New approaches to identity access management are indispensable.

Take a moment to consider how frequently you authenticate your identity online: checking your email, logging in to your bank account, accessing cloud-based productivity tools, booking a flight, paying your taxes. We confirm our identities so many times every day that things like providing personally identifiable information and confirming a login attempt through our smartphones have become second nature. 

These are all reminders that identity is the foundation of cybersecurity — which is why it's also a major attack vector that can be exploited by cybercriminals. There are many tools that can prevent hackers from using the identities of their victims to infiltrate organizations and steal sensitive data, such as password managers and multifactor authentication. However, the adoption of these tools isn't as widespread as it should be — identity protection is often siloed, which means entire networks can be put at risk by single entry points. 

This is why many companies are moving toward a more comprehensive security architecture that will allow them to systematize their identity access management (IAM) protocols and defend many attack vectors at once. It has never been more critical for companies' cybersecurity platforms to be adaptive, automated, and distributed, which is why they're increasingly adopting flexible IAM systems that offer protection at every level. 

**Identity Is a Significant Attack Vector**

There are many reasons cybercriminals target IAM systems: these systems are often especially vulnerable because they're dependent on individual user behavior, fragmented cloud applications create many lines of attack, and a single access point often allows bad actors to break into entire networks. It's no surprise that, according to the 2022 Verizon "Data Breach Investigations Report," the use of stolen credentials is the top action variety in breaches. 

Verizon researchers outline yet another reason why cybercriminals prioritize identity: "We've long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system." When cybercriminals use credentials or other stolen forms of identity to access a network, they can operate undetected for long periods of time, which allows them to install malware, manipulate privileges, and deceive other users to steal sensitive data or gain deeper access.

This problem is all the more urgent with the proliferation of devices and cloud-based services employees use for work, as well as the continued reliance on remote and hybrid work. As employees sign in to their work accounts from home and around the world — sometimes using unsecured Wi-Fi at airports, coffee shops, and hotel lobbies — siloed IAM systems have become even more dangerous. 

**Poor Cybersecurity Hygiene and the Risks of Siloed IAM**

Human behavior is one of the most significant cybersecurity liabilities any company faces, and flawed IAM security architecture is one of the main reasons why. At a time when companies are simultaneously using an average of three clouds with many different apps and devices, IAM is more important than ever. But relying on individual users and disconnected security protocols dramatically increases the risk of a breach. 

Although there are plenty of digital tools that can make apps and other cloud-based services safer, many employees fail to use these tools. For example, despite the fact that password security habits are notoriously unhealthy — almost two-thirds of people reuse passwords, and 13% use the same password for every account — less than a quarter say they use a password manager. The same applies to other forms of access: a 2021 survey found that less than one-third of respondents use two-factor authentication across all applications. 

It's costly and inefficient to develop IAM protocols for the full range of devices and apps that employees use, and it isn't feasible for companies to redevelop all their legacy apps to meet emerging security requirements. This is why many companies feel like they're stuck with a status quo that leaves them susceptible to cyberattacks — they lack the robust, standardized security architecture necessary to protect their networks and systems across the board. But this perception is changing with the rapid evolution of IAM architectures. 

**The Emergence of Orchestrated IAM**

Many factors are coming together at the same time and forcing companies to revisit their IAM frameworks: digitization, more distributed workforces, and a profusion of cloud-based apps. These developments should cause companies to create more comprehensive, coherent, and adaptive IAM systems, but in too many cases they're having the opposite effect. Companies are scrambling to keep up with new technological developments and the shifting cyber-threat landscape, which is causing them to make even more disjointed decisions. 

A recent Gartner report emphasized these problems and argued that organizations should "evolve their identity and access management (IAM) infrastructure to be more secure, resilient, composable and distributed." Gartner explained that this evolution should involve the establishment of an "identity fabric using a standards-based connector framework across multiple computing environments, so that the organization can answer the question of who has access to what, regardless of where the resources and users are located." The answer to siloed IAM systems is the creation of an orchestrated and unified platform that will allow companies to make identity security more consistent across users and apps.

There's no sign that cybercriminals will stop using identity to penetrate secure systems and steal from companies. Although recent technological developments have increased the number of identity-based vulnerabilities for cybercriminals to exploit, companies are quickly learning how to keep their networks safe. The development of new approaches to IAM will be an indispensable part of this process.

A Better Way to Resist Identity-Based Cyber Threats

The Swiss Army knife-like browser extension is heaven for attackers — and can be hell for enterprise users.

A malicious browser extension that works on both Google Chrome and Microsoft Edge allows attackers to remotely take over someone's browser session and carry out a full range of attacks. It's built to steal cookies and other info, mine cryptocurrency, install malware, or take over the entire device for use in a distributed denial-of-service (DDoS) attack — among other things.  

Thanks to this multitool approach, the Cloud9 botnet basically acts like a remote access Trojan (RAT) for the Chromium browser, which is the framework for Chrome, Edge, and some other browsers, researchers at Zimperium zLabs revealed in a blog post Nov. 8.

The malware is comprised of three JavaScript files and has been active since as far back as 2017, with an update in 2020 that proliferated as a single JavaScript that can be included on any website using script tags, researchers said.

Researchers have linked Cloud9 to the Keksec malware group due to the activity of its command-and-control servers (C2s), which point to domains previously used by the gang. The well-resourced group — known for creating various botnets-for-hire — was seen in June weaponizing a Linux botnet called EnemyBot against vulnerabilities in enterprise services. In Cloud9's case, it's likely being sold "for a few hundred dollars" or offered for free to other groups on various hacker forums, researchers said.

"As it is quite trivial to use and available for free, it can be used by many malware groups or individuals for specific purposes," Zimperium zLabs malware analyst Nipun Gupta wrote in the post.

**Enterprise Users at Risk**

The malware offers a veritable buffet of nefarious activity, "purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta wrote. This includes enterprise users, where the botnet can be used to infiltrate a user's machine to propagate further malicious activity.

That said, "the Cloud9 malware does not target any specific group, meaning it is as much an enterprise threat as it is a consumer threat," Gupta wrote. "It is quite clear that this malware group is targeting all browsers and operating systems and thus trying to increase their attack surface."

Core capabilities of Cloud9 include: the ability to send GET/POST requests, which can be used to fetch malicious resources; cookie stealing to compromise user sessions; keylogging for nabbing passwords and other info; and the ability to launch a Layer 4/Layer 7 hybrid attack, which can be used to perform DDoS attacks from victims' machines.

Cloud9 also can detect a user's OS and/or browser to deliver next-stage payloads; inject ads by opening 'pop-unders'; execute JavaScript code from other sources for further malicious code delivery; silently load web pages for ad or malicious-code injection; mine cryptocurrency using the browser or the victim's device resources; or send a browser exploit to inject malicious code and take complete control of the device.

**Browser Escape and a Multifaceted Attack**

Researchers walked through an example of a Cloud9 attack on a Chrome browser, outlining several steps that ultimately perform a slew of nefarious tasks — including mining cryptocurrency from a victim's machine, stealing cookies and clipboard data, and even using exploits to "escape" the browser and execute malware on the victim's device.

The main functionality of the extension is available in a file named campaign.js, JavaScript that also can be used as a standalone and thus can redirect victims to a malicious website that contains the campaign.js script.

The campaign.js starts by identifying the victim's OS and then injects a JavaScript file that mines cryptocurrency using the victim's computer resources, both diminishing the performance of the device while reducing hardware lifespan and increasing energy usage — "which translates into a slow but steady monetary loss," Gupta noted.

Cloud9 then injects another script named cthulhu.js that contains a full-chain exploit for two vulnerabilities — CVE-2019-11708 and CVE-2019-98100 — that target Firefox on a 64-bit Windows OS. Upon successful exploitation, it drops Windows-based malware on the device, enabling the threat actor to take over the entire system.

Researchers also witnessed Cloud9 using other browser exploits for Internet Explorer (CVE-2014-6332, CVE-2016-0189) and Edge (CVE-2016-7200 that, if successful, gives the attacker the same user rights as the current user and can execute code on the victim's device accordingly. Further, if the user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, researchers said.

Cloud9 also can use its ability to send POST requests to any domain to carry out Layer 7 DDoS attacks if the attacker has a significant number of victims connected as botnets. In fact, true to its reputation, Keksec likely is selling the extension to provide a botnet service to perform DDoS, Gupta noted.

**Protecting the Enterprise**

Because of the broad capabilities of Cloud9 and the wide attack surface it can generate, enterprise customers should be on alert, researchers said. Indeed, traditional endpoint security solutions don't typically monitor this type of attack vector, which leaves browsers "susceptible and vulnerable," Gupta observed.

It's unclear how Cloud9 is being spread, but so far, Zimperium zLabs has seen no evidence of the malicious extension on the Google Play Store or any other legitimate mobile app shop. For this reason, enterprises should train users on the risks associated with browser extensions that they encounter outside of official repositories, he said. They also should consider what security controls they have in place for such risks in their security posture overall.

Cloud9 Malware Offers a Paradise of Cyberattack Methods

An annual HIPAA security risk assessment is required to meet HIPAA requirements.

**NEW YORK, Nov. 9, 2022 /PRNewswire/** — Compliancy Group reminds healthcare organizations of their obligation to complete their annual HIPAA security risk assessment.

HIPAA compliance largely depends on a HIPAA security risk assessment (SRA). By completing a security risk assessment, healthcare organizations can be better prepared against cyberattacks and other security incidents. To meet HIPAA requirements, healthcare organizations must complete an SRA each year.

Learn more about security risk assessments, SIGN UP for their webinar on Nov. 16th @ 2 pm ET.

"The healthcare industry has become a prime target for hackers. With the threat growing yearly, healthcare organizations must be vigilant to secure patient information. The best way to do that is to conduct a security risk assessment to identify risks so that you can implement additional security measures to prevent incidents from occurring." — Marc Haskelson, CEO and President, Compliancy Group.

Not sure where to start? Compliancy Group has a series of educational materials to help organizations meet their HIPAA requirements. You can find e-books, articles, and webinars that provide tips on meeting your annual SRA requirement.

HIPAA Resources

DOWNLOAD: HIPAA Security Risk Assessment e-book  
DOWNLOAD: HIPAA Compliance Checklist  
How to Conduct a Security Risk Assessment  
HIPAA SRA Requirements

About Compliancy Group

Compliancy Group gives healthcare professionals confidence in their compliance plan, increasing client loyalty, and profitability of their business while reducing risk. Using simplified software and dedicated Compliance Coaches, Compliancy Group removes the complexities and stress of HIPAA. Find out more about Compliancy Group and HIPAA compliance. Get compliant today!

**SOURCE:** Compliancy Group

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Compliancy Group Urges Healthcare Organizations to Complete Their HIPAA Security Risk Assessments

A lack of precision in our terminology leads to misunderstandings and confusion about the activities we engage in, the information we share, and the expectations we hold.

The words safety and security are often the same in many languages. That is also true in the world of cyber, where we frequently say cyber_security_ when we really mean cyber _safety_. They are, however, distinct concepts, and the lack of precision in our terminology leads to misunderstandings and confusion about the activities we engage in, the information we share, and the expectations we hold.

To simplify the distinction between safety and security, it helps to put another descriptor in front of these words. For example, food _safety_ practices include hygiene, third-party inspections, and checklists. Food _security_ evokes concerns about the shortage of baby formula, poisoning of the food supply, and starvation. Food safety and food security are not the same.

**Cyber Safety ≠ Cybersecurity**

Similarly, cyber safety and cybersecurity are not the same. If you believe that compliance does not equal security, perhaps it is because compliance is about safety. Adherence to good safety practices generally improves the quality of the output while security often delays the output. Good safety practices don’t eliminate the possibility of intentional compromise, but practices that promote higher quality outputs enable investigators to quickly rule out accidental causes.

If you wonder why some types of information in cyber are widely shared and others are not, consider that regardless of geopolitical affiliations, we openly share nuclear safety practices but not nuclear security practices. We naturally tend to be transparent about safety but not about security. We generally want safety measures to be very visible, obvious, and well known. Hotels and airlines prominently and repeatedly share the measures they have taken to ensure our safety. Most manufacturing environments prominently showcase a sign relaying how long they have gone without a safety incident. 

Conversely, we tend to keep security measures invisible and unknown (unless we explicitly want to deter attackers through overt displays of guns, guards, and gates). This mindset extends to information sharing and may explain our general reluctance to voluntarily share security information with outside parties (and even internally).

Safety measures may be hidden from view in some cases, such as with car airbags and elevator brakes. Even so we will see inspection certificates to demonstrate that the minimum safety standards have been met. We are subjected to numerous and different inspections in the world of cyber, but the results are often hidden from public view. If routine assessments such as SOC2 and ISO27001 are more akin to safety inspections, perhaps these results should be made public by default (as with SOC3) to communicate when we have met minimum cyber-safety measures.

**Taking Personal Responsibility**

Individual choices have a direct impact on our safety. For example, most of us know what steps we can take to improve our personal hygiene and are appalled when others neglect or ignore such simple steps. Security on the other hand, is often seen as someone else’s responsibility with the individual usually limited to a passive "see something, say something" role.

Safety requires active participation from everyone and most people embrace safety measures as a personal responsibility. Individuals can see how they can directly contribute to the improvement (or deterioration) of safety. We can instill a greater sense of personal responsibility and accountability among an organization's stakeholders to maintain proper cyber hygiene by appropriately recasting many common cyber activities that we ask of others (e.g., patching) as actions to promote cyber safety.

To remind us of our personal responsibility for safety, we receive safety awareness briefings with every flight (with the flight attendants pleading with us to pay attention even if we've already heard it before). If you try to drive away without buckled seat belts, our vehicles chime in with pleasant tones. In many other domains, safety awareness happens regularly and is not reserved for just one month in October.

**Making Safety Usable**

Framing our activities as safety can also help cyber practitioners understand that we cannot go overboard on cyber-safety measures. Many of us may desire for all vulnerabilities patched immediately but requiring food service workers to clean food preparation areas whenever a speck of dust falls would bring productivity to a grinding halt. Similarly, insisting on immediate patching of all code vulnerabilities may hamper software development. For safety measures to be truly effective, we must understand and establish reasonable margins of safety. The fact is that most vulnerabilities do not need to be patched right away, and we can increase our margin of safety by implementing compensating cyber-safety controls, allowing us to postpone patching for a more opportune time.

Importantly, these cyber-safety controls must be easy to use with little to no room for operator error. Unfortunately, we are far from that today. Our current cyber-safety mechanisms operate like child safety seats from the 1980s: Parents must figure out a complex harness system, and if they get it wrong, they are treated as idiots. In our digital environments today, the user is often blamed for being the weakest link despite confusing and unhelpful interfaces.

Making child safety seats easier to install required cooperation from both the car and seat manufacturers as well as a federal requirement to comply with a Latch system. Personal responsibility is still a factor, but the multiparty collaboration among federal regulators, carmakers, and child safety seat manufacturers enabled parents to avoid common mistakes.

Such coordination among producers, consumers, and regulators for cyber safety is sorely lacking in the digital world. But perhaps the starting point is to get everyone on the same page by understanding the real differences between cybersecurity and cyber safety.

What We Really Mean When We Talk About ‘Cybersecurity’

Teleport releases its second annual State of Infrastructure Access and Security report.

**OAKLAND, Calif., Nov. 9, 2022 /PRNewswire/** — Teleport, the leader in identity-native infrastructure access, today revealed its second annual State of Infrastructure Access and Security Report (PDF). The research seeks to uncover the specific challenges facing DevOps, security engineering and other security professionals. The survey found access built on secrets continues to represent the status quo, as 80% of respondents are still using passwords as a top security method. Concerningly, less than a quarter (24%) of respondents are fully confident that ex-employees no longer have access to company infrastructure.

The report offers a representative sample of the common beliefs and observations shared by industry professionals, as well as the actions they take to keep their organizations safe. Key findings include:

*   **Infrastructure is becoming more complex — with no signs of slowing down:** Organizations use on average 5.7 different tools to manage access policy, making it complicated and time-consuming to completely shut off access.
*   **Even the best-laid plans fall victim to complexity or apathy:** More than half (57%) of respondents said their organization has implemented new security methods that failed to be adopted by employees.
*   **Security spending is on the rise:** Even amid the ongoing inflation crisis, 85% of respondents say their security spending increased within the last 12 months.

"The 2022 Infrastructure Access and Security Report definitively shows that DevOps, security engineering and other security professionals understand the challenges they face, as well as the most effective tools for securing their infrastructure," said Ev Kontsevoy, CEO of Teleport. "But while the vision is clear, execution continues to lag behind."

**Infrastructure is only becoming more complex**

One year ago, the 2021 State of Infrastructure Access and Security Report highlighted the incredible complexity of technology architectures. While 77% of respondents said that moving to passwordless access was Important or Very Important, this year's survey reveals that number of respondents using passwords to grant access to infrastructure increased by 10% year over year, from 70% in 2021 to 80% in 2022.

**Crises of confidence and clarity**

When asked how confident they were that employees who leave the company can no longer use secrets to access company infrastructure, less than a quarter of respondents reported being 100% confident that the access had been revoked. Strikingly, nearly half of organizations are less than 50% confident that former employees no longer have access to infrastructure. This lack of confidence is trending in the wrong direction: the share of respondents with less than 50% confidence increased by 55% year over year.

The report found that respondents recognize the need to move toward passwordless access, and the share of those who view this shift as important increased over the last 12 months. Compared with 77% in 2021, 87% of respondents to this year's survey said moving towards a passwordless infrastructure is important or very important. This priority is reflected in company initiatives: 77% of respondents have an active initiative to move towards passwordless access; and 78% of respondents have an active initiative to move to biometric authentication, the most effective tool for establishing human identity for secure access.

While adoption of biometric authentication is promising — more than half (55%) of respondents already use biometrics in their systems — there are still significant barriers to widespread adoption. Notably, 62% of respondents cited privacy concerns as a leading challenge when replacing passwords with biometric authentication, while 55% pointed to a lack of devices capable of biometric authentication.

"With architectures growing in complexity, coupled with the rising number of threats and bad actors, DevOps and security engineering leaders cannot afford to delay any longer in turning their plans into actions," said Kontsevoy. "Secretless, identity-based infrastructure access is the only way forward."

**Methodology**

The 2022 Infrastructure Access and Security Report survey was based on a representative sample of DevOps, Security Engineering, and other security professionals with knowledge about how their company manages access to infrastructure. A total of 500 respondents completed the survey, which was conducted by Schlesinger Group, an independent research company.

The Teleport Infrastructure Access and Security report is available today and can be found here (PDF).  

**About Teleport**

Teleport is the first identity-native infrastructure access platform for engineers and machines. By replacing insecure secrets with true identity, Teleport delivers phishing-proof zero trust for every engineer and service connected to your global infrastructure. The open source Teleport Access Platform provides a frictionless developer experience and a single source of truth for infrastructure access. Teleport is used by leading companies including Elastic, Samsung, NASDAQ, and IBM. The company is backed by Bessemer Venture Partners, Insight Partners and Kleiner Perkins. Headquartered in Oakland, California, the company embraces a remote-first work culture. For more information, please visit goteleport.com.

**SOURCE:** Teleport

Research Finds Less Than a Quarter of Organizations Fully Confident Ex-Employees No Longer Have Access to Company Infrastructure

The market growth is driven by the convergence of IT and OT systems. By region, North America is estimated to account for the largest market size during the forecast period.

**CHICAGO, Nov. 9, 2022 /PRNewswire/** \-- The Global Industrial Control Systems (ICS) Security Market is projected to grow from USD 16.7 billion in 2022 to USD 23.7 billion by 2027, at a Compound Annual Growth Rate (CAGR) of 7.2% from 2022 to 2027, according to a new report by MarketsandMarkets™**.** The market growth is driven by the convergence of IT and OT systems.

**Download PDF Brochure:** https://www.marketsandmarkets.com/pdfdownloadNew.asp?id=1273

**By security type, network security to grow at the highest CAGR during the forecast period**

Network security is the technique of securing networks from advanced threats. Network security comprises ICS security services that provide security to various networking assets and resources used for managing critical infrastructure. It consists of multiple components, such as security software and appliances, which work together to provide network security. Sophisticated threats, such as sophisticated malware and other attacks, such as Advanced Persistent Threats (APTs), negatively impact the ICS ecosystem by evading network defenses and targeting vulnerabilities in the computing system. Organizations adopt ICS security services to prevent unauthorized access and the misuse of networking resources.

**Speak To Our Analyst:** https://www.marketsandmarkets.com/speaktoanalystNew.asp?id=1273

**By Region, North America is estimated to account for the largest market size during the forecast period**

North America has been at the forefront of the adoption of ICS security solutions in lieu of the rising number of cyberattacks on critical infrastructure. ICS security solutions are being widely used in a variety of industries, particularly manufacturing, chemicals, energy, and utilities. This region has also been extremely responsive toward the latest technological advancements, such as the integration of cloud and IoT with ICS security solutions, to establish a holistic secure access mechanism and enforce a security governance framework. With the growing awareness of ICS security among small and medium-sized businesses and the widespread use of data-driven methods in manufacturing operations, the adoption of emerging technologies opens the door to the substantial market share held by the North American region. Public-Private Partnerships (PPP) and international collaborations have led to effective ICS security and resilience in the region.

**Key Players:**

Major vendors in the global **Industrial Control Systems (ICS) Security Market** include Cisco (US), ABB (Switzerland), Lockheed Martin (US), Fortinet (US), Honeywell (US), Palo Alto Networks (US), BAE Systems (UK), Raytheon (US), Trellix (US), Darktrace (UK), Check Point (US and Israel), Kaspersky Labs (Russia), Airbus (France), Belden (US), Sophos (US), CyberArk (US), Claroty (US), Dragos (US), Nozomi Network (US), Cyberbit (Israel), Forescout (US), Radiflow (Israel), Verve Industrial Protection (US), Applied Security (Netherland), and Positive Technology (Russia).

**Browse Adjacent Markets:**

**Information Security Market Research Reports & Consulting**

**Digital Signature Market** - Global Forecast to 2027

**Cyber Security Market** - Global Forecast to 2027

**Anti-Money Laundering Solution Market** - Global Forecast to 2027

**Multi-Factor Authentication Market** - Global Forecast to 2027

**Zero-Trust Security Market** - Global Forecast to 2027

**About MarketsandMarkets™**

MarketsandMarkets™ provides quantified B2B research on 30,000 high -growth niche opportunities/threats which will impact 70% to 80% of worldwide companies' revenues. Currently servicing 7,500 customers worldwide, including 80% of global Fortune 1000 companies as clients. Almost 75,000 top officers across eight industries worldwide approach MarketsandMarkets™ for their painpoints around revenues decisions.

Our 850 full-time analysts and SMEs at MarketsandMarkets™ are tracking global high-growth markets following the "Growth Engagement Model – GEM". The GEM aims at proactive collaboration with the clients to identify new opportunities, identify most important customers, write "Attack, avoid and defend" strategies, identify sources of incremental revenues for both the company and its competitors. MarketsandMarkets™ now coming up with 1,500 MicroQuadrants (Positioning top players across leaders, emerging companies, innovators, strategic players) annually in high growth emerging segments. MarketsandMarkets™ is determined to benefit more than 10,000 companies this year for their revenue planning and help them take their innovations/disruptions early to the market by providing them research ahead of the curve.

MarketsandMarkets's flagship competitive intelligence and market research platform, "Knowledge Store" connects over 200,000 markets and entire value chains for deeper understanding of the unmet insights along with market sizing and forecasts of niche markets.

Research Insight: https://www.marketsandmarkets.com/ResearchInsight/industrial-control-systems-security-ics-market.asp

**SOURCE:** MarketsandMarkets

Industrial Control Systems (ICS) Security Market Worth $23.7B by 2027, Report Says

IT practitioners are developing ransomware response plans, but many of them are not confident in their data resiliency tools.

The good news: IT professionals recognize the important of data resiliency in ransomware defense. Less good: The recovery measures they are relying on may not be as effective as practitioners expect.

A recent IDC and Druva survey asked 505 respondents across 10 industries about their ransomware experiences and found that many organizations struggle to recover after an attack. In the survey, 85% of the respondents said their organizations had a ransomware recovery plan. The challenge seems to lie in effectively executing that plan.

"A majority of organizations suffered significant consequences from ransomware attacks including long recoveries and unrecoverable data despite paying a ransom," states the "You Think Ransomware Is Your Only Problem? Think Again" report.

Data resiliency is such an important element of cybersecurity that 96% of respondents considered it a top priority for their organizations, with a full 77% placing it in the top 3. What's striking about the survey results is that only 14% of respondents said they were "extremely confident" in their tools, even though 92% called their data resiliency tools "efficient" or "highly efficient."

"When data is spread across hybrid, cloud, and edge environments, data resiliency becomes much more complicated," said W. Curtis Preston, chief technology evangelist at Druva, in a blog post.

A plan might seem to cover everything, but then you realize that you lost your backup or can't find the latest restore point.

The ability to recover from an attack is vital, since the growth in ransomware makes it likely that your organization will get hit. This is why agencies like NIST recommend preparing for when an attacker pierces your defenses rather than trying to keep out every intruder. That mindset also shifts the priority to preparation and planning; you need to create a disasterrecovery plan that includes policy on restore points and recovery tools — and you need to practice implementing that plan before disaster strikes.

The report lists three key performance indicators that reveal the success of an organization's recovery from a cyberattack:

*   The ability to fully recover encrypted or deleted data without paying a ransom.
*   Zero data loss in the process of recovering the data.
*   Rapid recovery as defined by applicable service-level requirements.

"When a recovery fails to meet these criteria, then the organization may suffer financial loss, loss of reputation, permanently lost customers, and reduced employee productivity," the report warns.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Confidence in Data Recovery Tools Low

The CIS Benchmarks are unique for many reasons. None compare to the community consensus process that forms their hardening guidance. Learn how to get involved.

The Center for Internet Security (CIS) recently celebrated 20 years of bringing confidence to the connected world with consensus-based security guidance. The first CIS Benchmark was released in 2000.

Today, there are more than 100 CIS Benchmarks configuration guidelines across 25+ product vendor families. Without community participation, we would not have CIS Benchmarks, as the community is at the heart of what drives development and consensus across industries and technologies.

**What Is a CIS Benchmark?**

CIS Benchmarks cover operating systems, servers, cloud, mobile devices, desktop software, and network devices. The PDF versions are available to download at no cost from the CIS website, and additional file formats (XCCDF, Word, Excel, etc.) are available to CIS SecureSuite Members.

CIS Benchmarks are unique in the following ways:

*   Developed through a community consensus process
*   Provide vendor-neutral, technology-specific recommendations
*   Provide the necessary steps to configure a system
*   Recognized as an industry standard and referenced specifically by PCI DSS, FISMA, and more, as a way to be compliant with those standards
*   Map to the CIS Controls

Download CIS Benchmarks.

Although a number of factors have led the CIS Benchmarks to be trusted guidelines for a variety of industries, the way they are developed is also important. The CIS Benchmarks are created through a unique community consensus process on CIS WorkBench, our development platform.

**Guidance Driven by Community Consensus**

The CIS Benchmarks Communities on CIS WorkBench are open to anyone who wants to contribute to the development of Benchmark best practices. The communities are made up of subject-matter experts, vendors, technical writers, and CIS SecureSuite Members from around the world. Together with CIS, these volunteers develop, review, and maintain the CIS Benchmarks. Each community brings real-world experience and expertise to the process to ensure we are addressing the most prevalent security for various technologies.

CIS team members and volunteer subject-matter experts (SMEs) are key to creating the initial content, which is the foundation for the continued development and publication of the CIS Benchmark. Technical writers, testers, and contributors all play a role in the process, reviewing recommendations and determining the best solutions through discussions. Vendors are also welcome to participate.

Learn more about volunteer roles.

**Why You Should Get Involved**

Volunteers have the opportunity to be part of a large network of professionals and help shape security. Those who make significant contributions are recognized in the final published CIS Benchmark document.

**The CIS Benchmark Development Process**

CIS depends on our community and partners to assist in developing and maintaining the CIS Benchmarks. Using CIS WorkBench, tickets and discussion threads are established to continue dialogue until a consensus has been reached on proposed recommendations and the working drafts.

The typical development process:

1.  The initial development process defines the scope of the Benchmark and subject-matter experts begin the discussion, creation, and testing process of working drafts.
2.  After the initial draft is completed, we announce availability of the draft and invite folks to join the community to review, test, and provide feedback. This is the consensus process.
3.  All of the feedback that’s received is reviewed by the CIS lead for the community along with the subject-matter experts. They discuss and adjust the CIS Benchmark as necessary. This ensures the recommendations are complete and represent comprehensive guidance.
4.  Once all feedback has been reviewed and addressed, CIS makes a final call for participation in the community. The final review period lasts an average of two weeks, allowing for a final review of the CIS Benchmark before publishing.
5.  Any final feedback is addressed.
6.  Once consensus has been reached in the CIS Benchmark community, the final CIS Benchmark is published and made publicly available online.

    

**Join a Community Today!**

Why not join the CIS Benchmarks Community and lend your expertise?

Learn more here.

The CIS Benchmarks Community Consensus Process

Long-awaited security fixes for ProxyNotShell and Mark of the Web bypasses are part of a glut of actively exploited zero-day vulnerabilities and other critical flaws that admins need to prioritize in the coming hours.

Microsoft finally patched the publicly known "ProxyNotShell" and Mark of the Web (MotW) security vulnerabilities in its penultimate monthly security update for 2022 — two of six zero-day bugs under active exploit in the wild.

The targeted zero-days are part of a tranche of 68 security fixes for November's Patch Tuesday group, 11 of which are rated critical.

The fixes address CVEs that affect the gamut of the security giant's product line, including Azure, BitLocker, Dynamics, Exchange Server, Office and Office components, Network Policy Server (NPS), SharePoint Server, SysInternals, Visual Studio, Windows and Windows Components, and the Linux kernel and other open source software bugs affecting Microsoft products.

**Actively Exploited Zero-Day Vulnerabilities**

The group of zero-days listed as under active attack is the largest for Microsoft so far this year.

Two of them are the critical ProxyNotShell flaws affecting Exchange Server, first disclosed in September. Both carry a CVSS vulnerability-severity score rating of 8.8 out of 10. The bug tracked as CVE-2022-41040 is a server-side request forgery (SSRF) flaw that enables attackers to elevate privileges on a compromised system, and CVE-2022-41082 is a remote code execution (RCE) flaw when PowerShell is remotely accessible to the attacker. They can be chained together for full "pwning" of an Exchange Server.

"At long last, Microsoft released patches for the ProxyNotShell vulnerabilities that are being actively exploited by Chinese threat actors," Automox researcher Preetham Gurram said in a Nov. 8 analysis. "The elevation of privilege and remote code execution vulnerabilities have been exposed and exploited since late September, so we recommend applying patches within 24 hours if you have vulnerable on-prem or hybrid Exchange Servers where temporary mitigation has not been applied."

Microsoft also addressed the known and analyzed Mark of the Web issues — they're being tracked as CVE-2022-41091 and CVE-2022-41049, two separate vulnerabilities that exist in different versions of Windows. The important-rated bugs both allow attackers to sneak malicious attachments and files past Microsoft's MotW security feature — Microsoft says only the former is being exploited in the wild. 

Another zero-day being used in active campaigns is a critical RCE bug affecting Windows Scripting Languages (CVE-2022-41128, CVSS 8.8). Mike Walters, vice president of vulnerability and threat research at Action1, tells Dark Reading that it specifically affects the JScript9 scripting language, which is Microsoft’s legacy JavaScript dialect, used by the Internet Explorer browser.

"The new zero-day vulnerability … as low complexity, uses the network vector, and requires no privilege to use, but it needs user interaction, such as using a phishing email to convince the victim to visit a malicious server share or website," he explains. "It affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. … However, the proof-of-concept has not yet been publicly disclosed."

The remaining two bugs are important-rated elevation of privilege (EoP) issues carrying 7.8 CVSS scores. One is a memory bug that affects Microsoft's next-gen cryptography, the Windows CNG Key Isolation Service (CVE-2022-41125).

"With low privileges required and a local attack vector, this vulnerability does not necessitate any user interaction. Instead, an attacker would have to gain execution privileges on the victim’s device and run a specially crafted application to elevate privileges to exploit this vulnerability," Automox researcher Gina Geisel said in an emailed analysis. "With a long list of Windows 10 and 11 affected (in addition to Win 8.0, 7.0, Server 2008, 2012, 2016, 2019, 2022, and 2022 Azure), this vulnerability exposes industry-leading versions of Windows and could have wide-ranging impacts."

The second exists in Windows Print Spooler (CVE-2022-41073), and Action1's Walters describes it as a relative of last year's PrintNightmare bug.

"Microsoft continues to patch minions of the PrintNightmare vulnerability," he says. "This vulnerability has a local vector through which an attacker can gain system rights on the target server or desktop."

**Critical Bugs of Note for November**

Other issues in November's update that admins should prioritize include a vulnerability in Windows Kerberos RC4-HMAC (CVE-2022-37966). It earns a critical rating (CVSS 8.1), even though an attacker needs to have access and the ability to run code on the target system to exploit it.

That's likely because Kerberos is an authentication protocol to verify a user or the host's identity, noted Automox's Gurram. It provides a token that enables a service to act on behalf of its client when connecting to other services; when used within an organization's domain, it enables single sign-on (SSO).

"The primary encryption type used in Windows is based on the RC4 stream cipher, with an MD5-HMAC algorithm used for the checksum field," Gurram said. "RC4 encryption is considered to be the least secure and most attackable encryption algorithm. If being used for encrypting Kerberos tokens in the Active Directory domain, it can be exploited and take full control of any service accounts."

ZDI's Dustin Childs noted in a blog post that for this bug and another critical-rated issue in Kerberos tracked as CVE-2022-37967 (CVSS 7.2), admins will need to take additional actions beyond just applying the patch.

"Specifically, you’ll need to review KB5020805 and KB5021131 to see the changes made and next steps," he advised. "Microsoft notes this is a phased rollout of fixes, so look for additional updates to further impact the Kerberos functionality."

Childs also flagged three critical-rated fixes for the Point-to-Point Tunneling Protocol (PPTP), all carrying CVSS scores of 8.1, and all allowing RCE (CVE-2022-41039, CVE-2022-41088, and CVE-2022-41044).

"There seems to be a continuing trend of researchers looking for (and finding) bugs in older protocols," Childs said. "If you rely on PPTP, you should really consider upgrading to something more modern."

The remaining critical bugs are as follows:

*   CVE-2022-38015: A denial-of-service (DoS) bug in Hyper-V (CVSS 6.5), which Microsoft said "could allow a Hyper-V guest to affect the functionality of the Hyper-V host.”
*   CVE-2022-41118: An RCE bug affecting the Chakra and Jscript scripting languages (CVSS 7.5)
*   CVE-2022-39327: An Azure CLI RCE bug (no CVSS) — a previously released fix that is just being documented now.

**Patch ASAP**

Even though this month's update is relatively light, admins should get to patching ASAP, according to Bharat Jogi, director of vulnerability and threat research at Qualys — especially with so many zero-day exploits circulating.

"As we approach the holiday season, security teams must be on high alert and increasingly vigilant, as attackers typically ramp up activity during this time (e.g., Log4j, SolarWinds, etc.)," he said in emailed commentary. "It is likely we will see bad actors attempting to take advantage of disclosed zero-days and vulnerabilities released that organizations have left unpatched."

Microsoft Quashes Bevy of Actively Exploited Zero-Days for November Patch Tuesday

Ransomware-as-a-service lowers the barriers to entry, hides attackers’ identities, and creates multitier, specialized roles in service of ill-gotten gains.

Did you know that more than 80% of ransomware attacks can be traced to common configuration errors in software and devices? This ease of access is one of many reasons why cybercriminals have become emboldened by the underground ransomware economy.

And yet many threat actors work within a relatively small and interconnected ecosystem of players. This pool of cyber criminals has created specialized roles and consolidated the cybercrime economy, fueling ransomware-as-a-service (RaaS) to become the dominant business model. In doing so, they've enabled a wider range of criminals to deploy ransomware regardless of their technical expertise and forced all of us to become cybersecurity defenders in the process.

Microsoft Security doesn't just rely on open forum monitoring and ransomware claims to identify emerging cybercrime trends. We track ransomware attacks across the entire arc of the event — from incursion and exfiltration to ransom demand. This has allowed us to identify patterns in cybercriminal activity and turn cybercrime into a preventable business disruption. Following are some of our top tips.

**Understanding How RaaS Works**

Ransomware takes advantage of existing security compromises to gain access to internal networks. In the same way businesses hire gig workers to cut costs, cybercriminals have turned to renting or selling their ransomware tools for a portion of the profits rather than performing the attacks themselves.

This flourishing RaaS economy allows cybercriminals to purchase access to ransomware payloads and data leakage, as well as payment infrastructure. What we think of as ransomware gangs are actually RaaS programs like Conti or REvil, used by the many different actors who switch between RaaS programs and payloads.

RaaS lowers the barrier to entry and obfuscates the identity of the attackers behind the ransoming. Some programs can have 50 or more "affiliates," as they refer to their users, with varying tools, tradecraft, and objectives. Anyone with a laptop and credit card who is willing to search the Dark Web for penetration-testing tools or out-of-the-box malware can join this maximum efficiency economy.

So what does this mean for enterprises?

**Fresh Insight From a New Business Model**

This industrialization of cybercrime has created specialized roles in the RaaS economy. When companies experience a breach, multiple cybercriminals are often involved at different stages of the intrusion. These threat actors can gain access by purchasing RaaS kits off the Dark Web, consisting of customer service support, bundled offers, user reviews, forums, and other features.

Ransomware attacks are customized based on target network configurations, even if the ransomware payload is the same. They can take the form of data exfiltration and other impacts. Because of the interconnected nature of the cybercriminal economy, seemingly unrelated intrusions can build upon each other. For example, infostealer malware steals passwords and cookies. These attacks are often viewed as less serious, but cybercriminals can sell these passwords to enable other, more devastating attacks.

However, these attacks follow a common template. First comes initial access via malware infection or exploitation of a vulnerability. Then credential theft is used to elevate privileges and move laterally. This templatization has allowed prolific and detrimental ransomware attacks to be performed by attackers without sophisticated or advanced skills.

**Strategies for Businesses to Deploy**

Now that we understand the mechanics behind RaaS, let's examine several preventative measures that companies can take.

*   **Build credential hygiene:** Develop a logical network segmentation based on privileges that can be implemented alongside network segmentation to limit lateral movement. Failure to implement credential hygiene is one of the biggest security misconfigurations that we observe, and yet this simple tool can be a major factor in preventing threat actors from moving laterally and distributing a ransomware payload across the company. 
*   **Audit credential exposure:** Audit your credential exposure to better prevent ransomware attacks and cybercrime at large. IT security teams and security operations centers (SOCs) can work together to reduce administrative privileges and understand the level at which their credentials are exposed.
*   **Reduce the attack surface:** Establish attack surface reduction rules to prevent common attack techniques used in ransomware attacks. In observed attacks from several ransomware-associated activity groups, organizations with clearly defined rules have been able to mitigate attacks in their initial stages while preventing hands-on-keyboard activity.

Ultimately, carrying out a ransomware attack is easier than ever thanks to the commoditization of ransomware toolkits. But by implementing foundational security best practices and monitoring their credentials, companies will be less likely to fall victim to a ransomware attack.

Source

DARKReading