Fortress Information Security will expand its Asset to Vendor Library to include hardware bill of materials and software bill of materials information.

One of the biggest challenges in supply chain security is being able to understand the security practices of suppliers and vendors and to assess the risks of granting them access to internal networks and client data. Organizations address this by having suppliers and vendors fill out questionnaires or complete security assessments, but items can be missed. And one of those missteps could result in an outage or a data breach.

Fortress Information Security is trying to solve this challenge by providing critical industry operators with up-to-date information about all the partners and suppliers they already work with or would potentially work with. The Asset to Vendor Library Trust Center is a central library of information from vendors and original equipment manufacturers (OEMs), such as security attestations, completed North American Transmission Forum (NATF) questionnaires, and third-party certifications. The platform helps critical industry organizations assess, manage, and address risks associated with vendors, assets, and software in their supply chains.

The idea is to give organizations access to this information without having to send over a questionnaire, and it allows vendors to provide their information once, instead of filling out the assessments over and over again for each partner relationship, says Betsy Soehren-Jones, chief operating officer at Fortress. Asset owners and suppliers can access information of over 40,000 companies and assess the impact of new cyberthreats.

There is interest in this kind of a centralized repository operated by a private entity: Fortress announced a $125 million investment from Goldman Sachs Asset Management on Tuesday to expand its archive of vendor information to include hardware and software bill of materials. The company previously raised $40 million across multiple funding rounds between 2015 and 2020.

“When we put our program together, it dawned on us that the relationships we had, other companies had as well,” Soehren-Jones says of her time at Exelon, one of the largest utility companies in the United States, before joining Fortress earlier this year. “How can we build a central library about the vendors and devices that we are all using?”

**Supply Chain Attacks in Critical Industries  
**Supply chain attacks have been on the rise in recent years, with high-profile incidents such as the SolarWinds breach and the Kaseya attack. The dangers go beyond just IT systems when the supply chain attacks affect critical industries, such as power, energy, oil, gas, and water. The ransomware attack on Colonial Pipeline was not a supply chain attack – but the resulting disruption on gas delivery and supply highlighted just how susceptible critical industries are to attack.

Attackers are increasingly shifting their attention to suppliers instead of targeting organizations directly, the European Union Agency for Cybersecurity said in a report analyzing 24 supply chain attacks last year. Attackers focused on the suppliers’ code in 66% of the reported incidents, and 62% of the attacks exploited the trust of the organization in their suppliers and vendors, the report found. Additionally, 58% of the attacks targeted the suppliers to access customer data – the organization’s data.

“An organisation could be vulnerable to a supply chain attack even when its own defences are quite good,” ENISA said in the report.

Federal authorities and regulators are scrutinizing critical supply chains. The Cybersecurity and Infrastructure Security Agency (CISA) and the North American Electric Reliability Corporation (NERC) have released supply chain cybersecurity guidelines in the past year. However, relying on regulators is not enough because some critical industries – such as solar – are not regulated, Soehren-Jones says. And there is no overlap between different sectors; the rules and standards from electric are different from gas, for example, even though the two sectors depend on each other and likely share the same vendors.

“There are only a few meter companies – we are all probably using the same ones,” Soehren-Jones says.

The Fortress platform bridges the different industry sectors – oil, energy, water, power, and gas -- and gives organizations access to a more comprehensive set of data, Soehren-Jones says. The platform secures 40% of the U.S. power grid, substantial national defense-related assets, and critical manufacturing industries.

**Expanding Risk Assessments  
**With the new investment, Fortress plans to increase the hardware bill of materials and software bill of materials information available in the library. One way is to encourage vendors to provide their own information. Another is to expand in-house lab capabilities to “tear down” each product and generating the bill of materials, Soehren-Jones says. Having the internal service is critical to having a complete set of information about the devices in use, especially since many of the devices critical industries rely on “have already been in the field for 10 years” or longer, she notes. Many of those manufacturers may not even be in business anymore.

Consider the case of a transformer. The in-house lab will look at all of the components that make up the transformer and log them in one place. If the unit has a communicative device inside, the teardown will find it, log it, and share the information with all the industry organizations using the platform. The hardware bill of materials will also be useful for finding out if the same component is being used across other devices.

"If we find out that there's a bad chip somewhere in one device, that chip most likely has been used in a lot of other devices. So not only are we going to be able to identify the manufacturer that it originally came from, but then we're going to also be able to understand the full scope of all of the devices that may have it," says Soehren-Jones.

“The depth and breadth of the Fortress platform are unmatched and we believe there is a meaningful opportunity to accelerate the expansion of the platform into compelling product adjacencies, including software and hardware bill of materials, workflow orchestration, and additional analytics and reporting capabilities,” said Will Chen, managing director within Goldman Sachs Asset Management, in a statement.

The ability to share the information will benefit organizations in two ways: to be able to make purchase decisions as well as to guide incident response activities, Soehren-Jones says. When an issue is identified, organizations have the daunting task of examining every possibility to assess their exposure. Having the bill of materials already in the library means organizations can just work down a list.

The platform will also focus on workflow orchestration, allowing organizations to get information about things that need to be fixed, provide a way to log the changes that were made, and generate an audit trail that can be shown to regulators to prove that the necessary steps were taken, Soehren-Jones says.

“Log4j is the quintessential business case \[for software bill of materials\],” Soehren-Jones says. “We are still scanning, and it can take up to a year to figure out all places we are impacted.”

Fortress Tackles Supply Chain Security, One Asset at a Time

The rebranded Microsoft Purview platform integrates Microsoft 365 Compliance and Azure Purview, and adds new capabilities and products to help manage data no matter where it resides.

The shift to a hybrid workplace has forced organizations to rapidly adopt cloud technologies and remote access tools to enable ubiquitous connectivity.

That in turn has generated more data than ever before, and organizations are faced with the prospect of securing their data, managing data governance, and keeping up with compliance requirements. Collaboration tools can result in sensitive data leaks if not properly managed. Microsoft announced changes in its data governance platform to help customers see their assets across their entire data estate, along with helping to manage risks and regulatory compliance.

Microsoft has rebranded Azure Purview, which became generally available last fall, to Microsoft Purview and brought over the products that used to make up Microsoft 365 Compliance. Microsoft Purview also features new functionality in Microsoft Purview eDiscovery to improve identification of data stored in Teams; the general availability of Microsoft Purview Data Loss Prevention for macOS; and a preview of the ability to create encrypted documents for iOS and Android platforms.

Microsoft Purview will bring "that chief data officer and their team together with the risk officer, the compliance officer, and \[have\] a unified view and ability to manage data," says Alym Rayani, general manager of compliance and privacy at Microsoft.

For organizations, getting a sense of what data they have is a growing challenge, as is making sure the data isn’t leaving the organization in an unauthorized manner. Data has become the "lifeblood" of how businesses operate, says Rayani, but knowing what the organization has, or where it is even stored, is a growing challenge. The rapid adoption of cloud applications and remote access tool have expanded the data estate. An example would be how more employees are exchanging data using Microsoft Teams — not just in the chat or conversations, but also sharing files.

"Data lives everywhere. There's a lot of it," Rayani says, noting that about 93% of customers told Microsoft they store data across multiple clouds and multiple solutions.

**Understanding the Data**  
Before organizations can do anything about their data, they have to first understand it. Toward that goal, Microsoft expanded its sensitive information type catalog with more than 50 new classifiers, such as those covering patient and healthcare data. There were already 250 classifiers, for data elements such as credit card and Social Security numbers, Rayani says. These classifiers are available for DLP, Information Protection (auto-labeling), Data Lifecycle Management, Insider Risk Management, Records Management, eDiscovery, and Microsoft Priva.

The classifiers are necessary to identify sensitive data, and to allow organizations to create policies that accommodate the specific requirements for each type. There may be patient records that are considered confidential even if payment card numbers or Social Security numbers are not included.

"One of the things we've been hearing from customers is, 'Hey, I need to get a good understanding of my data environment, my data landscape. It lives across a range of systems. It lives in apps. It lives in different platforms,'" Rayani says.

**Governance to the Forefront**  
Microsoft Purview is not just about visibility or classifying data, but can give organizations governance tools that extend all across the data environment. Data leak prevention is one example, but another important area of data governance is insider risk management, Rayani says. While the idea of a malicious insider — the person trying to steal confidential information and intellectual property — is a classic example of insider threat, there is also a lot of the "inadvertent" insider — the one who accidentally exposes data while trying to do their job.

For example, a marketing employee trying to share something over Teams may violate data leak prevention policy. With Microsoft Purview, organizations have tools to warn the user in the moment that there is a policy violation, block the action, and offer an alternative method, such as a secure SharePoint site, Rayani says.

  

    

How each of the products in the Microsoft Purview family are branded. Source: Microsoft

Organizations frequently have to stitch together multiple products to give security, governance, compliance, and legal teams a clear view of what is happening in their environment. Almost 80% of IT decision-makers in the United States purchased multiple products to do so, and a majority had purchased three or more, according to a recent Microsoft survey. This patchwork of products can expose infrastructure gaps and is both costly and complex to manage, Jessica Hawk, Microsoft's corporate vice president of data, AI and mixed reality, wrote on the Azure blog. Microsoft Purview's goal is to provide a unified view to improve security, privacy, and compliance, she wrote.

The company will continue strengthening the integration between Azure products and Microsoft 365, as well as adding new capabilities. For example, sensitivity labels — which designate the data classification — will be consistent across products, and they will be viewable in both Microsoft Purview's compliance portal (formerly Microsoft 365 Compliance) and governance portal (Azure Purview).

"We believe the new way to optimize your data strategy is to deliver a unified view of data in the organization across hybrid, multicloud environments by bringing together the business users of data with the protectors of data," Hawk wrote.

Microsoft Launches Purview Platform to Govern, Protect, and Manage Sensitive Data

Three flaws present in consumer laptops can give attackers a way to drop highly persistent malware capable of evading methods to remove it, security vendor says.

**_\[Editor's Note: This article was updated on 4/20/2022 at 12:28pmET with comments from Lenovo\]_**

More than 100 different Lenovo consumer laptop computers, used by millions of people worldwide, contain firmware-level vulnerabilities that give attackers a way to drop malware that can persist on a system even after a hard-drive replacement or operating system re-install.

Two of the vulnerabilities (CVE-2021-3971 and CVE-2021-3972) involve Unified Extensible Firmware Interface (UEFI) drivers that were meant for use only during the manufacturing process but inadvertently ended up being part of the BIOS image that shipped with the computers. The third (CVE-2021-3970) is a memory corruption bug in a function for detecting and logging system errors.

ESET discovered the vulnerabilities and reported them to Lenovo in October 2021. The hardware maker this week released BIOS updates addressing the flaws in all impacted models. However, users will have to install the updates manually unless they have Lenovo's automated tools to assist with the update.

UEFI firmware ensures system security and integrity when a computer is booting up. The firmware contains information that the computer implicitly trusts and uses while it boots up. So, any malicious code embedded in the firmware would execute before the computer even boots up and before security tools have had a chance to inspect the system for potential threats and vulnerabilities.

In recent years, a handful of malware tools have emerged that were designed to modify UEFI firmware to install malware during the supposedly secure boot-up process. One example is LoJax, a highly persistent firmware-level rootkit that ESET and others observed being deployed as part of a broader malware campaign by Russia's Sednit group. Another example is MoonBounce, a firmware level malware dropper that researchers from Kaspersky recently observed being used as part of a cyber espionage campaign.

Martin Smolár, malware analyst at ESET, says the two Lenovo drivers that were mistakenly included in the production BIOS without being properly deactivated give attackers a way to deploy similar malware on vulnerable Lenovo consumer devices.

"Exploitation of these vulnerabilities would allow attackers to directly disable crucial system security protections," Smolár says. Attackers with privileged access on a vulnerable system can simply activate the old firmware drivers and use them to turn off protections such as BIOS control register bits, protected range registers, and UEFI Secure Boot that prevent privileged users from making changes to system firmware. As a result, exploitation of these vulnerabilities would allow attackers to flash or modify firmware and execute malicious code, he says.

Meanwhile, CVE-2021-3970, the third vulnerability that ESET researchers discovered, allows arbitrary reads and writes from and into System Management RAM (SM RAM) — or memory that stores code with system management privileges. This gives attackers an opportunity to execute code with system management privileges on vulnerable systems, ESET said.

In an emailed statement, Lenovo thanked ESET for alerting the company about the vulnerabilities. "The drivers have been fixed, and customers who update as described in the Lenovo advisory are protected," the statement said. "Lenovo welcomes collaboration with BIOS researchers as we increase our investments in BIOS security to ensure our products continue to meet or exceed industry standards." 

The company's advisory described the flaws as being of medium severity and enabling privilege escalation for attackers that exploited them. The company said CVE-2021-3970 resulted from insufficient validation in some Lenovo models. Lenovo attributed the other two vulnerabilities to its failure to deactivate and remove drivers that were used in older manufacturing processes.

The advisory also includes instructions on where users with impacted devices can find the appropriate BIOS update and how they should install it.

Millions of Lenovo Laptops Contain Firmware-Level Vulnerabilities

Mandiant data also shows a dramatic drop in attacker dwell time on victim networks in the Asia-Pacific region — to 21 days in 2021 from 76 days in 2020.

The length of time attackers remained undetected on a victim's network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant.

Mandiant in its IR cases found that companies have tuned their detection capabilities to find the most dangerous attacks quickly, with ransomware detected within five days on average; non-ransomware attacks remained active for 36 days in 2021, down from 45 days in 2020. But the quicker detection of ransomware attacks may not necessarily be positive, instead being due to the activation of the payload, says Steven Stone, senior director of adversary operations for Mandiant.

In general, however, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms, and government agencies and security firms often notify victims of attacks, leading to faster detection, he says.

"We think the combination of factors like these contributes to what we already see as year-over-year improvements in these regions," Stone says. "Ultimately, initial threat vectors come down to attacker choices and the availability of different vulnerabilities. Overall, we see some attack groups use different methods concurrently, likely showing a preference per target efforts."

Companies have improved their detection times dramatically over the past decade, reducing the time to detect attackers by nearly a factor of 20, from 418 days in 2011 to 21 days in 2021, according to the Mandiant M-Trends 2022 report.

    

Source: Mandiant

The improvement in company's detection capabilities varied significantly by region, with firms in the Asia-Pacific region seeing a dramatic drop in so-called "dwell time" to 21 days in 2021, from 76 days in 2020. European companies also saw a significant decrease to 48 days, from 66 days in 2020, while North American companies' detection did not change, staying level at 17 days.

**Attackers Love Cobalt Strike**  
The most popular attack tool remained the Beacon backdoor, which accounted for 28% of all identified malware families. Beacon is a component of the Cobalt Strike penetration testing tool, which is also popular with malicious attackers. Other attack tools quickly dropped off in frequency and include the Sunburst backdoor for .NET environments, the Metasploit penetration testing platform, and SystemBC, a proxy toolkit.

Overall, two methods of initial compromise — exploiting vulnerabilities and attacks through the supply chain — accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020, according to Mandiant. The changing tactics underscore that companies need to keep informed of attackers' techniques, Jurgen Kutscher, executive vice president for service delivery at Mandiant, said in a statement announcing the report.

"In light of the continued increased use of exploits as an initial compromise vector, organizations need to maintain focus on executing on security fundamentals — such as asset, risk, and patch management," he said. "The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organizations successfully navigate an attack and quickly return to normal business operations."

**Active Directory in the Bullseye**  
In another trend, attackers are increasingly taking aim at hybrid Active Directory (AD) installations, because misconfigurations in the hybrid identity model — where credentials and keys are synchronized between on-premises AD services and Azure Active Directory in the cloud — lead to compromises, Mandiant stated in the report.

Companies should treat hybrid Active Directory servers as the most sensitive level of assets, tier 0, and only allow access from privileged workstation from a segmented network. Along with monitoring, these steps should make exploitation much more difficult, says Evan Pena, managing director of Mandiant's global red team.

Luckily, implementing best security practices for hybrid AD servers is not hard to get right, he says.

"As companies move their resources to the cloud while using hybrid models, attackers will target these hybrid servers to achieve both domain and cloud compromise," he says. "It is common for these hybrid servers to have high-level privileges to on-premises servers — \[such as\] domain controllers — and cloud resources."

Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks, says Pena.

More Than Half of Initial Infections in Cyberattacks Come Via Exploits, Supply Chain Compromises

Provides autonomous and uninterrupted monitoring of unmanned IT locations at scale.

**AUSTIN, Texas, April 19, 2022**—RF Code, a pioneer of automated, real-time physical asset lifecycle management and environmental monitoring solutions for data centers, today announced the launch of Sentry, the company's first Software-as-a-Service (SaaS) innovation for decentralized edge computing locations. Sentry provides autonomous and uninterrupted monitoring of unmanned IT locations at scale. With deep intelligence and real-time notifications, Sentry makes it easier for IT professionals to monitor all of their remote IT spaces without being on-site.

"I can honestly say the Sentry device from RF Code will be an industry game-changer," said John Fletcher, Lead Technology Analyst for a major U.S. retail IT firm. "You get three monitoring devices in one unit ... temperature, humidity, and camera monitoring. Sentry is very easy to set up and cost-effective for our team's budget. It has real-time visual access and rich data of each IT environment that we're monitoring. It also has thermal scanning so I can check any room that houses critical IT equipment for potential hotspots that would cause an outage in the future.”

With the increased adoption of IoT devices, autonomous vehicles, as well as new work-from-anywhere (WFA) models, data center functions are moving to the edge to support these compute-intensive, zero-latency applications, and the demands of an increasingly remote workforce. By implementing a decentralized architecture, organizations like retailers, hospitals, hotels, manufacturers, and banks can improve localized computing power for end-users and the applications they need to drive business.

Without real-time environmental and critical asset monitoring tools in place, these unmanned and unmonitored IT spaces can be costly. Unplanned downtime, theft, and breaches can hurt an organization's bottom line costing thousands of dollars a minute.

"We developed Sentry as a way to meet the needs of a broader, underserved edge market with a simple, scalable, and affordable real-time IT asset and environmental monitoring solution," said Dale Quayle, CEO, RF Code. "Enterprises of all sizes need the ability to see, hear, and secure these edge environments as though they're onsite and Sentry makes it easier to prevent, mitigate, or remediate IT situations that threaten to disrupt normal business operations—from air quality and overheating to unauthorized access and other potential threats."

Sentry is easy to install and can be deployed in 20 minutes—all without the need for an on-site IT team, providing real-time visibility and remote monitoring from anywhere. Sentry's SaaS model makes it more affordable for organizations to monitor several IT locations at scale.

For more information and to see how Sentry monitors and secures remote edge locations, please visit http://rfcode.com/sentry.

**About RF Code**  
RF Code is an innovator of autonomous critical asset intelligence solutions. RF Code's real-time, active RFID technology improves IT asset tracking accuracy, full lifecycle management, and inventory utilization at data centers and edge locations. Autonomous IT asset data tracking and enhancement help RF Code customers slash manual error costs, optimize processes, maintain uptime, and comply with regulatory requirements. With patented wire-free active RFID sensors, open APIs, and real-time reporting capabilities, RF Code can be easily integrated with existing IT, facilities, and business systems.

RF Code is based in Austin, TX, and serves more than 200 organizations worldwide including Fortune 500, systems integrators, and value-added resellers. Additional information can be found at http://www.rfcode.com.

  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

RF Code Announces Sentry, a New Edge Solution for Remote Locations

Over half of organizations admit their security and compliance controls for managing sensitive content communications—both internally and externally—are inadequate.

PALO ALTO, Calif., April 19, 2022 (GLOBE NEWSWIRE) -- Kiteworks, the leading platform for ensuring regulatory compliance and effectively managing risk with every send, share, receive, and save of sensitive content, found in its “2022 Sensitive Content Communications Privacy and Compliance Report” that more than half of organizations believe they are inadequately protected against third-party security and compliance risks. The report attributes various reasons for this lack of preparedness, including 53% failing to encrypt all sensitive content communications with third parties, 58% lacking content governance controls to measure third-party risk, and nearly 8 out of 10 believing their compliance reports are not completely accurate.  

Findings in the Sensitive Content Communications Privacy and Compliance Report are based on a survey of 400 IT, security, privacy, and compliance professionals from numerous industries and 15 different countries around the world. In addition to struggling to manage security and compliance risks efficiently and effectively, respondents indicated they spend significant time on manual tasks related to key management and encryption/decryption, governance controls, and compliance reporting.

“Nation-states and cybercriminals know that confidential, private data holds great value, and studies show that it is increasingly the target of cyberattacks,” said Tim Freestone, Chief Strategy Officer at Kiteworks. “At the same time, regulatory bodies see these trends and have instituted, and continue to do so, standards that help protect sensitive content. This report reveals that many organizations are ill-equipped to deal with the sophistication and volume of today’s cyberattacks as well as the breadth of compliance standards when it comes to sharing and storing sensitive content. This lack of maturity creates significant security and compliance risk exposures.”

In addition to the above findings, notable admissions in the report include:

*   Nearly two-thirds of organizations share and transfer confidential data with more than 1,000 third-party entities, including one-third that do so with over 2,500 third parties.
*   41% of organizations want to see significant improvement or even a whole new approach to managing sensitive content communications.
*   59% of organizations cited distributed denial of service (DDoS), malware, and ransomware in their top two concerns for external threats.
*   Only 21% of organizations believe their compliance reports are fully accurate.
*   Almost 8 in 10 organizations spend 20-plus hours compiling audit trails and generating reports.
*   Only 14% of organizations manage and monitor all their sensitive communications taking place in the cloud.

“The Kiteworks platform provides our customers with a Private Content Network that delivers a comprehensive security and compliance approach for sharing and storing sensitive content communications,” said Frank Balonis, CISO and SVP of Operations at Kiteworks. “Granular audit controls and reporting to the level of user, folder, and file, and capabilities such as geofencing and encryption for data at rest and in motion enable our customers to protect all of their sensitive content communications while remaining compliant with a long list of regulatory standards.”

To read the 2022 Sensitive Content Communications Privacy and Compliance Report, download your copy here. You can also register to hear a panel of privacy and compliance experts discuss the findings and pinpoint actionable recommendations in a webinar scheduled for April 13 at 10 a.m. PT.

**About Kiteworks**   
Kiteworks' mission is to empower organizations to effectively manage risk in every send, share, receive, and save of sensitive content. The Kiteworks platform provides customers with a Private Content Network that delivers content governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive content moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all sensitive content communications.

New Kiteworks Report Reveals Significant Risk Maturity Gap

From higher standards in top-level domains to increased adoption of security controls, stepped-up measures can help fight DNS abuse and protect Web domains.

When the European Union introduced General Data Protection Regulation (GDPR) guidance several years ago to address privacy concerns, it became the genesis of a worldwide movement that led to an increased focus on privacy issues. Similarly, the EU recently released guidance on a security issue that still doesn't get the focus that it should — DNS abuse.

The Domain Name System (DNS) is a hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the Internet or other Internet Protocol (IP) networks. Specifically, DNS abuse is any activity that makes use of domain names or the DNS protocol to carry out harmful or illegal activity. Malicious activities on the DNS have been a frequent and serious issue for years, affecting online security, undermining trust on the Internet, and causing harm to users and third parties. This type of abuse also includes cybersecurity threats and the distribution of illegal and harmful materials.

While many organizations are aware of traditional approaches to cybersecurity, the one area that consistently gets ignored is maintaining and protecting Web domains. Inaction leads to issues such as DNS hijacking, which redirects employees, partners, and customers to sites that put them at risk or steal sensitive data. When legitimate domains are compromised, cybercriminals bypass traditional security, making it more difficult to identify, mitigate, and block such users. Fraudsters also use malicious domains (e.g., homoglyphs or confusingly similarly named domains or subdomains) and email spoofing to commit fraud and intellectual property abuse.

To date, there is no global consensus on what should be done to prevent or fight DNS abuse, and there are no policies in place to hold domain registrars to higher validation standards in terms of ownership. Upholding and preserving a reliable, resilient, and secure DNS is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend.

To address this, the European Commission recently conducted a study and issued this report, which assessed the scope, impact, and magnitude of DNS abuse, and also provided input for possible policy measures based on identified gaps. Analysis was completed of the available data and the report proposed a set of recommendations to prevent, detect, and mitigate DNS abuse.

**DNS Report Takeaways  
**While this report is compelling and provides guidance to follow, there are key components of it that enterprises should home in on when looking to improve the domain security posture of their organization. Specifically, the report recommends the following:  

*   **Selecting providers with more validation standards for domain registrations.  
    **We need to hold domain registrars to higher standards. They need to take a customer validation approach that verifies who the customer is to ensure abuse isn't happening. This "know your customer" strategy is used in enterprises today to mitigate fraud, and in this instance, it can bring a level of compliance to a situation where cybercriminals are currently registering any new domain whenever they want to.

*   **Initiate prevention and remediation solutions.  
    **Free hosting and subdomains, services that were originally intended for legitimate services, are commonly exploited in phishing attacks. Companies should activate proactive detection of suspicious domain names containing targeted brand keywords. Additionally, they should monitor the domain and DNS space for brand abuse, infringement, and fraud. Trusted notifier programs should be developed so that enterprises can enforce their rights through reporting and suspending offending domains.

*   **Increase adoption of security controls.  
    **Domain name system security extensions (DNSSEC) can authenticate communication between DNS servers. However, low adoption and lack of deployment can lead to hackers taking control of an Internet browsing session and redirecting users to deceptive websites. SPF and DMARC protocols should continually be adopted as the first line of defense against business email compromise (BEC) as those protocols can mitigate email spoofing. Just as crucial to security is to enable registry locks. While **t**his area wasn't discussed in the European Commission report, it's a great way to prevent attacks, as it enables end-to-end domain name transaction security to mitigate human error and third-party risk. Most large registries in Europe, such as those in Germany, France, and Sweden, have adopted this security measure, but it's not consistent, with notable exceptions such as Italy and Spain. Unlocked domains are vulnerable to social engineering tactics, which can lead to unauthorized DNS changes and domain name hijacking.

*   **Better standards in top-level domains (TLDs).  
    **A TLD is the final component of a domain name (.org, .icu). The generic TLDs (gTLDs) are the most abused domains by volume. However, some new gTLDs and country code TLDs (ccTLDs) have a higher concentration of fraud. You can get a TLD for less than a dollar these days, and phishers love this easy accessibility. There needs to be further consideration of tools and measures that safeguard intellectual property rights and consumer safety in a cost-effective and scalable way. One example is blocking programs — leveraged by the Donuts DPML program — which could reduce DNS abuse. Donuts, a part of the gTLD program, offers a blocking service for trademark holders known as the Domain Protected Marks List, or DPML.

**Building Domain Standards  
**While the EU report provides great insights into how to better mitigate threats to domains, it should serve as a foundational piece upon which companies and countries around the world can build.

As domain standards evolve, it will be important for government and industry to develop effective policies and programs to ensure that Web users aren't at risk of crime and fraud during their daily lives. Simultaneously, limiting hackers' ability to operate and maliciously commit fraud will be vital to our society and digital economy.

How to Interpret the EU's Guidance on DNS Abuse Worldwide

A large number of enterprise applications are affected by the vulnerability in Log4j, but adversaries aren't just looking for the most common applications. They are looking for targets that are easier to exploit and/or have the biggest payoff.

Not all software utilizing Log4j is equally attractive from an attacker’s point of view, and the most widely used application isn’t necessarily the one attackers will go after.

About 10% of large enterprises have an Internet-exposed instance of VMware Horizon, a desktop and application virtualization product, but it is currently the most “attackable” application using Log4j, Randori said in a report (PDF) earlier this month. In contrast, 37% of organizations have multiple instances of cPanel, a web-hosting control panel software that is visible on the Internet, but attackers are less likely to target it.

The vulnerability in the Log4j logging library was publicly disclosed a little over four months ago. 

“While some \[organizations\] felt massive blowback from Log4j exposures on their attack surfaces, others managed to weather the storm without major incident,” Randori’s team said. “By understanding how attackers choose their targets during such exposures, defenders can help put their company in the latter category.”

Randori’s approach isn’t just about looking for vulnerabilities that can be exploited, but also thinking about how attackers choose their targets. Adversaries consider several factors when picking their targets, such as where the most initial damage would likely occur and what kind of impact the intrusion would have on the environment. Adversaries are more likely to target applications that would allow them to remain in the environment, so they would be less interested in systems that have a lot of security software that would detect the intrusion. Applications that grant access to other systems or give adversaries privileged access would be a more tempting target.

VMware Horizon is considered the most attackable because if compromised, it gives adversaries access to the rest of the network. Mobile device management platform Jamf and single-sign-on platform PingFederate are used by 1% to 2% of the enterprise market but are ranked second and third on the attackable list because of what adversaries would be able to do next, Randori noted. The authentication and automation mechanisms provided by PingFederate and Jamf would allow adversaries to pivot in the network and expand operations, Randori said.

Jenkins, an automation server to build, test, and deploy software, does not even make the widespread list because the core platform does not include Log4j dependencies. However, some add-ons do use Log4j, and if those instances of Jenkins are compromised, the attackers would have the “keys to the kingdom,” Randori notes.

“Our attack team wouldn’t be surprised to \[see\] attacks in the wild abusing Log4j in Jenkins,” the company noted.

Most of the applications on the widespread list are application servers or middleware and are less interesting to attackers because not every version may have Log4j dependencies. Or if they have optional components that use Log4j, the configurations may not be as easily exploited.

Organizations need to understand software stack underlying their platform, since the dependencies will make a difference in whether they are more attractive to adversaries or not, Randori’s team concluded.

Adversaries Look for 'Attackability' When Selecting Targets

The enterprise grade solution will provide enhanced cloud security and provide new open-source tools.

WASHINGTON D.C., April 19, 2022 – Verica, the Continuous Verification company that makes systems more reliable and less vulnerable to costly incidents, and Prowler creator Toni de la Fuente today announced the launch of Prowler Pro. Prowler Pro marks the evolution of Prowler Open Source, one of the most recognizable and dependable open-source tools for AWS cloud security.

Prowler Pro puts AWS security assessments, audits, incident response, continuous monitoring, hardening, and forensics readiness in easy reach of anyone running multiple AWS services. It contains over 220 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.

Prowler Pro is now available to the public through the AWS Marketplace, and is easy to deploy in multiple AWS cloud accounts. It offers continuous monitoring, faster execution, personalized support, and customizable dashboards. With Prowler Pro, customers get compliance results out of the box.

“Uniting our technology offerings was a natural progression for both platforms. We are thrilled to welcome the Prowler team to the Verica family and bring open-source solutions to a wider audience.” said Aaron Rinehart, co-founder & CTO of Verica. “We think it's critically important to bring the practices of Continuous Verification to AWS security problems, and we look forward to rolling out more integrations to create a seamless experience for customers.”

“When I started Prowler, the AWS cloud security community didn’t have many tools, and securing AWS was complicated and confusing (and still is). It was natural for developers to start using Prowler due to its simplicity to install and run,” said de la Fuente. “This evolution of Prowler aligned with Verica’s vision makes it even easier to identify issues and threats. We are excited to offer a solution for AWS Security that will complement and make Prowler Open Source even stronger.”

Prowler Open Source will still be available on Github for cloud security professionals and developers. The team will focus on enhancing the open-source offering — expanding its database of 220+ checks — while strengthening Prowler Pro capabilities. Whether a Prowler Open Source or a Prowler Pro customer, organizations will have much to look forward to with upgrades to their tools that will make the process of securing their AWS systems significantly easier.

**About Verica and Prowler Pro**

Verica uses Continuous Verification to make systems more secure and less vulnerable to costly incidents. Verica’s Continuous Verification Platform provides out-of-the-box verifications that proactively uncover system weaknesses and security flaws before they disrupt business outcomes. All companies running complex systems experience failure, but as systems become more complex, Verica will be there to help maintain confidence in those systems. With Verica, you can trust that your software is working how it’s meant to. Learn more about Verica at www.verica.io.

Prowler Pro makes AWS Security easy and enables your team to build trusted applications. With Prowler Pro, you will get the benefits of Prowler Open Source and you will get continuous monitoring, faster execution, personalized support, and visualization of your data with customizable dashboards. Find out more about Prowler Pro at prowler.pro.

Verica Launches Prowler Pro to Make AWS Security Simpler for Customers

Study shows that more than 35% have suffered seven or more successful attacks.

Ransomware, phishing/social engineering, denial of service (DoS) attacks, and the business fallout of a data breach rank as the top concerns of global organizations, a new study shows.

The newly published Cyber Risk Index, a study by Trend Micro and the Ponemon Institute, shows that more than three-quarters of global organizations expect to suffer a cyberattack in the next 12 months — 25% of which say an attack is "very likely."

More than 80% of the 3,400 CISO and IT professionals and managers surveyed say their organizations were hit with one or more successful cyberattack in the past 12 months, and 35% suffered seven or more attacks, according to the report, which covers the second half of 2021.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading