A technique, dubbed the "Near-Ultrasound Inaudible Trojan" (NUIT), allows an attacker to exploit smartphones and smart speakers over the Internet, using sounds undetectable by humans.

The sensitivity of voice-controlled microphones could allow cyberattackers to issue commands to smartphones, smart speakers, and other connected devices using near-ultrasound frequencies undetectable by humans for a variety of nefarious outcomes — including taking over apps that control home Internet of Things (IoT) devices.

The technique, dubbed a Near-Ultrasound Inaudible Trojan (NUIT), exploits voice assistants like Siri, Google Assistant, or Alexa and the ability of many smart devices to be controlled by sound. According to researchers at the University of Texas at San Antonio (UTSA) and the University of Colorado at Colorado Springs (UCCS), most devices are so sensitive that they can pick up voice commands even if the sounds are not in the normal frequency range of human voices. 

In a series of videos posted online, the researchers demonstrated attacks on a variety of devices, including iOS and Android smartphones, Google Home and Amazon Echo smart speakers, and Windows Cortana. 

In one scenario, a user might be browsing a website that is playing NUIT attack commands in the background. The victim might have a mobile phone with voice control enabled in close proximity. The first command issued by the attacker might be to turn down the assistant's volume so that responses are harder to hear, and thus less likely to be noticed. After that, subsequent commands could ask the assistant to use a smart-door app to unlock the front door let's say. In less concerning scenarios, commands could cause an Amazon Alexa device to start playing music or give a weather report.

The attack works broadly, but the specifics vary per device.

"This is not only a software issue or malware," said Guenevere Chen, an associate professor in the UTSA Department of Electrical and Computer Engineering, in a statement. "It's a hardware attack that uses the internet. The vulnerability is the nonlinearity of the microphone design, which the manufacturer would need to address."

    

Using inaudible sounds played through a speaker, an attacker can issue commands to smart devices. Source: UTSA and UCCS

Attacks using a variety of audible and non-audible frequencies have a long history in the hacking world. In 2005, for example, a group of researchers at the University of California, Berkeley, found that they could recover nearly all of the English characters typed during a 10-minute sound recording, and that 80% of 10-character passwords could be recovered within the first 75 guesses. In 2019, researchers from Southern Methodist University used smartphone microphones to record audio of a user typing in a noisy room, recovering 42% of keystrokes.

The latest research appears to use the same techniques as a 2017 paper from researchers at Zhejiang University, which used ultrasonic signals to attack popular voice-activated smart speakers and devices. In the attack, dubbed the DolphinAttack, researchers modulated voice commands on an ultrasonic carrier signal, making them inaudible. Unlike the current attack, however, the DolphinAttack used a bespoke hardwired system to generate the sounds rather than using connected devices with speakers to issue commands.

**Defenses Against NUIT Cyberattacks**

The latest attack allows any device compatible with audio commands to be used as a conduit for malicious activity. Android phones could be attacked through inaudible signals playing in a YouTube video on a smart TV, for instance. iPhones could be attacked through music playing from a smart speaker and vice versa.

In most cases, the inaudible "voice" does not even need to have to be recognizable as the authorized user, said UTSA's Chen in a recent statement announcing the research.

"Out of the 17 smart devices we tested, \[attackers targeting\] Apple Siri devices need to steal the user's voice, while other voice assistant devices can get activated by using any voice or a robot voice," she said. "It can even happen in Zoom during meetings. If someone unmutes themselves, they can embed the attack signal to hack your phone that's placed next to your computer during the meeting."

However, the receiving speaker has to be turned up fairly loud for an attack to work, while the length of the malicious commands has to be less than 0.77 seconds, which can help mitigate drive-by attacks. And devices that are hooked into earbuds and headsets are less likely to be vulnerable to being used by an attacker, according to Chen.

"If you don't use the speaker to broadcast sound, you're less likely to get attacked by NUIT," she said. "Using earphones sets a limitation where the sound from earphones is too low to transmit to the microphone. If the microphone cannot receive the inaudible malicious command, the underlying voice assistant can't be maliciously activated by NUIT."

The technique is demonstrated in dozens of videos posted online by the researchers, who did not respond to a request for comment before publication.

Hey, Siri: Hackers Can Control Smart Devices Using Inaudible Sounds

IoT risk and security must get more attention from vendors and support from the marketplace.

The Internet of Things (IoT) is and always will be a contentious subject for cybersecurity. Not because of the convenience these devices add but for the risk they inject into the lives of people and businesses.

As cybersecurity professionals, we often quote cynical jokes to laugh and cope with the reality of our jobs. So stop me if you've heard this one: Did you know that the S in IoT stands for security? Half of you chuckled at it, and the other half probably took a second to realize that there is no S or security in the IoT acronym.

As cybersecurity professionals, we're often stuck between a rock and a hard place when assessing the risk these devices pose to us personally and professionally. There are more than a billion IoT devices on the Internet, each with the potential to be exploited. A business might have a compelling business imperative an IoT solution can enable, but that solution may inject an undue security risk into protecting safety and productivity. A Wi-Fi-connected security camera may give a homeowner peace of mind about securing a property, but may also expose that property to additional risk from hackers who can take control of the camera and abuse the platform.

**Market Forces vs. IoT Vendors**

So how did we get here? The easy answer is: IoT vendors continue to fail us on implementing solid cybersecurity controls. The difficult answer is: The market continues to push many IoT vendors into offering the lowest cost and most competitive products. They achieve this by sacrificing or outright neglecting cybersecurity for their solutions.

By choosing to not address security, vendors are pushing the risk to the consumers who are often oblivious to the dangers. In commercial solutions, this can have serious consequences. A medical facility that relies on IoT devices to manage patient care cannot weather an outage without endangering patients. Nor would they want patient data inadvertently exposed due to insecure IoT devices, or worse, have actual medical care disrupted.

So how did we, as consumers and dependents of IoT, get here to this untenable state of IoT risk and security? The answers, as they always seem to do, eventually lead back to money.

There are quite a few big-name players in the commercial and residential IoT space. These are name brands that most everyone can recognize: Google, Huawei, Microsoft, and others. While these companies are mature and responsive to security threats in IoT, it's the more niche companies that are more concerning.

**IoT Cost Points**

So, here's a thought experiment. Imagine you're a small IoT company and you want to develop a niche product that will enter an already crowded IoT market. What kind of costs does it take to develop the IoT product? Some cost points to consider:

**1\. Qualified development personnel are hard to come by for IoT.** You will need a solid team of hardware, networking, application design, business intelligence and automation experts to help bring your product to market.

**2\. Hardware and software costs can range from small to huge sums of money.** The more complex the device and service, the higher the cost.

**3\. What is the connection model?** Wi-Fi, Bluetooth, cellular? Each adds more to the cost, some more than others.

**4\. You must design a product UI!** If you intend to win on the merits of your product, a smooth user experience is a must.

**5\. What about security?** Do we have to use encryption? How about a secure protocol, or hardware that has secure firmware? Well, unless there's a regulatory requirement, there's no money for it. We have to keep costs down if we intend to compete.

**Best IoT Security Development Steps**

While the scenario is a generalization, it's not far from the truth. Developing an IoT product with security features adds to costs many companies either do not consider, or have deliberately chosen to neglect. Further complicating things, what if the company that makes an IoT device no longer supports it? Or what if that company simply goes out of business?

Is any of this resolvable? To an extent, yes. Companies can usually push over-the-air (OTA) updates to products that can address security issues. They can also utilize cloud service frameworks that mandate security between the device, the cloud, and the company. Vendors can also employ outside third parties to audit and evaluate the IoT solution. An outside third party can fairly evaluate and help the vendor address vulnerabilities in the hardware or software. Application developers can be trained in secure software development. The product can be designed with hardware robust enough to accommodate secure implementations.

However, all these things represent monetary investments a company has to willingly make. And the investments are continuous — with every device patch or new feature offering, the same security evaluations have to be performed again and again.

**It's Time to Step Up**

What do we do? The first step is educating the consumers. As security professionals, we must do our best to help others have situational awareness and help evaluate risk. This in turn can help for security investments that can help mitigate the vulnerabilities that some IoT devices inject into our risk models.

Helping call out insecure practices and companies can also help. We have a unique opportunity and position to help advocate for everyone who utilizes an IoT device and should use our voices to help wherever we can.

Spend on Safety Measures & Call Out Insecure Practices for Safer IoT

Without proof that it was collected legally, purchased data can threaten an enterprise's security compliance and even expose the company to litigation.

Purchasing databases from data brokers can create a problem for enterprise security executives. While there are tools to scan the files for malware, there is no automated way to make sure that the data contained in the database is accurate and, even more importantly, was obtained with proper consent. Without that assurance, those files can pose a threat to the enterprise's security compliance and may even open up the company to litigation.

Consider this scenario: Business unit leaders perform an exhaustive due diligence effort before purchasing databases from a data broker. The data has been widely distributed within the organization's global systems. Six months later, law enforcement authorities move against the data broker and report that all of its data was improperly obtained. The organization now has a compliance nightmare on its hands.

The organization might want to delete all of that data to comply with regulations. However, if the team did not tag the data when it was initially loaded into the system, it will be difficult to track and remove it. Even if the data was tracked successfully, it could have become so interwoven with petabytes of other data that it is no longer viable to extract.

On top of this, some regulators may apply the legal concept of "the fruit of the poisonous tree." That doctrine is typically used when law enforcement is accused of not obtaining a search warrant properly. If a judge finds that they indeed did act improperly, the fruit doctrine would not only exclude any evidence found during the search, but also anything found as a result of what was found in the search.

In the case of data, a strict regulator might insist that not only must a company delete the data broker's information, but also any information that resulted from processing that data. In other words, the analytics done on that data might have to be deleted as well.

**Tracking Data as It Flows**

Another major complicating factor with data compliance is that the folders of information that come from data brokers often reflect work done over many years. That means much of it stems from a time, a place, and a vertical where the rules were different.

"Due to the increasing regulatory compliance framework regarding data collection notice and consent, there are data brokers that have huge subsets of their data that is not 'clean' and they cannot make reps and warranties about it to third parties that want to leverage that data," says Sean Buckley, an attorney with law firm Dykema who specializes in data privacy issues. "The risk to the data broker circles back to whether their data is 'clean' and whether they can prove it if necessary."

ClearData CISO Chris Bowen argues that data tracking is critical when dealing with purchased files, but it can also prove quite difficult — even impossible — if the organization didn't tag it sufficiently from the beginning.

"You need to closely track where the data lives and where it flows," Bowen says. "You need to tag the source of each field in the database. You need consistent links through petabytes of data, structured and unstructured."

Most security executives are not comfortable with this approach because dataflow analysis is outside of their usual remit, he adds.

"Where \[data\] flows and how it's distributed and how it is archived and destroyed, that's usually more the purview of the privacy office," Bowen says. "You need to protect and track the data through every element of its life cycle."

Critically, Bowen stresses that once new datasets are built on top of the data broker information, "it's darn near impossible to uncouple that data. It would take an act of AI to decouple and unwind all of that."

**Putting AI to Work**

That AI point is exactly where some other data specialists see this argument headed. They anticipate large language models (LLMs), such as ChatGPT, will be able to track the data through unlimited analytics efforts. In two to five years, the LLM approach may be effective enough for regulators to rely on it.

"Companies today use \[the difficulty of data tracking\] as an excuse to not produce the evidence. With the advent of machine learning models, that is no longer the case," says Brad Smith, a managing director at consulting firm Edgile.

Detailed tracking of the data throughout its life cycle is key to solving the data broker problem, he says.

"When you pull data in from an external organization, there is always going to be some level of liability. The solution is to maintain data lineage. Generally, when you move information, transfer or copy, or the data somehow morphs from one system to another, that lineage is broken," Smith says. "With the large language model, every piece of data exists in its original state. Those mappings exist in the neural network they have created."

The cloud also plays a critical role here, he adds.

"The only thing that they have to do is move their data into a hyperscale infrastructure," Smith says. "When regulators become aware of this and the \[enterprise\] hasn't sufficiently invested in Azure or AWS, they'll ask, 'Why haven't you moved to that platform?'"

**Avoiding Tainted Data**

Fundamentally, some believe that businesses purchase third-party data from data brokers too quickly and that they should first do serious examination of the data they already have or can collect directly.

"There is an open acknowledgement that the quality of third-party data is not good and that it's collected in a pretty dubious manner. Their definition of consent is spotty. Overall, the way data brokers get their data flies in the face of global privacy laws," says Stephanie Liu, a privacy analyst with Forrester.

"It's shocking how quickly we've normalized the aggregation of data that, just a few years ago, would have been considered an egregious intrusion of privacy," adds Rex Booth, the CISO for SailPoint. "Now the only delineation of right and wrong regarding brokers is whether they broke laws in gathering their data."

When figuring out the data broker challenge, CISOs must factor in how the data is being used now and how it will likely be used in a year," he says. "Is it being used to make decisions about who gets a loan or an apartment? Is the resultant data visible to customers, or is it entirely internal, such as data to help sales know who to contact?

Saugat Sindhu, a senior partner who heads the strategy and risk practice at consulting firm Wipro, says almost all data brokers provide deliverables in an anonymized fashion, but it often doesn't stay that way. "You can easily deanonymize an identity," he says.

In some cases, Sindhu says, the compliance remedy may go beyond data deletion to assessing revenue generated by the improperly created data: "You didn't do anything wrong knowingly, but you still made profits off of it and that may raise a fair trade issue," he says. "At the end of the day, tainted data is tainted data."

How CISOs Can Reduce the Danger of Using Data Brokers

CISA released the hunt and response tool to help defenders extract cloud artifacts without performing additional analytics.

The Untitled Goose Tool is the latest tool from the United States Cybersecurity and Infrastructure Security Agency to help enterprise security teams respond to attacks.

Developed in conjunction with Sandia National Labs, the Untitled Goose Tool “offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services,” CISA said in its announcement, which specifically listed Microsoft Azure, Microsoft 365, and Azure Active Directory. With this tool, defenders can run a full investigation by interrogating and collecting Azure Active Directory sign-in and audit logs, Microsoft 365 unified audit log, Azure activity logs, Microsoft Defender for IoT (Internet of Things) alerts, and Microsoft Defender for Endpoint data for suspicious activity, CISA said in its Untitled Goose Tool fact sheet. Defenders can also query, export, and investigate Azure Active Directory, Microsoft 365, and Azure configurations.

The hunt and incident response tool was designed to assist incident response teams export cloud artifacts after an incident for environments that aren’t ingesting logs into the organization’s Security Information and Events Management (SIEM) platform, CISA said on the Untitled Goose GitHub repository page. The defenders can then ingest the JSON results into an existing SIEM, web browser, text editor, or database, for additional analysis.

The Untitled Goose Tools was announced on the same day as the Pre-Ransomware Notification Initiative, which aims to warn organizations about ransomware attacks early enough so that organizations can block the attempt to steal or encrypt data. Earlier in March, CISA announced the Decider tool, which will help organizations map adversary behavior to the MITRE ATT&CK framework to find gaps in their defenses, as well as the Ransomware Vulnerability Warning Pilot, to warn critical infrastructure entities about flaws in their systems.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA Releases Hunt Tool for Microsoft's Cloud Services

After several weeks and more than 130 ransomware victims, GoAnywhere parent company Forta issues a statement.

A vulnerability in a commonly used file transfer service called GoAnywhere has allowed the Clop ransomware group to breach about 130 organizations. Weeks later, details are still emerging about the sprawling attack.

Up until now, those details weren't coming from GoAnywhere parent company Fortra. It's been the victim organization making headlines with public data breach disclosures. GoAnywhere customers which have disclosed that they were breached through the GoAnywhere MFT remote code execution vulnerability, tracked under CVE-2023-0669, so far include Community Health Systems, Hatch Bank, cybersecurity company Rubrik, Hitachi Energy, and the City of Toronto, which, when totaled up, represent the exposure of millions of people's private data to the worst cybercriminal elements.

Clop cybercriminals were eager to provide details of their campaign, claiming on their leak site they used the exploit over the course of 10 days to breach more than 130 companies, according to reports.

For its part, Forta has remained publicly quiet about the steady stream of disclosures. But today, it gave Dark Reading a statement with reassurances that it's committed to helping its customers navigate what is evolving into a communications, as well as a cybersecurity, crisis for the company.

"On January 30, 2023, we were made aware of suspicious activity within certain instances of our GoAnywhere MFTaaS solution," Fortra says in a statement issued to Dark Reading. "We immediately took multiple steps to address this, including implementing a temporary outage of this service to prevent any further unauthorized activity, and sharing mitigation guidance, which includes instructions to our on-prem customers about applying a developed patch."

Fortra added that it remains committed to supporting its affected users.

"We are working diligently to notify customers who may have been impacted and we coordinated with CISA to add information about this vulnerability to their CVE catalog to broaden the reach of information about this issue," Fortra's spokesperson's statement adds. "We are taking this very seriously and continue to help our customers implement mitigation steps to address this issue."

**Fortra's Communications Under Fire**

First reports of the GoAnywhere zero-day were shared on Feb. 2 by cybersecurity news site KrebsOnSecurity, which, after finding the advisory stuffed behind a login page, simply pasted the information for the public to see. Days later a patch was issued by Fortra. Betting on patch lagging, in the ensuing days, the Clop ransomware threat actors were able to take advantage. On Feb. 10, the Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its list of known exploited vulnerabilities catalog. 

Nonetheless, companies have continued to get caught up in the ongoing campaign. And despite Fortra's assurances, cybersecurity analysts, experts, and watchers are widely critical of the company's lack of communication and slow response in offering guidance to victims and targets. The attack surface is broad, too, it should be noted: According to its website, GoAnywhere is used at more than 3,000 organizations to manage documents of all kinds. And according to data from Enlyft, most of those are large organizations — with at least 1,000 and often more than 10,000 employees — mostly based in the United States.

"This one wasn't communicated well, challenging even the best security teams to respond," Heath Renfrow, co-founder of Fenix24 tells Dark Reading in response to the freshly issued statement from Fortra. "This is a good example of how it is necessary for security professionals to have multiple sources of threat intelligence — beyond just their providers — to cover every base. That said, it has been communicated now and anyone using the solution should patch immediately."

Slow communication can be especially detrimental in a software supply chain attack scenario, Dirk Schrader, vice president of security research at Netwrix said.

"To prevent further evolvement of a supply chain attack, it is crucial for the first victim in line to communicate openly and in detail about what happened," he noted via email. "It helps other links in this chain to be prepared for an upcoming threat and minimizes possible damage. It is likely that the current attack was accelerated due to details about this zero-day not being disclosed in a timely manner."

Dark Reading asked Fortra for a response to the criticism of its handling of the cybersecurity incident but has not received a response. Meanwhile, Forta's customer, the City of Toronto, when asked about its communications with Fortra regarding the breach, gave a simple response by email: "Fortra has been communicating with the City and continues to do so."

This isn't the first time users of Clop ransomware have pulled off a mass breach like this. Russian-based FIN11 used Clop ransomware in December 2020 to jump on a similar Accellion zero-day flaw.

Clop Keeps Racking Up Ransomware Victims With GoAnywhere Flaw

Indicators point to Twitter's source code being publicly available for around three months, offering a developer security object lesson for businesses.

Some of Twitter's proprietary source code had been publicly available on Github for nearly three months, according to information gleaned from a DMCA Takedown request filed on March 24.

GitHub is the world's largest code hosting platform. Owned by Microsoft, it serves more than 100 million developers and contains nearly 400 million repositories in all.

On March 24, GitHub honored a Twitter employee's request to remove "proprietary source code for Twitter's platform and internal tools." The code had been published in a repository called "PublicSpace," by an individual with the username "FreeSpeechEnthusiast." The name is an apparent reference to Elon Musk's _casus belli_ for taking over Twitter back in October (a philosophy which has been unevenly implemented in months since).

The leaked code was contained in four folders. Though inaccessible as of March 24, some of the folder names — like "auth" and "aws-dal-reg-svc" — seem to give some hint at what they contained within.

    

Source: TorrentFreak

According to Ars Technica, FreeSpeechEnthusiast joined Github on Jan. 3 and committed all the leaked code that same day. That means, in all, the code was entirely accessible to the public for nearly three months.

**How Enterprise Source Code Leaks Happen**

Major software companies are built on millions of lines of code and every so often, for one reason or another, some of it can leak.

"Bad actors, of course, play a major role," says Dwayne McDaniel, developer advocate for GitGuardian. "We saw it last year in cases like Samsung and Uber involving the Lapsus$ group."

Hackers aren't always a part of the story, though. In Twitter's case, circumstantial evidence points to a dissatisfied employee. And "a good deal of it also comes from code ending up where it does not belong unintentionally, as we saw with Toyota, where a subcontractor made a copy of a private codebase public," he adds. "The complexity of working with git and CI/CD combined with an ever-growing number of repos to deal with for modern applications means code on private repos can become public by mistake."

**The Problem of Source Code Leaks for Enterprises**

For Twitter and companies like it, source code leaks can be a much bigger problem for cybersecurity than copyright infringement. Once a private repository becomes public, all kinds of harm can follow.

"It's important to remember that source repositories often contain more than just the code," notes Tim Mackey, principal security strategist for the Synopsys Cybersecurity Research Center. "You'll find test cases, potentially sample data along with details on how the software should be configured."

There may also be sensitive personal information and authentication information hidden in the code. For example, "for some applications that are never intended to be shipped to customers, the default configuration contained in the source code repository might just be the running configuration," Mackey says. Hackers can use stolen authentication and configuration data to carry out bigger and better attacks against the victim of a leak.

That's why "companies should adopt a more secure secrets management strategy, combining secrets storage with secrets detection," says GitGuardian's McDaniel. "Organizations should also audit their current secret\[s\] leakage situation to know what systems are at risk if a code leak does occur and where to focus prioritization."

But in cases where the leak comes from the inside — like Twitter's — even greater caution is warranted. It requires thorough threat modeling and analysis of an enterprise's source code management, says Mackey.

"This is important because if someone can trigger a source code leak, then they may also have the ability to change the source code," he says. "If you're not using multifactor authentication for access, enforcing limited access to only approved users, enforcing access rights, and access monitoring, then you may not have a full picture of how someone might exploit the assumptions your development teams have made when they secured their source code repository."

Twitter's Source Code Leak on GitHub a Potential Cyber Nightmare

From rising stars to veterans heading up research teams, check out our profiles of women making a big impact in cyber defense as the threat landscape expands.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

7 Women Leading the Charge in Cybersecurity Research & Analysis

Key vaults, aka key-management-as-a-service (KMaaS), promise to allow companies to encrypt sensitive data across cloud and third parties with granular control.

As cloud infrastructure and compliance regulations become more complicated, companies are looking to simplify data security by adopting more pervasive encryption of sensitive data and consolidating key management into a single repository or service.

On March 22, email and file security firm Virtru became the latest data-protection firm to offer customers a single vault for key management, when it announced a private keystore that works with Google Workspace, Google Cloud, and the company's other products. The product manages encryption keys, configures policies, and allows audits of access to encrypted data.

Virtru had already offered encryption for email and files stored in the cloud, but the sensitivity of data and need for complying with government requirements led customers to ask for a "hold-your-own-key," or HYOK, capability, says Mike Morper, senior vice president of product at Virtru.

"We have customers that have come to us, who ... want to ensure absolutely no entity other than the intended recipient has access to \[a particular piece of\] information," Morper says. "We first started hearing this rooted in a lot of data-sovereignty conversations, particularly with some of our customers in Europe ... and it was paramount to them that they would have the ability to manage their own private keys."

As companies increasingly look to protect data with pervasive encryption, consolidated key management is coming into its own. Currently, 62% of companies have an encryption policy that is consistently applied, up from 50% in 2021, but more than half of companies still have trouble identifying all sensitive data, and 59% of businesses find key management to be very painful, according to Entrust's "2022 Global Encryption Trends Study."

Moreover, a set of headaches — including managing keys, limiting who can access data, and auditing that access — have grown more severe as companies need to comply with privacy regulations from multiple countries and ensure the security of data across multiple clouds, says Kevin McKeogh, vice president of product management for data protection solutions at Entrust.

"Encrypting data is easy. Managing the keys that are used to encrypt the data is what becomes increasingly challenging for organizations as they scale operations," he says. "With a growing volume of data now processed across distributed systems — on-premises and in multicloud environments — organizations need to maintain control of the keys to ensure data is protected and available to the applications that need to use the data, and to stay compliant to regulations."

**Key Management Plus Granular Access Control**

Take the move to multiple clouds — a significant operational challenge for data protection systems. By 2024, international data residency and privacy requirements will push more than 40% of organizations to adopt a third-party, multicloud key-management-as-a-service (KMaaS) offering instead of relying on the bespoke key management services offered by many cloud providers, states a Gartner report on KMaaS offerings commissioned by Thales, a data-protection provider.

The challenge of managing encrypted data, permissions, and access lists across multiple clouds and their associated key management systems has resulted in at least half of companies encrypting less than 40% of their sensitive data in the cloud, according to the "2022 Thales Data Threat Report."

"The typical enterprise has at least five different key managers deployed, so key sprawl is an issue," says Todd Moore, vice president of encryption products at Thales. "This complicates things like key rotation and retiring keys. The best practice is to have one centralized key management platform that can support the vast majority of your key management operations."

A central vault for sensitive keys can help make even complex situations simpler. This year, for example, at least 81% of companies are expected to use multiple cloud infrastructures, up from 60% in 2022, according to Forrester Research's "Unlocking Multicloud's Operational Potential" report, commissioned by secrets management firm HashiCorp. For those companies, encrypting data across cloud services and using a centralized vault to manage access to that data through keys allow for more control.

In addition, companies that rely on a single cloud provider's key management solution may be at greater risk. Privacy and data-protection regulations, such as the European General Data Protection Regulation (GDPR) and the Payment Card Industry's Data Security Standard (PCI-DSS), explicitly require — or heavily imply — that encrypting sensitive data is necessary and that self-custody of keys is preferred, says Andy Manoske, principal product manager for cryptography and security at HashiCorp.

"This is especially the case if data sovereignty requirements attempting to protect against a privileged adversary within a client's cloud service infrastructure are at play," he says. "While an adversary may not be able to compromise that key management system, they could render it inoperable if they have privilege within a single cloud hosting both data encryption and key management."

**Private Keystore or Key Management as a Service?**

While a private keystore is a solution, it is not the only one. Key-management services that provide HYOK can satisfy government regulations and business security requirements, while still giving companies the expertise and support they need to manage a complex task. Keys need to be protected, but defenders must understand the company's threat model and what types of attacks are likely in order to best select the appropriate encryption technologies.

Deploying encryption and maintaining a private keystore require some deep expertise within a company, Manoske says.

"Private keystores usually provide flexibility in how keys are retrieved and used for cryptography — a flexibility usually necessary when deploying cryptography within high-performance applications with significant automation," Manoske says. "This flexibility comes at the cost of usually requiring more sophistication from the defender in protecting against side-channel attacks — attacks that 'go around' the mathematical protections of cryptography to tamper with or steal keys."

While a company can retain ownership of critical keys, some KMaaS offerings can simplify the business' data security and provide necessary capabilities, such as access control and auditability, says Virtru's Morper.

"That's the hard part and, frankly, probably where the preponderance of adoption and friction come into play," he says. "So it really starts to become a balance for organizations. It's a security-policy decision and a business decision they need to make — what level of friction is appropriate and against what degree of risk?"

Drive to Pervasive Encryption Boosts Key Management

Don't assume stakeholders outside security understand your goals and priorities, but consider how you'll communicate with them to gain their support.

In the two decades I've spent in cybersecurity, I've observed and experienced the fighting spirit of security professionals: When tasked with safeguarding information assets, we envision ourselves erecting defenses to keep threat actors at bay, or we emulate malicious actions to find flaws in the organization's security measures before attackers exploit them. We fight.

The combative mindset of security professionals finds its way into our interactions with colleagues within our organization. We witness and sometimes contribute to conflicting opinions regarding the urgency with which security issues should be addressed, and we disagree on the best ways to address security risks. And we fight for a share of the budget that might shrink if other departments' needs are prioritized above our own.

This cybersecurity vs. everyone way of operating is counterproductive because it contributes to security professionals being seen as detractors and distractors. To succeed in today's workplace, we must operate as business enablers, not blockers. We can do this by adjusting our mindset, developing empathy for the role and objectives of colleagues throughout the organization, and communicating security benefits in business terms.

**Collaboration: The Future of Security**

Security teams are often seen as separate entities by the rest of the organization. To increase integration and understanding, all teams at the company need to have open conversations about their shared goals and objectives. After all, each team may have different skill sets and roles, but both ultimately want the organization to succeed. 

Start here: Have those in each team define what success looks like to them. Then look at how that can be achieved within the context of broader business objectives. Differences are OK and expected, but finding the thread that ties us together is the only way to find common ground. Looking at wider business objectives makes it easier to understand how teams can work together to shift the organization closer to those goals.

Agreeing on shared objectives — while recognizing each team's unique roles and interdependencies — will allow everyone to collaborate more smoothly.

**Invest in Persuasion, Communication for Security Buy-in**

Like it or not, cybersecurity leaders often have to work harder than others to justify our presence and initiatives. Yet our initiatives often span multiple departments and depend on buy-in from other executives. Therefore, we need to put extra care into how we persuade and communicate outside the security team to get support for our efforts.

To gain others' support for a security request or project, there are multiple considerations.

*   **Who needs persuading?** Understand the dependencies of your security effort to determine which teams — and which specific individuals — are stakeholders in your effort. Depending on whether they'll be initially supportive or skeptical, you'll need to tailor your communications accordingly.

*   **What are their objectives?** Presumably, you already understand why you're pursuing a particular security project, but how does it support the needs of your stakeholders outside security? Understand what's important to them, so they'll be more inclined to support you.

*   **What do they need to know?** Some want to see technical details, but not everyone. Some people focus on costs, others on revenue, others don't think in financial terms at all. Present the information appropriate for the individual to get their buy-in.

*   **Why should they trust you?** Whether you're seeking funding, expertise, or time from others, consider how you'll demonstrate that their support will not go to waste. To signal credibility, present metrics from earlier security projects or point to your initiatives that succeeded in the past.  

Instead of assuming that others understand what you're looking to achieve and why the effort is important, consider what steps you'll take to persuade and communicate with non-security stakeholders to gain their support.

**Link to Business Needs in Budget Discussions**

The importance of positioning security in business, rather than technology terms is most important during budget discussions. While it's good news that cybersecurity is one area where spending remains fairly stable, any security leader needs to firmly justify their requests.

Start by answering the persuasion and communication questions above to establish the foundation for your budget discussion with the CFO or other relevant parties. 

Next, understand the business scenarios that the company is considering for its next year: Is the organization expecting its revenue to shrink? Will some product lines likely expand? Any changes in the geographic regions the company services? Can you expect business as usual, or will the company's activities likely to experience significant disruption?

Continue by outlining your security objectives, then link them to the company's business objectives. Since the exact future is unknown, be prepared to discuss how your requests might change based on the scenario in which your company might find itself. For example, if the firm might open an office in a new country, you might need to hire a security person to support that region. Or if your firm will introduce a new product, you might need to fund the training of your application security team in the corresponding technologies.

Be ready to not only clarify how the security expense item benefits the company but also why now is the time to invest in that project, person, or initiative. Explain how the company might be affected if that item doesn't get funded, but do so without spreading fear, uncertainty, and doubt, which often dominate security discussions with stakeholders.

Cybersecurity vs. Everyone: From Conflict to Collaboration

The joint partnership represents expanded market opportunities.

**BETHESDA, Md.****,** **March 24, 2023** **/PRNewswire/ --** Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to combine their unique offerings to address the rapidly increasing threat to critical infrastructures around the world. This partnership couples the CyberSecure IPS Manhole Protection System with Lockdown's suite of security devices to strengthen the Defense in Depth (DiD) critical infrastructure security portfolio. This combination presents a series of defensive mechanisms which are layered in order to protect valuable data and information. In the unlikely event one mechanism fails, another is triggered immediately to thwart an attack. This multi-layered approach with intentional redundancies increases the security of a system as a whole and addresses many different attack vectors.

"Our emphasis in developing time-tested software disciplines for the critical infrastructure/enterprise market is a natural fit for the products and services pioneered by LockDown. Our software already meets government-standards for the broad-based cyber-physical security sector. Working together with David and the LockDown team we can ensure current and new customers have access to the industry's leading capabilities, taking our customer focus to another level," states Scott Rye, CEO and Co-Founder of CyberSecure.

David Barton, VP of LockDown, continues, "Our company's founding and growth reflects a focus on solving customer problems at each turn. We see this strategic alliance as a springboard to expand our addressable customer market building upon our long history within underground infrastructure and government installations. CyberSecure's industry leading software solutions and Manhole Protection System will ensure that customers truly have confidence to meet the ever-growing requirements for best-of-breed security."

Scott concluded, "Aligning with LockDown as every area of critical infrastructure demands greater capabilities just makes good business sense. We together can now address Power systems, Chemical, Energy, Telecommunications and a host of critical infrastructure sectors in a way that brings complete one-stop solutions to the table for security officers and their Boards."

**About CyberSecure IPS**

A global leader in the cybersecurity space, CyberSecure IPS constantly innovates its suite of patented software and hardware solutions which integrate to bring the physical realm under constant surveillance and provide holistic protection. The most advanced national governments and biggest data centers worldwide look to CyberSecure IPS to protect their critical infrastructure. Learn more at cybersecureips.com.

**About Lockdown Inc.**

LockDown Inc. is the most trusted and installed provider of infrastructure security devices in the world. We have installed 100,000+ devices at more than 150 military bases and hundreds of other secure locations in 30+ countries. Since 1996, we have secured infrastructure at major universities, data centers, telecoms, municipalities, utilities, corporations and manufacturers. Our devices even secure the White House and the Pentagon. Learn more at https://lockdowninc.com

Source

DARKReading