Cyber threats on satellite technology will persist and evolve. We need a comprehensive cybersecurity framework to protect them from attackers.

Satellite systems play a crucial role in supporting communication, weather monitoring, navigation, Internet access, and more. However, these systems face numerous threats that compromise security and integrity. To address these challenges, we must implement a robust cybersecurity framework to protect satellite operations.

**Cyber Threats to Satellites**

The threats faced by satellite systems are diverse and range from denial-of-service (DoS) attacks and malware infiltration to unauthorized access and damage from other objects in their orbit that disrupt digital communications.

For satellite systems, these critical threats can corrupt sensor systems, resulting in harmful actions based on incorrect data. For example, a corrupted sensor system could change a satellite's orbit path to collide with another satellite or natural space object. If a sensor system becomes unusable, it could cause failure of other space and terrestrial systems that depend on those sensors. Jamming or sending unauthorized commands for satellite guidance and control could also damage other orbiting space vehicles.

DoS attacks can render satellites unresponsive or, even worse, shut them down. This could create physical safety risks and damage other countries' space vehicles or the ground from satellite debris fallout. Planting malware within the systems through insufficiently secured access points could impact the satellite and spread to other systems the satellite connects with.

Many of the 45,000 satellites have been operating for many years and have little (if any) built-in cybersecurity protection. Consider the Vanguard 1 (1958 Beta 2), a small solar-powered, Earth-orbiting satellite. It was launched by the United States on March 17, 1958, and is the oldest satellite still orbiting Earth.

What would a cybersecurity vulnerability analysis of that satellite reveal today? What if hackers exploit those vulnerabilities? It's possible some already have. Could they obtain sensitive data? Modify the satellite's software code? Change the controls? Perhaps newer satellites have taken hackers' attention away from the Vanguard 1. More likely, there may have been successful hacks not reported to the public.

Looking ahead, artificial intelligence's (AI) rapid adoption across industries means it is essential to validate the accuracy of any AI used within a satellite system and thoroughly test it before putting it into production.

Given the potential threats satellites face, a comprehensive cybersecurity framework is necessary to mitigate these risks. Engineering universities and tech organizations must also collaborate with government agencies and other entities engineering and building satellites to create and implement a comprehensive cybersecurity, privacy, and resilience framework to regulate the industries expanding the use of space vehicles.

**A Cybersecurity Framework for Satellite Security**

There are five key steps within the NIST Cybersecurity Framework (CSF) necessary to mitigate common risks, including those associated with satellite systems: identify, protect, detect, respond, and recover.

**1\. Identify**

First, identify the satellite data, personnel, devices, systems, and facilities that enable the satellite's uses, goals, and objectives. Document where each satellite is located and all connections between each satellite component and other systems. Knowing what data is involved and how it's encrypted can assist contingency, continuity, and disaster-recovery planning. Finally, understand your risk landscape and any factors that may impact the mission so that you can prepare for and prevent potential incidents. This information will help effectively manage cybersecurity risk to satellite systems and associated components, assets, data, and capabilities.

**2\. Protect**

Using the identified information, choose, develop, and implement the satellite's security ecosystem to most appropriately protect all of its components and associated services. Be aware that legacy space operations and vehicles typically use proprietary software and hardware not designed specifically for a highly interconnected satellite, cyber, and data ecosystem. This means legacy components may lack certain security controls. Therefore, develop, implement, and use verification measures to prevent the loss of assurance or functionality within the physical, logical, and ground segments of satellite systems and enable a response to and recovery from cybersecurity events. Securing physical and logical components, reviewing access controls, and conducting cybersecurity training are vital for protecting satellite systems.

**3\. Detect**

Develop and deploy appropriate activities to monitor satellite systems, connections, and physical components for anomalous events and notify users and applications upon detection. Use monitoring to enable detection and employ a process for handling detected anomalies within space components. Use multiple sensors and sources to correlate events, monitor satellite information systems, and maintain access to ground segment facilities to detect potential breaches in security.

**4\. Respond**

Contain the impact of a cybersecurity attack or irregular incident on a satellite system, ground, or digital ecosystem with appropriate actions. Cybersecurity teams should communicate the event and its impact to key stakeholders. They should also implement processes to respond to and mitigate new, known, and anticipated threats or vulnerabilities and continuously improve these processes based on lessons learned.

**5\. Recover**

Develop and implement appropriate activities to maintain cybersecurity and resilience and restore all capabilities or services impaired due to a cybersecurity event. The goals are promptly recovering satellite systems and associated components to normal operations, returning the organization to its proper working state, and preventing the same type of event from recurring. Coordinate restoration activities with internal and external parties and include corrections for anomalies, calibrations, verification, and validation procedures.

NIST recently released NIST IR 8441: Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN). NIST defines an HSN as: "an aggregation of independently owned and operated terminals, antennas, satellites, payloads, or other components that comprise a satellite system." NIST IR 8441 maps the five CSF categories above into an HSN profile. This provides a valuable resource to engineers and HSN users and provides a great example to cybersecurity practitioners and other satellite network engineers to create cybersecurity profiles for other satellite networks.

As our world continues to rely on satellite technology, cyber threats will persist and evolve. It is crucial to protect these systems by implementing a comprehensive cybersecurity framework describing how to engineer, build, and use them. Such a framework enables organizations to respond effectively to incidents, recover quickly from disruptions, and stay ahead of evolving threats.

A Cybersecurity Framework for Mitigating Risks to Satellite Systems

**PRESS RELEASE**

**BOSTON****,** **Oct. 18, 2023** **/PRNewswire/ --** Tines, the trusted leader in smart, secure workflows, published the 2023 Voice of the SOC report, which examines job satisfaction and workloads among security operation center (SOC) teams, the obstacles analysts encounter, and the impact of automation on the lives of security professionals. Sixty-three percent of the security decision-makers and practitioners surveyed are experiencing burnout amid relentless cyberattacks, internal pressures, and limited resources. Nine out of 10 security teams are automating at least some of their work, and almost all (93%) of respondents believe that more automation would improve their work-life balance.

The _2023 Voice of the SOC_ report reveals that security professionals want to pursue high-impact work, but they're being held back by growing workloads, shrinking budgets, and a worsening skills shortage. This year's report surveyed 900 security decision-makers and practitioners. Tines expanded the scope beyond the United States to include Europe, and garnered perspectives from security leaders, practitioners and analysts.

According to the research, overall job satisfaction in the SOC remains high — security teams love the work they do. However, burnout is an issue. Respondents continue to feel teams are understaffed and don't have access to tools that could automate the most mundane aspects of their work. More than half (55%) of respondents say they're likely to switch jobs in the next year.

"Security practitioners love the work they do, but burnout is taking a heavy toll," said Eoin Hinchy**, co-founder and CEO of Tines**. "The _Voice of the SOC_ shows organizations need to move quickly to address the lack of resources in their SOC before their teams find the escape hatch. Leading SOC teams have found a solution in automation. Smart workflows are helping run mission-critical tasks and achieve greater productivity at scale, freeing analysts to focus on high-impact work and reinforcing the business against threats."

**Lack of budget, people, time, and effective tools are inhibiting SOC teams**

In the survey, SOC teams identified three clear challenges they face each day: too much data; too many tedious tasks; and, too many reporting requirements. These pain points are amplified by a lack of time, budget, tools and people. Asked to rank the top five most frustrating aspects of their work, security decision-makers and practitioners chose a familiar answer: Spending time on manual work (53%). A quarter of respondents are spending more than half their time on tedious tasks.

Business leaders who are focused on streamlining processes and achieving operational efficiencies have found an effective way to do so with automation. The survey discovered that most security teams are embracing the technology, with 92% of SOC teams indicating that they have already adopted automation to some extent. The study identified the tasks that security decision-makers and practitioners wish they could automate, such as intelligence analysis and threat hunting, and the high-impact tasks — like researching new tools and developing advanced detection rules — that they would work on instead if automation was deployed to full effect.

Other key findings from the _2023 Voice of the SOC_ include:

*   More than 80% of respondents said their workloads have increased in the past year.
*   Spending time on manual work is the most frustrating aspect of the job. If respondents had to spend less time on manual tasks, they would use that time to develop more advanced detection rules, research and evaluate new tools, and integrate more systems and logs.
*   Organizations could increase retention by paying more, supplying modern tools with advanced capabilities, hiring more staff, and investing in solutions that automate manual tasks.
*   The percentage of respondents satisfied with their current job rose from 88% last year to 99% in 2023, and 98% of analysts are engaged with their work.

For more information, visit https://www.tines.com/reports/voice-of-the-soc-2023 to access the full Tines _2023 Voice of the SOC_ report. Join Tines on October 26, 2023 for a live webinar on the findings.

**Research Methodology**

Tines surveyed 900 full-time security decision-makers and practitioners from companies with 200 or more employees. Nearly half (46%) work at companies with more than 1,000 employees. There were 500 U.S. respondents, along with 100 each from Benelux, Ireland, the Nordic region and the United Kingdom. The survey was conducted online by Sago, a research panel company, in May and June 2023.

**About Tines**

Tines offers a smart, secure workflow platform for systems, thinkers, and problem solvers. It's the only platform that bypasses the need for programming skills, delivering powerful workflows straight into the hands of every team within an organization. Tines brings an impact-first approach to all teams, securely building thousands of mission-critical workflows per day across a diverse range of customers, including Canva, Databricks, Elastic, Kayak, Mars, McKesson and Oak Ridge National Laboratory. The company was co-founded in 2018 in Dublin, Ireland, by former security practitioners Eoin Hinchy and Thomas Kinsella, and has raised $96.2M in funding to date from investors including, Felicis, Addition, Accel, Blossom Capital and Lux Capital.

Tines Report Finds More than Half of Security Professionals Likely To Switch Jobs Next Year

Organizations should focus on four key areas to advance employee education and "cyber smartness."

This month we celebrate the 20th anniversary of Cybersecurity Awareness Month — a dedicated time for industry, government, academia, and nonprofits to come together and raise awareness about the importance of cybersecurity for everyone.

Since its creation, Cybersecurity Awareness Month has grown from a national US initiative to a global movement that educates individuals and organizations about best practices and promotes a culture of cybersecurity. By dedicating a specific month to awareness, the industry encourages proactive measures, knowledge-sharing, and collective responsibility — ultimately helping more people envision their roles in cybersecurity and in making organizations and the world safer.

Cybersecurity knowledge-sharing is particularly important, as human risk has become one of the strongest vectors that modern security organizations must contend with. Today it accounts for more than 80% of cybersecurity incidents. Companies must find an effective way to uplevel cybersecurity education across the entire organization — not just within their security teams — if we hope to strengthen our collective security postures.

Read on to learn how technology can help security teams drive greater results, and explore key behaviors to focus on when spreading cybersecurity awareness across your organization.

**4 User Behaviors to Emphasize In Cybersecurity Education Materials**

At its core, cybersecurity awareness is about managing human risk. Companies can help advance this mission by providing cybersecurity education and skilling resources across their organizations. Education can include tips ranging from the fundamentals of cyber hygiene to day-to-day behaviors, such as identifying and avoiding tech support scams, advice on improving data and device security practices, and more.

In honor of Cybersecurity Awareness Month, here are the top four areas that Microsoft recommends focusing on to advance employee education and "cyber smartness."

**Enabling Multifactor Authentication

Multifactor authentication (MFA) can protect against 99.2% of attacks by offering stronger security than traditional passwords. As such, it's an incredible tool in the average employee's arsenal to uplevel security practices across your organization. We recommend periodically reminding users to enable MFA measures, such as biometrics or single-use codes, across their devices, apps, and account settings.

****Strengthening the Sign-In Process**

Along the same lines, it's important to remember that hackers don't break in. They sign in. If passwordless authentication is not an option, encourage employees to create stronger passwords using their browser's password generator. Length matters more than complexity here, so any passwords created should be at least 12 characters long. A password manager can be particularly helpful in tracking all current passwords.

**Updating Software**

Keeping software current with the latest security updates and patches is a vital step in protecting Internet-connected devices. On the individual user level, employees should be encouraged to set up automatic software updates to decrease the risk of vulnerabilities that can lead to ransomware and other malware. Likewise, consider creating an educational pamphlet that teaches employees how to check privacy and security settings against your desired level of information-sharing any time they register a new account, download an app, or acquire a new device.

**Recognizing and Reporting Phishing**

Finally, phishing scams are a significant threat vector that criminal actors leverage to infiltrate networks and steal sensitive data. Employees should be educated on best practices to avoid phishing scams, such as checking the sender's email address for verifiable contact information or an unrelated sender address and verifying the sender before clicking on links or opening email attachments. 

While the above tips are focused on changing user behaviors, technology has a role to play, too. Innovation is critical in creating new efficiencies for already overburdened security teams. By embracing leading technology advancements, such as generative AI, security teams can simplify complex toolsets and surface deeper insights across their entire data estates to better monitor threat activity in real time. This combination of leading technical innovations and broader user education can help empower security teams to streamline workflows and focus more of their time on the day-to-day work of cyber defense.

We invite you to leverage cybersecurity awareness not only this month, but all year round, to make sure everyone in your organizations is empowered to be cyber smart and assume a role in fighting cyber threats.

This Cybersecurity Awareness Month, Don't Lose Sight of Human Risk

**PRESS RELEASE**

**BOSTON--(****BUSINESS WIRE****)--** Corvus Insurance, the leading cyber underwriter powered by a proprietary AI-driven cyber risk platform, today released its Q3 2023 Global Ransomware Report, which analyzes data from ransomware leak sites to track evolving trends. According to the report, ransomware attacks continue at a record-breaking pace, with Q3 2023 global ransomware attack frequency up 11% over Q2 and 95% year-over-year (YoY).

In its Q2 2023 Global Ransomware Report, Corvus noted a significant resurgence in global ransomware attacks, which has continued through the third quarter. Now, with two months remaining in the year, the number of ransomware victims in 2023 has already surpassed what was observed for 2021 and 2022. If the trajectory continues, 2023 will be the first year with more than 4,000 ransomware victims posted on leak sites (2,670 in 2022).

Two key factors drove the elevated Q3 ransomware numbers.

**CL0P Mass Exploits Peaked**

The CL0P ransomware group has played a major role in this spike in 2023 ransomware activity. CL0P sprung to life in Q1 by exploiting GoAnywhere file transfer software, which impacted more than 130 victims. In Q2, CL0P struck again with the solo use of a mass zero-day exploit by a ransomware group targeting a vulnerability in the MOVEit file transfer software, which impacted 264 victims at the time of this report. The single MOVEit vulnerability accounted for 9% of victims listed in Q2 and 13% of victims listed in Q3. Even without these CL0P spikes in attack activity, ransomware numbers would still be up 5% over Q2 and 70% YoY in Q3.

**Threat Actors Cut Summer Breaks Short**

Ransomware typically follows seasonal patterns, with incidents decreasing in early May and remaining low through early August. Driven largely by CL0P, this year’s dip in attacks occurred later in June and, rather than continuing to fall, spiked and remained high through the first half of August. Even without CL0P, ransomware activity would still amount to a 70% year-over-year increase.

“It’s clear that ransomware attacks are on a record-setting pace for 2023, and based on activity at the end of Q3 and early Q4, we fully expect these numbers to surpass anything we have witnessed in previous years,” said Jason Rebholz, CISO, Corvus Insurance. “Aside from these overall numbers, this report demonstrates the impact that a single ransomware group like CL0P can have when they invest in new tactics, which is what we saw with the mass zero-day exploit that wreaked havoc over the second and third quarters.”

**Key Industries Trend Upward**

The Q3 report also examines which industries experienced the largest spikes in ransomware activity. These include:

*   Law practices – An uptick due in part to the ALPHV ransomware group, which accounted for nearly a quarter of all victims in this industry (+70%).
*   Government agencies – The impetus behind these attacks was LockBit, which tripled its government victims from Q2 to Q3 (mostly cities and municipalities) (+95%)
*   Additional Industries that experienced spikes include Manufacturing (+60%), Oil and Gas (+142%), and Transportation, Logistics and Storage (+50%).

“Ransomware actors can quickly pivot their focus, and no industry is immune. There's no better time to ensure the right security controls are in place to mitigate the threat,” said Rebholz.

Read the full Corvus Q3 2023 Global Ransomware Report here.

**About Corvus Insurance**

Corvus Insurance is building a safer world through insurance products and digital tools that reduce risk, increase transparency, and improve resilience for policyholders and program partners. Our market-leading specialty insurance products are enabled by advanced data science and include Smart Cyber Insurance® and Smart Tech E+O®. Our digital platforms and tools enable efficient quoting and binding and proactive risk mitigation. Corvus Insurance offers insurance products in the U.S., Middle East, Europe, Canada, and Australia. Current insurance program partners include Crum & Forster, Hudson Insurance Group, certain underwriters at Lloyd’s of London, R&Q Accredited, SiriusPoint, and The Travelers Companies, Inc. Corvus Insurance, Corvus London Markets, and Corvus Germany are the marketing names used to refer to Corvus Insurance Agency, LLC; Corvus Agency Limited; and Corvus Underwriting GmbH. All entities are subsidiaries of Corvus Insurance Holdings, Inc. Corvus Insurance was founded in 2017 and is headquartered in Boston, Massachusetts with offices across the U.S., in the UK, and Germany. For more information, visit corvusinsurance.com.

2023 Ransomware Attacks Up More Than 95% Over 2022, According to Corvus Insurance Q3 Report

**PRESS RELEASE**

**MEXICO CITY and NEW YORK; Oct. 23, 2023 –** Accenture (NYSE: ACN) has acquired MNEMO Mexico, a privately held company specializing in managed cybersecurity services. Financial terms were not disclosed. 

Founded in Mexico City in 2012, MNEMO Mexico has 229 cybersecurity professionals and 180 cybersecurity industry certifications with key ecosystem partners. The company’s portfolio includes advanced cyber defense and response capabilities, a cyber intelligence platform powered by generative AI and other advanced technologies and a 24/7/365 security operations center in Mexico City. Its client base spans multiple industries, including telecommunications, banking and insurance.

“The combination of MNEMO Mexico’s managed cybersecurity services, extensive industry expertise and strong client base makes them an ideal partner to complement our existing capabilities. The addition of MNEMO Mexico’s team will help us grow our business in Mexico, expand our presence in Latin America and support our North America business,” said Paolo Dal Cin, who leads Accenture Security globally. “Together, we will help organizations build more cyber-resilient businesses and secure their digital cores, technologies and supply chains.”

MNEMO Mexico’s cybersecurity professionals will join Accenture Security’s workforce of more than 19,500 professionals globally, extending Accenture’s local resources and capabilities in Mexico / Latin America while addressing the growing regional demand for managed security services.

“The constantly shifting digital world is both a source of opportunity and risk, making it essential to have a well-trained and proficient cybersecurity team,” said Julian Garrido, General Director of MNEMO Mexico. “For more than 20 years our clients have counted on us to safeguard them against destructive cyberattacks. We are excited to join Accenture Security so we can collaborate across industries to help clients in Mexico and around the world build a secure future.” 

Mexico consistently ranks among the top countries in Latin America hardest hit by cyberattacks. Additionally, a report in collaboration with the World Economic Forum’s Global Cybersecurity Outlook 2023 and Accenture revealed that 59% of business leaders and 64% of cyber leaders ranked talent recruitment and retention as a key challenge for managing cyber resilience. And less than half of respondents reported having the people and skills needed today to respond to cyberattacks.

"We are proud to welcome the MNEMO Mexico team to Accenture. Their robust cybersecurity capabilities and commitment to a collaborative work culture are essential as we look to meet the increasing demand for managed security services in the market," said Andre Fleury, who leads Accenture Security in Latin America. "We are confident that we will bring tremendous talent and capability to our clients."

Accenture recently ranked No. 1 in managed security services (MSS) market share by revenue in the Gartner® Market Share: Managed Security Services, Worldwide, 2022 report, 18 April 2023 \*. **Last year, Accenture** was recognized **as a leader in strategic security services and MSS in Brazil by ISG.**

Since 2015, Accenture Security has made 17 acquisitions. Following its January 2020 acquisition of Symantec’s Cyber Security Services business, Accenture became one of the leading global providers of MSS. Accenture further strengthened its cyber defense and MSS capabilities in Latin America through the acquisition of Brazil-based Morphus earlier this year and its 2021 acquisition of Real Protect.

**Forward-Looking Statements**

Except for the historical information and discussions contained herein, statements in this news release may constitute forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. Words such as “may,” “will,” “should,” “likely,” “anticipates,” “aspires,” “expects,” “intends,” “plans,” “projects,” “believes,” “estimates,” “positioned,” “outlook,” “goal,” “target” and similar expressions are used to identify these forward-looking statements. These statements are not guarantees of future performance nor promises that goals or targets will be met, and involve a number of risks, uncertainties and other factors that are difficult to predict and could cause actual results to differ materially from those expressed or implied. These risks include, without limitation, risks that: the transaction might not achieve the anticipated benefits for Accenture; Accenture’s results of operations have been, and may in the future be, adversely affected by volatile, negative or uncertain economic and political conditions and the effects of these conditions on the company’s clients’ businesses and levels of business activity; Accenture’s business depends on generating and maintaining client demand for the company’s services and solutions including through the adaptation and expansion of its services and solutions in response to ongoing changes in technology and offerings, and a significant reduction in such demand or an inability to respond to the evolving technological environment could materially affect the company’s results of operations; if Accenture is unable to match people and their skills with client demand around the world and attract and retain professionals with strong leadership skills, the company’s business, the utilization rate of the company’s professionals and the company’s results of operations may be materially adversely affected; Accenture faces legal, reputational and financial risks from any failure to protect client and/or company data from security incidents or cyberattacks; the markets in which Accenture operates are highly competitive, and Accenture might not be able to compete effectively; Accenture’s ability to attract and retain business and employees may depend on its reputation in the marketplace; if Accenture does not successfully manage and develop its relationships with key ecosystem partners or fails to anticipate and establish new alliances in new technologies, the company’s results of operations could be adversely affected; Accenture’s profitability could materially suffer if the company is unable to obtain favorable pricing for its services and solutions, if the company is unable to remain competitive, if its cost-management strategies are unsuccessful or if it experiences delivery inefficiencies or fail to satisfy certain agreed-upon targets or specific service levels; changes in Accenture’s level of taxes, as well as audits, investigations and tax proceedings, or changes in tax laws or in their interpretation or enforcement, could have a material adverse effect on the company’s effective tax rate, results of operations, cash flows and financial condition; Accenture’s results of operations could be materially adversely affected by fluctuations in foreign currency exchange rates; changes to accounting standards or in the estimates and assumptions Accenture makes in connection with the preparation of its consolidated financial statements could adversely affect its financial results; as a result of Accenture’s geographically diverse operations and strategy to continue to grow in key markets around the world, the company is more susceptible to certain risks; if Accenture is unable to manage the organizational challenges associated with its size, the company might be unable to achieve its business objectives; Accenture might not be successful at acquiring, investing in or integrating businesses, entering into joint ventures or divesting businesses; Accenture’s business could be materially adversely affected if the company incurs legal liability; Accenture’s global operations expose the company to numerous and sometimes conflicting legal and regulatory requirements; Accenture’s work with government clients exposes the company to additional risks inherent in the government contracting environment; if Accenture is unable to protect or enforce its intellectual property rights or if Accenture’s services or solutions infringe upon the intellectual property rights of others or the company loses its ability to utilize the intellectual property of others, its business could be adversely affected; Accenture may be subject to criticism and negative publicity related to its incorporation in Ireland; as well as the risks, uncertainties and other factors discussed under the “Risk Factors” heading in Accenture plc’s most recent Annual Report on Form 10-K and other documents filed with or furnished to the Securities and Exchange Commission. Statements in this news release speak only as of the date they were made, and Accenture undertakes no duty to update any forward-looking statements made in this news release or to conform such statements to actual results or changes in Accenture’s expectations. 

**About Accenture**    
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent- and innovation-led company with approximately 733,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology and leadership in cloud, data and AI with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients reinvent and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com. 

**Accenture Security** is a leading provider of end-to-end cybersecurity services, including strategy, protection, resilience and industry-specific cyber services. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Cyber Fusion Centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Visit us at accenture.com/security.

\*Gartner, Market Share: Managed Security Services, Worldwide, 2022, April 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Accenture Expands Cybersecurity Services Capabilities in Latin America With Acquisition of MNEMO Mexico

Okta's IAM platform finds itself in cyberattackers' sights once again, as threat actors mount a supply chain attack targeting Okta customer support engagements.

Password manager 1Password has become the second publicized victim of Okta's recent customer support breach, news of which came to light last week. It is just the latest in a string of cyberattacks aimed at gaining access to highly privileged Okta accounts.

Okta, a cloud-based, enterprise-grade identity and access management (IAM) service that connects enterprise users across applications and devices, is used by more than 17,000 customers globally. On Friday, it disclosed that a threat actor had used stolen credentials to access its customer support case management system. The attacker then leveraged its access to penetrate some of those thousands of customers via their recent customer support engagements.

This is what happened with 1Password. On Sept. 29, the password-management company observed suspicious activity within the Okta instance that it uses for managing its employee-facing apps, according to a company statement. The activity was quickly terminated, and while it didn't detail the extent of the infestation into employee apps, it did say that no user or employee data or other sensitive systems were compromised.

News of more victims may yet be coming. Okta wrote on Friday that it has informed other potentially affected customers.

This is the latest attack on Okta, which continues to be a popular target for cybercriminals because it offers access to so much sensitive information. In August, the company detailed a campaign in which threat actors used social engineering to convince IT desk personnel to reset multifactor authentication (MFA) for highly privileged Okta enterprise accounts, opening the door to lateral movement.

And the more recent, highly publicized MGM and Caesar's Palace ransomware incidents involved a subversion of Okta Agent via social engineering, leading to deep infections of the Vegas giants.

**Profile of an Okta Customer Service Breach**

The first news of Okta's latest breach was provided not by Okta, but by BeyondTrust, a separate IAM security vendor.

On October 2, the company reported, an attacker tried using a valid session cookie stolen from Okta's support system to gain access to BeyondTrust's Okta administrator account.

"They requested a HAR \[HTTP archive\] file in an email," recalls James Maude, director of research at BeyondTrust, "and within that HAR file was a session token which the attacker within 30 minutes had grabbed out of their support system. And then they used that session token to authenticate in and start to try and do malicious things."

That the attacker pounced so quickly was necessary, as session tokens expire quickly, but also suspicious. "That was one of the things that made us wonder — that someone was just sitting, waiting for these files to be uploaded," Maude says.

Logs revealed that the attacker was visiting from an IP address in Malaysia, routed through a VPN service. Like 1Password three days prior, BeyondTrust says it successfully terminated the attack before any infrastructure or customer data was damaged.

**What Affected Customers (& Everyone Else) Should Do**

Affected customers with less effective detection and response may find themselves in a great deal more trouble than Okta's first two reported victims.

"The big risk is that they wouldn't necessarily even notice they've been compromised," Maude explains. "If the attacker is able to use the token to authenticate himself with a level of privilege where he can create accounts, add users to privileged groups that are then under their control, then that's effectively a backdoor into an Okta environment. And once they're able to get into that environment, if they're able to add an identity provider, they can then impersonate other users within the organization to gain access to the apps and other technologies that Okta is the gateway to through single sign-on (SSO)."

Companies should be aware of the sensitivity in sharing data with even trusted customer service agents, and proactively protect their most sensitive accounts to prepare for a worst-case scenario.

"Even if it's not through a support portal, there are other ways that attackers will seek to compromise Okta users. Organizations really need to step up their monitoring around Okta authentication events involving admin users," Maude concludes.

1Password Becomes Latest Victim of Okta Customer Service Breach

Emerging RaaS operation uses Rhysida ransomware paired with a wicked infostealer called Lumar, researchers warn.

Operating since last May, an emerging ransomware strain called Rhysida was deployed along with new stealer malware called Lumar for a potent new one-two punch against Brazil's popular PIX payment system users.

Researchers from Kaspersky reported Rhysida is functioning as a ransomware-as-a-service (RaaS) operation with a demonstrated ability to quickly evolve.

"It stands out for its unique self-deletion mechanism and compatibility with pre-Windows 10 versions of Microsoft. Written in C++ and compiled with MinGW and shared libraries, Rhysida showcases sophistication in its design," Kaspersky said in its findings about the group. "While relatively new, Rhysida faced initial configuration challenges with its onion server, revealing a group's rapid adaptation and learning curve."

The ransomware campaign targeting PIX has been ongoing since December 2022, the Kaspersky team noted, adding that Rhysida was deployed along with a complimentary malware-as-a-service (MaaS) infostealer called Lumar to target users of the payment system.

Lumar first emerged in July 2023, the report added, and can steal data on Telegram sessions, passwords, cookies, autofill information, desktop files, and even cryptographic wallets.

Notably, the Kaspersky team said the Lumar stealer is compact, without sacrificing functionality.

"The malware's efficient data collection is facilitated by the use of three separate threads," the report added. "The C2, hosted by the malware author as a Malware as a Service (MaaS), provides user-friendly features such as statistics and data logs. Users can download the latest version of Lumar and receive Telegram notifications for incoming data."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meet Rhysida, a New Ransomware Strain That Deletes Itself

The ex-employee claimed that he believed the shared information would benefit Russia and harm the US.

Former National Security Agency (NSA) employee Jareh Dalke has pleaded guilty on six counts after his transmission of classified government materials in an espionage attempt.

While working as an information systems security designer in the summer of 2022, Dalke used an encrypted email to transmit three documents to someone he believed was a Russian Federation agent in an attempt to display his "legitimate access and willingness to share," according to court documents. In truth, the alleged Russian agent was a covert FBI employee. The information Dalke shared contained National Defense Information (NDI).

On Aug. 26, 2022, Dalke requested $85,000 for sharing the classified information, claiming it "would be of value to Russia."

On Sept. 28, Dalke transferred five more files, four containing "Top Secret NDI," by following instructions provided by the covert FBI employee. The fifth file contained a letter reading "My friends! I am very happy to finally provide this information to you … I look forward to our friendship and shared benefit. Please let me know if there are desired documents to find and I will try when I return to my main office."

Dalke was arrested by the FBI after this second transfer of classified information. He admitted as part of a plea deal that he transferred these files believing that the information would be used to aid Russia and harm the US.

Dalke's sentencing is scheduled for April 26, 2024; he faces a maximum penalty of life in prison.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Former NSA Employee Faces Life in Prison After Espionage Attempt

Zatik takes a fractional approach to AppSec leadership to help small firms access the expertise they need to build secure-by-design software.

One of the fundamental principles of secure-by-design software development is that organizations need to account for security concerns right out of the gate. It's built into the way the applications are designed, architected, and coded. The trouble for small companies that build software is that it can be really hard for them to access and pay for the kind of application security expertise necessary to fold that kind of accountability into the engineering or DevOps process. And so small companies build and ship their software — oftentimes innovative applications upon which their whole business model is based — without much consideration for security.

By the time a startup has "grown up" and built its business big enough to feasibly hire some application security professionals, secure-by-design has already gone out the window. The software stack has already accumulated a ton of security technical debt. That new AppSec team is behind the eight ball before they even start. And without expensive refactoring, oftentimes all they can do is bolt on security controls or apply Band-Aids to security problems that may run very deep.

It's an age-old problem, and one that's simply not practical to get all preachy about to small business owners or small dev teams.

"Experienced application security people are in short supply, and they're getting hoovered up by the big companies, by the Microsofts, Amazons, Apples, and Googles of the world, and if you are a smaller company, you're just not competing on that playing field," explains Kymberlee Price, who has led product security and AppSec teams, worked as a security researcher, and run red team and incident response operations for the likes of Microsoft, Amazon, and Bugcrowd.

Price has been around the block enough to recognize that not only are best-in-class product security pros and security-aware developers still the "unicorns" of the software engineering market, but also that most small businesses aren't big enough to even have enough work to keep one of them busy for very long.

"They don't need a unicorn full time. They need a unicorn maybe for a quarter to set some strategy, and then they need 10% of a unicorn for the rest of the year," she says.

**Sharing the Unicorns**

This is the underlying problem Price hopes to alleviate with her new consulting firm, Zatik. Together with co-founder Jon Callas, another security luminary known for founding PGP and Silent Circle, Price hopes to level the software security playing field for startups and small businesses. Zatik is a fractional security consulting firm that helps companies tap into that small percentage of unicorn-level AppSec expertise that they need to get a security program up and running. It's built in the same mold as a virtual CISO (vCISOs), with a slightly different focus.

"We love virtual CISOs. But they're frequently enterprise-focused and compliance-focused. And we're more looking at, how do you build your product securely by design, the DevOps pipeline, CI/CD, security controls, and things like that," Price explains. "So it's a really nice complement to that fractional model."

For some companies, if they're early enough in their arc, they may need the full package of building out an entire cybersecurity program — something she and Callas are equipped to help them navigate.

"Our sweet spot really is securing the developer experience, but we can help them look at their tech stack, make some recommendations, and make some introductions to other partners," says Price.

She says that she and Callas currently run the company themselves, but they plan on adding more staff as Zatik scales and also leaning on a network of partners to provide additional expertise in areas as necessary for their clients.

"I mean, I can't help you secure your product if you have no employee access control," Price says. "So we wouldn't turn our nose up at other areas."

Ultimately, the goal is to help smaller companies develop that security-by-design ethos from the outset. Price sees that not only as a great business opportunity, but a way to move the needle on security across the tech world.

"One of the things I love about the kind of small companies we're talking to is we're getting in early in their maturity cycle," she says. "So as they're growing, they're growing with a secure-by-design platform where the engineers they're hiring and managing understand that this is 'just how we do it.' Of course we have branch protection, of course we do these things because it was there from day one, versus the security team showing up later and demanding that they have to change things."

Do Small Companies Need Fractional AppSec Teams Akin to Virtual CISOs?

Creating a new regulatory framework to better secure Oman's banking system against future attacks.

On the blissful dawn of Jan. 1, 2020, an unexpected menace in the form of a ransomware intrusion shattered the jubilant spirit of the IT department of Oman United Insurance Company SAOG. 

The attackers hit the main servers, and infected and encrypted their data, leading to a loss of data dated from Dec. 10, 2019, to the day of the attack. Luckily, the attack lasted only for one day, and by Thursday, Jan. 2, 2020, the company was able to recover lost data, all thanks to a robust backup system.    

The Oman Insurance Company SAOG was undeniably fortunate, considering that that same year, Oman recorded a staggering 123 million Web application attempts with over 417,000 confirmed attacks and over $1 million in losses. 

The alarming number of confirmed attacks mentioned above actually represents a 13% decrease compared with the nearly 500,000 confirmed attacks reported by the Oman government in 2019. According to the annual report posted by the Ministry of Technology and Communication, this improvement in Oman's cybersecurity stance was due to the intense security assessments that government websites were subjected to. This assessment exposed over 41,000 vulnerabilities and 13,000 Internet Protocol addresses that were discovered, analyzed, and fixed by the ministry. 

Oman is one of the few Persian Gulf countries known for its high-level cybersecurity strategy, which was put in place in 2010 when the Oman Computer Emergency Readiness Team (OCERT) was launched. This organization was tasked to detect and analyze cyber-risks in the country and to raise cyber awareness at the nation's fundamental level. It's no wonder the number of attempted cyberattacks in Oman plummeted from 880 million in 2017 to 12 million in 2022. 

**A New Cybersecurity Framework by the Central Bank of Oman**

Speaking of a cybersecurity strategy and master plan, the Central Bank of Oman recently issued a new security framework to make it difficult for cyberattackers to successfully defraud its banks and citizens.

In September 2023, the Central Bank of Oman (CBO) issued a new Regulatory Framework for cybersecurity and Resilience. This new regulation mandates banks, financing and leasing companies, payment service providers, and money exchange companies to meet a set of minimum requirements to build a financial industry resilient against cybersecurity risks.

This new regulation is organized into six fundamental categories, referred to as "Control Domains" or pillars. Each domain represents a distinct area of focus and guidelines for implementing security measures. They include:

1.  Governance
    
2.  Compliance & Audit
    
3.  Technology & Operations
    
4.  Third-Party Supply Chain Management
    
5.  Online Financial Services
    
6.  Risk Management
    

By implementing this new framework, the CBO intends to establish guidelines for licensed institutions to have the ability to handle cybersecurity risks. The goal is to maintain the same standard of cybersecurity controls across all licensed financial institutions operating in Oman, ensuring uniformity in their ability to manage such risks. 

**Impacts**

By implementing and adhering to the regulatory Framework for Cybersecurity and Resilience, banks and financial institutions in Oman will have enhanced capabilities to safeguard themselves from various types of cyber threats. Not only this, but if the set minimum requirements are met, financial institutions in Oman will have predefined protocols in place to help them swiftly respond to cyber incidents and minimize potential damage control.

Since this new framework will decrease the likelihood of successful cyberattacks, Oman's financial industry can avoid significant financial losses associated with data breaches and cybercrimes. Moreover, a secure financial sector fosters confidence among investors and the general public, so this new framework could promote stability in Oman's financial market. 

By implementing this new framework, Oman's finance industry is a step closer to meeting international security standards and possibly attract international investments and partnerships. Also, it enhances customer trust as security measures assure customers that their financial transactions and sensitive information are safe.

Source

DARKReading