Economic anxiety, staffing challenges, and growing supply chain threats are among other factors impacting cybersecurity spending and planning.

**NEW YORK and TEL AVIV, Israel, Nov. 16, 2022 /PRNewswire/** — Cymulate, the leader in cybersecurity risk validation and exposure management, today announced the results of a global survey of more than 1,000 IT and security professionals examining the influence of ongoing uncertainties in cybersecurity and cyber resilience. The 2022 Cymulate Global Readiness Survey investigated the impact of increased geopolitical tensions, economic concerns, and the Great Resignation, as well as more technical aspects such as the rise of supply chain attacks and the efficacy of best practices, on cybersecurity and cyber-readiness within enterprises.

Consolidation of cybersecurity solutions was a key theme within the findings, with 60% reporting their organization is seeking to reduce the number of solutions in use. Notably, only 20% of respondents reported affordability as the main reason, while 23% and 22% cited usability and the need to right-size their security setup as the primary driver of consolidation. "Businesses of all sizes shared that it is no longer about point solutions. With the volume of security tools and data, the need has shifted towards an integrated security suite," said Carolyn Crandall, chief security advocate at Cymulate. Economic anxiety has delayed purchasing, with most respondents noting project delays of three to six months. Interestingly, rising geopolitical tensions like the conflict in Ukraine and the standoff over Taiwan were not cited as having an impact on budget reductions or purchasing decisions.

Additional key highlights of the survey include:

*   **Cybersecurity workers are twice as likely as the overall labor market to be part of the Great Resignation**: Twice as many respondents say they are frustrated by their jobs and actively looking for new roles than the average. The rate quadrupled when cybersecurity teams are short-staffed and work conditions have worsened, or the enterprise declined to prioritize basic cyber hygiene principles.
*   **The industry remains challenged with adopting essential cybersecurity hygiene best practices:** Though a critical component of shoring up cyber resiliency, roughly one-third to almost one-half of respondents said their enterprises had yet to adopt multi-factor authentication (MFA), improved identity access management (IAM), least privileges adoption, EDR adoption, web protection, and phishing education.
*   **Frequent supply chain attacks are driving cybersecurity preparation**: 52% of respondents indicated that they believe supply chain issues to be responsible for up to a quarter of all attacks, while 26% believe it may be as high as half of all attacks. The threat of supply chain attacks is affecting organization's strategies, with 45% of respondents reporting that the vulnerability of the supply chain has led to increased cybersecurity proactiveness and preparation.
*   **The adoption of proactive cybersecurity testing is key to reducing risk and staying in front of evolving threats**: 80% of respondents said their organization had adopted some degree of proactive measures. However, only 29% reported their organization had incorporated penetration testing or other baseline measures. Additionally, only 30% of respondents said their organization had incorporated advanced proactive solutions that include breach attack simulation (BAS), attack surface management and vulnerability management, indicating significant room for growth.

With the increasing number of cyber threats and their devastating effects on business revenue, productivity and reputation, Frost & Sullivan projects the global BAS market to increase at a CAGR of 38.5% between 2021 and 2026.

The global survey was conducted on LinkedIn and gathered responses from more than 1,000 IT and security professionals representing a wide range of industries, organization sizes, and specific roles. Of the respondents, 81% occupy a technical role, such as cybersecurity, IT, or DevOps, and 70% are considered decision-makers in the organization, including individuals at the manager, director, and executive levels. The survey includes respondents from North America, Latin America, APAC, and EMEA representing companies ranging in size from less than 500 employees to more than 50,000. In addition, nearly every major industry is represented, including finance, healthcare, manufacturing, retail, and others, yielding a broadly representative sample.

**About Cymulate**

The Cymulate cybersecurity risk validation and exposure management solution provides security professionals with the ability to continuously challenge, validate and optimize their on-premises and cloud cybersecurity posture with end-to-end visualization across the MITRE ATT&CK® framework. The platform provides automated, expert and threat intelligence led risk assessments that are simple to deploy, and easy for organizations of all cybersecurity maturity levels to use. It also provides an open framework for creating and automating red and purple teaming exercises by generating tailored penetration scenarios and advanced attack campaigns for their unique environments and security policies. For more information, visit www.cymulate.com.

SOURCE: Cymulate

Cymulate Survey Finds Consolidation Is Happening, but Only 20% Cite Cost As the Reason

The race is actually a relay — one that requires collaboration to win.

As the low Earth orbit market prepares to double over the next five years, to the tune of around $20 billion, we sit on the edge of a new space race. However, amid rapidly falling launch costs and a host of technological advancements, it's safe to say that this race is heading into new territory.

These digitizations relate to the role of sensors and data processing, and a plethora of applications that aid ground control and observation operations.

One segment of the race that is still yet to pick up speed, however, relates to cybersecurity. The implications of attacks on satellites are self-evident, but the resilience and protection of these galactical systems require further exploration and a mass team effort.

**Familiarity in Space**

The difficulties that come with protecting devices in space comprise multiple complex systems within systems — each playing different roles and being deployed by different players.

Satellites are effectively just platforms with embedded systems and interfaces, including radio communications, telemetry tracking control systems, and ground segment connections. These are all essentially enterprise networks, but that also makes them avenues of opportunity for cybercriminals.

These systems are underpinned by a complex supply chain — another prime target for attackers, as we've seen on the ground through examples like SolarWinds, where the supply chain served as a gateway to all other interfaces.

Not only does this make systems in space more familiar than you might think, it also makes them more challenging to defend.

As such, the satellite door is potentially being left ajar to hacktivists, financial crusaders, and state-acting spies who can use their significant resources to target other countries' prized space assets.

**The "How" and "Why" of Space Attacks**

Why attack space when there are systems on land?

The answer is twofold, based on how familiar these satellite platforms actually are, and what attackers stand to gain by infiltrating them.

Addressing the former, "under the hood" of a satellite is a platform. More often than not, the embedded system within that platform may be as recognizable as a Linux operating system. And while the operations of the satellites themselves have traditionally been bespoke to offset that vulnerability, that too is now changing, as the market becomes more commercialized and accessible.

Any good hacker or threat actor will be familiar with the operating system, and once administration rights are attained to the environment, access to cameras, orientation, and all other interfaces becomes much more plausible.

And this "how," leads to the "why." A case study from earlier this year saw an outage of the Viasat network across Europe, at almost the exact time Russian troops entered Ukraine. As well as being a commercial broadband provider, Viasat is also used by the Ukrainian military. On closer inspection, the main damage seemed to be collateral across the continent, as a result of a misconfiguration sent down to modems.

However, upon even closer testing of the memory chips from these modems, it was revealed that they had essentially been wiped out, akin to wiping the operating system from a PC. The most plausible theory is that attackers gained access to the internal management system through a misconfiguration, developed malware to deploy across the network to wipe the modems, and pushed that malware through on the day of the invasion. It wasn't the satellite itself that was being targeted — it was merely a portal to impact connections and operations on the ground.

**Recognizable Defenses**

This link between space and Earth is what makes cybersecurity advancements in this sector so critical. Satellites in themselves are fascinating and mysterious because of the technology behind them and their locations. But, more often than not, they're simply portals to information we're trying to acquire, monitor, or use to inform decisions down on the ground.

Yes, this makes their breaches more concerning, but on a positive note, it also means the response in terms of defense can lean on familiar processes and technologies used in more reachable areas of our lives.

For example, running trusted code from equally trusted sources can be achieved through Trusted Platform Module (TPM) chips, which we find in mobile phones. Novel encryption approaches that we use to defend enterprise networks could also be applied to the data equation to offset the risk of jamming, spoofing, or relay attacks. Segmentation and using zero-trust architectures are further examples of enterprise strategies, alongside stronger authentication protocols for users, to better protect ground stations.

And all of this must be backed up by enhanced supply chain security where software bills of materials (SBOMs) should become more common practice.

**A Sprint and a Marathon**

The space race is just that: a race. Just as the landscape has evolved rapidly in recent years, it will continue to do so moving forward, and scenario planning will form a big part of cybersecurity strategy to ensure better futureproofing than we've had until now.

We're on the precipice of a new space era, and have time to get these agile and adaptable best practices in place before the attack landscape evolves in tandem. Building systems that can withstand attacks, segment risks, and contain breaches needs to be a culmination of this more concerted testing and scenario planning.

But it can't be done in isolation. The space race is a relay — a team sport where information must be generated through collaboration. Not only will this ensure a speedier launch from the new starting line, but it will give this effort endurance as the sprint turns into a marathon over the years to come.

Cybersecurity Best Practice Is Critical for Winning the New Space Race

Security executives are leaning into the powerful twinning of XDR and automated management to reduce the risk and impact of ransomware.

CISOs have a unique perspective on the world. They see security threats to which most people are oblivious, and they face challenges keeping one step ahead of hackers who are looking to penetrate their networks. This threat landscape is outlined four times a year in the "CISO Insider" — an actionable report that explores the top three issues that are most relevant in today’s threat landscape.

This quarter, rising ransomware rates, the promise of extended detection and response (XDR) in helping rapidly address emergent threats, and the need for increased automation and better tools to empower security teams to do more with limited resources have come to the forefront. Keep reading to learn how you can apply these insights to your own operations.

**How Organizations Can Respond to Extortion — and Rising Ransomware**The risk profile of ransomware is changing as cybercriminals gain easier access to improved tools and automation. When combined with the economics of successful attacks, it has put ransomware on a rapid growth trajectory.

CISOs differ on which is the more catastrophic cost to the business: business disruption or data exposure. Regardless, preparation is key. Here are some of the top ways that CISOs can guard against rising ransomware.

*   **Prepare to defend and recover:** By adopting an internal culture of zero trust with assumed breach while also deploying a system of data recovery, backup, and secure access, organizations can isolate attacks and make it much harder for threat actors to move laterally across the network. This strategy has the added benefit of minimizing an attack’s impact thanks to backups and encryption, both of which can help defend against data loss and exposure.
*   **Use a privileged access strategy:** This can minimize the potential for credential theft and lateral movement. Privileged credentials are foundational to all other security assurances — an attacker in control of your privileged accounts can undermine all other security assurances. We recommend teams focus on building a closed-loop system for privileged access that ensures only trustworthy “clean” devices, accounts, and intermediary systems are used for privileged access to business-sensitive systems.
*   **Leverage comprehensive, integrated threat detection and response capabilities:** Siloed point solutions often result in preventative gaps and slow down the detection and response to pre-ransom activities. By integrating security information and event management (SIEM) and XDR, organizations can extend prevention, detection, and response across the entire multicloud, multiplatform digital estate.

**XDR Can Help Accelerate Threat Detection and Response**Beyond prevention, how should enterprises respond in the event of an attack? Many security leaders are turning to XDR for a cross-platform vantage point. XDR helps coordinate signals across the entire ecosystem — not just endpoints — to facilitate faster threat detection and response. And while endpoint detection and response (EDR) is a proven asset that many CISOs in the "CISO Insider" report have already implemented, XDR is the next evolution.

XDR helps bring together data from disparate systems, allowing security teams to visualize the entire incident from end to end. Point solutions can make this comprehensive visibility difficult because they only show part of the attack and rely on an often-overwhelmed security team to manually correlate multiple threat signals from different portals. When we think about today’s dynamic threat landscape, XDR is particularly compelling because of its coverage and speed in helping detect and contain threats.

**Automate to Elevate the Security Team**Security leaders are faced with a security talent shortage. Automation is one way for them to help free up their existing workforce from mundane tasks so they can focus on defending against threats.

Most CISOs report adopting event-triggered or rule-based automation, but there’s a greater untapped opportunity to capitalize on built-in artificial intelligence and machine learning capabilities that enable real-time, risk-based access decisions. Automation can serve as an early warning system for future cyberattacks, and its inconveniences can be mitigated or eliminated. The most effective automation runs alongside human operators so that its artificial intelligence can both inform and be checked by human intelligence.

**Customize Cybersecurity to Meet Your Team’s Unique Needs**Ultimately, while cyber threats continue to grow and evolve alongside the Internet, security teams can still take preventative measures to help safeguard their operations. Some are more prescriptive than others — like leveraging zero trust, privileged access, and integrated threat detection and response. But it’s also important that organizations leverage their existing toolsets to its fullest capacity through automation features and built-in security detections. By learning from CISOs who are on the front lines of cybersecurity, organizations can better understand how to defend their own operations.

What Is Top of Mind for CISOs Right Now?

Leaders in operational technology/Internet of Things (OT/IoT) discovery and remediation partner to deliver best-in-class IoT enterprise security management solution.

**MOUNTAIN VIEW, Calif., Nov. 16, 2022 /PRNewswire/** — Viakoo, the leader in IoT vulnerability remediation, today announced a partnership with Nozomi Networks, the leader in OT and IoT security. Together they deliver the industry's first end-to-end, agentless IoT enterprise security management solution that discovers and remediates vulnerabilities rapidly and at scale. Customers can now rest easy knowing their IoT devices are not representing a security liability.

Unlike traditional IT devices, OT/IoT devices typically lack the same level of visibility and vulnerability management, leaving a massive attack surface that presents an open door for cyber criminals. Nozomi Networks discovers all connected OT/IoT devices, assesses them for noncompliance or vulnerabilities and automates policy-driven workflows that govern how the OT/IoT device should be configured and behave on the network. In turn, Viakoo analyzes the vulnerabilities and remediates them at scale with its patented, agentless Viakoo Action Platform. Further, Viakoo has the only OT/IoT remediation solution that addresses both the OT/IoT application and the device itself.

"The OT/IoT Security attack surface continues to grow which warrants a comprehensive, automated solution. Addressing OT/IoT security, device by device, is an arduous, expensive, and tedious task for organizations," said Frank Rubio, VP of Alliances at Viakoo. "Together with Nozomi Networks, our joint solution enables customers to quickly identify and repair OT/IoT vulnerabilities to reduce risk and administrative overhead."

In addition, together Nozomi Networks and Viakoo create a bi-directional data stream, enriching the value of both solutions and assisting in enforcing a Zero Trust environment complete with certificates, firmware patching and password management.

"Viakoo helps customers accelerate Mean Time To Repair (MTTR) with their automated remediation platform", said Chet Namboodri, Senior Vice President of Business Development and Alliances at Nozomi Networks. "Helping to close known vulnerabilities with fewer resources at scale is a key business driver for our customers which we can deliver through this partnership."

The solution is available to Viakoo and Nozomi Networks customers now.  

**About Viakoo**

Viakoo enables customers to defend their IoT attack surface. Viakoo's vision is for every connected enterprise device to be 100% visible, operational, and secured. The agentless Viakoo Action Platform keeps distributed unmanaged and IoT environments secure and continuously operational at the lowest risk and cost. Automated device cyber hygiene is reliably updated at scale with firmware, passwords, and certificates to elevate security posture and system performance to enterprise IT expectations. Viakoo Inc. is a leader in cyber hygiene for connected devices, located in Mountain View, California, USA. Follow us on Twitter, LinkedIn, and Facebook.

SOURCE: Viakoo

Viakoo Announces Strategic Alliance With Nozomi Networks to Deliver Agentless, End-to-End IoT Security at Scale

Safal Partners is helping to close the American cyber talent and diversity gap in cybersecurity.

**HOUSTON, Nov. 15, 2022 /PRNewswire/** — U.S. Department of Labor (DOL) national industry intermediary, Safal Partners, announced today that it has helped shrink our nation's critical cybersecurity workforce gap by bringing more than 1,000 new apprentices into the field over the past 12 months. Of those, 83% of new apprentices came from a diverse or historically underrepresented population, including women, minorities, Veterans, or people with disabilities.

Today's announcement was made in conjunction with Safal's participation at a White House event celebrating the culmination of the National Cybersecurity Apprenticeship Sprint launched by the White House, DOL, and U.S. Department of Commerce in July.

"We are enormously proud of our work to create a stronger and more diverse, work-ready cybersecurity and tech workforce for public and private employers nationwide," said Mukta Pandit, President of Safal Partners. "In a field that has struggled to create a more inclusionary workplace, we can point to the fact that 8 in 10 of the new apprentices we supported are from populations that are not well-represented in cyber roles."

Safal brought the new apprentices into the workforce both through its own national Registered Apprenticeship (RA) program and through development of 20 new or expanded RA programs over the past year sponsored by employers and training providers, including the first-ever national program for people with visual impairments sponsored by the Blind Institute of Technology.

Safal also announced a new partnership with the Information Systems Security Association (ISSA) to accelerate industry awareness and adoption of apprenticeship for hiring and training cyber professionals. According to Cyberseek.org there are currently more than 769,000 open cyber roles.

ISSA is a globally recognized industry nonprofit organization committed to promoting effective cybersecurity and workforce development. Safal's partnership includes work to support the association's new Apprenticeship, Internship and Mentorship initiative to be announced shortly.

ISSA is launching this initiative to bridge the gap from all paths to employment as a cyber professional. "There is a critical need to provide an opportunity to gain valuable skills and experience to begin a career in cybersecurity. Quality apprenticeships, internships and mentoring programs are the key to building the future cybersecurity workforce," said Candy Alexander, ISSA International President. "We are pleased to be partnering with Safal to launch this program."

"ISSA recognizes and is actively working toward addressing our national need for more skilled cyber professionals," said Katie Adams, Senior Director. "As the DOL cyber industry intermediary, we look forward to providing ISSA members no-cost expertise, program support, and access to resources and funding streams to adopt registered apprenticeship."

To learn more about Safal Partners RA program, visit https://cyber.safalpartners.com/national-program or contact Katie Adams, Senior Director at \[email protected\].

SOURCE: Safal Partners

More Than 1,000 New Cybersecurity Apprentices Joined Workforce in Past 12 Months

An in-depth analysis of system-destroying malware families presented at Black Hat Middle East & Africa shows a growing nuance in terms of how they're deployed.

Destructive wiper malware has evolved very little since the "Shamoon" virus crippled some 30,000 client and server systems at Saudi Aramco more than 10 years ago. Yet it remains as potent a threat as ever to enterprise organizations, according to a new study.

Max Kersten, a malware analyst at Trellix, recently analyzed more than 20 wiper families that threat actors deployed in various attacks since the beginning of this year — i.e., malware that makes files irrecoverable or destroys whole computer systems. He presented a summary of his findings at the Black Hat Middle East & Africa event on Tuesday during a "Wipermania" session.

**A Comparison of Wipers in the Wild**

Kersten's analysis included a comparison of the technical aspects of the different wipers in the study, including the parallels and differences between them. For his analysis, Kersten included wipers that threat actors used extensively against Ukrainian targets, especially just before Russia's invasion of the country, as well as more generic wipers in the wild.

His analysis showed the evolution of wipers, since Shamoon, is vastly different from other types of malware tools. Where, for example, the malware that threat actors use in espionage campaigns has become increasingly sophisticated and complex over the years, wipers have evolved very little, even though they remain as destructive as ever. A lot of that has to do with how and why threat actors use them, Kersten tells Dark Reading.

Unlike spyware and other malware for targeted attacks and cyberespionage, adversaries have little incentive to develop new functionality for concealing wipers on a network once they have managed to sneak it on there in the first place. By definition, wipers work to erase or overwrite data on computers and are therefore noisy and easily spotted once launched.

"As the wiper’s behavior needn’t stay unnoticed per se, there is no real incentive for evolvement," Kersten says. It's usually only when malware needs to remain hidden over a prolonged period of time that threat actors develop advanced techniques and carry out thorough testing before deploying their malware. 

But wipers needn't be that complex, nor well tested, he notes. For most threat actors using wipers, "the current methods are working and require little to no tweaking, other than the creation of a new wiper to use in a next attack."

Kersten found that a wiper can be as simple as a script to remove all files from the disk, or as complex as a multistage piece of malware which modifies the file system and/or boot records. As such, the time for a malware author to develop a new wiper might range from just a few minutes to a significantly longer period for the more complex wipers, he says.

**A Nuanced Threat**

Kersten advocates that enterprise security teams keep a few factors in mind when evaluating defenses against wipers. The most important one is to understand the threat actor's goals and objectives. Though wipers and ransomware can both disrupt data availability, ransomware operators tend to be financially motivated, while the goals of an attacker using wiper malware tend to be more nuanced.

Kersten's analysis showed, for instance, that activists and threat actors working in support of strategic nation-state interests were the ones who mainly deployed wipers in cyberattacks this year. In many of the attacks, threat actors targeted organizations in Ukraine, particularly in the period just prior to Russia invasion of the country in February. 

Examples of wipers that threat actors used in these campaigns included WhisperGate and HermeticWiper, both of which masqueraded as ransomware but actually damaged the Master Boot Record (MBR) on Windows systems and rendered them inoperable. 

Other wipers that attackers deployed against targets in Ukraine this year include RURansom, IsaacWiper and CaddyWiper, a tool that Russia's infamous Sandworm group attempted to deploy on Windows systems associated with Ukraine's power grid. In many of these attacks, the threat actors that actually carried them out appear to have sourced the wipers from different authors.

Another factor that security responders need to keep in mind is that wipers don't always delete files from the target system; sometimes wipers can cripple a target system by overwriting files as well. This can make a difference when attempting to recover files following a wiper attack. 

"Deleting a file often leaves the file on the disk as-is while marking the size as free-to-use for new write operations," Kersten wrote in a blog post on his research, released in tandem with his Black Hat talk on Nov. 15. This makes it possible to recover files in many instances, he said.

When a wiper tool corrupts files by overwriting them, the files can be harder to recover. In the blog post, Kersten pointed to the WhisperGate wiper, which corrupted files by repeatedly overwriting the first megabyte of each file with 0xCC. Other wipers like RURansom use a random encryption key for each file while some wipers overwrite files with copies of the malware itself. In such instances, the files can remain unusable.

The main takeaway is that organizations need to prepare for wipers in much the same way as they prepare for ransomware infections, Kersten says. This includes having backups in place for all critical data and testing recovery processes often and at scale.

"Nearly every wiper is able to corrupt a system until the point that either all files are lost or the machine wont function properly anymore.," he notes. "Since wipers are easy to build, attackers can build a new one daily if needed."

So, the focus for organizations be on the adversary’s tactics, techniques, and procedures (TTPs) — such as lateral movement — rather than the malware itself. 

"It’s better to brace for impact \[from a wiper attack\] when there is none," Kersten says, "than to be struck with full force without prior notice."

Wipermania: Malware Remains a Potent Threat, 10 Years Since 'Shamoon'

YL Ventures CISO-in-Residence Frank Kim weighs in on the top security concerns facing CISOs in a Dark Reading Q&A interview.

Industry veteran and SANS Institute fellow Frank Kim has joined joined YL Ventures as its new full-time CISO-in-residence. YL Ventures connects startup entrepreneurs with CISOs to provide advice and guidance as they develop their cybersecurity solutions and grow their business. As a CISO-in-residence, Kim will focus on the business impact of cybersecurity solutions. Kim, the founder of ThinkSec, a security consulting and CISO advisory firm, as well as the former CISO of the SANS Institute, brings his in-depth perspective from key facets of cybersecurity to his new role. Kim took part in the following Q&A with Dark Reading.

_(The contents have been edited for length and clarity)_

**Dark Reading: What is the CISO's role in a startup? How can CISO advisors help fast-track tech startups?**

**Frank Kim, YL Ventures:** Over my 20+ years in cybersecurity, I’ve advised my share of security startups and mentored many more during my time at the SANS Institute. Today, as the CISO-in-Residence at cybersecurity VC, YL Ventures, I begin working with the firm’s entrepreneurs even before we invest in them and continue to do so across their entire company-building journey. Being a CISO-in-Residence offers experienced CISOs who have been deep in operational security for years, the chance to impact and drive the growth of the next generation of top-tier cybersecurity vendors. I work closely and directly with cybersecurity startup founders on their ideation, product-market-fit and value realization, on an in-house and regular basis. I provide them with what can be considered an invaluable vantage point into the needs of modern CISOs, security teams and businesses, and I specifically guide them on making sure security solutions provide business value at business speed, resolving the gap between business and tech latency. We need better, more modern approaches for securing today’s digitally led businesses so that security transforms from a potential hindrance to a proper enabler.

This career path is a natural progression from my role at SANS, where I grew the cloud security and CISO cybersecurity leadership curricula to help shape and develop future security leaders. Every YL Ventures founder that I've spoken with is inherently building for the cloud-first world of today and tomorrow where leadership, coupled with innovative ways of securing the modern ecosystem, matters more than ever. My goal is to help founders and entrepreneurs bring these new capabilities to light.

**Dark Reading: What are the top emerging CISO cyber concerns? Is ransomware still public enemy No. 1?**

**Frank Kim, YL Ventures:** Regarding ransomware, it’s still a concern. YL Ventures recently published a unique report on ransomware risk, in which half of the CISOs surveyed stated that their organization had been the target of a ransomware attack - but at the same time, many did not believe they need a dedicated ransomware solution, but a multi-layered security approach.

Data security is another growing concern, specifically the ability of businesses to use, share and leverage data securely. If we look at future revenue streams for startups, the key is driving and enabling the adoption and use of data. It has become such a pivotal part of business and such a lucrative target for attackers, that it’s justified in becoming a top priority for CISOs. In the modern, dynamic business environment with M&As and consolidation - data keeps moving and changing, and we have to keep up.

Security operations teams struggle with alert fatigue and challenges with leveraging automation to remediate security issues in the cloud, and this is concerning as the volume of attacks only continues to grow. Now that tools like cloud security posture management (CSPM) have increased visibility and security teams have the information they need, they don’t always know how to use it - increasing the risk and the time from detection to remediation. Visibility is no longer enough.

Resiliency and recovery are top of mind for businesses now due to high-profile attacks. Organizations want to cut down on time and resources needed to bounce back after cyber-attacks and minimize potential damage.

Finally, GRC and risk measurement. Security is becoming a board-level discussion and an acute business risk for organizations. CISOs must have the right tools to be able to govern their program, measure cyber risks and mature their program/stack over time. They are looking for solutions that will enhance their ability to assess risks and run security programs more efficiently, in a data-driven way, measure efficacy and translate it to top executives and board members.

**Dark Reading: Are CISOs pretty much a position only for larger organizations, or would smaller organizations benefit from having the CISO role?**

**Frank Kim, YL Ventures:** Security should be a business priority from the earliest stages of company-building, regardless of size or sector. It’s about more than just hardware and software - getting security on board early speaks to the type of culture you’re creating in your organization, and it should be in a company’s DNA from day one. CISOs and security teams need to be part of the core business and grow along with other critical positions on the team such as HR, operations, development and others. Many organizations - especially the bigger ones - actually fumble the basics and including security when you’re building your foundations will ensure that the most fundamental security hygiene priorities are taken care of. These will be valuable as the organization scales, and the security team scales with it.

**Dark Reading: How do you advise organizations on addressing security workforce talent shortages?**

**Frank Kim, YL Ventures:** In my time as a Fellow at the SANS Institute, I made it my mission to grow and support the next generation of security professionals. Unfortunately, it has been well-documented that there aren’t enough of us. ISC² places the global shortage of cybersecurity jobs at nearly 3 million, and there simply aren’t enough young professionals to support growing security needs.

CISO burnout is a real thing. Security teams have about 14 balls in the air at all times, as they try to do incident-response, provide clarity to business leaders, address new vulnerabilities and more. Organizations must address this as a hazard and prioritize automation tools and other streamlining processes to reduce the load and turn CISOs from firefights to strategic actors. The characteristics of a CISO’s job are also to blame. Being a CISO can be a lonely, solitary job that is detached from the rest of the organization.

Fostering a collaborative and engaged working environment is key to ensuring that the security talent you have will want to remain in your organization.

**Dark Reading: How is the integration with the rest of the C-suite working out? Are we seeing an improvement in overall security posture for the organization?**

**Frank Kim, YL Ventures:** CISOs are constantly between a rock and a hard place. Our responsibilities are growing in importance, but we bring doom and gloom into the boardroom and that isn’t always appreciated.

That being said, we are witnessing a dramatic shift in perception of both security itself and its practitioners. CISOs are no longer security officers; they have strategic value for business and their insights are sought after in almost every decision-making process. This is to be celebrated, as it will definitely improve visibility into the organization’s security posture and it will strengthen accountability and ensure that the right processes and people are in place in a proactive, rather than reactive, approach.

Modern CISO: More Than a Security Officer

Part 2 in our series addressing the top 10 unanswered questions in security: How will TPGRM evolve?

Sophisticated breaches like SUNBURST (aka the SolarWinds hack that made headlines in late 2020) make the risk associated with third-party platforms abundantly clear. Modern organizations are increasingly depending on a variety of third parties for SaaS — everything from finance to supply chain to IT service management (ITSM).

From an operations perspective, this is great. Organizations focus less on "keeping the lights on" and more on their core value proposition. However, there's also an uncomfortable tradeoff when it comes to security. If you don't control the platform, you don't completely control your — or your customer's — data, which has security and compliance implications. Similarly, the availability of critical business functions often depends on multiple external platforms, many of which can be a single point of failure.

For many organizations, simply navigating the complex dependencies and clearly defining risk appetites and mitigations is a real challenge. Third-party governance and risk management (TPGRM) aims to solve this problem by analyzing and performing due diligence on risks stemming from third-party relationships.

While there are plenty of TPGRM/TPRM tools, effective risk management takes more than just tech. Deloitte's 3-step process for TPGRM provides a realistic breakdown of the transformation required to leverage a TPGRM framework. To summarize the steps:

1.  **Change risk and governance positioning:** This step deals with the reframing of risk in an organization. Traditionally, risk has been something we _eliminate_. It needs to become something we _manage_.
2.  **Understand risk appetite and lines of defense:** The next step is broken into quantifying an organization's risk appetite in different contexts and identifying lines of defense against those risks.
3.  **Establish a TPGRM framework:** This is where the rubber hits the road. Organizations must implement strategies that leverage people, processes, and tech to help manage risk and deliver value.

Clearly, a large part of TPGRM will require qualitative input from humans, such as developing strategies or conducting detailed audits. That said, we can expect a shift towards more automation thanks to drivers like cyber insurance actively developing standards and measurable ways to quantify risk with analytics platforms like CyberCube.

**Quantifying TPGRM Metrics**

With that in mind, I expect to see the use of security portals and dashboards that quantify TPGRM metrics spike in the coming years. These portals will do for risk management what uptime monitoring platforms like Uptime Robot and Pingdom do for website monitoring: roll up the most important metrics in an easily digestible way. Like the website monitoring world, we'll see a varying level of sophistication and depth across solutions, but a standard baseline of "table stakes" metrics will emerge.

We're already seeing platforms like SafeBase make substantial progress here by automating security questionnaires and enabling vendors to share security posture across multiple categories. The risk management company Prevalent is solving similar problems with a focus on providing both IT solutions and services.

Additionally, solutions with a narrower focus are already leveraging automation to solve TPGRM problems in specific industries. For example, SignalX is addressing the problem space of financial and legal analysis in India to enable organizations to perform better due diligence before entering contracts or partnerships with vendors.

Fundamentally, these solutions demonstrate the broader trend toward standardization and automation in the TPGRM space. Tools alone aren't going to solve third-party risk management, but there is an emerging need for automated visibility into third-party risk, and that's where TPGRM tech can make a real impact.

In the years to come, I expect the winners in the space to be the tools that provide visibility into the "headline" TPGRM metrics required for cyber insurance and compliance for organizations with relatively immature TPGRM framework implementations, as well as those that can "go deep" and provide detailed analysis using AI/ML for enterprises.

_Read part 1, which asks_ _what will replace EDR__._

Where Can Third-Party Governance and Risk Management Take Us?

Weak configurations for encryption and missing security headers topped the list of software issues found during a variety of penetration and application security tests.

Nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability, a new study shows.

Weak SSL and TLS configuration, missing Content Security Policy (CSP) header, and information leakage through server banners topped the list of software issues with security implications, according to findings in software and hardware tools conglomerate Synopsys' new  Software Vulnerabilities Snapshot 2022 report published today. While many of the misconfigurations and vulnerabilities are considered to be of medium severity or less, at least 25% are rated highly or critically severe.

Configuration issues are often put in a less severe bucket, but both configuration and coding issues are equally risky, says Ray Kelly, a fellow with the Software Integrity Group at Synopsys.

"This really just points out that, \[while\] organizations may be doing a good job performing static scans to lower the number of coding vulnerabilities, they are not taking configuration into account, as it may be more difficult," he says. "Unfortunately, static application security testing (SAST) scans cannot perform configuration checks as \[they have\] no knowledge of the production environment where the code will be deployed."

The data argues for the benefits of using multiple tools to analyze software for vulnerabilities and misconfigurations. 

Penetration tests, for example, detected 77% of the weak SSL/TLS configuration issues, while dynamic application security testing (DAST) detected the issue in 81% of tests. Both the technologies, plus mobile application security testing (MAST), led to the issue being discovered in 82% of tests, according to the Synopsys report.

    

Most common application vulnerabilities. Source: Synopsys

Other application security firms have documented similar results. Over the past decade, for example, three times more applications are scanned, and each one is scanned 20 times more frequently, Veracode stated in its "State of Software Security" report in February. While that report found that 77% of third-party libraries still had not eliminated a disclosed vulnerability three months after the issue was reported, patched code was applied three times faster.

Software firms that use dynamic and static scanning in concert remediated half of flaws 24 days faster, Veracode stated.

"Continuous testing and integration, which includes security scanning in pipelines, is becoming the norm," the firm stated in a blog post at the time.

**Not Just SAST, Not Just DAST**

Synopsys released data from a variety of different tests with each having similar top offenders. Weak configurations of encryption technology — namely, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) — topped the charts for static, dynamic, and mobile application security tests, for example.

Yet, the issues star to diverge further down the lists. Penetration tests identified weak password policies in a quarter of applications and cross-site scripting in 22%, while DAST identified applications lacking adequate session timeouts in 38% of tests and those vulnerable to clickjacking in 30% of tests.

Static and dynamic testing as well as software composition analysis (SCA) all have advantages and should be used together to have the highest chance to detect potential misconfigurations and vulnerabilities, says Synopsys's Kelly.

"Having said that, a holistic approach takes time, resources, and money, so this may not be feasible for many organizations," he says. "Taking the time to design security into the process can also help find and eliminate as many vulnerabilities as possible — whatever their type — along the way so that security is proactive and risk is reduced."

Overall the company collected data from nearly 4,400 tests on more than 2,700 programs. Cross-site scripting was the top high-risk vulnerability, accounting for 22% of the vulnerabilities discovered, while SQL injection was the most critical vulnerability category, accounting for 4%.

**Software Supply Chain Dangers**

With open-source software comprising nearly 80% of codebases, it's little surprise that 81% of codebases have at least one vulnerability and another 85% have an open-source component that is four years out of date.

Yet, Synopsys found that, despite those concerns, vulnerabilities in supply-chain security and open-source software components accounted for only about a quarter of issues. The Vulnerable Third-Party Libraries in Use category of security weaknesses was uncovered in 21% of the penetration tests and 27% of the static analysis tests, the report said.

Part of the reason for the lower-than-expected vulnerabilities in software components may be because software composition analysis (SCA) has become more widely used, says Kelly.

"These types of issues can be found in the early stages of the software development lifecycle (SDLC), such as the development and DevOps phases, which reduces the number that make it into production," he says.

Misconfigurations, Vulnerabilities Found in 95% of Applications

Testing is an ongoing mission, not a one-and-done fix.

Cybersecurity must evolve beyond reactively handling breaches and pivoting to protect an organization's data after the fact. Without proper precautions, cybercriminals from all over the world can easily take advantage of vulnerabilities within a company's Web applications, mobile applications, APIs, and more. Penetration testing, also known as pen testing, is a method of cybersecurity in which an expert plays the role of a malicious actor to expose the holes and flaws within a security infrastructure or codebase. 

Pen testing is primarily facilitated by dedicated pen testers — some hired internally and others externally through an agency or freelance service. My six years at Cobalt have taught me new, unique, and hidden best practices. It's my ongoing mission and commitment to spread my knowledge and lessons with other security executives to enhance organizations' protection efforts.

**What Is the Goal of Pen Testing?**

Simply put, penetration testing is when a dedicated group of cybersecurity professionals simulate different cyberattacks on an application or network to test for potential vulnerabilities. The goal is to improve the security posture of an organization and discover easily exploitable vulnerabilities within a security system so the company can proactively fix them. Bugs are bound to occur, but being aware of where vulnerabilities lie can polish your product and tighten up your security. 

While many companies invest heavily in building up their infrastructure, the majority of the steps needed to protect investments happen _after_ deployment. Thus, companies are left with a reactive response in place, addressing breaches and attacks on their network once it's too late. Given the fact that cyberattacks have the potential to ripple both internally and externally, leaders must take a proactive approach to cybersecurity, developing at-the-ready responses to squash incoming threats as they appear.

The merits of pen testing come into the limelight once organizations recognize the cycle of destruction caused by cyberattacks. This cycle entails more than the data potentially stolen. It involves the time not only to address the initial vulnerability but to recover and secure any data that could have been potentially stolen. Needless time and resources are spent cleaning up the mess, rather than developing new code. A cycle develops wherein an organization launches new code into their network, an unforeseen vulnerability shows up, and the team has to scramble to fix the issue before it grows even larger. By taking the necessary steps before the new code goes into production, companies can remove themselves from this vicious circle of destruction.

According to Cobalt's "State of Pentesting Report 2021," pen testing can be a time-consuming task. In fact, 55% of organizations said it takes weeks to get a pen test scheduled, with 22% saying it takes months. Modern pen testing practices use both automated tools and skilled manual testers to ensure maximum security in an efficient and timely fashion. Staying agile in your organization's cybersecurity practices will help cut down on the amount of time it takes to schedule the proper precautions.

**What Are the Outside Benefits?**

Pen testing has benefits outside of just vulnerability identification. Code often is dependent on other code, so frequent pen testing allows for new code to be tested before it's deployed into the live build, thus streamlining the development process and lowering development costs. Frequent pen testing also provides more timely results, enabling teams to be at the ready for emerging threats — compared with the standard annual pen test, where developers won't be aware of vulnerabilities for months on end. 

In 2021, many security professionals had to quickly respond to the Log4j threat, but those who frequently pen tested were prepared to patch the exploitable vulnerabilities it caused. Due to the insight these developers obtained from previous pen tests, future code will become more secure, and engineers will learn from mistakes when developing future versions of their products. The more often these pen tests happen, the more compliant your products and code will become.

**When to Schedule a Pen Test**

The best time to schedule a pen test is — of course — before an attack occurs. While we cannot predict exactly when a breach will come, staying proactive and regularly testing and retesting vulnerabilities can save the company from a vicious cyberattack. Organizations can use pen testing to prepare new products, updates, and tools for customer or employee use, all while staying compliant and secure. But for those products to safely go into the hands of the intended audience, they need to be tested.

Proactivity starts with internally evaluating where vulnerabilities already exist within a security system. If discovered early, these vulnerabilities can be dealt with before they take on a life of their own — ultimately saving the company's reputation. Take note of all of the assets your team has (websites, servers, live code, etc.), and set a clear plan for exposure detection. Once your team is clear on the future strategy and practices, your pen testers can begin identifying and exposing the vulnerabilities that may be in your company's resources. Once the test is concluded, developers can start remediating any discovered vulnerabilities.

The important takeaway here is, these tests should not be performed on a one-and-done basis. Pen tests must be executed regularly to ensure security remains up to date with modern breaching methods. Cybersecurity changes (and becomes more complex) each day, forcing organizations to be ready for what's to come at a moment's notice.

Source

DARKReading