Insurance and legislation affect how enterprises balance between protecting against breaches and recovering from them.

In 409 A.D., when Flavius Honorius, the ruler of Rome, saw the invading hordes of Visigoths, he must have wondered whether he should have invested more gold into his perimeter defenses. History tells us that such an investment would have been appropriate, but perhaps Honorius' risk analysis never took into consideration the size and scope of a politically sponsored attack.

Centuries later, political and corporate leaders still face similar questions. Do we invest further in physical and digital security to protect our assets? Are our endpoints secure from malware and breaches? If attackers successfully enter the network, do we have the tools to defend it without compromising resources and data?

A key consideration today is whether enterprises should invest in proactive defenses to identify, detect, and protect the network, or whether they should focus on a reactive approach, responding and recovering from a cybersecurity event should one occur. These approaches are components of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which "integrates industry standards and best practices to help organizations manage their cybersecurity risks," according to the NIST website.

"Being proactive doesn't necessarily mean startups need heavy investments in technology," says John Hellickson, field CISO at Coalfire. "Instead, one could ensure the foundational elements, setting reasonable security policies and standards, implementing security from the start when standing up new IT infrastructure, and following secure coding guidelines when it comes to building applications is executed early on.

"As organizations grow, \[they\] should implement more comprehensive information security program elements, proactively assessing risks to mitigate those outside of the risk tolerance before likely threats are realized. Since every organization is unique, finding the right amount of investment is more of an art than science."

Enterprises have considerable motivations to be proactive at cybersecurity. Earlier this year, US Securities and Exchange Commission (SEC) Chairman Gary Gensler proposed several new rules that would put increased responsibility on C-suites and boards of directors to defend against data breaches. While the rules have yet to be ratified, some organizations already are implementing the proposed rules, including adding cybersecurity experts to corporate boards. To date, Gensler has proposed nearly 50 new rules.

**Cyber Insurance Influences Risk Assessment**

Another motivation is obtaining cyber insurance. Without appropriate security controls in place, enterprises can find it difficult to engage a broker or carrier that would risk writing a policy. Even if the policy is written, the prospect still needs to get underwriters' approval before the carrier binds the policy.

Robert Rosenzweig, national cyber risk practice leader and commercial New York metro regional leader at cyber insurance broker Risk Strategies, says his firm recommends that its clients manage risk appropriately to secure more comprehensive and competitive coverage, but it does not require clients to employ cybersecurity controls. Ultimately, he notes, it is the carrier's decision whether to approve the insurance application.

"We do have some information published about some of the top five to 10 controls that we have found to be most important when reducing the probability or cost and complexity of an incident, and also controls that carriers are most focused on when doing their underwriting analysis," he says.

However, Rosenzweig encourages organizations to invest in cybersecurity controls. 

"I think underwriters look favorably upon that. It's just another indicator that a prospective policyholder is investing in having the right culture of security and compliance," he says.

**Risk Goes Beyond Cybersecurity**

Potential fines for failing to properly contain risk could end up costing far more than the risk you were trying to mitigate, and it is not always a cybersecurity matter, says Joseph Williams, partner of cybersecurity at Infosys Consulting. He cites Burlington Northern Santa Fe Railway, which "just got hammered by the Illinois legislators for violating \[the state's new\] biometric \[law\]," as an example. The company must pay $228 million to some 45,000 truck drivers after a jury found the company collected the drivers' fingerprints without consent. This was the first court judgment related to the new Illinois Biometric Privacy Act.

"How would you have predicted that kind of vulnerability?" he asks, rhetorically. "This is my mantra: If you're not factoring, if you don't identify the risk, then you don't factor in that risk to the cost of the project. There's no way that biometric project was going to create $228 million in value, so somebody didn't calculate what that exposure would be. That wasn't cybersecurity; that was regulatory compliance."

Erika Andresen, a business continuity expert and founder of EaaS Consulting, as well as a longtime US Army lawyer, says she believes cybersecurity should be managed through regulatory oversight. 

"I would like to say it should be driven by regulation," she says. "But the problem is, you're going to have to pass that regulation through a series of senators and congressmen who have shares of companies that want to make money. And their interest is not to regulate those companies."

Andresen offers up that the SEC's Gensler has put forth proposed rules, but they have yet to be ratified. "They're supposed to be coming out, but they're going to be tied up," she says.

The Art of Calculating the Cost of Risk

Report reveals new top sources of fake login page referrals, rise of fake third-party cloud apps used to trick users.

**SANTA CLARA, Calif., Nov. 2, 2022 /PRNewswire/** — Netskope, a leader in secure access service edge (SASE), today unveiled new research that shows how the prevalence of cloud applications is changing the way threat actors are using phishing attack delivery methods to steal data.

The Netskope Cloud and Threat Report: Phishing details trends in phishing delivery methods such as fake login pages and fake third-party cloud applications designed to mimic legitimate apps, the targets of phishing attacks, where the fraudulent content is hosted, and more.

Although email is still a primary mechanism for delivering phishing links to fake login pages to capture usernames, passwords, MFA codes and more, the report reveals that users are more frequently clicking phishing links arriving through other channels, including personal websites and blogs, social media, and search engine results. The report also details the rise in fake third-party cloud apps designed to trick users into authorizing access to their cloud data and resources.

**Phishing Comes From All Directions**

Traditionally considered the top phishing threat, 11% of the phishing alerts were referred from webmail services, such as Gmail, Microsoft Live, and Yahoo. Personal websites and blogs, particularly those hosted on free hosting services, were the most common referrers to phishing content, claiming the top spot at 26%. The report identified two primary phishing referral methods: the use of malicious links through spam on legitimate websites and blogs, and the use of websites and blogs created specifically to promote phishing content.

Search engine referrals to phishing pages have also become common, as attackers are weaponizing data voids by creating pages centered around uncommon search terms where they can readily establish themselves as one of the top results for those terms. Examples identified by Netskope Threat Labs include how to use specific features in popular software, quiz answers for online courses, user manuals for a variety of business and personal products, and more.

"Business employees have been trained to spot phishing messages in email and text messages, so threat actors have adjusted their methods and are luring users into clicking on phishing links in other, less expected places," said Ray Canzanese, Threat Research Director, Netskope Threat Labs. "While we might not be thinking about the possibility of a phishing attack while surfing the internet or favorite search engine, we all must use the same level of vigilance and skepticism as we do with inbound email, and never enter credentials or sensitive information into any page after clicking a link. Always browse directly to login pages."

**The Rise of Fake Third-Party Cloud Apps**

Netskope's report discloses another key phishing method: tricking users into granting access to their cloud data and resources through fake third-party cloud applications. This early trend is particularly concerning because access to third-party applications is ubiquitous and poses a large attack surface. On average, end-users in organizations granted more than 440 third-party applications access to their Google data and applications, with one organization having as many as 12,300 different plugins accessing data – an average of 16 plugins per user. Equally as alarming, over 44% of all third-party applications accessing Google Drive have access to either sensitive data or all data on a user's Google Drive—further incentivizing criminals to create fake third-party cloud apps.

"The next generation of phishing attacks is upon us. With the prevalence of cloud applications and the changing nature of how they are used, from Chrome extensions or app add-ons, users are being asked to authorize access in what has become an overlooked attack vector," added Canzanese. "This new trend of fake third-party apps is something we're closely monitoring and tracking for our customers. We expect these types of attacks to increase over time, so organizations need to ensure that new attack paths such as OAuth authorizations are restricted or locked down. Employees should also be aware of these attacks and scrutinize authorization requests the same way they scrutinize emails and text messages."

Within the report, Netskope Threat Labs includes actionable steps organizations can take to identify and control access to phishing sites or applications, such as deploying a security service edge (SSE) cloud platform with a secure web gateway (SWG), enabling zero trust principles for least privilege access to data and continuous monitoring, and using Remote Browser Isolation (RBI) to reduce browsing risk for newly-registered domains.

Additional key findings from the report include:

*   **Employees continue to click, fall victim to malicious links**. It is widely understood that it takes just one click to severely compromise an organization. While enterprise phishing awareness and training continues to be more prevalent, the report reveals that an average of eight out of every 1,000 end-users in the enterprise clicked on a phishing link or otherwise attempted to access phishing content.

*   **Users are being lured by fake websites designed to mimic legitimate login pages.** Attackers primarily host these websites on content servers (22%) followed by newly registered domains (17%). Once users put personal information into a fake site, or grant it access to their data, attackers are able to capture usernames, passwords, and multi-factor authentication (MFA) codes.

*   **Geographic location plays a role in the access rate of phishing.** Africa and the Middle East were the two regions with the highest percentages of users accessing phishing content. In Africa, the percentage of users accessing phishing content is more than 33% above average, and in the Middle East, it is more than twice the average. Attackers frequently use fear, uncertainty, and doubt (FUD) to design phishing lures and also try to capitalize on major news items. Especially in the Middle East, attackers appear to be having success designing lures that capitalize on political, social, and economic issues affecting the region.

Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. Statistics in this report are based on the three-month period from July 1, 2022 through September 30, 2022.

Get the full Netskope Cloud and Threat Report: Phishing here.

Learn more about Netskope Threat Labs and gain insight from the Netskope Security Cloud Platform by visiting Netskope's Threat Research Hub.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

**SOURCE:** Netskope

Netskope Threat Research: Next Generation of Phishing Attacks Uses Unexpected Delivery Methods to Steal Data

A proposed plan to charge users for the platform's coveted blue check mark has, unsurprisingly, inspired attackers to try to dupe people into giving up their credentials.

One of Elon Musk's proposed first moves after his Twitter takeover seems to have backfired, at least from a security perspective. A teaser by the platform proposing to charge users a monthly fee to have verified accounts confirming them as a public persona or entity — and thus earn the distinction of a coveted blue check mark by their account name — has spawned a phishing campaign aiming to take advantage of the controversy surrounding the move.  

A number of Twitter users claim to have received phishing emails that use the lure of losing their verified status to try to fool them into supplying their credentials. The scam works via a Google doc made to look like a Twitter help page, according to users.

Several of those who were targeted (natch) took to Twitter to warn others about it on Monday, including two reporters: Zach Whittaker, security editor for TechCrunch, and Kevin Collier from NBC News.

"Twitter's ongoing verification chaos is now a cybersecurity problem," Whittaker tweeted, subsequently posting a report on TechCrunch about the scam. "It looks like some people (including in our newsroom) are getting crude phishing emails trying to trick people into turning over their Twitter credentials."

Collier reported that the email he received "apparently slipped right by Outlook's robust protections," though he himself was not fooled. "Didn't get me but I bet this gets somebody," Collier wrote in the post.

The email, according to screenshots both Whittaker and Collier posted, is sent from a Gmail account, twittercontactcenter\[at\]gmail.com, which Collier said is a "dead giveaway" that it's bogus. It warns the targeted user that "the verification badge will be $19.99 per month for some users after November 2, 2022," and that Twitter currently is unable to verify some "famous or well-known people."

The email goes on to inform targets that they need to provide a confirmation of who they are to receive the verification badge "for free," and provides a button to "Provide Information" and a link to the "Help Center" to find out about updated rules for the verification program.

Clicking on the button leads to a Google Doc with another link to a Google site that lets users host web content, according to Whittaker's report. The phishing page itself is designed to look like Twitter's help page and contains an embedded frame from another site, which is hosted by Beget, a Russian web hosting provider, according to the report.

The page asks users to provide their Twitter username, password, and phone number, which could allow an attacker to break into an account without two-factor authentication enabled.

To mitigate damage from the campaign, Google took swift action to take down the phishing site a short time after TechCrunch alerted the company, Whittaker wrote.

**Capitalizing on Controversy**

Security professionals noted that it's not surprising that a threat actor has taken advantage of the commotion currently surrounding Twitter. Leveraging a controversial situation that elicits an emotional response not only spells a cybercriminal opportunity, but also boosts the chance of a phishing campaign's success, Patrick Harr, CEO at SlashNext, an anti-phishing company, wrote in an email to Dark Reading.

"These types of social-engineering phishing attempts are very effective because they play on emotion and instigated immediate action," he said. "Before the victim has time to think if this is phishing, they quickly jump to action."

The obfuscation tactics used in the campaign also make it easier to hide from threat-detection engines because they likely won't flag Google Docs, a trusted service — which, at least in Collier's case, was exactly what happened, security professionals noted.

Indeed, the campaign and its ability to bypass email scanners stresses why it's important for people to remain vigilant when receiving emails from unknown sources, and protect all of their accounts with multifactor authentication (MFA) and other security buffers, observed Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM).

"Make sure you always use MFA, a password manager that creates strong unique passwords for every account, and never give over personal information or credentials details on websites without first verifying authenticity," he advised in an email to Dark Reading.

**Twitter Exodus?**

For his part, Musk in a tweet on Tuesday seemed to corroborate that implementing the controversial verification fee would be a first order of business — the news of which first surfaced in a report on The Verge Monday.

However, after some verified account holders claimed they would leave rather than pay the reported fee of $20 a month for their blue check mark — including high-profile users such as author Stephen King — Musk suggested lowering the price.

"Twitter's current lords & peasants system for who has or doesn't have a blue check mark is bull\*\*\*\*," he tweeted. "Power to the people! Blue for $8/month."

Musk's mere purchase of Twitter in a $44 billion deal — after a highly publicized, months-long back-and-forth between the company and the multibillionaire founder of Tesla — has already drawn the derision of celebrity users of the platform, some of whom already told followers they were closing their accounts.

The verification debacle occurring now is just fuel for the fire, adding to a growing controversy that is likely music to the ears of threat actors, who thrive on social, political, and economic conflict as an opportunity to commit cybercrime, security professionals observed.

"Cybercriminals have long exploited volatile situations for their own gain, especially newsworthy, current events," noted Darren Guccione, CEO and co-founder at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. "The recent acquisition and upheaval at Twitter is the latest example."

Musk's Twitter-Verification Payment Tease Spurs Cyberattackers

As vehicle security expands to cover cyber threats on the vehicle as well as the vehicle's external network, cross-industry collaboration and market opportunities are expected to increase.

**DUBLIN, Nov. 2, 2022 /PRNewswire/** — The "Automotive Cyber Security 2025: the Secure Connected Car" report has been added to **ResearchAndMarkets.com's** offering.

Over the next decade, vehicle security will expand to cover cyber threats on the vehicle as well as the vehicle's external network including the infrastructure. Therefore, effective Automotive Cyber Security requires cross-industry collaboration.

In the aftermath of the car hacks by cyber security researchers and US Sen. Ed Markey's report on the vulnerability of modern vehicles to malicious attacks, Automotive Cyber Security will unfold as the key topic in OEMs' and suppliers' agenda for the immediate future.

The outcome of these drivers will be a shift in car manufacturers' strategy toward Automotive Cyber Security in the form of new investment, M&A, and collaborations with suppliers and other cyber security companies. This could drive Connected-Cyber Security penetration up quite quickly and alter the competitive landscape. The key challenges here are how quickly the level of security and privacy in Connected Cars will rise to sufficient levels to avoid having vulnerable vehicles.

We expect that the landscape of the Automotive Cyber Security market will change rapidly over the next decade, especially after the expected mandate for standard fitment of cyber security solutions. Regulatory mandates on the standard fitment of cyber security solutions in modern vehicles will be the catalyst that will drive change in the competitive structure as competition intensifies and consolidation continues.

**Read this report to:**

*   Unlock the potential of the Automotive Cyber Security market by reading about investment, M&A, and partnerships in the marketplace
*   Discover the drivers of growth over the next decade
*   Read our penetration forecast of Hardware, Software-based solutions, and Services
*   Identify the leading suppliers of software and hardware equipment
*   Understand the competitive landscape by reading our exclusive interviews
*   A-Z: software, hardware solutions and service portfolio from leading companies

The recent white-hat hacking demonstrations will accelerate the outcome of the regulatory mandate in the US and pave the way for other countries to follow. Additionally, we expect that by the end of 2016, most of the currently ongoing or announced penetration tests will have finished, similarly to product evaluation for most OEMs. Therefore, talks about product integration will begin for their next-generation vehicles. This will fuel demand for both software/hardware solutions and services for Automotive Cyber Security over the next decade.

Additionally, more and more carmakers announce their intention to introduce OTA updates which, although most of them today serves more convenience purposes rather than security ones, it brings them one step closer to the task. As more carmakers exploit the benefits of the cloud, i.e. data storage, remote vehicle control, and wireless updates, demand for cloud security is expected to increase.

The necessity for industry-wide standardisation and collaboration is key for adoption. However, we expect that the regulation will set minimum standards in the form of a basic framework, on top of which carmakers will develop their solutions to help them in competitive differentiation.

What is more, the history of the automotive industry is full of examples of lack of collaboration and unwillingness to standardise procedures for innovative technologies on behalf of the OEMs (e.g. EV charging). Therefore, even though some common, voluntary standards will emerge, it is somehow unrealistic to expect them to cooperatively increase vehicle security unless the regulation demands so or a malicious car hack occurs-given fact that it constitutes an additional cost.

**Key Topics Covered:**

**1\. Executive Summary**

**2\. Automotive Cyber Security: State of the Art**

**3\. Automotive Cyber Security Forecast 2025**

**4\. Interviews with industry experts: insights from 7 buzzing startups**

**5\. 22 Leading suppliers in Automotive Cyber Security**

**Companies Mentioned**

*   Argus Cyber Security Ltd
*   Arilou Technologies Ltd
*   BT Security
*   Cisco Systems Inc.
*   ESCRYPT-Embedded Security
*   Harman
*   Intel Corporation
*   Karamba Security
*   NXP Semiconductors
*   SBD & NCC Group
*   Secunet AG
*   Security Innovation
*   Symphoty Teleca & Guardtime
*   Trillium Incorporated
*   Utimaco IS GmbH
*   APTIV
*   Bosh
*   Continental
*   Denso
*   Harman
*   Magna
*   Valeo

For more information about this report visit https://www.researchandmarkets.com/r/pfsrxc

**SOURCE:** Research and Markets

Global Automotive Cybersecurity Market Report 2022: Expected Mandate for Cybersecurity Protocols to Significantly Boost Sector

While the ransomware-for-hire group works to create ever more efficient exploits, companies can protect themselves with structured vulnerability management processes. Prioritize threats based on severity and risk.

LockBit ransomware is in the minority group of ransomware families that leverage auto-propagating malware and double encryption methods. After its breaches into security behemoth Entrust and the Italian Revenue Agency earlier this summer, LockBit has continued to gain notoriety while on the lookout for its next victim.

LockBit ransomware began its spree of high-profile attacks as early as September 2019 and has remained one of the most prolific groups to date. Motivated by large payouts, the group doesn't fear targeting larger corporations and enterprises.

The ransomware group is known for its particular qualities of a triple-extortion method, sophisticated technology, high-severity cyberattacks, and heavy marketing to affiliates. LockBit's presence is felt globally, and industries are afforded only short moments of respite when the group retreats to develop more devastating upgrades to their toolkit. Its attack frequency and strategy make the group a force to beware of in the cybersecurity world, demonstrating its determination to cause harm.

**LockBit: The Brief**

*   LockBit markets itself as ransomware-as-a-service (RaaS). It works in conjunction with other bad actors who perform attacks for hire, and then split the funds between the LockBit developer team and other accomplices.
*   The LockBit family targets both CVE-2021-22986 and CVE-2018-13379.
*   The Russian threat actor group, TA505 (also known as Hive0065) has been observed using the LockBit ransomware payload in its attacks.

**New Variants**

LockBit's origins began as an ABCD cryptovirus in 2019. Its main targets were government organizations in North America, Europe, and APAC regions and included private companies as well, with crypto as their form of ransom payment.

Early targets of LockBit in 2019 and 2020 included Windows systems within financial and healthcare institutions. The ransomware group then took a hiatus to improve its malware kit and operation strategy. To date, two LockBit versions in addition to the initial version have been released, with each subsequent release possessing increased attack capabilities.

**LockBit 2.0**

LockBit 2.0 was introduced in June 2021 and was documented in attacks in Taiwan, Chile, and the UK. In the 2.0 version, LockBit added the double-extortion technique and auto-encryption of hardware across Windows domains for which it became known. Later in the fall of 2021, the group began branching out into Linux servers, too, specifically attacking ESXi servers.

**LockBit 3.0, Also Known as LockBit Black**

After another brief hiatus, LockBit returned in June 2022 with the release of another improved version of the ransomware, including a bug bounty program that financially incentivizes researchers to share bug reports. In addition to the program, version 3.0 includes Zcash payments and developed new extortion tactics. Building on top of architecture found in BlackMatter and DarkSide, LockBit now has refined its evasion practices, passwordless execution, and implemented command-line features.

The updated LockBit ransomware was used to attack and steal data from the Italian Revenue Agency and a county office in Ontario, Canada. On top of encryption and the threat of data leaks, the ransomware group has included denial-of-service attacks to increase the pressure on victims.

In a surprising turn of events, an alleged LockBit developer leaked the group's builder used to design the 3.0 version on Twitter, citing frustration with the group's leadership as their motivation for the leak. A blow to the group but a potential risk to the cybersecurity field as the leaked information can equip new individuals with the necessary tools to start their own ransomware kit. In no more than a week after the leak, a new ransomware group was observed using the builder to target companies.

**How Dangerous Is LockBit?**

LockBit has a diverse arsenal of technologies and techniques to go after the largest organizations, regardless of industry. Here is a snapshot of the tools, tactics, and methods that make LockBit so dangerous:

*   StealBit, a malware tool first found in the 2.0 version, was designed for encryption and is believed to be the most efficient and quickest encryption tool.
*   StealBit automatically spreads to other connected devices along a network by taking advantage of Windows PowerShell and Server Message Block.
*   LockBit's malware can now infect both Windows and Linux systems when initially it could only exploit Windows systems.
*   The creation of the bug bounty program is the group's attempt at establishing itself as a professional group of hackers while simultaneously improving its defenses.
*   LockBit 3.0 introduced Zcash payment options for ransom collection and to avoid interference from law enforcement agencies.

**How to Prevent a LockBit Attack**

*   **Curb unnecessary permissions:** More restrictions on permissions are not a bad practice to get in the habit of applying, as more levels of authentication make it difficult for remote hackers to escalate permissions and gain greater access. Pay close attention to users with IT and admin-level permissions.

*   **Monitor your attack surface:** Incorporate a solution that scans your entire attack surface for potential entry points for attackers. Routinely monitor existing and newly added assets to your organization's network.

Security leadership can keep attackers away by cultivating a culture of vigilance with structured vulnerability management processes that prioritize threats based on severity and risk. Despite LockBit's capabilities, organizations do have options when it comes to protecting their organization and partners.

Everything You Need to Know About LockBit

New Aravo partnership provides organizations with comprehensive, standards-based third-party technical, financial, and compliance intelligence.

**SAN FRANCISCO and BOSTON,** **Nov. 2, 2022** — Aravo and Black Kite today announced a new partnership designed to empower organizations to improve their cybersecurity defenses by quantifying and monitoring cyber risk across the extended enterprise.

“The majority of B2B and B2C companies are expressing frequent interest and concern in the cybersecurity posture of the organizations that they do business with. And with ESG increasing in importance, it’s imperative for organizations to align cyber risk management with ESG objectives,” said Rick Goad, vice president of customer success and strategic alliances at Aravo. “As more customers continue to mandate cybersecurity risk as a significant determinant when conducting business, Aravo is excited to partner with Black Kite to provide our customers with a comprehensive security risk rating of their third parties.”

Incorporating Black Kite into Aravo’s Cyber Risk and InfoSec application strengthens cyber risk management programs across the extended enterprise of suppliers and third parties. Key features of the Black Kite integration include:

*   Technical cyber ratings – an easy-to-understand, trustworthy snapshot of the supply chain risk in the form of a letter grade, calculated using MITRE standards
*   Risk quantifications – insight into the probable financial impact to an organization if a third party experiences a breach
*   Compliance correlation – an external view of a third party’s compliance against common industry frameworks, such as NIST 800-53, PCI-DSS, ISO 27001, COBIT, GDPR, OTA, and Shared Assessments
*   Ransomware susceptibility – detects the likelihood of a ransomware attack on a third party

“We’re pleased to partner with Aravo and help simplify third-party risk management using our non-intrusive scans to continuously monitor and quantify third-party risk,” said Chuck Schauber, vice president of product and strategy at Black Kite. “Together, we’re enabling customers to build a more secure digital supply chain.”

The Aravo Third Party Management platform provides a flexible integration framework to connect with risk intelligence vendors, either through pre-configured Aravo Connectors or open APIs. Aravo Connectors include standard-defined data packages and best practices to help streamline onboarding, enrich risk reviews, enhance continuous monitoring, and trigger alerts and workflows to log issues and generate corrective actions. Aravo dashboards provide a unified view of risk scores for each third party across multiple risk domains, including ESG, InfoSec, ABAC, GDPR, financial, ethics, supply chain resilience, and business continuity.

**Additional Resources**

*   LinkedIn Live: Enhance Cyber Risk Management in Your Extended Enterprise
*   OCEG Webinar: Transform Your Cybersecurity Risk Management Program
*   Aravo for Information Security

**About Black Kite**

One in four organizations suffered from a cyberattack in the last year, resulting in production, reputation and financial losses. The real problem is adversaries attack companies via third parties, island hopping their way into target organizations. Black Kite is redefining vendor risk management with the world’s first global third-party cyber risk monitoring platform, built from a hacker’s perspective.

With 500+ customers across the globe and counting, Black Kite is committed to improving the health and safety of the entire planet’s cyber ecosystem with the industry’s most accurate and comprehensive cyber intelligence. While other security ratings service (SRS) providers try to narrow the scope, Black Kite providers the only standards-based cyber risk assessments that analyze your supply chain’s cybersecurity posture from three critical dimensions: technical, financial and compliance.

**About Aravo**

Aravo delivers the smartest third-party risk and resilience solutions, powered by intelligent automation. As a centralized system of record for all third-party data, Aravo provides organizations with a complete view of their third-party ecosystem throughout the lifecycle of the relationship and across multiple risk domains including ABAC, ESG, GDPR, InfoSec, financial, ethics, supply chain resilience, and business continuity. For more than 20 years, Aravo’s award-winning technology and unrivaled domain expertise has helped the world’s most respected brands accelerate and optimize their third-party management programs, delivering better business outcomes faster and ensuring the agility to adapt as programs evolve. Learn more at aravo.com.

Aravo Integration With Black Kite Helps Improve Cybersecurity Defenses

The project will advance understanding of how quantum-secure algorithms can be secured against side channel analysis through robust validation and countermeasures.

**London, UK, Nov. 2, 2022** — Riscure, a global security advisory lab and market leader in Side Channel Analysis (SCA), has partnered with PQShield, a cybersecurity company specializing in post-quantum cryptography, to evaluate PQShield’s SCA testing and validation processes.

The quantum threat is high on the global security agenda, with governments and their partners planning their transition to quantum-resistance via post-quantum cryptography (PQC). In July, the US National Institute of Standards and Technology (NIST) announced draft standards for post-quantum cryptography — an important and long-awaited information security milestone.

Even when PQC algorithms are mathematically secure, they can potentially be broken by a class of exploits known as side channel attacks. These attacks exploit algorithm implementation in hardware or software rather than the underlying mathematical problem, underlining how important it is that any side-channel vulnerabilities are identified and addressed before PQC solutions are widely rolled out.

PQShield is a market leader in quantum-ready cryptographic solutions for hardware, software and communications. The company is a major contributor to the NIST post-quantum standardisation project, and the draft standards it announced in July this year are all schemes contributed to by PQShield’s researchers and advisory board.

Riscure provides evaluation and validation services to reinforce the security of products and components, including hardware cryptographic engines, large SoCs, boot ROM, security-enhanced software applications and trusted execution environments. Riscure also provides Security Tools and Training to help companies improve the security knowledge and expertise of their development teams.

With this project, the two companies will evaluate PQShield’s SCA testing process. They will also share knowledge about post-quantum cryptography and its impact on side channel attacks, advancing companies’ and governments’ understanding of how new quantum-secure algorithms can be secured through robust validation and countermeasures.

**PQShield CEO & Founder, Ali El Kaafarani, said:** “Side channel attacks are a serious concern for cryptographers working on quantum-secure solutions. Not all devices running cryptographic operations provide the same level of assurance, so while many governments have encouraged organizations to upgrade their secure digital infrastructure, this must be tested and validated before it can stand up to the quantum threat.

“Riscure has a well-earned reputation when it comes to understanding and tackling complex security challenges. We are delighted to share our learnings in the face of the looming quantum threat to information security.”

**Marc Witteman CEO & Founder from Riscure added:** “We have seen a surge in interest from businesses and governments recently looking to secure sensitive data with PQC. We are looking forward to working alongside PQShield, experts in PQC software and hardware co-design, by educating and sharing best practices with industry. With this collaboration we also aim to provide the industry with robust quantum-resistant Side Channel Analysis and lead to integration of PQC into our leading tools — in turn helping all major businesses and governments mitigate the quantum-threat.”

**About PQShield**

PQShield is a cybersecurity company specialising in post-quantum cryptography, protecting data from today's attacks while readying organisations for the threat landscape of tomorrow. It is the only cybersecurity company that can demonstrate quantum-safe cryptography on chips, in applications, and in the cloud. Headquartered in the UK, with additional teams in the United States, France and the Netherlands, its quantum-secure cryptographic solutions work with companies' legacy systems to protect devices and sensitive data now and for years to come. PQShield is principally backed by Addition, Crane Venture Partners, Oxford Science Enterprises (formerly OSI), Kindred Capital, and InnovateUK. www.pqshield.com | LinkedIn | Twitter

**About Riscure**

Riscure is a leading vendor of security tools, services, and training for edge devices. Our tooling helps global technology leaders to build robust hardware and software solutions. Riscure security analysts bring top-notch security expertise to development teams and aim to run no-pain certification projects. Built on a wealth of security research and extensive practical experience, Riscure is well recognized for its technical leadership. Riscure serves Semiconductor, Mobile Security and Mobile Payment, Automotive and Premium Content industries as well as the Government sector. Follow us on Twitter @Riscure and LinkedIn.

PQShield and Riscure Collaborate on Post-Quantum Cryptography SCA Validation

Newly disclosed RCE flaw in Cosmos DB's Jupyter Notebook feature highlights some of the weaknesses that can arise from emerging tech in the cloud-native and machine learning worlds.

Researchers with the Microsoft Security Response Center (MSRC) and Orca Security drew the covers back this week on a newly fixed critical vulnerability in Microsoft Azure Cosmos DB that impacted its Cosmos DB Jupyter Notebooks feature. The remote code execution (RCE) no longer poses a danger to customers — and no evidence could be found of any incidents stemming from it when it was exploitable.

The public disclosure provides a portrait into how weaknesses in the authentication architecture of cloud-native and machine learning-friendly environments could be used by attackers. Dubbed CosMiss by Orca's research team, the vulnerability boiled down to a misconfiguration in how authorization headers are handled that let unauthenticated users gain read and write access to Azure Cosmos DB Notebooks, and inject and overwrite code.

"In short, if an attacker had knowledge of a Notebook's 'forwardingId', which is the UUID of the Notebook Workspace, they would have had full permissions on the Notebook, including read and write access, and the ability to modify the file system of the container running the notebook," wrote Lidor Ben Shitrit and Roee Sagi of Orca in a technical run-down of the vulnerability. "By modifying the container file system — aka dedicated workspace for temporary notebook hosting — we were able to obtain RCE in the notebook container."

A distributed NoSQL database, Azure Cosmos DB is designed for supporting scalable, high-performance apps with high availability and low latency. Among its uses are for IoT device telemetry and analytics; real-time retail services to run things like product catalogs and AI-driven personalized recommendations; and globally distributed applications such as streaming services, pick-up and delivery services, and the like.

Meantime, Jupyter Notebooks is an open source interactive developer environment (IDE) used by developers, data scientists, engineers, and business analysts to do everything from data exploration and data cleaning to statistical modeling, data visualization, and machine learning. It's a powerful environment built for creating, executing, and sharing documents with live code, equations, visualizations, and narrative text.

Orca researchers say that this functionality makes a flaw in authentication within Cosmos DB Notebooks particularly risky, since they're "used by developers to create code and often contain highly sensitive information such as secrets and private keys embedded in the code."

**Not the First Vulnerability Found in Cosmos**

The built-in integration of Jupyter Notebooks into Azure Cosmos DB is still a feature in preview mode, but this is definitely not the first publicized flaw found within it. Last year researchers with Wiz.io discovered a chain of flaws in the feature that gave any Azure user full admin access to other customers' Cosmos DB instances without authorization. At the time, researchers reported big brands like Coca-Cola, Kohler, Rolls-Royce, Siemens, and Symantec all had database keys exposed.

The risk and impacts of this latest flaw are arguable more limited in scope than the previous one due to a number of factors MSRC laid out in a blog published today. The flaw was disclosed to Microsoft by Orca in early October and fixed within two days, requiring no action from customers to roll out due to the distributed architecture of Cosmos DB. According to the MSRC blog, the exploitable bug was exposed for approximately two months after an update this summer in a backend API resulted in requests not being authenticated properly.

The security team conducted a thorough investigation of activity during that time and didn't find any signs of attackers leveraging the flaw.

"Microsoft conducted an investigation of log data from August 12th to Oct 6th and did not identify any brute force requests that would indicate malicious activity," wrote an MSRC spokesperson, who also noted that 99.8% of Azure Cosmos DB customers do not yet use Jupyter Notebooks.

Further mitigating the risk is the fact that the forwardingId utilized in the Orca proof-of-concept has a very short lifespan. Notebooks are run in a temporary notebook workspace that has a maximum lifetime of one hour, after which all the data in that workspace is deleted.

"The potential impact is limited to read/write access of the victim's notebooks during the time their temporary notebooks workspace is active," explained Microsoft. "The vulnerability, even with knowledge of the forwardingId, did not give the ability to execute notebooks, automatically save notebooks in the victim's (optional) connected GitHub repository, or access to data in the Azure Cosmos DB account."

Critical Vulnerability Found and Fixed in Microsoft Azure Cosmos DB

AI will help enterprises scale cybersecurity defenses to handle the growing complexity of modern networks and increased number of cyberthreats.

Shortly after Zscaler acquired TrustPath, (where I was the CEO and co-founder), I was out on a hike with a non-technical business friend. During the hike, my friend asked, “I know what AI can do for self-driving cars, but what can it do for the cybersecurity industry?”

For the next 20 minutes, I explained the fine details of why AI was needed in cybersecurity and how more companies should be leveraging it, but it didn’t resonate with my friend. I didn’t get that “ah-ha” moment that I was looking for, which told me I didn’t do a very good job explaining it to someone who wasn’t very technical. I likely lost my friend five minutes into the conversation.

When I got back to my work desk, I thought to myself, “_How can I better answer this next time, in a way that’s simple and easy to digest?_” I can talk day and night about AI because it’s what I’m passionate about. AI has shaped my career. So why didn’t it click this time?

For months, this question bothered me. Nearly every day, I thought about why AI is needed in cybersecurity. I drafted different elevator pitches on how the future of cybersecurity relies upon AI. Then it clicked with one word: scale.

**The Upcoming "Scale" Challenge**

Scale can mean so many things in a technology stack and can mean so many things in the cybersecurity world too.

Customers want a well-designed security architecture that can scale linearly and beautifully along with the capacity needed.The cyber industry has made a lot of good progress on this front in the last decade with the adoption of the cloud-native architecture.

However, the sophistication level and the elusive nature of modern cybersecurity threats have been increasing non-linearly, and the cybersecurity industry is facing a much higher “scale” challenge in the coming decade.

To my hiking friend, I should have talked about scale, because only AI and machine learning technology will be able to help the cyber industry meet the super-high scale challenge. Only AI and machine learning can cope with the exponential growth of cyberthreats and the order of magnitudes of higher scale requirements of the cyber world.

Gone are the days we could throw in cybersecurity professionals into reverse engineering, configuration management, and responding to alerts. Cyberthreats are so rampant that CISOs worldwide would love to have hundred more of the resources they currently have, but unfortunately, will never get.

**How AI Addresses Scale**

AI can help the cybersecurity industry deal with the scale challenge because AI technology is the force multiplier for cybersecurity professionals in two major areas.

**1\. The policy area.** The current policy scale is at a human scale and at a very coarse granularity. The enterprise users that belong to the same department often have the same static policy.

For the enterprise to have zero-trust security, they not only need a zero-trust architecture but also a zero-trust digital assistant to help them do the proper configurations. If a business wants to do granular, dynamic, and contextual zero-trust configurations in a shop with 10,000 users and 10,000 applications, you can’t simply hire 200 people and have them work 24/7. Instead, AI can make appropriate recommendations automatically so that humans only need to do the confirmation.

**2\. The threat area.** The conventional threat detection method is reasonably effective, yet at the same time, the bad guys have increased their rate of making variations of threats by several orders of magnitude. They also have become much more elusive. In order to detect such a large quantity of elusive threats, one needs a very large army as a starting point.

We are familiar with the elusive nature of the Solar Winds supply chain attack that impacted major companies like Microsoft, Cisco, and government agencies like the U.S. Department of the Treasury and the U.S. Department of State back in 2019. This threat could potentially have been discovered months earlier, had the industry had hundred times the amount security professionals monitoring various metrics, but it’s unrealistic to expect to have that many resources readily available. However, AI has the potential to uncover this type of stealthy threat by combining the power of data with the power of data science and domain knowledge.

Cloud-native security helped to deliver the scale requirements for the cyber industry in the last decade. Similarly, AI-native security will help to deliver the next phase of the scale requirement for the cyber world.

How AI Can Deliver the Next Phase of Scalability

Organizations should update to the latest encryption (version 3.0.7) as soon as possible, but there's no need for Heartbleed-like panic, security experts say.

Security experts described two highly anticipated vulnerabilities that the OpenSSL Project team patched Tuesday as issues that need to be addressed quickly, but not necessarily meriting a drop-everything-else type of emergency response.

The release of version 3.0.7 of the almost ubiquitously used cryptographic library addresses two buffer overflow vulnerabilities, which exist in OpenSSL versions 3.0.0 to 3.0.6.

Leading up to the disclosure, security experts had warned that one of the issues, originally characterized as a "critical" remote code-execution issue, could present a Heartbleed-level, all-hands-on-deck problem. Thankfully, that doesn't seem to be the case — and in disclosing the flaw, the OpenSSL project team said it had decided to downgrade the threat to "high" based on feedback from organizations that had tested and analyzed the bug.

**A Pair of Buffer Overflows**

The first bug (CVE-2022-3602) could indeed — under a specific set of circumstances — enable RCE, which originally led some security experts to worry that the flaw could have industry-wide repercussions. But it turns out that there are mitigating circumstances: For one, it's difficult to exploit, as explained below. Also, not all systems are impacted.

Specifically, only browsers that support OpenSSL 3.0.0 through 3.0.6, such as Firefox and Internet Explorer, are impacted at this time, according to Mark Ellzey, senior security researcher at Censys; notably unaffected is Google Chrome, which is the leading Internet browser.

"The impact is expected to be minimal due to the complexity of the attack and the limitations in how it can be carried out," he says. "Organizations should brush up on their phishing training and keep an eye on threat intelligence sources to ensure they are prepared if they are targeted by an attack such as this."

To boot, Alex Ilgayev, lead security researcher at Cycode, noted that the flaw can't be exploited on certain Linux distributions; and, many modern OS platforms implement stack overflow protections to mitigate against threats like these in any event, Ilgayev says.

The second vulnerability (CVE-2022-3786), which was uncovered while a fix for the original flaw was being developed, could be used to trigger denial of service (DoS) conditions. The OpenSSL team assessed the vulnerability as being of high severity but ruled out the possibility of it being used for RCE exploitation.

Both vulnerabilities are tied to a functionality called Punycode for encoding internationalized domain names.

"Users of OpenSSL 3.0.0 - 3.0.6 are encouraged to upgrade to 3.0.7 as soon as possible," the OpenSSL team said in a blog accompanying the bug disclosure and release of the new version of the cryptographic library. "If you obtain your copy of OpenSSL from your Operating System vendor or other third party then you should seek to obtain an updated version from them as soon as possible."

**Not Another Heartbleed**

The bug disclosure is sure to tamp down — for the moment, at least — the widespread concern sparked by the OpenSSL team's notification last week of its then-impending bug disclosure. The description of the first flaw as being "critical," in particular, had prompted several comparisons to 2014's "Heartbleed" bug — the only other bug in OpenSSL to earn a critical rating. That bug (CVE-2014-0160) impacted a wide swathe of the Internet and even now has not be fully addressed at many organizations.

"Heartbleed was exposed by default on any software that used a vulnerable version of OpenSSL, and it was very easily exploitable by attackers to see cryptographic keys and passwords stored in server memory," says Jonathan Knudsen, head of global research at Synopsys Cybersecurity Research Center. "The two vulnerabilities just reported in OpenSSL are serious but not of the same magnitude."

**OpenSSL Bugs Are Hard to Exploit...**

To exploit either of the new flaws, vulnerable servers would need to request client certificate authentication, which is not the norm, Knudsen says. And vulnerable clients would need to connect to a malicious server, which is a commonplace and defensible attack vector, he says.

"Nobody's hair should be on fire about these two vulnerabilities, but they are serious and should be handled with appropriate speed and diligence," he notes.

In a blog post, the SANS Internet Storm Center meanwhile described the OpenSSL update as fixing a buffer overrun during the certificate verification process. For an exploit to work, the certificate would need to contain a malicious Punycode-encoded name, and the vulnerability would be triggered only after the certificate chain is verified.

"An attacker first needs to be able to have a malicious certificate signed by a certificate authority the client trusts," SANS ISC noted. "This does not appear to be exploitable against servers. For servers, this may be exploitable if the server requests a certificate from the client."

Bottom line: The likelihood of exploitation is low since the vulnerability is complex to exploit, as is the flow and requirements to trigger it, Cycode's Ilgayev says. Plus, it affects a relatively small number of systems, compared to those using pre-3.0 versions of OpenSSL.

**...But Do Be Diligent**

At the same time, it is important to keep in mind that hard-to-exploit vulnerabilities have been exploited in the past, Ilgayev says, pointing to a zero-click exploit that the NSO Group developed for a vulnerability in iOS last year.

"\[Also\], like the OpenSSL team says, there is 'no way of knowing how every platform and compiler combination has arranged the buffers on the stack,' and therefore remote code execution may still be possible on some platforms," he cautions.

And indeed, Ellzey outlines one scenario for how attackers could exploit CVE-2022-3602, the flaw that OpenSSL team had originally assessed as critical.

"An attacker would host a malicious server and attempt to get victims to authenticate to it with an application vulnerable to OpenSSL v3.x, potentially through traditional phishing tactics," he says, although the scope is limited due to the exploit being predominantly client-side.

Vulnerabilities such as this highlight the importance of having a software bill of materials (SBOM) for every binary used, Ilgayev notes. "Looking at package managers is not enough as this library could be linked and compiled in various configurations that will affect the exploitability," he says.

Source

DARKReading