Security leaders from a media corporation, a commercial real estate company, and an automotive technology company share how they address cyber-risk.

Every organization is at risk of a cyberattack, but each organizations addresses risk differently. No one expects SMBs to take the same approach to cybersecurity as a large enterprise, or a legacy organization to have the same appetite for risk as a startup. Similarly, how an organization defends itself from attack depend on various factors, including its size, type of industry, supply chain resources, approach to outsourcing and remote work, and global presence.

Security leaders from three very different industries sat down with Dark Reading to discuss their respective cybersecurity programs.

John McClure is the CISO at Sinclair Broadcast, a major new and sports broadcasting provider in the United States, with nearly 200 televisions stations, streaming and digital platforms, and almost two dozen sportscasts. McClure says that while Sinclair faces many of the same cybersecurity threats that any organization faces, it is also considered part of the critical infrastructure because it carries emergency broadcast signals. One of the challenges that McClure has seen over the past five years is the disappearing network borders and finding ways to protect the network as the way people work continues to change.

Doug Shepherd is the senior director of the offensive security services team at Jones Lang LaSalle (JLL), a worldwide commercial real estate company with 90,000 employees in more than 60 countries. For a long time, JLL was more of a brand than a company, Shepherd explains, but in recent years, it has become more cohesive and working together under the JLL model. The company's cybersecurity concerns revolve around integrating all the different office networks into a unified model and consolidating individual security practices into one companywide policy, Shepherd says.

Luis Cunha is the director of security engineering at Aptiv, an automotive technology company with 170,000 employees in 165 manufacturing plants around the world. Operational technology security is as important to Aptiv as information technology, with endpoint security across all technologies a major concern, Cunha says.

**Size of Security Team**

There is no "right" size when it comes to the security team. Some organizations have large teams, and others partner with third-party providers to offset small teams. That difference is very clear with Sinclair, JLL, and Aptiv.

When Shepherd first came to JLL, most security was outsourced, but now there are 100 people on the security team, he says. However, Shepherd believes the team is a little undersized considering the size of the company.

Outsourcing in such a distributed company meant that each office was setting its own policies. JLL's focus on unifying security is driving its decision to move away from outsourcing. The goal is to reduce its reliance on outsourcing and eventually bring in contractors who work directly with the security staff, Shepherd says.

Sinclair's McClure didn't provide exact numbers — he just says his security team meets the industry average. At Sinclair, security is handled both in-house and outsourced. Sinclair relies on outsourcing for skills that are difficult to recruit and retain in-house, such as threat hunting, McClure says.

And then there is Aptiv, with 35 people on its security team — up from five on the engineering team a year ago, according to Cunha. Cunha thinks Aptiv has outsourced too much, which has an impact on the organization's agility and flexibility. When you outsource, you lose the ability to change and react to security problems quickly, Cunha says.

**Investing in Security Tech**

What kind of security technologies an organization invests in depends on factors such as regulatory and compliance requirements, the type of threats the organization sees, and its technology stack. As organizations move more of their operations to the cloud, they are investing in cloud security. With the shift to distributed computing, identity becomes an even more critical area of focus.

McClure says Sinclair is investing in a number of technologies, including endpoint detection and response (EDR), extended detection and response (XDR), and endpoint security, with an emphasis on identity and cloud security.

The broadcasting provider is also relying on automation to support the volume and velocity of data that is driven across its networks, says McClure. While some of the automation capabilities are native to the technology in use, the company also utilizes security orchestration, automation, and response (SOAR) technologies across multiple platforms.

In contrast, automation is in "very early days" for JLL, Shepherd says, as the organization moves away from outsourcing to in-house security. The company is focusing on endpoint and cloud security, and that is also where the focus is for automation. Shepherd is designing automation that pulls data from every endpoint every 15 minutes to look for indicators of risk in real time.

In the past, security was siloed at Jones Lang LaSalle, so the current focus is to set up technology that will allow the security team to have better visibility into the whole environment, Shepherd says.

Aptiv's focus is a little different, as the company is looking to adopt technology that brings more security efficiency and quality, with a greater focus on secure access service edge (SASE), Cunha says. Aptiv also invests in operational technology security for its manufacturing plants. There are a lot of different vendors for both types of security, and a goal for Cunha is better consolidation of technology and vendor solutions. Orchestration and automation tools play a very important role integrating security tools.

**Road to Data-Driven Security**

As far as Aptiv's Cunha is concerned, you can't have orchestration and automation without solid data analytics. Engineering teams use data analytics to improve security tools, Cunha says, bringing search capabilities to the SOC. Cunha's team performs its own data analytics rather than relying on a platform.

Like automation, data analytics is still in the early stages at JLL, but that doesn't mean data is not still useful, Shepherd says. JLL uses analytics to help determine what’s happening on the perimeter, he says.

Data analytics are used to control coverage and control efficiency, as it helps Sinclair understand the business and the assets that need to be protected, McClure says.

**Biggest Security Concerns**

Ransomware is the threat that keeps Shepherd up at night. It is the biggest concern for JLL because of how it disrupts business operations, he says.

Aptiv's Cunha's worries center around threats that impact data liability and organizational reputation, he says. While phishing is a common attack vector, Cunha also has to contend with lesser-known threats against operational technologies.

For McClure, ransomware and cybercrime are the biggest concerns, but he points out that cyber threats have not become more sophisticated. Instead, he thinks the barrier to entry for attackers has gotten lower, and as a result, there are more attacks. The attack vectors themselves, he says, haven't changed much over the years, and cybercriminals are using the same methods to get into the system.

It is the volume of attacks that is the greater challenge for organizations, McClure says, not increased sophistication in attacks.

3 Industries, 3 Security Programs

Attackers are harvesting credentials from compromised systems. Here's how some commonly used tools can enable this.

The majority of cyberattacks rely on stolen credentials — obtained by either tricking employees and end-users into sharing them, or by harvesting domain credentials cached on workstations and other systems on the network. These stolen credentials give attackers the ability to move laterally within the environment as they pivot from machine to machine — both on-premises and cloud — until they reach business-critical assets.

In the Uber breach back in September, attackers found the credentials in a specific PowerShell script. But there are plenty of less flashy, yet just as damaging, ways attackers can find credentials that would allow them access to the environment. These include common local credentials, local users with similar passwords, and credentials stored within files on network shares.

In our research, we faced the question of what kind of information can be extracted from a compromised machine — without exploiting any vulnerabilities — in order to move laterally or extract sensitive information. All the tools we used here are available on our GitHub repository.

Organizations rely on several tools to authenticate to servers and databases using SSH, FTP, Telnet, or RDP protocols — and many of these tools save credentials in order to speed up authentication. We look at three such tools — WinSCP, Robomongo, and MobaXterm — to show how an attacker could extract non-cleartext credentials.

**WinSCP: Obfuscated Credentials**

When a domain controller is not available, a user can access system resources using cached credentials that were saved locally after a successful domain logon. Because the user previously was authorized, the user can log into the machine using the domain account via cached credentials even if the domain controller that authenticated the user in the past is not available.

WinSCP offers the option to save the credential details used to connect to remote machines via SSH. While the credentials are obfuscated when saved in the Windows registry (Computer\\HKEY\_CURRENT\_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions), they are not encrypted at all. Anyone who knows the algorithm used to obfuscate can gain access to the credentials.

Since WinSCP's source code is available on GitHub, we were able to find the obfuscation algorithm. We used a tool that implemented the same algorithm to de-obfuscate the credentials, and we gained access to the credentials in cleartext.

Implementing an obfuscation algorithm to secure credentials stored is not best practice, as it can be easily reversed and lead to credentials theft.

**Robomongo: Not a Secret Key**

Robomongo (now Robo 3T) is a MongoDB client used to connect to Mongo database servers. When you save your credentials, they are encrypted and saved in a _robo3t.json_ JSON file. The secret key used to encrypt the credentials is also saved locally, in cleartext, in a _robo3t.key_ file.

That means that an attacker who gains access to a machine can use the key saved in cleartext to decrypt the credentials.

We looked at Robomongo's source code on GitHub to understand how the key is used to encrypt the password and learned that it uses the SimpleCrypt lib from Qt. While Robomongo uses encryption to securely store credentials, the fact that the secret key is saved in cleartext is not best practice. Attackers could potentially read it, because any user with access to the workstation can decrypt the credentials. Even if the information is encoded in a way that humans cannot read, certain techniques could determine which encoding is being used, then decode the information.

**MobaXterm: Decrypting the Password**

MobaXterm is a powerful tool to connect to remote machines using various protocols such as SSH, Telnet, RDP, FTP, and so on. A user who wants to save credentials within MobaXterm will be asked to create a master password to protect their sensitive data. By default, MobaXterm requests the master password only on a new computer.

That means that the master password is saved somewhere, and MobaXterm will retrieve it to access the encrypted credentials. We used Procmon from the Sysinternals Suite to map all the registry keys and files accessed by MobaXterm, and we found the master password saved in the Windows registry (Computer\\HKEY\_CURRENT\_USER\\SOFTWARE\\Mobatek\\MobaXterm\\M). Credentials and passwords are saved in the C and P registry keys, respectively.

Initially, we were unable to decrypt the master password, which was encrypted using DPAPI. We eventually figured out that the first 20 DPAPI bytes, which are always the same when using DPAPI, had been removed. When we added the first 20 bytes, we were able to decrypt the DPAPI cipher to obtain the SHA512 hash of the master password. This hash is used to encrypt and decrypt credentials.

Here, the encryption key used to securely store the credentials is saved using DPAPI. That means that only the user who saved the credentials can access them. However, a user with administrator access, or an attacker who gains access to the victim's session, can also decrypt the credentials stored on the machine.

**Know the Risks**

Developers, DevOps, and IT use various tools to connect to remote machines and manage these access details. Vendors have to store this sensitive information in the most secure way. However, encryption is always on the client side, and an attacker can replicate the tool behavior in order to decrypt the credentials.

As always, there isn't a magic solution that can solve every problem we've discussed here. Organizations might, however, begin by examining the services they are now using. They can construct an accurate risk matrix and be better prepared for data breaches by having a stronger understanding of the types of sensitive data and credentials they are storing.

Extracting Encrypted Credentials From Common Tools

How CISOs handle the ethical issues around data breaches can make or break their careers. Don't wait until a breach happens to plot the course forward.

The recent conviction of Joe Sullivan, Uber's chief information security officer (CISO), for failing to report the company's 2016 data breach came as an unwelcome surprise to some and as a justified consequence of Mr. Sullivan's actions to others.

As a fellow CISO and information security leader for over 30 years, I respect Sullivan's distinguished career and, at the same time, fully support the verdict. Sullivan found himself in an ethical dilemma that most CISOs find themselves in sooner or later. How a CISO decides to handle that dilemma can make or break their career.

**What Are a CISO's Responsibilities?**

The role and responsibilities of the CISO are constantly evolving and are scrutinized even more so thanks to the growing publicity around large breaches, such as that seen at Uber.

For CISOs considering what these recent events mean for them, it's a suitable time to ask three important questions.

**1)** **As CISO, what is my responsibility when there's a data breach?** 

While the Uber trial may have brought the CISO's role into sharper focus, I don't think it changes the responsibility or liability associated with the role. When a breach occurs, the CISO's responsibility is clear: be transparent and provide all the necessary disclosures. Sometimes these disclosures are mandated by regulatory bodies, and sometimes they are just considered a responsible disclosure by the company to its constituents.

I don't know if Sullivan's first reaction was to take the correct action and report the breach as required by law. Considering his long career, I certainly hope that was the case. That said, depending on the reporting structure within the company, many CISOs may not have the final say about whether the company will disclose the breach. As is often the case, the CISO may be overruled and pressured to find a way to reframe the breach as something other than a breach. This reframing can help the company avoid potential negative consequences, including regulatory fines, remediation costs (for example, providing credit monitoring services to affected customers), and impact on customer trust and company reputation.

A breach is, quite correctly, viewed as a failure of the company to protect the data that was breached. It can also ultimately be viewed as a failure of the CISO. This raises the age-old questions: Where does the buck stop? And who bears the ultimate responsibility for the breach? Regardless, it's not a simple thing for a company to admit or disclose.

The CISO's ethical dilemma is: Do I maintain the integrity of my role and follow my responsibility? Or do I try to reframe the incident so that my company doesn't bear the consequences?

I would like to think that if I were in Sullivan's shoes, I would be willing to resign my position rather than betray the integrity of my role and, frankly, the trust of my constituents. To paraphrase US President Harry S. Truman, "The cybersecurity buck stops with the CISO."

**2) What is my company's plan for when (not if) we get breached?**

As the CISO for a security vendor, I know all too well the motivation and determination of bad actors and nation states. I also understand the odds organizations face in falling victim to an attack — organizations must assume they'll be breached. What will you do when that happens?

Addressing worst-case scenarios and having a contingency plan in place before you get breached can minimize the financial and operational fallout when you do. What's the cost of downtime if an attacker takes your customer support or supply chain operation offline? Where are your systems most vulnerable? How do you contain the damage, and how quickly can you recover? How do you communicate what happened to your employees, customers, and the board?

The CEO and other company officers must proactively work with the CISO to address these questions and develop a comprehensive plan that is ready when a breach occurs. Immediate action — and honesty — count above all else. But such a plan will only be successful if it has been created, vetted, and rehearsed well in advance.

**3) What is my role with the board of directors?**

The most resilient companies commit to security at the top and drive it down through every level of the organization. This means establishing a strong cybersecurity culture with the board, as well as with employees. Many CISOs may have to contend with the biases of boards that say, "that'll never happen to us" or "it's going to happen anyway, so why invest in cybersecurity."

**Manage the CISO Relationship Like a Business Relationship**

One way for CISOs to enhance their relationship with the board is to serve as the bridge between technology and business. We need to show the board that we manage cybersecurity as a business risk, and align with performance, growth, and other business goals of the organization. Be sure to use business terms and outcomes, not just technical acronyms and concepts. Help answer the question "Why should I care about this?" And if you succeed in being granted resources by the board, it's important to follow up with a report that connects the resources you requested to the business results and outcomes that followed.

In my own experience, to be most effective, it's important for the CISO to nurture a relationship with their board members outside of regularly scheduled meetings. This gives us the opportunity to better understand what our board members are expecting from the CISO, and likewise, to start educating the board. In the end, the practice of cybersecurity is about managing risk, but the truth is that we can never eliminate risk completely. Daily breach headlines have put every CISO in the hot seat. The CISO has a daunting job: they must manage their organization's day-to-day defense, while simultaneously creating an action plan for that inevitable future attack. It takes integrity and honesty for a CISO to successfully lead and thrive today in this challenging and critical role.

After the Uber Breach: 3 Questions All CISOs Should Ask Themselves

Concerns about recessionary trends impacting the cybersecurity sector in 2022 remained largely unfounded in Q4, as investment activity surged after a Q3 slowdown.

Mergers and acquisition (M&A) activity and investments in cybersecurity picked up once again in the fourth quarter after dropping off somewhat sharply in Q3. The activity put the sector on track to close out the year in better shape than many had expected, with overall funding topping 2020's pace (even though it dipped compared to 2021).

"M&A and financing deal count and volume in 2022 are still above 2020 levels despite current economic uncertainty," says Eric McAlpine, managing partner at Momentum Cyber. "Cybersecurity is still a very active market relative to historical levels over the past decade."

McAlpine says Momentum tracked a total of 37 M&A deals in Q4 through November. That compares to 50 total acquisitions in Q4 2021.

"M&A activity in the cybersecurity services market continues to be higher than any other sector in the industry," he says. In fact, M&A volumes in 2021 and 2022 year-to-date in cybersecurity services top total volumes for the previous five years combined, he adds.

To boot, McAlpine predicts that M&A activity in cybersecurity will continue its momentum in 2023 as startups run into challenges with raising more capital, or run out of money, or adjust their valuation expectations downward. He predicts a "sea change in thinking by investors away from growth at all costs to funding profitable growth."

**M&A Activity Regained Momentum After 3Q Slowdown**

Two major cybersecurity acquisitions in October had an outsize impact on overall deal volumes in the last quarter of the year. One was Vista Equity Partners' $4.6 billion acquisition of KnowBe4 on Oct. 12. Like many other private equity (PE) firms, Vista plans to make the publicly traded KnowBe4 a private firm once the acquisition is complete.

The other major fourth-quarter deal was PE giant Thoma Bravo's all-cash purchase of ForgeRock for $2.3 billion on Oct. 11.

But that's not to say there weren't other significant deals during the quarter. As examples, McAlpine points to Palo Alto Networks' $195 million acquisition of Cider Security in November; Proofpoint's purchase of Illusive for an undisclosed sum in December; and 1Password's acquisition of Passage in November, for an unknown sum.

According to numbers that S&P Global Market Intelligence tracked, the first three weeks of October alone saw more M&A money move through the cybersecurity sector than the entire third quarter.

"Between Oct. 1 and Oct. 24, cybersecurity acquirers disclosed an aggregate $6.90 billion in deal values from nine announced transactions," the analyst firm said in a recent market report. In comparison, the aggregate deal values for all M&A transactions with disclosed values during the third quarter was just $3.06 billion — down more than 75% from the $13.77 billion during the same period in 2022, S&P Global Market Intelligence said.

**A Flurry of Funding Activity**

Meanwhile, the last quarter of 2022 also had its fair share of funding activity in the cybersecurity sector. Notable examples include Arctic Wolf's closing of a $401 million convertible notes offering in October; Drata's $200 million Series C funding round in December that valued the firm at $2 billion; and a BlackRock-led $120 million pre-IPO financing round in Versa Networks.

"Keeping in mind that the year is not over yet, there have been 396 funding rounds totaling $16.6 billion in new investments" in 2022, says Richard Stiennon, chief research analyst at IT-Harvest. "While this does not match last year's $24 billion, it exceeds the record funding of 2020 by 60%."

The numbers are not too shabby for a year for which disaster was predicted, Stiennon notes: "And the year is not over. I would not be surprised if we hit $17 billion."

By IT-Harvest's count, there were nearly two dozen cybersecurity funding rounds disclosed in the last three months of 2022. These included a $196.5 million series G funding round at Snyk that valued the firm at a $7.4 billion; NetSPI landing $410 million in growth funding; and Akeyless raising $65 million for its secrets management technology.

Data that Momentum tracked showed that through the end of November, the most active sectors for M&A deals were managed security service providers; risk and compliance; and security consulting and services segments. The most active segments for financing deals during the same period were risk and compliance; identity and access management; application security; and network and infrastructure security.

**The Impact of Industry Activity on Enterprise Security Teams**

Marc van Zadelhoff, CEO at Devo, expects that the cybersecurity market will weather any recession that might materialize, better than other sectors.

"In the second half of 2022, security was the last industry to observe a slowdown in spending, let alone IT spending," he says. "Before midway through 2023, I firmly believe that security will be the first industry to emerge out of the recession, given the explosion of data and threats and the need for a solid security posture."

However, security teams must show their capabilities and provide immediate ROI, van Zadelhoff says. "Now is the time to lay the groundwork for cybersecurity investment and for security decision-makers to learn the language of the CFO and practice their cyber pitch."

At the same time, some say a prolonged recession — or fears of one — could put a damper on security spending and trigger other changes in the industry over the next year and in the short term. They advocate that enterprise security team be aware of the potential implications of these changes and be prepared for them.

Security teams, for instance, need to be prepared to show measurable return on investments and do more with less in situations where their organizations might be looking to cut security spending, says Richard Caralli, senior cybersecurity advisor at Axio.

This is in anticipation of a slowdown in core spending in 2023 on technology acquisition, which could lead to some contraction in certain cybersecurity sectors and more potential consolidation and acquisition activity.

"At that point, you can expect to have to reevaluate any technologies that are caught up in these activities," Caralli says.

The fact that CISOs and people in charge of purchasing decisions are increasingly looking for more integrated platforms could be another driver for funding activity in the cybersecurity sector in 2023.

"The cybersecurity market is approaching bloated status," says Hank Thomas, CEO at Strategic Cyber Ventures. "There are far too many vendors chasing the same dollars with comparable technology. PE firms and other later-stage investors are looking to bring in larger players to serve as anchors for rollups and bolt-on acquisitions. This will create new more comprehensive, cost efficient, and effective security platforms."

New Year's Surprise: Cybersecurity M&A, Funding Activity Snowballs in Q4

According to the FBI and Internet Crime Complaint Center, 25% of ransomware complaints involve healthcare providers.

While ransomware groups have not spared any industry, attackers have put the healthcare sector at the top of their preferred targets. The surge in hospitals falling victim to breaches has raised concerns among regulators and government officials who have moved to push through new policies and legislation.

CommonSpirit, one of the largest nonprofit healthcare systems in the US, posted a privacy breach notice on Dec. 1, warning that 623,774 patient records were exposed after a breach on Sept. 16. The nationwide network of 140 hospitals and over 1,000 care facilities in 21 states confirmed that ransomware attackers accessed the patient records, but said there is currently no evidence that personal information was misused. The potentially affected patients were those treated at CommonSpirit’s Franciscan Medical Group and Franciscan Health in Washington. The four hospitals are now known as Virginia Mason Franciscan Health, a CommonSpirit affiliate.

The current spike builds on last year's 35% increase in overall attacks on healthcare providers compared with 2020, according to Critical Insight, a managed detection and response (MDR) service provider. According to Critical Insight, cyberattacks on healthcare providers affected 45 million individuals last year, compared with 34 million in 2020 and 14 million in 2018.

In October, the FBI Internet Crime Complaint Center (ICA) reported that among 16 critical infrastructures, the healthcare and public health sector accounts for 25% of ransomware complaints. The US Department of Health and Human Services (HHS) in April issued a warning about Hive, an aggressive ransomware group that has targeted healthcare organizations.

The HHS Health Sector Cybersecurity Coordination Center (HC3) noted that Hive is known to have been in operation since June 2021, and "in that time has been very aggressive in targeting the US health sector."

Another recent hacker group to emerge that is targeting healthcare providers with ransomware is Daixin Team. In October, HHS joined the Cybersecurity and Infrastructure Agency (CISA) and the FBI with an advisory warning that Daixin Team is actively pursuing healthcare providers with ransomware that uses Babuk Locker, source code that encrypts files in VMware EXSi servers.

Daixin Team's ransomware encrypts healthcare providers' electronic health records, diagnostics, imaging, and intranet services, according to the advisory. The group has also exfiltrated personally identifiable information (PII) and patient health information (PHI) and has extorted ransoms by threatening to release that data.

**Impact of Ransomware on Healthcare**

During the Disruptive Innovators CIO Forum in New York earlier this month, a conference focused on emerging technology for the healthcare industry, a panel discussion addressed the surge in ransomware. "Ransomware is now probably the No. 1 security issue for most healthcare organizations today," said Christopher Kunney, SVP of digital innovation at Divurgent, an IT advisory firm for healthcare organizations.

Kunney, one of the panelists, warned ransomware will remain a growing threat in healthcare "as we expand the footprint outside the four walls of the hospital and we look at things like virtual care, and other technologies that can now sit on top of our network infrastructure."

Saket Modi, who moderated the panel and is co-founder and CEO of Safe Security, noted that one of the first known deaths attributed to ransomware, a newborn in Alabama, occurred last year. "A ransomware attack is no longer just financial and reputational; it can have an actual impact to the life of people," Modi said. Besides the risk of data exfiltration, ransomware attacks are a risk to the delivery of patient care, especially when attackers access systems responsible for keeping patients alive.

"We have to realize that cybersecurity isn't just about data security; it's also a matter of life and death," added Michael Archuleta, CIO of Mt. San Rafael Hospital and Clinics in Trinidad, Colo.

Noting that COVID forced healthcare providers to accelerate their digital transformation efforts in recent years, many organizations haven't adequately addressed the security risks associated with the implementation technology and systems that are now accessible.

"We're living in the digital age of healthcare, and we need to start incorporating initiatives technology outcomes that better enhance our overall experience and better enhancing patient outcomes, but also keep secure the entire organization moving forward," Archuleta said.

**Healthcare Cybersecurity Act of 2022**

Looking to stem the mounting attacks, Rep. Jason Crow (D-CO) sponsored the Healthcare Cybersecurity Act. The bill, introduced in September, would require CISA to collaborate with HHS to improve cybersecurity in the healthcare industry.

According to the bill's summary, CISA and HHS would provide resources "including cyber-threat indicators and appropriate defense measures, available to federal and nonfederal entities that receive information through HHS programs."

The bill also calls for CISA to provide cybersecurity training and remediation strategies to those who own or provide health care services. Archuleta, the CIO of Mt. San Rafael Hospital and Clinics, said that 91% of targeted ransomware attacks came from phishing emails directed at employees, many of whom haven't received adequate training. "We are not focusing on developing a human firewall within our organization," he said.

Meanwhile, Senator Mark Warner (D-VA) published a policy options white paper that details existing cybersecurity threats and potential responses from the federal government. The paper draws on Warner's staff and cybersecurity experts' research and a broad set of options for the federal government to collaborate with healthcare providers to improve their cyber protection capabilities and a blueprint for recovering from attacks.

"The healthcare sector is uniquely vulnerable to cyberattacks, and the transition to better cybersecurity has been painfully slow and inadequate," Warner said in a statement. "The federal government and the health sector must find a balanced approach to meet the dire threats, as partners with shared responsibilities."

Healthcare Providers and Hospitals Under Ransomware's Siege

This is what happens when a CISO gets tired of reacting to attacks and goes on the offensive.

Like a member of any profession, a chief information security officer (CISO) grows into their role. They exhibit a maturity curve that can be roughly split into five attitudes:

1.  **Protection:** When a CISO first steps into their role, they look to perfect the basics and build a fortress for themselves in the form of firewalls, server hardening, and the like.
2.  **Detection:** Once they determine how the framework is built, the CISO moves on to more and more sophisticated monitoring tools, incorporating in-depth monitoring and packet filtering.
3.  **Response:** The journeyman CISO will start crafting detailed response plans to various scenarios, weaving them into the overall BC/DR planning and making sure that the team is ready for anything.
4.  **Automation:** Next they'll focus on making everyone's life easier by incorporating automation, AI/ML learning, and third party intelligence into their already-robust defenses.

You may have seen or experienced this kind of four stage evolution yourself. But there's a much rarer _fifth stage_ that is reached much later in a CISO's career. Upon seeing the multitude of annoyances buzzing around them, probing, trying to gain access to _their_ territory ... they become restless. They get tired of waiting for their enemies to strike.

The fifth and final stage is proactivity. And it’s at this stage that CISOs go on the hunt, using techniques of modern defense.

**Leaving the Comfort Zone**

The demarcation point is traditionally where everything becomes "somebody else's problem." If anything breaks or gets hacked, it isn't on the company's dime.

At least, that's how it used to be. Veteran CISOs know that in the era of the cloud and heavy federation, nothing could be further from the truth. Every hack has ripples. Every DDoS has collateral damage. An attack on your ISP, on a federated partner, on your supply chain, on the company's bank, or on utility providers might as well be an attack on your turf.

Most importantly, social engineering and fraud ignore internal demarcations entirely! They don't respect traditional boundaries. If they need to use your federated partner to get in, they will. If they need to infiltrate your employees' social media to gain leverage, they won't hesitate.

But what can be done? Your tools, your monitoring ... absolutely everything you've built is designed to cover your own territory. How can you have an impact on the other side of the demarcation?

Part of the proactivity that comes with stage five of a CISO's career is the ability to process threats that have the potential to impact your business. This means combining the resources that are available to the entire cybersecurity community and the intelligence gleaned from your own monitoring efforts.

Now you're in what Tom Petty once called "The Great Wide Open." The bad news is that your activities are more exposed out here. The good news? You aren't alone.

**Resources for Fraud Prevention Beyond the Demarcation**

In order to get ahead of the curve, you need to work with others and assess emerging threats. Two traditional resources are still effective here: CERT and OWASP. These two organizations have been tirelessly tracking cybersecurity trends for over a generation.

But there are some newer kids on the block that can help you on your hunt. PortSwigger's BURP suite can help you to perform intelligent Web application and network analysis (just make sure you get permission from your business partners before you go full white-hat on their infrastructure). Some subscription advisory services like Black Duck can be worth their weight in gold.

But those are all solutions on the technical side, and fraud isn't always technical. To hit fraudsters where it hurts, you need to embrace the human element.

**A Global Defense Effort**

One of the advantages of using an antifraud suite such as that made by Human Security is that the breach information it gathers is shared anonymously across Human's entire client base. That means when a new fraud attempt is registered with any customer, updates to combat it are shared with all customers across every impacted system: training, automated scans, spam rejection, firewall rules, and packet filtering, to name a few.

Additionally, internal and external attempts to misuse or compromise corporate resources are compared to events taking place elsewhere on the Human network. If there's a pattern, the cybersecurity team is informed, and additional resources can be dedicated to monitoring the situation. MediaGuard can do the same for impersonation attempts or attacks on brand integrity.

**What Do You Do When You Catch Something?**

All of these resources allow you to hunt well beyond the demarcation point. But what do you do when you actually track something down?

When you find vulnerabilities in your supply chain or within a federated resource, you need to share them with your counterpart at the company in question. Assuming you've done everything above board and with their permission, this isn't a problem. If you accidentally hunted outside your domain without permission, see if the impacted business has an anonymous tip line for fraud or security.

Then, make sure your own detection and filtering process is adapted to deal with the new threat before the fraudsters or hackers can even make the attempt. Report any new technical vulnerabilities to your preferred advisory service, and then start planning your next hunt.

When CISOs Are Ready to Hunt

It's time companies build a multilayered approach to cybersecurity.

As global cyberattacks continue to become more sophisticated, so should corporations' risk mitigation strategies. Of these high-stakes attacks, financial motivation is the most common reason for cybercriminals to target businesses, with the IBM "Cost of a Data Breach" report finding that the average breach in 2022 cost organizations up to $4.35 million in damages. With consequences this detrimental to business, it's critical that companies build a multilayered approach to cybersecurity with a number of experts involved to ensure effective prevention, detection, and response to cyber threats.

To create the most effective cyber-risk prevention and recovery team, companies must leverage financial and technology talent to collaborate on prevention strategies. While cybersecurity professionals focus on the who, what, where, and how of a potential breach, accountants can monitor the potential impacts to a corporation's funds and controls to determine priority functions and vulnerable financial business data that need safeguarding. This is typically done most effectively by forensic accountants who are trained in auditing and investigating risk factors within the finances of individuals or businesses. When these two roles find synergy, they can combat even the most complex of corporate cybercrimes.

Here are some of the ways these professionals can effectively work together to prevent and recover from highly intelligent attacks on financial data.

**Prevention**

Proper prevention of financial cybercrimes takes a diversified skill set, tapping into financial and IT specialties to create the strongest possible defenses against breaches. For cyber professionals, this includes identifying and closing gaps in internal controls and technologies, and implementing the proper safeguards — from two-factor authentication programs to file encryptions and more. Meanwhile, forensic accountants are well-versed on corporate finances and have the ability to detect the misappropriation of funds before losses are incurred.

Cyber professionals are also invaluable assets to financial teams in alerting them to new threats as the digital landscape changes so that proper preventative measures can be implemented. For example, there is a new trend of hackers using Meta business accounts as an entry point to breach financial information. This typically involves the stealing of customer credit card and bank information when they make transactions through the social media platform.

Obviously, suffering from an attack of this kind can lead to a damaged reputation, monetary consequences, and a loss of consumer trust. Establishing open lines of communication between cyber professionals and those in charge of monitoring business transactions can mean that forensic accountants know what threats they need to be wary of and can make business decisions that are in the best interest of their clients and customers. Also, it can ensure quicker detection of odd transactional activity for early intervention.

Instituting safeguards to proactively defend financial information — and consistently reviewing and updating them — can help to keep corporate funds safe in an era where sophisticated cybercriminals can steal financial information at the click of a key.

**Recovery**

Even the best laid plans can fail, especially when the enemy continues to get smarter and stealthier as technology evolves. That's the case when it comes to cybercrime, so planning to fail is just as important as working to avoid failure.

Collaboration between cybersecurity professionals and forensic accountants can ensure that swift, immediate defenses are deployed when an attack is executed and that the damage to a business's financial bottom line is as minimal as possible.

In the event of a breach, these professionals must work together to block the attacker and protect as much data and capital as they can. For example, a seasoned forensic accountant brings experience and knowledge of the many forms of corporate fraud, as well as the necessary steps to employ investigative techniques to spot trends and outliers in large data sets as they develop. Immediately upon noticing suspicious activity, they can alert their company's cyber team to quickly employ a variety of techniques to close the digital path to systems while they investigate.

While losses are not ideal, they are difficult to avoid once a cybercrime is effectively executed, even if it was caught and stopped quickly. Post-incident, it is the task of forensic accountants to calculate potential losses, assess and disclose accounting requirements, and assist the cyber team with evidence collection for insurance claim purposes.

Generally, forensic accountants and cybersecurity professionals have the same goal: to safeguard important information. When they use their unique skill sets to collaborate effectively, a corporation has the best chance of evading the consequences of a devastating cyberattack.

Why Cyber Pros and Forensic Accountants Should Work Together to Mitigate Security Risk

Will the bottom falling out of the cryptocurrency market have a profound impact on cybercriminal tactics and business models? Experts weigh in on what to expect.

With the implosion of the FTX exchange putting a punctuation mark on the cryptocurrency crash of 2022, one of the natural questions for those in the cybersecurity world is, how will this rapid decline of cryptocurrency valuations change the cybercrime economy?

Throughout the most recent crypto boom, and even before then, cybercriminals have used and abused cryptocurrency to build up their empires. The cryptocurrency market provides the extortionary medium for ransomware; it's a hotbed of scams against consumers to steal their wallets and accounts. Traditionally, it's provided a ton of anonymous cover for money laundering on the back end of a range of cybercriminal enterprises.

Even so, according to cybersecurity experts and intelligence analysts, while there certainly have been some shifts in trends and tactics that they believe are loosely tied to the crypto crash, the jury's still out on long-term impacts.

**Shifting Crypto Trends & Tactics in 2022**

Regardless of crypto values, cybercriminals this year have definitely become more sophisticated in how they use cryptocurrencies to monetize their attacks, says Helen Short, cyber-threat intelligence analyst for Accenture, who points to the use by some ransomware groups taking advantage of yield farming within decentralized finance (DeFi), as an example.

"The concept of yield farming is the same as lending money, with a contract in place that clearly shows how much interest will need to be paid," she explains. "The advantage for ransomware groups is that the 'interest' will be legitimate proceeds, so there will be no need to launder or hide it."

Her analysis has shown that threat actors are increasingly turning toward 'stablecoins,' which are usually tied to fiat currencies or gold to stem their volatility. She says that in many ways, the downturn in crypto values has increased the risk appetite of cybercriminals and is spurring them into more investment fraud and cryptocurrency scams.

"Threat actors are also playing on people’s desperation to recoup their losses," she says.

While some consumers who have lost their wallet value may be desperate, others have simply lost their interest and aren't watching their accounts as closely, which is driving another trend, says Brittany Allen, trust and safety architect and fraud researcher at Sift.

"Plummeting crypto prices have led to consumers paying less attention to their crypto wallets than they were early this year and in 2021, and fraudsters noticed," Allen says. "This has led to a 79% rise in crypto account takeover attacks."

By point of example, she explains that her team discovered a new type of crypto cash-out scam this year on Telegram and Dark Web forums, where account takeover fraudsters teamed up to target the crypto market during the crash.

"In this scheme, cybercriminals use stolen wallets, bank accounts, or crypto exchange accounts to move or launder illicitly obtained funds. Fraudster A will advertise their access to stolen funds on Telegram, then find another fraudster who specializes in crypto account takeover and KYC (know your customer identity verification) bypass methods," she says. "Once Fraudster B offers access to stolen wallets or crypto exchanges, Fraudster A sends the stolen funds to Fraudster B’s accounts, where they funnel the money out and split the profits. Each party takes a risk trusting the other, but if successful, they stand to make tens of thousands of dollars each."

This is in line with another shift in cybercriminal tactics in 2022 that Short says she's witnessed. It's not necessarily a response to cryptocurrency devaluation, but it is a business model shift to maximize revenue.

"We're seeing threat actors partnering together to facilitate an attack, rather than paying each other for their specialist services. This reduces the overall cost of the attack as the agreement is a set cut of the proceeds," she says.

**Ransomware Is Here to Stay**

One point that cybersecurity pundits are almost unanimous on is that even with a ton of cryptocurrency volatility, ransomware isn't going anywhere. There was a slight downturn in ransomware activity in 2022, but according to Aamil Karimi, threat intelligence analyst at Optiv, that's more attributable to other variables like the war in Ukraine. 

There was some significant regrouping of ransomware cartels that were more likely to result in the decline of activity than anything else, and he says cryptocurrency will still be a favored extortion demand for a long time.

"It’s likely cryptocurrency will still be the payment of choice demanded in extortionary incidents. As of right now, it’s the safest medium for cybercriminals to conduct transactions," Karimi says. "I don’t estimate any slowdown in cybercriminal or extortionary activity."

Bob Rudis, vice president of data science for GreyNoise Intelligence, agrees. There are simply too many soft ransomware targets ripe for attack for criminals to ignore, Rudis says. And it's not as if they lose any money with lower values of the currency since they are the ones setting the ransom, and they're likely going to convert it into tangible funds before further volatility impacts the total.

"Attackers care not if they receive one or a hundred units of a given cryptocurrency when asking for, say, $100,000 USD," Rudis says. "They have the means, markets, and processes to convert any ill-gotten crypto gains into something more tangible, and will likely always be one step ahead of law enforcement and market regulators." 

In spite of headline stories about authorities using crypto mechanisms to hurt adversaries financially, Rudis says there are "still real law enforcement hurdles to curb that flow," which is why he believes cryptocurrency will still be heavily used for cybercriminal money laundering for some time to come.

Not everyone sees it the same way, though. Short of Accenture points out that law enforcement this year has increasingly taken a real bite out of the crooks' bottom line through claw-back transactions, seizures, and more.

"Law enforcement took aggressive measures in 2022, including fund seizures, sanctions, and high-profile arrests," she says. "It is becoming harder to launder and cash out illicit funds, resulting in the trend of threat actors exchanging ‘dirty cash’ for other services as they cannot get the illicit funds out."

Ryan Kovar, distinguished strategist and leader of Splunk's SURGe research team, also points out that perhaps the cybercrime impact of the crypto crash of 2022 will have less to do with a potential future divestment of cryptocurrency in cybercriminal enterprises than it will with changes in the crypto market's perceived anonymity.

“Ransomware gangs are going to move away from cryptocurrency not because of financial instability, though that’s a factor, but more due to the traceability," Kovar says. "Ultimately, crypto is not really anonymous."

He adds, "If you’re a criminal who lives in a country that supports, sponsors, or doesn’t care about cybercrime, then you’re probably not getting prosecuted easily unless you really tick people off.” 

**Evolution to Expect in 2023**

Experts also believe that increased law enforcement friction will likely influence an evolution in cybercriminal operations around other types of attacks beyond ransomware. Especially proven ones that already don't depend on cryptocurrency, like business email compromise (BEC).

"The FBI's annual IC3 report \[PDF\] shows business email compromise (BEC) to be top of the list when it comes to attackers banking fiat coin. Advanced technology that mimics writing, speech, and even live video of humans is now almost trivial to use and will evolve rapidly in quality," GreyNoise's Rudis says. "Ransomware groups are, first and foremost, businesses, and it would seem logical to assume they'd apply their technical skills to conduct more advanced BEC schemes as well. 

In the meantime, attackers will also be likely to keep advancing technology to stay a step ahead of the authorities with regard to traceability and laundering.

"Attackers will become more sophisticated, breaking the sequence of blockchain transactions to try and obfuscate their illicit funds," Short says. "We will likely see a professionalization in cryptocurrency mixers, such as Tornado cash, with threat actors offering fast and high value 'cash out as-a-service' offerings."

She believes that in 2023, this could drive up the value of personally identifiable information (PII), as it will further push the demand for account takeovers to create mule accounts for cashing out on the back end of various scams.

"It is likely that cybercriminals will continue to convert to stable assets to secure value," she says, "and we will see an increase in threat actors using more privacy focused cryptocurrencies that are harder for law enforcement to trace."

Will the Crypto Crash Impact Cybersecurity in 2023? Maybe.

Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Securing and Improving User Experience for the Future of Hybrid Work

The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.

Last week Okta announced a security breach that involved an attacker gaining access to its source code hosted in GitHub. That's just the latest example in a long string of attacks gaining access to company source code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts targeted before.

With 90 million active users, GitHub is the most popular source code management tool for both open source and private enterprise code repositories. It's a major piece of fundamental infrastructure and the keeper of some of the most sensitive assets and data in the world.

It's no wonder that attackers are increasingly going after source code. In some cases, such as Okta, they might be trying to gain access to the source code. More often, the attackers are looking for sensitive information to use in a subsequent attack.

An attacker who can gain access to private source code can examine it for vulnerabilities and then exploit those vulnerabilities in subsequent attacks. Attackers can also harvest hardcoded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.

Shiny Hunters, an attack group known to specifically target private GitHub repositories, has breached tens of companies using this technique, and sold their data across various Dark Web marketplaces.

**Securing the Organization's GitHub Environment**

There is no question that GitHub is a critical part of the organization's infrastructure, but locking it down is a complex and challenging identity security problem. The beauty of the GitHub model is that it allows for unfettered collaboration, but that also creates one of the biggest headaches in modern IT security.

Just think about it: Anyone remotely technical in 2022 has a GitHub account. And you can use your GitHub account for everything. We can use these accounts for personal side projects, open source contributions, and our work in public and private code repositories that are ultimately owned by our employers. That is a lot of heavy lifting for a single identity!

You can also use the "Sign in with GitHub" feature to use your GitHub identity in other websites and services outside of just GitHub itself. And there's more: GitHub is unique in that you don't just sign in to their website, you also pull, push, and clone code from GitHub's servers down to your local machine via git operations over HTTPS and SSH, which themselves require your GitHub identity.

Clearly GitHub picked up on these security implications when it announced the deprecation of usernames and passwords for git operations last year — a step in the right direction.

**7 Tips for Securing Your GitHub**

While GitHub provides tools to lock down the environment, organizations need to know how to use them. Unfortunately, some of the most important security capabilities require GitHub Enterprise. Nonetheless, here are seven principles for better GitHub security.

1.  **Don't allow personal accounts for work.** We get it, your company has a few public repositories and you can build your credibility by showing off some public contributions in your next job interview. Your personal GitHub account is part of your brand. Unfortunately, this is also one of the biggest holes in organizations using GitHub today: They do not strictly govern the use of personal accounts for work purposes. As tempting as it might be, personal accounts should not be used for work. There's just no way to control who has access to that personal Gmail address that you used to create your personal GitHub account.
2.  **Require authentication via company SSO.** Unfortunately, GitHub shows up prominently on the SSO Wall of Shame. That's right — you need to pay extra for SSO integration. Once you have GitHub Enterprise, you can connect GitHub to your company SSO, such as Okta or Azure AD or Google Workspace, and you can lock down your organization to only allow authentication via SSO.
3.  **Require 2FA on all accounts.** Even if you enforce two-factor authentication (2FA, aka MFA) via your SSO and also require SSO authentication, the safest option is to still enforce 2FA for all GitHub users in your organization. Exemption groups and policy exceptions in your SSO provider can make SSO MFA easy to bypass.
4.  **Use SSH Keys for git operations.** While GitHub has introduced fine-grained permissions control with personal access tokens (PATs), they remain susceptible to phishing as these tokens are often copied around in plaintext. By using SSH keys for authentication for git operations, your organization can use thoughtful PKI to govern how SSH keys are provisioned, and can also tie this to your company's device management and your own certificate authority (CA).
5.  **Restrict repository member privileges using roles.** GitHub offers several different repository roles that can be assigned based on the principle of least privilege. Base permissions can be controlled at the organization level. Always take care to assign the least privileged role that a member needs to be productive. Don't make everyone an admin.
6.  **Don't allow outside collaborators.** Working with contractors is a normal part of managing large software projects. However, the governance surrounding outside collaborators in GitHub is insufficient to keep your organization secure. Instead, force outside collaborators to authenticate via your company SSO, and do not allow repository admins to invite them directly to your organization's repositories.
7.  **Audit, analyze, and audit again.** No organization is perfect; even with the best policies in place, accounts fall through the cracks and mistakes are made. Even before locking down your GitHub organization, take the time to implement a regular audit process to look for dormant accounts that are not using their access and to limit the number of privileged roles in your repositories. Once your environment is locked down, keep an eye out for policy violations, such as a user who is somehow still authenticating outside of your SSO or not using 2FA.

The breach of Okta's GitHub repository is a powerful example of just how hard it is to protect identities within enterprises, but it isn't a unique one. Every day we see what happens when employees and contractors experience account takeover. We see the effects of weak authentication, lax policies for personal email accounts, and the ever-expanding size of the identity attack surface.

Unfortunately, this latest incident is just one part of a growing trend of identity-related breaches to watch for in 2023.

Source

DARKReading