The settlement between the SEC and the owner of the New York Stock Exchange is a critical reminder of the vulnerabilities within financial institutions' cybersecurity frameworks as well as the importance of regulatory oversight.

Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

June 24, 2024

3 Min Read

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

The recent settlement between the US Securities and Exchange Commission (SEC) and Intercontinental Exchange Inc. (ICE), the owner of the New York Stock Exchange (NYSE), highlights significant issues within the realm of cybersecurity and corporate accountability. Below, we'll dissect the incident, scrutinize the involved parties' actions and responsibilities, and suggest practical measures to prevent future occurrences.

In 2018, a severe cyberattack on a subsidiary of ICE exposed highly sensitive information. The SEC's subsequent investigation revealed that ICE failed to implement adequate cybersecurity measures, compromising its systems. As a result, ICE was required to pay a $10 million settlement. This incident is a stark reminder of the critical need for robust cybersecurity practices, particularly for entities handling such vital financial data.

The primary accountability lies with ICE, which neglected to enforce stringent cybersecurity protocols. The SEC's findings indicate that ICE's subsidiary had multiple vulnerabilities that must be addressed adequately. This lack of preparedness is a significant breach of fiduciary duty to protect sensitive financial information.

The SEC's role in this scenario is crucial but paramount. It is responsible for regulatory oversight and enforcement, ensuring the market's integrity. The commission's proactive investigation and subsequent action against ICE demonstrate its unwavering commitment. However, the $10 million fine, while significant, raises questions about whether it is enough to deter future negligence by major financial institutions.

The primary gap lies in ICE's cybersecurity framework. Despite the known threats to financial institutions, ICE's subsidiary needed to prepare for a cyberattack. This highlights a broader issue within the industry, where cybersecurity is often deprioritized in favor of operational and financial concerns.

**An Inadequate Response**

The response to the cyberattack was inadequate. A well-prepared organization should have an incident response plan with immediate containment, investigation, and remediation steps. ICE's delayed and insufficient response allowed the attackers to exploit vulnerabilities extensively.

While the SEC's enforcement action is justifiable, it also reveals the pressing need for regulatory enhancements. The SEC should consider implementing more stringent guidelines and conducting regular audits to ensure financial institutions adhere to robust cybersecurity practices. This will help prevent similar incidents in the future.

Implementing a comprehensive cybersecurity strategy is necessary and practical for ICE and similar institutions. This includes regular vulnerability assessments, penetration testing, and advanced threat-detection systems. Adopting a zero-trust architecture, a security model that requires strict identity verification for every user and device attempting to access resources on a network, can significantly reduce the risk of unauthorized access, providing a practical and effective solution.

Human error is a critical factor in cybersecurity breaches. Regular employee training and awareness programs can reduce the risk of phishing and other social engineering attacks. Employees should be educated about the latest threats and the importance of following security protocols.

**Have a Clear Response Plan**

Organizations must develop and regularly update their incident response plans. These plans should outline clear steps for detecting, responding to, and recovering from cyberattacks. Regular drills and simulations can ensure that all stakeholders are prepared to act swiftly during a breach.

The SEC should consider implementing more rigorous cybersecurity requirements for financial institutions. Regular audits and compliance checks can ensure that these entities maintain high-security standards. Additionally, increasing penalties for non-compliance can serve as a stronger deterrent.

Financial institutions must unite and share information about threats and vulnerabilities. Establishing industry-wide forums or joining existing ones can help organizations stay informed about the latest cyber threats and best practices for mitigating them. This collaborative approach is not just beneficial but essential in the fight against cyber threats.

The $10 million settlement between the SEC and ICE is a critical reminder of the vulnerabilities within financial institutions' cybersecurity frameworks. While the SEC's actions highlight the importance of regulatory oversight, there is a clear need for enhanced cybersecurity measures, better incident response strategies, and more stringent regulatory requirements. By addressing these gaps, financial institutions can better protect sensitive information and maintain the integrity of the financial markets. 

Ensuring robust cybersecurity is a regulatory requirement and a fundamental aspect of modern business operations that demands continuous attention and improvement. Financial institutions must not establish only strong cybersecurity measures, but also regularly update and enhance them to keep pace with evolving threats.

**About the Author(s)**

Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

Jeffrey Wells is a distinguished cybersecurity, technology, and geopolitical risk leader with over 35 years of experience. His expertise is crucial in addressing cyber threats with significant geopolitical and security implications. Wells is a Visiting Fellow at George Mason University's Cyber and Tech Center (CTC) and a Truman National Security Project Defense Council Fellow.

He has extensive experience helping organizations design and operationalize cyber resiliency strategies, programs, incident response, and instituting business continuity worldwide.

As a founding partner of the NIST's National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices in the full spectrum of IT/OT and infrastructure ecosystems.

The NYSE's $10M Wake-up Call

After Sept. 29, 2024, organizations and individuals that continue using the vendor's products will no longer receive any updates or support.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

US businesses and consumers using Kaspersky's antivirus software products and services have until Sept. 29 to stop using them, following a Biden Administration ban earlier this week on sales of the company's technologies in the country over national security concerns.

Companies and individuals that continue to use Kaspersky products past that date will be doing so at their own — considerable — risk, because Kaspersky will no longer be able to offer any support or updates for its products after the deadline.

"It's a good time for CISOs along with other C-suite executives and board members to revisit their organizational use of the software and, frankly, to begin preparing for this to be a long-term aspect of government commercial cybersecurity regulation," says Andrew Borene, executive director at threat intelligence firm Flashpoint. "That means immediately evaluating the scope of any Kaspersky deployment, capturing current requirements, and identifying alternatives for delivering on those requirements once the ban takes full effect at the end of September."

**US Concerns About Kaspersky's Moscow Ties**

In a first-of-its-kind move, the US Department of Commerce, on June 20 formally banned Kaspersky from selling its products and services in the US, citing continued use of the company's software as presenting an "undue or unacceptable national security risk."

The Commerce Department's concerns have to do with Kaspersky being a Russian company and therefore apparently being obligated to turn over customer data to the government there, whenever asked for it.

"Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive US information," the Commerce department said.

The ban marks the first time the Commerce Department has used its authority under a Trump Administration 2019 Executive Order on Securing the Information and Communications Technology and Services Supply Chain (ICT).

As part of its action, the department also "designated" Kaspersky entities in Russia and the UK, meaning that US organizations and individuals are restricted from transacting business with them. In a related announcement, the US Department of Treasury placed similar restrictions on 12 key executives at Kaspersky, but notably not on the company's founder Eugene Kaspersky.

A Kaspersky spokesman described the Department of Commerce decision as likely motivated by the "current geopolitical climate and theoretical concerns rather than on a comprehensive evaluation of the integrity of Kaspersky's products and services." Kaspersky will pursue all available legal options to fight the decision, the spokesman said in an emailed statement. He added, "Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interests and allies."

The US government decision does not impact Kaspersky's ability to continue selling its threat intelligence services or its cybersecurity training programs in the US, the statement noted.

**Death Knell for Kaspersky in the US?**

Even so, the US government's moves this week could effectively mean the end for Kaspersky in the country. In September 2017 the US Department of Homeland Security banned Kaspersky from selling to US federal civilian executive branch agencies over similar national security concerns. Though the company appealed that decision, the Federal Acquisition Regulation Council made it an official and permanent ban in September 2019. With this week's actions, the US government has formally blocked it from selling to US private sector companies and individuals as well.

"The US government has had its eye on Kaspersky for quite a while, so the ban is not particularly surprising," says Eric Parizo, an analyst with Omdia. The 2019 Executive Order bans the use of IT products and services that are owned or directed by a foreign adversary and pose an unacceptable risk to US national security, he says.

This week's US government action does not explicitly prohibit US individuals and organizations from using Kaspersky products after Sept. 29, 2024. But since the vendor cannot provide software updates for existing customers after that date, continued use of the product would represent a clear security risk, Parizo says. "In light of these events, it would be prudent for Kaspersky customers in the US to immediately seek alternatives." What heightens the urgency is the fact that Kaspersky's software products — like all anti-virus tools — have a lot of access to sensitive data on systems on which they are installed, he says.

**Countdown to Kaspersky Sunset**

Adam Maruyama, field CTO at Garrison Technology, recommends that companies which need to replace Kaspersky software make sure to catalog and identify unmanaged corporate devices that may be running the company's software. This includes looking at systems belonging to contractors on the corporate network as well as employees using personal devices at work.

"In the longer term, companies need to be conscious that a 'rip and replace' of antivirus software may not fully remove root-level access points from their systems, as antivirus programs often require root level access that is not easily removed by uninstallers," Maruyama cautions.

Given the concerns that the Commerce Department has raised about data theft and the potential weaponization of Kaspersky software, organizations should closely monitor network security suites and technical behavior of systems where Kaspersky was previously installed, he says.

The focus should be on anomalous behavior such as continued callbacks to Kaspersky or other unidentified servers. "For users with the highest levels of access to high-risk data and administrative privileges, organizations with a critical infrastructure mission may even want to consider replacing devices that previously used Kaspersky antivirus products to guard against residual risk," he says.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Kaspersky's US Customers Face Tight Deadline Following Govt. Ban

PRESS RELEASE

SAN FRANCISCO, June 20, 2024 /PRNewswire/ -- Abstract Security, crafted by category creators who have consistently redefined the cybersecurity landscape, today announced general availability (GA) of its revolutionary platform designed for the future of security operations. Already in use by customers, Abstract's platform helps security analysts and operations teams navigate the complexities of data pipelines, increase security effectiveness and lower costs.

"Since the inception of Abstract, we've been working tirelessly to combat the challenges of security operations today, offering a tool that focuses on the data that matters and ties security back to business value," said Ryan Clough, co-founder and CPO of Abstract Security. "With the explosion of data over the last few years, customers need a more customizable approach that moves beyond saved searches and dashboards. We're excited to reach this GA milestone as we bring the future security operations platform to more customers."

A key feature of Abstract's platform is the Abstract Security Engineer (ASE), which leverages a combination of AI, expert systems, machine learning, and subject matter expertise and connects to data sources across an organization, delivering instant data and detection capabilities. The security data fabric approach enables:

*   Advanced analytics and correlation: Abstract's platform enables customers to surface threats across their enterprise and cloud infrastructure in real-time. It's powered by out-of-the-box detection content provided by the Abstract research team, which is purpose-built for cloud and SaaS threats.
    
*   Security pipelines: With data routing, transformation and enrichment that is geared for security telemetry, customers can reduce the volume and cost of log data sent to their SIEM. A single point of collection enables drag-and-drop routing of data to any number of sources, including cloud storage, SIEMs, and data platforms.
    
*   Optimized storage: 95% of collected log data is not usable for detection. Abstract's platform intelligently divides hot, warm, and cold storage tiers to automatically optimize storage and compute costs and make the data relevant to security analytics accessible via instant queries.
    

Since emerging from stealth and announcing its Seed funding earlier this year, Abstract Security has expanded its global footprint, hired an experienced technology leader as CTO, and appointed a long-time industry expert to its Board of Directors. To aid in the continued development of the Abstract Security platform, the team has added visionary and innovator Jon Oltsik to its Advisory Board. With over 35 years of technology industry experience, Jon founded the cybersecurity practice at the Enterprise Strategy Group (ESG) in 2003 and has spent the subsequent 20 years studying cyber threats, cyber-risk management, technical defenses, and CISO strategies. Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective. Jon is a founding member of the Cybersecurity Canon, a project dedicated to identifying a list of must-read books for all cybersecurity practitioners, and he was named one of the top 100 cybersecurity influencers by Onalytica.

"Defending against cyber-attacks is more difficult today than it's ever been. With the complexity of infrastructure and sheer volume of data that organizations must manage, today's security analytics teams are tired of the status quo," said Jon Oltsik, Advisory Board member of Abstract Security. "Working as an analyst and advisor has given me a unique perspective into the pain points of industry leaders, and that's why I'm so excited about the unique approach that Abstract Security is taking to solve the problems in the SIEM marketplace, and have the opportunity to support and guide the team as they grow."

In the past several months, Abstract has also been recognized by notable industry awards including a Global Infosec Award for "Pioneering Cybersecurity Startup" at RSA Conference 2024, and most recently, a 2024 Cybersecurity Excellence Award in both "Best Cybersecurity Startup" and "SIEM" categories. The team's commitment to crafting an excellent platform for customers, keeping their sights on innovation, and thoughtful leadership won Abstract the award in both categories, beating out more than 600 applicants.

To learn more about Abstract Security's growing team and accomplishments, visit https://www.abstract.security/our-team or watch this Q&A with Jon Oltsik and CEO Colby DeRodeff. To book a demo, please contact \[email protected\].

About Abstract Security  
Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

Co-founders Colby DeRodeff, Ryan Clough, Aaron Shelmire, and Chris Camacho bring a unique set of experiences and backgrounds in product development and company-building expertise, formerly at companies like ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and others. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

Abstract Security Announces General Availability of its AI-Powered Data Streaming Platform for Security

Government ministries keep falling victim to relatively standard-fare cyber-espionage attacks, like this latest campaign with hazy Chinese links.

Source: Mint Images Limited via Alamy Stock Photo

A Chinese-language advanced persistent threat (APT) has been spying on government ministries across the eastern hemisphere.

The first signs of it date back to late August of last year. Back then, the as-yet-unidentified group began to use a modified version of Gh0st RAT, nicknamed "SugarGh0st RAT," to spy on targets in South Korea, as well as the Ministry of Foreign Affairs in Uzbekistan. Since then, Cisco Talos revealed in a new blog post, the group now called "SneakyChef" has been cooking up new campaigns across more countries.

Based on its lure documents, likely targets for the campaign have included:

*   Ministries of foreign affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan
    
*   The ministries of agriculture and forestry, and fisheries and marine resources in Angola
    
*   The Saudi Arabian embassy in Abu Dhabi
    

Talos has not attributed SneakyChef to any particular government itself. They did note, however, the Chinese language preferences present in its code, its use of SugarGh0st RAT — particularly, though not exclusively popular among Chinese threat actors — and the similar profile of its targets.

**Sneaky Chef's Latest Servings**

Where early campaigns utilized malicious RAR files embedded in LNK files for initial infection, now SneakyChef prefers self-extracting RARs (SFX RAR). The shift offers some modest benefits.

"RAR files just got official support in Windows 11, so for anything prior to Windows 11, you need to have extra software to be able to extract the file," explains Nick Biasani, Cisco Talos' head of outreach. "A self-extracting RAR file eliminates the need for extra software, so it probably increases the likelihood of infection."

Among the goodies SFX RAR drops: a decoy document, a dynamic link library (DLL) loader, some encrypted malware — either SugarGh0st RAT or SneakyChef's newest tool, SpiceRAT — and a malicious Visual Basic (VB) script for establishing persistence.

The decoys are legitimate, scanned documents relating in some way to the targeted ministry or embassy. They'll describe some kind of government business, most often an upcoming meeting or conference. Notably, Talos was unable to find any of the documents used in recent campaigns on the open web. (This might indicate they were themselves obtained via espionage.)

When it comes to government cyberespionage, "What we commonly see is that this would be the 'first wave.' This actor is not typically highly sophisticated, they're more aiming to send a lot of lures and get a lot of people infected so they can get initial footholds and start gathering data," Biasani says. Then, when they need access to a specific, extra-secured government body. "That's when you start seeing the more sophisticated elements of these attacks play out."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'SneakyChef' APT Slices Up Foreign Affairs With SugarGh0st

PRESS RELEASE

June 18, 2024 – FS-ISAC, the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, today announced its 2024 Board of Directors.

Four new Directors and two incumbents have been named to join nine existing Board Directors. The Board oversees FS-ISAC’s global activity and coordinates with FS-ISAC’s Europe Board of Directors and UK Strategic Subsidiary Board. Kris Fador, Chief Information Security Officer for Bank of America, will serve as the Board’s Chair.

The newly elected Directors are:

*   Kristina Dorville, Chief Information Security Officer, Truist Insurance Holdings
    
*   Debbie Janeczek, Chief Security Officer, Technology Executive, Swift
    
*   Susan Koski, Chief Information Security Officer and Head of Enterprise Information Security, PNC
    
*   Bethany Netzel, Managing Director, Operational Resilience and Global Security, CME Group
    
*   The two re-elected incumbents are:
    
*   Kyle Davis, Cyber Fusion Center Principal, Target Corporation
    
*   Steve Sparkes, Chief Information Security Officer, Scotiabank
    

“FS-ISAC’s work is critical in educating the financial services industry on the latest cybersecurity threats and developing best practices to ensure the trust of clients, customers, regulators, investors and other key stakeholders,” said Kris Fador, Chief Information Security Officer for Bank of America. “It’s a privilege to chair this important organization and have this elite group of top security experts join the FS-ISAC Board of Directors to help strengthen the security of the global financial system.”

"The financial services sector is extremely dynamic and FS-ISAC provides critical information and intelligence sharing that strengthens our collective practices and resilience," said Bethany Netzel, Managing Director of Operational Resilience and Global Security at CME Group. "I am pleased to join the FS-ISAC board and work alongside other industry leaders to maintain our strong relationships and manage evolving risks."

Elections took place during a critical year for the financial services industry, marked by rapidly evolving technology and rising geopolitical tension. The deep cybersecurity and resilience expertise of the Board will directly support FS-ISAC’s work in real-time information sharing, strategic incident response, and managing emerging risks. 

“Through nearly a decade of working with FS-ISAC, I’ve seen first-hand the value of global information sharing in defending the sector from escalating cyber threats,” said Debbie Janeczek, Chief Security Officer, Swift. “We must employ a multifaceted approach that encompasses technical solutions, strategic preparation, and industry collaboration to defend against the changing threat landscape. I look forward to continuing my service of protecting the financial sector in this capacity.”

“With the increased use of digital technology in the financial services industry, the work of FS-ISAC is paramount to protecting financial institutions and their clients against global cyber threats,” said Steve Sparkes, EVP, Chief Information Security Officer and Enterprise Platforms, Scotiabank. “I am proud to have been re-elected to the FS-ISAC board, which brings together professionals in support of cyber resilience through the shared commitment of protecting client data.”

“The complexity of the risks facing the financial sector continues to grow, and our Board of Directors ensures our work evolves in accordance with the needs of our member firms and the people they serve,” said Steven Silberstein, CEO, FS-ISAC. “I welcome the new additions to the Board as we work together to reinforce trust in the global financial system.”

Board candidates submit applications to the Board Nominating Committee, who then nominate a slate chosen for leadership qualifications, demonstrated commitment to FS-ISAC’s work, and diversity of skillset, experience, sub-sector, geography, and background. The nominees are then elected by FS-ISAC’s membership. 

FS-ISAC thanks the Directors at the end of their term for their contributions and continued commitment to ensuring the security of the global financial services sector. 

Join the new Board of Directors at FS-ISAC’s Americas Fall Summit in Atlanta, October 27 – 30, 2024. To register, click here. 

About FS-ISAC

FS-ISAC is the member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system, protecting the financial institutions and the people they serve. Founded in 1999, the organization’s real-time information sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector’s collective security and defenses. Member financial firms represent $100 trillion in assets in 75 countries.

FS-ISAC Announces Appointments to Global Board of Directors

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: Inside China's civilian hacker army; outer space threats; and NIST 2.0 Framework secrets for success.

Source: Emre Akkoyun via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner:**

*   France Seeks to Protect National Interests With Bid for Atos Cybersec
    
*   Multifactor Authentication Is Not Enough to Protect Cloud Data
    
*   Global: Bug Bounty Programs, Hacking Contests Power China's Cyber Offense
    
*   Catching Up on Innovation With NIST CSF 2.0
    
*   Space: The Final Frontier for Cyberattacks
    
*   Addressing Misinformation in Critical Infrastructure Security
    

**France Seeks to Protect National Interests With Bid for Atos Cybersec**

By Jai Vijayan, Contributing Writer, Dark Reading

By offering to buy Atos' big data and cybersecurity operations. Paris is trying to make sure key technologies do not fall under foreign control.

The government of France's recent bid to acquire the big data and cybersecurity division of Atos for some $750 million is an indication of the financially beleaguered company's vital importance to the country's defense interests.

It's a move that analysts say is about retaining domestic control over technology integrated into sensitive government, defense industrial base systems, supercomputers for simulating nuclear bomb tests, and a range of other critical infrastructure. Atos is also the primary cybersecurity provider to the upcoming Olympic Games in Paris.

Importantly, if the deal goes through, the French government will have a direct stake in a company that can help significantly bolster its technology and cybersecurity capabilities. "It makes sense for the French government to upgrade its defenses," says Mike Janke, co-founder of DataTribe. "For years, we have seen governments invest in critical companies through numerous means, but it has been rare for them to buy a company. We'll see if this emerges as a trend."

Read more: France Seeks to Protect National Interests With Bid for Atos Cybersec

Related: Airbus Calls Off Planned Acquisition of Atos Cybersecurity Group

**Multifactor Authentication Is Not Enough to Protect Cloud Data**

By Robert Lemos, Contributing Writer, Dark Reading

Ticketmaster, Santander Bank, and other large firms have suffered data leaks from a large cloud-based service, underscoring that companies need to pay attention to authentication.

Over the past month a ransom gang possibly related to ShinyHunters or Scattered Spider, stole reams of customer records from Ticketmaster and Santander Bank and put it up for sale, asking for millions for the data. Both companies acknowledged the breaches after the postings.

The cause of the data leaks — and at least 163 other breaches — appears not be the use of stolen credentials and poor controls on multifactor authentication (MFA) for Snowflake cloud accounts.

But, while the theft of data from Snowflake's systems could have been prevented by MFA, the companies' failures go beyond the lack of that single control. Businesses using cloud services can learn important lessons from the latest spate of cloud breaches, researchers stress.

Read more: Multifactor Authentication Is Not Enough to Protect Cloud Data

Related: Snowflake Cloud Accounts Felled by Rampant Credential Issues

**Global: Bug Bounty Programs, Hacking Contests Power China's Cyber Offense**

By Robert Lemos, Contributing Writer, Dark Reading

With the requirement that all vulnerabilities first get reported to the Chinese government, once-private vulnerability research has become a goldmine for China's offensive cybersecurity programs.

China's cybersecurity experts over the past decade have evolved from hesitant participants in global capture-the-flag competitions, exploit contests, and bug bounty programs to dominant players in these arenas — and the Chinese government is applying those spoils toward stronger cyber-offensive capabilities for the nation.

Its civilian hackers have directly benefited China's cyber-offensive programs and are one example of the success of China's cybersecurity pipeline, which the government created through its requirement that all vulnerabilities be directly reported to government authorities, says Eugenio Benincasa, senior researcher at the Center for Security Studies (CSS) at ETH Zurich, in a new report.

"By strategically positioning itself as the final recipient in the vulnerability disclosure processes of civilian researchers, the Chinese government leverages its civilian vulnerability researchers, among the best globally, on a large scale and at no cost," he says.

Read more: Bug Bounty Programs, Hacking Contests Power China's Cyber Offense

Related: China APT Stole Geopolitical Secrets From Middle East, Africa & Asia

**Catching Up on Innovation With NIST CSF 2.0**

Commentary by Jamie Moles, Senior Technical Manager, ExtraHop

The updated framework is an equalizer for smaller organizations to meet the industry at its breakneck pace of innovation.

The National Institute of Standards and Technology's Cybersecurity Framework 2.0 (NIST CSF 2.0) provides an important roadmap for reexamining security initiatives, fending off evolving threats, and preparing to meet today's innovations with a more guided approach. While just a framework, it can be used to inform three critical changes all organizations should make in the year ahead.

1\. Building a New Approach to Securing Infrastructure: A strong governance strategy establishes all people, process, and organizational concerns for cybersecurity. This includes the development of a cybersecurity strategy and policies, oversight for the strategy and policies, controls for supply chain, and more.

2\. Investing to Fit Specific Business Needs: NIST CSF 2.0 can help determine areas and levels of risk, and from there, organizations can decide on the right solutions.

3\. Developing an Organizationwide Approach to Security Hygiene: While the right tools are essential, a critical part of NIST CSF 2.0's "Protect" focuses on awareness, training, and identity and access management as critical safeguards to managing risk.

Read more: Catching Up on Innovation With NIST CSF 2.0

Related: NIST Releases Cybersecurity Framework 2.0

**Space: The Final Frontier for Cyberattacks**

By Jai Vijayan, Contributing Writer, Dark Reading

A failure to imagine — and prepare for — threats to outer-space related assets could be a huge mistake at a time when nation-states and private companies are rushing to deploy devices in a frantic new space race.

A distributed denial-of-service (DDoS) attack this week disabled electronic door locks across a major lunar settlement, trapping dozens of people indoors and locking out many more in lethal cold. The threat actor behind the attack is believed responsible for also commandeering a swarm of decades-old CubeSats last year and attempting to use them to trigger a chain reaction of potentially devastating satellite crashes.

Neither "incident" has happened, of course. Yet. But they well could, sometime in the not-too-distant future, and now is the time to start thinking about and planning for them.

Assessing capabilities in cybersecurity is never easy, and it’s even worse for the space domain because of the inherent national-security concerns that may classify much of that information. Space cybersecurity is shrouded in mystery from the start, which isn't surprising since space launches started as military missions.

But security by obscurity will not be an option for long.

Read more: Space: The Final Frontier for Cyberattacks

Related: The European Space Agency Explores Cybersecurity for Space Industry

**Addressing Misinformation in Critical Infrastructure Security**

By Roman Arutyunov, Co-Founder & Senior Vice President, Products, Xage Security

As the lines between the physical and digital realms blur, widespread understanding of cyber threats to critical infrastructure is of paramount importance.

The Francis Scott Key Bridge collapse in Baltimore, Md., in late March sent shockwaves through the country. Almost immediately, there was widespread speculation and conspiracy theories regarding its cause, including fears of a cyberattack. Although investigations ruled out deliberate sabotage, the incident raised public concern about the vulnerability of physical infrastructure. Some members of Congress even called for further investigation into the possibility of malicious code being involved.

The incident highlighted a general lack of awareness regarding the reality and scale of cyber-risks to critical infrastructure. While physical incidents capture headlines and public attention, silent, invisible attacks on critical infrastructure remain poorly understood.

Theorizing can distort public understanding of cyber threats, undermine trust in legitimate news sources, and complicate efforts to educate the public and stakeholders about the fundamental nature of cyber threats and the necessary precautions to mitigate them. The public's reaction to the Francis Scott Key Bridge collapse demonstrates the collective anxiety about cyber threats to critical infrastructure.

Read more: Addressing Misinformation in Critical Infrastructure Security

Related: Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

CISO Corner: Critical Infrastructure Misinformation; France's Atos Bid

PRESS RELEASE

DALLAS and TOKYO, June 18, 2024— VicOne, an automotive cybersecurity solutions leader, today announced that its xNexus and xZETA solutions are available in AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS). xNexus is a next-generation vehicle security operations center (VSOC) platform and xZETA is an automotive vulnerability and software bill of materials (SBOM) management system. These safeguard the automotive software supply chain with unique zero-day threat intelligence, providing accurate, contextualized, and actionable insights for risk assessment.

AWS customers will now have access to VicOne’s solutions directly within AWS Marketplace. VicOne provides AWS customers with the ability to streamline the purchase and management of xNexus and xZETA within their AWS Marketplace account. 

“In various ways, our listing in AWS Marketplace is another of our efforts to help automotive manufacturers to securely put in place all of the many high-quality solutions they need across a globally scoped software supply chain for SDVs (software-defined vehicles),” said Max Cheng, chief executive officer of VicOne. “By accessing VicOne solutions, customers, MSSPs (managed security service providers) and other partners can more efficiently and simply offer our products to protect the automotive software supply chain against zero-day vulnerabilities and cyberattacks.” 

xNexus integrates with VicOne’s in-vehicle VSOC sensor, leveraging a unique large language modeling (LLM) approach to provide customized reporting to support VSOC teams. xNexus provides VSOC teams with actionable and contextualized attack paths based on different stakeholders’ needs. The capabilities delivered by VicOne’s next-gen VSOC platform accelerate threat investigations, enable confident response to attacks, and effectively reduce the burden of chasing false alarms. 

xZETA is an automotive vulnerability and SBOM management system that scans vehicle software to identify zero-day, undisclosed, known, and customer-discovered vulnerabilities, along with CWE, malware, and advanced persistent threats. Through xZETA’s patent-pending VicOne Vulnerability Impact Rating (VVIR) technology, external and internal insights are integrated to prioritize high-risk vulnerabilities. This enables swift identification of high-risk issues and formulation of corresponding strategies. Information feeds back into Threat Analysis and Risk Assessment (TARA) results to ensure alignment with ISO/SAE 21434 processes and maintain continuous monitoring.

Services will be available in Japan as soon as it is ready.

To learn more about the VicOne solutions available in AWS Marketplace, please visit here.

About VicOne

With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers and suppliers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro’s 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles. For more information, visit vicone.com.

You May Also Like

VicOne Solutions for Detection of Zero-Day Vulnerabilities and Contextualized Attack Paths

The nonprofit Security Alliance is providing funds to protect security researchers who illegally access crypto assets with the aim of improving security.

Source: Nazarii Karkhut via Alamy Stock Photo

Thieves have stolen cryptocurrency worth billions of dollars from cryptocurrency exchanges and wallets. As security researchers probe the defenses of cryptocurrency platforms, an industry group is partnering with the Security Research Legal Defense Fund to ensure that these researchers are protected from legal threats.

In February, platforms including the Ethereum and Filecoin foundations; crypto-focused venture funds, like Paradigm and a16z crypto; and others — which have been battered by successive years with multibillion-dollar heists — formed the nonprofit Security Alliance to address the specific security needs of their industry. The group has launched various initiatives to improve companies' resilience, such as the emergency response bot Seal 911, the Security Alliance Information Sharing and Analysis Center, and now the Whitehat Legal Defense Fund.

Researchers who follow the principles of the Whitehat Safe Harbor Agreement and face legal expenses incurred by their actions can apply to the Security Research Legal Defense Fund (SRLDF) for money earmarked by crypto donors. To be eligible, the researcher must show financial need, have hacked in good faith for the purposes of vulnerability disclosure, and aimed to avoid harm to the public with the goal of improving the security of computers or software. The SRLDF board must approve any funding decisions.

While discerning the difference between good-faith and bad-faith efforts might, in theory, seem difficult, in practice bad-faith actors tend to make themselves clear. Earlier this week, for example, the Kraken crypto-trading platform alleged that a security researcher found a security flaw and filed for a bug bounty, but also refused to return funds stolen as part of testing the concept. That application for legal funding would probably not fare well.

**About the Author(s)**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Legal Defense Fund Covers Crypto Research

Ticketmaster, Santander Bank, and other large firms have suffered data leaks from a large cloud-based service, underscoring that companies need to pay attention to authentication.

Source: Frost79 via Shutterstock

A cybercriminals group known as UNC5537 has been on a tear.

Over the past month, the ransom gang, possibly related to ShinyHunters or Scattered Spider, stole more than 560 million customer records from Ticketmaster and posted it for sale on its reconstituted leak site, BreachForums, on May 28, asking for $500,000. Two days later, the group claimed to have stolen 30 millions account records from Spain-based Santander Bank, asking for a cool $2 million. Both companies acknowledged the breaches after the postings.

The cause of the data leaks — and at least 163 other breaches — appears not to be a vulnerability but the use of stolen credentials and poor controls on multifactor authentication (MFA), according to a June 10 analysis by incident-response firm Mandiant, part of Google.

"Mandiant's investigation has not found any evidence to suggest that unauthorized access to Snowflake customer accounts stemmed from a breach of Snowflake's enterprise environment," Mandiant stated in its analysis. "Instead, every incident Mandiant responded to associated with this campaign was traced back to compromised customer credentials."

While the theft of data from Snowflake's systems could have been prevented by MFA, the companies' failures go beyond the lack of that single control. Businesses using cloud services need to make sure that they have visibility into their attack surfaces, quickly removing the accounts of former employees and contractors and reducing the avenues through which opportunistic attackers could compromise systems, networks, or services, says Chris Morgan, senior cyber threat intelligence analyst at cloud-native security platform provider ReliaQuest.

"The biggest lesson learned is that threat actors do not need to employ sophisticated techniques," he says. "Targeting the low-hanging fruit — in this case, insecure credentials — can be achieved with little effort from the threat actor but provides ample opportunities."

Here are five lessons from the latest spate of cloud breaches.

**1\. Start With MFA and Then Go Beyond**

There is a lot of room for growth in the adoption of MFA. While 64% of workers and 90% of administrators used MFA, according to a report released a year ago, more than six out of every 10 organizations have at least one root user or administrator without MFA enabled on an account, according to Orca Security's "2024 State of Cloud report."

Businesses need to get to a consistent — and verifiable — 100%, says Ofer Maor, co-founder and chief technology officer at cloud-security firm Mitiga.

Companies should "make sure MFA is enforced and required, and if using \[single sign-on\], make sure non-SSO login is disabled," he says. "Go beyond traditional MFA \[and\] turn on additional security measures, such as device- \[or\] hardware-based authentication for sensitive infrastructure."

Organizations should also put access control lists (ACLs) in place, restricting where users can access a cloud service or at least enabling reviews of access logs on a daily basis to spot any anomalies.

This further limits the ability of cyberattackers, says Jake Williams, faculty analyst and cybersecurity practitioner at analyst firm IANS Research.

"Really, for pretty much any cloud infrastructure ... it is a best practice to restrict what IP addresses folks can come from," he says. "If you can't, then access reviews are all the more important to make sure that people aren't coming from someplace you don't expect."

**3\. Maximize Visibility Into Cloud Services**

Companies need to also have a meaningful way of continuously monitoring for applications. Log data, access activity, and services that aggregate data sources into a complete picture can help companies detect and prevent attacks, like those on Snowflake.

In addition, organizations need to be able to alert on specific behavior or threat detections — an approach that would have detected the cybercriminals' attempts at accessing their cloud data, says Brian Soby, CTO and co-founder at AppOmni, a software-as-a-service security posture management firm.

"While security operations teams are spread thin and generally don't have the opportunity to develop deep expertise in the various applications used by their companies, their tooling and security platforms should have quickly identified these issues," he says. "In this scenario, there were certainly anomalous logins from unusual locations and the connection of highly questionable attacker applications to customer Snowflake instances."

**4\. Don't Rely on Your Cloud Providers' Defaults**

While cloud-service providers like to emphasize that security is a shared responsibility model, unless an attacker breaches the cloud provider's infrastructure or software — such as in last year's vulnerabilities in Progress Software's MoveIT Cloud service and MoveIT Transfer software — the responsibility almost always falls onto the customer.

Yet, often cloud providers prioritize usability over security, so companies should not rely on their providers' defaults to be secure. There is a lot that Snowflake, for example, could have done to make managing MFA easier, include turning on the security control by default, says Mitiga's Maor.

"What enables this attack to be successful, and at this scale, is that the default setting of Snowflake accounts does not require MFA, meaning once you get a compromised username and password, you can get full access immediately," he says. "Normally, high-sensitivity platforms would require users to enable MFA. Snowflake not only does not require MFA but also makes it very hard for administrators to enforce this."

**5\. Check Your Third Parties**

Finally, companies should also note that — even if they are not using Snowflake or another cloud service — a third-party provider may use the service for its back end, exposing their data to risk, says IANS Research's Williams.

"Your data may be in Snowflake, even if you're not using it," he says. "That's the complexities of supply chains today ... you're giving your data to a third-party service provider, who is then putting it into Snowflake and may or may not be using best practices."

Organizations should reach out to all of their service providers with access to their data and ensure that they are taking the proper steps to protect that information, Williams says.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Multifactor Authentication Is Not Enough to Protect Cloud Data

Audit compliance not only demonstrates commitment to data security and privacy but also builds trust with customers and stakeholders.

Jason Miller, No-code Evangelist & Principal Consultant, Creatio

June 21, 2024

4 Min Read

Source: NicoElNino via Alamy Stock Photo

COMMENTARY

The data collected through the growing adoption of digital technologies presents enterprises with a chance to enhance their engagement strategies and a gives them a duty to ensure the security of customer information.  

A recent survey conducted by McKinsey shows the growing awareness among consumers about privacy rights, with 87% of respondents indicating they would not do business with an organization if they had concerns about its security practices. Given this increasing public awareness, the approach businesses take toward managing data and privacy can serve as a key differentiator and even provide a strategic advantage in the marketplace.  

Service Organization Control 2 (SOC 2) is an auditing procedure that ensures service providers securely manage data to protect the privacy of their clients and the interests of the organization. It serves as a benchmark for service-oriented businesses to showcase their dedication to the highest standards of data security. 

**Steps Toward SOC 2 Type II Compliance**

Achieving SOC 2 Type II compliance can be a daunting task. Here's a comprehensive road map to assist companies in navigating this journey more smoothly: 

**1\. Understand the Requirements  **

Understanding the specific requirements of SOC 2 Type II involves familiarizing yourself with the five trust service criteria (TSC) — security, availability, processing integrity, confidentiality, and privacy — and determining which apply to your organization's operations. 

**2\. Conduct a Gap Analysis **

A thorough gap analysis, covering all aspects of your operations, from IT infrastructure to employee training programs, helps identify areas where your current controls may fall short of SOC 2 standards. Automate this process by collecting data across various systems and generating reports that highlight discrepancies between current practices and SOC 2 standards. 

**3\. Develop and Implement Controls **

Following your gap analysis, develop applications or workflows that address identified gaps without the need for extensive coding — including automating compliance processes, enhancing data protection measures, or streamlining access controls — making it easier to tailor solutions to your organization's specific needs.  

**4\. Document Policies and Procedures **

Documentation is a critical component of SOC 2 Type II compliance. It's not enough to have controls in place; you must also have documented policies and procedures that describe how these controls are implemented and maintained. Creating and managing documentation can help organize policies and procedures in an easily accessible manner, ensuring that they are up to date and readily available for both your team and auditors. 

**5\. Engage in Continuous Monitoring **

SOC 2 Type II requires evidence of continuous monitoring and effectiveness of controls over time. Set up automated monitoring systems to track the performance of your controls in real-time, alerting you to any issues immediately, which helps in maintaining continuous compliance and addressing problems promptly.

**6\. Choose a Qualified Auditor **

Selecting the right auditor is crucial for a successful SOC 2 Type II audit. Look for auditors with experience in your industry and a deep understanding of the SOC 2 framework. The right auditor will not only assess your compliance but can also provide insights that help improve your security posture. 

**7\. Prepare for the Audit **

Preparation is key to a successful audit. Organize documentation, controls evidence, and compliance reports in a centralized database. This ensures that all necessary information is easily accessible and can be presented efficiently during the audit. 

**8\. Continuous Improvement **

Compliance with SOC 2 Type II is not a one-time event but an ongoing commitment. By automating this process, you can enable quick adjustments to workflows, policies, and controls, allowing your organization to stay agile and adapt to new threats, regulatory changes, or business growth, without the need for extensive coding resources.  

**Secure the Future with Customers' Trust  **

Achieving SOC 2 Type II compliance is a significant undertaking, but enterprises can improve the efficiency and accuracy of audits by streamlining data collection, verification, and anomaly detection processes via unified workflow automation, automated reports and dashboards, and single-source data storage that eliminates out-of-sync or duplicate data. Audit compliance is an investment in a company's future. It not only demonstrates the commitment to data security and privacy but also builds trust with customers and stakeholders. By following these steps and fostering a culture of continuous improvement, organizations can navigate the SOC 2 Type II compliance process more effectively and establish themselves as leaders in data security.

**About the Author(s)**

No-code Evangelist & Principal Consultant, Creatio

Jason Miller is a digital leader and no-code evangelist who enables companies to improve their operations through no-code technology and helps drive value in their business workflows with a focus on productivity, automation, and higher customer engagement. With more than 15 years of experience in technological solutions spanning various industries, he has helped numerous organizations bring their projects to life by delivering a unique view into how the advent of digital technologies can vastly increase the pace of change in business environments.

Source

DARKReading