The device management company introduced a Fleet Hardening Score and Privilege Escalation (the good kind) to its endpoint security platform for Apple devices.

Source: baosheng feng via Alamy Stock Photo

Enterprise IT teams responsible for managing Macs and iOS devices are getting new compliance and security tools, device management company Jamf said during its Spring Event. A new capability in Jamf Connect allows the granting of temporary administrative privileges to a local Mac user. That activity data feeds Jamf Protect, which has added a compliance dashboard that presents overall fleet compliance and drills down to individual devices.

Jamf Connect creates a cloud-based identity for each user that, when authenticated, allows them to set up access to the tools and applications they need via VPN. The new feature, Privilege Escalation, temporarily grants end users elevated administrator privileges to perform tasks such as updating device drivers, installing printers, and adding software that's not managed by Self-Service. Once the time IT set for the escalated privileges expires, the user automatically defaults back to the standard user role.

Jamf has also added a compliance dashboard to Jamf Protect, which provides anti-malware tools, threat defense, and metrics for a fleet of macOS and iOS devices. From the dashboard, an administrator can view which devices fall out of compliance with guidelines; update any software, including the OS version, that needs it; and quarantine suspect files automatically. The new Fleet Hardening Score in Jamf Protect is an aggregate baseline score quantifying the organization's overall endpoint security posture. Administrators can drill down to individual devices to understand and remediate issues.

The integration between Jamf Connect and Jamf Protect provides administrators with detailed telemetry about the privileged tasks being performed on the device. Administrators can use the telemetry to audit endpoints and as part of intrusion detection and response.

Apple devices have long established their presence in business. Enterprise-level tools like Jamf's help ensure that those devices stay compliant with expectations for corporate standards in security.

**About the Author(s)**

New Jamf Tools Give Enterprise IT Security and Compliance Controls

We are potentially encroaching on a water supply crisis if data center operators, utilities, and the government don't implement preventative measures now.

Mark Trump, IT/IoT Defense Adviser, Cybersecurity Center of Excellence, Capgemini

April 9, 2024

5 Min Read

Source: stockphoto-graf via Alamy Stock Photo

COMMENTARY

In our digitally driven world, data has become an invaluable asset to companies across sectors. Data enables intelligent products, services, and operations. Data is also the unsung hero in today's "age of AI." By 2030, the AI market will be worth more than $1.3 billion in revenue — growing 36.8% from 2023's market size of $150.2 billion, and data is arguably the catalyzer driving this immense growth.

**The Current State of Data Centers**

Data is not just an intangible asset that's stored in the virtual ether of "the cloud." In reality, data, and data storage, is very much tied to the physical world. With the increasing introduction of artificial intelligence models, more data will be needed, and therefore stored in data centers.

These centers allow for data to be kept secure, accurate, available, and, for all practical purposes, "alive." Using switches, storage systems, servers, routers, and other equipment, data centers can store essential data sets around the clock. However, the extreme warmth produced by the energy used to process and store data causes overheating concerns. Data centers therefore require energy-intensive cooling systems to ensure the equipment does not fail. Such failures can lead to data losses, and vital workload and service outages — which occurred at a major tech company's Australian-based data center when a regional utility's power outage shut down the center's cooling mechanism. 

Unfortunately, cooling comes at a steep price, accounting for nearly 40% of an average data center's electricity usage. Many operators recognize the strain traditional air-based cooling methods put on its finances and net-zero pledges, which is why some are opting for liquid cooling systems. Although liquid cooling is technically more energy efficient than air cooling, it can still negatively impact the environment — and opens other door for potential outages. 

**Data's Dependence on Water**

When we say "liquid" cooling systems, we're actually referring to water in most cases. Just like living beings, data needs water to survive — and, therefore, so do AI models, software, and countless other technologies that rely on data.

Most data centers in the United States use freshwater supplied by utilities — the same water supply that humans rely on. The average data center uses 1 million to 5 million gallons of water a day (paywalled article), and considering that 30% of the world's data centers are located in America, that means Americans are losing access to a significant amount of safe drinking water. 

The US is already experiencing alarming water shortages as a result of low precipitation fueled by climate change and increased demand from a growing population. Now, add the increased demand from data centers as operators try to cool facilities overrun with AI-associated data, and America could experience a water crisis.

To make matters worse, the American water supply is facing an additional threat: cybersecurity attacks. Bad actors are increasingly targeting US water infrastructure. The main concern is the health and safety of Americans, but these attacks also threaten data centers — and the technology that depend on data. Hackers have historically targeted cooling systems, and they will undoubtedly continue to do so by finding weak points in data centers' water infrastructure, as well as security gaps in the regional water utilities that serve data centers across the US.

**Two-Pronged Approach: Sustainability and Security**

So, how can data center operators effectively store data that is essential to the booming AI market and virtually every aspect of the digital world while limiting their water consumption and protecting their water infrastructure? 

From an environmental standpoint, it will mean utilizing other water sources beyond freshwater provided by American utilities. Some operators are exploring the use of wastewater, industrial water, and seawater to lessen their strain on the United States' depleting freshwater supply. Improving liquid cooling system monitoring tools to track water consumption is also key. And companies are wisely utilizing federal funds to explore efficient cooling options and should continue partnering with the public sector moving forward.

What's more, operators should consider introducing new liquid cooling systems entirely, as there are now more advanced designs that use less water. And as new data centers become necessary — which we know they will — companies should consider building these facilities in cooler climates as well as in areas with water basins that are not overstrained. 

From a cybersecurity standpoint, many operators will have to prioritize defensive measures that specifically protect water infrastructure — which arguably has not been a key security prerogative in previous years. This will require a strategic reset in which leaders identify water, energy, and other external dependencies and extend risk assessments to environmental and other resources beyond the "logistics-based supply chain" that could interrupt business or operations. If enterprises have not done so already, then they should also apply zero-trust principles to all water-based infrastructure that they are dependent upon. 

Organizations must prepare themselves for a variety of scenarios: What would happen if the data centers you rely on for business viability had a water shortage that forced a shut down? Does your crisis plan consider catastrophic loss of water, and therefore data? If water resources and infrastructure sit outside of your security programs, then chances are you could very well face these scenarios. 

To avoid such potential threats, keep in mind this simple mantra: Define. Protect. Defend. Assess your risk so you can mitigate it, and monitor and maintain your defenses.

That said, water utilities must also do their part to help prevent attacks that could severely impact critical data centers and compromise water supply. Experts point to a renewed focus on cyber resiliency through public-private partnerships, improved centralized patch management systems, risk assessments, and temporary controls to address immediate vulnerabilities in critical systems and legacy infrastructure.

**Change Is Needed Now **

Data center operators are faced with a considerable challenge. They must meet the demands of storing an astonishingly increasing quantity of data while utilizing a decreasing supply of water to cool their facilities. Business, technology, and sustainability leaders must work together to formulate strategies that not only protect the environment, but also protect their data.

There's no future for humans or the life-changing technology we've come to rely on without water. And make no mistake, we are potentially encroaching on a water supply crisis if data center operators, utilities, and the American government do not implement preventative measures now.

**About the Author(s)**

IT/IoT Defense Adviser, Cybersecurity Center of Excellence, Capgemini

Mark Trump is a physical security knowledge leader and defense adviser. He has more than 35 years’ experience with advanced technologies, cybersecurity and application of best defensive practices across industrial, commercial, governmental and defense industries specializing in cybersecurity modernizations for critical infrastructure and operational technologies OT/IoT and other infrastructure critical to business and safety.

Why Liquid Cooling Systems Threaten Data Center Security &amp; Our Water Supply

Ad trackers are out of control. Use a browser that reins them in.

Google's admission that, yes, it does track you while you're in Chrome's Incognito mode, is just the latest in a long line of unsettling revelations about just how keenly Big Tech keeps an eye on our movements every time we connect to the internet. Billions of data records will now be deleted as part of a settlement to a class action lawsuit brought against Google.

As we've written before, Incognito mode and the equivalent modes offered by other browsers aren't as secure as you might think, particularly if you start signing into accounts like Google or Facebook. Your activities and searches as a logged-in user on large platforms can still be recorded, primarily to create advertising that's more accurately targeted toward your demographic.

Google, for its part, says it’s transparent about what data it’s storing and why—and in recent years it has made it easier for users to see and delete the information held about them. To really lock down your privacy and security, though, it’s best to switch to a browser not made by a company that earns billions of dollars selling ads.

And there are alternatives: Below we recommend several browsers built with user privacy and security as a priority. Even better, in many cases they can import data such as bookmarks and passwords from your current browser—Google Chrome, for example.

**DuckDuckGo (Android, iOS, Windows, macOS)**

The DuckDuckGo browser blocks trackers at their source.

DuckDuckGo via David Nield

You might know DuckDuckGo as the anti-Google search engine, but the parent company has branched out to make its own browsers too. They keep you well protected online and at the same time give you plenty of information about the tracking technologies being proactively blocked.

DuckDuckGo starts by enforcing encrypted HTTPS connections when websites offer them, and gives each page you visit a grade based on how aggressively it's trying to mine your data. It'll even scan and rank site privacy policies for you.

When it comes to browsing data, this can be cleared automatically at the end of each session or after a certain period of time. Pop-ups and ads are snuffed out, and of course the DuckDuckGo search engine is built in, free of the Google trappings.

You also get extras like throwaway email aliases you can use in place of your real email address to protect your privacy, and everything about the browser and its features is simple to use: You don't really need to do anything except install them, so you're getting maximum protection with minimal effort.

**Ghostery (Android, iOS, Windows, macOS)**

Ghostery comes with a range of tools to protect your privacy.

Ghostery via David Nield

Install Ghostery on your mobile device or your computer, and straight away it gets to work blocking adverts and tracking cookies that will attempt to keep tabs on what you're up to on the web. There are no complicated setup screens or configurations to manage.

Like DuckDuckGo, Ghostery tells you exactly which trackers and ads it's blocking and how many monitoring tools each website has installed. If you do come across certain sites that are well behaved, you can mark them as trusted with a tap.

Or, if you find a site that's packed full of tracking systems, you can block every single bit of cookie technology on it (for commenting systems, media players, and so on), even if the site ends up breaking. A simple, private search engine is built in to replace Google too.

Ghostery's tools are a little more in-depth and advanced than the ones offered by DuckDuckGo, so you might consider it if you want to take extra control over which trackers are blocked on which sites—but it's simple enough for anyone to use.

**Tor Browser (Android, Windows, macOS)**

Tor connects you to the Tor network, to keep your online activities more private.

Tor via David Nield

Tor Browser markets itself as a browsing option "without tracking, surveillance, or censorship." It is worth a look if you want the ultimate in anonymized, tracker-free browsing—unless you're on iOS, where it isn't available (Tor recommends the Onion Browser instead).

The browser is part of a bigger project to keep internet browsing anonymous: Use Tor and you use the Tor Project network, a complex, encrypted relay system managed by the Tor community, making it much harder for anyone else to follow your activities online.

As well as this additional layer of anonymity, Tor Browser is super-strict on the background scripts and tracking tech that sites can run. It also blocks fingerprinting, a method where advertisers attempt to recognize the unique characteristics of your device.

At the end of each browsing session, everything gets wiped, including cookies left behind by sites and the browsing history inside the Tor Browser app itself. In other words, private browsing that leaves no trace is the default—and indeed the only option.

**Brave (Android, iOS, Windows, macOS)**

Brave gives you a clean, speedy browsing experience.

Brave via David Nield

Brave comes with all the tracking protection features you would expect: Ads are completely blocked, there are tight restrictions on the data that sites can gather through cookies and tracking scripts, and you're always kept informed about what's happening.

The browser comes with an optional built-in VPN, though it costs extra ($10 a month). You can also, if you want, use Brave to access the Tor network we mentioned with the Tor browser and take advantage of its anonymizing relay service that hides your location and browsing data.

There's no doubt about the effectiveness of Brave's tracker-blocking technologies, and getting around the web in Brave is quick and snappy. It's a comprehensive package and one that strikes a well-judged balance between simplicity and power for the majority of users.

Brave has regularly pioneered features related to innovative web technologies, including cryptocurrencies, NFTs, and (most recently) artificial intelligence; there's actually a new AI assistant built into it. In other words, it's not exclusively focused on security and privacy.

**Firefox (Android, iOS, Windows, macOS)**

Firefox is part of a suite of privacy products from Mozilla.

Firefox via David Nield

Firefox has long been at the forefront of online privacy—blocking tracking cookies across sites by default, for example—and it continues to be one of the best options for making sure you're giving away as little data as possible as you make your way across the web.

Firefox also gives you a ton of information on each website you visit regarding the trackers and cookies that pages have attempted to leave, and which ones Firefox has blocked. Permissions for access to your location and microphone can be easily managed as well.

Aside from looking after the interests of its users, Firefox also scores highly for user customization. You can change the look and behavior of the browser in a variety of ways, and there are useful integrations like the built-in Pocket utility that saves web stories on your device so you can read them later.

Firefox developer Mozilla offers plenty of extras, including a free data-breach monitor that tells you when your usernames and passwords may have been exposed somewhere online, a free email alias system to keep your actual email address protected, and a VPN that costs $10 per month. It all adds up to a comprehensive package for keeping you safe online.

**Safari (iOS, macOS)**

Safari has been blocking tracking cookies for some time.

Safari via David Nield

Apple continues to add privacy tech to Safari with each release on iOS and macOS—like requiring user authentication (such as a Face ID scan) when returning to a browsing session—though it's obviously not a browsing option if you're on Android or Windows.

Safari has long been blocking third-party tracking cookies that try to connect the dots on your web activity across multiple sites. It also blocks device fingerprinting techniques that try to identify your devices, and it reports back on the trackers it has disabled.

The browser can now also warn you when you try to use a password that's too weak on a new website or service, and it will make a suggestion of a stronger password if needed. Recent browser updates added support for logging in with passkeys too.

Safari operates against the backdrop of Apple's commitment to collect as little information about you as possible and to keep most of that information locked away locally on your device rather than on Apple's servers.

_Update: April 6, 2024, 8:30 am: This guide was updated to include new guidance for DuckDuckGo and Ghostery, as well as to bring some descriptions of browser providers' data collection policies up to date._

Best Privacy Browsers (2024): Brave, Safari, Ghostery, Firefox, DuckDuckGo

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in inc/kiosks.inc.

CVE ID: CVE-2024-30926

Description:  
A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, affecting the `./inc/kiosks.inc` component. This vulnerability permits remote attackers to execute arbitrary code by exploiting the `address_for_current_kiosk()` function. The issue stems from the improper sanitization of user-supplied input via the URL parameters `id` and `address`, which are directly utilized without validation. This oversight allows the execution of malicious JavaScript code through crafted URLs.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: ./inc/kiosks.inc

Attack Type: Remote

Impact: Code execution

Attack Vectors:  
The vulnerability can be exploited by manipulating URL parameters to inject malicious scripts. Examples include:  
- `http://127.0.0.1:8000/kiosk.php?id=<script>alert(1)</script>`  
- `http://127.0.0.1:8000/kiosk.php?address=<script>alert(1)</script>`

These manipulations demonstrate how an attacker could leverage unsanitized input to execute arbitrary JavaScript in the context of a user's session.

Discoverer: Valentin Lobstein

References:  
- Official website: http://derbynet.com  
- Source code on GitHub: https://github.com/jeffpiazza/derbynet

DerbyNet 9.0 inc/kisosks.inc Cross Site Scripting

By Uzair Amir
The partnership will bring millions of players into the Immutable web3 ecosystem while providing GAM3S.GG with the leading web3 gaming platform on the market.
This is a post from HackRead.com Read the original post: GAM3S.GG and Immutable Announce Partnership for Web3 Gaming Expansion

GAM3S.GG, a web3 gaming onboarding and news platform that aims to bring over 100 million players to web3, and Immutable, the leading web3 gaming platform, today announced a strategic partnership that will bring key Immutable functionality to GAM3S.GG users and introduce millions of players to the Immutable ecosystem via GAM3S.GG’s growing community. 

Notably, the partnership will incorporate multiple GAM3S.GG and Immutable zkEVM platform features, including the integration of Immutable Passport and Immutable Checkout, which will provide a streamlined onboarding and purchasing experience.

Additionally, GAM3S.GG will fund exclusive rewards and questing services to games that are building on Immutable zkEVM, while the integration of the $G3 token on Immutable zkEVM will provide even more choice and utility for gamers and games. 

“It’s been clear to our team since we first started working with GAM3S.GG that we share the same goal – to spearhead the onboarding of millions of gamers into a premiere web3 ecosystem,” said Robbie Ferguson, CEO of Immutable. “We’ve worked closely with them on some of our most popular titles, and now will work together with their team to create the best shared web3 gaming ecosystem in the industry.”

Collaborative efforts between the two companies are already underway. Earlier this year, Immutable and GAM3S.GG launched exclusive quests, community tournaments and in-game content for _Blast Royale_ and _MetalCore_, helping drive player growth and anticipation for both titles. 

“It’s clear that web3 gaming is poised to explode, and we plan to drive this explosion alongside Immutable as a key partner,” said Omar Ghanem, CEO of GAM3S.GG. “We’re incredibly excited to combine our rapidly growing web3 gaming community with the full power of the Immutable ecosystem to bring millions of gamers into the fold and drive the next evolution of the entire games industry.”

Immutable and GAM3S.GG plans to announce future integrations and exclusive content in the coming months, with key support for the launch of several industry-firsts for web3 gaming.

****About GAM3S.GG****

GAM3S.GG is a web3 gaming super app with over 500,000+ registered users that curates and creates content to spotlight the top games and showcase reviews, guides, news, quests, annual awards, and more. Its vision is to become the one-stop-shop for web3 gaming to help onboard millions of gamers, allowing them to engage with blockchain-powered games in unprecedented ways and becoming the ultimate bookmark on every gamer’s device.

GAM3S.GG has built the #1 web3 gaming discovery platform over the past 2 years and is backed by prominent investors such as Mechanism Capital, Polygon Ventures, Merit Circle, Hyperithm, LD Capital, ROK Capital, ArkStream Capital, Double Peak, WWVentures and more.

****About Immutable****

Immutable is a global leader in gaming on a mission to bring digital ownership to every player by making it safe and easy to build great games with blockchain technology. Co-founded by James Ferguson, Robbie Ferguson and Alex Connolly in 2018, Immutable is headquartered in Sydney with a 250+ team, and backed by top transformational tech investors like Temasek, Tencent, Coinbase, BITKRAFT Ventures, King River Capital, Galaxy Interactive and more.  

The Immutable gaming platform makes it easy for game studios and independent developers to safely and confidently build and launch successful games on Ethereum. The product suite includes pre-built solutions, optimised for usability, that help developers get to market faster without sacrificing security or player experience. Builders get personalised web3 guidance, live support for their communities, and access to the largest ecosystem in gaming.

Immutable was the first gaming platform to deliver a zero-knowledge (zk) scaling solution to the Ethereum community and provides developers with multiple zk-based scaling options, including Immutable X, a rollup based on StarkWare technology, and Immutable zkEVM, powered by Polygon.

Immutable Games is a global leader in web3 game development and publishing, backed by a world-class team who have a proven track record of bringing games to millions of players. The studio pioneered the world’s first blockbuster NFT trading-card game Gods Unchained and is currently building the highly anticipated mobile RPG Guild of Guardians.

Alongside its high-quality titles, Immutable Games partners with third-party game developers to provide them with best-in-class strategy and execution expertise to ensure the success of every web3 game deployed within the Immutable ecosystem.

1.  Wilder World Launches The First ‘GTA of Web3’ Game
2.  What is Blockchain Gaming and its Play-to-Earn Model?
3.  Exploring Data Privacy and Security in B2B Gaming Data
4.  Gomble Games Secures $10M Funding for Web3 Gaming
5.  The Rise of Blockchain Gaming and Secure Marketplaces

GAM3S.GG and Immutable Announce Partnership for Web3 Gaming Expansion

Cloud-native application protection platforms (CNAPPs) sidestep siloed security and embed security into the earliest stages of application development.

Source: John Williams RF via Alamy

Multicloud security is an enormously complex undertaking, requiring security teams to correlate thousands of daily security alerts across disparate platforms to efficiently and accurately respond to emergent threats. Rather than relying on a series of third-party point solutions — which often struggle to integrate and communicate with one another — to protect your multicloud environment, we recommend prioritizing native security solutions that can embed seamlessly within your environment.

A cloud-native application protection platform (CNAPP) is a unified platform that simplifies securing cloud applications throughout their life cycles. Originally coined by Gartner, this all-in-one platform connects traditionally siloed security and compliance capabilities into a single user interface. At their core, CNAPPs allow security teams to embed security into the earliest stages of the application development process and deploy more robust protections for cloud workloads and data.

There are many use cases where a cloud-native solution will have a natural edge over third-party solutions. We have picked a few common scenarios to showcase capabilities that are hard to replicate with a customized or third-party solution. This list is meant to be representative, not exhaustive.

**1\. Monitoring Your Cloud Management Layer**

The cloud management layer is a crucial service connected to all of your cloud resources. That also makes it a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely.

Since cloud service providers (CSPs) do not allow integration with this layer, the capabilities provided by third-party solutions are severely limited and rely solely on the availability of logs/events, like Azure Diagnostics and AWS CloudTrail.

**2\. Detecting Near Real-Time Threats With Zero or Minimal Impact on Workloads**

As you leverage more native architecture patterns, your usage of native storage, like object storage and native SQL, will grow. As a result, these services often represent an attack target.

Because CSPs do not allow native integration with these services, organizations often struggle to detect malware as soon as an object is uploaded to a storage account without introducing latency or further risks to their workloads. We also see this same issue present when trying to detect sensitive data across databases and object stores without allowing access to a third-party solution. Native cloud security offerings do not have these limitations.

**3\. Inherent Coverage of Workloads as You Scale or Modernize**

Native solutions are deployed at the account or subscription level, integrate natively with other cloud services, and cover a vast variety of usage patterns. Often, these solutions do not require any agent and are push-button. When cloud architecture teams decide to migrate from a virtual machine-based deployment to one that's container-based, organizations can rest assured that the workload is protected from the start.

**4\. Integrating with Your Native Pipelines**

When organizations deploy cloud workloads, they can integrate the native solution at the code repository level. This ensures they are checking appropriate risks at each level — for example, code scanning as part of code merges or image scanning on push. Native solutions also allow organizations to manifest validation before container deployment.

**5\. Maintaining Your Access-Related Blast Radius**

When organizations deploy a third-party solution, that solution requires its own set of roles that need to be monitored. Users will also most likely need to be managed within the third-party solution itself. This adds additional monitoring requirements for security teams that are not needed when deploying native solutions. Because native solutions already integrate with other cloud services and leverage predefined roles, security teams don't need to worry about any additional risks being introduced into their environments.

As we have seen, CNAPPs have a unique value proposition for integrating in your cloud security portfolio, either as the primary solution or as a complement to your existing cloud security posture management (CSPM).

— Read more Partner Perspectives from Microsoft Security

**About the Author(s)**

Microsoft

Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Reconsider Your CNAPP Strategy Using These 5 Scenarios

Cybersecurity is far more than a check-the-box exercise. To create companywide buy-in, CISOs need to secure board support, up their communication game, and offer awareness-training programs to fight social engineering and help employees apply what they've learned.

Source: Lev Dolgachov via Alamy Stock Photo

COMMENTARY

Cybersecurity has never been more critical for responsible corporate governance, as cyberattacks are among the gravest threats to companies' customers, operations, and reputations. 

Boards must invest in cybersecurity-awareness training programs to prepare the entire workforce for evolving cyber threats, and chief information security officer’s (CISO) have to champion this effort.

CISOs play a vital role in building stakeholder support for cybersecurity across the company — particularly on the board. Board members often lack the necessary knowledge to make informed decisions about the company's cybersecurity posture, and it's the CISO's job to educate them in a clear and compelling way. CISOs must demonstrate how much damage cyberattacks can cause, the ways employees can be equipped to identify and prevent these attacks, and how to maintain accountability for their risk-mitigation program.

**5 Top CISO Communication Strategies**

There are several strategies that will help CISOs earn long-term support for awareness training from their boards, from communicating cybersecurity concepts in an engaging and non-technical way to showing board members that cybersecurity programs offer significant ROI. Let's take a closer look at the top five ways CISOs can show boards that it's time to prioritize cybersecurity.

**1\. Know how to communicate with non-technical audiences.**

While almost three-quarters of CISOs say they have "adequate exposure to the board," a majority of CISOs report that their board lacks "knowledge or expertise to respond effectively to their presentations." CISOs must do more to address this disconnect — a process that begins with evaluating how they communicate with board members.

Cybersecurity is an intimidating subject for non-technical audiences, but it doesn't have to be. CISOs can make a comprehensible and convincing case for cybersecurity by pointing to the devastating real-world consequences of successful cyberattacks, revealing how cybercriminals deceive and manipulate their victims, and explaining that the right behavioral interventions can enable all employees to resist cyberattacks. CISOs can also highlight concrete examples of cyberattacks.

With boards planning to increase their cybersecurity investments, it's essential for CISOs to clearly highlight the value of risk mitigation strategies like awareness training.

**2\. Focus on the entire cyber-impact chain.**

According to IBM, the average cost of a data breach surged to $4.45 million in 2023. Cyberattacks can also lead to severe reputational damage, disrupted operations, legal and regulatory consequences, and crippling effects on the health of the company's workforce. This is known as the cyber-impact chain — a crucial concept for CISOs to discuss with board members.

Boards need to be aware that the effects of cyberattacks extend well beyond immediate financial burdens. At a time when 86% of consumers are worried about data privacy, a major cyberattack can undermine trust for years. As data regulations become increasingly strict, companies will be held accountable for compromised customer information.

CISOs have all the information they need to educate boards about the consequences of cyberattacks. They just have to present that information in a way that will hold board members' attention.

**3\. Stress the human element.**

CISOs have the knowledge to explain how prominent cybercriminal tactics are thwarted. For example, 74% of all breaches involve a human element — an alarming reminder that social engineering remains one of the most powerful weapons in the cybercriminal arsenal.

There are several ways for CISOs to productively discuss the threat of social engineering with their boards. They can provide hard evidence for the impact of social engineering attacks, explain how awareness training arms the company to prevent these attacks, and emphasize the most effective ways to educate employees. Cybersecurity is everyone's responsibility, which is why CISOs must make the case for fully engaging employees with consistent, entertaining, and relevant awareness training content.

Awareness training is one of the best ways to mitigate the financial impact of data breaches as it can help companies keep pace with emerging cyber threats and be personalized to account for individual psychological susceptibilities and learning styles. As long as social engineering remains integral to the majority of cyberattacks, CISOs will need to prioritize human-oriented cybersecurity.

**4\. Outline how awareness-training programs can be measured.**

As investments in cybersecurity rise, CISOs need to make accountability a central pillar of their case for awareness training. When board members see that cybersecurity spending is paying off, CISOs will be able to maintain support.

CISOs must make sure employees are learning what they need to know about the most urgent cyberthreats and tactics. Companies can use assessments such as simulated phishing to expose vulnerabilities and determine whether employees are able to apply what they've learned in real-world scenarios. These tests are especially valuable considering that phishing is the most frequent and second-costliest initial attack vector, according to IBM.

Beyond simulated phishing, CISOs can outline other forms of accountability to the board: employee-specific behavioral risk profiles, organizationwide security evaluations, and proactive incident reporting. These are all ways to reassure the board that resources allocated to cybersecurity are being put to good use.

**5\. Secure long-term support.**

Despite the growing concern about cyberattacks, too many companies still treat cybersecurity as a check-the-box exercise. They rely on a few email PSAs or perfunctory cybersecurity presentations a couple times a year, which fail to provide employees with consistent and engaging content that will secure sustainable behavioral change.

Because the cyber threat landscape is always shifting, companies have to keep employees updated on the latest cybercriminal tactics — such as the use of AI to craft convincing and targeted phishing messages at scale. Consistency is also necessary to reinforce what employees learn and identify weaknesses, such as the psychological vulnerabilities cybercriminals exploit. The goal of a security-awareness training program is to create a culture of cybersecurity at every level of the organization which can adapt to these challenges.

Cybercriminals are constantly developing increasingly sophisticated and effective ways to infiltrate companies by manipulating employees. This is why CISOs must secure long-term support for effective cybersecurity initiatives like a customer-satisfaction score (CSAT) from their boards — the threat is only becoming more dire, and companies have a responsibility to be prepared.

**About the Author(s)**

CEO, NINJIO

Dr. Shaun McAlmont is CEO of NINJIO Cybersecurity Awareness Training, and is one of the nation's leading education and training executives. Prior to NINJIO he served as President of Career and Workforce Training at Stride, Inc., had a decade-long tenure at Lincoln Educational Services, where he was President and CEO, and also served as CEO of Neumont College of Computer Science. His workforce and ed tech experience is supported by early student development roles at Stanford and Brigham Young Universities. He is a former NCAA and international athlete, and serves on the BorgWarner and Lee Enterprises boards of directors. He earned his doctoral degree in higher education, with distinction, from the University of Pennsylvania, a master's degree from the University of San Francisco, and his bachelor's degree from BYU.

How CISOs Can Make Cybersecurity a Long-Term Priority for Boards

Google has issued patches for 28 security vulnerabilities, including a critical patch for Androids with Qualcomm chips.

In April’s update for the Android operating system (OS), Google has patched 28 vulnerabilities, one of which is rated critical for Android devices equipped with Qualcomm chips.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

If your Android phone is at patch level 2024-04-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Qualcomm CVE is listed as CVE-2023-28582. It has a CVSS score of 9.8 out of 20 and is described as a memory corruption in Data Modem while verifying hello-verify message during the Datagram Transport Layer Security (DTLS) handshake.

The cause of the memory corruption lies in a buffer copy without checking the size of the input. Practically, this means that a remote attacker can cause a buffer overflow during the verification of a DTLS handshake, allowing them to execute code on the affected device.

Another vulnerability highlighted by Google is CVE-2024-23704, an elevation of privilege (EoP) vulnerability in the System component that affects Android 13 and Android 14.

This vulnerability could lead to local escalation of privilege with no additional execution privileges needed. Local privilege escalation happens when one user acquires the system rights of another user. This could allow an attacker to access information they shouldn’t have access to, or perform actions at a higher level of permissions.

**Pixel users**

Google warns Pixel users that there are indications that two high severity vulnerabilities may be under limited, targeted exploitation. These vulnerabilities are:

*   CVE-2024-29745: An information disclosure vulnerability in the bootloader component. Bootloaders are one of the first programs to load and ensure that all relevant operating system data is loaded into the main memory when a device is started.
*   CVE-2024-29748: An elevation of privilege (EoP) vulnerability in the Pixel firmware. Firmware is device-specific software that provides basic machine instructions that allow the hardware to function and communicate with other software running on the device.

On Pixel devices, a security patch level of 2024-04-05 resolves all these security vulnerabilities.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Google patches critical vulnerability for Androids with Qualcomm chips 

Red Hat Security Advisory 2024-1640-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include HTTP request smuggling, denial of service, local file inclusion, memory leak, and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1640.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2024:1640-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1640Issue date:         2024-04-03Revision:           03CVE Names:          CVE-2023-39326====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* automation-controller: Django: denial-of-service in 'intcomma' template filter (CVE-2024-24680)* automation-controller: aiohttp: http request smuggling (CVE-2024-23829)* automation-controller: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)* automation-controller: Jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)* automation-controller: cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)* automation-controller: aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)* automation-controller: Twisted: disordered HTTP pipeline response in twisted.web (CVE-2023-46137)* automation-controller: axios: exposure of confidential data stored in cookies (CVE-2023-45857)* automation-controller: GitPython: Blind local file inclusion (CVE-2023-41040)* python3-aiohttp/python39-aiohttp: http request smuggling (CVE-2024-23829)* python3-aiohttp/python39-aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)* python3-django/python39-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words() (CVE-2024-27351)* receptor: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)* receptor: golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* Fixed bug where schedule prompted variables and survey answers were reset on edit when changing one of the basic form fields (AAP-20967)* Fixed the update execution environment image to no longer fail jobs that use the previous image (AAP-21733)* Removed string validation using comparisons of English literals for comparison, replacing validation with error/op codes as a universal approach to validation and comparison (AAP-21721)* Fixed dispatcher to appropriately terminate child processes when dispatcher terminates (AAP-21049)* Fixed upgrade from Ansible Tower 3.8.6 to AAP 2.4 to no longer fail upon database schema migration (AAP-19738)* automation-controller has been updated to 4.5.5Updates and fixes for receptor:* Fixes a receptor dialing issue where the connection attempt is timed out too aggressively (AAP-21838, AAP-21828)* receptor has been updated to 1.4.5Additional fixes:* ansible-core has been updated to 2.15.10* ansible-runner has been updated to 2.3.6* python3-aiohttp/python39-aiohttp has been updated to 3.9.3* python3-django/python39-django has been updated  4.2.11* python3-pulpcore/python39-pulpcore has been updated 3.28.24Solution:CVEs:CVE-2023-39326References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2246264https://bugzilla.redhat.com/show_bug.cgi?id=2247040https://bugzilla.redhat.com/show_bug.cgi?id=2248979https://bugzilla.redhat.com/show_bug.cgi?id=2249825https://bugzilla.redhat.com/show_bug.cgi?id=2253330https://bugzilla.redhat.com/show_bug.cgi?id=2255331https://bugzilla.redhat.com/show_bug.cgi?id=2257854https://bugzilla.redhat.com/show_bug.cgi?id=2261856https://bugzilla.redhat.com/show_bug.cgi?id=2261887https://bugzilla.redhat.com/show_bug.cgi?id=2261909https://bugzilla.redhat.com/show_bug.cgi?id=2262921https://bugzilla.redhat.com/show_bug.cgi?id=2266045

Red Hat Security Advisory 2024-1640-03

UNAPIMON works by meticulously disabling hooks in Windows APIs for detecting malicious processes.

Source: Panchenko Vladimir via Shutterstock

Researchers have spotted Earth Freybug, a China-linked threat actor, using a new malware tool to bypass mechanisms organizations might have put in place to monitor Windows application programming interfaces (APIs) for malicious activity.

The malware, which researchers at Trend Micro discovered and named UNAPIMON, works by disabling hooks in Windows APIs for inspecting and analyzing API-related processes for security issues.

**Unhooking APIs**

The goal is to prevent any processes that the malware spawns from being detected or inspected by antivirus tools, sandboxing products, and other threat detection mechanisms.

"Looking at the behavior of UNAPIMON and how it was used in the attack, we can infer that its primary purpose is to unhook critical API functions in any child process," Trend Micro said in a report this week.

"For environments that implement API monitoring through hooking, such as sandboxing systems, UNAPIMON will prevent child processes from being monitored," the security vendor said. This allows malicious programs to run without being detected.

Trend Micro assessed Earth Freybug as being a subset of APT41, a collective of Chinese threat groups variously referred to as Winnti, Wicked Panda, Barium, and Suckfly. The group is known for using a collection of custom tools and so-called living-off-the-land binaries (LOLbins) that manipulate legitimate system binaries such as PowerShell and Windows Management Instrumentation (WMI).

APT41 itself has been active since at least 2012 and is linked to numerous cyber espionage campaigns, supply chain attacks, and financially motivated cybercrime. In 2022, researchers at Cybereason identified the threat actor as stealing large volumes of trade secrets and intellectual property from companies in the US and Asia for years. Its victims have included manufacturing and IT organizations, governments, and critical infrastructure targets in the US, East Asia, and Europe. In 2020, the US government charged five members believed to be associated with the group for their role in attacks against more than 100 organizations globally.

**Attack Chain**

In the recent incident that Trend Micro observed, Earth Freybug actors used a multistaged approach to delivering UNAPIMON on target systems. In the first stage, the attackers injected malicious code of unknown origin into vmstools.exe, a process associated with a set of utilities for facilitating communications between a guest virtual machine and the underlying host machine. The malicious code created a scheduled task on the host machine to run a batch script file (cc.bat) on the host system.

The batch file's task is to collect a range of system information and initiate a second scheduled task to run a cc.bat file on the infected host. The second batch script file leverages SessionEnv, a Windows service for managing remote desktop services, to side-load a malicious dynamic link library (DLL) on the infected host. "The second cc.bat is notable for leveraging a service that loads a nonexistent library to side-load a malicious DLL. In this case, the service is SessionEnv," Trend Micro said.

The malicious DLL then drops UNAPIMON on the Windows service for defense evasion purposes and also on a cmd.exe process that quietly executes commands. "UNAPIMON itself is straightforward: It is a DLL malware written in C++ and is neither packed nor obfuscated; it is not encrypted save for a single string," Trend Micro said. What makes it "peculiar" is its defense evasion technique of unhooking APIs so that the malware's malicious processes remain invisible to threat detection tools. "In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case," Trend Micro said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#ios