CISA outlines how modern cybersecurity relies on network visibility to defend against threats and scams.

Source: The X FilePhoto via Adope Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and similar entities in New Zealand, has issued guidance on modern approaches to network access security. With the growing number of breaches and data incidents, organizations need to be thinking about, and planning to adopt, modern firewall and network access management technologies to gain visibility over the network.

CISA lays out three specific approaches its guidance: zero trust, secure service edge (SSE), and secure access service edge (SASE). The guidance also tackles remote access, virtual private network (VPN) deployment, and remote access misconfiguration, as well as threats and vulnerabilities associated with VPN and conventional remote access deployments.

*   Zero trust: Based on the principle "never trust, always verify," the zero-trust approach focuses on making sure users are authenticated, authorized, and validated before providing access to data and applications. Implementing zero trust can cut the risk of data breaches by around 50%, CISA said.
    
*   SSE: SSE combines features such as cloud access security brokers (CASBs), secure Web gateways (SWGs), and zero-trust network access (ZTNA). Organizations using SSE witnessed a 40% reduction in security incidents and a 30% improvement in network performance, CISA said.
    
*   SASE: SASE broadens SSE's functionality to provide users with secure, optimized access to data and applications, regardless of their physical locations. Deploying SASE improves network agility by 35% and reduces operational costs by 25%, according to CISA.
    

**Network Best Practices**

CISA and its partners also recommended ways to optimize network security:

*   Continuous monitoring and assessment: Organizations need to implement continuous monitoring to identify user activity and network traffic to detect and respond to threats in real time.
    
*   Multifactor authentication (MFA): As several recent breaches have shown, adding MFA for an extra layer of user authentication will help block many security threats.
    
*   Regular security audits: Look for vulnerabilities by conducting regular security audits and penetration testing on the network.
    

**About the Author(s)**

CISA Releases Guidance on Network Access, VPNs

By committing to build secure habits at work and in our personal lives, and to helping others do the same, our personal information will be much better protected.

Source: Aleksey Funtap via Alamy Stock Photo

COMMENTARY

In the world of cybersecurity, we often hear the saying, "It's not a matter of if, but when." While this is said mostly in reference to security breaches, it could also be used to remind us that secure social habits reduce the likelihood of those breaches happening in the first place.

Throughout my career in cybersecurity, I've observed a high level of security carelessness, even among security professionals. This is problematic because one individual's insecure behavior can cause others to be less secure as well. Remember the human behavior studies that showed the tendency to litter is higher if a person sees litter all around them? It's the same for cybersecurity. If we see insecure behaviors all around us, we are less motivated to improve security practices.

The good news is that change can truly happen, and it can start with one person: you.

**What Are Secure Social Norms, and Why Create Them?**

Social norms typically are informal, unwritten rules that guide acceptable behavior among members of a group or society. Secure social norms can be established at two levels: The general level that focuses on what everyone needs to know about protecting information, and the role-based level that pertains to groups of people performing specific tasks.

Consider the example of protecting personal identifiable information (PII). While organizations are bound to protect the personal information of their employees and customers, it is up to individuals to take action to secure their data, and to help others learn how to do so as well. Not doing this can lead to financial loss, identity theft, and so much more.

Security professionals have a unique opportunity to transform security awareness concepts into social norms and actions. By doing so, we elevate the security culture all around us. Now is the time to step up and become the team member who practices secure behaviors and inspires others to do the same.

**Steps for Establishing Secure Social Norms**

Below are some practices security practitioners can adopt to establish secure social norms for ourselves and everyone around us.

**1\. Make data security relatable and actionable.**

Launching a security awareness campaign that helps people understand PII in tangible, everyday terms can be a great way to teach people how to protect their personal data. Always use brief, clear language to explain security words and topics. When sharing tips and best practices, provide examples. And be sure to spell out the specific actions to take to be more secure, as well as the positive impact it can have.

**2\. Educate people on what constitutes PII and how to protect it.**

The more we use apps and websites, the more important it is to know how our personal information can be accessed, how it might be used, and when we should not share it. Below are some key examples to help develop a security mindset:

*   Safeguard the primary identifier. A Social Security number is the critical primary identifier of an individual within the United States. If you reside outside the US, find out what the primary identifier is for your country.
    
*   Protect your banking information. Your bank account number should be carefully protected. A stolen bank account number can be used to commit fraud on fintech platforms.
    
*   Know other elements that can be considered PII. Your IP address, school, and degree are all PII. When isolated, this information may not be used to identify you. However, when collected and used together, it can pinpoint you.
    
*   Set up multifactor authentication. Adding multifactor authentication is an easy way to protect your accounts. However, numerous organizations ask only for usernames and passwords. This lack of focus on using strong credentials is disappointing. Stolen PII can be used to take over an individual's identity in order to open bank accounts, apply for loans, and more. 
    
*   Beware of social engineering scams. Phishing messages from senders who impersonate close friends and family are common ways fraudsters target individuals. Read the Federal Trade Commission's guidance to learn how to protect yourself.
    
*   Build consistent and secure social norms at places you frequent often. You might not think about protecting your data when going to the supermarket. However, be wary when the checkout clerk asks for your phone number or email address. Don't be embarrassed to ask why they need this information. Develop a habit of being inquisitive about such requests.
    
*   Protect your data when seeking expert advice. If you are looking for professional support like tax or legal services, ask them how they protect your information. Some services may not have the bandwidth to focus on customer data security. Go with a reputable firm that has a lot at stake.
    
*   Safeguard protected health information (PHI). PHI is information in a medical record or designated record set that was created, used, or disclosed in the course of providing a health care service and can be used to identify an individual. 
    
*   Develop a habit of knowing the privacy policy of any website where you open an account. Most websites are required to ask how you want your data to be shared. Choose the option that protects you the most.
    
*   Obtain an identity protection service. It's a no-brainer. It's advisable to freeze your credit in all three credit bureaus: Equifax, Experian, and Transunion. This option is available free of charge and ensures that no new accounts can be fraudulently opened. It isn't sufficient to get protection from just one of the credit bureaus — you need all three.
    

**You Can Make a Difference**

We know much more about security today; the issue is that we don't act on it. If we commit to build secure habits and help others do the same, we can be much better protected. If we don't take action, the costs and its outcome will be significant. Instead of simply hearing about someone else's security breach, we will be the ones affected. Remember, it's not a matter of if, but when.

This content is not intended to provide tax, legal, or financial advice. Please consult your adviser with any questions.

**About the Author(s)**

Director of Information Security, BILL

Sriram Dandapani is a seasoned cybersecurity leader with a strong engineering background and a passion for executing enterprise-wide initiatives critical to the infrastructure. Sriram also enjoys mentoring early-in-career security practitioners and dedicates his time to building security awareness with the engineering community. Before joining BILL, Sriram held leadership and senior technical positions at Lifelock, Nimble Storage, and BT Counterpane. Sriram has a master's in computer science (data science) from the University of Illinois Urbana, Champaign, and has obtained the Stanford LEAD professional certificate for driving innovation and change.

Achieve Next-Level Security Awareness by Creating Secure Social Norms

PRESS RELEASE

DENVER — June 25, 2024 — Optiv, the cyber advisory and solutions leader, has published its 2024 Threat and Risk Management Report, which examines how organizations’ cybersecurity investments and governance priorities are keeping up with the evolving threat landscape. 

Based on an independent Ponemon Institute survey, the report reveals a 59% increase in cyber budgets year-over-year. Additionally, 63% of organizations with more than 5,000 employees had an average of $26 million allocated to cybersecurity investments in 2024.

The report shows a significant rise in data breaches and security incidents, with 61% of respondents experiencing a data breach or cybersecurity incident in the past two years, and 55% of respondents experiencing four or more incidents in that timeframe. These numbers highlight the urgent need for organizations to further prioritize cybersecurity investments and strategies.

Download the full report: 2024 Cybersecurity Threat and Risk Management Report

“Cyber incidents are not slowing down, which means organizations must work at a speed above those of the threat actors attacking their environments. As we see security budgets increasing, many organizations are also recognizing the need to make smart investments in process and governance assessments to ensure compliance,” says Jason Lewkowicz, executive vice president and chief services officer at Optiv. “Establishing a more consistent, strategic approach to security technology, process and people management will be essential for organizational risk management and resilience.”

Additional key findings include:

*   Security Tool Overload — While organizations are investing in more technologies, 40% of respondents believe they have too many, hindering overall effectiveness. By contrast, only 29% feel that they have the right number of tools. This underscores the need for a strategic approach to cybersecurity investment, focusing on streamlining existing tools and ensuring a seamless technology stack integration.
    
*   Top Investment Areas — The top three areas of investment for 2024 cybersecurity budgets are internal security assessments (60%), identity and access management (IAM) programs (58%) and the acquisition of additional cybersecurity tools (51%).
    
*   Lack of Formal Budgeting Practices — Despite increasing budgets, only 36% of respondents have a formal approach to determining cybersecurity budgets. This lack of formal budgeting practices can lead to inefficiencies and missed opportunities to address critical security gaps.
    
*   Rising SOAR Adoption — The use of security orchestration automation and response (SOAR) technology is increasing, with 73% of respondents leveraging SOAR to automate incident response activities. This automation can help security teams respond more efficiently to threats. 
    

Artificial intelligence (AI) and machine learning (ML) capabilities are another growing focal area for cybersecurity organizations looking for ways to accelerate their threat detection, prevention and process automation capabilities to keep up with threat actors who are also using these tools.

More companies are leveraging AI in the form of use and prevention:

*   44% of respondents use AI/ML to prevent cyberattacks
    
*   35% purchased use-case specific tools
    

*   34% use automated processes and audits
    

Optiv’s report delves deeper into best practices employed by high-performing organizations, offering valuable insights for those seeking to strengthen their cyber defenses. It also explores additional challenges, such as the inconsistency of cybersecurity incident response plans (CSIRPs), navigating cyber insurance/governance requirements and the need for improved communication of cybersecurity risks to senior management.

“Our independent research for Optiv reveals the positive steps organizations are taking to reduce risk, while also addressing the challenges they face in the evolving cyber threat landscape,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Part of the complexity organizations continue to face in dealing with threats is due to the number of ineffective technology tools. Recognizing this, IT professionals and senior leadership are becoming more cognizant of the importance in strengthening their security posture, resulting in the increase of cybersecurity budgets and allocating funds based on proven effectiveness in reducing security incidents.”

Findings from Optiv’s report are based on responses from 650 IT and cybersecurity professionals.

For the latest news and updates from Optiv, visit https://www.optiv.com/company/optiv-newsroom.

You May Also Like

Optiv Report Shows Nearly 60% Increase in Security Budgets as Most Organizations Report Cyber Breaches and Incidents

In this Black Hat USA preview, scholar Jason Healey examines strategies for measuring and shifting the balance of cyber defense.

Source: Ronstik via Alamy

Defenders are perpetually playing catch-up to attackers. For every security innovation or new technology introduced, cybercriminals develop just as many tricks to bypass them. This ongoing struggle will be the focus of an upcoming presentation at Black Hat USA 2024, this August in Las Vegas, by Jason Healey, a senior research scholar at Columbia University.

"For over 50 years, we've known that the red team always gets through," Healey says. "Despite the billions of dollars spent, thousands of patents filed, and countless hours worked, defense hasn't notably improved relative to offense."

Last year's publication of the US National Cybersecurity Strategy marked a significant milestone, setting a new goal to enhance defense at the largest scale and least cost. However, Healey argues that progress means little without measurable indicators to determine whether defense is gaining relative advantages over offense.

Healey's session at Black Hat — titled "Is Defense Winning?" — will introduce several key indicators to assess whether the balance is shifting in favor of defense.

"Many of these indicators, such as changes to mean time to detect \[MTTD\], are already collected by the community," he says. "Others, like measuring the mean time between catastrophes, might need to be fresh."

Drawing parallels with climate change metrics, Healey says there is a need for a similar holistic approach to security as well.

"Just as climate experts track CO2 levels and temperature changes, we need macro-level indicators to understand cyberspace as a whole," he says.

**Measuring Success in Cyber Defense**

Healey played a role in drafting the National Cybersecurity Strategy, which incorporates the concept of defensibility and leverage. He believes systemic changes, such as automated updates, over individual actions, like user education or isolated security measures, will be more important in affecting change for defenders.

"We need to find areas where the smallest turn of the screwdriver will have the largest impact," he says.

One of the critical challenges Healey addresses is how to measure success in cyber defense. He proposes several propositions and indicators to gauge progress, including the ability of threat actors to adapt their tactics, techniques, and procedures (TTPs).

"We would want to see them having to rapidly change their TTPs because we're thwarting them," he says.

Healey also calls for the cybersecurity community to leverage existing reports, such as Verizon's annual data breach report and Google's zero-day reports, to establish defensibility metrics.

"Companies like Veracode already report relevant metrics, but they need to be presented in time series to track trends," he says.

**Achieving New Indicators for Defense**

Healey's ultimate goal is to inspire the cybersecurity community to strive for measurable improvements. His presentation aims to spark a crucial conversation about the effectiveness of current strategies and the importance of setting tangible goals, challenging attendees to reflect on their collective impact.

"We need to set reasonable targets, like reducing the mean time to detect and dwell time to less than 24 hours by 2030," Healey says. "Are we actually making the difference we say we want to have in the world?"

By introducing new indicators and drawing on lessons from other fields, Healey aims to equip defenders with the tools they need to shift the balance in their favor. The date and time for Healey's presentation will be published soon.

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Is Defense Winning? A Look at Decades of Playing Catch-up

PRESS RELEASE

SANTA CLARA, Calif., June 25, 2024 /PRNewswire/ -- Netskope, a leader in Secure Access Service Edge (SASE), today published new global research that finds that shifts in the cyber threats landscape have changed the way today's Chief Information Security Officers (CISO) evaluate their business' risk appetite. Specifically, 92% of CISOs report that these changes are creating tensions with their CEO and other members of the C-suite, and two-thirds (66%) say they are "walking a tightrope" between what the business wants and what makes sense from a security perspective.

The research surveyed more than 1,000 CISOs around the world to explore the evolution of the CISO role as a strategic member of the executive team. Contradicting legacy stereotypes of the CISO as inherently risk averse, only 16% of today's CISOs classified their current risk appetite as low. In fact, CISOs see their CEOs as much more risk averse than themselves, with twice as many respondents (32%) perceiving their CEO as having a low-risk appetite.

Other findings expand upon the changing role of the CISO:

*   Over half of the CISOs who participated in the research (57%) said their appetite for risk has increased in the last five years. This may be despite the increasing volume and sophistication of cyber threats, or because of it: 74% state that a first-hand experience of a cyber security incident was important in impacting their risk comfort levels.
    
*   Better access to data and analytics (76%) was the top reason given for their shift in risk appetite.
    
*   Two thirds of CISOs (65%) now describe their responsibility in terms of improving business resilience, rather than managing cyber risk.
    
*   However, 23% of participating CISOs strongly agree that other members of the C-suite currently fail to see that the CISO role makes innovation possible.
    

The rise of the progressive CISO

Two thirds (65%) of CISOs surveyed believe the CISO role is changing rapidly, and they report becoming more proactive and progressive, a trend driven by the adoption of modern technology that creates new possibilities for driving innovation and business impact: 

*   Just 36% of CISOs see themselves playing a "protector" role primarily focused on defending the organization.
    
*   In contrast, 59% of CISOs now consider themselves to be business enablers, with 67% stating that they want to play an even more active role going forward.
    
*   66% wish they could say "yes" to the business more often.
    

James Robinson, Netskope's own CISO commented:

"The research makes it clear that CISOs are generally hungry to play a more proactive role that enables innovation while also protecting the business. In my experience, the best way to make CISOs more proactive partners across the C-suite is to gain deep understanding of the business challenges C-suite colleagues are focused on solving and align those to security strategies, rather than attempt to assert security strategy - or individual technology choices - on what is perceived to be C-suite risk appetite."

"Too often this alignment doesn't occur among enterprise teams. But CISOs who are able to define the ways in which they are helping their C-suite peers to acquire new revenues, drive efficiencies, and navigate regulatory requirements will be recognized as valuable contributors at the highest levels." 

Discussing the research, Steve Riley, Field CTO at Netskope, said:

"With business technology and cyber threats evolving at a faster pace than ever, it is encouraging to see that CISOs are increasingly progressive in their thinking. CISOs clearly no longer feel the need to lock down access completely if it is to the detriment of the business."

"However, our findings show that the wider C-suite is not always ready for CISOs to break out of their traditional role as the protector of the business. To truly enable secure innovation and business transformation, security leaders need to bring their colleagues on the journey with them and help them to understand how buzz phrases like zero trust actually contribute to strategies that strike a balance between staying secure and getting work done."

The research was conducted on behalf of Netskope by Censuswide and interviewed 1,031 CISOs worldwide across five markets (UK, North America, France, Germany, Japan) in a wide range of sectors including healthcare, retail, finance, and industry.

Please find the full report including additional insights into CISOs attitudes of industry trends here.

About Netskope  
Netskope, a global SASE leader, helps organizations apply zero trust principles and AI/ML innovations to protect data and defend against cyber threats. Fast and easy to use, the Netskope One platform and its patented Zero Trust Engine provide optimized access and real-time security for people, devices, and data anywhere they go. Thousands of customers trust Netskope and its powerful NewEdge network to reduce risk and gain unrivaled visibility into any cloud, web, and private application activity—providing security and accelerating performance without trade-offs. Learn more at netskope.com.

CISOs Growing More Comfortable With Risk, But Better C-Suite Alignment Needed

PRESS RELEASE

CAMBRIDGE, Mass., June 25, 2024 /PRNewswire/ -- Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, announces the company has completed its acquisition of application programming interface (API) security company, Noname Security. On May 7, Akamai announced an agreement between the two parties for Akamai to acquire the company in exchange for approximately $450 million.

Noname, one of the top API security vendors in the market, is expected to accelerate Akamai's ability to meet growing customer demand and market requirements as the use of APIs continues to expand. Specifically, Akamai will be able to extend protection across all API traffic locations, no matter the business, integration, or deployment requirements customers may have. Akamai also expects to gain greater scale with Noname's additional sales and marketing resources, and established channel and alliance relationships.

For more information, visit the Akamai application and API security page and the Akamai blog.

About Akamai

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away. Learn more about Akamai's cloud computing, security, and content delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on X, formerly known as Twitter, and LinkedIn.

You May Also Like

Akamai Completes Acquisition of API Security Company Noname

Microsoft, OpenAI, Google, Meta genAI models could be convinced to ditch their guardrails, opening the door to chatbots giving unfettered answers on building bombs, creating malware, and much more.

Source: jefftakespics2 via Alamy Stock Photo

A new type of direct prompt injection attack dubbed "Skeleton Key" could allow users to bypass the ethical and safety guardrails built into generative AI models like ChatGPT, Microsoft is warning. It works by providing context around normally forbidden chatbot requests, allowing users to access offensive, harmful, or illegal content.

For instance, if a user asked for instructions on how to make a dangerous wiper malware that could bring down power plants, most commercial chatbots would first refuse. But, after revising the prompt to note that the request is for "a safe education context with advanced researchers trained on ethics and safety" and to provide the requested information with a "warning" disclaimer, then it's very likely that the AI would then provide the uncensored content.

In other words, Microsoft found it was possible to convince most top AIs that a malicious request is for perfectly legal, if not noble, causes — just by telling them that the information is for "research purposes."

"Once guardrails are ignored, a model will not be able to determine malicious or unsanctioned requests from any other," explained Mark Russinovich, CTO for Microsoft Azure, in a post today on the tactic. "Because of its full bypass abilities, we have named this jailbreak technique Skeleton Key."

He added, "Further, the model's output appears to be completely unfiltered and reveals the extent of a model's knowledge or ability to produce the requested content."

**Remediation for Skeleton Key**

The technique affects multiple genAI models that Microsoft researchers tested, including Microsoft Azure AI-managed models, and those from Meta, Google Gemini, Open AI, Mistral, Anthropic, and Cohere.

"All the affected models complied fully and without censorship for \[multiple forbidden\] tasks," Russinovich noted.

The computing giant fixed the problem in Azure by introducing new prompt shields to detect and block the tactic, and making a few software updates to the large language model (LLM) that powers Azure AI. It also disclosed the issue to the other vendors affected.

Admins still need to update their models to implement any fixes that those vendors may have rolled out. And those who are building their own AI models can also use the following mitigations, according to Microsoft:

*   Input filtering to identify any requests that contain harmful or malicious intent, regardless of any disclaimers that accompany them.
    
*   An additional guardrail that specifies that any attempts to undermine safety guardrail instructions should be prevented.
    
*   And output filtering that identifies and prevents responses that breach safety criteria.
    

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Dangerous AI Workaround: 'Skeleton Key' Unlocks Malicious Content

The vulnerability affects not only AirPods, but also AirPods Max, Powerbeats Pro, Beats Fit Pro, and all models of AirPods Pro.

Source: Hoor Aloraidh via Alamy Stock Photo

Apple released its latest firmware update for its AirPods products to address a vulnerability that could give a threat actor unauthorized access.

The vulnerability is tracked as CVE-2024-27867 and affects AirPods (second generation and later) and AirPods Pro (all models), as well as AirPods Max, Powerbeats Pro, and Beats Fit Pro.

"When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," reported Apple in an advisory.

To fix for the issue, Apple said that an "authentication issue was addressed with improved state management" in AirPods firmware update 6A326, AirPods firmware update 6F8, and Beats firmware update 6F8. These firmware updates are automatically delivered to a user's device while the headphones or AirPods are in Bluetooth range of an iPhone, iPad, or Mac.

Apple credited Jonas Dreßler for the discovery of the flaw as with well as reporting the bug to the company.

**About the Author(s)**

Apple AirPods Bug Allows Eavesdropping

The site is supplying malicious code that delivers dynamically generated payloads and can lead to other attacks, after a Chinese organization bought it earlier this year.

Source: Bleakstar via Shutterstock

A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. The malicious activity follows the sale of the domain polyfill\[.\]io to a Chinese organization earlier this year.

Security researchers are warning that the cdn\[.\]polyfill\[.\]io domain has been compromised to serve malicious code in scripts to end users in a widespread attack. The site allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user's browser.

Researchers from security monitoring firm c/side sounded the alarm about the attack in an advisory by founder Simon Wijckmans warning website owners to "check your code for any use of the polyfill\[.\]io domain and remove it from your applications."

"This attack places an estimated +100k websites at immediate risk," he wrote. "When a once-safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors."

**Dynamically Generated Payloads**

Specifically, researchers discovered malicious, obfuscated code that "dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution" being injected into devices via websites using cdn\[.\]polyfill\[.\]io, Wijckmans wrote.

"In some instances, users receive tampered JavaScript files, which include a fake Google Analytics link," he wrote. "This fake link redirects users to various sports betting and pornographic websites, seemingly based on their region."

Given that the malicious code is JavaScript, it also could "at any moment introduce new attacks like formjacking, clickjacking, and broader data theft," Wijkmans noted.

**Polyfill Users Were Forewarned**

Polyfill users were already clued in back in February of the potential for malicious activity and were advised to stop using the polyfill\[.\]io domain after it was purchased by Funnull, a Chinese company. Following the sale, the developer of the open source Polyfill project, Andrew Betts, urged users in a post on X to remove references to the content delivery network (CDN), in part because he never owned the site.

"I created the Polyfill service project but I have never owned the domain name and I have had no influence over its sale," he wrote.

A site called Pollykill was even created on Feb. 27 "to bring awareness to a major JavaScript supply chain vulnerability," since Polyfill was sold and all Polyfill traffic was pointed "to the Baishan Cloud CDN."

Pollykill also provides users with alternatives to using the site to deliver JavaScript to their websites, warning users of the "many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application."

"They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the Web browser," according to the site.

**Immediate Action Required**

Supply chain attacks that compromise website scripts and other code that's used widely across applications or Web properties are serious business, which means anyone using Polyfill needs to take action now, Wijkmans said.

"Third-party resources are in a very powerful position and thus a high value target for bad actors," he wrote, adding that CDNs hosting third-party scripts are especially subject to attack.

However, one thing that's important to note is that "the Polyfill service itself is still solid," Wijkmans said. "You can host your own version in a safe and controlled environment without issue."

As the problem lies in the domain cdn\[.\]polyfill\[.\]io, it should immediately be removed from any site using it. Moreover, threat feeds currenty don't flag the domain, so administrators should not rely on that, Wijkmans added.

The Polykill website also advises developers to use a code search tool or integrated development environment (IDE) to search for instances of the malicious domain in source code across all projects within an organization. It cites resources by the developer community Fastly Connect that also can help them secure websites that use Polyfill; these include polyfill-fastly\[.\]net and polyfill-fastly\[.\]io, which are free drop-in replacements for polyfill\[.\]io in a website's code.

Fastly’s fork of the open source code 223 also can be used to self-host the service to maintain full control over the code delivered to users, according to Fastly.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites

The high-end retailer is the latest company to confirm it was affected by the wide-ranging Snowflake data breach, which impacted more than 165 organizations.

Source: mauritius images GmbH via Alamy Stock Photo

Luxury department store chain Neiman Marcus confirmed that nearly 65,000 customers were impacted by the theft of its database during recent attacks on the cloud-based data warehousing platform Snowflake.

In a notification filed with the Office of the Maine Attorney General, Neiman Marcus revealed it learned in May of the attack, part of a series of attacks on the data platform between April and May.

"Based on our investigation, the unauthorized third party obtained certain personal information stored in the database platform," Neiman Marcus cautioned in the statement.

As reported by Hackmanac, the attacker known as "Sp1d3r" allegedly sold the stolen information for $150,000 after accessing the company's Snowflake account credentials.  

"The types of personal information affected varied by individual, and included information such as name, contact information, date of birth, and Neiman Marcus or Bergdorf Goodman gift card number(s) (without gift card PINs)," the statement continued.

Overall, more than 70 million transactions, 50 million customer emails, and 12 million gift card numbers were up for sale, along with employee info, and customer shopping data.

With the Dallas-based department store catering to high-end customers, "Sp1d3r" was quick to mention the data included "High Value Rich Targets! Big Spenders!"

This is not the first time the company has been victim of a data breach. In an attack in May 2020, the personal information of around 4.6 million online customers was exposed.

Neiman Marcus became aware of the breach — and then notified those affected — only more than a year later.

**Strengthening MFA a Must**

The admission by Neiman Marcus is the latest fallout from the Snowflake breach reported earlier this month, which impacted data belonging to at least 165 organizations, including Ticketmaster and Santander Bank.

A Mandiant investigation into the account compromises revealed the breaches occurred due to customers failing to implement multifactor authentication (MFA) and proper access control.

The financially motivated threat actor was identified as UNC5537 and accessed accounts using valid credentials obtained from other sources.

Dirk Schrader, vice president of security research at Netwrix, says organizations should embrace the use of MFA and password management solutions, implement a just-in-time privilege approach to identity security, and ensure detailed monitoring.

"MFA ensures another level of identification between a malicious actor and access to an organization's system, making it much more difficult to compromise identities," he explains.

A password-management solution helps ensure the use of complex, hard-to-crack passwords in place, restricts reusing passwords for multiple accounts, and relieves users from the burden of remembering them.

"For sensitive systems, organizations should go for just-in-time access management so that accounts only exist as long as they are needed, drastically reducing an attacker's options for credential abuse," Schrader adds.

Gunnar Braun, technical manager at Synopsys Software Integrity Group, says the incident demonstrates that literally every company is a potential target for an attack, and every organization that stores data in any shape or form must take measures to protect that data.

"Retailers are likely an easier target, as they are not subject to strict security regulations and often have a lower IT investment," he says.

He says for Neiman Marcus — and all other Snowflake customers — it comes down to protecting their credentials, like everyone should do for their PayPal, Gmail, and any other accounts.

Darren Williams, CEO and founder of BlackFog, warns the long-term effects of the breaches is unfortunate for customers, given how data is often leveraged for many years to come and sold on the Dark Web.

"The fact that Neimans failed to pay the ransom, while a good approach, has forced the attackers to make revenue other ways by selling the data online and targeting individuals," he says. "Unfortunately, most organizations are still unprepared to deal with these types of attacks."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Source

DARKReading