The NSS Labs archive, available with free registration, consists of over 800 test reports, analyst briefs, and research published by NSS Labs from 2013 — 2020.

**AUSTIN, Texas, Nov. 29, 2022 /PRNewswire/** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, has launched The NSS Labs archive, a library of over 800 test reports, analyst briefs and research published by NSS Labs from 2013 – 2020. Once available only to paid subscribers, CyberRatings.org is providing The NSS Labs archive to the community at no charge.

NSS Labs was an independent analysis and testing company recognized for its fact-based cybersecurity guidance that ceased operations on Oct. 15, 2020. Based in Austin, Texas, NSS Labs tested security products protecting networks, data centers, and endpoints for security effectiveness, evasions, performance, stability, and usability. It was in the early stages of producing methodologies for cloud testing when the company closed.

Following the NSS Labs closure, CyberRatings.org acquired some of the assets from the custodians of NSS Labs, including domain name, test data, and reports previously published on their website. The website also holds press releases and blogs over the last six years of the company's existence showing a timeline for the former company's development.

"The NSS Labs team produced a tremendous amount of volume year over year that can now serve as historical reference on security product efficacy," says Vikram Phatak, CEO of CyberRatings.org. "For example, some product scores demonstrated improvement over time while others went the opposite direction. We believe this is a good way to help consumers see how products have evolved."

Product reports and comparative reports from 2013 — 2020 listed below are now available in the following technology verticals:

*   Data Center Security
*   Endpoint Security (including Advanced Endpoint Protection and Browser)
*   Next Generation Firewall (NGFW)
*   Next Generation Intrusion Prevention System
*   Secure Sockets Layer / Transport Layer Security (SSL / TLS)
*   Software-Defined Wide Area Network (SD-WAN)

The NSS Labs archive can be accessed through www.nsslabs.com and www.cyberratings.org.

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a nonprofit 501(c)6 entity dedicated to quantifying cyber-risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

SOURCE: CyberRatings.org

CyberRatings.org Revives NSS Labs Research

Cloud-native application protection platforms can apply machine-learning algorithms on cloud data to identify accounts with abnormal permissions and uncover potential threats.

Over the past decade, we've seen a dramatic uptick in cloud migrations. On-premises solutions are becoming a thing of the past, and the cloud is becoming the default in the present. But why cloud, and why now?

Many organizations are currently undergoing a digital transformation. Much of this is expedited, due to the COVID-19 pandemic. Moving to the cloud offers numerous benefits—scalability, agility, and cost reduction being some of the most significant. Legacy solutions require setting up more physical servers, which increases complexity and operational effort, leading to higher costs. Meanwhile, cloud lets us do everything—and more—with just a few clicks.

The move to the cloud poses new challenges. One of the simplest ways attackers can get to an organization's crown jewels in the cloud is by clearing attack paths through a combination of network access and permissions. In what's quickly becoming a go-to method, many attackers use cloud-native privilege escalation techniques like PassRole to gain privileged access. The smallest drift in an environment can open up these attack paths in seconds, creating utter madness for a business. With the right privileges, data exfiltration takes mere moments and is almost impossible to detect.

To expose these types of attack paths, DevOps and security teams can use machine-learning capabilities embedded in a cloud-native application protection platform (CNAPP) solution to detect abnormal permissions, correlate all the signals, and search for privileges that collide with public exposures and vulnerabilities.

One of the problems we've seen most frequently, and one that's difficult to track and catch, is extra permissions being granted to many users within a tenant. In these cases, most permissions are unused, and attackers can take advantage. A CNAPP solution can detect abnormal permissions of identities within a tenant using specific machine learning methodologies.

Our definition for "abnormal" is simple: actionable + most risky = abnormal. For instance, when users in a given group each have more or less the same set of permissions in an environment, but one user has extra permissions in another environment, we consider the extra permissions abnormal.

In case of outliers over data that consists of a large number of features, the native machine learning models would usually be PCA, DBSCAN, LOF, or Isolation Forest. However, we discovered that the perfect model is a _genetic algorithm_. Genetic algorithms aim to detect mutations within a series of genes.

How exactly do we do that? Let’s have a look at a specific example.

    

In the table above, we can see that Amos has some extra permission in the production environment, which we consider abnormal. Let's now convert that graph to a DNA vector (DNA assignment).

    

We see here that Amos has mutations. The goal is to search for close communities that have extra important permissions—only then may it be considered an anomaly. Also, if the communities are far from each other, it's not necessarily anomalous.

    

After more in-depth ML calculations to eliminate false positives, you'll end up with a genetic algorithm that can help detect outliers with abnormal permissions. It's fast, simple, and effective. Trying to perform this kind of analysis with a legacy approach would require a massive manual effort to first understand the business impact of each permission, and then detect the excessive permissions. On the other hand, an ML-based approach suggests a self-learning method without the need to understand each and every permission, helping to expedite the process.

With cloud threats constantly evolving, machine/deep-learning detection-based methods are going to become a necessity when evaluating CNAPP solutions. Don't wait for that next drift to activate a chain of catastrophic events—get ahead of the curve of detecting your next breach with the power of machine learning.

_Read more_ _Partner Perspectives from Zscaler._

Connect the Dots with Genetic Algorithms on CNAPP

The new Microsoft Defender for Endpoint capabilities include built-in protection and scanning network traffic for malicious activity.

Microsoft has announced several new capabilities for Microsoft Defender. The new features will protect devices from advanced attacks and emerging threats, the company said on Monday.

**Security Enabled by Default**

Built-in protection is generally available for all devices using Microsoft Defender for Endpoint, according to Microsoft.

Built-in protection is a set of default security settings for Microsoft's endpoint security platform to protect devices from ransomware attacks and other threats. Tamper protection, which detects unauthorized changes being made to security settings, is the first default setting being enabled, according to a Microsoft 365 knowledgebase article. Tamper protection prevents unauthorized users and malicious actors from making changes to security settings for real-time and cloud-delivered protection, behavior monitoring, and antivirus.

Microsoft enabled tamper protection by default for all customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses last year.

Enterprise administrators have the ability to customize built-in protection, such as setting tamper protection for some but not all devices, toggling protection on or off on an individual device, and temporarily disabling the setting for troubleshooting purposes.

**Zeek Comes to Defender**

Microsoft also partnered with Corelight to add Zeek integration to Defender for Endpoint, helping to reduce the time required to detect network-based threats. With Zeek, an open source tool that monitors network traffic packets to uncover malicious network activity, Defender can scan inbound and outbound traffic. The Zeek integration also allows Defender to detect attacks on nondefault ports, show alerts for password spray attacks, and identify network exploitation attempts such as PrintNightmare.

"The integration of Zeek into Microsoft Defender for Endpoint provides a powerful ability to detect malicious activity in a way that enhances our existing endpoint security capabilities, as well as enables a more accurate and complete discovery of endpoints & IoT devices," Microsoft stated.

Zeek won't replace traditional network detection and response technology, as it is designed to act as a complementary data source providing network signals. "Microsoft recommends that security teams combine both data sources — endpoint for depth, and network for breadth — to gain full visibility across all parts of the network," the company said.

**Detect Firmware Vulnerabilities**

Related, Microsoft provided some more details on the Microsoft Defender Vulnerability Management service, which is currently available under public preview. When it becomes publicly available, the service will be sold as a standalone product and as an add-on to Microsoft Defender for Endpoint Plan 2.

The Microsoft Defender Vulnerability Management now can assess the security of the device's firmware and report if the firmware is missing security updates to fix vulnerabilities. IT pros will also get "remediation instructions and recommended firmware versions to deploy," according to a Microsoft article on the vulnerability management service.

The hardware and firmware assessment will display a list of hardware and firmware in devices across the enterprise; an inventory of systems, processors, and BIOS used; and the number of weaknesses and exposed devices, Microsoft said. The information is based on security advisories from HP, Dell, and Lenovo and relates to processors and BIOS only.

Microsoft Defender Gets New Security Protections

Organizations must be prepared to root out bad actors by any means possible, even if it means setting traps and stringing lures.

As software supply chain attacks increase, cybersecurity talent wanes, and alert fatigue leads to burnout, an always-on, defense-first mentality will no longer suffice. While many defense strategies aim for zero incidents across an entire network, it's time to reevaluate that thinking. Take a page out of the bad actors' book by implementing new strategies that ensure fast detection and intelligence collection.

Enter cyber deception. Cyber deception is a proactive cyber defense methodology that, when executed well, puts the defender in the driver's seat. It enables defenders to lead the attacker and gather intelligence about the adversary's tools, methods, and behaviors via a system of honeypots, lures, tripwires, and much more. It is a strategy that cyber professionals deploy to gain the upper hand in operations against attackers, decreasing dwell time, obtaining valuable cyber threat intel, and mitigating data loss.

However, people oftentimes have a hard time grasping how cyber deception is going to assist them. The word "deception" has a negative connotation, making cyber professionals unclear about how effective it can really be. But organizations must accept that the cyber process is quickly shifting to be more proactive. Playing catch-up is no longer an option.

Understanding who benefits most from cyber deception, knowing the skill sets and technologies that must be applied throughout, and learning how organizations can successfully deploy this defense mechanism are crucial steps to getting started.

**Who Benefits Most**

The most frequently asked question is who will benefit from cyber deception — and who won't. When it comes to knowing whether your organization is up for the task, first consider your environment. If you have existing cybersecurity solutions, such as endpoint detection and response (EDR) and security operations centers (SOCs), systems that require high-fidelity alerting, or robust threat intelligence capabilities that can conduct analysis, produce reports, and shape public security postures, you're a good candidate.

However, deception will never be an effective solution for a team that does not have the resources to address alerts in a timely manner. It is meant to give the defenders an opening by producing high-fidelity alerts on top of existing solutions; without the proper staffing, these alerts become useless. Cyber deception would be inappropriate for even a large enterprise environment if it doesn't have a dedicated team to help manage the deception.

**What Skill Sets and Technologies Are Required**

Staffing a highly skilled and experienced team, with a breadth of experience working in blue team/red team scenarios, is key. Adequate training helps these teams deploy high-interaction decoys, lures, and services that will truly entice threat actors. For an even stronger approach, having logging/alerting solutions that help them respond to these "tripwires" in a timely manner will make all the difference.

On the technology front, honeypots, breadcrumbs, lures, and canary tokens are all crucial tools to trip high-fidelity alerts that identify threat actors. These deception tactics work by simulating critical infrastructures, services, and configurations so attackers can interact with these false IT assets. This effectively increases the cost of an attack.

However, these techniques can present logistical deployment issues and challenges. They are difficult to distribute widely and require significant resources to maintain and implement, so security teams can usually only deploy a limited number. That means, at times, there are not enough tools and resources to effectively detect cyber threats as a method of moving-target defense.

**How to Deploy Cyber Deception Successfully**

To deploy cyber deception using a commercially available product, it is important to start with a plan that considers what comes with the product. From there, you should:

*   Take time to fully understand the product in place, establishing what it can and cannot do. After an initial pilot, prioritize a strategy around your high-value assets first if your organization is ill-prepared for an enterprise deployment.
*   Ensure that your staff is fully trained on the platform well in advance of the actual product deployment. They must be prepared to fuse this actionable data into routine SOC operations.
*   Identify and understand where within your environment stakeholders are comfortable using these deception products. If your CISO is not comfortable with a robust deception strategy, consider at least seeding false administrative credentials to defend against that common threat vector.

And if you don't want to use a commercially available product? The deployment plan would include similar preparation as the items outlined above, replacing the product with in-house experience and tools. These steps should include but are not limited to:

*   Develop the servers, services, and shares in a manner that is enticing to an attacker while also being able to alert immediately when they are interrogated.
*   Deploy and manage multiple sensors to feed back to an operations center.
*   Train and enable network defenders to be able to respond to these threats in a timely manner.

Without a framework, threat actors can easily work their way around a cyber deception plan, likely giving them the upper hand in such a time-sensitive environment.

Cyber deception tactics, techniques, and procedures (TTPs) have been around for quite some time, but they have recently gained mainstream attention because they can assist in credential compromise detection in zero-trust approaches. Deception technology will likely become more commonplace as an effective tool to complement existing defenses and tactics; however, the proper education, skill sets, and training are needed to make it a formidable defense mechanism for cyber generations to come.

How to Use Cyber Deception to Counter an Evolving and Advanced Threat Landscape

The vulnerability, disclosed In October, gives an unauthenticated attacker a way to take control of an affected product.

Fortinet customers that have not yet patched a critical authentication bypass vulnerability that the vendor disclosed in October in multiple versions of its FortiOS, FortiProxy, and FortiSwitch Manager technologies now have an additional reason to do so quickly.

At least one threat actor, operating on a Russian Dark Web forum, has begun selling access to multiple networks compromised via the vulnerability (CVE-2022-40684), and more could follow suit soon. Researchers from Cyble who spotted the threat activity described the victim organizations as likely using unpatched and outdated versions of FortiOS.

**Selling Access to Compromised Networks**

Dhanalakshmi PK, senior director of malware and research intelligence at Cyble, says the company's available intelligence indicates the threat actor might have access to five major organizations via the vulnerability. Cyble's analysis showed the attacker attempting to add their own public key to the admin user's account on the compromised systems.

"An attacker can update or add a valid public SSH key to a targeted account on a system and can then typically gain complete access to that system," Dhanalakshmi says. "Additionally, the threat actor could launch other attacks against the rest of the IT environment with the foothold and knowledge gained through exploiting this vulnerability."

Cyble said a scan it conducted showed more than 100,000 Internet-exposed FortiGate firewalls, a substantial number of which are likely exploitable because they remain unpatched against the vulnerability

Fortinet publicly disclosed CVE-2022-40684 on Oct. 10, a few days after privately notifying customers of affected products about the threat. The vulnerability essentially gives an unauthenticated attacker a way to gain full control of an affected Fortinet product by sending it specially crafted HTTP and HTTPS requests. Security researchers have described the vulnerability as easy to find and trivial to exploit because all that an attacker needs to do is gain access to the management interface of a vulnerable system.

**Popular Target for Attackers**

When Fortinet disclosed the vulnerability, it urged customers to immediately update to patched versions of the affected products and warned of active exploit activity targeting the flaw. It also urged companies that could not update to immediately disable HTTPS administration on their vulnerable Internet-facing Fortinet products. The US Cybersecurity and Infrastructure Security Agency (CISA) promptly listed the flaw its catalog of known exploited vulnerabilities and gave federal civilian agencies until Nov. 1, 2022, to address the issue.

Much of the concern stemmed from the popularity of Fortinet products — and technologies from other vendors in the same network edge category — among threat actors. Soon after Fortinet disclosed the flaw, proof-of-concept code for exploiting it became publicly available, and security vendors reported large-scale scanning activity targeting the flaw. The number of unique IP addresses targeting the flaw soared in a matter of days from the single digits to more than 40.

And that number has grown. James Horseman, exploit developer at Horizon3ai, a security vendor that did much of the initial research around the vulnerability, says the number of unique IPs currently targeting the Fortinet flaw has risen to 112, according to data from GreyNoise, which tracks malicious scanning activity on the Internet.

"These Fortinet devices are typically Internet-facing for corporations and are seldom monitored," adds Zach Hanley, chief attack engineer at Horizon3ai. "This combination makes it great for sustained initial access into a network for threat actors who are looking to conduct reconnaissance, deploy ransomware, steal data, etc."

Threat actors have hammered away in similar fashion at other Fortinet flaws for the same reason. Notable examples include CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591, a set of three flaws that Iran-backed threat groups were observed exploiting in numerous attacks. In April 2021, the FBI and CISA warned of other advanced persistent threat groups exploiting the same set of flaws in attacks against organizations in the US and elsewhere.

.

Cyberattackers Selling Access to Networks Compromised via Recent Fortinet Flaw

The bug could allow unauthorized access and takeover, earning it a spot on the Known Exploited Vulnerabilities Catalog.

A critical bug in Oracle's Fusion Middleware Access Manager has landed on the Cybersecurity and Infrastructure Security Agency's list of known exploited vulnerabilities. 

The critical flaw, tracked under CVE-2021-35587, could allow a threat actor to compromise and take over the Oracle Access Manager.

Oracle's Fusion Middleware is an enterprise cloud platform used by customers that include large telecom carriers and factories, according to its site.

CISA labeled it an an "unspecified" vuln. "Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to take over the Access Manager product," CISA warned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Oracle Fusion Middleware Flaw Flagged by CISA

Expect to see attackers expand their use of current consumer-targeting tactics while exploring new ways to target Internet users — with implications for businesses.

A combination of maturing and emerging consumer-facing cyber threats could add to the many challenges that enterprise security teams will need to contend with in 2023.

Researchers at Kaspersky, looking at how the cyber threat landscape will likely evolve over the next year, expect that threat actors will expand use of many of their current tactics while exploring new avenues for attack via social media, streaming services, and online gaming platforms.

For business admins, the expansion of brands into the world of the metaverse (the theoretical universal and immersive virtual world of the Internet, facilitated by the use of virtual reality and social media) could open them up to attack. And in the era of remote work and bring-your-own-device (BYOD), any consumer threat is potentially an enterprise one, so IT security teams would do well to follow the trends in this space.

**Attacks Using Current Techniques Will Grow...**

The security vendor for example expects that cybercriminals will continue to take advantage of the post-pandemic surge in consumer interest around online streaming services to try to distribute malware, steal data, and execute other malicious activity.

Many of the attacks will target individuals looking for alternate sources for downloading a legitimate streaming app, or a particular episode of a show. Expect to see cybercriminals use widely anticipated titles and streaming service provider names such as Netflix, Hulu, and Amazon Prime Video as lures to get users to download malware or to direct them to phishing sites, according to Kaspersky.

Consumers will also face more gaming subscription fraud and scams that involve online currencies and artifacts. Attackers will primarily target games that use currencies and allow sale of in-game items and boosters because they give threat actors a way to process money obtained from other illegal activities.

In a report earlier this year, Kount, an Equifax-owned fraud protection service, also identified online currencies as offering a plethora of opportunities for adversaries to launder money and carry out payment card fraud. "For example, a fraudster creates a free account for an online multiplayer game then uses stolen credit cards to fill up the account with in-game currency and skins," Kount researchers had noted, adding, "Once the account is loaded, the fraudster sells it on a trading site," for anywhere between several hundreds to several thousands of dollars.

Kaspersky expects that attackers will also try to exploit a continuing shortage in the availability of popular gaming consoles via fake pre-sale offers as well as fraudulent giveaways and discounts from online stores purporting to sell hard-to-find consoles.

**...Even as Threat Actors Explore New Attack Avenues**

Meanwhile, the metaverse, online education platforms, and certain categories of health-related apps will all become new avenues for attack in 2023, Kaspersky said.

Privacy will emerge as a major concern in the metaverse, Kaspersky predicted. "As the metaverse experience is universal and does not obey regional data protection laws, such as GDPR, this might create complex conflicts between the requirements of the regulations regarding data breach notification," Kaspersky said.

Others have also expressed concern over the increased amount of personal information that will be collected in fully immersive environments via VR headsets and their collection of cameras, microphones, and motion trackers. Many expect the data will reveal a lot about a user's location, appearance, and other private information while also enabling attackers to carry out more sophisticated phishing and social engineering scams.

At least some of the attacks in virtual reality and augmented reality environments will involve virtual abuse and sexual assault — such as that involving cases of avatar rape, Kaspersky said.

The security vendor pointed to an incident where an avatar associated with a researcher at a nonprofit advocacy group was raped on a metaverse platform owned by Meta as one example of the kind of issues consumers can increasingly run into.

Despite efforts by technology companies to build protection mechanisms into metaverses, "virtual abuse and sexual assault will spill over into metaverses," Kaspersky said. "As there are no specific regulation or moderation rules, this scary trend is likely to follow us into 2023."

"The metaverse represents an area where consumer threats will be different from years past," says Anna Larkina, a security expert at Kaspersky. "Fake, malicious VR and AR apps, as well as privacy risks and potential abuse associated with this new frontier, will account for threats we haven't necessarily seen before," she says.

Certain kinds of apps — such as those related to meditation or those where a consumer might offer a hint of their current emotional state — could become another new attack avenue, Larkina says.

"It is easy enough to imagine a variety of applications for meditation, in which you indicate your current state/emotions, and they select the appropriate course for you," she explains. "Such data can easily be collected and stored in order to track the state of the user and offer them suitable meditation practices." An attacker that gains access to such data could execute successful spear-phishing and social engineering scams in a highly targeted manner, she notes.

Attacks targeting consumers should matter to enterprise security teams because attacks on companies quite often involve the human factor, Larkina says. "If the system is technically secure enough, then you can get inside the system by 'hacking' employees of the company."

The Metaverse Could Become a Top Avenue for Cyberattacks in 2023

Elon Musk-owned Starlink, WhiteHouse.gov, and the Prince of Wales were targeted by Killnet in apparent retaliation for its support of Ukraine.

Killnet and its band of hacker collaborators are claiming they were able to pull off a trio of symbolic distributed denial-of-service (DDoS) attacks aimed at punishing some of the most critical supporters of Ukraine against the Russian invasion — Elon Musk's Starlink satellite broadband service and the websites of the White House in the US and the Prince of Wales in the UK. 

Researchers at Trustwave were able to find evidence corroborating the Russian-backed threat group's claims. 

Killnet claimed it took down Starlink service on Nov. 18, which has been critical for providing the Ukraine war effort with Internet connectivity. Indeed, Trustwave found Starlink customers on Reddit on the same day complaining they couldn't log in to their accounts for several hours. 

"You've been waiting for this comrades," Killnet posted on Telegram, according to Trustwave. "Collective DDoS attack on Starlink! No one can log into Starlink." 

Other threat groups, and known past Killnet collaborators, also claimed they were involved in the Starlink and other DDoS takedowns, including Anonymous Russian, Msidstress, Radis, Mrai, and Halva. 

**White House, Prince of Wales' Websites Targeted **

Besides Starlink, Killnet also bragged that it was able to successfully run "30 minutes of a test attack" on the White House's website on Nov. 17. 

"Of course, we wanted to take longer, but did not take into account the intensity of the request filtering system," Killnet added. "But!!! The White House was banged up in front of everyone!" 

Trustwave added that the White House uses military-grade protection against DDoS attacks from Automattic. 

Days later, on Nov. 22, the group launched yet another DDoS attack, this time against the Prince of Wales' site, and warned that the UK healthcare system would be next, the Trustwave team reported. Killnet also threatened future attacks against the London Stock Exchange, the British Army, and more. 

Along with its claim of the UK DDoS attack, Killnet added ominously, "today it does not work, perhaps this is due to the supply of high-precision missiles to Ukraine!" 

Although the targets are ambitious, Trustwave said Killnet and its cybercrime cohort aren't advanced enough to pull off more than basic DDoS attacks. 

"We should expect to see more of these low skill attacks from Killnet targeting an ever-growing list of targets that it considers to be in opposition to Russian interests," Trustwave said in its Tuesday report on the Killnet DDoS attacks. "However, it remains to be seen whether the group can graduate to attacks that cause damage, exfiltrate data, or do more than take down a website for a short period of time."

Killnet Gloats About DDoS Attacks Downing Starlink, White House

A lack of federal regulatory legislation leaves US privacy concerns to battle for attention with other business priorities.

Over the past 15 years, several events have reshaped how we think about data — what it means from a business perspective and what rights individuals have regarding how their personal information is used. Data security governance undoubtedly will play a large role in the future; however, conversations are still in relatively early stages. 

In 2016, when European regulators created the General Data Protection Regulation (GDPR) as a legislative framework that clearly mandates rules and fines, a fundamental shift occurred that elevated privacy to a board-level discussion. This resulted in CEOs taking part in the conversation while empowering the C-suite to make more decisions. 

Next, the data culture quickly evolved from one of implicit trust (where organizations freely used data without much restriction) to limiting risk (controlling data access based on regulations and customer feedback). While the data protection industry in Europe has made great strides since GDPR came into existence, we still have a long way to go because, for decades, technology solutions were built without privacy in mind. 

In the United States, the picture is quite different, as the lack of federal regulatory legislation leaves privacy concerns to battle for attention with other business priorities. Let's dig deeper into what the future of data privacy looks like across the pond. 

**Beyond Cookies: Delving Beneath the Data Veneer**

Marketplaces built around selling data need to pivot, because the future is about protecting individual data rights and that change goes far beyond a website pop-up asking to approve the use of cookies. Historically, data brokers have cashed in on users' data, which precipitated state laws in Vermont and California that aim to protect consumers by identifying the brokers and determining how they use the information. 

Tech giants like Apple and Google have also increased privacy protections with app-tracking transparency and plans to phase out third-party cookies. These titans of industry are pioneering an important movement that other companies need to follow. There's hope that legislation may spark further change, especially with privacy receiving bipartisan support.

If the American Data Privacy and Protection Act (ADPPA) takes effect in the United States, the biggest win would be a common standard for how to handle data. States like California have already established stricter standards for data privacy through the California Consumer Privacy Act (CCPA). Compliance requirements and hefty fines would be important accelerators in protecting consumer data. 

**Privacy Needs Security **

A comprehensive data security strategy is essential and a prerequisite to an overall privacy-centric posture for data-driven organizations. It's imperative to implement scalable, fine-grained access controls so policies can keep the data safe in the first place.

As the pendulum shifts toward implementing broader and complete data security strategies, companies need to adjust. The work of chief information security officers (CISOs), chief data officers (CDOs), and chief information officers (CIOs) alongside their actions is more critical than ever, because they are responsible for implementing tools and processes that help align companies toward their privacy-related goals. The increased focus on a complete data security strategy applies to data-driven organizations of any size. 

A Cisco study cites that 92% of organizations claim privacy to be integral to their culture, but it comes with a technical challenge. Oftentimes, CISOs and CIOs are confronted with data spread across their organization and they need to gain visibility into all their siloed, heterogeneous data to understand who controls, maintains, processes, and accesses which parts of the data. 

This challenge is exacerbated by the need to modernize with cloud-native technologies so companies have a better understanding of how data is used and that it is used in accordance with privacy guidelines, principles, and any governing legislation. 

**A Look into the Future**

None of this happened by accident. Consumers didn't like data collection practices and they spoke up. Legislators heard from their constituents and started creating regulations like the ADPPA. Companies started serving consumers differently and taking data privacy seriously.

Consumer awareness of how data is collected and used is becoming mainstream. According to HubSpot's "2022 State of U.S. Consumer Trends Report," 80% of consumers consider data privacy a human right and believe individuals should have complete control over how companies use their data. As a result of these growing trends, more businesses should leverage privacy as a differentiator. 

There is still a gap between companies' intent to satisfy data privacy concerns and the action that protects that information. As consumers become better educated about how their data is used, and legislation inches closer to reality, it becomes even more critical. Making the right investments in data security provides visibility, access control, and insights into your data while ensuring compliance, and can help make all the difference.

Why the Culture Shift on Privacy and Security Means Today's Data Looks Different

**SINGAPORE, Nov. 29, 2022 /PRNewswire/ —** CDNetworks, the global-leading CDN (Content Delivery Network) and Edge Service Provider, released its annual State of Web Security Report for H1 2022. The Security Report notes that distributed denial-of-service (DDoS), bot, and Application Programming Interface (API) attacks increased at an alarming rate in H1 2022. Web application attacks also increased over the same period, but at a much slower rate than DDoS attacks. CDNetworks believes this trend shows that security tools focusing on single attacks are no longer effective against today's multiple cyber threat landscape. Leveraging a comprehensive security solution has never played a more important role for businesses and individuals.

**Surging Trend for All Types of Attacks:**

Of particular note are the following indicators noted in the Security Report:

*   The level of DDoS attacks topped 2.09 TBPS, which broke the record level of traffic-induced DDoS attacks.
*   The number of web application attacks increased by 12.56% over the same period last year, reaching 62.8875 million per day.
*   Malicious bot attacks surged 2.27 times over the same period in 2021, with 77.366 billion incidents recorded.
*   The number of API attacks had a 168.80% increase over the same period in 2021, with 9.0865 million API attacks blocked daily in H1 2021.

The Security Report goes on to say that data generated by the CDNetworks' security platform shows that risks of data breaches continue to escalate. This risk stems from the fact that increasing amounts of data and devices are being exposed to the network, making them vulnerable to the dual threat of external attacks and internal breaches. At the same time, API security threats continue to rise at breakneck speed, and the security challenges they present exceed those of traditional webpages. The end result is confirmation that the cybersecurity environment continues to change dramatically.

"As enterprises shift their business to the cloud, we found that some traditional web-protection rules no longer offer the capabilities they once did in combatting today's complex and virulent cyberthreats. What enterprises actually need are security solutions that address cloud and hybrid environments holistically in a comprehensive and systematic security architecture." said Doyle Deng, head of Global Marketing and Product of CDNetworks. "For this reason, we strongly recommend that enterprises adopt CDNetworks' WAAP services to secure their data and their business with more beyond rule-based web protections. Features such as web application firewall, DDoS protection, bot management, and API management capabilities empower enterprise users of our WAAP services to establish a comprehensive cornerstone that has been proven effective in combatting API and web application attacks."

The Security Report also monitored security associated with telecommuting within today's enterprises. As the long-term global impact of COVID-19 takes hold, organizations are starting to accept remote a remote workforce and cloud-based applications as an alternative to on-premise workers. The Security Report compared policies governing centrally managed corporate devices to policies aimed at Bring Your Own Devices (BYODs), which allow employees to use their own devices — phone, laptop, tablet, or other device — to access business applications and data, rather than forcing employees to use company-provided devices for that purpose. The Security Report found that BYOD rules generally lack a clear security management policy, making them vulnerable to targeted hacking attacks. To address this, CDNetworks recommends that enterprises select Enterprise Secure Access (ESA), our zero-trust access solution, to establish a secure, efficient, and easy-to-use hybrid networking environment.

Click here to download State of Web Security Report for H1 2022 or visit at www.cdnetworks.com.

**About CDNetworks  
**As a global-leading CDN (Content Delivery Network) and Edge Service provider, CDNetworks delivers fully integrated cloud and edge computing solutions with unparalleled speed, ultra-low latency, rigorous security and reliability. Our diverse products and services include web performance, media delivery, enterprise applications, cloud security, and colocation services — all of which are designed to spur business innovation.

Source

DARKReading