Also, it re-certifies its data services by TÜV AUSTRIA.

**Woburn, MA – April 14, 2022 -** Kaspersky has expanded the scope of its cyberthreat-related data relocation, which now covers users in Latin America and the Middle East. The company’s commitment to following the best data security practices has been reaffirmed by TÜV AUSTRIA’s re-certification of Kaspersky’s data services with an expanded scope. In addition, the company publicly shared information on the requests for data and technical expertise received from government and law enforcement agencies as well as from users in H2 2021.

These measures reflect the company’s continuous commitment to move toward greater transparency undertaken as part of the Global Transparency Initiative (GTI). By launching GTI in 2017, Kaspersky set a benchmark for digital trust and became the first cybersecurity vendor to make its source code available for review. Committed to being a trusted partner for its users, to date, Kaspersky remains one of few international IT vendors that seek to turn transparency into an industry standard and take steps toward greater accountability.

Since March 2022, Kaspersky has been processing and storing malicious and suspicious files received from users in Latin America and the Middle East, which used to be processed by facilities in Russia, in data-centers in Zurich, Switzerland. Prior to that, the relocation of such data storage had been completed for Europe, North America and a number of Asia-Pacific countries. Swiss data centers provide world-class facilities in compliance with leading industry standards so the company’s users can be confident in the security of their data.

Moreover, Kaspersky has renewed its ISO 27001\* certification issued by independent certification body TÜV AUSTRIA, an internationally recognized applicable security standard. In addition to the audit passed in 2020, this time the scope of the certification was even extended and now covers not only the Kaspersky Security Network (KSN) system for the safe storage and access to malicious and suspicious files (called KLDFS), but also KSN systems for processing statistics (called KSNBuffer database).

Conformity with ISO/IEC 27001:2013 – internationally recognized as the best practice industry and applicable security standard – lies at the core of Kaspersky’s approach to implementing and managing information security. The certification – granted by the third-party accredited certification body, TÜV AUSTRIA – demonstrates the company’s commitment to strong information security and its Data Service’s compliance with industry leading practices.

The document can be found in the TÜV AUSTRIA Certificate Directory and is also publicly available on the Kaspersky website here.

Andrey Efremov, Kaspersky’s Chief Business Development Officer, said_: “We have relocated the cyberthreat-related data processing and storage from a number of additional countries and territories to facilities in Switzerland – a country renowned for its strict data protection legislation. These steps form just part of our Global Transparency Initiative, which also includes independent assessments of our company’s data service and engineering practice integrity, and the provision of our products’ source code for open review. Together, these measures further underline our commitment to ensuring that the way we treat our user data is as open and transparent as possible, and that we continue to provide our customers and partners with the most reliable and trustworthy solutions and services.”_

**The new edition of the Transparency report**

Kaspersky has developed an enduring practice of disclosing information on the company’s approach to dealing with data requests and releases its regular “Law Enforcement and Government Requests” report, uncovering data in two categories: user data and technical expertise\*\*. The latest report looks at this data during the second half of 2021.

In particular, during the second half of 2021, Kaspersky received 109 requests from governments and law enforcement agencies (LEAs) from 12 countries. At least 36% of those were rejected due to an absence of data or to not meeting legal verification requirements. In total, 92 of the requests received during the second half of the last year were for technical expertise.

In total, throughout 2021, Kaspersky received 214 requests, (compared to 160 requests in 2020), from governments and LEAs from 17 countries. A total of 181 of those were for technical expertise (compared to 132 in 2020). Further information on the steps for processing such requests can be found here.

At the same time, the number of user requests for details on what and where user data is stored and its provision or removal increased, reaching 2,252 in total.

To promote accountability and transparency of cybersecurity industry standards, Kaspersky seeks to share its expertise with a broader community. Thus, as part of its Global Transparency Initiative, Kaspersky further expanded its Cyber Capacity Building Program (CCBP), which aims to help organizations worldwide develop practical tools and knowledge for security assessments by launching a relevant online course — “Digital Cyber Capacity Building Program.” The online training, which is now available for an even greater audience, will ensure that more organizations and individuals will have a chance to boost their cyber-resilience by learning how to properly carry out product security assessments and evaluations.

To learn more about the Kaspersky Global Transparency Initiative, please visit the website here.

\* ISO/IEC 27001 is the most widely used information security standard, prepared and published by the International Organization for Standardization (ISO), the world’s largest developer of voluntary international standards.

\*\*User data includes information provided by users to Kaspersky when they use the company’s products and services. It depends on the services, products and features users use and is protected as described in the Kaspersky Privacy Policy.

Requests for technical expertise include non-personal technical information produced and provided by Kaspersky security researchers and machine learning algorithms. This may include the MD5 hashes of malware, indicators of compromise (IoCs), information about the modus operandi of cyberattacks, output of malware reverse engineering, statistical information and other results of investigations and research.

Kaspersky Relocates Cyberthreat-Related Data Processing for Users in Latin America and Middle East to Switzerland

The recent discovery of highly customized malware targeting programmable logic controllers has renewed concerns about the vulnerability of critical infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the NSA, FBI, and others, this week urged critical infrastructure organizations — especially in the energy sector — to implement defenses against a set of highly sophisticated cyberattack tools designed to target and disrupt industrial environments.

The warning applies particularly to ICS and OT networks using programmable logic controllers (PLCs) from Schneider Electric and Omron and servers based on Open Platform Communications Unified Architecture (OPC UA). The advisory was prompted by the recent discovery of three malware tools custom-built to target these technologies and manipulate them in dangerous and potentially destructive ways. However, the malware can be adapted to attack other ICS technologies as well.

CISA's advisory contained a series of mitigation measures that it recommended organizations implement proactively to reduce exposure to the new threat.

Mandiant analyzed the new attack tools recently in partnership with Schneider and is collectively tracking them under the name INCONTROLLER. In a report this week, the security vendor described the malware as having an "exceptionally rare and dangerous" capability and posing a critical risk to organizations that use the targeted equipment. Mandiant compared INCONTROLLER to previous ICS-specific threats such as Stuxnet, which was used to destroy hundreds of centrifuges at an Iranian nuclear-enrichment facility in 2010, and Industroyer, which caused a power outage in Ukraine in 2016.

**Work of a Russian State-Sponsored Group?**  
"We believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations," says Rob Caldwell, director of industrial control systems and operational technology at Mandiant. He says Mandiant has been unable to associate the malware with any previously tracked group but believes those behind it are most likely Russia-linked. "While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia's history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America."

Mandiant identified one of the attack tools as "Tagrun," a tool for scanning OPC environments, enumerating OPC servers, harvesting data from them, and brute-forcing credentials. The security vendor identified the tool as likely used for conducting reconnaissance on industrial networks. Mandiant has dubbed the second tool as "Codecall," which it described as a framework that uses two common industrial protocols — Modbus and Codesys — to communicate and interact with at least three Schneider PLCs. The malware can identify Schneider and other Modbus-enabled devices on a network and connect to them using the two protocols. The third tool, "Omshell," targets Omron PLCs via HTTP, Telnet, and a proprietary Omron protocol. It is designed to interact with a mechanism on Omron devices for monitoring the safe running of so-called servo motors used in industrial applications. The malware can gain shell access to Omron PLCs and take a variety of malicious actions, including wiping device memory, resetting a device, loading backup data, and executing arbitrary code on it.

Collectively the malware tools have capabilities that allow attackers to surveil and collect data from target industrial environments that they can then use to identify high-value systems and to launch potentially catastrophic attacks against them in industrial settings. Potential attack scenarios include threat actors using Omshell and/or Codecall to crash targeted PLCs and disrupt operations; sending malicious commands to PLCs to sabotage industrial processes; or disabling safety controllers to cause physical destruction in a plant or industrial setting.

"The components of INCONTROLLER contain more sophisticated methods of interacting with and attacking or modifying the targeted devices than seen in previous ICS-specific malware," Caldwell says. These components are designed to make interaction with PLC devices easy for attackers with little detailed knowledge of the targeted ICS protocols. "Further, these components are modular and could be extended to target additional devices or add additional capabilities," he says.

Mandiant said it is also tracking two other tools targeted at Windows-based systems that appear to be related to INCONTROLLER activity. One of them exploits a known vulnerability, CVE-2020-15368, to install and exploit a vulnerable driver on target systems, and the other is a backdoor that enables reconnaissance activity. The tools could be used to support a threat actor's broader goals in an industrial cyberattack, Mandiant said.

**A Clear and Present Danger to Industrial Environments**  
ICS security vendor Dragos listed a total of 16 devices and software tools from Omron and Schneider that it said the malware was designed to interact with and exploit. The technologies are used in a wide range of industry verticals. But Dragos said its analysis of the malware suggests it is targeted mostly at equipment in liquefied natural gas (LNG) and electric power environments.

Dragos is collectively tracking the attack tools as "PIPEDREAM" and the threat actors behind it as "CHERNOVITE." A whitepaper that the company released this week on the threat identified the threat actor as having the ability — among other things — to manipulate the torque and speed of Omron servo motors in a way that could cause enough physical destruction to result in loss of life. Dragos' whitepaper listed several other malicious actions that threat actors could use the malware for, including triggering denial of control and denial for view for ICS operators; disrupting operating technology by masquerading as a trusted process; disabling process controllers to extend time-to-recovery from an incident; and undermining authentication and encryption mechanisms in OT environments.

"PIPEDREAM is a clear and present threat to the availability, control, and safety of industrial control systems and processes endangering operations and lives," Dragos said.

News of the malware tools comes just days after reports of Ukraine's computer emergency response team (CERT-UA) thwarting an effort by Russia's Sandworm group to disrupt the country's power grid using Industroyer, one of the first known malware tools targeted specifically at the electric grid. So far, researchers have discovered at least seven highly sophisticated ICS-specific attack tools, which include Stuxnet, Industroyer, Triton, and BlackEnergy.

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, says the combined tools in this case were built to search for specific devices, to understand their operational parameters, to gain credentialed access, and to remotely control various legitimate functions of the devices for their intended objectives. "These are customizable based on the devices targeted but can be modified to target additional devices that leverage the same protocols," she says.

Jablanski says that options for thwarting attacks become scarce when threat actors have the credentials and know how to use devices based on their design, protocols, and features.

It's presently unclear in what host environment the newly discovered tools were found. But typically, some stop-gap measures for mitigating exposure to the threat would include disabling unnecessary functionality, introducing access controls to limit legitimate users who communicate with the device, and taking password management seriously. "Device hardening to limit the susceptibility and severity of cyber incidents is a staple of defense in depth strategies across ICS/OT environments," she says.

Eric Byres, CEO of aDolus Technology, says the new tools highlight a recent trend away from previous attacks where threat actors gained access to an OT environment by leapfrogging to it from the IT network. Those kinds of attacks have become less common with many organizations tightening OT security. So, sophisticated attackers are finding other ways to establish access to their victims' OT networks, he says pointing to Stuxnet as an example.

"Stuxnet did it through a combination of infected USB flash drives, printer sharing, and modified PLC logic files," he says. Similarly, Dragonfly, which was Russian in origin, attacked the manufacturers of OT control equipment and replaced the software they supplied to their industrial customers with trojanized versions.

"These supply chain-driven attacks are now becoming the preferred method for nation-state attackers, especially the Russian spy agencies," Byres says. "By going after OT suppliers rather than the OT systems directly, they get tremendous multiplication effects."

New Malware Tools Pose 'Clear and Present Threat' to ICS Environments

Researchers should take extra care in deploying data-science applications to the cloud, as cybercriminals are already targeting popular data-science tools such as Jupyter Notebook.

Always looking for an easy compromise, attackers are now scanning for data-science applications — such as Jupyter Notebook and JupyterLab — along with cloud servers and containers for misconfigurations, cloud-protection firm Aqua Security stated in an advisory published on April 13.

The two popular data science applications — used frequently with Python and R for data analysis — are generally secure by default, but a small fraction of instances are misconfigured, allowing attackers to access the servers with no password, according to the Aqua Security's researchers. In addition, after setting up its own server as a honeypot, the company detected in-the-wild attacks that attempted to install cryptomining tools and ransomware onto accessible instances of the software.

Signs that there are attackers targeting data-science environments is worrisome, considering that the researchers setting up those environment are largely uninformed about cybersecurity, says Assaf Morag, lead data analyst with Aqua Security.

"We know, based on our experience with application security, that developers are starting to learn more about security, but what about data scientists?" he says. "Are they gaining a proper education? My training is as a data scientist, and there were no focus on data security."

**Looking for Misconfigurations**  
In the past, threat actors have frequently scanned the Internet for servers running insecurely configured application. Last year, for example, a misconfigured Git server using default login credentials allowed attackers to steal source code for Nissan's mobile apps, market-research tools, and vehicle-connected services. Over the past five years, a significant number of data breaches have been caused by misconfigured storage servers — such as Amazon's Simple Storage Service (S3) buckets — that were found by attackers.

Research conducted in 2020 found that misconfigured cloud services, containers, and servers are attacked within hours of appearing online. The research, which used an insecurely configured Elasticsearch instance, was targeted by 175 scans over 11 days, increasing to 435 requests over the subsequent 2 weeks, including searches for particular terms such as "password" and "wallet."

The attacks on data-science tools used similar tactics, as seen through the lens of its honeypots, Aqua Security stated in its advisory.

"Most of the attacks got initial access via misconfigured environments," the company stated. "After gaining access, adversaries attempted to achieve persistence by creating a new user in the notebook or adding Secure Shell (SSH) keys. Then, most of the attacks executed a cryptominer, trying to get a quick gain."

The problem is that a small minority of the instances are configured to allow anyone to access the notebook server. During the research, for example, the Aqua Security researchers saw a novel attempt at using access gained through Jupyter Notebook to run a Python-based crypto-ransomware program.

"Normally, access to the online application should be restricted, either with a token or password or by limiting ingress traffic," Aqua Security wrote in the ransomware advisory. "However, sometimes these notebooks are left exposed to the internet with no authentication means, allowing anyone to easily access the notebook via a web browser."

**Lock Down Data Tools**  
Overall, data scientists and the Jupyter Project appear to be doing a credible job in securing the software. In total, less than 1% of the approximately 10,000 of instances of Jupyter Notebook are configured for open access, according to scans using the Shodan search engine. The fact that attackers are targeting the servers, however, should prompt defenders to focus on ensuring that the data-science tools are locked down, says Aqua Security's Morag.

"There will always be a zero-day or another misconfiguration that users did not know about, like Log4shell or Spring4 shell," he says. "While those do not apply to Jupyter Notebook, they show that you need to have another layer of protection. If you rely on the network to protect you, it is not enough these days, I think."

The Aqua research is not the first to expose vulnerabilities and misconfigurations of data-science tools. In 2021, researchers from cloud-security firm Wiz.io found that Microsoft created an insecure implementation for linking Jupyter Notebook instances to Azure Cosmos DB databases, allowing attackers to create a connection between an instance of Jupyter Notebook and the database service, which then allowed the attacker to access all other databases using the same service.

Attackers' strategy of targeting a new community of technical users is not new. Threat actors have already started targeting machine-learning researchers and the data behind artificial-intelligence and machine-learning systems, according to experts.

Data Scientists, Watch Out: Attackers Have Your Number

A power failure at a major London data center shows that a truly resilient network is flexible, not just redundant.

Volatile global dynamics like the Russia-Ukraine war, climate change driving an unprecedented surge in natural hazards, sharp peaks and rapid declines of a pandemic, out-of-control organized cybercrime syndicates … 2022 seems like a practical demonstration of Murphy's Law for enterprise networks. In the face of looming uncertainty and nation-state attacks that may result in collateral damage to facilities, remember: No matter how advanced your network infrastructure is, its resilience determines its true worth.

The strength of any network can be measured by its points of presence (PoPs), where two or more networks or communication devices share a connection. (Editor's note: The author's company is one of many cloud network providers that maintain PoPs around the world.) PoPs connect people to different networks, as well as to the greater Internet. They usually contain multiple servers and routers, and Internet service providers typically have multiple PoPs distributed over a geographic area. These physical locations allow people to be interconnected to others around the world. Having PoPs near your offices and remote and mobile users, wherever they may be, is critical for receiving services.

But just counting PoPs doesn't tell you whether the network is robust. What happens if a PoP fails? And PoPs do fail, even with good design and data center selection. Case in point is the recent Interxion outage.

**Interxion's Unexpected Power Outage**  
Earlier this year, Interxion, a leading provider of data center services across EMEA, faced an hours-long power outage at its central London campus. Being at the center of the European trading landscape and with billions in trade at stake, the facility had to have built-in redundancy and backup plans in place.

Unfortunately, even the equipment designed to switch power to an on-site backup generator failed, alongside the multiple power feeds going into the building.

My company's own PoP in the Interxion data center was unavailable for several hours. Thankfully, our customers were automatically redirected to another nearby Cato PoP for operational continuity. But the incident caused service outages for numerous customers whose networks depended solely on this data center.

**Alternate Scenario: How It Should Have Been**  
The hours-long outage could have been averted if customers had access to a global private backbone of PoPs and intelligent traffic-routing. The traffic would have been automatically redirected to another nearby PoP, and customers would have barely noticed the few seconds of outage. This alternate scenario pretty much sums up how a consolidated, cloud-native secure access service edge (SASE) service ensures resiliency and business continuity even in a situation as unlikely as the case in point.

**Achieving Multidimensional Network Resiliency**  
In a situation like Interxion's, the strategic distribution of PoPs matters more than sheer numbers. Beyond placement, the PoPs also need surplus capacity to handle the emergency traffic. Taking into account all such aspects, modern enterprise networks need to achieve multidimensional resiliency.

Such incidents have taught us what multidimensional resiliency really looks like:

**• Availability:** A globally distributed backbone of PoPs is essential for connectivity and service delivery. However, it's the density of PoPs in a region that matters in a failover plan, not the number of countries covered. If a PoP fails, you'll need another PoP nearby to reroute the traffic through.

**• Security:** This must always remain a priority, even during a crisis. That's why the full security stack must be built into the underlying network infrastructure. When all PoPs have built-in encryption and security, all endpoints — on-site, remote, and mobile users and devices — stay within the security perimeter even when redirected through backup PoPs.

**• Fault tolerance:** Modern enterprise networks need self-healing capabilities to handle disruptions, using different techniques like switching over to another PoP. Every second of downtime counts, and only intelligent, automated traffic routing can ensure rapid detection and quick transition.

**• Adaptability:** It's impossible to anticipate and prepare for all possible disruptions. Enterprise networks need to have the flexibility and agility to adapt to unexpected stressors. For instance, some of our customers couldn't benefit from our quick transition from the London PoP because they used firewalls to route traffic whose main and failover links both went only to the London site. When the London PoP failed, we had to quickly adapt and configure a new link going to a PoP in Manchester.

**• Dependability:** IT and service providers need to have full insight into the network to see how a failure impacts traffic across the network. In this situation, it would have been impossible to see exactly which customers had their failover link routed to the London PoP without complete visibility into all customer traffic. There's no way to ensure network dependability without having a complete view of the network at all times.

**Final Thoughts**  
The true strength of a network lies in its resilience in the face of unanticipated, rare-case scenarios. Redundancy itself is simply not enough, since it can fail — as it did during the Interxion outage. Multidimensional resilience ensures the network stays operational even if multiple backup plans fail.

Although a global, cloud-based SASE architecture with a unified management console checks all the resiliency boxes, you need ongoing investments to determine how things can go wrong and build the capabilities to continue operations and services during crisis situations.

Inside a Data Center Outage: Lessons About Resilience

Organizations can defend themselves from future unknows attacks by implementing targeted security hardening measures, turning on built-in security protections, and leveraging existing technology stack to achieve microsegmentation and credential hygiene.

Black swan events are considered incidents with high impact and low frequency that are impossible to predict. Whether you consider them black swan cyber events or not, the SolarWinds attack and the Log4Shell exploit stressed some of the key ways in which organizations can prepare themselves and prevent crises.  

Here are three common misconceptions around prevention of such events. 

**Misconception No. 1: There's nothing we can do about zero days and supply-chain attacks.**

One of the common misconceptions is that it's almost impossible to protect environments from critical zero-day vulnerabilities or supply-chain attacks, as they are highly stealthy and cannot be predicted. At best, this misconception will shift efforts toward enhancing the detection and response capabilities. At worst, it will promote a sense of helplessness when dealing with such events.

Contrary to common perception, these events are not the "unknown unknowns." Organizations can deploy and adjust their defenses strategically, often using their existing teams and security stack, and protect themselves from such attacks.

A simple yet powerful example is preventing egress Internet traffic from servers. Even though it may sound like a basic security practice, real-world experience demonstrates that it's not implemented by even relatively mature organizations.

Blocking servers from reaching out to the Internet will prevent attacks (or dramatically slow down attackers), where the exploit depends on the server to initiate connection to the attacker's command and control infrastructure, whether through reverse shells, malicious code in a third-party software such as SolarWinds, or a vulnerability such as Log4Shell. This leads us to the realization that even a basic security control can stop both the SolarWinds supply chain attack, one of the most sophisticated attacks in recent years, as well as mitigate the Log4Shell vulnerability, one of the most potent and ubiquitous vulnerabilities discovered recently.

Investigating and learning common tactics, techniques, and procedures (TTPs) and modus operandi of the latest breaches and exploits can provide organizations with valuable insights on how to improve and prioritize defenses in a way that will mitigate the use of future exploits.

**Misconception No. 2: Once attackers infiltrate an environment, they will fully compromise it.  
**Another misconception is that these novel exploits will inevitably allow attackers to do more than just infiltrate the perimeter.

Targeted security enhancement initiatives can be implemented to make the environment much more resilient to lateral movement and privilege escalation techniques, keeping attackers at bay, not able to leverage their initial footholds to gain access to core assets. This approach will also provide defenders with more time to detect and eliminate attacks in their early stages.

*   **Lateral** **m****ovement:** Microsegmentation is a daunting task. Many organizations procrastinate on implementing such projects as they require mapping all internal traffic, creating granular allow-lists of ports and hosts, buying expensive solutions, and investing crucial resources in deploying and then maintaining such environments. However, many of the advantages of microsegmentation can be achieved without going the full distance.
    
    Restricting ingress traffic on interactive (e.g., RDP, SSH) and noninteractive (e.g., SMB, WinRM, RPC) management protocols, by using host-based firewall policies on both servers and workstations, and then limiting management traffic to specific dedicated segments or jump boxes, can help achieve the core value provided by microsegmentation.
    
    While sometimes traffic on noninteractive management protocols toward servers is required for operational or applicative purposes, in many cases it's not required between different workstations or between servers in the DMZ. Adopting a focused deny-list approach at first will yield an immediate risk reduction, to a point where it will gradually become very challenging to move laterally within the network.
    

*   **Privilege** **e****scalation****:** One of the major challenges in reducing the risk of materializing attacks in the network is credential hygiene and prevention of privilege escalation. Nevertheless, similar to the approach taken above, focusing on high-value measures derived from real-world use of known and common TTPs can provide significant value for defenders.
    
    To achieve this, constantly search for exposed clear-text credentials, set long and complex passwords for service accounts, avoid using domain admin accounts for daily activities, and use built-in Microsoft security features such as Protected Users, LAPS, LSA Protection, and Credential Guard.
    
    Credential hygiene issues are a major contributing factor in almost every single attack that Sygnia responded to in the last couple of years. Securing privileged identities should be top priority in any security road map for 2022.
    

**Misconception No. 3: Patching is the only solution we have for novel vulnerabilities.  
**Often when a new vulnerability is published, the main (and sometimes the only) recommendation suggested by numerous advisories is patching, as if patching is the only action organizations can initiate to contain the risk. Patching is crucial, but it can take time for large enterprises to fully understand their exposure and apply patches in production environments. Occasionally, a few days after patching, new vulnerabilities are discovered by the security industry because of the attention the system or the application is drawing. Patching will not always mitigate all gaps.

Understanding the way in which the exploit is executed — and the dependencies on which the exploit is relying to execute — is imperative in responding to such events. What may be considered as only a workaround to mitigate the vulnerability can sometimes prove to be a lifesaver for organizations.

**Leverage and Optimize Your Security Stack  
**Contrary to common belief, organizations _can_ prevent or reduce the impact of novel exploits such as Log4Shell or highly sophisticated attacks like SolarWinds.

This can be achieved by organizations leveraging _and_ optimizing their current security stack, implementing surgical hardening measures, and using built-in security features that can be turned on easily without requiring additional spend.

The Misconceptions of 2021's Black Swan Cyber Events

Enterprises are more dependent than ever on open source software and need to manage the risk posed by vulnerabilities in components and third-party vendors.

FORRESTER SECURITY & RISK CONFERENCE — Companies need to take steps to minimize the risk posed by third-party software in the supply chain, which has grown significantly over the past few years, analysts advised at the Forrester Security & Risk 2021 Conference this week.

The concerns come as external attacks increasingly come through vulnerabilities in third-party software, such as open source projects or a breach of a third-party provider. More than a third of external attacks (35%) are carried out through exploiting a vulnerability, while another third (33%) come from a breach of a third-party service or software maker, according to a Forrester survey of 530 security decision-makers.

The growth of third-party risk threatens to undermine the security of enterprise applications if companies don't take steps to tame the problem, Alla Valente, senior analyst at Forrester, said during a roundtable at the conference.

"We have a lot of third-party risk and it's just escalating, and part of the reason is there are more third parties than we've ever had," she said. "If you didn't create \[a particular application\] and you are relying on someone else to maintain it, chances are ... \[ security\] is not going to get done."

The issue will become more important in 2022, as governments start to draft guidelines for secure software. The Biden administration, for example, signed an executive order in May requiring the National Institute of Standards and Technology (NIST) to draft guidelines for federal contractors to better secure software. The guidelines include providing a software bill of materials, or SBOM, to the government for their products and attesting to the security of the developers' build environments. NIST already has created draft guidelines for securing Internet of Things devices and software and held a workshop in September with industry to discuss the topics.

SBOMs are a key component for companies to understand their risk and identify software components as well as extended dependencies that could undermine an application's security, Chris Condo, principal analyst with Forrester, said during the presentation.

"Most developers just connect to a repo and they download the latest software versions of whatever packages they are using, but are those packages being scanned for vulnerabilities and is everyone even using the same version?" Condo said, adding that without a focus on such issues, companies are just delaying security problems. "You are creating more technical debt, more security issues that you will have to deal with downstream in a more expensive way."

The inconsistent nature of open source software continues to be a key issue. While major packages are typically well managed, many enterprises end up using packages — often through dependencies of more common components — that are not as well managed and may have vulnerabilities.

While the average time that open source software projects remediate vulnerabilities has dropped significantly (from 371 days in 2011 to 28 days in 2021), the number of packages hosted by the major ecosystems have grown significantly — 20% in the last year, according to a report published by software security firm Sonatype.

Companies need to delve into the packages they rely on for software development and determine if they pose a security issues, Condo said. "Understanding what you are actually depending on is really important, where is the weakest link, where are these issues going to arise, and should we use something that is a proprietary package or something that is curated," he said.

**The AI/ML Factor**  
As companies increasingly pursue analytics based on artificial intelligence and machine learning (AI/ML), they are facing on similar issues. AI/ML represents a specific facet of the open source problem because a great deal of the algorithms are encoded in open source projects. Businesses should determine whether these components pose a risk to their business, analyst Valente said.

"Organizations are leveraging AI and machine learning, and the question is not whether they are going to use AI and ML but whether they are going to buy it or build it," Valente said. "If they are going to buy ML or AI models, that is not something that they are maintaining — in many cases it is open source, and even commercial software, is 75% to 90% open source."

Finally, businesses need to focus on security issues earlier in the process. Determining that an open source dependency poses a security issues and removing it from consideration is far less expensive than attempting to close security issues found in the software after deployment, Condo said.

"You are creating more technical debt, more security issues that you will have to deal with downstream in a more expensive way," Condo said, adding that security should be part of the entire software development chain. "If you thought about really shifting left your security and designers doing threat modeling, review it with a security expert, and think about \[things like\] where data should reside and how to secure some of these APIs."

Third-Party Software Risks Grow, but So Do Solutions: Third-Party Software Risks Grow, but So Do Solutions

The Dependency Combobulator is an open source Python-based toolkit that helps developers discover malicious software components that may have accidentally been added to their projects.

New Application Security Toolkit Uncovers Dependency Confusion Attacks

Russian-speaking "Void Balaur" group's victims include politicians, dissidents, human rights activists, doctors, and journalists, security vendor discloses at Black Hat Europe 2021.

Hacker-for-Hire Group Spied on More Than 3,500 Targets in 18 Months

Wiz researchers who discovered a severe flaw in the Azure Cosmos DB database discussed the full extent of the vulnerability at Black Hat Europe.

ChaosDB: Researchers Share Technical Details of Azure Flaw

Companies are relying more heavily on third parties, remote employees, and partners, expanding their attack surface area beyond traditional boundaries.

Source

DARKReading