CISOs in consumer and retail organizations appear to accept greater risks to allow for more innovation, which could be a model for future growth.

Source: FOTOGRIN via Shutterstock

Chief information security officers (CISOs) have long borne the reputation of blocking innovation to keep their organization and all its data safe and sound.

However, those competing priorities appear to be shifting, especially in the retail and consumer sectors. While the majority of CISOs (59%) across all sectors see themselves as "enablers" — as opposed to just managers of cyber-risk — nearly all (97%) CISOs in the retail segment view their role as an enabler, according to a survey of more than 1,000 global CISOs conducted by cybersecurity firm Netskope. As a result, CISOs' acceptance of risk has grown, with the majority of all CISOs ready to take on more risk compared with five years ago. For the retail sector, the share of risk-embracing CISOs is even higher (74%).

The pressure on companies to innovate — and CISOs' understanding of their role in making that happen — are driving CISOs to become risk-takers, Netskope CISO James Robinson says.

"Typically, you had someone who was really, really technical, and they were working through things, but they really didn't have that business side of the brain — knowing the business metrics and data," he says. "CISOs have moved from the need to say no and maybe even taken it a step further — saying the answer is always, "Yes, just how do we get there?'"

From gift-card scams to brand hijacking for phishing attacks to devastating ransomware, retailers are a popular target for cybercriminals and fraudsters. At the same time, the retail sector has had to weather the chaos caused by the pandemic and supply-chain disruptions, which led to demand fluctuations and a loss of brand loyalty. The subsequent spike in inflation over the past two years left many consumers prioritizing price. Most retail executives (67%) expect consumers to purchase fewer products in 2024, and so retailers are increasingly focused on winning loyalty, according to consultancy Deloitte's "2024 US Retail Industry Outlook" report.

**Security in the Era of Amazon and AI**

With all those disruptive forces in the market, retailers have had to transform themselves to compete, morphing from just focused on selling products to becoming data companies. Consequently, CISOs at retail companies can no longer afford to focus solely on putting a wall around their information, says Netskope's Robinson.

Like other members of the C-suite, CISOs have to be thinking about the business more holistically, Robinson says.

"Retailers now have to ask, 'What's the next innovation? What's the next thing we have to do?'" he says. "And all of those decisions are data driven ... they're being led by this wealth of data that they're collecting, so that they can have targeted experiences for their customers."

Artificial intelligence is one obvious way to innovate. A great deal of the pressure to change over the past two years has come from the development of AI capabilities and businesses' fear of missing out on any innovations — and competitive advantages. In-store cameras paired with AI analysis can determine consumer interest in products, ecommerce platforms can better predict inventory, and stores can even use recognition of facial expressions to gauge consumer sentiment.

While most companies have slowly tested the waters of AI, many will be putting their first AI-powered applications into product in the next 12 months, Robinson says.

"This is the first year also that we're really seeing GenAI projects kick off, and in the next year, we'll start to really see kind of the value of some of these projects," he says. "So I think that's probably what's shaping it even more."

**The Business-Focused CISO**

Yet, AI and cybersecurity are two technology areas that are least likely to have positive returns on investments for retailers, according to consultancy KPMG's 2023 "US Consumer and Retail Sector Insights Report." Only 46% of survey respondents noted an increase in profitability or performance due to AI — and 45% from cybersecurity. But the consumer and retail sector fell even short of that threshold, with 38% and 37% of respondents, respectively, in those industries seeing a return on investment from AI or cybersecurity.

"For many consumer and retail organizations, getting data right is still a work in progress," KPMG stated in the report.

Understandably, there are still some risks where CISOs are unwilling to compromise. Sharing information with outside parties or third parties without the proper review and without the proper agreement in place — a threat becoming more common in the era of AI — is just not possible, says Robinson.

"We knew how to data warehouse, and it's got business value — even more now with the development of GenAI," he says. "I think all of those things have kind of started to come together at this point, allowing the retail CISO to really have a leg to stand on. Now they just also have kind of the business knowledge, because they're being brought into more of these conversations at this point."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Retail CISOs Take on More Risk to Foster Innovation

The bug is already being exploited in the wild, but Firefox has provided patches for those who may be vulnerable.

Source: 2020WEB via Alamy Stock Photo

Mozilla has patched a critical security vulnerability in its Firefox Web browser that's being actively exploited in the wild.

Tracked as CVE-2024-9680, the vulnerability is a use-after-free issue in Animation timelines, with attackers exploiting it to execute arbitrary code, according to Mozilla's advisory. It carries a CVSSv3 vulnerability-severity rating of 9.8 out of 10 and a low attack complexity (no privileges or user interaction is needed to successfully exploit the flaw), and translates into high risk in the event of a successful attack.

Critical bugs in Firefox, which is used by around 178 million people worldwide, are few and far between. The Web browser hasn't had to offer patches for such a severe flaw since March, and only a small number have been discovered in the past few years.

The disclosure sparked a flurry of alerts from international cyber agencies, including Dutch national cyber center Nationaal Cyber Security Centrum, and the cybersecurity centers of Canada and Italy.

The Web browser vulnerability affects Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Users should upgrade to version 131.0.2 in Firefox and to versions 115.16.1 or 128.3.1 for Firefox ESR to fix the vulnerability and thwart potential exploitation.

**About the Author**

Critical Mozilla Firefox Zero-Day Allows Code Execution

The third-party actor had access for two days, in the financial services company's second major breach of the year.

Source: Ryan McGinnis via Alamy Stock Photo

Just over 77,000 individuals will be receiving news from Fidelity Investments that their personal information has been compromised in a data security incident. 

The breach itself occurred between Aug. 17 and Aug. 19, when an unauthorized third-party gained access to two customer accounts and obtained private information. When the activity was detected on Aug. 19, access was terminated and an investigation began.

According to Fidelity's notification letter, the incident did not involve any access to Fidelity accounts and the information obtained by the threat actors "related to a small subset of our customers."

"While the attackers' specific motives remain unclear, it's likely that information gathering was a primary objective," said Sarah Jones, cyber threat intelligence research analyst at Critical Start, in an emailed statement to Dark Reading. "The 'beachhead' theory, where attackers establish a foothold to launch further attacks, is a common tactic in such incidents. Although Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities."

Indeed, though Fidelity iterates that it is unaware of any misuse of its customers' personal information obtained in this breach, this is the second time this year that it has faced a data breach. In March, Fidelity notified roughly 30,000 individuals that their information had been compromised in a third-party breach involving service provider Infosys McCamish (IMS).

Fidelity is providing free credit monitoring and identity restoration services for those impacted by this breach through TransUnion Interactive for 24 months.

It also encourages individuals to remain vigilant and review their financial statements often, reporting any suspicious or fraudulent activity.

Fidelity Notifies 77K Customers of Data Breach

The European Union's new sanctions framework will target individuals and organizations engaging in pro-Russian activities such as cyberattacks and information manipulation to undermine EU support for Ukraine.

Source: Daniren via Alamy Stock Photo

In an effort to thwart adversaries launching cyberattacks, information manipulation, and interference campaigns on Russia's behalf, representatives from 27 European Union member states approved a sanctions mechanism. This new framework will allow the EU to target individuals, agencies or organizations that attempt to undermine the values of the member states or their "security, independence and integrity."

The EU said in a statement it had detected an increasing number of these pro-Russian activities: Targets included critical infrastructure as well as "instrumentalisation of migration and other disruption actions."

Earlier this year NATO warned of Russian "hostile state activity," against several EU nations, including Germany, the United Kingdom, Poland, the Czech Republic, Estonia, Latvia, and Lithuania. Many of the activities meant to undermine support for Ukraine wouldn't merit a military response, which left the EU countries and NATO trying to figure out how best to respond to these attacks.

The EU now has to determine which sanctions would be imposed for which types of actions. For example, hybrid threats including undermining elections, democratic institutions or the economy, or critical infrastructure attacks could result in asset freezes or travel bans. Hybrid in this context refers to actions carried out on behalf of a state to undermine the functioning of another country. As of now, no actual sanctions have been imposed using this system.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

EU Plans Sanctions for Cyberattackers Acting on Behalf of Russia

In its latest Windows preview, Microsoft adds a feature — Administrator Protection — designed to prevent threat actors from easily escalating privileges and restrict lateral movement.

Source: Mundissima via Shutterstock

Microsoft has introduced a significant security upgrade in its latest preview edition of Windows that aims to lock down local administrator privileges, making it much harder for cyberattackers to exploit privilege escalation issues.

The feature, Administrator Protection, changes the ability to elevate privileges from a free-floating capability to a "just-in-time" event that is much more limited in scope. The coming feature shifts the way Windows handles administrator permissions, moving from a split-token model gated by the User Account Control (UAC) prompt to an isolated, shadow environment managed by the system. This shadow administrator account disappears as soon as the designated task is completed, making it much harder for a cyberattacker to abuse the administrator's elevated privileges for malicious actions.

The feature will limit the scope of an elevation of privileges for administrator-enabled accounts, says Rudy Ooms, a technical content creator at Patch My PC, who published a technical analysis of the feature.

"The old legacy concept is that you have a split token, and it's not that secure," Ooms says. "With the new Administrator Protection, things change, and it completely reimagines this approach by eliminating the direct use of the split tokens and replacing it with a hidden system, managed account."

The feature should make it much harder for cyberattackers using living-off-the-land techniques to elevate their privileges and co-opt administrator access on compromised systems. Post-compromise, most attackers use common applications — such as PowerShell and system services — paired with administrative privileges to move laterally.

The Administrator Protection feature is the latest tactic in software firms' push toward eliminating poor trust models in their software. It's also a dramatic improvement from the days of pass-the-hash attacks, where attackers could gain elevated privileges without knowing the administrator's credentials. With this new feature, attackers can still use the administrator's credentials to try to escalate privileges, but the window to do so is much smaller.

"Attackers have to rethink all their old tricks," says Jason Soroko, a senior fellow at certificate management firm Sectigo. "It impacts the ability for an attacker to be able to walk around as the administrator, and so living off the land is \[less of a threat\] because organizations have a lot of tools that are installed that are of great usage to the attacker."

**Administrators' Split Personalities on Windows**

Microsoft's current approach to handling elevated privileges is to give administrator accounts a "split token." The user account will by default be treated as a standard user — and with the same token, "TokenElevationTypeDefault" — limiting privileges. When a user attempts an action requiring administrative privileges, they must use the UAC feature to elevate their token to "TokenElevationTypeFull."

The split-token concept is a good approach, but it has problems, says Ooms.

"The problem here is this approach keeps admin rights relatively hidden but not inaccessible," he says. "Once the elevated admin token is activated, any malware running in the background can potentially hijack it and perform malicious actions. Essentially, while split tokens are better than running as an 'always-on' admin, they are still vulnerable to those kinds of attacks."

If Administrator Protection is enabled, users who elevate their privilege will switch to an isolated, managed system administrator account that protects the administrator token, according to Ooms's technical analysis.

"In my opinion, it will increase the security posture a lot because it reduces the attack surface," he says.

**Purpose-Built Accounts, Better Monitoring**

Microsoft declined to comment on the feature, but a spokesperson says the company plans to share more information at its Microsoft Ignite technology conference in November.

In the release notes for its Windows Preview, the company stated: "Administrator protection is an upcoming platform security feature in Windows 11, which aims to protect free floating admin rights for administrator users allowing them to still perform all admin functions with just-in-time admin privileges. This feature is off by default and needs to be enabled via group policy."

While the feature will significantly improve system security, the instantiation and destruction of a shadow administrator account for specific tasks is also a boon to companies monitoring account activity, says Sectigo's Soroko.

"If you're monitoring privileged accounts, then your ability to monitor these short-lived privileged accounts and make sure they're not walking around doing something that they shouldn't \[is much better\]," he says. "You are able to contextualize what that account was created for, there's now new opportunities for people who are defending."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Microsoft Previews New Windows Feature to Limit Admin Privileges

When employees and leaders engage with CISOs early in innovation projects, security concerns are addressed proactively, building trust and ensuring innovation and security coexist.

Source: lorenzo rossi via Alamy Stock Photo

COMMENTARY

July's CrowdStrike incident serves as a stark reminder of the unintended consequences organizations face when innovating to enhance security and streamline operations. Using best-in-class technology is usually a safe bet for chief information security officers (CISOs) when selecting a security vendor, but it's equally important to be cognizant of how that technology will be deployed and the amount of risk it can create. I've deployed CrowdStrike as one of my endpoint security tools, and standardizing on this solution allowed for my security operations to be automated, and created muscle memory among my security engineers. This resulted in a faster and more streamlined response to security alerts.  

However, the CrowdStrike incident served as a sobering lesson about the potential consequences of real-time misconfigured updates on critical business operations. This has opened my eyes to thinking about risk and innovation in a slightly different way. It's not just about selecting a vendor with a strong security program, but also about considering the breadth of the implementation of the vendor product, as well as the way the product is updated across an environment. By understanding these different elements, enterprises can make more informed decisions to manage innovation against risk in a controlled manner. 

Interestingly, some companies' reliance on older operational systems shielded them from the direct effects of the CrowdStrike incident. While their outdated technology was once viewed as a liability, it became a surprising advantage in this case. This scenario suggests that the trade-off between innovation and risk may be inevitable. However, both are achievable. So, how can CISOs strategically balance both to ensure secure, forward-thinking operations? 

**Bridge the Barrier in the Boardroom **

CISOs often face the misconception of being barriers to innovation within the boardroom. To dispel this, we must reframe the discussion from a "security versus innovation" perspective to one of "secure innovation."  

Security and innovation are not mutually exclusive, nor should they be. When security is integrated early in the development process, it ensures that innovations are both groundbreaking and secure. CISOs must proactively reach out to other leaders across the organization, from the chief technology officer (CTO) to the chief financial officer (CFO), to ensure security is factored into strategic decisions from the beginning. It's about building relationships, where security becomes as natural as brakes on a car — essential for control but enabling speed and progress. 

**Foster a Culture of Security**

One of the most important roles for a CISO is to be viewed as an enabler to innovation instead of a blocker. In reality, the role of a CISO extends far beyond protecting systems; it involves communicating risks at a business level and ensuring that security enables progress rather than stifles it. The key to achieving this lies in fostering a culture of security involving the entire organization, from leadership to employees in the field. 

As the first line of defense, employees are crucial to establishing a security-first culture. Daily interactions with third-party vendors and potentially malicious content expose them to risks that can compromise the entire organization. 

A powerful way to engage employees in this mission is by making security personal. Phishing attacks, data breaches, and threats to personal banking information are tangible examples that resonate with employees. When people understand that their actions can directly affect their own security, as well as the company's, they become more motivated to adopt secure practices. With a security-aware employee culture, defense strategies are baked into innovation efforts from the start. 

**You're Secure, but Are Your Vendors?**

The sheer volume of the third-party relationships we manage keeps me on my toes. A single compromised user from any vendor could trigger a company-wide incident. After all, hackers only need one successful attack while security teams must be right every time. 

For CISOs, this means that secure innovation doesn't stop at internal processes — it must extend to the vendors that support their IT landscape. Collaborating with technology peers to better understand and mitigate risks is key to fostering innovation without increasing the cyber-risk. Equally important is building strong, proactive partnerships with third-party vendors to verify they are prepared to respond at scale when disruptions occur. 

To optimize this process, CISOs should focus on understanding which vendors are critical to the corporate infrastructure, particularly those involved in environments that require frequent updates. By ensuring these vendors follow rigorous testing protocols before rolling out changes, companies can better manage the trade-offs between innovation and operational stability.  

**Security-First Innovation**

CISOs must lead the charge in integrating security-first practices into the heart of innovation, positioning themselves as trusted advisers who enhance the company's overall objectives. By coming to the table with solutions rather than simply highlighting risks, we can shift the dialogue from "security will never approve" to "security can help make this better."  

This cultural shift fosters collaboration with executives and third-party vendors, embedding security into every phase of the organization's growth. When employees and leaders engage with CISOs early in innovation projects, security concerns are addressed proactively, building trust and ensuring that innovation and security coexist.  

**About the Author**

CISO, BlackLine

Jill leads all information security programs at BlackLine, including promoting information security awareness within the company, ensuring the confidentiality, integrity and availability of clients’ data, as well as BlackLine’s internal information resources, managing incident response teams and also facilitating adherence to security industry best practices and regulatory compliance requirements. 

Jill came to BlackLine in April 2022 with more than 25 years of cybersecurity experience working in both internal and customer-facing roles including serving over 15 years in CISO positions at Cheetah Digital, Mattel and BT Global Services. Previously, Jill served as a Special Agent for the FBI, assigned to the Cyber Crime Squad in the Los Angeles field office where she was the lead case agent for several high-profile cases, including the infamous Kevin Mitnick and MafiaBoy investigations.

Walking the Tightrope Between Innovation &amp; Risk

Vulnerability prioritization has evolved over the years. Several frameworks exist to help organizations make the right decisions when it comes to deciding which patches to apply and when. But are these better than a Magic 8 Ball?

Source: olga Yastremska via Alamy Stock Photo

COMMENTARY

Last month marks 25 years of operation for the CVE (Common Vulnerabilities and Exposures) program, launched in September 1999. It's difficult to imagine a world without CVEs. Much of the "vulnerability management" activities, before the CVE program became popular, relied on matching version numbers from remote scans and executing shady exploits found in dark places on the Internet to validate findings. We've come a long way when it comes to vulnerability tracking. Our journey has been fraught with peril, however, and we still have many challenges to overcome, including:

*   Volume: To keep pace with the sheer number of CVEs being created each year, we've had to increase the numbering format and assign CNAs (CVE Numbering Authority), spreading the responsibility and making it difficult to be consistent.
    
*   Date tracking: In certain circumstances, CVEs will be issued in the current year but with a previous year in the designation. Sometimes this is due to CNAs being pre-assigned CVEs for future use. However, this can make tracking and analyzing vulnerabilities in the CVE database by year inaccurate. This is rare but problematic, because it leads security practitioners to believe it's an older vulnerability, and some may not pay attention to it.
    
*   Free market: While there are some guidelines and barriers, for the most part, anyone can get a CVE issued. While it's important we not limit the creation of CVEs to prevent people from trying to hide a vulnerability, the free-market concept has caused issues. There are recent reports of folks automating the process of creating CVEs — hundreds of them — based on previously fixed bugs in GitHub repositories.
    

While the creation of formal tracking for vulnerabilities was huge for the industry, it wasn't until 2005 that we began to assign a severity rating using CVSS. This, too, is not without challenges, such as:

*   Subjective scoring: Anyone can score a vulnerability using CVSS and publish the results. We need checks and balances. If the security researchers who found the bug believe the severity to be different from the vendor that created the software, we should be able to see both scores.
    
*   It reflects only the vulnerability: While you can use CVSS to customize the score for your environment and take into consideration compensating controls, most users will just go by what has been published. Often, vulnerabilities are scored by the CNA that owns the software, and its incentives are not to score vulnerabilities on the high side.
    
*   Multiple versions of CVSS: Since CVSS version 1 was released in 2005, three subsequent versions have been released through November 2023. A CVE entry scored with a previous version may not be updated to the latest version. CVSS scores should also be updated due to changes in the security research landscape or new information about the vulnerability. These changes, if they happen at all, can be difficult to track.
    

**What Do We Do Now?**

Given there are pros and cons to each of these programs whose intentions are to help organizations make informed risk-based decisions, how do we know what to patch first? Many will rely on one mechanism, likely CVSS, pick a magic number, and patch everything that scores above that magic number. The problem is this is a very limited view of the vulnerability world. Everything that needs to be patched will not have a high CVSS score, or even a low score for that matter. We can choose to follow one or more of the above frameworks, such as MITRE ATT&CK, CISA KEV, and EPSS. Following these individually can be tricky, and you'd miss pieces of the larger picture. If you only patched the CISA KEV, you'd miss out on select attacker techniques that don't deal with vulnerabilities and CVEs. A blended approach isn't a bad idea, but solely relying on guidance external to your organization is the equivalent of just shaking a Magic 8 Ball and using that as the guidance to patch.

What matters most when it comes to patching is the impact on your organization. My best advice is to identify the most critical parts of your business, tie that back to systems and applications, patch those first, and patch as much as you can on those systems.

**Conclusion**

Too often, I hear folks dismissing vulnerabilities that could be devastating for various reasons, such as "No one is attacking those vulnerabilities today," "I am not the target of nation-state-level attacks," and "An attacker would have to already be on the system." None of these things matter when a clever group of attackers is determined to be successful. They will target every weakness in your attack surface: hardware, firmware, and software, from bare metal all the way to the cloud. Pre-operating system attacks could render a system permanently damaged or inoperable, such as if an attacker were to gain access to the baseboard management controller (BMC) and cause an infinite reboot loop. Through low-level firmware attacks, malicious actors can permanently damage the hardware. Attackers can utilize the Unified Extensible Firmware Interface (UEFI) to bypass OS protections, be persistent on the system (think of ransomware that just won't go away), and allow attackers to be stealthy. At this point, every vulnerability is now available for exploit. 

Remediating vulnerabilities is a complex process, and several factors go into the decision as to whether or not to apply a patch, or thousands of patches to thousands of systems. As complex as this task may be, it's something we must continue to improve upon, or attackers will greatly benefit. Oh, and put down the Magic 8 Ball, please.

**About the Author**

Principal Security Evangelist, Eclypsium

Paul Asadoorian is the principal security evangelist at Eclypsium, focused on supply chain security awareness. Paul's passion for security extends back many years, to the WRT54G hacking days and reverse-engineering firmware on IoT devices for fun. He co-authored the book WRTG54G Ultimate Hacking in 2007, which fueled the firmware hacking fire even more. Asadoorian has worked in technology and information security for more than 20 years, holding various security and engineering roles at a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005, he founded Security Weekly, a weekly podcast dedicated to hacking and information security. Asadoorian is still the host of one of the longest-running security podcasts, Paul's Security Weekly. He enjoys coding in Python, telling everyone he uses Linux as his daily driver, poking at the supply chain, and reading about UEFI and other firmware-related technical topics.

Vulnerability Prioritization &amp; the Magic 8 Ball

The average higher education institution is getting hit once a week now, and as one University of Oregon attack shows, the sector often lacks the resources to keep pace.

Source: Simon Turner via Alamy Stock Photo

The education sector is facing thousands of cyberattacks per week these days — especially universities, a good portion of which experience at least one incident per week.

Education was the third most targeted industry in second quarter of 2024, according to Microsoft's latest "Cyber Signals" report. This finding corroborates data from Check Point Software, indicating that the education and research sectors now face more than 2,500 attacks weekly, up 15% over the past couple of years.

The US has it the worst, but schools and related organizations across the world face the same sorts of risks. In Europe, for example, 43% of institutes of higher education report experiencing a cyber incident at least once a week, if not more often. Schools for earlier age groups faced significantly less frequent attacks (13% to 16%).

As Microsoft explained, education makes for a uniquely soft target, combining the vulnerabilities, blind spots, and legacy infrastructure issues endemic to various other major industries, but all in one package.

**Education Sector Is an "Industry of Industries"**

Schools — in particular, universities — tend to combine the functions of many kinds of organizations in one package.

A university is also a financial institution with lending capabilities (sometimes even more the latter than the former), and a healthcare and housing provider to its students and faculty. Schools at every level host payment processing systems, websites and email domains, and networks that, especially since the COVID-19 pandemic, can resemble Internet service providers. They employ food service and athletics staff, and host events. They might be in possession of potentially sensitive research data, and all of them have to manage the full spectrum of personally identifiable information (PII) belonging to usually thousands of people at once.

It follows, then, that educational institutions enjoy all of the cybersecurity challenges any other industry faces. New and legacy technologies commingle. Public schools struggle with funding. Cybersecurity talent is tough to find and retain. Students and teachers bring their own devices on and off campus every day, each one potentially carrying malware. And virtual learning extends the attack surface outward.

In some ways, these issues affect schools to a greater degree than they do other industries. For instance, bring your own device (BYOD) risk is one thing in a corporate environment, where employees can be educated in cyber-risk, but it's an entirely different beast at schools, where those devices belong to children.

Or, consider QR codes. According to Microsoft's telemetry, more than 15,000 malicious phishing and spam messages are directed to educational institutions every day, with so-called "quishing" on the rise.

In open and collaborative environments like schools, "defenses that typically would be in place to help reduce the noise and create more effective defenses don't always work," explains Corey Lee, security chief technology officer (CTO) for Microsoft's M365 Security.

Schools tend to pass around lots of QR codes, but lack the same rigor in vetting the messages they travel with. "A lot of that has to do with the fact that email filters are not the same in education environments. Post-detection and response capabilities aren't always the same in education environments. So when we have business email compromise attacks that use advanced lures like QR codes, it becomes very hard to detect and respond to," Lee says.

**Taking Hackers to School**

In 2021, Oregon State University experienced a cyberattack "unlike anything before," Microsoft wrote. In the aftermath, it established its own security operations center.

A number of universities have done the same, or more. Louisiana State University (LSU), the University of Cincinnati, and California Polytechnic State University all operate SOCs. In Texas, the state's Department of Information Resources (DIR) oversees a Regional Security Operations Center in collaboration with Angelo State University in San Angelo.

"Education, as a sector, doesn't necessarily have lots of advanced personnel just sitting around, not doing anything. Oftentimes, \[security staff\] wear multiple hats, and they're limited," Lee explains. Luckily, universities have a significant, untapped pool of potential talent waiting to be activated.

"The challenge oftentimes is being addressed by scaling through students — being able to activate students to help them join in on the fight and be effective and efficient security defenders for the school."

Student-staffed SOCs serve multiple functions at once: not only helping to protect universities, but also other nearby educational, government, or even private organizations, all while training a new generation of cybersecurity talent. As Lee says, "They're helping to address the security skill shortage, while defending home base."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft: BYOD, QR Codes Lead Rampant Education Attacks

All across the Asia-Pacific region, large and diverse marketplaces for AI cybercrime tools have developed, with deepfakes proving most popular.

Source: dpa picture alliance via Alamy Stock Photo

Artificial intelligence-powered cyberattacks are rising exponentially in the Asia-Pacific region, particularly those involving deepfakes.

The United Nations Office on Drugs and Crime (UNODC) tracked a panoply of AI threats in its new report covering cybercrime in Southeast Asia. Cybercrime gangs have been using generative AI (GenAI) to create phishing messages in multiple languages, chatbots that manipulate victims, social media disinformation en masse, and fake documents for bypassing know-your-customer (KYC) checks. They've been using it to power polymorphic malware capable of evading security software, and to identify ideal targets, among other nefarious activities.

The standout threat, though, is deepfakes. From February to June 2024, UNODC tracked a 600% increase in mentions of deepfakes in cybercriminal Telegram channels and underground forums. And that's above and beyond the heavy activity from 2023, when deepfake crimes rose more than 1,500% compared with the year prior, and face swap injections rose 704% in the second half of the year compared with the first.

**Deepfake Attacks Proliferate**

Cybersecurity leaders in the Asia-Pacific are, like those around the world, anticipating a wave of AI-driven cyber troubles. In an Asia-focused Cloudflare survey published on Oct. 9, 50% of respondents said they expect AI will be used to crack passwords and encryption, 47% expect it will boost phishing and social engineering, 44% think it will boost distributed denial-of-service (DDoS) attacks too, and 40% see it being used to create deepfakes and support privacy breaches.

Most, if not all, of those concerns, though, are no longer theoretical, as some organizations can attest.

In January, for example, an employee at the Hong Kong office of Arup, a British engineering firm, received an email purporting to come from the company's chief financial officer (CFO) in London. The CFO instructed the employee to conduct a secret financial transaction. The employee later joined a videoconference with the CFO and other participants purporting to be from senior management, all of whom were, in fact, deepfakes. The result: In May, Arup reported losing 200 million Hong Kong dollars ($25.6 million).

Deepfakes of major political figures have spread widely, like the fake video and audio recordings of Singapore's prime minister and deputy prime minister in December 2023, and the fake video this past July showing a Southeast Asian head of state with illicit drugs. In Thailand, a female police officer was deepfaked in a campaign tricking victims into thinking they were speaking with actual law enforcement.

According to UNODC, half of all deepfake crimes reported in Asia in 2023 came from Vietnam (25.3%) and Japan (23.4%), but the most rapid rise in cases came from the Philippines, which experienced 4,500% more in 2023 than 2022.

It's all underpinned by a large ecosystem of malicious developers and buyers, on Telegram and in even shadier corners of the Deep Web. UNODC identified more than 10 deepfake software vendors that specifically serve cybercriminal groups in Southeast Asia. Their offerings sport the latest and greatest in deepfake tech, like Google's MediaPipe Face Landmarker — which captures detailed facial expressions in real time — the You Only Look Once v5 (YOLOv5) object detection model, and much more.

**Why Asia Suffers**

Though AI-driven cybercrime threatens organizations in every part of the world, it enjoys some particular advantages in Asia.

"Southeast Asia is very densely populated, and a large portion of the population doesn't know English, or English is not their first language," notes Shashank Shekhar, managing editor at India-based CloudSEK. The typical signs that might indicate a scam to a native English speaker might not translate to a non-native speaker. Besides that, he notes, "A lot of people are unemployed, looking for jobs, looking for opportunity."

Desperation has the effect of lowering victims' defenses. "There are some kinds of scams which only work well in this part of the world," says CloudSEK threat researcher Anirudh Batra. "Simpler scams are particularly prevalent because of the poverty that this region of the world has seen."

In the face of intractable socioeconomic forces, those old, tired lines about cyber education and hygiene may not feel like enough. Instead, cybercriminals will need to be stymied at the source: in those underground forums and channels where they trade their deepfake tools and cryptocurrency winnings. It's been done before.

"It's possible by collaborating: different countries coming together, sharing intelligence," Batra says. Though he warns, "Unless these guys are caught, another forum will come up tomorrow. It becomes really difficult to stop them, because the threat actors know that all three letter agencies are looking at the forums — everybody's crawling everything. So they keep a lot of backups. At any point of time, if \[their assets are\] seized, they'll start again with the mirror."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

AI-Powered Cybercrime Cartels on the Rise in Asia

Global Signal Exchange will act as a global clearing house for online scams and fraud signals.

Source: Photo by Photo Boy via Adobe Stock Photo

Google has announced Global Signal Exchange (GSE), a new project to facilitate the collection and sharing of data related to online scams and fraud. While the company is already blocking millions of attempted scams daily across all its products and services, this project will provide organizations with the necessary information they need to identify and block scams.

"We know from experience that fighting scams and the criminal organizations behind them requires strong collaboration among industry, businesses, civil society and governments to combat bad actors and protect users," wrote Amanda Storey, senior director of trust and safety at Google, and Nafis Zebarjadi, product manager of account security at Google, in a post announcing the project. 

Google is partnering with the Global Anti-Scam Alliance (GASA) and DNS Research Federation to launch GSE. The project will benefit from GASA's extensive network of stakeholders and expand on the DNS Research Federation's robust data platform, which already has over 40 million fraud signals. The company is providing the funding to launch GSE and will hold the centralized data engine on Google Cloud, the company said.

Participants will be able to share and ingest signals, while leveraging artificial intelligence to find patterns and match signals. GASA and the DNS Research Federation will manage access for qualifying organizations.

As part of a pilot program, GSE was able to share over 100,000 URLs of bad merchants and receive roughly 1 million signals. The company plans to start by sharing Google Shopping URLs that have already been flagged as scams and then eventually add data from other product areas.

"By joining forces and establishing a centralized platform, GSE aims to improve the exchange of abuse signals, enabling faster identification and disruption of fraudulent activities across various sectors, platforms and services," the company said.

Source

DARKReading