Microsoft warns enterprises should pay attention to a new botnet used to launch DDoS attacks on private Minecraft Java servers.

The persistence and spread of a newly identified botnet targeting private Minecraft Java servers has far wider ramifications for enterprises than bumming out a Biome.

Microsoft researchers revealed in a report published Dec. 16 that this new botnet is used to launch distributed denial-of-service (DDoS) attacks on Minecraft servers, which might sound like kid stuff. But enterprises should take note because of the botnet's ability to target both Windows and Linux devices, spread quickly, and avoid detection, the Microsoft team added.

It starts with a user downloading a malicious downloads of "cracked" Windows licenses.

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices," the Defender team reported. "Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet."

The threat researchers suggest that organizations harden their device networks against these kinds of threats.

The group's analysis revealed most of the infected devices were in Russia.

**Enterprises Beware**

Factors including the sheer number of potential server targets and the general lack of cybersecurity protections on private Minecraft servers make this botnet something security teams should take seriously, Patrick Tiquet, vice president of security architecture at Keeper Security, tells Dark Reading.

"The concern in this scenario is that there are a large number of servers that can potentially be compromised and then weaponized against other systems, including enterprise assets," Tiquet explains. "Gaming servers such as Minecraft are typically managed by private individuals who may or may not be interested in or capable of patching and following cybersecurity best-practices. As a result, this vulnerability could continue unmitigated on a large scale for an extended period of time and could potentially be leveraged to target enterprises in the future."

Beyond this particular malware, Microsoft's recommendations are a good idea for protecting the enterprise from all sorts of botnets besides just the Minecraft-focused sort, according to Vulcan Cyber's Mike Parkin.

"They're industry best practices — restricting access, changing default passwords to strong ones, enabling multifactor authentication, etc. — and should be implemented regardless," Parkin says. "While some of the techniques can be challenging to implement on some low-power IoT devices, deploying to best practices is the absolute minimum that should be happening."

New Botnet Targeting Minecraft Servers Poses Potential Enterprise Threat

Cybercriminal rats are at play: Several food suppliers and distributors have experienced hundreds of thousands of dollars in losses after fulfilling fraudulently placed orders for food and ingredient shipments.

Threat actors have typically used business email compromise (BEC) attacks to steal money from unwary organizations in recent years. But in a new twist, cybercriminals are using them to steal food shipments and ingredients from suppliers and distributors around the country.

The FBI and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) on Dec. 16 issued an alert warning that the attacks have been going on since at least the beginning of this year and have cost several organizations hundreds of thousands of dollars in losses so far.

"While BEC is most commonly used to steal money, in cases like this, criminals spoof emails and domains to impersonate employees of legitimate companies to order food products," the two agencies said in the joint cybersecurity advisory.

While the behavior has a certain rat-like scavenging quality to it, the goal behind these thefts often is to repackage and resell the stolen food items without regard for safety and sanitation regulations, they said.

**A Fridge-Full of Incidents**

The advisory highlighted several examples — the earliest one going back to February — where companies have fallen victim to the scam. In one incident in August, a food distributor received an email order supposedly from the chief financial officer of a multinational snack and beverage company for two full truckloads of powered milk. The attacker used the actual name of the CFO but had an email address that contained an extra letter in the domain name than that of the real company. The food distributor fell for the scam and later had to pay their supplier more than $160,000 for the fraudulent shipment.

Also in February, a food manufacturer experienced more than $600,000 in losses after receiving and shipping orders for whole milk powder and nonfat dry milk from four different fraudulent companies. In each instance, the attackers used real employee names and emails with slight variations of domain names belonging to legitimate companies to place the orders.

In another incident in April, an ingredient supplier received a request — purportedly from the president of another large food manufacturer — for pricing information for whole milk powder via the company's Web portal. In this instance, the supplier ran a credit check on the spoofed food manufacturer, extended a line of credit to the company, and made the first of two $100,000 shipments to the criminals, before realizing something was amiss. 

The FBI and FDA OCI alert mentioned other incidents as well where criminals attempted to pull off similar heists but were not successful. 

In each of these attacks, the criminals have created email accounts and websites that look nearly identical to those of a legitimate company but contain nearly indiscernible differences — for example, an extra letter or substitute character such as a "1" instead of a lowercase "l." Their tactics have often included gaining access to a legitimate company's email system and using that to send fraudulent emails to targeted victims.

To add further legitimacy to their fraudulent communications, the attackers have used the actual names of executives and employees at legitimate businesses and used copied company logos in their emails and other documents. The attackers have also used the actual business information of legitimate companies to pass credit checks and obtain lines of credit for fraudulently purchasing food supplies and ingredients from victim companies.

Losses continue to mount from BEC attacks, although the food theft scams are different from usual tactics where threat actors scam organizations into making fraudulent money transfers. In 2021, losses from BEC attacks totaled nearly $2.4 billion, making it one of the most financially damaging online crimes, according to the FBI's Internet Crime Complaint Center (IC3). Many BEC attacks target small and midsize companies, though large organizations are often victims as well. 

A report that IC3 released earlier this year showed that BEC attacks are only continuing to grow and evolve. IC3 estimated that between June 2016 and last December, there were some 241,206 BEC attacks that cumulatively caused organizations worldwide a staggering $43 billion in losses.

**The Big Takeaway**

The takeaway from these attacks is that threat actors can be clever and will adapt their techniques to find ways around an organization's defenses, says Mike Parkin, senior technical engineer at Vulcan Cyber. 

"While using the BEC vector to steal finished food shipments or raw materials seems like a lot more work than simply fooling the victim into sending cash, that may have been the point," he says. "The threat actors here went for a novel scheme in order to slip under the radar and, possibly, steal more than they might have gotten from a single faked invoice."

Mika Aalto, co-founder and CEO at Hoxhunt, says the attacks on the food industry are a reminder of why BEC is the costliest form of cybercrime worldwide. "We've called BEC the kingpin of cybercrime in the past. Advanced technologies will make BEC a monster, particularly for global companies."

The FBI and FDA OCI urged organizations in the food sector to play closer attention to vetting new customers and vendors, especially to things like the new company's name and branding. 

"Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners," they noted. 

Organizations should look for additional punctuation, changes in the top-level domains, misspellings, and added prefixes or suffixes. They should also conduct periodic Web scans to ensure that attackers are not spoofing their domain and brands, the advisory said.

FBI: Criminals Using BEC Attacks to Scavenge Food Shipments

A comprehensive data privacy program requires involvement from all parts of the business that deal with personal data.

Most organizations are ill-equipped when it comes to meeting upcoming compliance standards for data privacy, according to a new CYTRIO report focused on GDPR and California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) Data Subject Access Request (DSAR) requirements.

However, the results also indicated that noncompliant companies are making progress moving up the compliance maturity curve by moving to automate processes.

A major stumbling block for nearly all organizations surveyed is the cost and complexity of data privacy management solutions.

Vijay Basani, CEO of CYTRIO, says the most concerning surveying finding was that 52% of respondents who said they need to comply with the CCPA and CPRA do not provide a mechanism for consumers to exercise their data privacy rights.

"This means more than half the companies are electing to ignore data privacy and do not feel they need to respect the rights of consumers and their customers," he says.

Organizations that are still using error-prone and time-consuming manual processes for GDPR and DSAR requirements could be doing so because they are receiving a very low volume (one to five per year) of data requests.

"This could be a function of consumers not being aware of their data rights, such as right to access, right to delete or do not sell my information, and lack of active enforcement and fines for noncompliance in the U.S.," Basani says.

Bryan Cunningham, advisory council member at Theon Technology, explains that many compliance programs are run mostly by lawyers or financial professionals ill-equipped to evaluate technology and often "somewhat luddite" in their adoption of new technology.

"They are also highly risk averse and, partly because of their lack of understanding, skeptical that automated processes can ensure compliance without manual, human supervision," he says.

In addition, highly performant, trustworthy, and affordable technologies to do this type of work are not yet readily available, despite many vendors working to develop and sell solutions.

**Privacy Management Solutions Complex, Costly**

Most first-generation data privacy management solutions offer effective workflow automation capabilities but do not provide automated data discovery capabilities, Basani says.

Data discovery and identifying all personal information (PI) data belonging to a specific individual is the most time-consuming task.

"A typical company will save bits and pieces of PI data in many data stores, including structured databases and unstructured data stores, such as SharePoint, Office 365, Mailchimp, AWS S3, and so on, as well as SaaS applications such as Salesforce, HubSpot, and Shopify," he explains.

Developing technology to discover PI data in structured, unstructured, and software-as-a-service (SaaS) applications is not easy and requires significant investment.

"Technology tools that do this are costly to procure and take time to deploy," Basani says. "It requires various data stakeholders to collaborate during deployment and to respond to a data request."

To effectively respond to data subject requests, the solutions need to have visibility across a broad variety and significant volume of data store types and cloud environments, according to Claude Mandy, chief evangelist of data security at Symmetry Systems.

"The permissions and integrations required for responding to these requests are a challenge of complexity and scale," he says.

Adding to the cost for most solutions is the fact that many organizations have taken a traditional SaaS approach, requiring them to index this data to the solution provider's only environment, driving up storage and network costs.

**Keys to Holistic Data Privacy Management**

From Basani's perspective, a holistic data privacy policy should include both outward-facing communication clearly informing consumers that their PI data is being collected, and educating internal users and partners about the need to respect privacy and comply with data privacy regulations.

"Discuss what PI data is being collected, obtain consent from the consumers, share how the data is used, shared, stored, and processed," he says. "A privacy policy should clearly state what specific rights a consumer has about their personal data collected by the company."

It should also provide an easy mechanism for a consumer to exercise their data privacy rights, such as right to access or delete their information.

Stakeholders include legal and compliance teams, data owners, data processors, and data users in an organization.

Symmetry Systems' Mandy says a holistic data privacy policy should always start with an accurate and precise understanding of the personal information that an organization collects, uses, stores, and shares.

"It's only from an accurate understanding of information that organizations can reliably and transparently create a data privacy policy that reflects their actual practices," he says.

Refining the policy from the actual practice to desired state will require involvement from general counsel, security, privacy, and data teams.

"Most important are business stakeholders, who can describe how the personal information is used and why it is necessary," Mandy adds.

**Compliance Requirements Likely to Grow in 2023**

The CYTRIO report comes as a growing number of states weigh their own privacy legislation, following moves by California, Colorado, Virginia, and, most recently, Utah.

"We should expect data privacy compliance to continue to move forward in several states in 2023," Basani says.

He notes that as enforcement begins in several states, in addition to CPRA going to effect on Jan. 1, 2023, there will be enhanced consumer education about their data privacy rights.

"As CPPA turns its attention to CPRA enforcement with significantly more resources, we expect a meaningful increase in CPRA enforcement action and fines under CCPA/CPRA," he says.

Increased numbers of CCPA/CPRA fines and media coverage will result in greater consumer education about their data privacy rights, Basani adds.

"We saw this happen under GDPR in Europe, and we will see this happen with CCPA/CPRA," he says. "Employees’ rights to data privacy under CPRA should also increase the number of complaints and potential fines for noncompliance under CPRA."

As more states develop their own flavor of state privacy laws, the privacy landscape will continue to become more complex, adds Mandy Pote, managing principal of strategy, privacy, and risk at Coalfire.

"Organizations may find it difficult to keep up with new requirements – understanding applicability and determining reporting requirements," she says.

From her perspective, the best solution is to adopt a comprehensive data privacy program with the objective of implementing the most stringent set of privacy control requirements such that they follow current and future privacy laws.

"Rather than applying this program to certain systems or a certain subset of data, privacy should be blanketly implemented across the organization to ensure proper coverage," she notes.

Organizations Unprepared for Upcoming Data Privacy Regulations

Even without an overarching dictionary of common definitions, the concept of a secure access service edge (SASE) has spread, but a standard could help cloud services work better together.

During the coronavirus pandemic, organizations had to quickly adjust to the disappearance of central offices, employees working from home, and applications moving to the cloud.

The solution usually involved a combination of technologies — such as flexible networking infrastructure, identity and device-base security, and cloud-native applications and capabilities — continuing a trend identified by business analyst firm Gartner in 2019, which dubbed it the secure access service edge, or SASE (pronounced "sassy").

The SASE collection of cloud-centric technologies focuses on the identity of users and devices, granular access controls, functionality pushed to the network edge, and a de-emphasis on data centers — essentially, it's a combination of security technologies and software-defined wide area network infrastructure, commonly referred to as SD-WAN.

The term, however, quickly became a buzzword in the industry, with companies claiming to be SASE-compliant or have products that supported SASE. For that reason, nonprofit industry association MEF — a global industry association focused on network, cloud, and technology — decided this week to create a standard lexicon for SASE technologies and services that defines service attributes, a framework and common definitions, and a zero-trust framework.

The goal is to make services communicate better about capabilities and to make features — especially security features — interoperable across infrastructure, says Stan Hubbard, principal analyst with MEF.

With SASE, "the user can be anything and anywhere, and security and network functions can be distributed away from the enterprise data center to maximize the availability of high-performance edges and security clouds," Hubbard says, adding that "SASE standards are key to addressing the top two SASE service provider challenges which impact growth and efficiency in the market — customer education and lack of an industry standard."

**SASE Deployment Won't Wait for a Standard**

Gartner predicts that SASE will continue to grow quickly. By 2025, about 80% of companies expect to unify their Web, cloud services, and private application access using SASE, up from 20% in 2021, according to Gartner.

Yet, don't expect companies to wait for standards, says Andrew Lerner, vice president and analyst at Gartner.

"We don’t expect the lack of standards to limit adoption, and we also don’t expect the ratification or creation of a new standard to instantly change anything in the market," he says. "With time, we suspect that more offerings will emerge to achieve a certification, but vendors are not waiting, and enterprises aren't waiting either at this point."

The adoption is also driven by industry consolidation and organization's focus on simplifying their enterprise infrastructure. By 2025, about two-thirds (65%) of enterprises will consolidate a variety of SASE components into one or two SASE vendors, a massive increase from the 15% of companies that did so in 2021, according to Gartner.

Network technology and security firm Palo Alto Networks has seen similar industry consolidation. One customer, for example, simplified from nine products and five vendors down to a single SASE product, says Matt De Vincentis, vice president for SASE for the company, which is not a member of MEF.

"Almost every enterprise is trying to reduce the number of security tools and vendors that they have," he says. "Every time there is a new security vulnerability or availability issue, a new group of startups pop up to propose a solution. It's becoming unmanageable for customers."

**MEF Boosts the SASE Conversation**

Yet, with vendors and service providers claiming to have SASE products, both customers and partners need to establish a common dictionary and a common understanding of what capabilities SASE products should have, says MEF's Hubbard.

MEF has created standards, certification programs, and automation tools for the network, cloud, and service provider industries. The latest effort defines standards that define the attributes of SASE services and provides a framework for those services, while a second proposal creates a zero-trust framework for security services using identity, authentication, policy management, and access control to protect and secure organizations' data, systems, and networks.

"The SASE vendor ecosystem lacks common terminology leaving organizations challenged to compare SASE feature sets and solutions," Hubbard says. "Standards help simplify offerings and provide clarity for organizations when selecting SASE services. Choices can be made based on industry-standard features and common definitions allowing for easier evaluation and faster decision making and implementation."

With SASE Definition Still Cloudy, Forum Proposes Standard

The not-so-charming APT's intelligence-gathering initiatives are likely being used by the Iranian state to target kidnapping victims.

State-sponsored advanced persistent threat (APT) Charming Kitten (aka TA453), which is purportedly linked to the Islamic Revolutionary Guard Corps (IRGC), has updated its phishing techniques, and is using malware and more confrontational lures, possibly in service to kidnapping operations.

Since 2020, Proofpoint researchers have observed variations in phishing activity by the APT (which also overlaps with the groups Phosphorous and APT42), with the group employing new methods and targeting different targets than in the past. In the latest campaigns, researchers have observed more aggressive activity, which could be used to support attempted "kinetic operations" from the IRGC, including murder for hire and kidnapping, researchers said.

"TA453, like its fellow advanced persistent threat actors engaged in espionage, is in a constant state of flux regarding its tools, tactics, techniques, and targeting," a Proofpoint report out this week concluded. "Adjusting its approaches, likely in response to ever-changing and expanding priorities, the outlier campaigns are likely to continue and reflect IRGC intelligence-collection requirements, including possible support for hostile, and even kinetic, operations."

**Hacking E-Mail Accounts**

In 2021, Proofpoint documented TA453 spoofing two scholars at the University of London to try and gain access to email inboxes belonging to journalists, think tank personnel, academics, and others. In August, Google researchers said the hacking team had started employing a data-theft tool targeting Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials. Intelligence gathered from email conversations could be used for location tracking and more. 

One campaign that researchers observed against a former member of the Israeli military was threatening and disturbing in that regard, Proofpoint's report noted.

"TA453 utilized multiple compromised email accounts, including those of a high-ranking military official, to deliver a link to the target," researchers explained. "The use of multiple compromised email accounts to target a single target is unusual for TA453. While each of the URLs observed were unique to each compromised email account, each linked to the domain gettogether\[.\]quest and pointed to the same threatening message in Hebrew."

The message read: "I'm sure you remember what I told you. Every email you get from your friends may be me and not someone who it claims. We follow you like your shadow, in Tel Aviv, in \[redacted\], in Dubai, in Bahrain. Take care of yourself."

**Updated Cyber-Targets for Charming Kitten**

Previous Charming Kitten email campaigns had almost always targeted academics, researchers, diplomats, dissidents, journalists, and human rights activists, using web beacons in message texts before eventually attempting to tap the target's credentials. Such campaigns can start with weeks of innocuous conversations on accounts created by the actors before launching the actual attack.

The new campaigns have targeted specific researchers in the medical field, an aerospace engineer, a real estate agent, and travel agents, among others, wrote Proofpoint researchers Joshua Miller and Crista Giering in a post this week.

In some cases, TA453 relies on a fictitious person, "Samantha Wolf," as bait. Proofpoint researchers first identified the persona in mid-March when the associated Gmail account was included in the bait content of a malicious document.

"Samantha's confrontational lures demonstrate an interesting attempt to generate engagement with targets not seen from other TA453 accounts," the report noted.

The Proofpoint report said it could state "with moderate confidence" that the more aggressive activity could represent collaboration with another branch of the Iranian state, including the IRGC Quds Force, which carries out physical operations.

In May, Israeli intelligence agency Shin Bet identified Iranian intelligence services' phishing activity designed to lure targets to kidnap them, Proofpoint noted.

"Based on the indicators provided, Proofpoint correlated this activity with TA453 campaigns from December 2021 in which campaigns attributed to TA453 used a spoofed email address of a reputable academic ... to give a researcher an 'Invitation to Zurich Strategic Dialogue Jan-2022,' " according to the report.

Iran-Backed Charming Kitten APT Eyes Kinetic Ops, Kidnapping

The MirrorFace group has deployed popular malware LodeInfo for spying and data theft against certain members of the Japanese House of Representatives.

The Chinese APT group MirrorFace attempted to influence the elections for the Japanese House of Representatives this year, an investigation has revealed.  

According to researchers at European IT security vendor ESET, the group used spear-phishing attacks on individual members of a political party. The research team, which calls the campaign Operation LiberalFace, found the fraudulent emails contained the well-known malware LodeInfo, a backdoor used to spread malware or steal credentials, documents, and emails from its victims.

MirrorFace is a Chinese-language threat actor that targets companies and organizations based in Japan. It launched the attack on June 29, 2022, before the Japanese elections in July.

Under the pretext of being the PR department of a Japanese political party, MirrorFace asked the recipients of the emails to share the attached videos on their own social media profiles. This was allegedly to further strengthen the party's perception and secure victory in the Chamber of Deputies.

The message also contains clear instructions on the publishing strategy for the videos and was supposedly sent in the name of a prominent politician.

**Malicious Attachments**

All spear-phishing messages contained a malicious attachment that, when executed, triggered the LodeInfo malware program on the compromised machine.

LodeInfo is a MirrorFace backdoor that is under continuous development. Its functions include taking screenshots, keylogging, terminating processes, exfiltrating data, executing additional malware, and encrypting certain files and folders.

The sophisticated and ever-evolving LodeInfo has earlier been deployed against media, diplomatic, government, public sector, and think-tank targets, according to researchers at Kaspersky, who have been tracking the malware family since 2019.

A previously undocumented credential stealer, named MirrorStealer by ESET Research, was also used in the attack. It's capable of stealing credentials from various applications such as browsers and email clients.

"During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims," wrote ESET researcher Dominik Breitenbacher. "Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes."

There is speculation that this hacker group may be connected to APT10, but ESET could not find clear evidence of this or of cooperation with other APT groups in its analysis and is therefore pursuing MirrorFace as a separate entity.

The group reportedly primarily targets media, defense contractors, think tanks, diplomatic organizations, and academic institutions, with the goal of spying on and exfiltrating files of interest.

State-sponsored cyberattackers affiliated with China are actively building out a large network of attack infrastructure by compromising targets in the public and private spheres, according to a joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI.

The state-sponsored group RedAlpha APT, for example, has for years been targeting organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses.

Chinese APT Group MirrorFace Interferes in Japanese Elections

Effective customer data management helps companies avoid data breaches and the resulting cascade of issues. From validating "clean" data to centralized storage and a data governance strategy, management steps can help keep data safe.

Did you know that over 83% of companies experience data breaches because of inaccurate data management?

Data breaches can cause serious issues, such as information leaks, file corruption, and stolen property.

**Effective Data Management Steps**

The good news is that you can avoid all those issues with proper customer data management. Here's what you need to know about effective customer data management for keeping your business safe, secure, and profitable.

**1\. Keep Data Clean**

One factor of misinformed decisions involves something called dirty data. To get a better idea of what dirty vs. clean data looks like, we've broken things down in the table below:

**CLEAN DATA**

**DIRTY DATA**

*   Complete records for a corresponding database

*   Comes from the people and the system

*   Any information that's unique, valid, and accurate

*   Inaccurate, inconsistent, and duplicated data

*   Readily accessible

*   Mistaken information during data recording

Keeping data clean includes validating and updating email addresses, home addresses, and phone numbers as needed. It also involves deleting obsolete contacts and removing any duplicated data.

Data cleansing can also involve the following:

*   Performing a data audit;
*   Establishing customer data centralization across departments instead of silos; and
*   Following a consistent company data format.

When you do all these, you're enhancing your data's current value. Having clean data within your organization ensures no miscommunications or missed opportunities when interacting with current and potential customers.

**2\. Centralize Your Data Storage**

Data storage centralization focuses on keeping data in a single location to help streamline processes and prevent inaccurate or incorrect data.

Centralizing your data storage also promotes better control and mobility of the information, enhancing your business' overall workflow and boosting efficiency.

Also, having a single data storage system allows quicker and easier maintenance. Imagine running multiple storage systems with different nodes — this makes it difficult to locate the problem whenever a failure occurs.

Finally, centralized data storage systems are easier to safeguard. In contrast, distributed storage systems become more vulnerable and difficult to analyze once a data breach occurs.

Here are a few examples of data storage that you can implement:

*   **On-premises storage:** A local data center set up in your physical office.
*   **Cloud storage:** Involves maintenance by a service provider and an internet connection for easy access.
*   **Hybrid cloud storage:** Combined on-premises and cloud storage, giving you more flexibility.

**3\. Implement Data Sharing**

Data sharing is a give-and-take process that involves various departments gaining access to the company's data.

Implementing data sharing can help the company's data and analytics personnel access the data they need when they need it. This results in better analytics strategies for the business's enhanced digital transformation.

When companies allow data sharing, they also improve efficiency. This is because more employees can access the information they need, speeding up the workflow.

Of course, when implementing data sharing, you must ensure you're doing so carefully. Otherwise, you can easily run into data breach issues. And, of course, informing customers of data breach issues is never fun.

So, use trusted and encrypted data-sharing systems that allow you to transfer information among users safely.

**4\. Create a Data Governance Strategy**

Data governance is another important part of data security and proper management and organization of information.

Essentially, it refers to managing the integrity, usability, accessibility, and security of your company's data.

Creating a data governance strategy also ensures all employees have the same goal for managing your company's customer data.

The three main parts of an effective data governance strategy include:

*   **Alignment:** Standardizing step in customer data collection across all departments.
*   **Validation:** Confirmation that data collection is performed correctly.
*   **Enforcement:** Changes in data collection should pass through the right channels.

The goal of a data governance strategy is a data dictionary, or a tracking plan. It should explain each piece of data collected, its owner, and the purpose of its collection.

**5\. Back up your data**

Roughly 58% of small businesses haven't considered backing up their data. This is a big problem because if that data gets corrupted or goes missing, those businesses won't have a way of restoring it.

One key method of managing your customer data relies on backing it up. A backup protects your business against data leaks, lost data, corrupted data, and other loss-related issues.

The three most common backup methods are:

*   **Full backup:** Which copies all your data in storage.
*   **Incremental backup:** Copies all the changed data since the last backup.
*   **Differential backup:** A full backup at first that later switches to incremental during the succeeding updates.

Any of these methods can help protect your customer data against any type of loss.

**Best Practices**

Effective customer data management helps protect customer privacy and prevent internal and external communication. It can prevent serious issues such as information leaks and data corruption.

A good data management strategy should involve centralized data storage, data sharing, and data governance, clean data, and regular backups.

By implementing these best practices, you'll be able to protect your company's data while ensuring your customers stay confident in your business's reliability.

Compliance Is Not Enough: How to Manage Your Customer Data

Accelerating security challenges and the increasing footprint of edge and IoT devices call for zero-trust principles to drive cyber resiliency.

As businesses ramp up their adoption of edge and Internet of Things (IoT) infrastructure, security risks that already challenge IT organizations stand to become trickier than ever. The distributed nature of edge devices, the scale of IoT, and the limited compute capacity of devices at the edge heap on added difficulties to the increasingly shaky traditional security practices of yesteryear. In the era of edge, it simply won't be feasible anymore to cling to the castle-and-moat security tactics that practitioners have held on to for probably a decade too long as it was.  

Zero-trust principles are going to be key to meeting the security challenges of today and tomorrow — and fundamental to that will be architecting secure server hardware that stands at the bedrock of edge architecture.

**The Challenges Calling for Zero Trust**

Edge and IoT notwithstanding, security threats keep growing. Recent statistics show that global attack rates are up by 28% in the last year. Credential theft, account takeovers, lateral attacks, and DDoS attacks plague organizations of all sizes. And the costs of cybercrime keep ticking upward. Recent figures by the FBI's Internet Crime Complaint Center (IC3) found that cybercrime costs in the US topped $6.9 billion, up dramatically from $1.4 billion in 2017.

Throwing transformative technology architectures into this mix will only exacerbate matters if security isn't baked into the design. Without proper planning, securing assets and processes at the edge becomes more difficult to manage due to the rapidly proliferating pool of enterprise devices.

Market stats show that there are already more than 12.2 billion active IoT and edge endpoints worldwide, with expectations that by 2025 the figure will balloon to 27 billion. Organizations carry more risk because these devices are different than traditional on-premises IT devices. Devices at the edge — particularly IoT devices — frequently:

*   Process critical data away from data centers, with data including more private information
*   Are not supported or secured as strongly by many device manufacturers
*   Don't control passwords and authentication as strongly as traditional endpoints
*   Have limited compute capacity to implement security controls or updates
*   Are geographically distributed in nonsecured physical locations with no barbed wire, cameras, or barriers protecting them

All of this adds up to an enlarged attack surface that is extremely difficult to manage due to the sheer scale of devices out there. Policies and protocols are harder to implement and manage across the edge. Even something as "simple" as doing software updates can be a huge task. For example, often IoT firmware updates require manual or even physical intervention. If there are thousands or even tens of thousands of those devices run by an organization, this quickly becomes a quagmire for an IT team. Organizations need better methods for pushing out these updates, doing remote reboots, and performing malware remediation, not to mention monitoring and tracking the security status of all of these devices.

**More Than Authentication: The Promise of Zero Trust**

Zero trust is a set of guiding principles and an architectural approach to security that's well-suited to start addressing some of the edge security challenges outlined above. The heart of the zero-trust approach is in conditional access. The idea is that the right assets, accounts, and users are only granted access to the assets they need — when they're authorized, and when the situation is safely in line with the org's risk appetite. The architecture is designed to continually evaluate and validate all of the devices and behaviors in the IT environment before granting permissions and also periodically during use. It's great for the fluidity of the edge because it's not tied to the physical location of a device, network location, or asset ownership.

It's a sweeping approach, and one that can help reduce the risk surface at the edge when it is done right. Unfortunately, many organizations have taken a myopic view of zero trust, equating it solely as an authentication and authorization play. But there are a whole lot of other crucial elements to the architecture that enterprises need to get in place.

Arguably the most critical element of zero trust is the verification of assets before access is granted**.** While secure authentication and authorization is crucial, organizations also need mechanisms to ensure the security of the device that's connecting to sensitive assets and networks — including servers handling edge traffic. This includes verifying the status of the firmware in place, monitoring the integrity of the hardware, looking for evidence of compromised hardware, and more.

**Enabling Zero Trust With the Right Hardware**

While there is no such thing as zero-trust devices, organizations can set themselves up for zero-trust success by seeking out edge hardware that's more cyber resilient and enables easier verification of assets to stand up to the rigors of a strong zero-trust approach to security.

This means paying close attention to the way vendors architect their hardware. Ask questions to ensure they're paying more than just marketing lip service to the zero trust ideal. Do they follow a framework like the US Department of Defense's seven-pillar zero-trust standards? Looking for important controls for device trust, user trust, data trust, and software trust baked into the products that organizations choose to make up their edge architecture will in turn help them build zero trust into their own architecture.

Zero Trust in the Era of Edge

Check out our slideshow detailing the emerging cybersecurity trends in cloud, creating a defensible Internet, malware evolution, and more that lit up audiences in London.

Live From London: Next-Gen Cybersecurity Takes Stage at Black Hat Europe

SHA-1 was deprecated in 2011. NIST has set the hashing algorithm's final retirement date to Dec. 31, 2030.

It is time to retire SHA-1, or the Secure Hash Algorithm-1, says the US National Institute of Standards and Technology (NIST). NIST has set the date of Dec. 31, 2030 to remove SHA-1 support from all software and hardware devices.

The once-widely used algorithm is now easy to crack, making it unsafe to use in security contexts. NIST deprecated SHA-1 in 2011 and disallowed using SHA-1 when creating or verifying digital signatures in 2013.

"We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible," NIST computer scientist Chris Celi said in a statement.

SHA-1 was among the seven hash algorithms originally approved for use in the Federal Information Process Standards (FIPS) 180-4. The next version of the government's standard, FIPS 180-5, will be final by the end of 2030 -- and SHA-1 will not be included in that version. That means after 2030, the federal government will not be allowed to purchase devices or applications still using SHA-1.

Developers need to make sure their applications don't use any components that support SHA-1 by that time. While it may seem like plenty of time to make updates, developers need to submit the applications to be certified as meeting FIPS requirements. It's better to get verified and recertified earlier rather than later, as there may be a backlog of revised code to review, NIST said.

"By completing their transition before December 31, 2030, stakeholders – particularly cryptographic module vendors – can help minimize potential delays in the validation process," NIST said.

Along with updating FIPS, NIST will revise NIST Special Publication (SP) 800-131A to reflect the fact that SHA-1 has been withdrawn, and will publish a transition strategy for validating cryptographic modules and algorithms.

SHA-1 has been on its way out for years. Major web browsers stopped supporting digital certifications based on SHA-1 in 2017. Microsoft dropped SHA-1 from Windows Update in 2020. But there are still legacy applications that support SHA-1.

While hashing is supposed to be one-way and not reversible, attackers have taken SHA-1 hashes of common strings and stored them in lookup tables, making it trivial to launch dictionary-based attacks.

Also, collision attacks – initially described as a theoretical attack in 2005 – became more practical in 2017. While individual strings produce unique hashes most of the time, the collision attack creates a situation where two different messages generate the same hash value, allowing attackers to use a different string to crack the hash.

Source

DARKReading