An ESA cybersecurity expert explains how space-based data and services benefit from public investment in space programs.

Source: NASA / Dembinsky Photo Associates via Alamy Stock Photo

Cybersecurity for space missions is not optional and should be taken seriously. The barrier to entry for threat actors has significantly shrunk, exposing organizations to attacks from hardened cybercriminals and script kiddies alike.

While Europe's burgeoning commercial space industry is facing some challenges, the European Space Agency (ESA) is taking specific steps to boost defenses, such as planning to provide access for organizations to its space cybersecurity operations center (C-SOC), which is currently under development, and providing tools to those in the space industry. In a Nov. 2 keynote presentation at this year's Software Defined Space Conference, in Tallinn, Estonia, I explained some of the immediate commercial challenges for Europe's burgeoning space industry and what the ESA is doing to shore up commercial space cybersecurity.

**Main Cyber Threats to Space Infrastructure**

The main threats that target space infrastructure are not new. In many cases they are well-known threats similar to those we see in many other business fields and in critical infrastructure outside of the space domain. The reason why those are now affecting the space domain so much is mainly due to a dramatic evolution in technology for space infrastructures.

Until a few years ago, space infrastructure used technology that did not exist elsewhere, was extremely expensive, and required special knowledge and insight to understand and attack. This created a high entry barrier for threat actors, and only large, state-level actors had the resources for a successful attack.

The situation has changed dramatically over the past decade. Commercialization is driving the fusion of standard IT technology and software solutions with the space business. That lowers the barrier for both space-based businesses and threat actors, bringing a number of everyday threats from the Internet into the space domain.

A spacecraft, even a small one, represents the most significant investment for companies that want to establish a business around space-based data and services. This is especially true for startups and smaller companies, where the survival of the company is directly connected to the operational availability of the spacecraft. As such, most companies take cybersecurity very seriously and have taken measures to protect their assets both in space and on the ground. These measures include the execution of cybersecurity controls in the ground segment and protection of the communications links by, for example, deploying telecommand authentication.

At the same time, space systems are no longer isolated. In many cases they are fully integrated with other networks, such as the Internet, to meet business needs. That means cybercriminals and "script kiddies" have access to the space domain, driven by the quick profits to be made through information theft or the ransoming of assets.

**Common Vulnerabilities for Space Projects**

The most common weaknesses and vulnerabilities targeted are the same as those we see elsewhere, such as in a financial system. Attackers pick at the whole space system stack, from network protocol and protocol implementation weaknesses; social engineering, application, and operating system exploits; through to sending malicious commands. And now all of this can be automated, significantly increasing the likelihood of a successful attack.

ESA's answer to this situation is to deploy a solid defense-in-depth security posture, a fully security-certified end-to-end mission ground segment called Ground Operation System Common Core — Multi-Mission Generation (EGOS-MG). All elements of this system will be available to the European space industry under European community license and, if deployed in an appropriate environment, can provide a similar level of protection for commercial ground segments.

This system is complemented with a Space Cybersecurity Operations Centre (C-SOC), deployed at the European Space Operations Centre (ESOC) and the European Space Security and Education Centre (ESEC). C-SOC will start initial operations in 2024 and will provide the ability to detect and act on emerging cyberattacks to ESA's space system infrastructures. The C-SOC services will also be available to the European space industry.

**How Technologies Can Improve Public and Private Space Cybersecurity**

Artificial intelligence (AI) and digitalization have a profound impact on space cybersecurity. AI can greatly enhance cybersecurity capabilities related to pattern recognition and automated testing. In the case of the C-SOC, AI will help human staffers understand which detected anomaly is really a cyberattack and which is a false positive. Machine learning will help the C-SOC reduce the number of false positives over time and detect novel attack patterns that did not occur before.

Likewise, digitalization — in particular, model-based system engineering (MBSE) — has the potential to significantly improve the cybersecurity engineering process for a complex system by allowing efficient threat and risk assessment. For example, the digital model will help system and security engineers to immediately understand the impact of introducing a certain security control (e.g., the encryption of telemetry) on the overall system. It could be that this encryption control requires changes to other parts of the system or updates to the risk assessment that are not immediately apparent.

However, new technologies also bring new threats. AI is particularly vulnerable to cyberattacks in the form of data poisoning. It is essential that organizations that deploy these new technologies are aware of the increased number of threats they allow for.

The ESA Directorate of Operations is currently working with the European space industry to mature these capabilities in a secure manner as part of the ESA General Support Technology Programme (GSTP), which will benefit the ESA and industry alike.

**About the Author(s)**

Head of Ground Segment System and Cybersecurity Engineering, European Space Agency

Dr. Daniel Fischer is Head of Ground Segment System and Cybersecurity Engineering at the European Space Agency (ESA). Cybersecurity is now a key topic in the agency's technology development programs, which Dr. Fischer encourages businesses across Europe's space sector to explore and participate in.

The European Space Agency Explores Cybersecurity for Space Industry

PRESS RELEASE

TEL AVIV, Israel, Nov. 30, 2023 /PRNewswire/ -- Flow Security, the pioneering Data Security Lifecycle Platform, announced today its extension to GenAI Security with the launch of a new GenAI DLP module. This move makes Flow Security the industry's first data security platform to safeguard the movement of data to GenAI services and applications, empowering enterprises to securely build with and consume GenAI. 

The widespread use of Generative AI, while leading to advancements across the enterprise and fueling exceptional innovation, has led to increasing concern over data security. As more companies adopt GenAI services for a wide array of uses, from content creation to back-end tasks by developers, the potential for personal and corporate data leakage, data mishandling, and the creation of shadow data is on the rise. A recent report found that 69% of executives say innovation takes precedence over cybersecurity for Generative AI, while at the same time, 96% say adopting GenAI makes a security breach likely in their organization within the next three years.

"Many companies that wish to venture into GenAI are hesitant to put themselves at risk due to concerns over data leakage, and they will continue to limit its usage as long as they remain unaware of how their data is moved, stored, and used by 3rd parties," said CEO of Flow Security, Jonathan Roizin. "With GenAI DLP, we offer a responsible, frictionless way to safeguard corporate digital assets, enabling the wider adoption of GenAI applications across a data-centric ecosystem." 

Analyzing data in motion, as opposed to traditional scanning of known databases, enables Flow's GenAI DLP to discover shadow data and proactively identify anomalies in real-time, regardless of where the data is located. For data-centric organizations this capability is critical to prevent violations and breaches that could lead to fines and be damaging to their reputation. In testing, Flow's GenAI DLP uncovered undetected data leakages despite seemingly robust infrastructure protection. In a test focusing on healthcare organizations where GenAI was used to classify patient data to gain insights into disease patterns and treatment effectiveness, Flow's GenAI DLP quickly identified sensitive PHI data at risk that would have led to a HIPAA violation if it had continued to go unnoticed. In another test for telecom providers, GenAI was used to optimize customer services by analyzing chatbot interactions for potential risk, and once again, Flow's GenAI DLP identified sensitive financial data leaks, thereby avoiding the potential repercussions. 

"GenAI tools have created a situation where the movement of data is expanding at an unparalleled pace and relying on traditional infrastructure protection methods is inadequate to cover this data sprawl. To effectively monitor data's whereabouts, companies need to see the full journey, they can't rely on scanning data where it's supposed to be and once it is at rest – they need to know where the data actually is at all times," said CPO of Flow Security, Natia Golan. 

See more details on Flow's new generative AI security module here.

About Flow Security:  

Flow Security is the only data security platform that identifies, categorizes, and protects data at rest and in motion. Utilizing advanced eBPF technology, Flow's solution uncovers unmanaged data on-prem and in the cloud, ensuring frictionless and comprehensive protection of sensitive information in ever-widening data landscapes. Founded in 2021, Tel Aviv-based Flow is backed by Amiti, GFC, Amdocs Ventures, and market-leading angel investors. 

To learn more about Flow Security, visit our website, or follow us on LinkedIn.

Flow Security Launches GenAI DLP

PRESS RELEASE

San Francisco, CA — November 30, 2023 – Delinea, a leading provider of solutions that seamlessly extend Privileged Access Management (PAM), today announced new features for Secret Server to improve usability and increase PAM adoption across organizations. These enhancements optimize how privileged users interact with the vault through Web Password Filler and Connection Manager, while new capabilities within the Delinea Mobile app reduce friction and improve workflows for users while providing better privileged access controls. 79% of employees knowingly engage in risky behavior to get their jobs done, according to Delinea research about balancing risk, security and productivity. IT and security leaders need PAM solutions that are fast to deploy and easy to use so that controls are easy to adopt, leading to lower risk. An enterprise vault is the foundation for any PAM strategy, and Secret Server provides several options to access privileged credentials with minimal disruption to users’ current workflows, thus reducing barriers to adoption. 

   
Seamless security for all users accessing privileged credentials

Administrators and business users leveraging Web Password Filler (WPF) to access web applications gain improved visibility of available credentials stored in Secret Server with new built-in search functionality. Moreover, users enjoy facilitated access to credentials requiring checkout and comments directly from the browser without the need to toggle between screens. They also experience a simplified login with the option to autofill temporary one-time password (TOTP) codes.

     
"The latest updates provide seamless access for users while ensuring appropriate security and governance. and demonstrate our focus on streamlining workflows to fit the way security and business teams work," said Phil Calvin, Chief Product Officer at Delinea. "By removing complexity for all users accessing privileged accounts and managing active sessions, we make every organization leveraging Secret Server more secure." 

  
Enhancements to Connection Manager make it easier for users who launch remote sessions using vaulted credentials to quickly manage multiple privileged sessions without jeopardizing security or productivity. Administrators can respond to Multi-Factor Authentication (MFA) challenges enabled on individual secrets within the same Connection Manager window. Users can also extend their credential checkout rights directly in Connection Manager, reducing the need to move between screens and applications.

  
The Delinea Mobile app now includes updates that augment ease of use in support of administrators' need to access, manage, and secure privileged accounts from anywhere. Among them are unlock options, the ability to generate passwords, and readability improvements that streamline workflows and increase productivity while ensuring secure access to vaulted credentials.

You May Also Like

The Latest Delinea Secret Server Release Boosts Usability With New Features

Enterprise security goes beyond tech leadership, and beyond the CISO's office. Achieving cybersecurity and resilience is a team effort, and requires building a culture of security awareness.

Source: Image Source via Alamy Stock Photo

A chain is only as strong as its weakest link. When it comes to cybersecurity and resilience, the entire organization should be involved. Good security hygiene needs to be a fundamental part of company culture, and the organization's executive leadership should make it clear that abiding by security practices is part of achieving business objectives.

Infusing security and operational resilience throughout the organization requires understanding the needs and workflows of all departments, how different teams use technology, where sensitive assets are stored, and who has access to them. To align security and business goals, company leaders must plan ahead, encourage proactive communication across departments, and foster and reward a collaborative culture.

**Everyone Has a Role to Play**

We believe cybersecurity risk should be viewed through the lens of overall business risk. A security breach can be devastating for an organization, with long-lasting impacts that reverberate across many facets of its operations. A data breach can significantly damage a company's reputation, erode customer trust, and make it challenging to attract and retain talent. With that in mind, cybersecurity hygiene is as much about business strategy as it is about technological tools.

With so much at stake, the responsibility for cybersecurity and resilience extends far beyond the office of the chief information security officer (CISO). Successful organizations understand the multifaceted nature of security, and recognize that successful CISOs closely partner with their peers to define and implement the organization's security strategy. In this article, we take a closer look at effective collaboration amongst these stakeholders, as further described below.

The CEO establishes the business strategy and is accountable for the operational risks that could impact the business, partnering closely with the chief operating officer (COO) who is responsible for the implementation of that strategy. It’s important that the CISO develop, communicate, and implement a security program that’s aligned to the business strategy, risk appetite, and strategic organizational goals, while simultaneously mitigating the organization's risk. This is an area where the CEO, COO, and CISO can provide executive leadership and speak with one voice to ensure a security-oriented mindset is considered when developing policies and deploying technical and operational controls.

Likewise, the CISO and the chief technology officer (CTO) should collaborate to articulate a cybersecurity strategy that closely aligns with the organization's technology plans, jointly assessing the risks inherent in existing and planned technology initiatives, and defining the controls posture needed to achieve compliance with relevant policies, rules and regulations.

We’ve observed that in many organizations, the roles of the CISO and the chief information officer (CIO) often overlap to some extent, with the CIO typically focusing on the features and functionality of information systems, while the CISO is more oriented toward security and compliance. Working together, these leaders can develop a highly functional system that aligns to the needs of the organization and helps deliver on business goals whilst enabling security, privacy, and compliance.

In addition to working closely with the stakeholders noted above, the CISO would benefit from forming ties with the organization’s chief risk officer (CRO) as well, with whom there are opportunities for collaboration to align on the overall scope of operational risk faced by the organization and identify opportunities to mitigate that risk through a strategy that appropriately balances people, process, and technology in a manner commensurate with its overall risk appetite.

Similarly, the CISO would be wise in also partnering with the chief compliance officer (CCO) to ensure that the development of the organization’s cybersecurity posture is informed by and aligned with relevant regulatory requirements which may span multiple regulatory jurisdictions and geographies.

A comprehensive understanding of the respective spheres of influence and requirements from the various stakeholders noted above can inform corporate policies and procedures, and serve as the basis for building a culture of cybersecurity awareness that's reinforced with regularly recurring training and communication throughout the organization.

**Organizational Principles **

Putting this approach into practice, organizations often turn to cybersecurity frameworks, such as those developed by NIST or the Cloud Security Alliance, which can be instrumental in holistically and programmatically assessing security risks. For instance, the NIST framework sets out its core elements as belonging to one of the functions noted below:

*   Identify: Assess the organization, including how work actually gets done in different business units and where potential vulnerabilities can be found.
    
*   Protect: Put safeguards in place for sensitive data and critical services.
    
*   Detect: Define how cybersecurity incidents will be detected.
    
*   Respond: Document plans for responding to a cybersecurity incident and make sure impacted stakeholders are scoped into the response.
    
*   Recover: Plan for how the company will recover from a cybersecurity incident, both in the short term and over time.
    

However, these frameworks are just tools, and should not be conflated with serving as a security strategy. Building and maintaining a resilient and secure company means cultivating a culture of security awareness throughout. Effective collaboration between leaders and departments is crucial for the successful execution of an organization's cyber strategy and its ability to provide a holistic picture of the state of cybersecurity in the organization, as well as individual team members' understanding of their roles in supporting and executing the overall strategy.

Ongoing professional development and building cross-functional security teams are crucial elements of developing this culture of security aimed at identifying and preventing incidents from occurring. However, it's equally important to consider how learnings can be gleaned from incidents in the unfortunate event that they do occur. That's where practices like blameless postmortems come in. A sense of teamwork and a "we're all in this together" approach are vital for building a cybersecurity culture that takes root throughout your organization. 

Read more Partner Perspectives from Google Cloud

**About the Author(s)**

AMERS Financial Services Executive Trust Lead, Google Cloud Office of the CISO

Marina supports Google Cloud’s financial services customers in the Americas on Trust topics throughout their cloud journey, focusing on regulatory compliance, risk management, governance and oversight, cybersecurity and privacy.

Prior to joining Google, Marina held Legal and Compliance roles on Wall Street, overseeing the broker dealer compliance program at Thomson Reuters (now Refinitiv), leading US Compliance for the Technology, Human Capital Management and Corporate Services divisions at Goldman Sachs, and most recently, running the Digital Compliance team at BNP Paribas where she specialized in advising on emerging technologies including AI/ML and digital assets, and oversaw programs related to cybersecurity, data privacy, and cloud digital transformation initiatives.

Office of the CISO, Financial Services, Google Cloud

David is in the Office of the CISO at Google Cloud where he shapes cloud security and risk management practices for the Financial Services Sector.  He has over 15 years of experience implementing security policies and strategies, protecting information assets, preparing and testing incident response plans, and developing security protocols.

David helps customers reduce operational risk by ensuring organizations have the people, technologies, and processes in place to enable business operations while preventing, detecting, and responding to threats. He also specializes in advising on compliance to laws, regulations, and standards that govern information security, including ISO, NIST, and FISMA frameworks.

Before Google, David worked in both the U.S. government at DoD and DHS and the financial services sector at JP Morgan Chase and Credit Suisse.

Cybersecurity is a Team Sport

Sanctions on Kimsuky/APT43 focuses the world on disrupting DPRK regime's sprawling cybercrime operations, expert says.

Source: Stuart Miles via Alamy Stock Photo

The US Department of the Treasury Office of Foreign Assets Control (OFAC) has announced it has sanctioned cyberespionage group Kimsuky (aka APT43) for collecting intelligence on behalf of the Democratic People's Republic of Korea (DPRK).

The OFAC said the sanctions are technically in retaliation for a North Korean military reconnaissance satellite launch on Nov. 21, but, more broadly, they are designed to block the DPRK from revenue, materials, and intelligence necessary to perpetuate its weapons of mass destruction development program the Treasury's sanctions announcement added.

Kimsuky is a well-known advanced persistent threat (APT) group active since 2013 that works on behalf of the Kim Jong Un regime.

The move to file the sanctions is an important step forward in stymying the DPRK's malicious cyber activities, according to a statement from Michael Barnhart, Mandiant principal analyst, Google Cloud.

"Recent actions, including the OFAC sanctions of today and increased global awareness of these cyber threats, are forcing North Korea to adapt its strategies," Barnhart explained via email. "While these measures have undoubtedly disrupted the regime's cyber activities, it is crucial to recognize that North Korea remains a formidable threat."

**Can the DPRK Cybercrime Machine Be Stopped?**

In October, Kimsuky waged a campaign abusing Remote Desk Protocols (RDP) and other tools to to take over targeted systems. The previous March, the group had already emerged as what researchers characterized "unusually aggressive" APT, becoming adept at achieving the dueling goals of using social engineering to gather intelligence, as well as operating a massive cryptomining operation to raise funds for the North Korean regime.

The wider strategy to shut down cyberattacks from the DPRK must include a combination of greater public awareness of their activities, robust cybersecurity measures, as well as additional targeted sanctions and other measures that help disrupt the regime's cyber threat, according to Barnhart.

"Despite the exposure of their operations, APT43 has demonstrated remarkable resilience, continuing to employ sophisticated social engineering tactics to target unsuspecting individuals and organizations," he added. "This highlights the need for heightened vigilance and a comprehensive approach to combating North Korea's cyber threats."

The US is joined in sanctioning the cyber-threat group with allied nations Australia, Japan, and the Republic of Korea, according to the OFAC announcement.

"As an intelligence gathering apparatus for the Reconnaissance General Bureau (RGB), APT43 operates with the full backing of the North Korean regime, tasked with gathering sensitive information on a wide range of topics, including nuclear technology, sanctions evasion, and unification efforts," Barnhart said. "APT43 and DPRK-aligned cyber threats pose a significant and evolving challenge to the global community."

North Korea APT Slapped With Cyber Sanctions After Satellite Launch

Hundreds of consumer and enterprise-grade x86 and ARM models from various vendors, including Intel, Acer, and Lenovo, are potentially vulnerable to bootkits and takeover.

Source: Tetra Images via Alamy Stock Photo

Researchers have uncovered "LogoFAIL," a set of critical vulnerabilities present in the Unified Extensible Firmware Interface (UEFI) ecosystem for PCs.

Exploitation of the vulnerabilities nullify essential endpoint security measures and provide attackers with deep control over affected systems.

The flaws originate in image-parsing libraries within the boot process, impacting all major device manufacturers on both x86 and ARM-based devices, according to a Binarly Research report that will be officially released at Black Hat Europe in London next week.

The severity of LogoFAIL is exacerbated by its widespread reach, researchers warn, noting that it affects the entire ecosystem, not just individual vendors here and there. The findings were reported via the CERT/CC VINCE system, with anticipated vendor patches scheduled for December 6, in tandem with the Black Hat talk, which is entitled, "LogoFAIL: Security Implications of Image Parsing During System."

**Hijacking the Boot Process With LogoFAIL**

Binarly researchers found that by embedding compromised images in the EFI System Partition (ESP) or unsigned firmware update sections, threat actors can execute malicious code during boot-up, enabling them to hijack the boot process.

This exploitation bypasses crucial security measures like Secure Boot and Intel Boot Guard, facilitating the insertion of a persistent firmware bootkit operating beneath the OS level.

"Because the attacker is getting the privileged code execution into the firmware, it's bypassing the security boundaries by design, like a Secure Boot," explains Alex Matrosov, CEO and founder of Binarly. "The Intel Boot Guard and other trusted boot technologies are not extended in runtime, and after the firmware is verified, it just boots further in the system boot flow."

He says the Binarly Research team originally was experimenting with logo modification on one of the Lenovo devices they have in the lab.

"One day, it suddenly started to reboot after showing the boot logo," he says. "We realized that the root cause of the issue was the change of the original logo, which led to a deeper investigation."

He adds, "In this case, we are dealing with continued exploitation with a modified boot logo image, triggering the payload delivery in runtime, where all the integrity and security measurements happen before the firmware components are loaded.”

This is not the first Secure Boot bypass ever discovered; in November 2022, a firmware flaw was found in five Acer laptop models that could be used to disable Secure Boot and allow malicious actors to load malware; and the BlackLotus or BootHole threats have opened the door to boot process hijacking before. However, Matrosov says that LogoFAIL differs from prior threats because it doesn't break runtime integrity by modifying the bootloader or firmware component.

In fact, he says LogoFAIL is a data-only attack, occurring when malicious input comes from the firmware image or the logo is read from the ESP partition during the system boot process — and thus, it's hard to detect.

"Such an approach with the ESP attack vector leaves zero evidence of the firmware attack inside the firmware itself, since the logo comes from an outside source," he explains.

**Majority of the PC Ecosystem Is Vulnerable**

Devices equipped with firmware from the three major independent BIOS vendors (IBVs), Insyde, AMI, and Phoenix, are susceptible, indicating a potential impact across diverse hardware types and architectures. Between them, the three cover 95% of the BIOS ecosystem, Matrosov says.

In fact, Matrosov says LogoFAIL affects "most devices worldwide," including consumer and enterprise-grade PCs from various vendors —Acer, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, Supermicro, Fujitsu, and "many others."

"The exact list of affected devices is still being determined, but it's crucial to note that all three major IBVs — AMI, Insyde, and Phoenix — are impacted due to multiple security issues related to image parsers they are shipping as a part of their firmware," the Binarly report warned. "We estimate LogoFAIL impacts almost any device powered by these vendors in one way or another."

For its part, Phoenix Technologies published an early security notification this week (now taken down but available as a cache until it goes back up Dec. 6) detailing that the bug (CVE-2023-5058) is present in all versions lower than 1.0.5 of its Phoenix SecureCore Technology 4, which is a BIOS firmware that provides advanced security features for various devices.

"The flaw exists in the processing of user-supplied splash screen during system boot, which can be exploited by an attacker who has physical access to the device," according to the notification, which noted that an updated version is available. "By supplying a malicious splash screen, the attacker can cause a denial-of-service attack or execute arbitrary code in the UEFI DXE phase, bypassing the Secure Boot mechanism and compromising the system integrity."

LogoFAIL is also tracked by Insyde as CVE-2023-40238, and by AMI as CVE-2023-39539 and CVE-2023-39538.

Matrosov says the company is actively collaborating with multiple device vendors to coordinate disclosure and mitigation efforts across the spectrum.

**Firmware Updates Key to Minimizing Risk**

To minimize firmware risk in general, users should stay updated with manufacturer advisories and promptly apply firmware updates, as they often address critical security flaws.

Also, vetting suppliers is a must. "Be picky about the device vendors you rely on daily as personal device or devices across your enterprise infrastructure," Matrosov adds. "Don't blindly trust the vendors, but rather validate the vendor's security promises and identify the gaps across your device inventory and beyond."

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Critical 'LogoFAIL' Bugs Offer Secure Boot Bypass for Millions of PCs

The agency, known as JAXA, has shut down parts of its network as it conducts an investigation to discover the scope and impact of the breach.

Source: Tofino via Alamy Stock Photo

Japan's Space Exploration Agency (JAXA) reported this week that it experienced a cyber incident this past summer stemming from a breach of Microsoft Active Directory (AD) — raising concerns that nation-state actors might be after the country's space program data.

Chief cabinet secretary Hirokazu Matsuno raised the topic of the incident in a morning briefing on Nov. 29, mentioning that the agency investigated and preliminarily found that illegal access had indeed taken place. The agency was allegedly unaware of the attack until it was contacted by the authorities.

As mentioned, the breach was located in the organization's AD environment, the central server that manages access control for JAXA's network, including admin passwords for corporate applications. According to The Japan News, an official related to JAXA reportedly stated that "as long as the AD server was hacked, it was very likely that most of the information was visible. This is a very serious situation," though there is much that has not yet been confirmed.

This is not the first time that this Microsoft component has led to a compromise of information. Just earlier this year, US Sen. Ron Wyden (D-Ore.) wrote to the heads of CISA, the Justice Department, and the FTC asking them to hold Microsoft responsible after a Microsoft 365 breach due to three vulnerabilities in its Exchange Online email service and the Azure Active Directory. And just prior to that, it was discovered that a stolen Microsoft account key could allow threat actors to create access tokens for a variety of different types of Azure Active Directory applications.

**State-Sponsored Hackers After Japan's Space Program Secrets?**

The breach raises concerns that Japan's space program has been exposed, according to Ted Miracco, CEO of mobile security company Approov, who noted that JAXA has been a target before; in 2016 and 2017, JAXA was among 200 Japanese companies and research institutes allegedly targeted by Chinese military hackers.

"The cyberattack on Japan's aerospace exploration agency bears all the characteristics reminiscent of past incidents, raising questions about the involvement of state-sponsored actors," Miracco said via email. "In the historical context, previous attacks were linked to Chinese military hackers, and the reported exploitation of a vulnerability disclosed by a network equipment manufacturer in June adds a layer of sophistication to the attack, indicating a state-sponsored attack.

He added, "The motivation behind the cyber intrusion, given the nature of JAXA's operations in satellite development and advanced missions, points towards an interest in strategic intelligence and technological advancements. Understanding the identity, methods, and motivations of the perpetrators becomes crucial in fortifying cybersecurity measures to mitigate future risks, as these attacks are unlikely to stop anytime soon."

Meanwhile, JAXA has shut down part of its network and launched a full investigation to determine the scope of the breach and its impact. The agency is working with the central government, as well as police, on the matter.

Japan's Space Program at Risk After Microsoft Active Directory Breach

UAE security leaders warn that people, tech, and process gaps are exposing their organizations to cybercrime.

Source: Chroma Craft Media Group via Alamy Stock Photo

A vast majority of security chiefs in the United Arab Emirates believe their organization must improve how their teams, processes, and tech function in order to mitigate future cyberattacks.

Research by Trellix recently found that 96% of CISOs — who have experienced security incidents — feel improvements are needed, while 52% of respondents say their organization doesn't possess the technical knowledge to handle complex security incidents.

**Reliance on Manual Processes**

Forty-eight percent of security leaders believe that their organization is too reliant on manual processes, which hampers the mean time to detect and repair cyber incidents.

In addition to this, 44% blame the failure to fight cybercrime on poorly documented and implemented processes, with another 44% warning that disconnected security controls caused a lack of context.

Jake Moore, global cybersecurity adviser at ESET, says continual investment in protection is crucial for companies as cyber threats are increasingly sophisticated and common.

"Furthermore, now with the introduction of AI threats we are seeing cyberattacks become even more relentless and powerful," he says. "Companies need to bear in mind that the cost of recovery from an attack usually outweighs the cost of preventive security measures."

**Mind the Gaps**

While gaps in technical resources make it difficult for organizations to spot and respond to cybersecurity incidents, stretched or ill-equipped security teams also make this difficult. More than half of respondents (52%) cited gaps in their security capabilities as contributors to a security incidents experienced by their organization. 

Meanwhile, 44% admitted that they hadn’t properly configured their IT stacks or enabled their detection policies. A further 40% said their IT and security tools don't offer “adequate visibility” of incidents. 

Moore says: "Neglecting cybersecurity in terms of the people and process can leave a business dangerously exposed to preventable or mitigable attacks with potentially severe consequences."

**About the Author(s)**

Technology Journalist

Nicholas Fearn is a freelance tech journalist from the Welsh valleys. He's written for major outlets like Forbes, Financial Times, The Guardian, The Independent, The Telegraph, HuffPost and Business Insider, as well as tech publications like Gizmodo, TechRadar, Laptop Mag, Computer Weekly, ITPro and many more. When Nicholas isn't geeking over the latest gadgets and tech trends, he's probably listening to Mariah Carey on repeat.

Emirates CISOs Flag Rampant Cybersecurity Gaps

Saudi companies are seeking extra help in droves, because of a lack of tools and personnel.

Source: Hakan Gider via Alamy Stock Photo

More than half of Saudi Arabian companies plan to outsource their cybersecurity measures in the next year, as a lack of resources continues to plague the region.

Up to 58% of respondents plan to invest in different forms of outsourcing cybersecurity in the next 12 to 18 months as a measure to strengthen their posture, according to research from Kaspersky. Reasons given include a lack of necessary tools for threat detection (22%), and a shortage of internal IT security staff (34%).

Also, 42% plan to outsource their cybersecurity to managed service providers (MSPs), while 10% want the help of external consulting specialists.

The push for outsourcing comes as 71% of Saudi companies reported a cyber incident over the last two years, and 74% said the incidents were "serious."

**About the Author(s)**

Saudi Companies Outsource Cybersecurity Amid 'Serious' Incidents

A more proactive approach to fighting cyberattacks for US companies and agencies is shaping up under the CISA's proposal to emphasize real-time attack detection and response.

Source: Wavebreakmedia Ltd IFE-210813 via Alamy Stock Photo

COMMENTARY

The United States faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies.

These attacks can have severe consequences, from the theft of sensitive information to the disruption of essential services. To effectively combat these threats, the US needs to adopt a comprehensive and proactive approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate.

Where are we now, and are we on the right track to adopt a similar mandate on this side of the Atlantic?

**The IT-SiG Approach Compared With the US's Current Capabilities**

One of the key features of the IT-SiG 2.0 mandate is its emphasis on real-time attack detection and response. This approach recognizes that preventing all cyberattacks is impossible and focuses on quickly identifying and mitigating the effects of successful attacks. This mitigation is achieved through advanced security technologies, such as intrusion-detection systems, security information and event management (SIEM) systems, and security orchestration, automation, and response (SOAR) systems, which can detect and respond to potential threats in near real time.

In contrast, the US has traditionally relied on patching vulnerabilities and responding to attacks after they have occurred and, ideally, been resolved. While this approach can effectively mitigate the effects of individual attacks, more is needed to keep pace with the rapidly evolving cyber-threat landscape. The US has needed a more proactive approach, like the IT-SiG 2.0 mandate, emphasizing real-time attack detection and response to stay ahead of potential threats.

**With This Strategy, Visibility Is Key**

Another critical aspect of the IT-SiG 2.0 mandate is its focus on improving visibility into the cybersecurity posture of organizations. Visibility is achieved through regular security assessments and penetration testing, which help identify vulnerabilities and weaknesses in an organization's systems and networks. By comprehensively understanding an organization's cybersecurity posture, the IT-SiG 2.0 mandate encourages organizations to identify issues and take steps to remediate them, improving overall security.

The United States has taken steps toward improving visibility into the cybersecurity posture of federal agencies with the Cybersecurity & Infrastructure Security Agency's Binding Operational Directive 23-01 in October 2022. However, this directive only applies to federal agencies and not to private-sector companies; many organizations may not have the same level of visibility into their cybersecurity posture as federal agencies.

According to Statista's Research Department, in the fiscal year 2020 the number of cybersecurity incident reports by federal agencies in the United States was over 30,000, around an 8% increase from the previous year.

To effectively combat cyber threats, it's essential that all organizations, not just federal agencies, have the necessary visibility into their cybersecurity posture. Therefore, the US should consider expanding the reach of Directive 23-01, like the IT-SiG 2.0 mandate, to include private-sector companies. This expansion would ensure that all organizations have visibility into their cybersecurity protection.

**Recent US Steps**

In brighter news, we might be beginning on the path toward a more effective national cybersecurity strategy akin to IT-SiG 2.0. In March, the Biden administration announced its National Cybersecurity Strategy. Among the plan's emphases are defending critical infrastructure; disrupting the ability for cybercriminals to attack agencies, organizations, and individuals; encouraging market forces to lead the way to broader security and resilience; and fostering international collaboration between private and public sectors to stay ahead of bad actors.

It appears the plan emphasizes less the cybersecurity tools that will be used and more the means of making sure they're being adopted and used correctly, shoring up weak links in complex business and government affairs. While the White House laid out this plan, a significant amount of the burden will fall on the shoulders of those most capable of fighting back against waves of cyberthreats — namely, the business world alongside the government. A redefinition of the "social contract" of cybersecurity seems to be what they're after here, with smaller businesses and individuals able to benefit from the processes put in place by larger organizations.

Taking up this plan and running with it, in August the Cybersecurity & Infrastructure Security Agency (CISA) released its Cybersecurity Strategic Plan for the fiscal years 2024 through 2026. "It's up to all of us, government and private sector, domestic and international, to execute \[the cybersecurity plan\]," Eric Goldstein, Executive Assistant Director for Cybersecurity wrote on the CISA website.

How does CISA's plan compare with IT-SiG 2.0? If we're going by real-time attack detection and visibility as the main driving points, then CISA's plan directly lines up, at least in concept. CISA's plan outlines three major goals: address immediate threats, harden the terrain, and drive security at scale.

So, visibility into vulnerabilities, quick real-time responses, and proactive mitigation of weaknesses that could be exploited are the primary focus. While this is still in plan form, it does seem like CISA has homed in on the same key points the IT-SiG 2.0 is going after.

**Looking Toward a More Secure Future**

Statista's Research Department found that in the first half of 2022, the number of data compromises in the US came in at 817 cases. Over 53 million individuals were affected by those data compromises, which included data breaches, data leakage, and data exposure.

The US faces an ever-growing threat of cyberattacks on its critical infrastructure, government agencies, and private sector companies. To effectively combat these threats, the United States needs to adopt a comprehensive and mandated approach to cybersecurity, similar to the one taken by Germany with its IT-SiG 2.0 mandate. This approach forces real-time attack detection and response, improves visibility into organizations' cybersecurity approach, and offers a solid beginning to a more secure digital world.

There's work to be done — by both government agencies and businesses, as the shift in the social contract implores everyone to do what they can — but by taking these first steps, the United States can improve its overall cybersecurity posture for all companies and better protect digital assets against potential threats.

**About the Author(s)**

CTO & Co-Founder, SecurityBridge

Ivan Mans is a long time SAP technology consultant, having worked in the SAP space since 1997 — the early days of R/3. In 2012, Ivan co-founded SecurityBridge, and in his current role as CTO, he is a motivated driver, inspires people, and pushes technology that contributes to the continuous innovation of the SecurityBridge Platform. In recent years, Ivan has been a regular speaker at SAP events, evangelizing SAP security.

Source

DARKReading