Security teams are considering how to get the most out of user entity behavioral analytics by taking advantage of its strengths and augmenting its limitations.

Rogue insiders and external attackers have become a growing concern in enterprise business applications.

External attackers leverage stolen credentials to impersonate an insider and connect to applications, while at the same time insiders are not sufficiently monitored in SaaS and home-grown applications. This poses a risk from employees and admins who might misuse and engage in malicious activities.

Detection solutions for users, networks and devices are based on two main technologies: rules and patterns that define illegal or malicious behavior; and statistical volumetric/frequency methods based on averages and standard deviations of activities, such as the number of logins or number of emails.

These technologies are often referred to as user entity behavioral analytics (UEBA). They set baselines for average, standard deviation, median, and other statistical metrics, and then detect abnormal values using these baselines.

**Users Don't Always Follow Rules**

Doron Hendler, co-founder and CEO of RevealSecurity, says rules and UEBA have been effective due to major commonalities in the network, device, and user access layers: The market by and large uses a limited set of network protocols and a handful of operating systems.

"However, when it comes to the application layer, UEBA has failed due to the vast dissimilarities between applications," he says.

Hendler explains that over a decade ago, the security market adopted statistical analysis to augment rule-based solutions to provide more accurate detection for the infrastructure and access layers.

"However, UEBA failed to deliver as promised to dramatically increase accuracy and reduce false positive alerts due to a fundamentally mistaken assumption: that user behavior can be characterized by statistical quantities, such as the average daily number of activities," he says.

He argues this mistaken assumption is built into UEBA, which characterizes a user by an average of activities. "In reality though, people don't have average behaviors, and it is thus futile to try and characterize human behavior with quantities such as 'average', 'standard deviation', or 'median' of a single activity," he says.

**UEBA Only Works With the Right Data**

David Swift, principal security strategist at Netenrich, says too many companies go into UEBA without changing their thinking about how security event management should work.

"Before ever talking to a vendor, a customer should identify the most important data to the business — these will indicate log data needed — and define the use cases that would constitute a threat, which define the individual indicators and triggers used to build content," he says. Then they must build models that correlate multiple events and multiple correlations for positive confirmation.

"UEBA only works with the right data," Swift adds. "Most failed implementations never pulled in identity data, or key applications. Without identity, there is no 'user' in UEBA. Without application events, it's still solving the same old problem — malware detection."

From his perspective, UEBA is highly successful when a company-critical application and IAM data are included in the deployment.

"When a new business-critical application is analyzed for anomalies, the value to the business when we find insiders and compromised accounts is high," he explains. "When UEBA is used as better malware detection and new data sources aren't used, it's destined to fail."

Relative to false positives, which UEBA is supposed to help reduce, Swift adds that anomaly-based rules were never meant to have zero false positives.

"Threat chains were always meant to combine multiple indicators into a model with low false positives," he explains. "It's always been about models that link multiple indicators together, if we're going to reduce false positives." He adds that when done well, threat chains do yield a low (roughly 3%) false-positive rate.

**Use Cases for UEBA**

Mike Parkin, senior technical engineer at Vulcan Cyber, says that UEBA can be successful in cases where the user's behavior is very consistent.

For example, with call center personnel, who work from specific locations at specific times, changes in their behavior are obvious.

"On the other hand, people who work in the field, such as salespeople visiting customers, are much more difficult to predict," he says.

Although he says he doesn't think the assumption of individuals possessing "average behaviors" is entirely mistaken, the margin of error for people's behavior is "very, very" broad.

He notes some characteristics, such as typing cadence, can be very distinct, but work patterns, including locations and resource access, can be much more variable. "Keeping UEBA applications focused on the kind of behaviors they can accurately predict will make them more effective, as will the applications themselves improving their analytics to better predict a broader range of behaviors," he adds.

From Swift's perspective, there is no "average" — there is only learned behavior and anomalous behavior.

"People are creatures of habit," he says. "Learning what's unique about a user or a machine isn't hard."

In database terms, this means building a second database outside of the events. SQL statements like "select from where unique" identify normal events; then they must be counted and summed up.

"It's pretty simple to build behavior profiles, and they do work," Swift says. "Peer anomalies — you did something others like you don't do — are a bit less cut and dry, and many are snowflakes. But even with peer groups like title and department, most fall within the norms."

Parkin points out not every UEBA application is created equal and there is a lot of variation in effectiveness between them, even within the same application as it looks at different aspects of behavior.

"Overall, \[UEBA\] can be a valuable addition to the stack, but it's not a silver bullet that can magically identify every threat," he says.

How to Get the Most out of UEBA

Inaccurate information from data brokers can damage careers and reputations. It's time for US privacy laws to change how law enforcement and legal agencies obtain and act on data.

"Predictive policing" sounds like something from the plot of the movie _Minority Report_. However, it's a very real practice that relies heavily on data collected and disseminated by two of the largest data brokers in the United States — RELX and Thomson Reuters.

When we talk about big data, we tend to focus on companies such asAmazon, Equifax, Experian, Google, and Meta (formerly known as Facebook). These are mostly companies that commercialize data for marketing efforts, business decisions, product insights, and financial reasons. RELX and Thomson Reuters operate a little differently. These data giants broker data access, analytics tools, news, and research to libraries, scientists, large corporations, law enforcement, and other government agencies.

They are sometimes referred to as "law enforcement data brokers" due to the breadth of information they make available to legal and law enforcement agencies. Unfortunately, this is also a major point of contention with the public.

**What Do Law Enforcement Data Brokers Do?**

Law enforcement data brokers have used technology to expand the scope of public surveillance far beyond traditional surveillance means. While RELX and Thomson Reuters are secretive about their data-collection resources, there are many obvious information veins, including court records, news collections, research studies, and any information you make public that they feel is valuable.

It's not just the massive amount of data they have on every one of us that's a problem, it's also how they analyze this data to make human risk predictions. The information they combine uses past activities, legal records, personal associations, and even ZIP codes to determine the risk that a person will break the law or conduct illegal activity. It's effectively high-tech profiling, and often perpetuates systemic racism.

These data brokers also provide vast amounts of information to the US Immigration and Customs Enforcement (ICE) Agency, which it then uses to target immigrants. This has led to a collective public outrage that has produced petitions, lawsuits, and increased interest in how law enforcement and the government obtain and use data.

**Law Enforcement Has Found a Workaround to Data Privacy Laws**

Many of us are aware that we, as Americans, have a right to privacy. And there are laws that prohibit law enforcement and government agencies from gathering and using our data under most circumstances. However, these laws say nothing about them buying this data access from third parties.

Since the government isn't collecting and processing this data itself, these agencies can skirt federal privacy laws, operating in a legal gray area.

While we all deserve to live in a safe environment, we also deserve to not have our privacy violated and data used to inform legal opinions about our potential for certain actions.

**The Data They're Using Isn't Always Accurate**

It's unsettling to imagine that information being used to assess the risk you pose isn't necessarily accurate. It's not just related to law enforcement targeting; it's also related to any legal decisions. Custody decisions, civil suit outcomes, insurance decisions, and even hiring decisions can all be influenced by the RELX-owned LexisNexis system, which gathers and aggregates data.

Unfortunately, there's little recourse for someone who was unfairly treated due to a data-based risk assessment because people are rarely privy to the way these decisions are made. So, a corporate HR manager or Family Court judge could be operating off bad or incomplete data when making decisions that could effectively change lives.

RELX and Thomson Reuters have disclaimers freeing them from liability for inaccurate data, which means your information could be mixed in with someone else's, causing serious repercussions in the wrong circumstances.

In 2016, a man named David Alan Smith successfully sued LexisNexis Screening Solutions when the company provided his prospective employer with an inaccurate background check. LexisNexis failed to make sure that Smith's middle name was the same across all the data, resulting in the reporting of a criminal history that was not his. Smith's potential employer withdrew its job offer based on this report, showing just how significantly bad data can impact someone's life.

Fortunately, the courts held LexisNexis accountable for this gross negligence, but this is not always the case.

**How Can We Stop This Misuse of Data?**

Because privacy laws are still young and poorly structured in the US, the best recourse is to be knowledgeable and vocal. There are online petitions and organizations that are working to change how law enforcement and legal agencies obtain and act on data.

Hopefully, with enough public support, we can push legislators to act. Every person has a right to be in control of their own data. Any entity that threatens that right should be held accountable, and protections need to be put in place to prevent it from continuing to happen.

The Threat of Predictive Policing to Data Privacy and Personal Liberty

A variety of initiatives — such as memory-safe languages and software bills of materials — promise more secure applications, but sustained improvements will require that vendors do much better, researchers agree.

Can we build a defensible Internet? To improve the security of the Internet and the cloud applications it supports in 2023, we need to do better, experts say. Much better.

At the beginning of 2022, companies famously scrambled to hunt down and mitigate a critical vulnerability in a widespread component of many applications: the Log4j library. The following 12 months of Log4Shell woes highlighted that most companies do not know all the software components that make up their Internet-facing applications, do not have processes to regularly check configurations, and fail to find ways to integrate and incentivize security among their developers. 

The result? With the post-pandemic increase in remote work, many companies have lost their ability to lock down applications and remote workers and consumers are more vulnerable to cyberattacks from every corner, says Brian Fox, chief technology officer for Sonatype, a software security firm.

"Perimeter defense and legacy behavior worked when you had physical perimeter security — basically everyone was going into an office — but how do you maintain that when you have a workforce that increasingly works from home or a coffee shop?" he says. "You've stripped away those protections and defenses."

As 2022 nears its close, companies continue to struggle against insecure applications, vulnerable software components, and the large attack surface area posed by cloud services.

**The Software Supply Chain's Gaping Holes Persist

Even though software supply chain attacks grew 633% in 2021, companies still do not have the processes in place to do even simple security checks, such as weeding out known vulnerable dependencies. In March, for example, Sonatype found that 41% of downloaded Log4jcomponents were vulnerable versions.

Meanwhile, companies are increasingly moving infrastructure to the cloud and adopting more Web applications, tripling their use of APIs, with the average company using 15,600 APIs, and traffic to APIs quadrupling in the last year.

This increasingly cloudy infrastructure makes users' human fallibility the natural attack vector into enterprise infrastructure, says Tony Lauro, director of security technology and strategy at Akamai.

"The unfortunate truth is that no matter what is happening in the enterprise and how well you lock it down and secure it, there is opportunity to attack the users," he says. "With ransomware and malware, phishing and scams, even if the back end is secure, they can take advantage of the user."

****Cyberthreats Against Applications Only Loom Larger**

To see an example of how little progress cybersecurity has made in the past three decades, companies do not have to look further than phishing. The social engineering technique has been around for almost as long as email, yet the vast majority of companies (83%) have suffered a successful email-based phishing attack in 2022. Phishing easily leads to credential harvesting and then to compromises of Web applications and cloud infrastructure.

The simple technique can bypass multiple layers of application security and give attackers access to sensitive data, systems, and networks, Daniel Cuthbert, global head of cyber security research at Banco Santander, said at this month's Black Hat Europe security conference.

"You should be able to click on something and not have it push a reverse shell out to somebody else," he lamented. "Is it that hard to ask?"

Attackers are also focusing on targeting applications in ways that get by many of the security controls that are operating at the edge of the network.

At the Black Hat Asia conference in May, researchers outlined ways to sneak attacks past web application firewalls (WAFs) to deliver malicious payloads to otherwise-protected applications and their databases. In December, cybersecurity firm Claroty demonstrated more general attacks using JSON to bypass five major WAFs, including those of Amazon Web Services and Cloudflare. In the same month, a pair of researchers used a vulnerable version of Spring Boot to bypass Akamai's WAF.

Companies have to be more tactical about how they rely on WAFs, says Akamai's Lauro. So-called "virtual patching" — when the WAF is used to block the exploit of vulnerabilities that are not yet, or cannot yet be, patched — is an important capability. Yet, too many companies use WAFs to protect poorly designed applications, he says.

"You need to identify how that vulnerability could be attacked from the Internet, and virtual patches helps there, but once you are inside the network, the first thing I'm going to do as an attacker is look for some of these zero-days and use them to move laterally," he says.

**Future AppSec Requires Innovation**

Efforts to protect the fundamental components of software by securing the software supply chain will be a key source of innovation in the near future. These advances take time to implement and are not silver bullets, but they can result in far more robust software development and end product, experts say.

Providing developers more information about the components they import into their own software through systems like Scorecard, for example, has significant security benefits. Scorecard checks a variety of software project attributes, such as whether there are binary code included in the software, have dangerous development workflows, or has signed releases. Just that information can determine whether a project is vulnerable with 78% accuracy, according to the Open Software Security Foundation (OpenSSF).

Sigstore, which allows each software component to be signed, is another technology that will help developers understand and secure their supply chains, says John Speed Meyers, principal security scientist at Chainguard, a software security firm.

"A key building block for preventing software supply chain compromises is the widespread use of digital signatures," he says. "This helps reduce the chance of software supply chain compromises and reduce the blast radius when they do happen."

**Companies Can Make Cyber-Secure Application Choices**

While those advances in the software development process can result in more secure software, the choice of language can make a significant difference as well. Memory-safe languages can all but eliminate pernicious classes of software flaws, such as buffer overflows and use-after-free vulnerabilities. 

Google, for example, found that the use of memory-safe languages, such as Java and Rust, rather than C and C++ resulted in lowering the number of vulnerabilities from 223 to 85 over three years.

Companies need to give developers more support and leeway in selecting secure tools and frameworks, not just focus on productivity and features, says Sonatype's Fox.

"There is a new reality that companies need to wake up to and deal with, and that is that the developers at the end of the day are the ones that have to make these changes, and the organizations need to recognize their problems and support them," he says. "Developers are finding their own tools, and they know that's a problem, but they are not getting the support from the company, so even in a world where developers want to do the right thing, their companies are holding them back."

At the executive level, companies also need to be using their buying power to focus on holding their vendors accountable for security of their products, Banco Santander's Cuthbert said during his Black Hat Europe keynote.

"When we look at buying product, and we look at buying software, the reality is that we have zero input to make sure that those vendors, those products are secure," he said. "We just don't have that power and we don't have meaningful influence."

Internet AppSec Remains Abysmal & Requires Sustained Action in 2023

A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware.

A high-severity security vulnerability in the Kyverno admission controller for container images could allow malicious actors to import a raft of nefarious code into cloud production environments.

The Kyverno admission controller offers a signature-verification mechanism designed to ensure that only signed, validated container images are being pulled into a given Kubernetes cluster. This can ward off any number of bad outcomes, given that boobytrapped container images can contain payloads as varied as cryptominers, rootkits, exploit kits for container escape and lateral movement, credential stealers, and more.

However, the bug (CVE-2022-47633) can be exploited to subvert that mechanism. "The vulnerability enables an attacker … to inject unsigned images into the protected cluster, bypassing the image verification policy," explained researchers at ARMO, in a blog post on Dec. 21. The stakes are high: The attacker can effectively take control of a victim’s pod and use all of its assets and credentials, including the service account token to access the API server, they warned.

"The vulnerability enables a complete bypass of image signature verification. In the case of a Kubernetes cluster, this gives an attack a wide range of targets. Any workload can mount cluster secrets and data volumes," Ben Hirschberg, CTO and co-founder of ARMO, tells Dark Reading. "This means the attacker can inject code that can steal data and credentials from the Kubernetes cluster of the victim. This also enables the attacker to inject his/her own code and use the CPU of the victim for things like cryptocurrency mining."

**Inside the Bug: Subverting the Container Admission Controller**

When a new workload, defined via an image with a tag, is requested from a Kubernetes API server, the API server asks the Kyverno admission controller to validate the new workload. To determine whether a workload can be admitted to the cluster, the admission controller requests the image manifest and a signature from the container registry.

If they check out, the image gets the green light, and the container runtime starts a new workload based on said image.

The vulnerability arises because the controller's signature validation process downloads the image manifest twice — but only verifies a signature for one of the downloads, according to the advisory.

Thus, the attack looks like this: An administrator is social-engineered into pulling a container image from a malicious registry or proxy. When the image is first imported, the malicious registry returns a valid, benign, signed image to the admission controller. So far, so good.

However, then the admission controller requests the manifest of the signed image for a second time, to get the digest for mutation — i.e., to update the container's human-readable tag. This time, no signing validation occurs, allowing the malicious registry to return a different, unsigned and malicious image, which is ultimately the one that is spun up and run.

"This is a classic example of a \[time-of-check-to-time-of-use\] TOCTOU problem that allows the attacker to pull a bait-and-switch," according to ARMO's analysis. "Since the image manifest which will eventually be used is not the same as the one which was verified, this enables the attacker to trick the client."

The vulnerability was introduced in version 1.8.3 and was fixed in version 1.8.5; Kyverno users should update as soon as possible. The patch ensures that the same image hash is used to change the workload specification as was used to verify the signature.

This specific vulnerability affects only Kubernetes with Kyverno, but other image signature verification tools need to take care not to be vulnerable to the same method, Hirschberg warned.

**Social Engineering a Malicious Container Attack**

To carry out a real-world attack, threat actors can use either compromised accounts on existing registries to host malicious images, or they can establish their own private container registry and then set about convincing an admin to trust it.

From a practical standpoint, "creating a malicious registry for an experienced attacker is not a challenge," Hirschberg says. "An attacker can take any open source registry software, make some minor modifications to make the attack work, and run it in the cloud under a custom domain."

The next step is to convince an admin to trust the malicious container, which is also not that difficult. Container images from third parties are often used to spin up ready-made applications, in much the same way that app developers source prebuilt code blocks from open repositories like npm — the idea is to not have to reinvent the wheel for common functions and utilities.

Hirschberg notes that only a fraction of Kubernetes users have strictures on where they can pull container workloads from, so cloud admins are not likely to be immediately on their guard when it comes to using third-party registries — particularly if they have image signature verification in place.

"The attacker could go phishing and publish in multiple forums a notification that there is a new version of software XYZ, and here are the Kubernetes YAML or Helm to run it," he explains. "Since some people feel protected by image signature verification, their guard would be down and would not be afraid to run the image."

**Container Security: A Rising Concern**

Containers are a good target for cybercriminals because they mostly run in the cloud with access to plenty of computational resources, which are precious and expensive, Hirschberg points out — so, this enables attackers to steal computational resources and data, while also going unnoticed for a relatively long period of time.

"We don’t have exact statistics, but it is very clear that with the wide adoption of containers, this is becoming a more prevalent issue," he says. "Security teams are learning how to handle them, and Kubernetes in general. I don't think that it is a true 'blind spot,' but container security teams are still learning the whole environment with many neglected areas."

With the adoption of image signature verification still in its early stages, admission controllers represent one of those potentially neglected areas. But they're also part of a broader conversation about supply chain software security, that should be put in the spotlight.

"The SolarWinds attack showed the world how sensitive this issue is when it comes to trusting the security of external code," Hirschberg says. "Kyverno is among the first security tools to implement signature validation, and with new features can come new bugs. Hopefully, this finding makes this a more secure mechanism and will help the industry to overcome the problem of verifying software in Kubernetes."

Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes

The follow-on attack from August's source-code breach could fuel future campaigns against LastPass customers.

LastPass has issued a statement acknowledging that a recent cyberattack has resulted in the theft of customer data, in addition to offering cybercrooks access to encrypted customer vaults.

The attack was a follow-on from a previous breach in August that resulted in the theft of the LastPass source code.

"To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the company statement said.

LastPass added that a backup copy of encrypted customer vault data was also stolen, including website usernames, passwords, secure notes, and form-filled data.

The company warns customers to be on the lookout for phishing, credential stuffing, and brute-force attacks as a result of the compromise.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

LastPass Cops to Massive Breach Including Customer Vault Data

Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.

It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.

But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.

Organizations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.

However, a recent Aite-Novarica Group report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.

Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.

"The risks include the potential for interruptions, unauthorized access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information," says Craig Lurey, CTO and co-founder at Keeper Security.

**Threats Targeting Video Communications Platforms Multiply**

The use of videoconferencing software by remote workers makes it an easy target for various types of attacks in the wild. For instance, "Zoom-bombing" and other attacks came to the fore in the wake of the first work-from-home wave during the pandemic.

Other threats include DDoS attacks, according to the FBI's Internet Crime Report, and malware. In May, for instance, threat hunters discovered a vulnerability chain in Zoom's chat functionality that could be exploited to allow zero-click remote code execution (RCE).

Security firm Vectra also recently discovered a vulnerability in Microsoft Teams, which found that the platform stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. The weakness gives attackers the ability to move through a company’s network much more easily.

But while zero-day exploits and other high-profile attacks get a lot of attention, Mike Parkin, senior technical engineer at Vulcan Cyber points out that many, if not most, attacks still target the users.

"That usually means phishing emails or other social engineering attacks that lead to compromise, or business email compromise attacks that can lead to direct losses through fraud," he says.

**SMBs at Particular Risk From Videoconferencing Threats**

The risk is especially piquant for small and medium-sized businesses (SMBs), researchers say. This segment relied heavily on video collaboration to cut travel costs even before the pandemic, and now represents a class of superusers.

At the same time, SMBs may not have the security awareness or in-house expertise necessary to shore up their defenses. Parkin says SMBs often wrestle to implement and manage a proper cybersecurity program.

"That lack of resources can manifest in not knowing, or being able to implement, proper security on their videoconferencing usage," he says.

George Waller, co-founder and executive vice president of Zerify, agrees that SMBs typically don't have the financial and technical resources that larger companies have.

"Therefore, they are far more vulnerable to even the most basic attacks such as email, phishing and ransomware," he says. "Post-pandemic, many SMBs are still working with limited staff and budgets. Therefore, it's easier to trip them up and cause a devastating data breach."

Meanwhile, this sector often faces financial constraints that could make a cyberattack an extinction-level event. According to a recent IBM breach report, the average size of a data breach in the US is now $9.44 million, and 60% of small businesses go out of business within six months of a data breach.

"When cybercriminals steal sensitive, confidential, or classified data, they can make you pay a ransom to get it back," Waller explains. "They can also sell it to other nefarious people, who can use that data to embarrass or profit from your organization."

Unfortunately, amid the challenges, SMBs are often more of a target than they realize.

"While an attacker’s potential take is smaller, the effort is low, the risk is low, and SMB organizations often have less investment in cybersecurity than a larger organization," Parkin explains. "They can be particularly susceptible to ransomware and business email compromise attacks."

**2FA, Zero Trust Help Secure Video Conferencing**

Fortunately, there are some basic steps that businesses of any size can take to ensure the videoconferencing system they're using doesn't fall into the "low-hanging fruit" category for cybercriminals.

For one, they should ensure their platforms and apps offer two-factor authentication (2FA) for both the meeting creator as well as for the meeting participant, and make sure that login links cannot be shared; most videoconferencing platforms have such basic security features and offer advice on how to use them.

Ricardo Villadiego, CEO and founder of Lumu, says businesses for instance should enable security features such as ID and password and end-to-end encryption that allow SMBs to control access to conversations.

"Avoid repeating passwords, lock down microphones and speakers, and authenticate every user prior to entering a videoconference," he says. "Limit the kind of files and links that can be shared via videoconferencing tools, keep meeting recordings only accessible with a password, and don't discuss information that you wouldn't discuss over the telephone."

Waller adds that snooping on video calls via spyware is a threat that SMBs should be aware of, too.

"Make sure that your camera, microphone, and audio-out data streams are locked down and cannot be spied on with malware," he says. "Organizations should also use an anti-keylogging and anti-screen scraping technology and make sure that AV software is up to date."

Lurey, meanwhile, advises SMBs to protect videoconferencing platforms with a zero-trust security architecture that requires all users be authenticated, authorized, and continuously validated before they can access the application.

"Choose a provider wisely and check that it provides end-to-end encryption," he says. "Most major platforms do."

He adds that it's also imperative to configure the platform correctly by enabling built-in security capabilities and providing consistent enforcement to ensure those security features are never disabled.

Finally, Parkin advises that there are other vulnerabilities in some videoconferencing platforms that require specific steps to counter and stresses the importance of keeping the videoconferencing software up to date. Security teams should also proactively monitor network behavior for anomalous activity and make sure to read terms and conditions of the videoconferencing platform being used.

He adds that with a changing threat landscape, the challenge for SMBs in particular is finding the balance between defending against known threats, being positioned to stay ahead of emerging ones, and managing the risk specific to their environment.

"Small businesses are often resource restricted when it comes to cybersecurity, which means they need to be efficient with the resources they do have," he says. "But focusing on things like user education, which can deliver a lot of value for the investment, can help."

Videoconferencing Worries Grow, With SMBs in Cyberattack Crosshairs

APIs are key to cloud transformation, but two Google surveys find that cyberattacks targeting them are reaching a tipping point, even as general cloud security issues abound.

Web application programming interfaces (APIs) are the glue that holds together cloud applications and infrastructure, but these endpoints are increasingly under attack, with half of companies acknowledging an API-related security incident in the past 12 months.

According to a survey conducted by Google Cloud, the most troublesome security problems affecting companies' use of APIs are security misconfigurations, outdated APIs and components, and spam or abuse bots — with 40% of companies suffering an incident due to misconfiguration and a third coping with the latter two issues. 

Two-thirds of companies (67%) found API-related security issues and vulnerabilities during the testing phase, but most companies — greater than 60% — discovered issues during the software development process, during application deployment, and by using real-time monitoring, according to the survey of more than 500 technology leaders.

Despite these issues, more than three-quarters (77%) have confidence that they will catch issues, saying they have the required API tools and solutions, says Vikas Anand, head of product for business application platforms at Google Cloud.

"There's a perception of confidence with existing tooling that isn’t matched by evidence," Anand says. "The landscape for security has changed — with the dramatic growth in API volume, APIs are the new battleground for application security."

The interest in Web APIs comes as companies have accelerated their digital transformations over the past two years following the business disruptions caused by the coronavirus pandemic. Nearly all (93%) of companies surveyed by Google in a second study of 770 technology leaders characterized their operations as based on "mostly cloud," up from 83% two years ago. 

In contrast, business decision-makers characterizing their operations as "mostly on-premises" dropped by half to 7%, from 16%, in the same time period.

    

Source: Google Cloud

By one estimate, API-related security incidents caused $12 billion to $23 billion in losses since 2020. And the attack surface is getting bigger: The average large company has three times the number of APIs — 15,600 — as a year ago.

**APIs: Key to Cloud Transformation**

While 46% of organizations surveyed reserved their use of APIs to only within their own organization, more than half (54%) allow partners, customers, and other external developer use the APIs as a way to spur third-party development, Google found.

"APIs are critical to application modernization and digital transformation because, along with microservices, they enable rapid delivery of new experiences to customers, while cutting the cost of development and maintenance," Google Cloud stated in its _"_The Digital Crunch Time: 2022 State of APIs and Applications" report.

Because APIs are critical to their digital transformation, companies have wisely prioritized API security investments, with 60% aiming to improve their ability to proactively identify security threats, and 57% adopting more security automation and orchestration, according to Google Cloud's second report, "API Security: Latest Insights & Key Trends." 

About half of companies also intend to expand their real-time monitoring of API servers and using artificial intelligence and machine learning (AI/ML) systems to better discover flaws and detect attacks.

"As organizations move from being reactionary to proactively addressing these threats, we’ll see AI/ML models become more widely adopted within security tooling," Anand says. "ML-based rules are the natural evolution of this — not just automating, but continuously learning from those experiences."

**API Maturity Brings Cloud Success**

Unsurprisingly, companies that have had more experience with APIs have also found more success with their transition to more cloud-native operations.

About a third of companies (34%) classified themselves as having a mature approach to APIs, pushing an API-first strategy across the organizations and using an API management platform. Those companies also had more success increasing efficiency, better collaboration, and improved agility, compared with organizations with lower API maturity. 

Google Cloud defined low-maturity organizations as those with siloed APIs, no centralized management of APIs, and perhaps an API gateway for security.

"Our study shows that mature API organizations are considerably ahead in their digital transformation efforts compared to low-maturity API organizations," according to the vendor. "Technology leaders already understand the value that APIs bring."

For companies moving to API-based application infrastructure, API security is considered the most significant component of an API program, with 66% of companies considering it important, according to Google's report. Other top concerns included API performance analytics and API governance.

"API security ultimately needs to be part of the overall end-to-end security strategy," Anand says. "Seamless integrations between all security products make enhancing the overall security value from your portfolio easier."

Google: With Cloud Comes APIs & Security Headaches

To stay safer, restrict access to data, monitor for breaches in the supply chain, track relevant data that is sold on the Dark Web, and implement best safety practices.

The danger of being hit by a ransomware attack is scary enough, but in many cases, criminals can still extort your business after the ransom has been paid and things have seemingly returned to normal. Double and even triple extortions are becoming increasingly common, with ransomware gangs now demanding additional payments to keep the private information captured in their attacks from being leaked. These added threats are driving up the collective cost of ransomware, which is forecast to reach $265 billion by 2031, according to some sources.

In traditional ransomware attacks, the attackers hijack and encrypt valuable data to force organizations to pay a ransom in exchange for the safe restoration of data and network functionality. CISOs have responded by adopting stronger cyber protections, such as creating secure offsite backups and segmenting their networks, and attackers have quickly evolved to subvert these methods. 

**One Extortion, Two Extortion, Three**

The cat-and-mouse game that is ransomware took an ugly turn over the past year or so as attackers realized the value that organizations put on not releasing their sensitive information publicly: The brand and reputation hit can sometimes be just as damaging as being locked out of files and systems. Capitalizing on this unfortunate reality, attackers began adding the threat of leaking sensitive data as a follow-up to successful or even unsuccessful ransomware attacks when organizations were able use backups to restore their systems.  

With double extortion being so successful, attackers figured: Why stop there? In cases of triple extortion, attackers threaten to release data about downstream partners and customers to extract additional ransom payments, potentially putting the initial organization at risk of lawsuits or fines.  

Some bad actors have even created a search function that allows victims to find leaked data about partners and clients as proof of the data's damaging value. A ransomware operation known as ALPHV/BlackCat may have started this trend in June, when cybercriminals posted a searchable database containing the data of nonpaying victims. The BlackCat gang went as far as to index the data repositories and give tips on how to best search for information, as if it was providing customer service. These kinds of leaks not only raise ransom costs for victims, but they send a clear message to those who think they are clever enough to avoid paying the ransom.

**Guarding Against Multiple Extortion Attempts**

For CISOs who want to become more proactive in safeguarding their organizations against such extortion events, the first step is monitoring for breaches within their supply chains and corporate relationships, while tracking relevant data that is sold on the Dark Web or released in breach dumps. 

Regular backup practices provide a strong initial defense against a standard ransomware attack, but backups alone are no longer enough. Because criminals have recognized that backups are a standard option to avoid payment, they will seek to corrupt the backups, in addition to threatening future leaks. This growing problem has created a need for offline backups and out-of-band incident communications: Any system connected during an incident — such as email — should no longer be trusted.  

The trouble with double or triple extortion attempts is that even if the initial pay-for-decryption ploy is unsuccessful (because an organization was able to use backups), the attackers may still gain access to sensitive data and threaten to leak it. These attacks highlight the need to prioritize the protection of the most critical data. 

**Best Practice Defenses**

The only true defense against double and triple extortion is ensuring that attackers don't get access to the most\-sensitive information.  

The top priority should be to categorize critical data so that when malicious actors do get past the first lines of defense, they can't steal the most valuable items in the vault. This oversight process involves restricting who has access to data and what tools directly interact with it. The fewer access points, the easier it is to secure the data.  

Some other best practices include:  

*   Understanding where your data lives and adopting solutions with near-real-time alerts that show when sensitive data is saved, transferred, or stored insecurely. When you focus your efforts to protect your most\-critical information, you help limit alert fatigue and keep a closer watch on exactly who and what interacts with that data.
*   Staying on top of the dynamic risks associated with new devices entering your network when employees get onboarded or when devices associated with former employees should have access or credentials removed.
*   Establishing a baseline understanding of "normal behavior" in your environment so you have a better sense when something untoward is afoot.

**Recommended Post-Breach Behavior**

If you still experience a breach, make sure you limit attackers' chances of accessing private data by:  

*   Vigilantly changing used passwords that may be associated with compromised systems. 
*   Verifying that breach information comes from a legitimate source, as compromised emails may seem official when they are, in fact, fraudulent.
*   Ensuring recovery efforts go beyond "wipe and reimage" to include thorough checks that find residual signs of compromise.

*   Identifying the initial access points that were breached to avoid reintroducing the attack vector during recovery efforts.

The crippling effects of a ransomware attack can be devastating for any business. But now the stakes are much higher due to the expanded attack surface that threatens a company's extended ecosystem of partners, customers, and investors. As a result, all organizations need to develop a game plan to defend their data and protect themselves not only from the initial ransomware attacks, but from double and triple ransomware ploys as well.

Fool Me Thrice? How to Avoid Double and Triple Ransomware Extortion

Vendors and operators attempt to balance power and security, but right now, power is the highest goal.

SUPERCOMPUTING 2022 — How do you keep the bad guys out of some of the world's fastest computers that store some of the most sensitive data?

That was a growing concern at last month's Supercomputing 2022 conference. Achieving the fastest system performance was a hot topic, like it is every year. But the pursuit of speed has come at the cost of securing some of these systems, which run critical workloads in science, weather modeling, economic forecasting, and national security.

Implementing security in the form of hardware or software typically involves a performance penalty, which slows down overall system performance and the output of computations. The push for more horsepower in supercomputing has made security an afterthought.

"For the most part, it's about high-performance computing. And sometimes some of these security mechanisms will reduce your performance because you are doing some checks and balances," says Jeff McVeigh, vice president and general manager of Super Compute Group at Intel.

"There's also a 'I want to make sure I'm getting the best possible performance, and if I can put in other mechanisms to control how this is being securely executed, I'll do that,'" McVeigh says.

**Security Needs Incentivizing**

Performance and data security is a constant tussle between the vendors selling the high-performance systems and the operators who are running the installation.

"Many vendors are reluctant to make these changes if the change negatively impacts the system performance," said Yang Guo, a computer scientist at the National Institutes for Standards and Technology (NIST), during a panel session at Supercomputing 2022.

The lack of enthusiasm for securing high-performance computing systems has prompted the US government to step in, with the NIST creating a working group to address the issue. Guo is leading the NIST HPC Working Group, which focuses on developing guidelines, blueprints, and safeguards for system and data security.

The HPC Working Group was created in January 2016 based on then-President Barack Obama's Executive Order 13702, which launched the National Strategic Computing Initiative. The group's activity picked up after a spate of attacks on supercomputers in Europe, some of which were involved in COVID-19 research.

**HPC Security Is Complicated**

Security in high-performance computing is not as simple as installing antivirus and scanning emails, Guo said.

High-performance computers are shared resources, with researchers booking time and connecting into systems to conduct calculations and simulations. Security requirements will vary based on HPC architectures, some of which may prioritize access control, or hardware like storage, faster CPUs, or more memory for calculations. The top focus is on securing the container and sanitizing computing nodes that pertain to projects on HPC, Guo said.

Government agencies dealing in top-secret data take a Fort Knox-style approach to secure systems by cutting off regular network or wireless access. The "air-gapped" approach helps ensure that malware does not invade the system, and that only authorized users with clearance have access to such systems.

Universities also host supercomputers, which are accessible to students and academics conducting scientific research. Administrators of these systems in many cases have limited control over security, which is managed by system vendors who want bragging rights for building the world's fastest computers.

When you place management of the systems in the hand of vendors, they will prioritize guaranteeing certain performance capabilities, said Rickey Gregg, cybersecurity program manager at the US Department of Defense's High Performance Computing Modernization Program, during the panel.

"One of the things that I was educated on many years ago was that the more money we spend on security, the less money we have for performance. We are trying to make sure that we have this balance," Gregg said.

During a question-and answer session following the panel, some system administrators expressed frustration at vendor contracts that prioritize performance in the system and deprioritize security. The system administrators said that implementing homegrown security technologies would amount to breach of contract with the vendor. That kept their system exposed.

Some panelists said that contracts could be tweaked with language in which vendors hand over security to on-site staff after a certain period of time.

**Different Approaches to Security**

The SC show floor hosted government agencies, universities, and vendors talking about supercomputing. The conversations about security were mostly behind closed doors, but the nature of supercomputing installations provided a birds-eye view of the various approaches to securing systems.

At the booth of the University of Texas at Austin's Texas Advanced Computing Center (TACC), which hosts multiple supercomputers in the Top500 list of the world's fastest supercomputers, the focus was on performance and software. TACC supercomputers get scanned regularly, and the center has tools in place to prevent invasions and two-factor authentication to authorize legit users, representatives said.

The Department of Defense has more of a "walled garden" approach, with users, workloads, and supercomputing resources segmented into a DMZ-stye border area with heavy protections and monitoring of all communications.

The Massachusetts Institute of Technology (MIT) is taking a zero-trust approach to system security by getting rid of root access. Instead it uses a command line entry called sudo to provide root privilege to HPC engineers. The sudo command provides a trail of activities HPC engineers undertake on the system, said Albert Reuther, senior staff member in the MIT Lincoln Laboratory Supercomputing Center, during the panel discussion.

"What we're really after is that auditing of who is at the keyboard, who was that person," Reuther said.

**Improving Security at the Vendor Level**

The general approach to high-performance computing has not changed in decades, with a heavy reliance on giant on-site installations with interconnected racks. That is in sharp contrast to the commercial computing market, which is moving offsite and to the cloud. Participants at the show expressed concerns about data security once it leaves on-premises systems.

AWS is trying to modernize HPC by bringing it to the cloud, which can scale up performance on demand while maintaining a higher level of security. In November, the company introduced HPC7g, a set of cloud instances for high-performance computing on Elastic Compute Cloud (EC2). EC2 employs a special controller called Nitro V5 that provides a confidential computing layer to protect data as it is stored, processed, or in transit.

"We use various hardware additions to typical platforms to manage things like security, access controls, network encapsulation, and encryption," said Lowell Wofford, AWS principal specialist solution architect for high performance computing, during the panel. He added that hardware techniques provide both the security and bare-metal performance in virtual machines.

Intel is building confidential computing features like Software Guard Extensions (SGX), a locked enclave for program execution, into its fastest server chips. According to Intel's McVeigh, a lackadaisical approach by operators is prompting the chip maker to jump ahead in securing high-performance systems.

"I remember when security wasn't important in Windows. And then they realized 'If we make this exposed and every time anyone does anything, they're going to worry about their credit card information being stolen,'" McVeigh said. "So there is a lot of effort there. I think the same things need to apply \[in HPC\]."

Security Is a Second-Class Citizen in High-Performance Computing

What is the worst that can happen when a developer's machine is compromised? Depending on the developer's position, attackers gain access to nearly everything: SSH keys, credentials, access to CI/CD pipelines and production infrastructure, the works.

**Question: What kind of data can an attacker steal after compromising a developer?**

**Louis Lang, security researcher, CTO of Phylum**: We have spent a long time convincing people they shouldn’t open email attachments from unknown senders. We have spent considerably less time convincing the wider developer community that installing packages from unknown sources is a terrible idea.

While phishing campaigns remain effective, they often land the attacker in some unrelated part of the organization and still require a pivot to the final target. Supply chain attacks cut to the heart of the organization, compromising the developer and their privileged accesses. In some cases, like typosquatting and dependency confusion, these attacks are carried out without direct communication between the attacker and the developer. There is no email attachment to open since the developer willingly pulls in the code (which contains the malware).

So what can an attacker steal if they compromise a developer? Depending on the developer's position, nearly everything. Assuming a compromise has occurred, in the absolute best case, the attacker may have gained access to a junior engineer's machine. We’d expect this engineer to, at the very least, have commit access to source code. If the organization has poor software engineering practices (e.g., no code reviews and no limits on who can commit to the main branch), the attacker has free reign to modify the organization's source code at will; to modify and infect the product that you ship to customers.

In the worst and equally likely case, the attacker will gain access to a senior developer with more privileges. This developer will have access to source code, SSH keys, secrets, credentials, CI/CD pipelines, and production infrastructure and likely the ability to bypass certain code checks. This scenario, where this kind of an engineer is compromised, would be devastating for an organization.

This is not hypothetical, either. Malware packages are routinely being published into open-source ecosystems. Nearly all of this malware is tailor-made to exfiltrate credentials and other files deemed sensitive or important. In more recent campaigns, attackers have even attempted to drop ransomware directly onto developer machines as a way to extort cryptocurrency from the organization.

Software developers sit in a privileged position in any technical organization. With their upstream access to the products shipped to customers and access to production systems and infrastructure, they are the lynchpin in any modern organization. A failure to defend the developer is a failure of the security organization as a whole and could lead to catastrophic consequences.

Source

DARKReading