Craft specific awareness training for high-exposure teams like finance, and reinforce other critical awareness training across the organization.

After hardening our corporate environment and improving our device management as the chief information security officer (CISO) with other organizations, I began to notice the threat landscape changing and evolving rapidly. Specifically, social engineering and phishing tactics shifted seemingly overnight and continued to stay steps ahead of our awareness training.

Instead of sending emails to corporate addresses protected with multiple security solutions, cybercriminals started doing their homework, using social media sites like LinkedIn to capture names, roles, and photos to build dossiers on individual users.

They then started engaging our employees through messaging apps like WeChat, Facebook Messenger, WhatsApp, and Signal. The cybercriminals set up accounts under the names of senior managers or executives from our company. They used names and photos they found on social media to mimic the person's name and likeness. They became very effective at becoming the person they were imitating.

After creating these social accounts, the cybercriminals then used them to reach out to unsuspecting employees. The employees saw the name and photo, and immediately assumed they were chatting with someone they knew. The fake account holder then asked them to make changes or process requests. They used the pretext that they'd been locked out of their corporate account or that they were looking at a merger and acquisition and didn't want to put the request into the corporate system as cover for instigating the request from a personal account. Next, they asked for a purchase order to be paid or for a bank account number to be changed.

When done legitimately, these requests typically followed standardized processes to prevent these exact types of scams. Yet, over and over again I saw how powerful these fake identities were in causing my employees to forget these processes. Instead, they genuinely wanted to help and truly believed that's what they were doing.

We had a few of these reported over the course of a week. This led to us crafting specific awareness training — a unique program for high-impact teams, including finance, human resources, accounting, and others. We adapted our annual awareness training to reflect this change in tactics. We also added examples of these types of attacks to our internal newsletters and communicated them to our entire organization.

Attackers will learn how to get to our end users. They have every incentive to do so. If they don't get to our employees, then they don't make money. They are financially motivated, and they will continue to adapt to find a way to be successful.

Here are six ways your organization can adapt to protect your employees and your business.

**Conduct security awareness training**

Ensure your organization is trained. Every user needs to be aware of these types of attacks and fraud attempts. They can detect, report, or simply ignore them if they have the right knowledge. This will not only help to protect the business, it will also help protect our employees in their personal lives, as they will be less likely to fall for these types of attacks against their personal accounts.

**Update apps and mobile devices**

All software has flaws. When a patch is available, it's always best to update it. Even if there isn't a listed security fix, things that are not part of the updated notes are being updated or fixed.

**Encourage use of privacy settings**

Most applications have privacy settings. Warn employees against leaving their accounts, profiles, and posts up for anyone to see. Apply privacy to prevent unsanctioned eyes from seeing your content. Don't allow pictures and personal information to be downloaded without the user’s consent. This won't be available on every platform, but it's always wise to set privacy settings to see the available options.

**Focus on credentials**

Encourage employees to use strong credentials when signing up for accounts. The last thing you want is for someone to compromise your account and then use it to trick your contacts. Mandate strong passwords and enable two-factor authentication where available or, better yet, multifactor authentication.

**Think before you click**

Explain the importance of being mindful of clicking links. Not every link is legitimate. Teach users to consider the context surrounding the link being shared before clicking on it. Where possible, hover over the link and see if the link is going to the domain you'd expect. When in doubt, don't follow odd requests.

**Ignore sketchy messages**

Establish a protocol for giving strange requests greater scrutiny. If it's a stranger, ignore it. If it claims to be from a known person, verify. Reach out via another method, like a corporate messaging solution such as Slack or Teams, or verify using a mobile number. Remember, often, employees want to help or avoid bothering a superior, so make sure they know that will not be the case.

In all my interactions with executives and senior business leaders, I have never had one complaint when I reached out to verify their identity or confirm one of their requests. So don't be afraid to do it. It's easier to confirm ahead of time than to explain why a predetermined process that led to the company losing money got ignored.

Cybercriminals and scammers are good at their jobs, and we wouldn't have ours if they weren't. They are social engineering experts. They know how to appeal to emotions and get people to act the way they want. But following these steps can reduce the risk of falling victim to their requests.

Stay safe out there, friends!

Read more _Partner Perspectives_ from Zscaler.

As Social Engineering Tactics Change, So Must Your Security Training

Ensuring that data can be easily discovered, classified, and secured is a crucial cornerstone of a data security strategy.

The explosion of data and applications has made multicloud – where the organization's data is stored on multiple cloud platforms and applications -- a reality for many organizations. Along with expanding the attack surface, the multicloud makes the task of securing and managing data even more challenging.

Almost 20% of CISOs responding to a data security survey from Eureka Security and YL Ventures say they don't know what database/platform they use to store the organization's sensitive data.

The survey defined sensitive data as personally identifiable information (PII), personal health information (PHI), secrets such as passwords and application tokens, and payment card information (PCI). In this survey, PII was the most common sensitive data stored (84%), followed by secrets (55%), PHI (29%) and PCI (29%).

Most CISOs say they employ tools and methodologies for limiting access to data. The majority of respondents say they rely on dedicated groups (92%) and network policies (51%).

**Sensitive Data Stored in the Cloud**

There are organizations still leery about migrating application workloads to the cloud because of concerns about storing sensitive data in servers they don't have full control over. However, the survey suggests that most organizations are not letting data security concerns hold them back from the cloud. About 45% of respondents say they store sensitive data in public clouds, and the same number of respondents say they rely on a hybrid approach, with sensitive data stored across cloud and on-premise systems. Just 2% of respondents say sensitive data are stored on-premises.

In fact, 22% of respondents stated that more than half of their cloud data is sensitive.

Respondents were also asked to list the top three databases/platforms used to store sensitive data. PostgreSQL was by far the most popular database (41%) and MySQL, MsSQL, Oracle, and Snowflake had the same usage rates (22%). The report notes that many CISOs are relying on "lift-and-shift" – where they are moving from on-premises to cloud without adopting cloud-specific data security controls, such as classification and masking policies.

There is also a bit of a disconnect between the number of respondents who say they store sensitive data in cloud systems and the number of respondents who use cloud platforms. Of the top 5 platforms, Snowflake is the only one specifically built for the cloud with end-to-end cloud data security features.

The Addressing Cloud Data Security in the Multi-Cloud Era report is available from Eureka Security and YL Ventures.

Data Security in Multicloud: Limit Access, Increase Visibility

Without noncompetes, how do organizations make sure employees aren't taking intellectual property when they go work to work for a competitor?

**Question: How would the FTC rule on noncompetes affect data security?**

**Jadee Hanson, CIO and CISO, Code42:** The Federal Trade Commission's proposed rule grants employees well-deserved autonomy regarding where they work, and when. However, it also complicates the relationship between employer and employee when it comes to data ownership, and security teams need to be aware that, if passed, their employees could easily leave their company for a competitor, with sensitive data and intellectual property (IP) in tow.

One reason noncompetes exist is to keep company data and intellectual property from leaking to competitors. It's easy to verify when a former employee takes a new position with a competitor, but not so easy to know if that employee took company data with them. I would argue that companies should not be relying solely on noncompete agreements to keep their valuable IP safe — but their potential ban makes it even more important to have the proper data security in place.

Organizations should incorporate technologies and processes that can identify risky file movements without inhibiting the organization's collaborative culture and employee productivity. They need technology that can see movement across a variety of cloud applications, automate security alerts, and prioritize insider risk concerns. Today, data is highly portable, and users are doing their jobs off the company network — greatly decreasing security's visibility into file movements. Potential risk indicators could include file movements made while users are off-hours, changing file extensions, or having access to the files of a highly confidential project. Without technology providing the right visibility, it's nearly impossible for security to focus on the right protections and mitigate the overall data exposure risk.

There's an assortment of tools that business leaders can choose from, but the most effective data protection technology can tell the difference between trusted and untrusted locations and allows employees to openly collaborate. In particular, insider risk management tools allow you to monitor, filter, and prioritize risk events, detecting when files are moving to noncorporate locations, including personal devices and cloud storage solutions.

This being said, it's not solely about the tools. Security and HR teams should also be sure to define formal onboarding and offboarding policies for employees, proper data handling training, and processes to address insider risks as they are found. A good security culture starts with a security team that is willing to empower the entire organization to get its job done. Using a "trust but verify" approach allows leaders to facilitate positive, trusting relationships with employees, using monitoring tools to ensure they're only intervening when it's absolutely necessary. The way organizations manage the relationship between their security teams and the broader employee and user base has decisive effects on retention and the overall employee experience. If security, legal, and HR teams approach insider risk events in the same combative, and sometimes hostile, manner they do external threats, it can increase tension between themselves and the rest of the organization, sowing the seeds for a culture of distrust among employees.

At the end of the day, it's on every employee in the workforce to do their part in keeping the company secure, and creating a security-aware culture from the get-go is a great way to create this vigilance.

By embodying a security-focused attitude and having a holistic data protection program in place internally, security leaders can have peace of mind knowing that they're maintaining a positive work environment for their teams while also feeling confident that important competitive data is not leaving with employees.

How Would the FTC Rule on Noncompetes Affect Data Security?

These specialized database servers, which collect and archive information on device operation, often connect IT and OT networks.

Databases are a common point of attack by threat actors, but an uncommon type of database is gaining attention as a potentially critical target: data historian servers.

On Jan. 17, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that a set of five vulnerabilities found in the the GE Proficy Historian server could leave unpatched servers vulnerable to exploitation of poor access controls and the upload of dangerous files. GE is not alone: In the past, security researchers have found security issues in Schneider Electric's Vijeo Historian Web server and Siemens' SIMATIC Process Historian.

The servers could be used as a bridge between an organization's information technology (IT) network and its operational technology (OT) network, Uri Katz, a security researcher for cybersecurity firm Claroty's Team82 stated in its advisory on the GE Proficy vulnerabilities. 

"\[D\]ue to its unique position in between the IT and OT networks, attackers are targeting the historian, and could use it as a pivot point into the OT network," Katz said, adding that "historians often contain valuable data about industrial processes, including data about process control, performance, and maintenance."

Data historian servers — also called operational historians or process historians — give companies the ability to monitor and analyze data from their industrial control systems and physical-device networks. Essentially a data lake to store time-series data in an industrial setting, historians collect real-time information on critical infrastructure, manufacturing, and operations. 

For attackers, however, the historian server represents an opportunistic bridge between the IT and OT segments of a network because it is typically a centralized database connected to both. Because of this, historian servers have been identified as a likely target of attack in ICS networks, including adversary-in-the-middle attacks and database injection attacks, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

**DMZ**

While combining IT and OT networks can make industrial technology more agile and cost effective, "multi-network integration strategies often lead to vulnerabilities that greatly reduce the security of an organization, and can expose mission-critical control systems to cyber threats," CISA stated in its Control Systems Cyber Security Defense in Depth Strategies document.

While only one of the four advisories for industrial control systems published by the agency on Jan. 17 had to do with historian servers, CISA has warned in the past about vulnerable historian servers, such as Siemens SIMATIC Process Historian in 2021. In its previous incarnation as the ICS-CERT, the organization also warned about default passwords in Schneider Electric's Wonderware Historian in 2017 and vulnerabilities in Schneider Electric's Vijeo Historian Web Server in 2013.

Claroty's Team 82 research group installed the historian software, enumerated the structure of the messages it uses to communication, and looked for authentication bypasses to compromise the server. It found vulnerabilities that could allow an attacker to bypass authentication, delete a code library, replace the library with malicious code, and then run that code.

So far, no attack using a historian server has caused a publicized breach, Claroty's Katz said in an email interview. Yet historian servers do represent an interconnection between operational and information networks that will likely be exploited in the future, he added.

"Historian servers are generally not Internet-facing, but they are often located in the DMZ layer between the enterprise network and OT network," he said. "Some of the vulnerabilities can be chained to bypass authentication and gain pre-authentication remote code execution."

**History Lessons**

Industrial and critical-infrastructure organizations should include historian servers in their cybersecurity planning, experts say. In a list of five scenarios that companies should perform as industrial control system (ICS) tabletop exercises, the SANS Institute's Dean Parsons included a breach that uses a data historian to gather data on sensitive devices and controls.

"A set of compromised IT Active Directory credentials \[could be\] used to access the Data Historian, then pivot into the industrial control environment," said Parsons, who is also CEO and a principal consultant of ICS Defense Force. "It is critical that ICS networks be segmented from the Internet and from the IT business network."

Organizations should ensure historian servers are up to date and separated from other parts of the network, Claroty's Katz said. "Network segmentation is ... a mitigation that could help against these vulnerabilities and keep attackers from using them as a pivot point from IT to OT," he says.

Some ICS cybersecurity vendors, such as Waterfall Security and Clarify, limit access to the historian servers. They instead clone the system in the IT network segment or offer an intermediary service, allowing engineers and technicians to access the data while preventing attackers from executing code or changing data.

Vulnerable Historian Servers Imperil OT Networks

The founder and majority owner of a cryptocurrency exchange, Bitzlato Ltd. (Bitzlato), was arrested last night in Miami for his alleged operation of a money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements. 

Anatoly Legkodymov, 40, a Russian national who resides in Shenzhen, People’s Republic of China, is scheduled to be arraigned this afternoon in the U.S. District Court for the Southern District of Florida. French authorities and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) are taking concurrent enforcement actions.

"Today the Department of Justice dealt a significant blow to the cryptocrime ecosystem," said Deputy Attorney General Lisa O. Monaco. “Overnight, the Department worked with key partners here and abroad to disrupt Bitzlato, the China-based money laundering engine that fueled a high-tech axis of cryptocrime, and to arrest its founder, Russian national Anatoly Legkodymov. Today’s actions send the clear message: whether you break our laws from China or Europe – or abuse our financial system from a tropical island – you can expect to answer for your crimes inside a United States courtroom.”

“As alleged, the defendant helped operate a cryptocurrency exchange that failed to implement required anti-money laundering safeguards and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division. “The National Cryptocurrency Enforcement Team’s tremendous efforts to disrupt Bitzlato and arrest the defendant demonstrate that we will continue to work with our partners – both foreign and domestic – to combat cryptocurrency-fueled crimes, even if they transcend international borders.”

According to court documents, Legkodymov is a senior executive and the majority shareholder of Bitzlato, a Hong Kong-registered cryptocurrency exchange that operates globally. Bitzlato has marketed itself as requiring minimal identification from its users, specifying that “neither selfies nor passports \[are\] required.” On occasions when Bitzlato did direct users to submit identifying information, it repeatedly allowed them to provide information belonging to “straw man” registrants.

“Institutions that trade in cryptocurrency are not above the law and their owners are not beyond our reach,” said U.S. Attorney Breon Peace for the Eastern District of New York. “As alleged, Bitzlato sold itself to criminals as a no-questions-asked cryptocurrency exchange, and reaped hundreds of millions of dollars’ worth of deposits as a result. The defendant is now paying the price for the malign role that his company played in the cryptocurrency ecosystem.”

As a result of these deficient know-your-customer (KYC) procedures, Bitzlato allegedly became a haven for criminal proceeds and funds intended for use in criminal activity. Bitzlato’s largest counterparty in cryptocurrency transactions was Hydra Market (Hydra), an anonymous, illicit online marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services that was the largest and longest running darknet market in the world. Hydra users exchanged more than $700 million in cryptocurrency with Bitzlato, either directly or through intermediaries, until Hydra was shuttered by U.S. and German law enforcement in April 2022. Bitzlato also received more than $15 million in ransomware proceeds.

“The FBI will continue to pursue actors who attempt to mask their criminal activity behind keyboards and use means such as cryptocurrency to evade law enforcement,” said Assistant Deputy Director Brian Turner of the FBI. “We, along with our federal and international partners, will work relentlessly to disrupt and dismantle these types of criminal enterprises. Today’s arrest should serve as a reminder the FBI will impose risk and consequences upon those who engage in these activities.”

“As alleged today, Legkodymov knowingly allowed Bitzlato to become a perceived safe haven for funds used for and resulting from a variety of criminal activities,” said Assistant Director in Charge Michael J. Driscoll of the FBI New York Field Office. “The FBI and our partners remain steadfast in our commitment to keeping cryptocurrency markets – as with any financial market – free from illicit activity.  Today’s action should serve as an example of this commitment as Legkodymov will now face the consequences of his actions in our criminal justice system.”

As alleged in the complaint, Bitzlato’s customers routinely used the company’s customer service portal to request support for transactions with Hydra, which Bitzlato often provided, and admitted in chats with Bitzlato personnel that they were trading under assumed identities. Moreover, Legkodymov and Bitzlato’s other managers were aware that Bitzlato’s accounts were rife with illicit activity and that many of its users were registered under others’ identities. For instance, on May 29, 2019, Legkodymov used Bitzlato’s internal chat system to write to a colleague that Bitzlato’s users were “known to be crooks,” using others’ identity documents to register their accounts. Legkodymov was repeatedly warned by colleagues that Bitzlato’s customer base consisted of “addicts who buy drugs at \[\] Hydra” and “drug traffickers,” with one senior executive even stressing that Bitzlato should combat drug dealers only “nominally,” to avoid hurting the company’s bottom line. An internal spreadsheet saved in Bitzlato’s shared management folder encapsulated the company’s view of itself: “Positives: No KYC. . . . Negatives: Dirty money. . . .”

As alleged in the complaint, although Bitzlato claimed not to accept users from the United States, it did substantial business with U.S.-based customers, and its customer service representatives repeatedly advised users that they could transfer funds from U.S. financial institutions. Moreover, Legkodymov – who himself administered Bitzlato from Miami in 2022 and 2023 – received reports reflecting substantial traffic to Bitzlato’s website from U.S.-based Internet Protocol addresses, including over 250 million such visits in July 2022.

Legkodymov is charged with conducting an unlicensed money transmitting business. If convicted, he faces a maximum penalty of five years in prison.

Concurrent with the arrest announced today, French authorities, working with Europol and partners in Spain, Portugal, and Cyprus, dismantled Bitzlato’s digital infrastructure, seized Bitzlato’s cryptocurrency, and took other enforcement actions.

In addition, the Treasury Department’s FinCEN announced an Order pursuant to section 9714(a) of the Combating Russian Money Laundering Act, as amended, identifying Bitzlato as a “primary money laundering concern” in connection to Russian illicit finance. The order imposes a special measure prohibiting certain transmittals of funds involving Bitzlato by any covered financial institution.

National Cryptocurrency Enforcement Team (NCET) Trial Attorneys Alexander Mindlin, Scott Meisler, and Matthew Blackwood of the Justice Department’s Criminal Division and Assistant U.S. Attorney Artie McConnell for the Eastern District of New York are prosecuting the case, with assistance from Paralegal Specialist Mary Clare McMahon.

The Justice Department investigated this case in close coordination with French law enforcement authorities and the Treasury Department’s FinCEN, both of which took separate enforcement actions today under their respective authorities. The Justice Department’s Office of International Affairs and the FBI’s Legal Attaché in France provided critical assistance in this case, with significant support from the department’s Cyber Operations International Liaison. The NCET and U.S. Attorney’s Office for the Eastern District of New York also extend their appreciation to the Cyber Division of the Paris Prosecution Office and to France’s Gendarmerie Nationale Cyberspace Command (Cyber Crime Investigation Unit / C3N). Assistance was also provided by the Customs and Border Protection, the Transportation Safety Administration, and the New York City Police Department. EUROPOL and Dutch and Belgian authorities have contributed to the overall investigation with respect to operational expertise, coordination, and information-sharing.

The NCET was established to combat the growing illicit use of cryptocurrencies and digital assets. Under the Criminal Division, the NCET conducts and supports investigations into individuals and entities that enable the use of digital assets to commit and facilitate a variety of crimes, with a particular focus on virtual currency exchanges, mixing and tumbling services, and infrastructure providers. The NCET also sets strategic priorities regarding digital asset technologies, identifies areas for increased investigative and prosecutorial focus, and leads the department’s efforts to collaborate with domestic and foreign government agencies as well as the private sector to aggressively investigate and prosecute crimes involving cryptocurrency and digital assets. 

_A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law._

Founder and Majority Owner of Cryptocurrency Exchange Charged With Processing Over $700 Million of Illicit Funds

Layoffs intended to cut costs, help company shift its focus on cybersecurity services, Sophos says.

A slowing economy and a strategic push into the cybersecurity services market were reportedly behind a decision to cut some 450 jobs at Sophos.

Although reports haven't confirmed the exact number of layoffs at Sophos, a company spokesperson, Jitendra Bulani, told TechCrunch the restructuring could potentially impact as much as 10% of the global Sophos workforce.

"Sophos is taking these steps for two main reasons: first, to ensure that we achieve the optimal balance of growth and profitability to support Sophos’ long-term success, which is particularly important in the midst of a challenging and uncertain macro environment, and second, to allocate our investments across the company to support our strategic imperative to be a market leader in delivering cybersecurity as a service," Jitendra said.

Sophos was acquired by Thoma Bravo for $3.9 billion in March 2020.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Sophos Cuts Jobs to Focus on Cybersecurity Services

The powerful AI bot can produce malware without malicious code, making it tough to mitigate.

The newly released ChatGPT artificial intelligence bot from OpenAI could be used to usher in a new dangerous wave of polymorphic malware, security researchers warn.

One of the many spectacular tricks ChatGPT has been able to pull off is writing highly advanced malware that actually contains no malicious code at all, making it difficult to detect and mitigate, researchers at CyberArk explained in its recent threat research report.

The CyberArk team also detailed how the chatbot can be used to both generate injection code, as well as mutate it.

This new wave of cheap and easy ChatGPT polymorphic malware is something cybersecurity professionals should pay attention to, the analysis added.

"As we have seen, the use of ChatGPT's API within malware can present significant challenges for security professionals," the report said. "It's important to remember, this is not just a hypothetical scenario but a very real concern."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ChatGPT Could Create Polymorphic Malware Wave, Researchers Warn

New module introduces shadow SaaS application discovery, monitoring, and remediation to protect businesses from supply chain attacks.

**NEW YORK****,** **Jan. 18, 2023** **/PRNewswire/ --** DoControl, the automated Software-as-a-Service (SaaS) security company, today announced a platform expansion with the launch of its comprehensive Shadow Apps solution. Building on prior innovations that address mission-critical use cases, DoControl's newest module introduces shadow SaaS application discovery, monitoring, and remediation to better protect businesses from SaaS supply chain attacks.

SaaS application-to-application connectivity features increase risk by introducing machine identities that are often overprivileged, unsanctioned, and unmonitored. Compromised machine identities can easily gain permission to read, write, and delete sensitive data on improperly managed applications, significantly increasing security, business, and compliance risk for organizations. DoControl's SaaS Security Platform expansion provides complete visibility and control across all sanctioned and unsanctioned SaaS applications to close compliance gaps and remediate supply chain-based attack vectors automatically.

The significant growth of SaaS applications, the demand to integrate them, and the economic pressures to consolidate vendors are contributing to a market need for a single service platform that provides centralized security across disparate applications. Offering CASB, DLP, Insider Risk, Workflows, and now Shadow Apps, DoControl has emerged as the end-to-end SaaS Security platform provider to help security teams do more with less overhead.

The expansion of the DoControl SaaS Security Platform enables comprehensive "shadow application" governance through:

*   **Discovery and Visibility**: Organizations can discover all interconnected first, second, and third-party SaaS applications – sanctioned and unsanctioned – within a business's estate. With a complete mapping and inventory, businesses can identify issues of non-compliance and understand the riskiest SaaS platforms, applications, and users exposed within the SaaS estate.
*   **Monitor and Control**: Organizations can perform application reviews with business users through pre-approval policies and workflows that require end users to provide a business justification to onboard new applications. Security teams can also quarantine suspicious applications, reduce excessive permissions, and revoke or remove applications or access.
*   **Automated Remediation**: Using low-code/no-code tools, organizations can automate security policy enforcement across the entire SaaS application stack. DoControl's Security Workflows reduce exposure introduced by third-party applications and prevent unsanctioned or high-risk application usage through automated remediation of potential threat vectors.

"Data security is paramount, yet many tools lack the granularity and suite of capabilities modern businesses need to secure sensitive data and operations – particularly in the complex and interconnected world of SaaS applications," said Adam Gavish, CEO and Co-founder, DoControl. "Our expanded platform offers a fully unified solution for seamlessly securing both human and machine access so businesses can avoid sensitive data loss, regulatory penalties, and revenue impacts stemming from the mismanagement of the SaaS estate."

The Shadow Applications Module is currently available to existing customers and will enter general availability in Q1 of 2023. To learn more, please review the list of supporting resources below:

*   View the Solutions webpage
*   Register for the Webinar
*   Read the Blog
*   Download the Solution Brief

**About DoControl**

DoControl is an agentless, event-driven SaaS Security Platform that secures business-critical SaaS applications and data. DoControl helps organizations expose their SaaS risk, remediate it quickly, and automatically remediate over time through granular, no-code workflows. DoControl uncovers all SaaS users, third-party collaborators, assets and metadata, OAuth applications, groups, and activity events. DoControl helps reduce risk, prevent data breaches, and mitigate insider risk without slowing down business enablement. To learn more about DoControl, visit www.docontrol.io, read the DoControl blogs, or follow us on Twitter and LinkedIn.

DoControl Announces SaaS Security Platform Expansion With Shadow Apps Module Launch

KnowBe4 releases overall 2022 and Q4 2022 global phishing test reports and finds business-related emails continue to be utilized as a phishing strategy and reveal top holiday email phishing subjects.

**Tampa Bay, FL (January 18, 2023)—** KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced the results of its 2022 and Q4 2022 top-clicked phishing report. The results include the top email subjects clicked in phishing tests, top attack vector types, holiday phishing email subjects and more insightful information that reveal the most popular phishing email tactics.  

Phishing emails continue to be one of the most common and effective methods to maliciously impact a variety of organizations around the world – everyone is a potential victim. Cybercriminals constantly refine their strategies to outsmart end users and organizations by changing phishing email subjects to be more believable and attention grabbing. This shift in phishing tactics over time is evident in the increasing trend of cybercriminals using business-related email subjects.

Business phishing emails are lucrative and successful because of their potential to affect a user’s workday and routine. These include emails from HR, IT, managers and web services such as Google and Amazon. KnowBe4’s 2022 phishing test results reveal that for the year, nearly 50% of email subjects were HR related, while the other half were related to career development, IT and work project notifications. These types of emails bait recipients into opening them and are likely successful because they create a sense of urgency in users to act quickly, sometimes without thinking and taking the time to question the email’s legitimacy. 

Additionally, this year’s phishing tests revealed the top vector for the year to be phishing links in the body of an email, which has stayed consistent for the last three consecutive quarters. The combination of these phishing tactics is clearly a working strategy for cybercriminals but detrimental to users and organizations as they can lead to cyber attacks such as business email compromise and ransomware.

Along with an increased utilization of more business-related emails and links within emails, the Q4 2022 phishing test also shares the top holiday phishing email subjects. The holiday season is one of the busiest times of year for online activities and cybercriminals count on end users having their guards down when it comes to staying alert and spotting phishing emails. Like general phishing email subjects, holiday phishing email subjects consist of emails from HR and IT, however, they are also tailored to the holiday season and the festivities that typically happen during that time of the year by mentioning holiday parties, gifts, food and more. 

“Cybercriminals are smart and pay attention to what works and what does not when it comes to effective phishing emails,” said Stu Sjouwerman, CEO, KnowBe4. “This is why we see email subjects evolve and upgrade over time to keep up with end users and what they may be susceptible to. Phishing emails are a year-round threat and remain a challenge during the holiday season as well – holiday phishing emails are the one gift that no one wants to receive in their inbox. KnowBe4’s phishing test reports emphasize the importance of new-school security awareness training that educate users on the latest and most common cyber attacks and threats. A strong security culture and an educated workforce is an organization’s best defense to remain vigilant and stay safe online from cybercriminals and their attempted threats.”

To download a copy of the 2022 and the Q4 2022 KnowBe4 Phishing Infographics, visit here and here.

**About KnowBe4**

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 54,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

KnowBe4 2022 Phishing Test Report Confirms Business-Related Emails Trend

From updating employee education and implementing stronger authentication protocols to monitoring corporate accounts and adopting a zero-trust model, companies can better prepare defenses against chatbot-augmented attacks.

Over LinkedIn, Slack, Twitter, email, and text messages, people are sharing examples created using ChatGPT, the new artificial intelligence (AI) model from the team behind OpenAI.

Using ChatGPT, you can produce authentic-sounding dialogue that can be used for almost anything — from answering follow-up questions in an online chat dialogue to writing poetry. There are plenty of opportunities for enterprises to take advantage of the new chatbot technology, including helping with enterprise support and customer interactions. Its ability to quickly generate content, and, according to its developers, "answer follow-up questions, admit its mistakes, challenge incorrect premises, and reject inappropriate requests," opens many opportunities and some new challenges.

AI and machine learning (ML) is shifting quickly from niche solutions in corporate scenarios that have been high cost/high reward toward solutions to more expansive implementations that can solve a range of enterprise challenges, particularly those which focus on end users. Cybersecurity, for example, is now embracing AI-based approaches to provide greater protection with smaller security teams. One example highlights how organizations can use AI/ML to perform dynamic, risk-based checks when someone tries to access sensitive applications or data. This replaces older, policy-based approaches, which can take significant time and human interaction to develop and maintain the individual access policies. In a larger company, maintaining those policies could include hundreds or even thousands of applications and data repositories.

**Using AI for Greater Efficiency**

Interest in AI is continuing to explode as modern attacks require rapid detection and response to anomalous user behavior — something an AI model can be trained to quickly identify, but which takes significant human power to try and replicate manually. The goal of AI is to increase efficiency and trust while reducing friction and improving the user interface for typical users. Self-driving cars, for example, are designed to increase the safety and security of end users. In cybersecurity, specifically in the authentication of users (human and nonhuman), AI-based approaches are advancing rapidly, working with rule-based systems to improve the experience for end users.

In an increasingly digital world, attackers can already sidestep detection of binary identity authentication, including location, device, network, and other checks. Inevitably, cybercriminals will also look at the new opportunities ChatGPT opens up. AI tools that interact in a conversational way can be leveraged by cybercriminals to launch convincing phishing campaigns or account takeovers. In the past, it may have been easier to spot a phishing attack due to the poor grammar, unusual phrasing, or frequent spelling errors so common in phishing emails. That is quickly evolving with solutions like ChatGPT, which use natural language processing to create the initial message and then generate realistic responses to a target user's questions without any of those telltale markers.

**Rethink Security Approaches**

To prepare for chatbot-augmented attacks, organizations need to rethink security approaches to mitigate potential threats. Five measures they can take include:

1.  **Updating employee education** regarding the risks of phishing. Employees who understand how ChatGPT can be leveraged are likely to be more cautious about interacting with chatbots and other AI-supported solutions, and thereby avoid falling victim to these types of attacks.
2.  **Implementing strong authentication protocols** to make it more difficult for attackers to gain access to accounts. Attackers already know how to take advantage of users tired of reauthenticating through multifactor authentication (MFA) tools, so leveraging AI/ML to authenticate users through digital fingerprint matching and avoiding passwords altogether can help increase security while reducing MFA fatigue.
3.  **Adopting a zero-trust model.** By only granting access after verification and ensuring least-privileged access, security leaders can create an environment where even if an attacker leverages ChatGPT to get around unsuspecting users, the cybercriminals will still have to verify their identity and, even then, will only have access to limited resources. Limiting the access not only of developers but also leadership, including technical leadership, to the least access needed to perform their jobs effectively, may initially meet with resistance, but will make it harder for an attacker to leverage any unauthorized access for gain.
4.  **Monitoring activity** on corporate accounts and using tools, including spam filters, behavioral analysis, and keyword filtering, to identify and block malicious messages. Your employees cannot fall victim to a phishing attack, no matter how sophisticated the language is, if they never see the message. Quarantining malicious messages based on the behavior and relationship of the correspondents rather than specific keywords is more likely to block malicious actors.
5.  **Leveraging AI.** Cyberattacks are already leveraging AI, and ChatGPT is just one more way that they will use it to gain access to your organization's environments. Organizations must take advantage of the capabilities offered by AI/ML to improve cybersecurity and respond faster to threats and potential breaches.

Account takeover via social engineering, leveraging passwords from data breaches, and phishing attacks will become more frequent and more successful — despite our best defenses — given that ChatGPT can provide authentic-sounding responses to target inquiries. By updating and adopting these five approaches, organizations can help to reduce the risks to themselves and their employees when chatbots and other AI tools are used for malicious purposes.

Source

DARKReading