Red Hat Security Advisory 2023-1202-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include denial of service, integer overflow, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:1202-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1202  
Issue date:        2023-03-14  
CVE Names:         CVE-2022-3564 CVE-2022-4269 CVE-2022-4378   
                   CVE-2022-4379 CVE-2023-0179 CVE-2023-0266   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: use-after-free caused by l2cap_reassemble_sdu() in  
net/bluetooth/l2cap_core.c (CVE-2022-3564)

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

* kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading  
to remote Denial of Service attack (CVE-2022-4379)

* kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan  
(CVE-2023-0179)

* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF  
(CVE-2023-0266)

* kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
(CVE-2022-4269)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* RHEL9:[P10] With Guest Secure Boot and lockdown enabled, DLPAR operations  
can't be done (Rainier) (BZ#2107480)

* [RHEL 9.0] LTP Test failure and crash at fork14 on Sapphire Rapids  
Platinum 8280+ (BZ#2133084)

* RHEL9.0 - boot: Add secure boot trailer (BZ#2151529)

* 'date' command shows wrong time in nested KVM s390x guest (BZ#2158816)

* Kernel FIPS-140-3 requirements - part 3 - AES-XTS (BZ#2160176)

* RHEL 9.0.0 soft quota cannot exceed more the 5 warns which breaks timer  
functionality (BZ#2164263)

* In FIPS mode, the kernel should reject SHA-224, SHA-384, SHA-512-224, and  
SHA-512-256 as hashes for hash-based DRBGs, or provide an indicator after  
2023-05-16 (BZ#2165131)

* [RHEL 9] FIPS: deadlock between PID 1 and "modprobe  
crypto-jitterentropy_rng" at boot, preventing system to boot. (BZ#2167762)

Enhancement(s):

* [Intel 9.2 FEAT] [SPR] CPU: AMX: Improve the init_fpstate setup code  
(BZ#2168383)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2150272 - CVE-2022-4269 kernel: net: CPU soft lockup in TC mirred egress-to-ingress action  
2150999 - CVE-2022-3564 kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c  
2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
2152807 - CVE-2022-4379 kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading to remote Denial of Service attack  
2161713 - CVE-2023-0179 kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan  
2163379 - CVE-2023-0266 ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm

noarch:  
kernel-doc-5.14.0-70.49.1.el9_0.noarch.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-devel-matched-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-devel-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-devel-matched-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-devel-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-devel-matched-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-headers-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS EUS (v.9.0):

Source:  
kernel-5.14.0-70.49.1.el9_0.src.rpm

aarch64:  
bpftool-5.14.0-70.49.1.el9_0.aarch64.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-core-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-libs-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm

noarch:  
kernel-abi-stablelists-5.14.0-70.49.1.el9_0.noarch.rpm

ppc64le:  
bpftool-5.14.0-70.49.1.el9_0.ppc64le.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-core-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-libs-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm

s390x:  
bpftool-5.14.0-70.49.1.el9_0.s390x.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-core-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-core-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-modules-extra-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm

x86_64:  
bpftool-5.14.0-70.49.1.el9_0.x86_64.rpm  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-core-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-core-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-modules-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-modules-extra-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-modules-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-modules-extra-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-libs-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder EUS (v.9.0):

aarch64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-debuginfo-common-aarch64-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
kernel-tools-libs-devel-5.14.0-70.49.1.el9_0.aarch64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.aarch64.rpm

ppc64le:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
kernel-tools-libs-devel-5.14.0-70.49.1.el9_0.ppc64le.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.ppc64le.rpm

s390x:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-debuginfo-common-s390x-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
kernel-zfcpdump-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.s390x.rpm

x86_64:  
bpftool-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-cross-headers-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debug-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-debuginfo-common-x86_64-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
kernel-tools-libs-devel-5.14.0-70.49.1.el9_0.x86_64.rpm  
perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm  
python3-perf-debuginfo-5.14.0-70.49.1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-3564  
https://access.redhat.com/security/cve/CVE-2022-4269  
https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/cve/CVE-2022-4379  
https://access.redhat.com/security/cve/CVE-2023-0179  
https://access.redhat.com/security/cve/CVE-2023-0266  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBCPddzjgjWX9erEAQiUYA//eHB1lFUQOziIVT+e7Eveh/CxB+oBYKQd  
qahqIC8RGCNzfhKszn/E76Pp9nCmuajBUWStb6f07R+vwQaGe/cQ2SS8Zfhj7Fo0  
MS5bW3udIWqqSIoSD6zHKQn8rouFzsJ2PuP1nomV3w7C+/nWk8G2y7ulWvuRIQxw  
anWwsA2FI3m/ymDkqDhwF/zF4cfosOvd/XARC6PL0+uyJHigp4egLr6XBqlY9Gh6  
P36zjfZdTyZ8MfqgFj7K4wEOr41HLaIPEeelPSmsOj+rx4IsXm+T5wu20oFoSVwr  
E9RX72wKxAblHUvVlCMBIGLeATbfO2XmqU1392+WUFysTjGTPib836+STh2PPK+p  
c6NA/rr90g59PFyTpdHCR54GZLjTrOPYNDiinvXDFiyTbkwWIZq5Qm1LoVOSUuUi  
DA+NpnB09Kglx1taqnknbt0o1G+0nkcblajZhC0LnqcqMBUfI1rQvedT7JOGlJhy  
a7W9JgIaFc5qTh1MR2dhBEbxAwbxVJaaFUmD3HASCfxJviED915IOdOM+SjkLKS1  
RPW2SmxZ8lWk46GyQLN/xHIsAL4ucntjP9SMLhwM+KDTjDRYgEjqiVUvgMgYNn7o  
miFyM1PT3sALFo2EGb+AyqXHlW8MyI0dJtEv5EV2PMegCDCf54ISQiUlMY4EKcFJ  
IwHZx9iW7VY=  
=yYLi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1202-01

Organizations are coming under pressure to protect their data, but does all data need the same security? To secure it, you first need to know what and where it is.

Let's start by examining those two broad-brush data categories: structured and unstructured.

Structured data refers to the data resident within relational databases, often presented via customer relationship management (CRM) systems and corporate applications. Tables and rows of related information in limited formats, structured and only accessible to users with suitable authorization.

Unstructured data is much less easy to ring-fence, being comprised of all the different, unrelated files present on end-user devices. The data is stored in a wide array of locations locally, across the network and in cloud-based services. When considering all these formats and types on local and network-based devices, it is easy to see how vital it is to include all this data into the overall data security equation. Omdia estimates that as much as 80% of an organization's data is resident in this unstructured category.

Now let's consider how all the data needs to be protected.

Due to the general level of sensitivity of structured data (personally identifiable information, payroll, financials, legal, etc.) security strategies will often focus on this tier. Organizations typically separate and secure the various types of data here. However, even these measures are potentially far from sufficient to protect against a determined hacker. Can any organization really say with confidence that it is adequately protected when the next attack could be from an entirely unknown quarter?

Questions of security robustness aside, for structured data, organizations do tend to treat data differently, considering the actual content (and risk to the business if it were lost) and thus appropriate controls are reasonably applied.

Given the sheer volumes, can it be said that unstructured data receives proportional (or even anything like) the same consideration structured data receives? The answer is most likely "no."

First, let's ask a more fundamental question. Can an organization, hand on heart, say it even knows where all its unstructured data is? Most organizations may struggle here. File authors may have difficulty remembering a specific file or what they did with it, or even may have left the business altogether.

This then presents this challenge: "If the organization doesn't know where a file is or what it contains, how can it be protected?"

**Discovery Solutions**

Data discovery solutions can make retrospective retrieval more palatable, but it's better to be able to classify documents at time of creation and then store them clearly and appropriately according to their value (or risk) to the business.

Omdia argues that the authors of these documents are best placed to apply a suitable mark, but artificial intelligence (AI) tools can also be employed. Today, organizational culture tends to determine if the preference is for a user or AI-centric approach. Either way, a visual and a similar embedded mark classifying the document, working in tandem with a data loss prevention (DLP) tool, will not only indicate the sensitivity of the document and with it how it should be handled, the labels will also dictate how the document can be distributed. This is the foundation to protecting unstructured data.

A consideration here. Adopting a one-size-does-not-fit-all approach does get granular quite quickly when considering all the different types and levels of data sensitivity circulating within a business. This is a necessary part of the planning process, however, and clarity and time taken to construct a hierarchical data framework at this stage will bear dividends later. Thorough and well-defined data type definition and a prioritization strategy mapped across all the various data types will not only deliver enhanced security, but also ensure that if, or when, an attack occurs, the regulators can be subsequently assured that every possible measure was in place to preserve the security of an organization's data, and, moreover, that all data was being handled in the right way. It is also worth considering at this point that highly restricted, legally sensitive data one day can become public information the next.

In terms of working with end users, views about this group and security of any type are highly polarized. Omdia firmly believes in thorough cybersecurity training for the workforce. It is vital to include users in an organization's security posture, employing them as a resilient part of the data security defensive fortification rather than sideline them as a part of the problem. Cybersecurity training is vital, but it should be ongoing and frequent to create a "security culture" within the organization.

No organization can claim to be 100% secure against the ever-evolving threat landscape. By working to understand data and accordingly implementing appropriate security controls across the varying types and sensitivities, together with proactive involvement of the end users, both the impact of unauthorized or malicious data loss can be mitigated and expensive costs associated with a blanket data security approach can be avoided.

Are We Doing Enough to Protect Our Unstructured Data?

The threat of scammers using voice deepfakes in their cons is real, but researchers say old-school voice-impersonation attacks are still the more pressing concern.

Amid the generative-artificial-intelligence frenzy of the last few months, security researchers have been revisiting the concern that AI-generated voices, or voice deepfakes, have gotten convincing enough and easy enough to produce that scammers will start using them en masse. 

There have been a couple of high-profile incidents in recent years in which cybercriminals have reportedly used voice deepfakes of company CEOs in attempts to steal large amounts of money—not to mention that documentarians posthumously created voice deepfakes of Anthony Bourdain. But are criminals at the turning point where any given spam call could contain your sibling's cloned voice desperately seeking “bail money?" No, researchers say—at least not yet.

The technology to create convincing, robust voice deepfakes is powerful and increasingly prevalent in controlled settings or situations where extensive recordings of a person's voice are available. At the end of February, Motherboard reporter Joseph Cox published findings that he had recorded five minutes of himself talking and then used a publicly available generative AI service, ElevenLabs, to create voice deepfakes that defeated a bank's voice-authentication system. But like generative AI's shortcomings in other mediums, including limitations of text-generation chatbots, voice deepfake services still can't consistently produce perfect results. 

“Depending on the attack scenario, real-time capabilities and the quality of the stolen voice sample must be considered,” says Lea Schönherr, a security and adversarial machine learning researcher at the CISPA Helmholtz Center for Information Security in Germany. “Although it is often said that only a few seconds of the stolen voice are needed, the quality and the length have a big impact on the result of the audio deepfake.”

Digital scams and social engineering attacks like phishing are a seemingly ever-growing threat, but researchers note that scams have existed for decades in which attackers call a victim and attempt to impersonate someone the target knows—no AI necessary. The very fact of their longevity means that these hustles are at least somewhat effective at tricking people into sending attackers money.

“These scams have been around forever. Most of the time, it doesn’t work, but sometimes they get a victim who is primed to believe what they’re saying, for whatever reason,” says Crane Hassold a longtime social engineering researcher and former digital behavior analyst for the FBI. “Many times those victims will swear the person they were talking to was the impersonated person when, in reality, it’s just their brain filling in gaps.”

Hassold says that his grandmother was a victim of an impersonation scam in the mid-2000s when attackers called and pretended to be him, persuading her to send them $1,500.

“With my grandmother, the scammer didn’t say who was calling initially, they just started talking about how they had been arrested while attending a music festival in Canada and needed her to send money for bail. Her response was ‘Crane, is that you?’ and then they had exactly what they needed,” he says. “Scammers are essentially priming their victims into believing what they want them to believe.”

As with many social engineering scams, voice-impersonation cons work best when the target is caught up in a sense of urgency and just trying to help someone or complete a task they believe is their responsibility.

“My grandmother left me a voicemail while I was driving to work saying something like ‘I hope you’re OK. Don’t worry, I sent the money, and I won’t tell anyone,’” Hassold says.

Justin Hutchens, director of research and development at the cybersecurity firm Set Solutions, says he sees deepfake voice scams as a rising concern, but he's also worried about a future in which AI-powered scams become even more automated.

“I expect that in the near future, we will start seeing threat actors combining deepfake voice technology with the conversational interactions supported by large language models,” Hutchens says of platforms like Open AI's ChatGPT.

For now, though, Hassold cautions against being too quick to assume that voice-impersonation scams are being driven by deepfakes. After all, the analog version of the scam is still out there and still compelling to the right target at the right time.

AI-Generated Voice Deepfakes Aren’t Scary Good—Yet

Russia, North Korea, Iran, and China have been caught using fake profiles to gather information. But the platform’s tools to weed them out only go so far.

There is nothing immediately suspicious about Camille Lons’ LinkedIn page. The politics and security researcher’s profile photo is of her giving a talk. Her professional network is made up of almost 400 people; she has a detailed career history and biography. Lons has also shared a link to a recent podcast appearance—“always enjoying these conversations”—and liked posts from diplomats across the Middle East.

So when Lons got in touch with freelance journalist Anahita Saymidinova last fall, her offer of work appeared genuine. They swapped messages on LinkedIn before Lons asked to share more details of a project she was working on via email. “I just shoot an email to your inbox,” she wrote.

What Saymidinova didn’t know at the time was that the person messaging her wasn’t Lons at all. Saymidinova, who does work for Iran International, a Persian-language news outlet that has been harassed and threatened by Iranian government officials, was being targeted by a state-backed actor. The account was an imposter that researchers have since linked to Iranian hacking group Charming Kitten. (The real Camille Lons is a politics and security researcher, and a LinkedIn profile with verified contact details has existed since 2014. The real Lons did not respond to WIRED’s requests for comment.)

When the fake account emailed Saymidinova, her suspicions were raised by a PDF that said the US State Department had provided $500,000 to fund a research project. “When I saw the budget, it was so unrealistic,” Saymidinova says.

But the attackers were persistent and asked the journalist to join a Zoom call to discuss the proposal further, as well as sending some links to review. Saymidinova, now on high alert, says she told an Iran International IT staff member about the approach and stopped replying. “It was very clear that they wanted to hack my computer,” she says. Amin Sabeti, the founder of Certfa Lab, a security organization that researches threats from Iran, analyzed the fake profile’s behavior and correspondence with Saymidinova and says the incident closely mimics other approaches on LinkedIn from Charming Kitten.

The Lons incident, which has not been previously reported, is at the murkiest end of LinkedIn’s problem with fake accounts. Sophisticated state-backed groups from Iran, North Korea, Russia, and China regularly leverage LinkedIn to connect with targets in an attempt to steal information through phishing scams or by using malware. The episode highlights LinkedIn’s ongoing battle against “inauthentic behavior,” which includes everything from irritating spam to shady espionage. 

Missing Links

LinkedIn is an immensely valuable tool for research, networking, and finding work. But the amount of personal information people share on LinkedIn—from location and languages spoken to work history and professional connections—makes it ideal for state-sponsored espionage and weird marketing schemes. False accounts are often used to hawk cryptocurrency, trick people into reshipping schemes, and steal identities.  

Sabeti, who’s been analyzing Charming Kitten profiles on LinkedIn since 2019, says the group has a clear strategy for the platform. “Before they initiate conversation, they know who they are contacting, they know the full details,” Sabeti says. In one instance, the attackers got as far as hosting a Zoom call with someone they were targeting and used static pictures of the scientist they were impersonating.

The fake Lons LinkedIn profile, which was created in May 2022, listed the real Lons’ correct work and education histories and used the same image from her real Twitter and LinkedIn accounts. Much of the biography text on the fake page had been copied from profiles of the real Lons as well. Sabeti says the group ultimately wants to gain access to people’s Gmail or Twitter accounts to gather private information. “They can collect intelligence,” Sabeti says. “And then they use it for other targets.” 

The UK government said in May 2022 that “foreign spies and other malicious actors” had approached 10,000 people on LinkedIn or Facebook over 12 months. One person acting on behalf of China, according to court documents, found that the algorithm of one “professional networking website” was “relentless” in suggesting potential new targets to approach. Often these approaches start on LinkedIn but move to WhatsApp or email, where it may be easier to send phishing links or malware.

In one previously unreported example, a fake account connected to North Korea’s Lazarus hacking group, pretended to be a recruiter at Meta. They started by asking the target how their weekend was before inviting them to complete a programming challenge to continue the hiring process, says Peter Kalnai, the senior malware researcher at security firm ESET who discovered the account. But the programming challenge was a scam designed to deploy malware to the target’s computer, Kalnai says. The LinkedIn messages sent by the scammers didn’t contain many grammatical errors or other typos, he says, which made the attack more difficult to catch. “Those communications were convincing. No red flags in the messages.”

It’s likely that scam and spam accounts are much more common on LinkedIn than those connected to any nation or government-backed groups. In September last year, security reporter Brian Krebs found a flood of fake chief information security officers on the platform and thousands of false accounts linked to legitimate companies. Following the reporting, Apple and Amazon’s profile pages were purged of hundreds of thousands of fake accounts. But due to LinkedIn’s privacy settings, which make certain profiles inaccessible to users who don’t share connections, it’s difficult to gauge the scope of the problem across the platform. 

The picture gets clearer at an individual company level. An analysis of WIRED’s company profile in January showed 577 people listing WIRED as their current employer—a figure well above the actual number of staff. Several of the accounts appeared to use profile images generated by AI, and 88 profiles claimed to be based in India. (WIRED does not have an India office, although its parent company, Condé Nast, does.) One account, listed as WIRED’s “co-owner,” used the name of a senior member of WIRED’s editorial staff and was advertising a suspicious financial scheme. 

In late February, soon after we told LinkedIn about suspicious accounts linked to WIRED, approximately 250 accounts were removed from WIRED’s page. The total employee count dropped to 225, with 15 people based in India—more in line with the real number of employees. The purpose of these removed accounts remains a mystery.

“If people were using fake accounts to impersonate WIRED journalists, that would be a major issue. In the disinformation space, we have seen propagandists pretend to be journalists to gain credibility with their target audiences,” says Josh Goldstein, a research fellow with the CyberAI Project at Georgetown University’s Center for Security and Emerging Technology. “But the accounts you shared with me don’t seem to be of that type.” 

Without more information, Goldstein says, it’s impossible to know what the fake accounts linked to WIRED may have been up to. Oscar Rodriguez, LinkedIn’s vice president in charge of trust, privacy, and equity, says the company does not go into detail about why it removes specific accounts. But he says many of the accounts linked to WIRED were dormant. 

Fighting Fakes

In October 2022, LinkedIn introduced several features meant to clamp down on fake and scam profiles. These included tools to detect AI-generated profile photos and filters that flag messages as potential scams. LinkedIn also rolled out an “About” section for individual profiles that shows when an account was created and whether the account has been verified with a work phone number or email address. 

In its most recent transparency report, covering January to June 2022, LinkedIn said that 95.3 percent of the fake accounts it discovered were blocked by “automated defenses,” including 16.4 million that were blocked at the time of registration. LinkedIn’s Rodriguez says the company has identified a number of signs it looks for when hunting fake accounts. For instance, commenting or leaving messages with super-human speed—a potential sign of automation—might cue LinkedIn to ask the account to provide a state-issued ID and make the account inaccessible to other users.

Similarly, when an account is being created, a mismatch between its IP address and listed location wouldn’t automatically be a trigger—someone could be traveling or using a VPN—but it might be a “yellow flag,” Rodriguez says. If the account shares other characteristics with previously removed accounts from a particular region or set of devices, he adds, that might be a clearer signal that the account is fraudulent.

“For the very small percent of accounts that managed to interact with members, we retrace our steps to understand the common characteristics across the different accounts,” Rodriguez says. The information is then used to “cluster” groups of accounts that may be fraudulent. Sabeti says LinkedIn is “very proactive” when human rights or security organizations report suspicious accounts. “It’s good in comparison with the other tech companies,” he says.

In some cases, LinkedIn’s new defenses appear to be working. In December, WIRED created two fake profiles using AI text generators. “Robert Tolbert,” a mechanical engineering professor at Oxford University, had an AI-generated profile photo and a resume written by ChatGPT, complete with fake journal articles. The day after the account was created, LinkedIn asked for ID verification. A second fake profile attempt—a “software developer” with Silicon Valley credentials and no photo—also received a request for an ID the following day. Rodriguez declined to comment on why these accounts were flagged, but both accounts were inaccessible on LinkedIn after they received the request for ID.

But detecting fake accounts is tricky—and scammers and spies are always trying to stay ahead of systems designed to catch them. Accounts that slip past initial filters but haven’t started messaging other people—like many of the scam accounts claiming to be WIRED staff—seem to be particularly hard to catch. Rodriguez says dormant accounts are generally removed through user reports or when LinkedIn discovers a fraudulent cluster. 

Today, WIRED’s page is a fairly accurate snapshot of its current staff. The fake Camille Lons profile was removed after we began reporting this story—Rodriguez did not say why. But in a process similar to the Lons impersonators, we conducted one additional experiment to try to slip past LinkedIn’s filters. 

With his permission, we created an exact duplicate of the profile for Andrew Couts, the editor of this story, only swapping out his photo for an alternative. The only contact information we provided when creating the account was a free ProtonMail account. Before we deleted the account, Fake Couts floated around on LinkedIn for more than two months, accepting connections, sending and receiving messages, browsing job listings, and promoting the occasional WIRED story. Then, one day, Fake Couts received a message from a marketer with an offer that seems too good to be true: a custom-built “professional WordPress website at no cost.”

A Spy Wants to Connect With You on LinkedIn

The stakes could not be higher for cyber defenders. With the vast amounts of sensitive information, intellectual property, and financial data at risk, the consequences of a data breach can be devastating. According to a report released by Ponemon institute, the cost of data breaches has reached an all-time high, averaging $4.35 million in 2022.
Vulnerabilities in web applications are often the

Penetration Testing / Cyber Security

The stakes could not be higher for cyber defenders. With the vast amounts of sensitive information, intellectual property, and financial data at risk, the consequences of a data breach can be devastating. According to a report released by Ponemon institute, the cost of data breaches has reached an all-time high, averaging $4.35 million in 2022.

Vulnerabilities in web applications are often the primary gateway for attackers. According to a World Economic Forum report, just one week after discovering a critical security flaw in a widely used software library (Log4j), more than 100 attempts at exploiting the vulnerability were detected every minute. This illustrates how quickly malicious actors can take advantage of vulnerabilities, highlighting the urgency of regularly assessing and monitoring your system for any vulnerabilities or weak points.

The complexity of addressing security challenges in today's digital world is further compounded by the rising use of open-source components, accelerating software delivery cycles, and rapidly expanding attack surface.

One key way organizations can protect themselves from cyber threats is by conducting penetration tests. Pen testing is a proactive security measure that involves simulating real-life cyber-attacks on networks, servers, applications, and other systems to discover and address any potential weaknesses or vulnerabilities before they can be exploited.

**Which type of pen testing does my organization need?**

Penetration testing is an essential tool for identifying, analyzing, and mitigating security risks. It enables cyber defense teams to assess their environment's susceptibility to attack and determine the effectiveness of existing security measures.

Pen tests range from simple assessments to more complex, multi-stage engagements. Here are some of the more common types of pen testing:

*   Network penetration testing: examines the organization's external and internal networks, as well as its software infrastructure, and wireless networks to identify potential weaknesses and vulnerabilities.
*   Web application and API penetration testing: focuses on web applications and looks for technical and business logic flaws in their design, code, or implementation against OWASP Top 10 that could be exploited by malicious attackers.
*   Social engineering penetration testing: simulates a cyber-attack using social engineering techniques, such as phishing emails or phone calls, to gain access to an organization's confidential information.
*   Physical penetration testing: evaluates physical security measures, such as access controls and CCTV systems, to identify vulnerabilities that could potentially be exploited by attackers.
*   Cloud penetration testing: evaluates the security of an organization's cloud infrastructure and applications.
*   Mobile app penetration testing: analyzes the security of an organization's mobile applications, looking for mobile-specific security issues that could be used by attackers.

**Stages of the Pen Testing process**

No matter the type of pen testing conducted, there are typically several stages to go through:

*   Planning and scoping: involves defining the test objectives, determining the scope, and setting a timeline.
*   Reconnaissance and foot printing: gathering information about the target systems and networks, such as open ports and services.
*   Scanning and enumeration: gaining a better understanding of the target system, such as user accounts and services running.
*   Exploiting any identified weaknesses: attempting to exploit any identified vulnerabilities.
*   Post-testing analysis and reporting: analyzing the results, documenting any findings, and creating a report about the engagement.

Pen testing is an essential part of any organization's security strategy, and by understanding the different types of testing available as well as the stages of the process, organizations can ensure their systems are adequately protected against cyber threats.

**Why organizations should use PTaaS to prevent cyber-attacks**

Traditional pen testing is a lengthy and labor-intensive process. It requires specialized and often laser-focused expertise to identify and exploit security flaws. Hiring, training, and retaining security professionals is costly, time-consuming, and challenging.

Moreover, point-in-time remediation does not ensure protection against future threats, leaving organizations exposed to risks.

The key lies in combining the power of automation with the hands-on involvement of expert security professionals. Penetration Testing as a Service (PTaaS) solutions combine automation tools that continuously monitor networks and applications for potential vulnerabilities with expert consulting services.

Penetration Testing as a Service (PTaaS) by Outpost24 provides organizations an end-to-end solution to identify, assess, and remediate security risks on an ongoing basis:

1.  Hands-on Expertise: Outpost24's team of certified security experts uses the latest techniques and tools to deliver accurate and thorough pen testing results.
2.  Convenience: Fully managed pen testing service so that organizations can focus on their core business without allocating resources to manage the testing process.
3.  Cost-effectiveness: By outsourcing pen testing to Outpost24, organizations can save on hiring and training a dedicated in-house team.
4.  Frequent testing: With regular testing cycles, organizations can stay ahead of the ever-evolving threat landscape and continuously improve their cybersecurity posture.
5.  Compliance: Regular pen testing is often a requirement for industry regulations and standards such as PCI DSS, HIPAA, and ISO 27001. Outpost24's solution helps organizations meet these requirements with ease.

With the cost of breaches reaching an all-time high, organizations must continuously assess and monitor their system for any vulnerabilities or weak points. Doing so will help them stay one step ahead of cybercriminals, ensuring their digital assets are adequately protected.

PTaaS by Outpost24 provides a comprehensive solution that helps organizations identify, assess, and remediate security risks on an ongoing basis. By leveraging the power of automation combined with the expertise of seasoned security professionals, PTaaS helps organizations to stay secure and compliant.

For more information about how Outpost24's penetration testing solutions can help your organization, visit Outpost24.com.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Different Methods and Stages of Penetration Testing

Two U.S. men have been charged with hacking into a U.S. Drug Enforcement Agency (DEA) online portal that taps into 16 different federal law enforcement databases. Both are alleged to be part of a larger criminal organization that specializes in using fake emergency data requests from compromised police and government email accounts to publicly threaten and extort their victims.

Two U.S. men have been charged with hacking into a **U.S. Drug Enforcement Agency** (DEA) online portal that taps into 16 different federal law enforcement databases. Both are alleged to be part of a larger criminal organization that specializes in using fake emergency data requests from compromised police and government email accounts to publicly threaten and extort their victims.

Prosecutors for the Eastern District of New York today unsealed criminal complaints against **Sagar Steven Singh** — also known as “**Weep**” — a 19-year-old from Pawtucket, Rhode Island; and **Nicholas Ceraolo**, 25, of Queens, NY, who allegedly also went by the handles “**Convict**” and “**Ominus**.”

The Justice Department says Singh and Ceraolo belong to a group of cybercriminals known to its members as “**ViLE**,” who specialize in obtaining personal information about third-party victims, which they then use to harass, threaten or extort the victims, a practice known as “doxing.”

“ViLE is collaborative, and the members routinely share tactics and illicitly obtained information with each other,” prosecutors charged.

The government alleges the defendants and other members of ViLE use various methods to obtain victims’ personal information, including:

\-tricking customer service employees;  
\-submitting fraudulent legal process to social media companies to elicit users’ registration information;  
\-co-opting and corrupting corporate insiders;  
\-searching public and private online databases;  
\-accessing a nonpublic United States government database without authorization  
\-unlawfully using official email accounts belonging to other countries.

The complaint says once they obtained a victim’s information, Singh and Ceraolo would post the information in an online forum. The government refers to this community only as “**Forum-1**,” saying that it is administered by the leader of ViLE (referenced in the complaint at CC-1).

“Victims are extorted into paying CC-1 to have their information removed from Forum-1,” prosecutors allege. “Singh also uses the threat of revealing personal information to extort victims into giving him access to their social media accounts, which Singh then resells.”

Sources tell KrebsOnSecurity in addition to being members of ViLE, both Weep and Ominous are or were staff members for **Doxbin**, a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly. This is supported by the Doxbin administrator’s claimed responsibility for a high-profile intrusion at the DEA’s law enforcement data sharing portal last year.

A screenshot of alleged access to the Drug Enforcement Agency’s intelligence sharing portal, shared by “KT,” the current administrator of the doxing and harassment community Doxbin.

The government alleges that on May 7, 2022, Singh used stolen credentials to log into a U.S. federal government portal without authorization. The complaint doesn’t specify which agency portal was hacked, but it does state that the portal included access to law enforcement databases that track narcotics seizures in the United States.

On May 12, 2022, KrebsOnSecurity broke the news that hackers had gained access to a DEA portal that taps into 16 different federal law enforcement databases. As reported at the time, the inside scoop on how that hack went down came from **KT**, the current administrator of the Doxbin and the individual referenced in the government’s complaint as “CC-1.”

Indeed, a screenshot of the ViLE group website includes the group’s official roster, which lists KT at the top, followed by Weep and Ominus.

A screenshot of the website for the cybercriminal group “ViLE.” Image: USDOJ.

In March 2022, KrebsOnSecurity warned that multiple cybercrime groups were finding success with fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms and mobile telephony providers, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

That story showed that the previous owner of the Doxbin also was part of a teenage hacking group that specialized in offering fake EDRs as a service on the dark web.

Prosecutors say they tied Singh to the government portal hack because he connected to it from an Internet address that he’d previously used to access a social media account registered in his name. When they raided Singh’s residence on Sept. 8, 2022 and seized his devices, investigators with Homeland Security found a cellular phone and laptop that allegedly “contained extensive evidence of access to the Portal.”

The complaint alleges that between February 2022 and May 2022, Ceraolo used an official email account belonging to a Bangladeshi police official to pose as a police officer in communication with U.S.-based social media platforms.

“In these communications, Ceraolo requested personal information about users of these platforms, under the false pretense that the users were committing crimes or in life-threatening danger,” the complaint states.

For example, on or about March 13, 2022, Ceraolo allegedly used the Bangladeshi police email account to falsely claim that the target of the EDR had sent bomb threats, distributed child pornography and threatened officials of the Bangladeshi government.

On or about May 9, 2022, the government says, Singh sent a friend screenshots of text messages between himself and someone he had doxed on the Doxbin and was trying to extort for their Instagram handle. The data included the victim’s Social Security number, driver’s license number, cellphone number, and home address.

“Look familiar?” Singh allegedly wrote to the victim. “You’re gonna comply to me if you don’t want anything negative to happen to your parents. . . I have every detail involving your parents . . . allowing me to do whatever I desire to them in malicious ways.”

Neither of the defendants could be immediately reached for comment. KT, the current administrator of Doxbin, declined a request for comment on the charges.

Ceraolo is a self-described security researcher who has been credited in many news stories over the years with discovering security vulnerabilities at **AT&T**, **T-Mobile**, **Comcast** and **Cox Communications**.

Ceraolo’s stated partner in most of these discoveries — a 30-year-old Connecticut man named **Ryan “Phobia” Stevenson** — was charged in 2019 with being part of a group that stole millions of dollars worth of cryptocurrencies via SIM-swapping, a crime that involves tricking a mobile provider into routing a target’s calls and text messages to another device.

In 2018, KrebsOnSecurity detailed how Stevenson earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their websites, all the while secretly peddling those same vulnerabilities to cybercriminals.

According to the Justice Department, if convicted Ceraolo faces up to 20 years’ imprisonment for conspiracy to commit wire fraud; both Ceraolo and Singh face five years’ imprisonment for conspiracy to commit computer intrusions.

A copy of the complaint against Ceraolo and Singh is here (PDF).

Two U.S. Men Charged in 2022 Hacking of DEA Portal

Patch Tuesday turned security updates from chaotic events into a routine. Here's how we got here and where things might be heading.

On Oct. 9, 2003, Microsoft CEO Steve Ballmer announced that the company would issue security patches only once a month to "reduce the burden on IT administrators by adding a level of increased predictability and manageability."

Two decades later, Microsoft continues to issue its security updates on the second Tuesday of every month, with occasional exceptions for emergency situations. Many other companies, like Oracle and Adobe, follow similar rules.

Patch Tuesday turned risk management into a monthly appointment, but like many innovations it was founded from crisis. At the beginning of 2002, shortly after the world experienced two of its first cyber doomsdays, Code Red and Nimda, Microsoft decided to change its philosophy around security. The two worms, which infected hundreds of thousands of machines in a matter of hours, exploited vulnerabilities for which patches were available.

"The problem was not that we weren't building patches; the problem was that people weren't deploying them quickly enough," says Christopher Budd, who was with Microsoft from 2000 to 2010 and is now a senior manager for threat research at Sophos.

At that time, the trauma of 9/11 was palpable in North America, and there was a growing concern within Microsoft regarding security. On Jan. 15, 2002, Bill Gates sent his famous Trustworthy Computing memo, highlighting the importance of protecting customers and their systems.

One way to improve security was to change how patches were delivered. So instead of announcing them unpredictably, on a ship-when-ready basis, several times during a week, Microsoft began to stack them together to make it easier for customers to keep up.

At first, the idea was implemented as a "silent pilot project," Budd says. But as it showed promising results, it was soon made official. The first official Patch Tuesday report was published on Oct. 14, 2003, and it included seven vulnerabilities, five of which were seen as critical.

"Tuesday was the earliest day in the week that we felt we could sustainably offer these," says Budd, who helped build Patch Tuesday.

This fixed-schedule approach has become a standard industry practice. But the road was not always smooth.

**The Early Days of Patch Tuesday**

Throughout the years, Microsoft has evolved and refined its approach to security patches, adapting to changing threats. Notable worms that followed Code Red, such as Sasser and Blaster, helped Patch Tuesday to grow and eventually mature.

Budd and his colleagues in the Microsoft Security Response Center, who "suddenly became incredibly important" after the Trustworthy Computing memo, tried to make improvements around patch deployment and detection. One key achievement was to build tools that enabled admins to do a scan and identify the systems that needed security updates — an idea that, while simple, proved to be a game-changer.

The entire process of releasing patches required extensive work, particularly on the Monday before Patch Tuesday, when everything had to be checked. Security experts put in long hours, missed birthday parties, and even showered in Microsoft's headquarters because they didn't have the time to go home.

It is why the releases of the bulletins were celebrated with music blasting over loudspeakers. "When the bulletins were live, it was a big deal for us," says Dustin Childs, who was with Microsoft between 2008 to 2014 and is now the head of threat awareness at Trend Micro's Zero Day Initiative.

Typically, the music was picked by the release manager for that bulletin. "I remember one month it was Klingon music, but it was usually rock and roll," Childs says.

Occasionally, soon after the music stopped, chaos would ensue because some patches caused unintended consequences. One notable incident happened in February 2010, when thousands of customers reported blue screens almost immediately.

When security experts in Redmond heard about the issue, they tried to replicate it but were unsuccessful. For the lack of a better solution, Microsoft bought the computer of a customer who called a support center near Dallas to report the issue.

"And as soon as we got that computer, we found that it had a rootkit installed in it," Childs says.

The Alureon rootkit made modifications to Windows Kernel binaries, which caused the systems to be unstable. The company reissued the patch and fixed the problem.

"The really funny part, though, was that the people who made the rootkit figured it out faster than we did, and they had updated their rootkit to avoid the patch within 48 hours \[of the release\]," Childs says. "It took us a week to fix it!"

And it wasn't the only bizarre episode in Patch Tuesday's history. For instance, Childs remembers that an Internet Explorer patch crashed online banking in South Korea, while a Windows Media Player patch broke an entire country — twice.

"For some reason, on systems in Denmark, it blue-screened," he says. "So we had to recall that patch, fix it and re-release it. And then, the very next month, the same thing happened again. I don't know what was specific about the systems in Denmark."

Even today, some patches released by software companies in general, not just Microsoft, can cause issues, which can be frustrating for those installing them. Childs argues that if vendors improve the reliability of these fixes, customers might be more willing to apply them promptly, as opposed to waiting weeks or months to see if others experienced issues.

Taking the waiting approach can be risky, as it leaves their systems vulnerable to known vulnerabilities. It is why Childs recommends users apply patches as soon as possible. He also tells them to call attention to poor-quality patches.

"Let's hold vendors accountable," Childs says. "Let's make sure that they're producing good patches."

Aanchal Gupta, deputy CISO at Microsoft, says the company is doing "extensive testing" of patches.

"Before we issue any patch to our customers, it goes through rigorous testing not just within Microsoft. ... \[W\]e also have a set of beta testers, external companies, and they get the patches early on before these are actually made public," she says. "They can test in their environment and report back to us whether there is something unique in their environment which could make the patch not work."

**Patch Tuesday Today**

Patch Tuesday has come a long way since those early days when Klingon music blasted from the speakers. Over time, the releases have become quieter and even automated, becoming invisible to some users.

In the past decade, Microsoft has made several changes to streamline the process. In the mid-2010s, for instance, it announced cumulative updates so that a customer who missed, for instance, five patches only needed to apply the last one because the other ones were included in it. The company also launched machine-readable Security Update Guides, which meant that organizations with huge fleet deployments could rely on automation.

But not every change was welcomed by the community. When Microsoft decided to eliminate security bulletins and replace them with Security Update Guides, customers complained that the information they received was less intuitive. Something similar happened in the fall of 2020, when the tech giant removed executive summaries that included detailed information on vulnerabilities. Once again, many in the industry argued that they didn't receive enough information, which made their decision-making processes difficult.

That was "probably the most disruptive" decision Microsoft made, says security researcher Claire Tills. "I know some defenders also really had trouble with that."

More recently, in 2022 Microsoft took yet another step toward making Patch Tuesday a regular Tuesday, when it announced Autopatch, which promised to ease the process of addressing vulns for customers with Windows Enterprise E3 and E5 licenses. The move made organizations wonder whether Patch Tuesday as we know it might disappear — a rumor Microsoft denied.

The publicity around Patch Tuesday is getting smaller and the number of Patch Tuesday vulnerabilities may have peaked. In 2020, a particularly "aggressive year," Tills counted around 1,200 vulns, while in 2022, she saw 663.

"In terms of the types of vulnerabilities, it's consistently elevation of privilege and remote code execution," she says. "Every once in a while, we'll get peaks in information disclosures and security feature bypass — those two also pop up."

But despite the features meant to streamline the process of applying patches, this task can still be daunting for small businesses that can't afford a dedicated tech support team. It is why Gupta recommends these clients to move to the cloud.

"Then you can purely focus on your business and you don't have to worry about patching and managing systems," she says. "I also encourage people to not disable the default upgrades."

But as we transition toward automating the processes, is dedicating one day for updates obsolete?

**Is Patch Tuesday Becoming Obsolete?**

It is hard to fathom a world of cybersecurity without Patch Tuesday, which has been an integral part of the industry for two decades. As threats become more sophisticated and geopolitics becomes more volatile, however, the traditional model of Patch Tuesday may no longer be sufficient to keep systems secure.

Organizations operating in complex environments, such as in those competitive fields or based in hot areas like Ukraine, cannot afford to make mistakes when it comes to patch management. Threat actors often "targeted technical vulnerabilities rather than specific individuals or organizations," says Nazar Tymoshyk, founder and CEO of cybersecurity startup UnderDefense, which has protected several organizations during the ongoing war with Russia.

"The exploitation of unpatched vulnerabilities in technology stacks or outdated Web resources still accounts for 50% of \[Russia's\] success in cyber-intelligence operations," he says.

Tymoshyk believes that Patch Tuesday is still necessary and should not be retired. However, organizations should build on top of it, adopting additional patching routines depending on the size and complexity of their infrastructure or the types of software and systems they use.

Satnam Narang, senior staff research engineer at Tenable, also favors keeping Patch Tuesday alive because routines can help organizations foster a security-focused culture.

"Each week the folks come to pick up the trash from our street, and we know that that's happening every week on a specific day," he says. "The reason why Patch Tuesday is a valuable resource is that it happens every month on a specific day, so it allows organizations to carve out the time necessary to patch these vulnerabilities."

A chaotic patching system might not work, Narang says, because security teams are already overwhelmed. Aviv Grafi, CTO and founder at Votiro, agrees. "Time is of the essence, and we need to focus on leveraging technologies and software that give security teams more time back in their day," Grafi says.

Security researchers also add that continual patch cycles and automatic updates might not always be feasible at enterprise level in some cases. "In the event of a problem, large organizations need to be able to revert systems to a known state, and that requires planning," says David Farquhar, solutions architect at Nucleus.

Patch Tuesday is a crucial element in the routines of many organizations, but despite that, it can be unpredictable. The past years have shown that its structure can change without prior warnings. "Even though Patch Tuesday feels so foundational and so solid, it can change at the drop of a hat," Tills says. "The end of Patch Tuesday could feel disastrous for a lot of organizations."

For the time being, though, it appears that Microsoft will keep the program running. "I wouldn't worry about Patch Tuesday going away anytime soon," Gupta says.

How Patch Tuesday Keeps the Beat After 20 Years

Convergence of two leading cybersecurity companies creates federal sector powerhouse.

**DENVER — March 14, 2023 —** Optiv, the cyber advisory and solutions leader, today announced it has acquired Maryland-based ClearShark LLC and ClearShark Services, Inc. (collectively ClearShark), a premier advisor and top value-added reseller of cybersecurity and modernization technology to the United States federal government. The transaction more-than doubles Optiv’s federal presence, while significantly deepening its bench of government expertise and expanding the breadth of its federal capabilities.

“ClearShark is now the cornerstone of a vibrant Optiv federal business where we will together bring a new level of world-class federal capabilities to the market at scale,” said Optiv CEO Kevin Lynch. “Between the uptick in cyberattacks, the recentBiden-Harris Administration’s National Cybersecurity Strategy and other security regulations, cybersecurity has never been more vital. Together with ClearShark, we are primed to better help federal agencies and contractors ensure a strong cybersecurity posture and build a lasting legacy in the public sector space.”

“Joining forces with the largest pure-play cybersecurity company in the world provides us, our clients and partners with a tremendous growth opportunity. We couldn’t be more excited about this partnership or more bullish on the future,” said Brian Strosser, ClearShark LLC president.

ClearShark Services President Marshall Bailey added, “Leveraging Optiv’s comprehensive suite of cybersecurity solutions and services, we can continue to expand our already dominate delivery capabilities and operate at scale while also providing employees with new career opportunities.” 

The acquisition brings together two leading cybersecurity companies to create a powerhouse partnership that will better serve current and new clients by providing:

*   An expanded federal presence with more direct connections to the public sector.
*   An even broader federal team that builds on the exceptional Optiv service and expertise clients and partners have come to depend on.
*   A vast and comprehensive portfolio of cybersecurity services and solutions, technical capabilities and federal resources.
*   Exceptional relationships with the industry’s leading security technology companies and product manufacturers.

The terms of the transaction are not being disclosed.Holland & Hart LLP provided counsel to Optiv during the transaction.IzenbergLaw PLLC,Fontana Law GroupandPilieroMazza PLLC provided counsel to ClearShark.

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom

**Follow Optiv**

Twitter: www.twitter.com/optiv

LinkedIn: www.linkedin.com/company/optiv-inc

Facebook: www.facebook.com/optivinc

YouTube: www.youtube.com/c/OptivInc

Blog: www.optiv.com/explore-optiv-insights/blog

**Optiv Security: Secure greatness.****®**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

**ClearShark**

ClearShark is an IT solutions provider, comprised of ClearShark LLC (including FedBiz) and ClearShark Services, Inc., focusing on providing cybersecurity, datacenter and cloud infrastructure, AI and data analytics and DevSecOps solutions and services. Our first-class engineering team is made up of mission-focused, results-driven subject matter experts from the intelligence community, Department of Defense and Department of Energy. We are focused and innovative, making investments in technologies we believe in, and being free to pivot and find disruptive technologies. For more information, visit www.clearshark.com.

Optiv More Than Doubles Federal Presence With ClearShark Acquisition

By Mor Ahuvia - SASE Solution Expert, Check Point Software
The pandemic. A growing gig economy. Rounds of layoffs across industries. It’s no wonder the workforce looks nothing…
This is a post from HackRead.com Read the original post: From Power Plants to eWallets: The role of ZTNA in the gig economy

The pandemic. A growing gig economy. Rounds of layoffs across industries. It’s no wonder the workforce looks nothing as it did just three years ago. According to Layoffs.fyi, technology companies alone have cut 24,151 jobs in just the first 15 days of 2023—and that’s on top of another 154,256 workers laid off in 2022.

Some of these workers will join the gig economy, working in temporary or freelance roles. Others will join companies providing outsourced and shared services to organizations around the world that seek specialized talent to fulfill a wide variety of business, technical, and creative needs.

Market research firm Mordor Intelligence LLP says that the global IT outsourcing market alone was valued at $526.6 billion in 2021 and is expected to reach $682.3 billion by 2027. 

No matter which side of the table you’re on—contractor or hiring organization—the one thing that has to be in place for both parties to succeed is secure remote access. In the past, traditional VPN access was sufficient for the small percentage of employees who occasionally worked remotely. Now, however, organizations are relying on BYOD workers and third parties to operate, and with that comes a new set of security challenges.

**Who Can You Trust?**

With talent (especially engineering and DevOps talent) at a premium, organizations must enable access to internal company data and assets. This can mean enabling access to the cloud, on-premises systems, or SaaS solutions from anywhere in the world. However, from a security standpoint:

*   Contracted teams are not employees, yet they need remote access to sensitive corporate cloud environments, servers, and data. 
*   Third-party devices are not managed by the company’s IT team, so they can’t be completely trusted.
*   Regulatory compliance requires tight control over which data is accessed, how it is accessed, and the purposes for which it is accessed.
*   Multiple third-party users and devices coming into and leaving projects at various phases must be onboarded and de-provisioned quickly and securely. 

As organizations increase their use of external resources, all of these demands are converging to require a new approach to secure remote access. Here are two examples of the complex challenges that organizations faced in enabling secure remote access.

*   **Securing Remote Access in a Critical Infrastructure Environment**: A European power plant serving more than two million customers had routinely outsourced projects to a third-party engineering firm. In the past, standard security measures were sufficient. Now, however, new nation-state threats and cyberbullies had become significant threats. At the same time, new energy industry regulations demanded a hyper-granular approach to securing power generation and distribution systems. The power plant needed the ability to control and restrict all activities of third-party users with BYOD access. 
*   **A Financial Organization Goes Global for DevOps Talent**: A mobile wallet company relies on a global base of developers who connect to cloud-based production and development environments. Because its products perform financial transactions, transfer money, and require the use of PII, the company is highly regulated. Developer activities must be strictly controlled. 

**Securing Access with Zero Trust**

Zero Trust Network Access (ZTNA) is being adopted as the best way to ensure the Fleast privileged access to sensitive environments for outsourced teams. By “never trusting and always verifying,” ZTNA enables SMB and corporate IT and security teams to tailor secure access exactly as needed for protecting assets and systems while supporting a range of development, engineering, and other business goals.

ZTNA limits access on an application-by-application basis. It authenticates every user, no matter where they’re located. It simplifies security by enabling remote access to complex environments, and it provides a way to record and audit all activities by contracted teams.

**Six Practices for a Successful ZTNA Implementation**

1.  **Know project requirements:** Begin by understanding exactly what contracted teams need to do their jobs. Which applications? Which resources? Which protocols and permissions? Understanding requirements enables you to create usage “silos” and apply precise permissions to specific groups. 
2.  **Reduce the attack surface:** ZTNA can help reduce the attack surface by allowing Layer 7 access through reverse proxies to limit exposure to sensitive assets and applications. This ensures that users will only be able to see the resources that they are allowed to access and will have no visibility into other internal resources. Layer 7 access helps “darken the data centre” to limit visibility into the organization’s networks, applications and assets, which deters attackers and DDoS attacks.
3.  **Simplify provisioning:** Outsourced teams need quick, secure access to resources, regardless of where they are hosted and which device is used. Clientless connections that don’t require you to install a security client on a freelancer’s devices simplify the rollout of zero trust access, while letting you maintain regulatory compliance. You might also want to manage external users’ identities separately from employee user directories using a cloud-based directory. 
4.  **Go granular:** Implement authorization down to the most granular levels. Control each asset by restricting policies for each user or user group. Apply granular permissions to apps themselves and also within apps—controlling access and usage of specific commands and queries. 
5.  **Use PAM-as-a-service:** This simplifies access management for multi-cloud and private servers, allowing authorized users to easily access privileged production and administrative environments. Automated features like single sign-on, key management, and credential vaulting save time while ensuring best practices are followed. 
6.  **Maintain visibility:** Monitoring, real-time policy enforcement, video session recording, and full audit capabilities deliver full visibility and forensics to accelerate investigation and response in the event of a cyber incident.  And of course, they’re key to addressing industry regulations.

**How Did They Do It?**

Both organizations mentioned earlier chose a clientless ZTNA solution to address their challenges:

**Securing Energy Supplies with Zero Trust **

Using clientless zero trust access, the power plant implemented a secure remote access architecture. Third-party users have agentless access to terminals, remote servers and applications. This significantly reduces the power plant’s attack surface by eliminating direct network connections.

Sanctioned applications, including Jenkins, ACT, Solar Putty, and RDP, are published through Layer 7 reverse proxies. They are further protected by granular access controls—such as permitting or blocking commands. Role-based controls make it easy for system administrators to grant and revoke access to—and within—applications without complex workflows. Video session recording delivers complete visibility alongside full activity audit trails.

**Protecting e-wallet customer PII**

The fintech company also opted for a ZTNA architecture to ensure the least privileged access and audit all activities. Clientless access eliminated the need to install agents on developers’ BYOD devices. Databases containing customer details and financial assets are published through Layer 7 reverse proxies.

The cloud ZTNA service enabled the fintech company to precisely create policies that control access to specific databases and allowable queries. The service enabled access to PostgreSQL and Jenkins in an Azure cloud, as well as MySQL and Jenkins in AWS. All sessions are video recorded and documented by full audit trails.

A clientless ZTNA architecture delivers a breezy SaaS-like user experience from any device. At the same time, it enforces granular app-level and in-app controls for any internal resource—on-premises or in the cloud—without requiring an agent. Role-based controls allow administrators to easily provision and de-provision access to (and within) internal applications—as well as limit access in scope.

Moreover, administrators receive full activity logs that provide visibility on all third-party activity. Security teams no longer have to waste valuable time trying to set up and manage complex workflows.

_Ready to get started with clientless zero-trust access? Learn about ZTNA from Check Point Harmony Connect SASE  or watch a demo on TheDemoForum.com._

1.  How Big Tech Leveraged Agile Principles to Build Empires
2.  Growing security problem of Bring Your Own Device (BYOD)
3.  Lessons from COVID-19 Cyberattacks: Where Do We Go Next?

I write about how to stay safe and keep connected. Long version: The dark web, a Trojan reverse engineering team and a phishing 24x7 SOC are where I started my cyber security journey. Fast forward 15 years, and I’m still privy to new security tools taking flesh to keep people safe, data protected, networks clean and IR teams in good shape with innovations for the unique needs of mobile, IoT, remote work and cloud.

From Power Plants to eWallets: The role of ZTNA in the gig economy

Organizations need to take steps now to strengthen their cyber defenses.

Anxiety over an artificial intelligence tool called ChatGPT is spreading across a wide range of sectors, from education to business to cybersecurity circles. Numerous articles have shown ChatGPT's efficiency in creating phishing emails, as well as passing medical and business school tests. Its ability to write, speak, and answer queries across a wide range of subjects as competently as many humans do, as well as its ability to find vulnerabilities in computer systems, has raised legitimate concerns over how it may be used to create effective phishing campaigns on a large scale.

While today it's a toy, a parlor trick that people take out to show how much AI has improved, businesses and government institutions should be worried about what's going to happen in two to five years, as AI models continue to improve and bad actors take advantage of what it can do. Organizations need to take steps now to strengthen their cyber defenses, against both current threats and what's lurking around the corner.

**AI's Versatility Creates Risks**

ChatGPT, created by OpenAI, has been available for queries since November 2022, in an open-ended beta testing period. OpenAI, a research and deployment company that pursues innovations in AI, says it created the chatbot to interact in a conversational way, study user feedback, and learn its own strengths and weaknesses. It's been used to explore scientific subjects, help write a poem or a song, and even apply for a job. ChatGPT does make mistakes. The coding platform StackOverflow temporarily banned ChatGPT because its answers to questions were often incorrect, deciding that posting those answers would be "substantially harmful" to StackOverflow users. But it is learning and improving.

**The Next Stage of AI Threats**

The most immediate cybersecurity concerns over ChatGPT are that it can give neophyte cyberattackers the ability to write phishing emails, exploit buffer overflows, and carry out other basic cyberattacks. But in a few years, these threats will become much more serious.

AI tools will make it easier for malicious insiders or cybercriminals who gained brokered access to engineer and manipulate intracompany dialogue, sending precisely targeted phishing emails that look like legitimate requests from a person inside the company.

**What Businesses Can Do to Protect Themselves**

There are several steps businesses can take to adopt a security-first culture and protect themselves from the kind of threats AI poses, now and in the future:

1.  **Make sure the business leans toward skepticism.** People at every level of a company should question what they see in email or any other communication channels. Phishing is so pervasive because it has so often worked, accounting for 73% of social engineering attacks in North America, according to Verizon's "2022 Data Breach Investigations Report." Employees should be trained to look at any email, Slack invitation, or other communication with a critical eye. They need to be aware of the signs that it's fraudulent.
2.  **Deliver continuous, real-time cybersecurity training.** Almost every organization has a cybersecurity training program that their employees must take annually. Given the number of breaches we've seen based on phishing attacks, it's clear this is not enough. Organizations need to help employees identify phishing attacks in real-time, pointing out as it happens when employees click on fraudulent links or download privileged information onto a thumb drive. For the sake of productivity, employees try to find workarounds, and cybersecurity training needs to happen in the moment to remind employees why protocols are there in the first place.
3.  **Establish some Internet borders to reduce unnecessary use.** Workplaces already do this to some extent, such as by blocking offensive websites or forbidding Internet use that could put company data in jeopardy. If they have not done it already, businesses can establish a written policy detailing acceptable and forbidden Internet use. Programs are available that will limit Internet use to approved websites, and routers can be used to block sites. Tracking and logging Internet use also can act as a deterrent.
4.  **Improve corporate security policies and actually enforce them.** Security transformation does not happen in days. It happens over months and years, requiring a cultural change in how everyone in the organization thinks about cybersecurity. The best practices in security today can be effective, but only if fully implemented and followed. As with other security steps, businesses should communicate consistently about security, reminding staff of what's expected from them.
5.  **Question current standard practices.** One of the most common explanations used in IT has always been, "We've always done it that way." This is the worst explanation possible for any security practice. An essential component of a security-minded culture is a willingness to change processes and implement new tools to keep up with the ever-changing cyber threat landscape. Be ready to consider more secure and efficient modes of cybersecurity protocol.

**Building a Culture Around Security**

Many organizations begin to see greater success against advanced AI threats when they empower their workforce, which begins with strengthening communication between IT, HR, security teams, and employees about anything and everything concerning risk, data privacy, Internet use, and more. In today's threat environment, security is everyone's responsibility.

Tag

#intel