Cisco's TK Keanini and the NFL's Tomás Maldonado join Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about end-to-end security.

Whether you're locking down a network or facing fourth down with mere inches, resilience is key, according to Cisco's TK Keanini and Tomás Maldonado, CISO for the National Football League. In both cases, protection isn't optional — it's critical to ensuring smooth operations and success. Keanini and Maldonado also talk about the elements of successful partnering where design, implementation, and operation of the NFL's end-to-end security platform are concerned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How to Secure a High-Profile Event Like the Super Bowl

Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.

RSA CONFERENCE — San Francisco — Security hygiene and software supply-chain/vendor risk have emerged as the top two security priorities for chief information security officers (CISOs) at medium-sized organizations, new research has revealed.

That's according to Forgepoint Capital, which surveyed CISOs across a spectrum of industries and sizes. For organizations with 50 to 1,000 employees, security hygiene is seen as particularly critical, according to the data.

"Most breaches are due to unpatched systems, misconfigurations, poor passwords, and other easily avoidable issues," the report, shared with Dark Reading at the 2022 RSA Conference this week, pointed out. "Typically, organizations of this size don’t have the budget to build multiple backups and failovers, with real scenarios where a security incident can put the company out of business."

That said, there was notable variance across industry segments. For instance, zero percent of respondents in the healthcare vertical cited security hygiene as a priority.

"It's not that they think that nurses don't need to worry about passwords," says Will Lin, managing director of Forgepoint. "It's that security responsibility is much more distributed than in other industries. If I'm, say, BlueCross BlueShield, I can't control the password requirements and security hygiene of all the subsidiaries I have. It's each one's own responsibility to do it. I have to prioritize what I can actually solve."

There's a different narrative for professional services firms, where more than 80% said security hygiene is a top focus.

"They're exactly the opposite from healthcare," Lin says. "They're responsible for the security of all their consultants. These are all my employees, I need to do it. So that's why it becomes the highest priority for this group."

**Cybersecurity Workforce Shortage**

Meanwhile, CISOs at organizations with less than 50 employees cited talent development and social-engineering awareness as their top two priorities, with the ongoing cybersecurity workforce shortage of particular concern.

"Talent departure and social-engineering attacks can have major ramifications," according to the report. "Due to the small size of their employee base, these companies can realistically affect more change by focusing on human capital than a large organization can. As companies grow larger, no matter how much access control is established, threat vectors will remain. Thus, the focus shifts from personnel to security automation and incident response."

When examining CISOs' views of security prioritization by industry, the survey found that all security professionals prioritize areas with the highest return on investment (ROI). For example, 50% of professional services companies marked security hygiene as an essential focus, but healthcare professionals are focused more on the software supply chain and third-party vendor risk, such as the security of connected medical devices, given its bigger tie to ROI in their field.

**Cloud Migration and Digital Transformation**

Forgepoint also found that cloud migration is driving security prioritization for medium-sized businesses in particular, with 73% of survey respondents noting that it's a factor in 75% or more of their efforts. In contrast, just 13% of very large businesses (more than 10,000 employees) and 43% of large businesses (1,000 to 10,000 employees) said the same. For businesses with fewer than 50 employees, half of them said the move to the cloud is driving 75% of their security choices.

"Very large companies, surprisingly enough, are actually the furthest behind cloud migration," Lin tells Dark Reading. "And the smaller companies are further along in cloud migration. The big companies have a lot of legacy infrastructure, so it's going to take them a much longer time to move to the cloud, while smaller companies are more cloud native, and they're trying to cut costs, which the cloud helps with."

Digital transformation also emerged as a top security motivator for CISOs in every industry except for professional services — likely due to the ongoing reality of remote working forcing businesses to embrace software-as-a-service and other corporate working apps.

This is driving a new security focus on securing application programming interfaces (APIs, cited by 62% of all respondents) and DevSecOps for embedding security into application development (cited by 54%).

**Areas of Control and Cyber Insurance**

Survey respondents said traditional access control areas like data security (40%) and identity (41%) are still top priorities for organizations. But more than a quarter (28%) of CISOs highlighted an emerging area, cyber insurance, as a top control area of interest.

With ransomware, malware, APTs, and other cyberattacks at all-time highs, organizations of all sizes are considering investing in cyber insurance — however, it's a painful process, Lin says, especially as many insurance firms don't cover ransomware incidents, and the application process can be onerous and dictate where precious security dollars are invested.

"The cost of cyber insurance is going up, and the coverage is going down," Lin says. "And perhaps most of all, the questionnaires that cyber insurance companies give companies to fill out in order to determine how expensive coverage will be don't provide a representational picture of how good of a bet insuring a company is."

For instance, many require companies to have multifactor authentication (MFA) on all accounts in order to qualify for affordable coverage — but its across-the-board implementation at the expense of other efforts (patching, for instance) may not be the best approach for defending the business.

"Companies themselves often don't know how effective their controls are, so how could a cyber insurance underwriter be predictive?" Lin says. "If the question is, do you have an MFA on everything, companies can never check yes to that. Because there are some places where you can't have MFA. It's just not physically possible. Or, in some cases the app that's doing all the authentication might not have an MFA feature enabled. So they have to click no, and when they do, they immediately see a premium increase."

Meanwhile, just 24% of all respondents cited monitoring threat intelligence as a priority — which is a function of it being perceived as difficult to operationalize, Lin says.

"The key issue is, even like organizations like Google have no idea what to do with all of the telemetry and data," Lin said. "Companies simply have a tough time figuring out what to do with their threat intel — it's just the actionability of it."

Overall, the survey also found that three-quarters (76%) of CISO survey respondents say they expect security budgets to increase this year.

"As cybersecurity budgets increase, it’s expected that budgets will become more flexible to accommodate new and emerging products that defy the limitations of the currently identified categories," Forgepoint concluded.

In a Quickly Evolving Landscape, CISOs Shift Their 2022 Priorities

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Another week, another conference. We’re heading a few miles southeast from San Francisco to Las Vegas for Cisco Live. I hope everyone had a safe, healthy and enjoyable RSA, but the fun isn’t over just...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Another week, another conference. We’re heading a few miles southeast from San Francisco to Las Vegas for Cisco Live. I hope everyone had a safe, healthy and enjoyable RSA, but the fun isn’t over just yet. 

We’ve got another week chock full of talks, meet-and-greets, podcasts and much more at Cisco Live this week. Come find us at the center of the Cisco Secure booth where we have something awesome planned (it’s a surprise!). I’ve also got a few other highlights from Talos at Cisco Live to know about this week.  

I’ll personally be giving my first-ever talk at the Cisco Secure Pub on Wednesday, so come by and say hi and tell me how much you love the newsletter.  

**Cisco Secure Pub **

The best place to find us is at the Cisco Secure Pub on the show floor. The Pub will be serving coffee in the morning and alcoholic drinks in the afternoon. Every day, we’ll be represented in lightning talks at the booth on a wide variety of topics, including Talos’ work in Ukraine, securing industrial control systems and a look back at Log4j. 

And since this is my newsletter, I’m also going to plug my talk on Wednesday at 2:30 p.m. local time when I’ll be discussing disinformation and propaganda campaigns in the age of social media, especially as it relates to Russia’s invasion of Ukraine. 

**Talos Insights: The State of Cybersecurity **

This is our annual overview of the threat landscape, this year delivered by Nick Biasini from our Outreach team. In this talk on the 15th, Nick will talk about the threats and trends Talos has uncovered in the past 12 months and provide the technical details on how they operate. Use the Cisco Live Session Catalog for more details on location. 

**Interactive sessions **

Talos and Cisco Talos Incident Responses are hosting several interactive sessions throughout the conference where attendees will get a chance to work face-to-face with our researchers and work hands-on with Cisco Secure products. 

I’ve created a personal filter here in the Session Catalog so you can easily find all our interactive sessions throughout the week.    

**The one big thing **

Attackers are actively exploiting a zero-day vulnerability in Atlassian Confluence Data Center and Server to execute remote code on targeted machines. The attacks delivered several payloads, including the in-memory BEHINDER implant as well as web shells, including China Chopper. In addition to the initial attacks outlined in the report, researchers confirmed additional, continued exploitation is ongoing. There is now a Proof of Concept (PoC) available so exploitation could increase in the near term.  

> **Why do I care? **If an attacker exploited this vulnerability, they could completely take over the targeted host and execute remote code on the targeted machine. And although a patch is available for this vulnerability, many instances remain unpatched, and reports continue to pour in that attackers are using exploit code available in the wild. This is all a bad recipe for a vulnerability that I relatively easy for attackers to exploit and we know they’re scanning for. Attackers are also exploiting this issue to spread China Chopper, a longstanding malware that can act as a backdoor on targeted machines and essentially be a backup plan for threat actors to retain access.    
> **So now what? **Atlassian has released a set of patches to mitigate the vulnerability. Enterprises are encouraged to test and apply the patch immediately to mitigate the ongoing attacks, patched versions include: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. Additionally, they have provided a series of steps to be performed to help mitigate the risk if the patches cannot be applied for any reason. Talos has also released several Snort rules that will detect attempts to exploit this vulnerability.  

**Other news of note**

Attackers are still exploiting the Follina vulnerability in the Microsoft Support Diagnostic Tool (MSDT) to deliver Qbot, AsyncRAT and other malware families. Attackers have used these malware families for many years and are not tied to one particular threat actor. If delivered successfully, Qbot can steal sensitive information from the targeted machine. Although no official patch is available still, Microsoft has provided several workarounds for users to disable MSDT. Office Pro Plus, Office 2013, Office 2016, Office 2019 and Office 2021 have been confirmed to be affected. (SecurityWeek, Security Boulevard)

Two million people could be affected by a data breach at a large Massachusets-based health care company. Shields Health Care, which provides management and imaging services, said it "became aware of suspicious activity" on its network on March 28 and immediately began investigating the incident. The company has not discovered any evidence that any information from the data breach has been used to commit identity theft or fraud. Potential at-risk information includes addresses, Social Security numbers, billing information, insurance information and other medical treatment information. (NBC 10 Boston, ABC News)

A new form of Linux malware known as "Symbiote" is "almost impossible" to detect, according to new research. Linux malware normally tries to compromise processes running on the machines, but Symbiote instead acts as a shared object library that gets loaded onto all running processes via LD\_PRELOAD. That library then acts as a parasite to compromise the target machine by embedding itself in the system, eventually providing attackers with rootkit functionality. (ZDNet, CSO Online)

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Talos EMEA monthly update: Business email compromise
*   Threat Roundup for May 27 - June 3  
    

  

**Upcoming events where you can find Talos ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada **

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  **MD5:** a087b2e6ec57b08c0d0750c60f96a74c  **Typical Filename:** AAct.exe  **Claimed Product:** N/A    **Detection Name:** PUA.Win.Tool.Kmsauto::1201 

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049   
**MD5:** 067f9a24d630670f543d95a98cc199df **Typical Filename:** RzxDivert32.sys **Claimed Product:** WinDivert 1.4 driver   
**Detection Name:** W32.B2EF49A10D-95.SBX.TG 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 **MD5:** 8c69830a50fb85d8a794fa46643493b2   
**Typical Filename:** AAct.exe **Claimed Product:** N/A    
**Detection Name:** PUA.Win.Dropper.Generic::1201

Threat Source newsletter (June 9, 2022) — Get ready for Cisco Live

Cisco's Jeetu Patel joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the power of information sharing.

RSA keynoter and Cisco executive Jeetu Patel talks to the Dark Reading News Desk about the power of information sharing, an integrated approach to security, and how to give users controlled, trusted access to applications and services. Patel also discusses the Security Poverty Line, how it impacts the state of cybersecurity, and how to elevate those who may fall below the line.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco Makes Resilience a Cornerstone of Security Strategy

The company's vision for the future of cloud security is based on simplified, horizontal coverage across multiple cloud platforms.

Networking giant Cisco has unveiled a plan to simplify security operations, including the debut of an open security platform called Security Cloud, conceived as a unified platform for end-to-end security across hybrid multicloud environments.

The platform offers threat prevention, detection, response, and remediation capabilities, as well as less-intrusive methods for risk-based authentication, including a Wi-Fi fingerprint.

Cisco is also emphasizing intelligent user and device identity verification checks that run continuously and in the background.

**Horizontal Coverage**

TK Keanini, CTO of Cisco Secure, explains that in an age where organizations are protecting assets across multiple clouds — be they Microsoft Azure, Amazon AWS, or Google Cloud Platform — security teams are struggling to provide uniform, horizontal coverage across this infrastructure.

"We're trying to abstract away networking and security to a layer that is completely horizontal across that which you protect — your compute and storage," Keanini says. "Where before, networking and security were sometimes living in those silos, we're now logically above it. We want to provide a function that's consistent and has the economics of cloud."

Featuring Cisco Meraki SD-WAN technology, the secure access service edge (SASE) subscription service Cisco+ Secure Connect Now streamlines deployment and management of SASE through a cloud-managed platform with a unified dashboard.

A unified Secure Client is designed to help simplify the streaming of Cisco Secure agents, including AnyConnect, Secure Endpoint, and Umbrella.

"With Secure Connect, we tried to basically abstract away the complexity and hand you an application experience," Keanini says. "We're going after a person who doesn't ever want to be a networking expert, or they just want the network to work, and they want to control it via an app."

Cisco is also leveraging the OpenID Foundation's Shared Signals and Events standards, including CAEP and RISC, to build session trust analysis by sharing information between vendors.

The company also has enhanced its Secure Cloud Analytics, which automatically promotes alerts into SecureX and maps those alerts to MITRE ATT&CK.

It also debuted the Secure Firewall 3100 Series, which features an AI-powered encrypted visibility engine, uses machine learning (ML) technology to uncover threats, and offers a custom security research service, called Talos Intelligence On-Demand.

Keanini says that the through line with all of these services, as well as with Cisco's Security Cloud vision, is simplicity — specifically, providing services that remove complexity for organizations and individuals.

"You're good if you provide security, but you're even better if you provide security and usability," he says. "If you're going to reach the common person that just never wants to be a security expert, you got to deliver an application experience. That's really simple."

Cisco Revamps Cloud Security Strategy With New Secure Access, SASE Portfolio

AI works best when security professionals and AI are complementing each other.

Artificial intelligence has advanced greatly in the past decade. On my phone, I'm reading Apple and Google news that is well-tailored to me, thanks to AI recommendation models. Self-driving cars are already picking up passengers for rides in downtown San Francisco.

The same transformation is happening in the cybersecurity world too. However, questions remain: Will AI replace security professionals? Or will AI still be as useful in the zero-trust era given that access is tightened to the minimum already?

AI was introduced to the center stage of the cybersecurity industry a few years ago, originally to tackle malware detection and anomaly detection use cases. We have come a long way to better understand both the usefulness and the limitations of applying AI to cybersecurity, especially in the zero-trust era.

**AI Is Still Needed**

First, a zero-trust architecture doesn't remove the need for AI. Though zero trust eliminates the attack surface and reduces the chance for the anomaly to happen, zero trust demands AI more.

Today, an enterprise user's security policy is typically that person's department security policy. Whether users are in a big or a small department, they all follow very similar, if not the same, security policy, including access control policy.

In the zero-trust era, we need a personalized, contextual, dynamic, and granular security policy — which is exactly what zero trust is about. Access control, for instance, is no longer based on simple rules but a set of complex policies based on your identity, your device, your posture, your intention, your risks, your content, and a lot of rich data points.

However, generating such complex, granular, and personalized policy _at scale_ can be very time-consuming if relying on human rules and heuristics. Different employees will use different applications and such application usage may need to evolve fast in a short period of time. AI is a critical technology to make such an intelligent and personalized security policy recommendation at scale.

At the same time, it is impossible for AI to capture or comprehend all the nuances and contexts of any complex environment, so AI may make recommendations that are suboptimal from experts' eyes. With ongoing human feedback, we can improve the AI model and its effectiveness.

**Threat Detection**

Second, zero trust gives the enterprise much tighter protection than it has had in the past, but no matter how tightened things are, there is always a weak link somewhere. Therefore, we want AI to assist with evasive and unknown threat detection and prevention.

Some evasive threats are undetected in time by conventional signature-based or sandbox technology. The SolarWinds supply chain attack is a good example. This global attack turned the SolarWinds Orion software into a weapon, subsequently gaining access to several government systems and thousands of private systems around the world. There was no involvement from any malware by the traditional definition, and it was hard to rely on any single layer of the conventional technology to detect such an attack ahead of time.

AI has a good potential to be the technology to do a better job with unknown threat detection because it can "predict" threats that have never been seen before.

Practically, we will want to layer multiple security technologies along with AI. For instance, in the case of malware, the tried-and-true approach of signature matching and sandbox will continue to play a key role. AI will complement greatly, but not displace, the conventional technology.

**Easily Understood**

Third, enterprise customers want to utilize AI in a way that is easily understood and digestible by security professionals. The "explainable AI" may not improve the AI model efficacy on the surface, but it will increase the adoption of AI significantly.

For instance, AI may be able to detect an unknown threat, but SecOps teams may want to see which family the threat belongs to before taking an action. For another example, AI may be able to generate intelligent and relevant security policy recommendations, but SecOps teams may still want to know the context of why certain recommendations are made before accepting them.

**Conclusion**

The cybersecurity industry needs AI to help reduce unknown attacks at scale and come up with granular and contextual security policies at scale to reduce the attack surface. We want the result to be explainable too.

AI-powered security tools and products are an amazing digital assistant to SecOps professionals. And professionals are assisting AI technology to advance, too, as we will need humans to verify many of the outputs and/or provide feedback for the AI model to improve.

AI is useful to scale the enterprise security functions, like more-intelligent policies and more-intelligent threat detection as discussed above. AI works best when security professionals and AI are complementing each other. In the end, AI is an assistant to security professionals and will not be a replacement for human effort for a long time to come.

How AI Is Useful — and Not Useful — for Cybersecurity

John Leyden 09 June 2022 at 15:18 UTC

APTs hammering unpatched vulnerabilities

Chinese state-sponsored attackers are placing a heavy reliance on known but commonly unpatched vulnerabilities to “establish a broad network of compromised infrastructure”, a US federal security agency warns.

While previously unknown (zero-day) vulnerabilities and novel exploits usually grab the most headlines, a joint advisory from the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warns that attacking “publicly known” flaws has become a mainstay of Chinese cyber-espionage.

**Hit list**

The advisory offers a list of network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020.

Flaws in small business-focused routers, SSL VPNs, and Network Attached Storage (NAS) devices from the likes of Cisco, Fortinet, Netgear and QNAP feature heavily on the list.

Some of the main attacks in play can achieve remote code execution (RCE) against unpatched systems while others achieve their aims by achieving authentication bypass or privilege elevation.

Catch up on the latest cyber-attack news and analysis

Chinese state-backed attackers are using publicly available exploit codes against virtual private network (VPN) services or public facing applications to hack into major telecommunications companies and network service providers, creating a platform for follow-up attacks.

Hacked systems “serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities”, according to the CISA’s advisory, which builds on previous US intel agency reporting.

By building a network of compromised systems that act as a platform for follow-up assaults, Chinese APTs are hiding or obfuscating the source of attacks, making detection and response more challenging.

Industry experts said that CISA’s latest advisory is designed to hammer home the importance of prompt patching.

**Slow patching peril**

Andrew Kahl, CEO of BackBox, commented: “Last month CISA released a joint advisory (PDF) that recommended prioritizing the patching of software containing known vulnerabilities.

“These two advisories within a month of each other indicates threat actors are increasingly targeting known vulnerabilities, because they understand many organizations are slow to implement patches.”

Kahl added: “One of the most common vectors for attackers is through known vulnerabilities that otherwise could have been patched. In fact, 87% of organizations have experienced an attempted exploit of an already-known, existing vulnerability.”

**Hiding in plain sight**

Terry Olaes, director of sales engineering at Skybox, said that CISA’s alert pointed towards a need to adapt enterprise vulnerability remediation strategies to provide better coverage for less severe but actively exploited vulnerabilities.

Prompt triage would help organizations to protect themselves against attacks from a wide range of potential adversaries.

“Cybercriminals are increasingly targeting known vulnerabilities hiding in plain sight and turning them into backdoors to deploy complex attacks that are increasing at record rates,” Olaes said.

“If organizations only rely on conventional approaches to vulnerability management, they may only move to patch the highest severity vulnerabilities first based on the Common Vulnerability Scoring System (CVSS).”

Olaes concluded: “Cybercriminals know this is how many companies handle their cybersecurity, so they’ve learned to take advantage of vulnerabilities seen as less critical to carry out their attacks.”

RELATED Behind the Great Firewall: Chinese cyber-espionage adapts to post-Covid world with stealthier attacks

Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns

SAN FRANCISCO – Today, in partnership with the Coalition to Reduce Cyber Risk (CR2), 37 companies and organizations have pledged to enhance cyber resiliency and counter evolving cross-border cyber threats such as the growth of ransomware. Signers to this groundbreaking pledge from eight countries have promised to:

·         encourage the development, evolution and implementation of risk-based approaches that rely on consensus-based standards and risk management best practices, such as ISO/IEC 27110 and 27103, or the NIST Cybersecurity Framework;

·         support efforts of our vendors and supply chain contributors to adopt risk-based cybersecurity approaches in order to help small businesses flourish while improving the resiliency of the cyber ecosystem;

·         incorporate ISO/IEC (or other widely accepted international) cybersecurity standards as a foundation of our cybersecurity policies and controls wherever applicable and feasible; and

·         periodically reassess our cybersecurity policies and controls against revisions to ISO/IEC cybersecurity standards and actively participate in industry-driven initiatives to improve those standards.

_“CR2 is committed to driving a globally-aligned approach for managing cyber risk. Thirty-Seven organizations from eight countries have signed the Cyber Risk Management Pledge, demonstrating the breadth of usage of international standards such as ISO/IEC 27110 and 27103, as well as the NIST Cybersecurity Framework and associated sector profiles.”_ said Benjamin Flatgard, President of CR2 and Executive Director of Technology and Cybersecurity Policy and Partnerships at J.P. Morgan Chase.  He added

_“Governments should embed widely used international standards at the core of their national cyber policies to facilitate a seamless approach to shared cyber risk.”_

For more information on the CR2 and the pledge, or if your company or organization is interested in joining the pledge, please visit https://www.crx2.org/

##

**Cyber Risk Management Pledge**

The signatories to this pledge understand that in order to enhance cyber resiliency and counter evolving cross-border cyber threats such as the growth of ransomware, we must enable the seamless implementation of risk-based approaches to cybersecurity around the world. 

Internationally recognized cybersecurity frameworks and standards that are based upon the principles of risk management and relevant across sectors support such implementation by strengthening consistency and continuity among interconnected sectors and throughout global supply chains. 

Increased and ongoing adoption of these frameworks and international standards by companies and governments around the world will mitigate cyber risks and facilitate economic growth. To further advance adoption of international approaches to cybersecurity risk management, we commit to:

·         Encourage the development, evolution and implementation of risk-based approaches based on consensus-based frameworks, standards and risk management best practices, such as ISO/IEC 27110 and 27103, or the NIST Cybersecurity Framework;

·         Support efforts of our vendors and supply chain contributors to adopt risk-based cybersecurity approaches in order to help small businesses flourish while improving the resiliency of the cyber ecosystem;

·         Incorporate ISO/IEC 27110 and 27103, the NIST Cybersecurity Framework, or other widely accepted international cybersecurity standards as a foundation of our cybersecurity policies and controls wherever applicable and feasible; and

·         Periodically reassess our cybersecurity policies and controls against revisions to such cybersecurity standards and actively participate in industry-driven initiatives to improve those standards.

A commitment to internationally recognized cyber risk management approaches and frameworks that are relevant across sectors can bring widespread economic benefits, help governments achieve their policy goals, bolster collective security, and enhance cyber resiliency across the ecosystem. 

AT&T

AWS

Cisco

Citrix

Cybastion Institute of Technology

Cybereason

Exiger

IBM

JP Morgan Chase

Lumen

Mastercard

Microsoft

NetScout

NTT

Palo Alto Networks

Rakuten Symphony

Redhat

Schneider Electric

Tenable 

Trellix

Verizon

Asia Internet Coalition (AIC)

BSA | The Software Alliance

Coalition of Service Industries (CSI)

Coalition to Reduce Cyber Risk (CR2) 

Cyber Risk Institute

CyberPeace Institute

Cybersecurity Coalition

The DCRO Institute

Health-ISAC

Information and Communications Technology Council (ICTC)

Information Technology Industry (ITI)

Telecommunications Industry Association (TIA)

U.S. Chamber of Commerce

United States Council for International Business (USCIB)

US-India Strategic Policy Forum (USISPF)

37 Major Companies and Organizations Pledge to Enhance Cyber Resiliency and Counter Evolving Global Threats

The latest edition of the Talos EMEA Monthly Update is available now on Cisco.com and Cisco's YouTube page. You can also view the episode in its entirety above.
For June, Hazel and Martin got together to discuss business email compromise. BEC has quickly become the most lucrative attack vector for...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

The latest edition of the Talos EMEA Monthly Update is available now on Cisco.com and Cisco's YouTube page. You can also view the episode in its entirety above.

For June, Hazel and Martin got together to discuss business email compromise. BEC has quickly become the most lucrative attack vector for threat actors, even surpassing ransomware. This episode provides a quick explainer of what BEC is and how organizations can be prepared for when, not if, this type of spam campaign comes for them.

Talos EMEA monthly update: Business email compromise

Compromised routers, VPNs, and NAS devices from Cisco, Citrix, Pulse, Zyxel, and others are all being used as part of an extensive cyber espionage campaign.

State-sponsored cyberattackers affiliated with China are actively building out a large network of attack infrastructure by compromising targets in the public and private spheres.

According to a joint alert from Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI, the attackers are targeting major telecom companies and network service providers with a set of exploits for known vulnerabilities in a variety of routers, VPNs, and other networking gear, as well as network-attached storage (NAS) devices.

The network devices are then being used as additional access points to route command-and-control (C2) traffic and act as midpoints to carry out network intrusions on other entities, according to the alert — all bent on stealing sensitive information.

The cyberattackers "typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based IP addresses resolving to different Chinese ISPs," the Feds noted. "The cyber-actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber-actors \[also\] use these hop points as an obfuscation technique when interacting with victim networks."

On the obfuscation front, CISA said it has observed the groups monitoring network defenders' accounts and actions, modifying their ongoing campaign as needed to remain undetected.

The groups also "often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network."

    

Commonly exploited bugs used by China-linked threat actors. (Source: NSA/CISA/FBI)

To avoid compromise, users should apply available patches, disable unnecessary ports and protocols, and replace end-of-life infrastructure, the agencies noted.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#cisco