA), and the Treasury Department issued a warning that North Korean state-sponsored actors are attacking the US healthcare and public health sectors with a new ransomware tool called Maui.

Also in July, Microsoft warned that a North Korean APT threat it calls DEV-0530 has been using a custom ransomware dubbed H0lyGh0st to successfully compromise small businesses in multiple countries.

The hefty reward signals the success the DPRK has had using cybercrime to fund its activities as a way to work around stringent international sanctions, according to Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

"This money is being funneled directly into weapons programs, and cybercrime has become an essential cog in the ongoing survival of Kim Jong Un's dictatorship," Bocek said via email, in reaction to the reward hike announcement. "Worryingly, this blueprint is also being mimicked by other rogue states. So, cutting North Korean cybercrime off at the source is essential to the national security of the U.S. and its allies."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

US Offers $10M Double-Reward for North Korea Cyberattacker Info

Call it a "cyber tax": Those costs are usually passed on to consumers, not investors, as compromised businesses raise prices for goods and services.

Sixty percent of breaches have resulted in companies recouping the cost of fines, clean-up, and technological improvements by increasing prices, essentially making consumers pay for breaches and companies' lack of preparedness, according to an annual report published on July 27.

The "Cost of Data Breach Report 2022" report, based on a survey of executives and security professionals at 550 companies, says the average cost of a data breach continued to rise in 2022, reaching an average of $4.4 million globally (up 13% since 2020) and $9.4 million in the United States. On average, companies required 277 days to identify and contain data breaches, down from 287 days in 2021, and 83% of companies had suffered more than one breach.  

"It is clear that cyberattacks are evolving into market stressors that are triggering chain reactions, \[and\] we see that these breaches are contributing to those inflationary pressures," says John Hendley, head of strategy for IBM Security's X-Force research team. "We have to think about cyber events as factors that are capable of straining the economy, similar to COVID, the war in Ukraine, gas prices, all of that."

    

Business email compromise and phishing attacks led to the most costly breaches (in millions of US$). Source: IBM Cost of Data Breach Report 2022

The annual report, based on surveys conducted by the Ponemon Institute, is not the first attempt to gauge the impact of breaches on businesses' balance sheets. Last year, a survey by security-operations firm IronNet found that most companies were affected by the supply chain attack on network management firm SolarWinds, with the average firm seeing an 11% drop in revenue due to dealing with the incident. 

Overall, experts estimated that the incident would cost SolarWinds about $18 million but would cost the 18,000 affected businesses and government agencies as much as $100 billion in clean-up costs.

**A "Cyber Tax" on Consumers**

While cybersecurity experts have increasingly urged companies to count on having their systems compromised, they continue to have problems stopping attackers, and they are passing costs onto consumers, Hendley notes. This suggests that data breaches and cyberattacks are creating a cyber tax, he argues, increasing costs for downstream consumers and clients.

"When you think about the fact that 83% of businesses have been breached at least once in their lifetime, I think it becomes difficult to say that we need to apply punitive damages to help prevent breaches," Hendley says. "There is always going to be a way in, so I think the best investment that we can have is to try to shift the line from protecting the perimeter to thinking like the attacker."

In addition to the labeling of breaches and fines as a cyber tax, the report highlighted various trends among industries dealing with cyberattacks. Companies that could reduce the overall breach detection and response time to less than 200 days saved $1.1 million, or 23% of the cost of the average breach.

**Data Breach Costs Worst in Healthcare **

The cost of a single data breach varied significantly based on the type of industry affected. The heavily regulated healthcare sector continued to pay out the highest amount for compromises of data, reaching an average of $10 million per breach in 2022, compared with financial firms that paid an average of $6 million per breach, the second most expensive breach cost. Pharmaceutical companies and technology firms essentially tied for third place, paying about $5 million for each breach.

Ransomware continued to have a significant impact on business, despite signs that — so far this year — ransomware attacks have declined somewhat. The survey found that companies that pay ransoms spend less on clean-up costs, but high ransom totals negate most savings. In addition, 80% of companies that pay ransoms are attacked again, according to the "Ransomware: The True Cost to Business" report published by security firm CyberReason last year.

**Ransomware Not as Costly as Phishing Attacks**

Other research has highlighted the impact of ransomware on companies that have not adequately prepared for destructive attacks. Two-thirds of global firms hit with ransomware suffered a significant revenue loss, they said, as did 58% of those surveyed at US companies specifically. The attacks overall have led to 31% of global companies shuttering some part of their businesses.

"It is interesting to see the cost difference between ransomware victims who chose to pay and those who chose not to," Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, a digital-risk protection firm. "Those who pay are often targeted again within months of the original attack, which would increase financial losses significantly. These factors are important to consider when making the challenging business decision of whether or not to pay."

That said, the initial vector of the attack also had a significant impact on cost. Business email compromise (BEC) and phishing attacks led to the highest average breach costs — about $4.9 million per incident — with third-party vulnerabilities and compromised credentials accounting for damages of approximately $4.5 million per incident.

The IBM-Ponemon report also highlighted technologies that could have the largest impact on data breach costs. Companies that use artificial intelligence and machine learning (AI/ML) technologies, DevSecOps processes, and formed an incident-response team saved about $300,000, $276,000, and $253,000 per incident, respectively. 

In contrast, companies that suffered from security system complexity, were migrating the business to the cloud, and had compliance failures saw the largest increases in cost per incident.

The report is based on more than 3,600 interviews with individuals from 550 companies of various sizes, focusing on breaches that involved anywhere from 2,200 to 102,000 records. Breaches outside that range were not included.

Average Data Breach Costs Soar to $4.4M in 2022

Did you know that the standard router relied upon in homes and by thousands of small businesses is the most frequently attacked IoT device? James Willison, Project and Engagement Manager, IoT Security Foundation, explores the issue and reveals an ongoing initiative from the foundation that is designed to better secure the devices.

_This article is by James Willison, Project & Engagement Manager, IoT Security Foundation_  

Few of us realize that our Internet connection relies on the strength of our router's security. So much of what we depend on in our modern day lives comes into our homes and businesses via that box sitting near the front door. We pay attention to our front door and try and ensure it is locked and bolted. but what about that box supplied by the broadband provider?

Well, I am sorry to warn you that it is the most targeted IoT device – if an attacker can control it, then it's really game over for the rest of your home and small business. Software company Symantec has advised that 75% of all IoT attacks are on infected routers, with 15% against webcams, so that’s a concern to some of us too! Of course, everything comes through the trusty box at the front door.

So, while your house might be built on solid ground and the physical foundations are firm, it is unlikely that the Internet connection is as strong as you think. There are people who are entering your home and you have opened it to them. In the words of the song, "Who are you? I really want to know!"

Our problem is that we don't ask this question on a regular basis regarding our networks because we assume our broadband provider is looking after that for us. While they will of course be doing security at various levels, there is much on our networks which is simply not secure and should be of concern to us.

I have been aware of IoT security issues in the home, small business and the enterprise for some time, as I have worked closely with my good friend and colleague Sarb Sembhi for many years. It was when I met Dr. Nick Allott in November 2018 that I became more aware of the severity of the problem, as he explained that most of the home routers we use today are not secure and that the devices they manage have little or no security either. This is not to mention other complications like wireless extenders, smart speakers, and applications on your network to add to the mix.

**Join the Project to Help Protect Home Networks**

The great news is that for over two years, Nick's company, Nquiringminds, has led an Innovate UK consortium of partners including the University of Oxford Cyber Security Centre, Cisco, the IoT Security Foundation and recently BT to develop a range of solutions to improve the situation. The project is called "manysecured" and its objectives are to detect and protect against IoT vulnerabilities on the router and the network. It is a truly international collaboration based on open source software and has gained the interest of NIST and US government's CISA. I was privileged to join the project in March this year, and we are seeking to involve other professional stakeholders such as IoT manufacturers and security professionals.

I am confident that given the collaborative nature of the various solutions which comprise the manysecured project that the prototype will be launched at the IoT Security Foundation’s conference on Oct. 5.

In essence, there are five functions within the project's special interest group.

*   The first has produced a set of requirements for ISPs to ensure best practices for the router itself.
*   The second has proposed a secure user Internet browser which will help when you log on and configure your router
*   The third seeks to identify devices on your network. This includes describing what they are. We are looking for IoT manufacturers to help us with this. Many of our readers have been actively seeking to develop the cybersecurity of physical security devices and systems and so we appeal to you to join us to ensure we get this right.
*   The fourth solution monitors the security events and raises alerts for the hub
*   The fifth controls the threats

Most importantly, all these processes are interoperable such that the home network is protected. It seeks to address the principles of secure boot, storage, and secure processing. The place of AI is important because of the volume of data and the difficulty in knowing who and what is on your network. Hence concepts like "zero trust," which Nick has helpfully defined as "multifactor continuous verification," are foundational. Similarly, "cognitive security," which he summarizes as "AI based on human thought patterns to protect physical and digital devices and systems" is a cornerstone of the project.

As security convergence is a response to IoT risk, an area for all of us to improve is the security of the physical devices and systems in the supply chain and the business. If we can get the router, the front end of so many of our homes and small businesses and therefore 90% of the environment, into a better state than it is right now, then we will be on our way to rebuilding that wall which, at the moment, has a massive hole in it.

As J.R.R Tolkein wrote in _The Lord of the Rings_ : "A gaping hole was blasted in the wall. A host of dark shapes poured in." The response required an alliance of several large armies for victory to be achieved. The same is needed today if we are to secure our internet gateways and devices.

**Please get in touch with me and the IoT Security Foundation to join our cause and make a difference. You can reach me at the IoT Security Foundation or via my LinkedIn profile.**

**__This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.__  
**

Is Your Home or Small Business Built on Secure Foundations? Think Again…

New careers in IT open up for former footballers.

Friday 22nd July saw the very first students graduate from the PSM Cyber Stars Programme at an event held at the AXA Training Centre, the training facility for one the world’s most iconic football clubs, Liverpool FC.

For those young players who do not go on to have a career in the professional game, career paths can be difficult. Recognising the issue, Phoenix Sport and Media Group (PSMG) have opened the ‘state of the art’ PSM Digital Academy which is designed to help current and retired players into a career in cyber security. This week saw the first seven students graduate with many of them already lined up with their first roles in the sector.

Founded by a group of Premier League players who are determined to make a positive difference, PSM Digital Academy and the Cyber Star Programme will be providing technical skills training as well as help in transitioning from sport. Located at Silverstone race circuit, the courses will be delivered in a modern training facility on site, or virtually, dependent on the preference of the learner. The courses will be in offensive, defensive and threat intelligence and will help plug a significant skills gap in this specific area of the cyber industry.

This is a new partnership between PSMG, CompTIA, BIT Training and Hack The Box and it’s tasked with delivering the programme under the name Cyber Stars.

The first cohort launched in late April 2022 and was oversubscribed which is an indication of the level of demand for this type of learning. Looking forward, the Academy will be inviting applications from other sports and focus groups including cricket, rugby, and athletics. As part of its commitment to diversity and inclusion, they are also hoping to offer focused cohorts for female players and for Paralympians.

The course has been designed to go beyond traditional training and has been tailored to help sports stars excel. PSM Cyber Stars Programme has also entered into partnerships with cyber employers who are looking to interview successful graduates for roles in this fast-growing sector.

Commenting on the new projects, Carly Barnes CEO of PSMG said: “We’re incredibly proud to have successfully launched this course and even more proud to see the very first students graduate at such a well renowned venue. These new graduates are about to start on brand new career paths in the IT industry and we look forward to seeing how they progress as the months and years move on.”

One former Liverpool FC Academy player that graduated from the course this week is Josh Sumner, who said: “It was devastating to leave Liverpool FC at the age of 19 after being there for seven years because football was all I knew. I’m now 28 years old and I can safely say that the PSM Cyber Stars Programme has set me on a new and exciting career path in IT. It was always something that I was interested in but this have given me the opportunity to take the first real life step in to the sector.”

Commenting on the initiative, Caitlin Hawkins, Academy Education Manager, Liverpool Football Club said: “This is an amazing initiative, and we are fully behind it at LFC. The workshop delivered by PSM, BIT Training, Hack The Box and CompTIA is impressive and we’ve had real interest in this course from our alumni. We’re delighted to see that the graduates from this week include former LFC player Josh Sumner and we look forward to giving our continued support to the course and these former players as they embark on new career paths.”

**Background information:**

**_CompTIA_**

The Computing Technology Industry Association (CompTIA) is a leading voice and advocate for the $5 trillion global information technology ecosystem; and the estimated 75 million industry and tech professionals who design, implement, manage, and safeguard the technology that powers the world’s economy. Through education, training, certifications, advocacy, philanthropy, and market research, CompTIA is the hub for unlocking the potential of the tech industry and its workforce. Visit https://www.comptia.org/

“The number of open job roles in the cyber security sector in the UK is increasing, yet the number of skilled people to fill them still lags behind. Globally, we are facing a huge skills gap and a shortage of millions of skilled professionals in the coming years. Our mission at CompTIA is to close the IT skills gap and improve the talent pipeline for IT employers.

The PSMG Cyber Stars programme does just that. The programme is different and engaging and helps us attract a new demographic of talent to become a part of this booming industry. The students are able to bring something new with the transferrable skills they have picked up in their years of professional training in sport. Skills such as Leadership, Team work, Problem Solving and Commitment are all skills that can be used in Tech.

We are demystifying the idea of needing to be a 'rocket scientist' or 'mathematician' to get into to work in Tech and Cyber roles. We are thrilled to support the academy alumni as they reskill, certify and transition into their new careers in cyber security and help us achieve our mission of supporting a skilled workforce into industry.

**Luke Barton, Senior Manager, CompTIA**

**_Hack The Box_**

Hack The Box is an online cybersecurity training and upskilling platform that allows individuals, businesses, universities, and all kinds of organizations all around the world to level up their offensive and defensive security skills through the most gamified and engaging learning environment. Join a massive hacking playground and infosec community of 1.5 million platform members who learn, hack, level up, and exchange ideas and methodologies.

“At Hack The Box we are committed to creating a safer cyber world by making cybersecurity training accessible to everyone. Everyone can join and start learning and practicing cybersecurity, from theory to action. With that in mind, Hack The Box supported the PSM Cyber Stars Programme, providing cyber security training to a selected group of athletes - willing to explore a new line of work - and as such offer a pathway for these individuals to a new career opportunity.”

**Harris Pylarinos, Hack The Box, Founder & CEO**

**_BIT Training_**

Since 2004, BIT Training has provided award-winning commercial IT and Cyber Security training to support organisations and IT professionals across the world. Their dedicated team of in-house expert instructors, online platforms and learning partners provide cost-effective, flexible training solutions. They provide customers with the opportunity to learn ‘whenever’ and ‘wherever’ they need to achieve their learning goals.

“The PSM Cyber Stars Programme is unique and we’re proud to be involved. We’ve broken down the learning pathway so that academic and social backgrounds are unimportant; it’s all about talent and aptitude. We’re very excited to partner with PSMG, CompTIA and Hack The Box to grow the partnership as market demand for our courses grows.”

Source

DARKReading