The manufacturer is working to fix a vulnerability — similar to a previous problem in Lenovo laptops — that allows threat actors to modify or disable Secure Boot settings to load malware.

Acer is working to fix a firmware flaw affecting five of its laptop models. An exploit could allow attackers to disable a machine's Secure Boot settings to bypass key security measures and load malware, researchers have found.

ESET Research researcher Martin Smolar discovered the flaw, tracked as CVE-2022-4020, in the HQSwSmiDxe DXE driver on some versions of consumer Acer Aspire and Extensa notebooks. An attacker with elevated privileges can use the flaw to modify UEFI Secure Boot settings via an NVRAM variable, ESET disclosed in a series of tweets posted Nov. 28.

"#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe, which checks for the 'BootOrderSecureBootDisable' NVRAM variable," according to ESET. "If the variable exists, the driver disables Secure Boot."

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, OS files, and unauthorized option ROMs by validating their digital signatures. The feature blocks any malicious activity before it can infect the system.

By exploiting the flaw, threat actors can bypass this feature and run whatever code they want on the machine, malware or otherwise, even achieving persistence in a case in which an OS is reinstalled, the researchers said.

**Different Manufacturer, Similar Security Vulnerability**

Specifically, CVE-2020-4020 affects Acer Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G notebooks. The flaw creates a similar opportunity for attackers to the one caused by vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 that ESET researchers found in early November in various Lenovo Yoga IdeaPad and ThinkBook devices, and subsequently detailed extensively in a series of tweets.

As in that case, ESET also reported the vulnerability to the computer manufacturer for remediation. Acer quickly responded on Nov. 29 with a security update corroborating Smolar's findings and stressing the serious nature of the flaw.

"By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process," the company said. "This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges."

Acer is working on a BIOS update to resolve the issue that it will post on the Acer Support site, and recommends that affected users update their BIOS, once available, to the latest version to resolve the problem. The patch also will be included as a critical Windows update, the company said.

**Common NVRAM Variable Problem**

In both the Lenovo and Acer scenarios, attackers can exploit the Acer bug by creating special NVRAM variables, the actual value of which is not important—the existence of the variable itself is the only thing an affected firmware driver checks, the researchers noted.

NVRAM variables define a name for the boot option that can be displayed to a user. The variable also contains a pointer to the hardware device and to a file on that hardware device that contains the UEFI image to be loaded.

This problem appears to be quite well known, with researchers already advising against firmware developers storing security-sensitive components in these variables. Firmware security engineer Nikolaj Schlej even tweeted a plea to firmware developers in October to "stop using common NVRAM as trusted storage" because of the security problem it poses.

"It is indeed really tempting to use NVRAM or CMOS SRAM for storing triggers for various things, but both need to be assumed being under full attacker control," he said in a response to his own tweet. "Even volatile NVRAM variables aren't completely safe because there is still a chance of incorrect attribute check."

In the case of the Lenovo flaws, it does appear that developers already were aware of the issue before it made its way into the company's laptops, as some of the affected components were only meant to be used during manufacturing and were mistakenly included in production, according to ESET.

Acer Firmware Flaw Lets Attackers Bypass Key Security Feature

Nok Nok’s S3 Suite brings next-level MFA to UberEther’s IAM Advantage Platform to protect the US federal government and its suppliers.

**San Jose, CA - November 29, 2022 —** Nok Nok, a leader in FIDO (Fast IDentity Online) authentication solutions and a founder of the FIDO Alliance, today announced it is partnering with UberEther, a leading provider of identity and access management solutions to the federal government. Together they will extend FedRAMP certification of UberEther's IAM Advantage platform with innovative cybersecurity capabilities requested by some of the world’s highest-profile agencies and organizations.

FedRAMP’s standards-based approach to security assessment and authorization enables federal agencies, customers, and their suppliers to transition from insecure legacy IT infrastructure to mission-enabling, secure, and continuously-monitored cloud solutions with an increased focus on securing and protecting federal information.

UberEther’s IAM Advantage model is FedRAMP High and DoD Impact Level 5 ready, which means that even the most closely monitored companies can run their identity in the cloud more securely, efficiently, and effectively. Once UberEther is fully FedRAMP authorized, it will have one of the only private-tenant, cloud identity solutions available in the federal marketplace that government agencies use to find compliant, FedRAMP-approved cloud services. This designation builds on UberEther’s highest commitment to security standards.  

“Nok Nok is very honored to partner with UberEther to deliver trusted IAM solutions to the largest government agencies with built-in next-level MFA that meets the highest levels of security,” said Nok Nok CEO Phillip Dunkelberger. “Nok Nok’s FIDO authentication solutions add key features and benefits per the federal mandate in the White House’s 2021 Cybersecurity Executive Order that defines how the government will lead by example in adopting best of breed cybersecurity capabilities. Nok Nok and UberEther’s partnership adds new innovation to mandated FedRAMP solutions that enables government agencies and their supplier networks to become phishing-resistant and therefore more secure, while also becoming easier to use.”

“At UberEther, we're extremely excited to be working with Nok Nok on this opportunity to bring phishing-resistant credentials to the federal government,” said Matt Topper, President and CEO, UberEther. “We're not only focused on enabling citizens and partners of the federal government to connect to services more securely, but we're also enabling service members, civilians, government employees, and contractors to work with mission-critical systems more easily.”

“We all know that zero trust is the future of security within the federal government and worldwide, and identity is the first pillar of zero trust that we need to protect the nation. With Nok Nok inside, government agencies and their suppliers will be able to offer more secure sign-in and a great user experience that's better than anything we've been able to provide before,” continued Topper.

Robert Lentz, a member of Nok Nok’s Board of Advisors and who served our nation as Deputy Assistant Secretary of Defense and the first Chief Information Security Officer for the Department of Defense added, “I am excited about the future that Nok Nok and UberEther are creating. With FIDO passkeys built into device hardware and software applications, and now FedRAMP standards incorporating phishing-resistant MFA, we are keeping our nation’s networks safe along with the agencies, partners, civilians, and government employees who use these networks”.

**About UberEther**

UberEther effectively builds and efficiently runs the security, identity, and access management services that protect many of our nation’s most critical assets. Identity is the core foundation for secure services in every organization, and we pride ourselves on protecting it. Our established and dependable UberEther team delivers identity solutions for some of the most trusted government agencies and supplier networks.

Since 2009, the UberEther team has been building simple, secure, sustainable customer solutions for local and Federal Government agencies and within the Intelligence Community. We are passionate about using technology to solve problems, and we use this passion to prove innovative solutions on our own time before bringing these innovations to our customers. Our diverse background of development, integration, and operations skills allows our team to take into account all aspects of a solution and ensure that what works great in the lab will excel in production.

For more information, visit UberEther.com, read our company blog, and follow us on LinkedIn, Twitter, and YouTube.

**About Nok Nok**

Nok Nok is a global leader in passwordless customer authentication. Delivering the most innovative FIDO solutions for the authentication market today, Nok Nok empowers global organizations to dramatically improve their user experience and security, and reduce operating expenses while meeting the most advanced privacy and regulatory requirements. TheNok Nok™ S3 Authentication Suite integrates into existing security environments to deliver proven, FIDO-enabled passwordless customer authentication. Headquartered in Silicon Valley, California, the company has delivered unique inventions and innovations protected by a robust global patent portfolio. As a founder of the FIDO Alliance and an innovator of FIDO standards, Nok Nok is an expert in next-level, multi factor authentication. Global customers trust their customer authentications with Nok Nok’s S3 Suite for their user registrations, sign-ins, and payment confirmations. Nok Nok’s customers and partners include Verizon, Intuit, T-Mobile, BBVA, NTT DOCOMO, NTT DATA, MUFG Bank, AFLAC Japan, Standard Bank, Fujitsu Limited, and Hitachi.

For more information on Nok Nok and phishing-resistant FIDO MFA, visit www.noknok.com, read our company blog, follow us on LinkedIn, see our company videos on YouTube, and read (_Director, CISA)_ Jen Easterly’s blog post on next-level-mfa-fido-authentication.

Nok Nok and UberEther Partner to Deliver Phishing-Resistant MFA FedRAMP-Certified IAM Solutions

Today's cyber environment requires less emphasis on detection and perimeter defenses and more focus on bolstering security with resilience.

The federal government has once again signaled that our traditional approach to cybersecurity, one predicated solely on prevention and perimeter defenses, is failing us. In the past two years alone, 76% of organizations were attacked by ransomware, and 66% experienced at least one software supply chain attack. Now, the Cybersecurity and Infrastructure Security Agency (CISA) is the latest federal entity to shake up cybersecurity best practices — underscoring that we need drastic change to withstand today's dynamic threat landscape. 

CISA, the group tasked with strengthening our national approach to cybersecurity and securing critical infrastructure, has released a strategic plan that outlines four goals that must be met to address the "diverse and dynamic challenges facing our nation." The CISA Strategic Plan 2023-25 is the first of its kind for the agency, which was founded four years ago. The plan is light on details, but it's notably marked with a move away from traditional prevention and detection approaches toward "resilience."

The first of CISA's outlined objectives is to "enhance the ability of federal systems to withstand cyberattacks." Federal agencies should be prepared for and able to rapidly recover from cyberattacks and incidents, as well as maintain mission continuity during and after cyberattacks and incidents.

That the agency places this goal above the ability to actively detect cyberthreats (Objective 1.2) speaks volumes about today's priorities. Instead of focusing first on preventing and detecting breaches, CISA is acknowledging that breaches will occur. This marks a subtle but dramatic shift in thinking. Only by recognizing that cyberattacks and breaches are inevitable can we effectively reduce their impact.  

**A Marked Shift Away From Prevention**

Detection, firewalls, and perimeter defenses represent cybersecurity’s status quo — fundamentally, the same strategy employed since the dot-com era. But in the past decade, hyperconnectivity and hybrid work have become the norm — drastically expanding the attack surface. The painful takeaway from the long string of ransomware attacks and breaches we've witnessed during the past three years (Colonial Pipeline, Kaseya, SolarWinds, and many more) is that legacy solutions and traditional cyber approaches focused solely on keeping bad actors out no longer provide adequate protection.

If we consider CISA's plan in combination with the Biden Administration's May 2021 Executive Order on Improving the Nation’s Cybersecurity, which mandated that federal agencies must implement zero-trust architectures, it's clear that protecting our most critical infrastructure is now more about ensuring continuous operations, proactive risk mitigation, and resilience than preventing digital break-ins entirely. In fact, CISA's strategic plan mentions the word "resilience" 30 times.

Withstanding attacks through resilience is among zero trust's core principles, along with the concepts of assume breach, least privilege, and "never trust, always verify." In fact, zero trust is the rational response to the current threat landscape, with our hyperconnected, multicloud environments and sophisticated cyberattackers constantly changing strategies.  

Breaches are inevitable today, but zero-trust tools and technologies are designed to shrink the initial attack surface and curtail the larger implications of attacks — for example, preventing a single breach from turning into a larger supply chain failure.

**Driving Real Change**

CISA's plan is encouraging. For one thing, it is recognition that the government believes zero trust is the way forward. It's also another indication that federal security leaders are serious about shoring up our national resilience in cyberspace.

We know that our critical infrastructure will continue to be a top target for digital adversaries. In 2021, according to the FBI, ransomware attacks hit 649 US critical infrastructure entities, and nearly 90% of all US critical infrastructure sectors were hit by a successful ransomware attack.

Still, the devil is in the details. CISA's plan offers rough specifics, but goals, standards, and deadlines must be set. Accountability must be mandated.

For the CISA plan to accomplish any of its goals, it will require cooperation from both the government and private stakeholders. Fueling these objectives will also require a commitment to continuous funding and resources. Without sufficient finances and personnel, agencies don’t have the bandwidth to act on their goals, let alone be held accountable. CISA's goals are admirable and a step in the right direction, but without a clear outline of funding priorities, there's little assurance that goals and plans like these will come to fruition.

Today's most daunting cyber challenges boil down to this: History has proven that the concept of preventing intrusions by building digital moats and walls is a fantasy. Modern organizations — private or public — are bound to be breached. What we need is more emphasis on breach containment, end-to-end visibility, and more private-public cooperation. We need more accountability, and we need to move faster toward zero trust to fuel national resilience.

CISA's Strategic Plan Is Ushering in a New Cybersecurity Era

**MILWAUKEE, Nov. 29, 2022 /PRNewswire/ —** In an effort to understand key factors and concerns impacting U.S. Internal Audit executives, Jefferson Wells, the Finance & Accounting, Internal Audit, Risk & Compliance, and Tax professional services firm, part of ManpowerGroup (NYSE: MAN), announced today results from its sixth annual Internal Audit Priorities survey. While cybersecurity continues as the number one risk, Environmental, Social, and Governance (ESG) jumped up to number two on the list of emerging risks.

"Cybersecurity remains the top concern for many executives, who are seeing their audit teams expand their coverage of Information Technology Governance," said Jim Gusich, ManpowerGroup's Chief Audit Executive. "But this year's survey also reveals the growing importance of ESG as more organizations are increasing their commitment to developing comprehensive ESG strategies in 2023 and beyond."

Many Internal Audit leaders expressed concern about Internal Audit Departments struggling to keep fully staffed, amid the ongoing pandemic and shifts in how and where auditors work. The survey shows 53% are working hybrid and 25% are fully remote.

"Today's Chief Audit Executives are faced with balancing constrained audit resources with the consistent pressure to expand audit coverage within their organizations," Tim Lietz, National Practice Director, Risk & Compliance at Jefferson Wells, said. "Companies are experiencing a 100% increase, year-over-year, in audit departments deferring audits because resources aren't available. Due to the current state of the job market, many internal audit departments have not been fully staffed over the past 12-18 months."

**KEY FINDINGS**

*   The top five areas for Audit Committees are Data privacy and cybersecurity (43%), Emerging risks and impacts on major initiatives (37%), Strategic risk (33%), ESG (31%), and Employee retention (29%).
*   With the growing importance of ESG, 71% of Chief Audit Executives (CAE) are including an assessment of ESG in their audit plans.
*   As ransomware and other attacks have exponentially increased in both frequency and ferocity, Internal Audit departments are now shifting more attention to preventative, strategic methods of cyber defense.
*   As operational involvement increases, internal audit leaders are looking for other ways to enhance their audit function. Two areas with the highest return on investment are data analytics (52%) and other internal audit specific technologies (48%).

For the complete 2022 Internal Audit Priorities survey results, visit www.jeffersonwells.com.**ABOUT JEFFERSON WELLS**

Jefferson Wells is a professional services firm delivering solutions in Finance & Accounting, Internal Audit, Risk & Compliance, and Tax. We provide consulting, thought leadership, integrated resourcing, and executive search. Jefferson Wells is a part of the ManpowerGroup family of companies.

**ABOUT MANPOWERGROUP**

ManpowerGroup® (NYSE: MAN), the leading global workforce solutions company, helps organizations transform in a fast-changing world of work by sourcing, assessing, developing, and managing the talent that enables them to win. We develop innovative solutions for hundreds of thousands of organizations every year, providing them with skilled talent while finding meaningful, sustainable employment for millions of people across a wide range of industries and skills. Our expert family of brands – Manpower, Experis, and Talent Solutions – creates substantially more value for candidates and clients across more than 75 countries and territories and has done so for over 70 years. We are recognized consistently for our diversity – as a best place to work for Women, Inclusion, Equality, and Disability, and in 2022 ManpowerGroup was named one of the World's Most Ethical Companies for the 13th year – all confirming our position as the brand of choice for in-demand talent.

Cybersecurity and ESG Among Top Areas of Concern for Audit Leaders in 2023

Senior cybersecurity professionals reveal their number one frustration is the inability to continuously measure enterprise-wide security posture and identify control failures.

**LONDON and NEW YORK, Nov. 29, 2022 /PRNewswire/ —** Panaseer, a leader in security posture management using Continuous Controls Monitoring, today released the third edition of its Security Leaders Peer Report looking at the concerns and constraints currently faced by CISOs and other senior cybersecurity leaders across the US and UK. The survey of over 800 respondents from large organisations conducted by Censuswide found that almost 9 in 10 security leaders see the failure of controls expected to be in place as the primary reason for data breaches, and 79% of enterprises have experienced cyber incidents that should have been prevented with existing safeguards. As a result, most breaches are preventable but are still occurring – and security leaders are becoming increasingly frustrated.

For the first time, the 2023 report examines how security professionals are personally impacted by the high-pressure environment they work in. Many revealed that a lack of visibility and understanding of their security posture is the leading cause of their frustrations – specifically, the inability to continuously measure enterprise-wide security posture and identify control failures (ranked as number one, with 70% frustrated). Incidents that should have been stopped by an expected control followed closely, with 68% exasperated by this inability to stop preventable breaches. Respondents also pointed to issues with data and tooling as a bigger driver for security team resignations than demands for higher salary and greater seniority.

Each year, the report also looks at how much time security teams dedicate to manually collecting and reporting on security data. This year, Panaseer found that teams spend 59% of their time on these tasks – a 9% increase on the previous year's research, and a 64% rise from the first survey in 2019. In fact, 70% of security teams now spend more than half of their time on manual reporting, leaving less time for threat detection and vulnerability patching.

As explained by Andreas Wuchner, Field CISO at Panaseer, "To effectively reduce the significant amount of time spent manually reporting, CISOs and their teams need to be looking to automation. As well as freeing up qualified security professionals to dedicate time to higher value tasks – from threat detection to business continuity planning – automation provides the road to accurate, trustworthy data. We need to prioritise the maturation of automation, metrics and risk management in order to help teams cope with heavy reporting workloads."

**Measuring risk**In overcoming the issue of preventable breaches and frustrated security teams, only 44% of organisations are extremely confident in their ability to continuously measure their control gaps. Respondents have pointed to a lack of internal resources (39%), inability to evidence remediation (38%), ineffective tooling (34%) and poor control failure visibility (34%) as the reasons behind this lack of confidence.

However, 82% agree that monitoring and addressing expected controls failure and risk would likely have a bigger impact on their security posture than buying additional tools. This is particularly pertinent given the issue of tool sprawl – the two previous reports have found that it's not uncommon for organisations to use more than 75 or even 100 security tools.

Fortunately, awareness of how these control failures can be addressed is growing. 88% of security leaders stated they are likely to implement a Continuous Controls Monitoring (CCM) platform in the next two years, a solution critical to measuring and advising on security control effectiveness. That compares to 79% who said the same in 2022.

"Unfortunately, the majority of breaches we see occur because of a preventable security control failure," says Jim Doggett, CISO at Semperis. "By going back to basics, reducing complexity and truly knowing their security stack – the tools they have and their utilisation – security leaders can achieve an end-to-end view of their organisations' security posture. And increasingly, they are converging on CCM to provide the single source of truth they need to do so."

Other key findings from the report point towards a lack of confidence in _what_ to measure to improve security posture. These include:

*   Nearly all (99%) security leaders are actively engaged in trying to benchmark their security metrics, policies and standards, but almost three-quarters (72%) admit they are not absolutely satisfied with their ability to do so currently
*   Less than half of respondents are highly confident they are continuously evaluating best practice security metrics specifically aligned to their organisational size and industry
*   Of the remainder, 47% simply don't know the right metrics to monitor and 51% don't have the resources to help them do it

To find out more, read the full Security Leaders Peer Report here.

**About Panaseer**Panaseer is an enterprise cybersecurity automation and data analytics company that helps organisations stop preventable breaches by ensuring security controls are fully deployed and working effectively — maximising their security investments and resources. Control failures are the biggest problem in cybersecurity, with 79% of organisations admitting to being surprised by a security event that evaded existing controls.

Panaseer's Continuous Controls Monitoring platform gives a complete, trusted view of security controls, with metrics and measures guidance aligned to best practice frameworks that improve collaboration and prioritisation. With $262 billion spent on cybersecurity tools in 2021, CCM means organisations can do more for less by getting the most out of their existing security investments.

For more information visit: **www.panaseer.com**

9 Out of 10 Security Leaders State That Control Failures Are the Primary Reason For Data Breaches

Once isolated occurrences, nation-state attacks are now commonplace; security professionals should know the elements of defense.

Throughout the ongoing war on Ukraine, known and suspected Russian nation-state actors have compromised Ukrainian targets. They’ve used a combination of techniques including phishing campaigns, exploiting unpatched vulnerabilities in on-premises servers, and compromising upstream IT service providers. These threat actors have also developed and used destructive wiper malware or similarly destructive tools on Ukrainian networks.

Between late February and early April 2022, Microsoft saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine. After each wave of attacks, threat actors modified the malware to better avoid detection. Based on these observations, we’ve developed strategic recommendations to global organizations on how to approach network defense in the midst of military conflict.

**Common Russian Intrusion Techniques**

Russia-aligned cyber operations have deployed several common tactics, techniques, and procedures. These include:

*   Exploiting public-facing applications or spear-phishing with attachments/links for initial access.

*   Stealing credentials and leveraging valid accounts throughout the attack life cycle, including within Active Directory Domain Services and through virtual private networks (VPNs) or other remote access solutions. This has made identities a key intrusion vector.

*   Using valid administration protocols, tools, and methods for lateral movement, relying on compromised administrative identities in particular.

*   Utilizing known, publicly available offensive capabilities, sometimes disguising them with actor-specific methods to defeat static signatures.

*   “Living off the land” during system and network discovery, often using native utilities or commands that are nonstandard for the environments.

*   Leveraging destructive capabilities that access raw file systems for overwrites or deletions.

**5 Ways to Safeguard Your Operations**

Based on our observations in Ukraine so far, we recommend taking the following steps to safeguard your organization.

**1\. Minimize credential theft and account abuse:** Protecting user identities is a critical component of network security. We recommend enabling multifactor authentication (MFA) and identity detection tools, applying least-privilege access, and securing the most sensitive and privileged accounts and systems.

**2\. Secure Internet-facing systems and remote access solutions:** Ensure your Internet-facing systems are updated to the most secure levels, regularly evaluated for vulnerabilities and audited for changes to system integrity. Anti-malware solutions and endpoint protection can detect and prevent attackers, while legacy systems should be isolated to prevent them from becoming an entry point for persistent threat actors. Additionally, remote access solutions should require two-factor authentication and be patched to the most secure configuration.

**3\. Leverage anti-malware, endpoint detection, and identity protection solutions:** Defense-in-depth security solutions combined with trained, capable personnel can empower organizations to identify, detect, and prevent intrusions impacting their business. You can also enable cloud-protections to identify and mitigate known and novel network threats at scale.

**4\. Enable investigations and recovery:** Auditing of key resources can help enable investigations once a threat is detected. You can also prevent delays and decrease dwell time for destructive threat actors by creating and enacting an incident response plan. Ensure your business has a backup strategy that accounts for the risk of destructive actions and is prepared to exercise recovery plans.

**5\. Review and implement best practices for defense in depth:** Whether your environment is cloud-only or a hybrid enterprise spanning cloud(s) and on-premises data centers, we have developed extensive resources and actionable guidance to help improve your security posture and reduce risk. These security best practices cover topics like governance, risk, compliance, security operations, identity and access management, network security and containment, information protection and storage, applications, and services.

**What This Means for the Global Cybersecurity Landscape**

As the war in Ukraine progresses, we expect to discover new vulnerabilities and attack chains as a result of the ongoing conflict. This will force already well-resourced threat actors to reverse patches and carry out “N-day attacks” tailored to underlying vulnerabilities. All organizations associated with the conflict in Ukraine should proactively protect themselves and monitor for similar actions in their environments.

Microsoft respects and acknowledges the ongoing efforts of Ukrainian defenders and the unwavering support provided by the national Computer Emergency Response Team of Ukraine (CERT-UA) to protect their networks and maintain service during this challenging time. For a more detailed timeline of Russia’s cyber assault on Ukraine, explore the full report.

What Every Enterprise Can Learn From Russia’s Cyber Assault on Ukraine

The enterprise's shift to the cloud means digital forensics investigators have had to adopt new remote techniques and develop custom tools to uncover and process evidence off compromised devices.

With more organizations moving to the cloud for storage, applications, and processing, digital forensics investigators increasingly require new tools and techniques capable of conducting investigations on systems where they have no physical access.

Gone, for the most part, are the days when the forensics investigator could pop out the hard drive of an on-premises server for a forensic image and simply analyze it for clues on what happened. Hands-on evaluations of physical evidence, formerly the norm in forensic investigations, are now the exception. Today’s cloud-based network could be located almost anywhere — for European Union cloud infrastructures, servers generally have to be in the same country as where the data was created, but that’s as specific as the law gets. For the most part, investigators have no direct access to the servers.

Instead, companies need to work with their cloud providers in advance to articulate clearly what access they can have before an event occurs, says Thomas Brittain, former managing director of cyber risk at Kroll who recently joined Amazon Web Services as a security leader for cloud response.

For example, ask the cloud provider up front about any limitations during an investigation, Brittain recommends. Questions include: What logging or log sources are available from each of your cloud vendors? How do you ensure that your personnel have the training and the understanding to do an investigation in that cloud environment?

Considering that investigators will not have physical access to compromised disk drives, enterprises need to ensure ahead of time that the investigators will have the ability to obtain a forensic image of the hard disk even without having actual physical access. That may mean the provider’s staff would need to create and provide the image to the investigators, or the provider would allow the investigators virtual access to the compromised devices.

**Cloud-Ready Forensics Tools**

New digital forensics tools and techniques are necessary to uncover electronic evidence for processing into actionable intelligence for cloud-based data breaches, ransomware attacks, and other cases of malfeasance.-

Because there are no standardized tools designed to meet every cloud vendors’ network needs, many forensics teams develop custom applications. But there is still a problem. “It's insane, trying to figure out standardized training, there is no, there are no standardized tools,” Brittain says.

“We've had to adapt from more of a forensic standpoint to more of a live-by-instant-response in triage,” concurs Aaron Crawford, senior security consultant with NCC Group’s North America Incident Response. “The lines between triage and forensics have absolutely blurred with the introduction of the cloud. It's even more complicated because you have several flavors of clouds out there and providers such as Tencent, Google, Amazon, and Microsoft — the primary Big Four out there.”

Crawford also acknowledges the lack of industry-standard tools. “We've had to become our own tool smiths now. We've had to write our own tools \[and\] create our own custom solutions to address a lot of these issues to help relieve the burden for our clients,” he says. “One of the biggest things that's changed is that immediacy for information and updates is absolutely critical. And that's because the threat landscape changed. The threat landscape got significantly more malicious, and the repercussions are even greater than they were before.”

While forensics teams are creating tools for the various environments, they also need to ensure that their tools will interoperate with existing security tools. Custom tools need to be “sustainable, explainable, \[and\] repeatable. If I go to court as an expert witness, I have to make sure that those tools are repeatable, and you can understand them, and someone else other than me can use them.”

Wayne Johnson, director of Global Cyber Incident Response and leader of the forensics practice at Protiviti, also sees challenges and possibilities with custom forensic tools. “From an interoperability perspective, I think that's incumbent on those that are that are making those one-off tools, \[that\] as the different coding languages change, as the different coding capabilities increase, the digital forensics domain has to be able to move with them right and be able to understand those," he says.

“Even with traditional architectures that are that are on-prem, there are many organizations that still have their own custom code and custom applications. So be those in the cloud or on prem., the same concept applies.”

**Soliciting Board Support**

As the attack surface grows, in part due to the explosion of internet of things (IoT) devices, cybersecurity experts need a place at the table with the board of directors and general counsels, Johnson notes. Ultimately, combining the digital forensics capabilities with incident response is “an area where we've really seen the board's taking notice and realizing that there's definitely a conversation there.”

The added benefit to having a cyber-savvy board member is to help the other board members “understand and interpret what’s coming from the CISO and the CIO.” The addition of cybersecurity experts on the board, combined with a cyber-knowledgeable general counsel, will further bolster the board’s understand on what cybersecurity and forensics can do to protect corporate assets.

“I think we're seeing, we're seeing a much more sophisticated and cyber-savvy boards starting to emerge as you start looking across various industries,” Johnson says.

How the Cloud Changed Digital Forensics Investigations

Don’t fuss now — just another spoonful of multifactor authentication to keep the organization strong and the data safer.

Don’t fuss now — just another spoonful of multifactor authentication to keep the organization strong and the data safer.

Like it or not, vegetables are good for us. They reduce our risk of chronic diseases and deliver the vitamins our bodies need. And yet, the CDC reports that only 10% of American adults eat enough veggies — even though they likely know they should. Companies are the same when it comes to security.

There are 921 password attacks every second — almost double what we saw a year ago. Basic security hygiene like multifactor authentication (MFA) can protect against 98% of attacks, but 38% of large companies and 62% of small to midsize companies don’t do it. Enabling MFA adds another layer of protection to prevent threat actors from accessing internal networks. But if strengthening a company’s cybersecurity posture is as easy as enabling MFA, it begs the question: Why won’t companies eat their vegetables?

**What’s Stopping Companies From Enabling MFA?**

Although every enterprise is different, there are a few common trends when it comes to the reasons they don’t deploy MFA.

*   **MFA costs too much:** Security team resources are already limited, so adding an additional tool to their portfolio can be a tough sell. Luckily, some security providers offer MFA for free as part of their security defaults. Security defaults were created to make managing security a little easier. The goal is to ensure that all organizations have at least a basic level of security enabled at no extra cost.
*   **They think their users will hate MFA:** Users want to be productive wherever and whenever they are working without sacrificing their organization’s security. Conditional access is one modern approach to MFA. Instead of prompting a user for a second factor every time they authenticate, security programs can look at several different elements to determine if something has changed or is unusual about this user before prompting them. It looks at things like where the user is signing in from, whether their device is healthy, and if there’s any suspicious behavior — for example, if the user typically signs in from France and someone tries to sign in with their credentials from Seattle at the same time, something is definitely wrong.
    
    End users can also choose how they want to supply the second factor when they do get a prompt. No fancy equipment is required. Users can choose something as simple as an SMS message or phone call, though we recommend stronger authentication methods like an app or specific security key. They can even have multiple devices that use different methods for different environments and have backup devices in case they lose one or forget one at home.
    
    **MFA’s Too Hard to Deploy**
    
    Another reason enterprises give for not implementing MFA is that it’s too difficult to deploy. However, organizations can leverage conditional access policies to protect cloud implementations, as opposed to relying on a physical server or software.
    
    We’ve recently added conditional access templates to make configuring the policies even easier. Security teams can quickly create a new policy from any of the 14 built-in templates. They help companies provide maximum protection for their users and devices and align with the most commonly used policies. These include things like “Require multifactor authentication for admin,” or “Require password change for high-risk users.” Cloud service providers often offer a list of recommended policies, and organizations can target conditional access policies to a specific set of users, apps or devices to easily deploy different policies at scale.
    
    Ultimately, an enterprise must be able to protect its own operations, and its users, from ongoing cybersecurity threats. And enabling MFA is just one tool in a security team’s kit.
    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Jeffrey Schwartz, Contributing Writer, Dark Reading

Tara Seals, Managing Editor, News, Dark Reading

Elizabeth Montalbano, Contributor, Dark Reading

Dark Reading Staff, Dark Reading

Webinars

*   How to Protect Your Legacy Software Applications
*   Developing and Testing an Effective Breach Response Plan
*   Cloud Security Essentials
*   Seeing Your Attack Surface Through the Eyes of an Adversary
*   Security Considerations for Working with Cloud Services Providers

Reports

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Implementing Zero Trust In Your Enterprise: How to Get Started
*   2021 Data Breach Investigations Report (DBIR)
*   Cloud & Hybrid Security Tooling Report
*   Future Proofing Your Network for 5G

White Papers

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Ransomware Resilience and Response: The Next-Generation
*   Ransomware Is On The Rise
*   How Hybrid Work Fuels Ransomware Attacks
*   Implementing Zero Trust In Your Enterprise: How to Get Started

Events

*   Cybersecurity Outlook 2023 - December 13 Event
*   Black Hat Europe - December 5-8 - Learn More
*   \[FREE Virtual Event\] The Identity Crisis

Is MFA the Vegetable of Cybersecurity?

Financing and acquisitions are trending toward smaller deals, which means fewer high-valuation purchases and funding, but likely fewer post-merger layoffs as well.

As the US economy has tightened, the venture capital and acquisition landscape has quickly shifted to become a buyers' market, with startups failing to command the high valuations that were common in past years.

While the sheer number of financing deals is on track to match the more than 1,000 cybersecurity-related investments announced in 2021, the value of those deals has dropped by more than a quarter, according to data from cybersecurity-focused advisory firm Momentum Cyber. The value of purchased companies is also on track to drop by a quarter in 2022, although the absolute number of acquisitions will only drop by about 8%.

The leaner times for startups and their venture-capital backers come as the private sector is cutting costs and refocusing on the most profitable lines of business to ready themselves for a possible recession, says Eric McAlpine, a managing partner at Momentum Cyber.

"We have already seen larger venture-backed companies consolidate significantly to cut costs and refocus on profitability," he says. "Strategic acquirers often have a tough time justifying new acquisitions to their board and taking on companies with new employees in a time where they are already cutting resources and headcount internally."

The worry of a downturn has spread across industries. The majority of companies — 83% — are concerned about a recession coming in 2023, with half of organizations taking concrete steps to prepare for an economic slow down, according to Spiceworks Ziff Davis's "2023 State of IT" report. Three-quarters of businesses are planning to reduce the number of security vendors they use, a significant move toward consolidation from two years ago when 29% aimed to reduce their vendor count.

    

Source: Momentum Cyber

As the business landscape changes, so, too, are companies changing the way they operate. The vast majority of firms — 83% — are placing a greater focus on digital capabilities and operations, according to a survey of CEOs conducted by business intelligence firm Gartner. The analyst firm stressed in a March 2022 advisory that such efforts require cybersecurity teams to adapt and take an integrated role in protecting and enabling the business.

Companies' security teams should "transform the security function into a true business-enabling capability by shifting away from risk-averse, control-driven security operating models toward a more agile, advisory-centric way of delivering security services," Gartner stated.

**Smaller Companies, Smaller Investments, Fewer Layoffs**

Venture money is currently following these trends. Overall, the era of big valuations for newcomers has come to "a standstill," says Momentum Cyber's McAlpine, who sees founders not receiving the same high valuations compared with the recent past, leaving many to hold off on being acquired in the current market. 

There are some exceptions, such as Broadcom's massive deal to acquire VMware — a deal valued at $69 billion. And October saw a surge in deal-making, with two large acquisitions — KnowBe4 and ForgeRock — by private equity firms. But those were outliers, with the number of deals reaching a low point in September, according to McAlpine. Overall, smaller and more specialized firms will make up the vast majority of acquisition targets in the near future, he says. 

So far, in 2022, the average (mean) financing deal amounted to $21 million, down from $28 million in 2021. , and the average acquisition price was $21 million (after dropping the deal for VMware), also down from $28 million.

The good news? Employee layoffs will not necessarily be part of the post-merger landscape, McAlpine says. Typically, general business and administration departments represent most of the duplication between merged companies, leading to cuts in employees in those departments, while the engineering and development teams at startups are sought after for their expertise, he says.

"Employee cuts aren't very common after a merger, even in a down market," McAlpine says. "Many smaller firms and startups are lean to begin with, and their employees are typically viewed as a valuable part of the acquisition."

**No Recession in cybersecurity?**

The good news for cybersecurity companies is that the business demand for products and services is not going away anytime soon, and there are signs that the sector will continue to grow — albeit much more slowly than prior years. 

Slightly more than half of companies (51%), for example, expect to increase their IT budgets, and only about 40% of those attribute the increases to inflation, according to Spiceworks Ziff Davis's "2023 State of IT" report. The Bureau of Labor Statistics currently pegs inflation for end-user prices at approximately 9% year-over-year, but the average IT spending is expected to grow by 13% in 2023 compared with the prior year, says Peter Tsai, head of technology insights at Spiceworks Ziff Davis. 

Companies are updating outdated infrastructure, increasing their focus on IT projects like digital transformation, and adding employees to critical areas — all of which represents cybersecurity risk, which requires increased spending on defenses.

"Both the size of the overall tech spending pie was expected to increase, in addition to the security slice of the pie getting a bit larger," Tsai says. "Inflation will certainly be a factor influencing many 2023 budget increases, but it won't be the top reason driving budget growth."

Cybersecurity Consolidation Continues, Even as Valuations Stall

More than 1,000 systems are exposed to a campaign hunting weak Windows servers and more.

The "Bleed You" campaign is trying to take advantage of a known remote code execution (RCE) vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions, and more than 1,000 systems are unpatched and vulnerable to compromise. 

The critical flaw, tracked as CVE-2022-34721, has been under active attack since September, a new report from Cyfirma warns, affecting vulnerable Windows OS, Windows Servers, along with Windows protocol and services. Once they achieve compromise the threat actors move laterally to deploy ransomware and other malware, the team observed.

The threat actors speak Mandarin but also have ties to the Russian cybercriminals, according to Cyfirma, which adds that the attacks aren't limited to a specific sector with targets across retail, government, IT services, and more. Victims likewise were spread across a number of mostly Western countries, including Canada, the UK, and the US. 

"Attackers are actively exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exporting this bug. Users are recommended to apply patches and fixes as soon as possible to reduce the severity of exploitation of the vulnerability," Cyfirma's researchers advised. "The researchers observed that unknown hackers are sharing the exploit link on the underground forums as well." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading