A free resource, updated monthly, lists the most-popular, highly rated OSS projects.

In the past decade or so, open source software has become a critical component of many companies' tech stacks. The proliferation of cloud computing and artificial intelligence (AI) accelerated this trend, making open source projects such as Kubernetes, TensorFlow, Jenkins, and OpenCV more attractive to developers and infrastructure teams alike.

And security operations are no exception. Open source software has found its way into cybersecurity engineering and operations. Snort, OpenSSL, Yara, Wireshark, etc., are often found in organizations' arsenal of security tools. Open source is now fundamental to security operations, and building, supporting, and using open source tools is an integral part of InfoSec culture.

To better track the proliferation of open source software in cybersecurity infrastructure and applications, Andrew Smyth of Atlantic Bridge and I created The Open Source Security Index as a free resource for developers and security engineers to find and identify the best open source security technology. The index lists the top 100 most popular and fastest-growing security projects on GitHub. We emphasize _fast growing_ as we believe modern security operations are different from security in the past, when most deployments happened on-premises. As such, many of the fast-growing OSS projects are newer initiatives designed for modern infrastructure environments.

To build this index, we use the GitHub API to pull projects based on tags and topics, and manually added projects that lack labels. To constrain our scope, we limited the search to projects that are considered direct security tools. Those that have security implications but fall more into infrastructure capabilities, such as Terraform, Elastic, Istio, and Envoy, are not included here.

**How We Ranked the Entries**

Once we had the raw list, we ranked entries based on an "Index Score," which is a weighted average of six metrics retrieved from GitHub. They include:

*   Number of stars: 30%
*   Number of contributors (excluding bots and anonymous accounts): 25%
*   Number of commits the project had in the last 12 months: 25%
*   Number of watchers: 10%
*   Change in the number of watchers over the last month: 5%
*   Number of forks: 5%

Based on this scoring methodology, we list the top 100 GitHub projects on the The Open Source Security Index website. The index is an evolving, live project. We will refresh the data monthly to keep the list current.

While the top 25 list includes familiar tools like Metasploit, Wireshark, and OS Query, there are also relatively new entrants, such as Cilium, Checkov, and Calico, that are designed specifically for modern and cloud-native infrastructure.

Looking across the top 25 list, a few interesting trends emerge. They are:

*   **Attack and red-team open source tools remain popular:** Projects that provide effective attack and testing tools are prominently positioned on the list. Metasploit, OSS Fuzz, Atomic Red Team, and Zap are a few examples.
*   **Security for modern infrastructure is gaining popularity:** Unlike traditional security utilities, projects such as Cilium, Trivy, Calico, and Sysdig are becoming increasingly popular. Those projects are designed to work with newer, cloud-native infrastructure, such as Kubernetes, containers, and microservices. The fact that these projects are listed among the most popular shows that cloud computing is now mainstream with security operations.
*   **Automation and "as-code" workflow utilities have emerged:** It's also worth noting that projects that enable automation and "as-code" workflows have also appeared in the top list. For instance, Nuclei, a project that focuses on vulnerability-management-as-code, is a fast-growing project used by bug researchers, red teams, and defenders. Sigma is another project that enables automation and sharing of attack detection methods.

We believe that the evolution of open source security (OSS) will follow the same trajectory as enterprise infrastructure in embracing OSS models. An increasing number of security practitioners choose open source as a fundamental strategy because of its extensibility, flexibility, and transparency of implementation. In addition, sophisticated security teams have adopted the "shift-left" mindset, where managing security policies and operations is like managing "code." To this end, an open source strategy provides a clear advantage compared with the traditional way of developing and deploying proprietary software artifacts.

We created this index because we had a challenging time finding a good, representative list of open source security projects. Although imperfect, this index represents a starting point to build a structured and comprehensive list of meaningful open source tools for security practitioners to consider. We worked with many open source creators to build this list, and we welcome feedback at @OSecurityIndex.

Where to Find the Best Open Source Security Technology

Common mistakes in network configuration can jeopardize the security of highly protected assets and allow attackers to steal critical data from the enterprise.

Common misconfigurations in how Domain Name System (DNS) is implemented in an enterprise environment can put air-gapped networks and the high-value assets they are aimed at protecting at risk from external attackers, researchers have found.

Organizations using air-gapped networks that connect to DNS servers can inadvertently expose the assets to threat actors, resulting in high-impact data breaches, researchers from security firm Pentera revealed in a blog post published Dec. 8.

Attackers can use DNS as a command-and-control (C2) channel to communicate with these networks through DNS servers connected to the Internet, and thus breach them even when an organization believes the network is successfully isolated, the researchers revealed.

Air-gapped networks are segregated without access to the Internet from the common user network in a business or enterprise IT environment. They are designed this way to protect an organization's "crown jewels," the researchers wrote, using VPN, SSL VPN, or the users' network via a jump box for someone to gain access to them.

However, these networks still require DNS services, , which is used to assign names to systems for network discoverability. This represents a vulnerability if DNS is not configured carefully by network administrators.

"Our research showcases how DNS misconfigurations can inadvertently impact the integrity of air-gapped networks," Uriel Gabay, cyberattack researcher at Pentera, tells Dark Reading.  

What this means for the enterprise is that by abusing DNS, hackers have a stable communication line into an air-gapped network, allowing them to exfiltrate sensitive data while their activity appears completely legitimate to an organization's security protocols, Gabay says.

**DNS as a Highly Misconfigurable Protocol**

The most common mistake companies make when setting up an air-gapped network is to believe they are creating an effective air gap when they chain it to their local DNS servers, Gabay says. In many cases, these servers can be linked to public DNS servers, which means "they have unintentionally broken their own air gap."

It's important to understand how DNS works to know how attackers can navigate its complexities to break into an air gap, the researchers explained in their post.

Sending information over DNS can be done by requesting a record that the protocol handles — such as TXT, a text record, or NS, a name server record — and putting the information into the first part of the record’s name, the researchers explained. Receiving information over DNS can be done by requesting a TXT record and receiving a text response back for that record.

While DNS protocol can run on TCP, it is mostly based on UDP, which does not have a built-in security mechanism — one of two key factors that come into play for an attacker to take advantage of DNS, the researchers said. There also is no control over the flow or sequence of data transmission in UDP.

Thanks to this lack of error detection in UDP, attackers can compress a payload prior to sending it and immediately decompress after sending, which can be done with any other type of encoding, such as base64, the researchers explained.

**Using DNS to Break an Air Gap**

That said, there are challenges for threat actors to communicate successfully with DNS to break an air gap. DNS has restrictions on the types of characters it accepts, so not all characters can be sent; those that can't are called "bad characters," the researchers said. There also is a limit on the length of characters that can be sent.

To overcome the lack of control over data flow in DNS, threat actors can notify the server which packet should be buffered, as well as what is expected as the last package, the researchers said. A package also should not be sent until an attacker knows that the previous one successfully arrived, they said.

To avoid bad characters, attackers should apply base64 on data sent right before sending it, while they can slice data into pieces to be sent one by one to avoid the DNS character length limit, they said.

To get around a defender blocking a DNS request by blocking access to the server from which it is being sent, an attacker can generate domain names based on variables that both sides know and expect, the researchers explained.

"While the executable is not necessarily difficult, an attacker or group would need the infrastructure to continue to buy root records," they noted.

Attackers also can configure malware to generate a domain in DNS based on a date, which will allow them to constantly send new requests over DNS using a new, known root domain, the researchers said. Defending against this type of configuration "will prove challenging to organizations using static methods or even with basic anomaly detection to detect and prevent," they said.

**Mitigating DNS Attacks on Air-Gapped Networks**

With DNS attacks occurring more frequently than ever — with 88% of organizations reporting some type of DNS attack in 2022, according to the latest IDC Global DNS Threat Report — it's important for organizations to understand how to mitigate and defend against DNS abuse, the researchers said.

One way is to create a dedicated DNS server for the air-gapped network, Gabay tells Dark Reading. However, organizations must take care to ensure that this server is not chained to any other DNS servers that may exist in the organization, as this "will ultimately chain it to DNS servers on the Internet," he says.

Companies should also create anomaly-based detection in the network utilizing an IDS/IPS tool to monitor and identify strange DNS activities, Gabay says. Given that all enterprise environments are unique, this type of solution also will be unique to an organization, he says.

However, there are some common examples of what abnormal type of DNS behavior should be monitored, including: DNS requests to malicious domains; large amounts of DNS requests in very short period of time; and DNS requests made at strange hours. Gabay adds that organizations also should implement a SNORT rule to monitor for the length of requested DNS records.

Report: Air-Gapped Networks Vulnerable to DNS Attacks

Security researchers share their biggest initial screwups in some of their key vulnerability discoveries.

BLACK HAT EUROPE 2022 – London – Researcher Douglas McKee was having no luck extracting the passwords in a medical patient-monitor device he was probing for vulnerabilities. The GPU password-cracking tool he had run to lift the layers of credentials needed to dissect the device came up empty. It wasn't until a few months later when he sat down to read the medical device's documentation that he discovered that the passwords had been right there in print the whole time.

"I finally got around reading the documentation, which clearly had all the passwords in plaintext right in the documents," McKee, director of vulnerability research at Trellix, recounted in a presentation here today. It turned out the passwords were hardcoded into the system as well, so his failed password-cracking process was massive overkill. He and his team later discovered bugs in the device that allowed them to falsify patient information on the monitor device.

Failing to pore over documentation is a common misstep by security researchers eager to dig into the hardware devices and software they are studying and reverse-engineering, according to McKee. He and his colleague Philippe Laulheret, senior security researcher at Trellix, in their "Fail Harder: Finding Critical 0-Days in Spite of Ourselves" presentation here, shared some of their war stories over mistakes or miscalculations they made in their hacking projects: mishaps that they say serve as useful lessons for researchers.

"At all conferences we go to \[they\] show the shiny results" and successes in security research like zero-days, Laulheret said. You don't always get to hear about the strings of failures and setbacks along the way when sniffing out vulns, the researchers said. In their case, that's been everything from hardware hacks that burned circuit boards to a crisp, to long-winded shellcode that failed to run.

In the latter case, McKee and his team had discovered a vulnerability in the Belkin Wemo Insight SmartPlug, a Wi-Fi-enabled consumer device for remotely powering on and off devices connected to it. "My shellcode was not getting through to the stack. If I had read the XML library, it was clear that XML filters out characters and there's a limited character set allowed through the XML filter. This was another example of lost time if I had read through the code I was actually working with," he says. "When we deconstructed it, we found a buffer overflow that allowed you to remotely control the device."

**Don't ASSume: Schooled by Distance-Learning App 'Security'**

In another project, the researchers studied a distance-learning software tool by Netop called Vision Pro that, among other things, includes the ability for teachers to remote into students' machines and exchange files with their students. The Remote Desktop Protocol-based feature seemed straightforward enough: "It allows teachers to log in using Microsoft credentials to get full access to a student's machine," McKee explained.

The researchers had assumed that the credentials were encrypted on the wire, which would have been the logical security best practice. But while monitoring their network captures from Wireshark, they were shocked to discover credentials traveling across the network unencrypted. "A lot of times assumptions can be the death of the way you do a research project," McKee said.

Meantime, they recommend having in hand multiple versions of a product you're researching in case one gets damaged. McKee admitted getting a bit overzealous in deconstructing the battery and internals of the B Bruan Infusomat infusion pump. He and his team took apart the battery after spotting a MAC address on a sticker affixed to it. They found a circuit board and flash chip inside, and they ended up physically damaging the chip while trying to get to the software on it.

"Try to do the least invasive process first," McKee said, and don't jump into breaking open the hardware from the start. "Breaking things is part of the hardware hacking process," he said.

Hacker Fails for the Win

A ransomware attack on the company's Hosted Exchange environment disrupted email for thousands of mostly small and midsize businesses.

A Dec. 2 ransomware attack at Rackspace Technology — which the managed cloud hosting company took several days to confirm — is quickly becoming a case study on the havoc that can result from a single well-placed attack on a cloud service provider.

The attack has disrupted email services for thousands of mostly small and midsize organizations. The forced migration to a competitor's platform left some Rackspace customers frustrated and desperate for support from the company. It has also already prompted at least one class-action lawsuit and pushed the publicly traded Rackspace's share price down nearly 21% over the past five days.

**Delayed Disclosure?**

"While it's possible the root cause was a missed patch or misconfiguration, there's not enough information publicly available to say what technique the attackers used to breach the Rackspace environment," says Mike Parkin, senior technical engineer at Vulcan Cyber. "The larger issue is that the breach affected multiple Rackspace customers here, which points out one of the potential challenges with relying on cloud infrastructure." The attack shows how if threat actors can compromise or cripple large service providers, they can affect multiple tenants at once.

Rackspace first disclosed something was amiss at 2:20 a.m. EST on Dec. 2 with an announcement it was looking into "an issue" affecting the company's Hosted Exchange environment. Over the next several hours, the company kept providing updates about customers reporting email connectivity and login issues, but it wasn't until nearly a full day later that Rackspace even identified the issue as a "security incident."

By that time, Rackspace had already shut down its Hosted Exchange environment citing "significant failure" and said it did not have an estimate for when the company would be able to restore the service. Rackspace warned customers that restoration efforts could take several days and advised those looking for immediate access to email services to use Microsoft 365 instead. "At no cost to you, we will be providing access to Microsoft Exchange Plan 1 licenses on Microsoft 365 until further notice," Rackspace said in a Dec. 3 update.

The company noted that Rackspace's support team would be available to assist administrators configure and set up accounts for their organizations in Microsoft 365. In subsequent updates, Rackspace said it had helped — and was helping — thousands of its customers move to Microsoft 365.

**A Big Challenge**

On Dec. 6, more than four days after its first alert, Rackspace identified the issue that had knocked its Hosted Exchange environment offline as a ransomware attack. The company described the incident as isolated to its Exchange service and said it was still trying to determine what data the attack might have affected. "At this time, we are unable to provide a timeline for restoration of the Hosted Exchange environment," Rackspace said. "We are working to provide customers with archives of inboxes where available, to eventually import over to Microsoft 365."

The company acknowledged that moving to Microsoft 365 is not going to be particularly easy for some of its customers and said it has mustered all the support it can get to help organizations. "We recognize that setting up and configuring Microsoft 365 can be challenging and we have added all available resources to help support customers," it said. Rackspace suggested that as a temporary solution, customers could enable a forwarding option, so mail destined to their Hosted Exchange account goes to an external email address instead.

Rackspace has not disclosed how many organizations the attack has affected, whether it received any ransom demand or paid a ransom, or whether it has been able to identify the attacker. The company did not respond immediately to a Dark Reading request seeking information on these issues. In a Dec. 6. SEC filing, Rackspace warned the incident could cause a loss in revenue for the company's nearly $30 million Hosted Exchange business. "In addition, the Company may have incremental costs associated with its response to the incident."

**Customers Are Furious and Frustrated**

Messages on Twitter suggest that many customers are furious at Rackspace over the incident and the company's handling of it so far. Many appear frustrated at what they perceive as Rackspace's lack of transparency and the challenges they are encountering in trying to get their email back online.

One Twitter user and apparent Rackspace customer wanted to know about their organization's data. "Guys, when are you going to give us access to our data," the user posted. "Telling us to go to M365 with a new blank slate is not acceptable. Help your partners. Give us our data back."

Another Twitter user suggested that the Rackspace attackers had also compromised customer data in the incident based on the number of Rackspace-specific phishing emails they had been receiving the last few days. "I assume all of your customer data has also been breached and is now for sale on the dark web. Your customers aren't stupid," the user said.

Several others expressed frustration over their inability to get support from Rackspace, and others claimed to have terminated their relationship with the company. "You are holding us hostages. The lawsuit is going to take you to bankruptcy," another apparent Rackspace customer noted.

Davis McCarthy, principal security researcher at Valtix, says the breach is a reminder why organizations should pay attention to the fact that security in the cloud is a shared responsibility. "If a service provider fails to deliver that security, an organization is unknowingly exposed to threats they cannot mitigate themselves," he says. "Having a risk management plan that determines the impact of those known unknowns will help organizations recover during that worst case scenario."

Meanwhile, the lawsuit, filed by California law firm Cole & Van Note on behalf of Rackspace customers, accused the company of "negligence and related violations" around the breach. "That Rackspace offered opaque updates for days, then admitted to a ransomware event without further customer assistance is outrageous,” a statement announcing the lawsuit noted.

**Did the Attackers Exploit "ProxyNotShell" Exchange Server Flaws?**

No details are publicly available on how the attackers might have breached Rackspace's Hosted Exchange environment. But security researcher Kevin Beaumont has said his analysis showed that just prior to the intrusion, Rackspace's Exchange cluster had versions of the technology that appeared vulnerable to the "ProxyNotShell" zero-day flaws in Exchange Server earlier this year.

"It is possible the Rackspace breach happened due to other issues," Beaumont said. But the breach is a general reminder why Exchange Server administrators need to apply Microsoft's patches for the flaws, he added. "I expect continued attacks on organizations via Microsoft Exchange through 2023."

Rackspace Incident Highlights How Disruptive Attacks on Cloud Providers Can Be

Cyberattackers focused on ad fraud and clickjacking stole millions during Black Friday by hijacking shopper accounts and tying up transactions.

Online fraudsters posing as consumers likely siphoned off more than $360 million from the marketing budgets of online businesses by generating fake clicks during Black Friday, while 20% of visits to retail sites on Cyber Monday were bots posing as shoppers and not humans, Web security firms said this week.

The surge in fraud included techniques such ad injection, search engine redirects, and affiliate fraud — and shows the trouble that cybercriminal automation such as bots can cause for online commerce providers. The increase in fraud matched the annual upswing of US holiday sales that start the week of Thanksgiving though the following Monday, also known as Cyber Monday. Overall, online retailers saw a nearly 12% increase in sales during November and a 2.3% increase in purchases on Black Friday.

The lockstep growth of sales and fraud underscores the opportunistic nature of attackers, says Guy Tytunovich, CEO of Cheq.

"Fraud is always there, but it is very seasonal in terms of peak times," he says. "\[The trigger\] could be anything — it could be political, like an election, or it could be like Black Friday or Cyber Monday."

Fraudsters have had a significant impact on online businesses, according to data provided to Dark Reading by Cheq and online network-services provider Akamai. By donning the disguise of legitimate consumers, bots can cost advertisers and retailers real money on marketing — typically a loss of 10% to 15% — that is not being seen by human eyes. In addition, bots can be used to buy out popular items, enable credit card fraud, and tie up inventory.

The largest cost to businesses comes during peak times. During the peak on Cyber Monday, consumers spend $12 million every minute, according to Adobe, which collects information on consumer activity. Yet 46 million of those shoppers were bots, leading to $368 million in fake clicks on retail ads, Cheq estimates.

About 20% of sessions overall are "being distorted" because of something happening on the client side, says Patrick Sullivan, chief technology officer for security strategy at Akamai. While businesses tend to focus on attacks against their own infrastructure — the server side — they pay less attention to what is going on with visitors' systems and browsers, he says.

"In general, we've seen over the last five years that no longer can security be focused on the crown jewels just being on the server side," Sullivan says. "Across a number of industries, we see attackers more focused on the client side. We've seen supply chain attacks where the fraudsters gain control of the javascript running on the client side, for example."

**Scalper Bots & Denial-of-Inventory Attacks**

One major fraud scheme enabled by client-side bots are scalper bots/sneaker bots — automated programs running on clients that scrape retailers' sites looking to buy particularly popular items, sometimes purchasing the items with stolen credit cards, says Cheq's Tytunovich.

While credit card fraud continues to be a significant concern for retailers, the increase in attacks that deplete inventory or make inventory unavailable to legitimate buyers is more worrisome, he says.

"While they are not as malicious as other \[cyberattacks\], retailers are extremely scared about scalper bots," he says. "The bots that are wholly aimed at getting those Jordan Ones or PlayStation 5s or whatever, and get the entire stock."

Another major inventory-impacting attack are bots that abandon shopping carts, which typically puts a hold of 10 to 15 minutes on an items — a small amount, but one that can add up quickly with the intensity that only automation can provide. These denial-of-inventory attacks can cause chaos with retailers' visibility into the state of their stocks, Akamai's Sullivan says.

"There are certain industries that almost engineer scarcity — they want people to queue up for sneakers or handbags — but now we have seen it across multiple industries — groups that have traditionally never seen that," he says. "Because of the supply chain issues now, a lot more industries are impacted by these inventory-grabbing bots out there."

**Unwanted, But Legitimate**

However, most of the invalid traffic, or IVT, that companies such as Akamai and Cheq track are not necessarily fraud, but just unwanted by retailers.

In many cases, the influx of non-human traffic included user-installed price-comparison tools, such as Honey and Rakuten, which retailers might prefer that their visitors did not use, but which are not fraudulent nor malicious. In the US during Cyber Week, for example, retailers saw 25% to 30% more sessions that used browser extensions for price comparison, Akamai stated.

Yet such traffic also skews retailers' understand of consumer demand, which can lead to inefficiencies, according to Cheq. Unique site visits are increased by 22% by automated traffic, while sessions duration can dive 41% and the number of new users overestimated by 21%, the company found.

Fraudsters Siphon $360M From Retailers Using 50M Fake Shoppers

Out of more than 80 flaws fixed this month, the most critical was a system component bug that could allow RCE over Bluetooth.

Android's Framework, Kernel, and Google Play were among components that received security updates this month, but the most severe was a critical bug in the System component that, if exploited, could allow remote code execution (RCE) over Bluetooth, without any escalation privileges required. 

In addition to the System vulnerability, tracked under CVE-2022-20411, there are three additional critical flaws addressed by Android this month, including an ID bug in the System component (CVE-2022-20498) and two critical RCE bugs in the Framework component (CVE-2022, 20472 and CVE-2022-20473). 

In total, the Android security update addressed more than 80 vulnerabilities. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Android Serves Up a Slew of Security Updates, 4 Critical

At AWS re:Invent last week, the cloud giant previewed security services including Amazon Security Lake for security telemetry, Verified Permissions for developers, and a VPN bypass service.

Cloud threats will continue to grow and proliferate in 2023, but organizations can meet the challenges head-on with the right security fundamentals in place, Amazon Web Services CISO CJ Moses said during AWS re:Invent 2022 conference last week.

Malicious activity is on the rise: The volume of DDoS events in AWS between January and September of this year rose 35% compared with the same period in 2021. AWS saw a 256% increase in compromised instances compared with the fourth quarter of 2021.

AWS unveiled new security tools to help enterprise security teams with analyzing security telemetry, permissions management, and key management.

**Gathering Threat Telemetry**

First up was Amazon Security Lake to manage threat intelligence data. AWS CEO Adam Selipsky said Amazon Security Lake would allow organizations to gather security telemetry and data from many sources, clean it up, and make it accessible for analysis. The challenge lies in the fact that security data exists in multiple formats. The new Open Cybersecurity Schema Framework standard, announced last August during Black Hat USA, can be used to normalize security logs and events data across a wide range of products and services, Selipsky said.

Asked whether supporting OCSF members have conducted comprehensive interoperability tests or certification efforts, Splunk distinguished engineer Paul Agbabian explained to Dark Reading how the data is normalized. 

"For an event class to be considered in OCSF, there must be a real implementation of the class via one of the member's example logs," he said. "In addition, OCSF uses a server that can test each implementation of the schema for validation, which includes showing notable errors and violations."

"Increasing threats and risks continue driving the shift to the cloud, where security will be built into everything organizations do up and down their technology stack and across their teams," Moses said. "More and more security can be thought of as a data science problem."

AWS said FINRA, Salesforce, and Tinder are the first customers using Amazon Security Lake. Fernando Montenegro, a senior principal analyst at Omdia, said Amazon Security Lake was the most significant new security offering announced at last week's conference.

"Security Lake is obviously notable as it addresses some of the security 'undifferentiated heavy lifting' that AWS likes to address," Montenegro told Dark Reading. "It's still early, but the expectation is that it can help simplify security analytics at scale. The use of the OCSF standard is also notable, as it can herald easier data integration even outside of AWS environments."

**Verified Permissions for Developers**

A preview of Amazon Verified Permissions is now available, which Moses described as a scalable, fine-grained permissions management and authorization service for custom applications. 

"It gives developers a consistent way to define and manage fine-grained permissions across applications, simplifies changing permission roles without a need to change code, while also improving visibility to permissions," he explained.

Amazon Verified Permissions gives application administrators "a comprehensive audit capability that scales millions of policies using automated reasoning," Moses added. "Authorization requests running through Amazon Verified Permissions are evaluated in milliseconds to provide dynamic real-time decisions."

**Remote Access Without a VPN**

Amazon also released the preview of AWS Verified Access, a new connectivity service that provides secure remote access to corporate applications without requiring a VPN. According to AWS, the new service only grants access to applications if users and their devices meet defined security requirements.

AWS noted that Verified Access validates each application request, regardless of user or network, before granting access. 

"AWS Verified Access should help with the burden of accessing AWS resources in a 'zero trust' manner,'" Omdia's Montenegro said.

**External Key Store (XKS) for AWS KMS**

Amazon also announced its AWS Digital Sovereignty Pledge, which the company describes "as its commitment to offering all AWS customers the most advanced set of sovereignty controls and features available in the cloud."

Previously, customers have had to choose between "the full power of AWS and a feature-limited sovereign cloud solution that could hamper their ability to innovate, transform, and grow. We firmly believe that customers shouldn't have to make this choice," explained AWS senior VP Matt Garman in a blog post.

Effectively, AWS is promising to enable its complete offerings to maintain the growing set of digital sovereignty industry and regional regulations. Moses said the new External Key Store (XKS) for the AWS Key Management Service (KMS) supports the pledge because it lets organizations store and utilize their encryption keys outside of AWS.

"Customers can now store AWS KMS customer-managed keys outside of AWS on hardware security modules, whether they operate on-premises or anywhere else they would like to do so," he said. "XKS supports all the critical features of KMS and works with the over 100 AWS services that already integrate with KMS customer keys."

A user can encrypt data with external keys for most AWS services that support AWS KMS customer-managed keys, including Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more services. The external key store forwards API calls to securely connect with a customer's hardware security module (HSM). According to an AWS blog post, the data describing the key never leaves the HSM.

Key Security Announcements From AWS re:Invent 2022

Cybercrooks allegedly stole personal data, used it to file IRS tax documents, and routed refunds to bank accounts under their control.

Three Nigerian nationals and one UK citizen are facing extradition to the US following their recent arrest for cybercrimes related to a tax refund scam. 

The Department of Justice unsealed indictments of Akinola Taylor, Olayemi Adafin, Olakunle Oyebanjo, and Kazeem Olanrewaju Runsewe, who are accused of breaching US company servers, stealing personal information, and using that data to file fraudulent Internal Revenue Service (IRS) tax documents and collect refunds. 

The group, on at least once occasion, used cybercrime forum xDedic Marketplace to purchase access to compromised servers and users all over the world, which were then leveraged to steal enough information on US citizens to file false tax returns, the DoJ said. The four men would allegedly direct the returns to accounts under their control and convert the proceeds to purchase prepaid debit cards for their use. 

"Adafin and Oyebanjo assisted in the collection fraud proceeds directed to prepaid debit cards in their possession or to addresses or bank accounts they controlled or to which they had access and transferred a share of the fraud proceeds to other conspirators," according to the DoJ announcement. 

If convicted, each will face a maximum penalty of up to 20 years in prison, the DoJ said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

4 Arrested for Filing Fake Tax Returns With Stolen Data

Learn how BOD 23-01 asset inventory mandates can help all organizations tighten cybersecurity.

Do you know what IT devices are in your business or on your network right now? If not, you may have cybercriminals _and_ the White House knocking on your door very soon.

Binding Operational Directive 23-01, or BOD 23-01, is a new directive from the US Cybersecurity and Infrastructure Security Agency (CISA) that orders federal agencies to keep track of their IT assets and any vulnerabilities on their networks. The guidance is designed to improve the way systems are tracked, managed, and protected against unauthorized access and attacks such as ransomware.

**What Is BOD 23-01?**

The wide-ranging BOD 23-01 cybersecurity directive orders all US Federal Civilian Executive Branch (FCEB) agencies to create a complete and accurate inventory of all software assets. The intention of the new directive is to prevent situations such as the 2020 SolarWinds attack, in which several government agencies and organizations were compromised by malicious code injected into software systems.

BOD 23-01 also is designed to make federal civilian agencies more accountable for their own systems and what resides on their networks, as well as for any cyber breaches or attacks on their systems. The directive covers only federal civilian agencies in the US, but CISA also has urged the private sector and state governments to review and implement similar asset and vulnerability practices.

**What Issues Does BOD 23-01 Address?**

Threat actors continue to target critical infrastructure, networks, and devices to exploit weaknesses within unknown, unprotected, or under-protected assets. Previous and even current methods of preventing infiltration and attacks have had varying levels of success — hence, the need for another layer of protection.

At a basic level, businesses still aren’t tracking the devices and software beneath their own roof, with about one in three IT teams saying they don't actively track the software used by employees within the business.

The hope with the new directive is that, at minimum, agencies and government departments have access to an up-to-date inventory of assets. You can't protect what you can’t see, so by providing this visibility organizations will be one step ahead of the game.

Of course, there's no point in knowing what's under threat if you can't prevent or stop an attack.

The vast majority of companies are vulnerable to external attackers breaching their network perimeters and gaining access to sensitive data.

**What Does the Order Mean for IT Teams?**

The attack surface — the points of entry and vulnerabilities that serve as attack vectors — is expanding rapidly. New technologies, recent changes to implement remote and hybrid workplaces, and the BYOD model again gaining momentum are threatening to overpower IT teams, which is why new methods of cyber asset attack surface management (CAASM) are becoming vital in managing and protecting organizations.

For agencies looking to become compliant with the new directive, creating an IT asset inventory will be seen as a significant administrative challenge. We're talking about having to locate, identify, record, and report on potentially hundreds or thousands of pieces of hardware and software.

**Asset Visibility and Vulnerability Detection**

There are two key areas IT teams need to focus on: asset inventory and vulnerability scans. Together, these are seen as vital in gaining the visibility needed to protect federal organizations against outside threats.

By April 3, 2023, asset discovery scans will need to be run every seven days, while vulnerability assessments across those assets every 14 days. Agencies will also have to prove that they have the ability to run such tests on demand, with CISA requesting proof within 72 hours of receiving a written request.

If IT teams don’t have one already, they will need to create and maintain an up-to-date inventory of IT assets on their network, as well as identify vulnerabilities and share relevant information with CISA at regular intervals.

IT teams are already under pressure, and the only realistic and cost-effective way organizations can become compliant is to automate IT inventory. With new devices added on an almost daily basis and current tech needing to be constantly updated, it's virtually impossible to handle this manually.

Knowing what's on your network is necessary for any organization to reduce risk. In today's digital-first world, with more attack surfaces than ever before, taking stock of what you have is the first step in protecting and preventing the worst from taking place.

Will New CISA Guidelines Help Bolster Cyber Defenses?

Data protection company Piiano officially launches a vault for sensitive customer data, the first among a suite of privacy tools for developers.

**TEL AVIV, Israel, Dec. 07, 2022 (GLOBE NEWSWIRE)** — Piiano, a data protection company co-founded by celebrated security experts Gil Dabah, CEO and Ariel Shiftan, CTO, today announced the release of the Piiano Vault, a secure database for enterprises to safely store and use sensitive personal data and comply with evolving privacy regulations. Basic functionality is now available for free. Deployed directly in an enterprise’s own cloud environment, the Vault provides complete control over critical customer data and was designed to be the most secure database on the market.

Enterprises that collect sensitive data face mounting pressure to protect it and maintain customer privacy in the wake of high-profile data leaks and broadening regulations. Gartner findings demonstrate intensifying budgetary spending across data privacy and security by 14.2% and 16.9%, respectively. According to a survey conducted by Piiano on privacy best practices, 80% of companies now attempt to treat sensitive data differently, with 45% highly prioritizing Personal Identifiable Information (PII) protection.

However, operationalizing such practices at scale requires the involvement of developers tasked with embedding security into the very frameworks of their enterprise environments. This is an enormous undertaking, and many developers find themselves scrambling to retrofit privacy and security into existing environments and workflows. In most cases, such a feat requires companies to embark on a years-long, expensive development project even as the underlying risk grows and becomes a moving target. By contrast, Piiano intends to significantly accelerate such transformations and deliver unprecedented ROI on related initiatives.

As enterprise R&D outpaces security efforts, the safety and protection of customer data remains disorganized and consequently highly vulnerable to potential breaches. Piiano’s solution is based on embedding security and de-identifying data as part of product development. The company’s approach starts by isolating customer secrets and similar types of sensitive data in a separate, zero-trust vault. It is a best practice already exercised by large companies like Google, Netflix, USAA and JPMC. Both Dabah and Shiftan assert that keeping sensitive data separate and untouchable can all but nullify the true privacy risk.

“By centralizing sensitive data into one place with Piiano, developers can easily integrate with existing building blocks like field-level encryption, tokenization, masking, data retention and granular access control. Even more exciting are the major breakthroughs we’ve made in providing capabilities to search through encrypted data,” says Shiftan. “In this way, the Piiano Vault simplifies regulatory compliance by providing developers with out-of-the-box support for staples of GDPR and CCPA requirements, such as data subject access rights, consent, retention, minimization, traceability and more.”

In praise of Piiano’s approach, author of "Data Privacy: A Runbook for Engineers" and Piiano board advisor Nishant Bhajaria said, “Gil and Ariel’s groundbreaking technology has the potential to be an incredible service to enterprises in an age where the sale of stolen sensitive customer data has become so widespread and lucrative. I commend them for helping companies seamlessly incorporate privacy into day-to-day operations.”

For more information visit: https://piiano.com/pii-data-privacy-vault/

**About Piiano**

Piiano provides developer infrastructure to protect customer secrets and ensure their privacy — even in the event of a breach. Safely use and store sensitive data in our Vault and leverage our Scanner to quickly identify PII usages across source code for full visibility into your privacy issues. With Piiano’s building blocks, engineers and security leaders can save time, effort and resources while achieving secure and compliant applications.

Source

DARKReading