A contrarian mindset with applied imagination allows security professionals to assess problems in their organizations, prevent failures, and mitigate vulnerabilities.

During the global war on terror, a group of commissioned and noncommissioned officers in the United States military participated in a unique training event. Soldiers of various ranks, all with different specialties, assembled in a remote location where they were stripped of rank and other identifying markers. They changed clothes, adopted new names, and modified the very rhythm of their daily lives. And from there, they began planning a simulated attack on their own forces.

The exercise, an ongoing training opportunity called "Mirror Image" being conducted by the Terrorism Research Center, is part of a greater philosophy called red teaming. The simulation helped participants explore their predispositions and organizational weaknesses. Changing routines helped them better understand enemy motivations and anticipate possible insurgent attacks. It also revealed how biases and expectations interfered with reality.

In the business world, cybersecurity professionals use red teaming to test their organizations' defenses before something happens. But other groups can utilize the concept to test resilience, blind spots, and continuity in the face of a crisis.

Organizations should conduct red-teaming exercises at scale to manage risk holistically. The idea is to understand potential outcomes based on multiple strategic options, utilizing scenarios to identify blind spots and model threats to eliminate weaknesses before adversaries exploit them. It is a valuable tool in both policy and decision-making.

**Make the Most of Your Red-Teaming Exercise**

Here are some actions to take to ensure your organization gets the most out of red teaming:

**Ask where the enemy is going.** An effective red-team exercise reveals exploits in your security systems and processes. The entire point is to find failures. This isn't always easy for professionals to accept and encourage. Foster an environment of openness that allows teams to explore threats and how they'll try to overcome defenses in place. Ultimately, red teaming provides growth opportunities that improve threat response when the time comes.

**Evaluate the response, not just the defense.** Red teaming is more than a penetration test. Knowing where your gaps are is crucial, but knowing how your team reacts to a crisis is far more valuable. While defense, mitigation, and deterrence are essential, sometimes defenses fail or plans go awry. It's useful to model a scenario where your defenses or mitigation strategies fail, so your company can react and prepare for something similar in real life.

**Model information flow.** Critical information doesn't always get to the right people in a crisis. According to a recent survey, 51% of threats that disrupted business continuity or resulted in harm or death in 2022 could have been avoided if all functions shared risk intelligence and viewed it with a common approach and platform.

**Test your assumptions.** Many defensive measures are built on a set of assumptions about risk and their likelihood. However, our study reveals disagreement within companies and departments over which events threaten business continuity. Security gaps are more likely to occur when teams aren't on the same page. In such situations, people overlook problems or assume someone else will handle an issue. Red teaming clears up questions around responsibility and how to weigh risks.

**Test your processes.** Red teaming can be used to test physical defenses and cybersecurity, but it is also a useful tool to assess processes. In security, an overly complicated or ill-defined process can be just as harmful as inadequate barriers or cameras. Tabletop exercises or war games force organizations through their processes to see how well they work.

**Explore alternative futures.** Structural analytic techniques help business organizations and security professionals apply imagination to forecast alternative futures for their decisions. This kind of exercise is not about prognostication but expanding one's critical mindset to understand the many variables that impact the organization and possibilities for the future. This red-team approach offers organizations insight used for decision-making by recognizing the complexity of choices and their impacts on the company or security.

**Adopt a Holistic Viewpoint**

The concept of red teaming is based on the Catholic Church office of the devil's advocate, but it was greatly expanded to assess Soviet intentions and capabilities. That's where it got its name: The US adversary during the Cold War was the Soviet Union, aka the Reds. Recently, cybersecurity teams adopted red teaming to expose weaknesses in their systems and prevent threat exposure.

The fact is that enterprises face a wide variety of threats — from lawsuits, activists, insider threats, and even workplace violence. Yet nearly every Google search result for red teaming today relates to cybersecurity. As a result, few people know whether their crisis plans are up to date or how a crisis will test them and their teams.

Red teaming is a holistic, multidisciplinary effort that arms teams with practical enterprise risk-mitigation software and other tools across the entire threat landscape. At a minimum, risk-focused teams can use it to test defenses against a wide range of threat actors and identify unseen security gaps influenced by biases and assumptions.

However, its actual value is how it shapes the ways organizations prepare for crises and unforeseen events. Red teaming opens a window to how your organization will perform under duress, making it a valuable exercise to recognize and gauge real and potential risks.

Most importantly, red teaming is a mindset, not just a set of tools or putting security on offense. Red teams are the contrarians in the room, willingly saying what other people will not to challenge the status quo. That is the essence of red teaming, and any security professional can adopt that attitude to assess problems in their organization, prevent failure, or mitigate vulnerabilities. The mindset of a red teamer is what shapes organizations for the better.

Red Teaming at Scale to Uncover Your Big Unknowns

If you haven't done so already, it's time to take the first step toward solving this application security dilemma.

We are seeing a significant surge in attacks against applications such as cross-site scripting, brute-force attacks, and SQL injections, which is raising significant concerns. So much so that application security has been labeled "nonnegotiable" and has appropriately become a priority for many, while Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), is campaigning for the tech industry to take responsibility for secure products.

Technology solutions like penetration testing and code scanning are undeniably valuable for mitigating insecure software, but in themselves they are not enough. As many as 70% of organizations are missing critical security steps in their software development life cycle (SDLC) and vulnerabilities are rising exponentially. To solve this dilemma, enterprises need to shift their focus from finding, patching, and fixing vulnerabilities to proactively ensuring they don't deliver insecure code in the first place. This requires human foresight, and as a result, greater investment in education for all those responsible for developing software to ensure they can not only recognize key security principles and vulnerabilities, but also apply their knowledge to novel situations to better secure applications.

**Going Beyond Code Scanning**

An overdependence on code-scanning tools, or source code analysis tools, is an example of security being left too late in the SDLC. Code scanning to identify vulnerabilities before an application goes live is a key cog in the secure software development machine, yet prevention is always better than cure (as we know from Boehm's law that flaws become more costly to fix over time).

The main issue is that code-scanning tools run the risk of large numbers of false positives, eventually leading to "alert fatigue," where developers ignore any flaws flagged, eventually creating a false sense of security. What's more, when critical issues are highlighted, it likely becomes the developer's responsibility to identify and fix this insecure code, and they need the knowledge to actually apply these fixes.

This is where greater investment in secure coding training and continuous education for the developer and everyone that supports them across the SDLC comes in. Code scanning still has a significant role to play, yet it would be far more valuable if supported by programmatic training on security principles and best practices. This is not simply to raise "awareness" of key vulnerabilities but to empower teams with the knowledge to code securely and prevent critical issues before they reach scanning tools or even production. It can also reduce the burden on developers by avoiding added pressure to patch at the last stage. Instead, the approach should be to "start left" and ensure security is baked in from the beginning (as advocated by Easterly).

Research backs this up; an EMA survey of software development professionals found only 10% of organizations utilizing code scanning tools prevented more vulnerabilities than those that don't, however, continuous training greatly improved code security for over 60% of organizations that adopted it. But it is not necessarily the case of one or the other: EMA argues that a combination of code scanning, code reviews, and continuous, third-party training is the best approach to more secure software development.

**Embracing More Secure Habits**

Coding securely essentially needs to become a more lasting and ingrained habit. Yet behavioral change is challenging without the knowledge and education to support it. Truly enacting change to ensure application security becomes nonnegotiable means investing in developer and SDLC team training that encourages and enables more secure habits. And it's important to recognize that these secure habits will change depending on the role of each professional.

For example, development leaders will not be personally responsible for developing code, so instead will need to look at how they become accountable for developing applications with fewer vulnerabilities. Ensuring security features are considered "lifeboat" features — an essential before releasing code — may require a shift in habits but will be invaluable for boosting application security. For software developers themselves, their secure habits may be embracing those all-important code scans or reviews earlier along in the development process, but this will only be relevant if they can recognize the value of secure coding and have the knowledge to reduce as many vulnerabilities as they can in the first place.

If you haven't done so already, it's time to take the first step toward solving this application security dilemma. Yet the SDLC needs to go far beyond reactive patching and code scanning, and instead look at how to empower teams, reduce late-stage burdens, and invest in continuous education if we're really to turn the tide on rising application vulnerabilities.

Application Security Requires More Investment in Developer Education

Open source software continues to pose a challenge for companies. With the proper security practices, you can reduce your open source risk and manage it.

Across all industry sectors, open source software continues to pose a challenge for software security. We're all aware that vulnerabilities in commercial and open source software, applications, and operating systems can result in software supply chain breaches, but now we're seeing attackers who are targeting Web applications, API servers, mobile devices, and the software components required to build them.

The latest edition of Synopsys' annual study on open source security has just been released. The "Open Source Security and Risk Analysis" (OSSRA) study from Synopsys looks at the findings of more than 1,700 commercial codebase audits,.

Of the 1,703 codebases that Synopsys audited in 2022, 96% of them contained open source. Aerospace, Aviation, Automotive, Transportation, and Logistics; EdTech; and Internet of Things were three of the 17 industry sectors included in the 2023 OSSRA report that had open source in 100% of their audited codebases. In the remaining verticals, over 92% of the codebases contained open source.

**High-Risk Vulnerabilities Persist in Code**

Since 2019, high-risk vulnerabilities have increased by at least 42% across all 17 OSSRA businesses, with surges soaring to +557% in the retail and e-commerce sectors and +317% in the computer hardware and semiconductors sector.

A five-year retrospective, new to the OSSRA report this year, gives a more comprehensive picture of open source and security trends. Despite variations by industry, the overall open source content of audited codebases grew across the board. Several industries also showed alarming increases in the number of vulnerabilities found in their codebases, indicating a concerning lack of vulnerability mitigation.

One significant area that continues to be a challenge is patch management. Of the 1,703 codebases audited, 89% contained open source that was more than four years out of date (a 5% increase from 2022's report). And 91% used components that were not the latest available version. That is, an update or patch was available but not applied. Along with patch management, license conflicts continue to pose security problems. This year, 54% of audited codebases contained codebases with license conflicts, up 2% from last year.

There are valid reasons for not updating software, but a significant portion of the 91% figure is probably attributable to development teams not being aware that a newer version of an open source component is available. If a company doesn't maintain a precise and current inventory of the open source utilized in its code, a component may go unnoticed until it is exposed to a high-risk exploit.

That's exactly what happened with Log4j, and it's still an issue more than a year later. Despite the public attention it garnered and the many steps businesses may take to verify and fix Log4j's presence in their codebase, it persists in 5% of all codebases and 11% of audited Java codebases.

**Establish Open Source Best Practices for Security**

Establishing software governance best practices can help you launch an open source software management program to protect your resources and data from zero-day vulnerabilities.

**1\. Define your policy.**

Building an open source policy for your organization minimizes your legal, technical, and business risks. You want to identify your key stakeholders, then define your organization's open source software goals, existing utilization, and target usage. The policy should cover open source patches and licenses as well as identifying who will be responsible for maintaining them.

**2\. Create an approval process.**

Establish an approval process to assess if a software package fulfills your organization's needs and quality standards. Consider code quality, support, project maturity, contributor reputation, and vulnerability patterns. An approval process that considers these criteria will prevent teams from having multiple versions of the same software package in your organization's code, some of which may not have been patched or upgraded.

**3\. Audit for open source software.**

Audits reveal your open source software and ensure compliance with company regulations. This can help you locate components for open source license compliance and vulnerability disclosure. You should perform open source scans throughout the software development life cycle (SDLC), but you should ensure that a final scan is done every time an application is built into a release candidate that utilizes open source software, especially if you rely on components from third parties.

**4\. Build an SBOM**

A software bill of materials (SBOM) is a list of all the open source and third-party components present in a codebase. An SBOM also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status, which allows security teams to quickly identify any associated security or license risks. Automating this operation eliminates manual, inaccurate open source inventories.

By putting in place the proper security practices, you can stay on top of your open source vulnerability risk and build a robust system for managing it.

**About the Author**

    

Charlotte Freeman has been writing about tech and security for over 20 years. She's currently a senior security writer for the Synopsys Software Integrity Group.

Open Source Vulnerabilities Still Pose a Big Challenge for Security Teams

Nexus, offered in a malware-as-a-service model, is the latest in a vast and growing array of trojans targeting mobile banking and cryptocurrency applications.

A threat actor is targeting customers of 450 banks and cryptocurrency services worldwide with a dangerous Android trojan that has multiple features for hijacking online accounts and potentially siphoning funds out of them.

The authors of the so-called "Nexus" Android Trojan have made the malware available to other threat actors via a newly announced malware-as-a-service (MaaS) program, where individuals and groups can rent or subscribe to the malware and use it in their own attacks.

Researchers at Italian cybersecurity firm Cleafy first spotted Nexus last June, but at the time assessed it to be a rapidly evolving variant of another Android banking Trojan they were tracking as "Sova.. The malware contained several chunks of Sova code and had capabilities at the time for targeting more than 200 mobile banking, cryptocurrency and other financial apps. Cleafy researchers observed what they assumed was the Sova variant hidden in fake apps with logos that suggested they were Amazon, Chrome, NFT and other trusted apps.

But in January, Cleafy researchers spotted the malware—now more evolved—surfacing on multiple hacking forums under the name Nexus. Shortly thereafter, the malware authors began making the malware available to other threat actors via its new MaaS program for the relatively price of $3,000 a month.

Federico Valentini, head of Cleafy's threat intelligence team, says it's unclear how threat actors are delivering Nexus on Android devices. "We didn't have access to specific details on Nexus's initial infection vector, as our research was mainly focused on analyzing its behavior and capabilities," Valentini says. "However, based on our experience and knowledge of similar malware, it is common for banking trojans to be delivered through social engineering schemes such as smishing," he says referring to phishing via SMS text messages.

**Multiple Features for Account Takeover  
**

Cleafy's analysis of Nexus showed the malware to contain several features for enabling account takeover. Among them is a function for performing overlay attacks and logging keystrokes to steal user credentials. When a customer of a target banking or cryptocurrency app, for instance, attempts to access their account using a compromised Android device, Nexus serves up a page that looks and functions exactly like the login page for the real app. The malware then uses its keylogging feature to grab the victim's credentials as entered in the login page.

Like many banking Trojans, Nexus can intercept SMS messages to grab two-factor authentication codes for accessing online accounts. Cleafy found Nexus capable of abusing Android's Accessibility Services feature to steal seeds and balance information from cryptocurrency wallets, cookies from websites of interest, and two-factor codes of Google's Authenticator app.

The malware authors also appear to have added new functionalities to Nexus that were not present in the version that Cleafy observed last year and initially assumed was a Sova variant. One of them is a feature that quietly deletes received SMS two-factor authentication messages and another is a function for stopping or activating the module for stealing Google Authenticator 2FA codes. The latest Nexus variant also has a function for periodically checking its command-and-control server (C2) for updates and for automatically installing any that might become available. A module that appears to be still under development suggests that the authors might implement an encryption capability in the malware, most likely to obfuscate its tracks after completing an account takeover.

**Nexus: A Work in Progress?**

Valentini says Cleafy's research suggests that Nexus has compromised potentially hundreds of systems. "What's particularly noteworthy is that the victims do not appear to be concentrated in a particular geographical region but are well distributed globally."

Despite the malware's many functions for taking over online financial accounts, Cleafy's researchers assessed Nexus to still be a work-in-progress. One indication, according to the security vendor, is the presence of debugging strings and the lack of usage references in certain modules of the malware. Another giveaway is the relatively high number of logging messages in the code which suggest the authors are still in the process of tracking and reporting on all actions the malware performs, Cleafy said.

Notably, the malware in its present avatar does not include a Virtual Network Computing, or VNC, module that would give the attacker a way to take complete remote control of a Nexus-infected device. "The VNC module allows threat actors to perform on-device fraud, one of the most dangerous types of fraud since money transfers are initiated from the same device used by victims daily."

**One of Many Android Banking Trojans**

Nexus is one of several Android banking trojans that have surfaced just over the past few months and have added to the already large number of similar tools in the wild currently. Earlier this month for instance, researchers from Cyble reported observing new Android malware dubbed GoatRAT targeting a recently introduced mobile automated payment system in Brazil. In December 2022, Cyble spotted another Android banking trojan tracked as "Godfather" resurfacing after a hiatus, with advanced new obfuscation and anti-detection features. Cyble cyber-researchers found the malware masquerading as legitimate software on the Google Play store.

Those two malware variants are barely even the tip of the iceberg. A Kaspersky analysis showed that some 200,000 new banking trojans surfaced in 2022, representing a 100% increase over 2021.

'Nexus' Android Malware Targets Customers of 450 Financial Institutions Worldwide

With shades of the Cambridge Analytica scandal, German political parties skirted consumer data privacy regulations during the country's last parliamentary election, a privacy watchdog warns.

German politicians and political parties have been using data about Facebook users' political preferences to deliver microtargeted advertisements, a watchdog group is alleging — in direct violation of the European Union's General Data Protection Regulation.

On March 21, the European Center for Digital Rights (or "NOYB," short for "none of your business") filed complaints against six of the eight parties represented in the German parliament — the Bundestag — for various violations of Article 9 of GDPR. Article 9 states that:

_Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited._

Put simply: Political advertising is perfectly legal in Europe, but collecting data about, and delivering advertisements based on, users' perceived political opinions is not.

"Any data on a person's political views is protected particularly strictly by the GDPR," wrote Felix Mikolasch, privacy lawyer at NOYB. "Such data is not only extremely sensitive, but also allows large-scale manipulation of voters, as Cambridge Analytica has shown."

Infamously, Cambridge Analytica was a digital marketing firm whose covert data mining app wormed its way through Facebook in the mid-2010s, collecting information relevant to the political preferences of hundreds of millions of Americans and fueling the presidential campaign of Donald Trump.

**How We Got Here**

It wasn't regulators, security analysts, or activists who discovered the data privacy problem in German politics.

In April 2021, NOYB founder Max Schrems teamed up with the late-night talk show ZDF Magazin Royale, prompting the audience to download Who Targets Me, a browser extension for tracking targeted political advertising. According to ZDF, more than 17,451 German citizens heeded that call during their country's 2021 election cycle, with the extensions collectively counting 2 million targeted ads in all.

In its Sept. 24, 2021 episode, ZDF revealed some of the more shocking results of an analysis of the browser extension's tracking.

For example, Diether Dehm — former Stasi collaborator and current member of the Left Party — ran ads "directed at people who are interested in the Russian propaganda channel 'Russia Today' or the conspiracy theorist Ken Jebsen," ZDF explained (translated via Google Translate), "in which he sows doubts about corona vaccines developed in the West."

The results also showed official government agencies participating in the game. "It is obvious that some authorities are thereby violating a judgment of the Federal Constitutional Court," ZDF explained, which "prohibits state organs 'using state resources' to support or fight political parties, in particular, to influence the voter's decision through advertising."

In one more humorous instance, the Free Democratic Party (FDP) "placed Facebook ads that contradict each other in terms of content. For people with 'green' interests, the FDP showed an advertisement according to which the party is committed to 'more climate protection' with the help of a state CO2 limit. At the same time, the FDP placed a Facebook ad on the target group 'frequent travelers' with a different message: No 'state measures, restrictions on freedom or bans' when it comes to 'major challenges such as climate change.'"

For their clear violations of GDPR and German law, NOYB, on March 21, filed formal complaints with six political parties: the AfD, Bündnis 90/Die Grünen, CDU, Die Linke, ÖDP, and SPD.

**Are Global Data Privacy Regulations Clear Enough?**

That data privacy compromise is so common across German politics may be due to disregard for the law. But, for many organizations, the same failures occur more often due to misunderstandings.

For as much as regulations like GDPR, the California Consumer Privacy Act, and other regulatory standards in recent years have done for consumers, they've also created a maze for organizations.

"Despite the intent of creating a comprehensive and clear EU-wide standard," says Dena Kozanas, associate general counsel and chief privacy official for MITRE, "there can remain confusion in how it is enforced with each individual Data Protection Authority."

Multinational enterprises have the most to deal with here, as the rules in the EU and around the world are vastly different. Even within the US, small and midsized businesses can struggle with different policies across states.

There are a few ways to address the problem, experts say.

A wealthy enough corporation might simply ignore the rules and eat the fines. Facebook has chosen this option many times before.

Most enterprises and governments will need to act with more tact, potentially investing into legal, operational, and software protections unique to each set of standards.

Alternatively, "what you will see in many enterprises is that they look to the country with the highest standard and aim to meet that," Kozanas says, "even if it is not required in all countries or states. Typically, hitting that high water mark can inoculate an enterprise from various regulatory regimes."

"Regardless of the legal matter being litigated," she concludes, "the fact is that this law was intended to reduce confusion but has not yet fulfilled that promise."

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

Help the board understand where the business is vulnerable, where controls end, and where exposure begins.

For more than 15 years, the cybersecurity industry has been talking about communicating with the board of directors. It's common practice for vendors to have e-books, webinars, and presentations about how and what chief information security officers (CISOs) should present to their boards — when they get the chance.

Along with lack of opportunity, CISOs might have anxiety about presenting to the board because they are the only C-level executives without a tool of their own to measure ROI. From Salesforce to Workday to Marketo, C-suite executives have platform solutions aggregating, analyzing, and reporting on every aspect of the operation. There is no such solution for the CISO, making it harder to measure security program ROI or to demonstrate business value.

The irony is that, despite all the interest in presenting to them, to say cybersecurity is not a core competency of the board is an understatement. WSJ Pro Cybersecurity Research investigated the professional background of all S&P 500 board members and found that less than 2% "had relevant professional experience in cybersecurity in the last 10 years."

No matter who you are, it's difficult to have great interest in something you don't understand. That is, until you're motivated to learn. What we have in front of us now is a great awakening for boards and cybersecurity, courtesy of the Securities and Exchange Commission (SEC).

According to Harvard Business Review, "a proposed SEC rule will require companies to disclose their cybersecurity governance capabilities, including the board's oversight of cyber risk, a description of management's role in assessing and managing cyber risks, the relevant expertise of such management, and management's role in implementing the company's cybersecurity policies, procedures, and strategies."

I would expect more boards to be looking for experienced executives with a background in cybersecurity, starting right now. In the meantime, what does this mean for CISOs?

**A Great Opportunity**

With a sudden interest in cybersecurity, but little knowledge of it, what the board members want to know versus what they need to know may be quite different. For example, focusing too much on the latest attack in the headlines or focusing too much on compliance. Like teaching to the test, achieving compliance may be a good step in the right direction but is not always the same as striving to implement the best possible security measures. When achieving compliance becomes the security goal instead of minimizing risk and protecting the most critical assets, we've missed the point.

What an opportunity for the CISO to create a "cybersecurity as a business enabler" narrative for their organization. Your place in the boardroom is now secured. Instead of the occasional one-off update, you are now part of the business conversation on an ongoing basis. This is an opportunity to place cybersecurity in the context of business decisions that the board understands. Ditch acronyms and technical talk of threats, vulnerabilities, and attacks. Be fluent in the language of business and talk about the cyber consequences of business decisions that are made every day.

The use of SaaS apps that make employees more productive in a hybrid work environment also leaves the organization more exposed to risk, as critical business data is now in control of a third party. Business partnerships that drive geographic expansion, rushing new apps to market as fast as possible to capture market share, or acquiring to scale the engineering team all have tremendous cybersecurity consequences. For example, when you acquire a company, you also inherit its attack surface. It is not only a new group of employees who need access to enterprise resources, but all their contractors, partners, suppliers, and so on. It is a tangled, extended digital web of connected assets and implications.

Security leaders would be well advised to make cybersecurity tangible in a business context. Like any other part of the business, there are decisions to be made and trade-offs to consider, all related to what is the acceptable level of risk the organization is willing to expose itself to.

**Automation and Evidence**

Under the eyes of the SEC, the board needs evidence of what assets it is responsible for and how it is being monitored and proactively protected. In the event of a breach, when did the board know about it, and how fast did it respond and disclose the incident?

It starts with knowing what you are protecting and how you are doing that. Discovery of critical assets becomes a core competency that underpins visibility, classification, and remediation efforts in a modern cybersecurity program. Discovery and classification must be automated to deal with the size, movement, and growth of data and enterprise-connected assets across hybrid clouds, SaaS partners, and digital supply chains. Protection starts with complete visibility of this sprawling attack surface, including every dependency, connection, and vulnerability across all public-facing assets. From there, you can prioritize protections against the most critical threats to your most valuable assets.

Automated discovery can also identify assets that are dormant, unused, and unnecessary. In that way, they can be effectively decommissioned to reduce cyber-risk and attack surface sprawl at the same time.

**Conclusion**

Now is not the time to educate the board about the difference between malware and ransomware. It is about painting a complete picture of the threat landscape and the specific risks and exposures facing the organization. CISOs should be talking about the overall security program and strategic initiatives to enable the business while measuring and reducing risk.

Help the board understand where the business is vulnerable, where controls end, and where exposure begins. What are the consequences and protection options? At the end of the day, cybersecurity is a business challenge, like growing margins and market share. Strategic priorities and investments aligned to business objectives. Sounds so simple.

The Board of Directors Will See You Now

Enterprise storage devices have 14 security weaknesses on average, putting them at risk of compromise by cyberattackers and especially ransomware attacks.

Companies in every industry continue to leave backup and storage platforms unsecured, with more than a dozen issues, including insecure network settings and unaddressed CVEs, affecting the average device. That leaves these repositories — often the first line of protection in the event of a ransomware attack — as sitting ducks for cybercriminals.

That's according to a data analysis published on March 22 by storage security firm Continuity Software, which found that the average device had 14 security risks, including three critical issues, which are considered those capable of allowing a significant compromise. The top three risks affecting companies' storage systems are insecure network settings, unaddressed vulnerabilities, and lax access privileges. 

Overall, the data suggests that even companies with significant security maturity may not give their backup systems as much scrutiny as other systems, the Continuity report stated. The statistics are concerning given that network-attached storage, cloud storage, and backup devices are increasingly coming under attack. In 2021, threat groups targeted a flaw in certain network-attached storage systems made by Western Digital, such as the MyBook and other devices common in smaller businesses, taking advantage of the devices lack of support due to the products reaching their end of life. Attackers have also targeted large enterprises with a ransomware attack known as Deadbolt, which targets QNAP network-attacked storage, as well as other ransomware campaigns over the last few years.

Continuity's "2023 State of Storage and Backup Security Report" also found that the lack of security surrounding storage networks and backup servers affects most companies, across all industries. 

"Although it is commonly accepted that certain industries, like financial services, tend to have more mature security strategies, this report shows that the entire field of storage \[and\] backup security across all industries is still overlooked," the report stated. "While this was similar to the last report, it is still very surprising, given the severity of recent-years data-targeted attacks, and the amount of time the industry had to develop more robust security measures."

Gil Hecht, CEO of Continuity, says that certain industry segments have surprisingly lax cyber defenses for these corporate assets.

"In more than half of the banks in the US, you will find devices that still have factory default passwords — which is unbelievable, unacceptable, makes no sense whatsoever," he says. "But the reason it happens is because storage and backup are considered to be ... back-office devices that don't need security."

**With Ransomware Comes More Risk**

The study shows that large organizations and enterprises are still catching up with the change in perspective that came along with the rise in ransomware over the past decade. In the past, storage systems and backup servers were considered protected because they were behind the firewall and often did not play a role in daily operations.

Yet ransomware is increasingly targeting backup systems so that victims have fewer recovery options, and companies that do not check the defensive posture of their storage and backup devices run serious risks, Continuity's Hecht says.

"The most terrifying thing is if you lose all the data and you cannot recover it — that is 'game over' for most companies," he says. "The second worst thing is to have all your data made public."

Recovering data from backup systems is a time intensive process, but not having the data from which to recover is worse, so companies should make sure to take defensive steps, GigaOm stated in a report on primary storage ransomware protection.

"Ransomware does not discriminate among infrastructure layers; once in, it will attempt to encrypt all of an organization’s assets within reach, which is why proper segmentation of access and networks is important," GigaOm analysts Max Mortillaro and Arjan Timmerman stated. "Losing primary data and having to restore it from data protection platforms is a time-intensive process, limited by the throughput of the backup media and network bandwidth, especially if protected data resides on the cloud."

**Patching Storage Gives Pause to IT Teams**

A major problem affecting data storage and backup devices is that they are difficult to patch — a problem that companies need to work around in their business planning, Continuity's Hecht says.

"A typical storage array in an enterprise will support, let's say, 1,000 servers," he says. "Patching a server requires downtime for the server being patched, but patching a storage array requires downtime for all 1,000 servers, and ... if there is a problem during the upgrade, you just cause a failure of all 1,000 servers."

While the need to patch can cause downtime that can broadly affect the business, having up-to-date devices is critical to a strong defensive posture, he says.

A number of technologies have been positioned as strong defenses against ransomware, such as immutable data storage, but Continuity stressed that the technologies still need to be regularly scanned to make sure they are functional and properly configured.

"This \[immutable data copy\] is an important capability," the report stated. "However, it can lead to a false sense of security if not implemented properly, and unfortunately, we did detect a significant number of misconfiguration issues specific to these features."

The Continuity report used scans from actual networks and devices to determine the subjects' defensive posture, whether the devices were properly configured and if their access controls were appropriately limited.

Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Cloud-based System of Trust application now available for test-driving quantitative risk assessment of suppliers of hardware, software, services.

MITRE has quietly released a cloud-based prototype platform for its new System of Trust (SoT) framework that defines and quantifies risks and cybersecurity concerns for the supply chain.

The so-called Risk Model Manager (RMM) platform is now available for organizations to assess supply chain risk and security, as well as to view, edit, and customize the SoT framework content, or export it for use as a subset framework. MITRE first debuted the SoT framework concept at the 2022 RSA Conference (RSAC), and it will officially announce the RMM prototype platform next month at RSAC 2023 in San Francisco.

Software supply chain risk and security received a loud wake-up call after high-profile attacks like SolarWinds and Log4j painfully punctuated the dangers of threat actors compromising vendors' software and then in turn compromising customers' software installations. There has been no common, agreed-upon way to define or measure these risks to date. Enter MITRE's SoT, a framework for providing a sort of standard way to evaluate suppliers, service providers, and supplies that can be used by cybersecurity teams as well across the business for assessing a vendor or a software product.

The SoT framework, which is a cloud-native app hosted on AWS, is centered around 14 top-level risk areas related to suppliers, service providers, and supplies, including the financial stability and cybersecurity practices of the supplier, as well as risk of counterfeit and compromise to products. These risk categories are then used to evaluate a supplier or product during the acquisition process, digging into detailed questions on how a supplier tracks and ensures the security of third-party software components used in their product, for example.

"The System of Trust is very appealing because it gives a structure that's more comprehensive, well laid-out, and explains what kinds of risks" you have in your supply chain, in detail, explains Robert Martin, senior software and supply chain assurance principal engineer at MITRE Labs. That goes beyond traditional risk measurement and assessment tools, he notes.

There are some 40 organizations currently involved in shaping the SoT platform, which now includes some 660 specific supply chain categories and risk factors. MITRE is gathering input to flesh out the tool from businesses with supply chains, supply chain security vendors, and standards groups that touch some elements of supply chain operations. Among some of the big name members of the SoT community are Microsoft, BlackBerry, CISA, Cisco, Dell Technologies, Intel, Mastercard, NASA, Raytheon, Schneider Electric, Siemens, and The Open Group.

SoT is yet another project by MITRE that builds a reference framework for the cybersecurity industry: its wildly popular ATT&CK framework, for instance, maps the common steps threat groups use to infiltrate networks and breach systems, while its newer D3FEND model specifies a common way to define defensive capabilities and technologies. But SoT provides a wider lens of risk than just cybersecurity — factoring in financial, quality, and integrity risk as well, for example.

"The big thing they have here is they are doing what they have done with ATT&CK and D3FEND: provide a common language for everyone to use when we are talking about not only the position in the chain but the specific vulnerabilities or attack methods and defenses," says Curt Franklin, principal analyst for enterprise security management at Omdia.

Franklin says MITRE's pedigree with its other cybersecurity programs should help propel the SoT, but wide adoption likely will take time. "I can imagine some of the third-party risk assessment \[vendors\] building SoT into their products like they build FAIR \[Factor Analysis of Information Risk\] or ATT&CK into theirs," Franklin says. "I think the odds are good that \[SoT\] will be more widely adopted. I think the odds are just as good that it will take a while."

That's because there still are multiple ways to define and measure risk in cybersecurity, and no two models work together, he says. "It's very difficult to say how my risk posture compares to my peers in the industry. What something like this does is provide a particular framework for some common quantification of risk."

**How SoT Works**

Each risk item in the RMM is scored using data measurements that are then applied to a scoring algorithm. The resulting scores identify the strengths and weaknesses of a supplier, for example, against the specific risk categories. That would allow a business to assess quantitatively the security risk of a software vendor or its product, for example.

One of the organizations closely working the project is Schneider Electric, whose vice president of supply chain security Cassie Crossley will join Martin in an RSAC 2023 session on SoT called "Creating the Standard for Supply Chain Risk — MITRE's System of Trust." Crossley says Schneider has multiple, comprehensive supply chain risk assessment processes currently in place across different parts of the company, and Schneider plans to provide input and feedback to the SoT based on its own requirements and metrics.

"We would want to work with those teams \[across Schneider\] to identify some areas where we can provide suggestions and also see how we can better align or sort of adopt more of the \[SoT\] framework," Crossley says. "I don't know yet if we will have a full, 'hey, we are 100% SoT.' But we would make our own processes and identify areas where we want to incorporate more of a structure" for supply chain risk assessment, she says.

For Schneider, supply chain risk and security issues apply both to its own products and ones it buys for internal use, including the "third and fourth parties we work with," she says. She sees SoT possibly helping with visibility into risks associated with "upstream" suppliers that aren't typically part of a supplier evaluation process.

"I think by using SOT, if it could become a common model for a lot, we can get those answers faster for those upstream" suppliers, she says, if an organization can ask vendors to map it to their upstream suppliers.

**MITRE's Open Source Plan**

Martin says the main challenges for SoT to become the go-to standard for supply chain assessments are enough bandwidth to expand the project as it catches on, as well as getting the word out to avoid duplication of effort. "I'm worried about people not being aware of this and off trying to solve something that overlaps. We are making sure people are aware" and can help contribute to SoT, he says.

MITRE plans to offer RMM as an open source tool when it's fully baked. For now, Martin says, organizations can use it to assist MITRE in fleshing out the tool itself or for their own internal use. "They can take it offline," he says, "and do an assessment against" the SoT.

MITRE Rolls Out Supply Chain Security Prototype

Jelle Wieringa analyzes the differences between HDR and security awareness training and how HDR addresses the security layer of human risk management.

Human detection and response (HDR) is a new approach to cybersecurity that focuses on identifying and responding to threats that originate from human activity, such as phishing attacks or social engineering tactics. Traditional security awareness training (SAT), on the other hand, aims to educate employees on best practices for staying secure online and avoiding common cybersecurity risks.

A key difference between HDR and SAT is what they focus on. While SAT typically emphasizes prevention, HDR focuses on analyzing and responding to security incidents that have already infiltrated an organization. This can include monitoring network traffic for unusual behavior, analyzing user behavior to identify potential insider threats, and users neglecting to follow an organization’s IT policies.

These events typically consist of security alerts, based on indicators of compromise (IoCs), that are collected by an organization's existing security stack. These are used as triggers to generate an alert to dedicated technologies that sit alongside traditional security categories within the security stack, such as firewalls, intrusion prevention, extended detection and response tools, and security event and information management systems. These dedicated technologies are uniquely positioned to monitor, identify, detect, and respond to user-related security activity and behavior.

HDR and traditional SAT are complementary. By enabling users to make better security decisions, security awareness training helps prevent many common social engineering threats. Meanwhile, HDR provides an added automated layer of protection by analyzing and responding to threats that may have slipped through the cracks. Combined, SAT and HDR help to actively reduce risk to organizations.

**A Multifaceted Approach to Building a Security Culture**

HDR is an effective tool for building a strong security culture within an organization. By emphasizing the importance of analyzing and responding to security threats, HDR helps employees understand the critical role they play in protecting sensitive data and systems. This creates a sense of ownership and responsibility around cybersecurity, encouraging employees to take a proactive approach to security.

HDR integrates a mindset of security into the daily operations of employees. It fuels an intrinsic motivation in employees to make better security decisions by employing nonintrusive, behavior-boosting techniques that increase the user's awareness and responsibility levels.

Additionally, HDR helps reinforce the message that security is everyone's responsibility, not just the job of the IT department. By involving employees in the detection and response process, organizations create a culture of vigilance and collaboration that encourages individuals to watch out for one another.

By integrating HDR into a broader security awareness program, organizations create a culture of security that permeates all levels of the organization, from frontline employees to executives. This leads to a more secure and resilient organization that is better equipped to protect against a wide range of cyber threats that target an organization’s largest attack surface: their employees.

**Addressing the Security Layer of Human Risk Management**

HDR significantly improves an organization's ability to manage human risk by automatically responding to threats that arise from human activity. By monitoring user behavior and analyzing data for anomalies, HDR detects and mitigates risks such as insider threats, phishing attacks, and other social engineering tactics. This helps organizations address human risk, minimize the impact of security incidents, and ultimately protect sensitive data and systems from compromise.

Because of the automated nature of HDR technologies and their integration in an existing security stack of an organization, they provide a proactive form of security. Where traditional security measures that focus on the human factor often take an approach of trying to prevent attacks, HDR acts at the moment an attack has slipped through these prevention methods. It provides an additional layer of security through real-time detection and response, thereby increasing the organization’s resilience and reducing risk.

**The Three Big Benefits**

The three biggest benefits are increased visibility for security operations through specialized threat detection and response, improved incident response times, and enhanced visibility and control by giving security operations the ability to enable response mechanisms in response to risky user behavior.

First, HDR enables organizations to analyze and respond to attacks that originate from human activity, like phishing attacks or social engineering tactics that have successfully escaped the users’ notice.

Second, by automating the detection and response process, HDR significantly reduces security operations center (SOC) alert noise and incident response times, minimizing the impact and damages of security incidents on the organization.

Finally, by providing enhanced visibility and control over user intended and unintended behavior, HDR helps organizations manage human risk and protect sensitive data and systems from compromise.

**About the Author**

    

Jelle Wieringa has over 20 years of experience in business development, sales, management, and marketing. In his current role as security awareness advocate for EMEA for KnowBe4, he helps organizations of all sizes understand why more emphasis is needed on the human factor, and how to manage the ongoing problem of social engineering. Previously, Wieringa was responsible for building an AI-driven platform for security operations at a leading managed security provider. Wieringa holds the SACP certification.

Human Detection and Response: A New Approach to Building a Strong Security Culture

Accidentally typing a password in the username field of the platform saves them to audit logs, to which threat actors can gain access and use to compromise enterprise services.

A post-exploitation attack method has been uncovered that allows adversaries to read cleartext user passwords for Okta, the identity access and management (IAM) provider — and gain far-ranging access into a corporate environment.

Researchers from Mitiga discovered that the IAM system saves Okta user passwords to audit logs if a user accidentally types them in the "username" field when logging in. Threat actors who have gained access to a company's system can then easily harvest them, elevate privileges, and gain access across multiple enterprise assets that use Okta, the researchers said.

"In our research, we could easily use the logs to match the password with the valid user, resulting in gaining credentials to the Okta user account," Okta senior security researcher Doron Karmi and principal security researcher and developer Or Aspir wrote in the post. When adversaries login to Okta as those users, it "expands the blast radius of the attack to the many platforms that Okta secures, and gaining further access to systems," they wrote.

The vulnerability exists because Okta audit logs supply detailed information about user activity, including usernames, IP addresses, and login timestamps. The logs also provide insights into successful and unsuccessful login attempts and whether they were performed via Web browser or mobile app.

**In Defense of Okta Features**

Okta is a cloud-based enterprise-grade IAM service that connects enterprise users across applications and devices and is used by more than 17,000 customers globally. While it was built for cloud-based systems, it also is compatible with many on-premises applications.

Representatives from Okta confirm that saving cleartext passwords in audit logs is "expected behavior when users mistakenly enter their password in the username field," according to a statement by the company provided by Mitiga. They also said that only platform administrators — the most privileged users in the system — have access to audit logs that save cleartext passwords, and those users "should be trusted not to engage in malicious activities."

It's not the first time the company has had to defend a built-in feature of the platform's regarding how it handles user passwords. The company posted a blog post last July in response to a report by Authomize researchers that Okta's architecture for password synching allows malicious actors signed on as an app administrator of a downstream app to access passwords in plaintext, including admin credentials, even over encrypted channels.

That report came after threat group Lapsus$ claimed to have breached Okta with "superuser" account credentials, posting screenshots they claimed to have grabbed from internal systems. It was determined that 366 Okta customers were potentially impacted in that incident, though Okta later said it determined only two actual breaches.

**What Happens if Untrusted Users Gain Access**

Mitiga's research is relevant if someone other than a trusted administrator gains access to these logs and can access the data, which can happen in a number of ways, the researchers said.

One way would be if an attacker has permission to read the logs in an organization's SIEM solution such as Splunk, as the logs are saved in this solution, they said. Moreover, in such a scenario, every user with read-only access to the SIEM solution potentially could have access the passwords, including Okta admins.

Attackers also could gain access to the logs and thus user passwords through third party-services that have permissions to read Okta configurations, such as cloud security posture management (CSPM) products that request a "read-only" admin role, the researchers said. "The role includes the ability to read the audit logs, which means those products/services could read users' credentials," they said.

Once attackers have gained access to user credentials, they can try to log in as those users to any of the organization's different platforms that use Okta single sign-on. This data also could be used to escalate privileges in the case of exposed administrator' passwords, the researchers said.

**Avoid Leaking Okta Passwords**

Both Mitiga researchers and Okta provided recommendations for how enterprises can avoid inadvertently exposing Okta credentials to threat actors, with the latter also advising how platform users can avoid typing their password in the username field in the first place.

Mitiga advised enterprises to use an SQL query, which can be found on Mitiga's GitHub, to detect potential users that enter their password by mistake, and also consider rotating user passwords. They also should train employees to avoid entering passwords in the username field on the Okta login page, and continuously monitor Okta audit logs for suspicious activities, including failed login attempts, following up with investigations if necessary.

Implementing multifactor authentication (MFA) also can prevent unauthorized access even if attackers obtain users' credentials, according to Mitiga, a feature that Okta said is enforced by default when accessing the Okta admin console.

"Similarly, admins can set up an Authentication Policy that requires additional MFA when logging in to specific applications, which would further restrict what actions a bad actor can perform," according to Okta.

To avoid inadvertently logging passwords in the username field, Okta users should implement field validation to check that the input in each field matches the expected format. They can also implement Okta's FastPass feature that uses biometric features or device activation to allow users to sign in with a single click or tap without even entering a username or password at all. Clearly labeling the "username" and "password" fields in Okta with placeholder text within each field, the company said, can also help users avoid this mistake.

Source

DARKReading