ZecOps extends Jamf's mobile security capabilities by adding advanced detections and incident response.

**MINNEAPOLIS, Sept. 26, 2022 (GLOBE NEWSWIRE) —** Jamf (NASDAQ: JAMF), the standard in Apple Enterprise Management, today announced it signed a definitive agreement to acquire ZecOps Inc., a leader in mobile detection and response.

This acquisition uniquely positions Jamf to help IT and security teams strengthen their organization's mobile security posture, accelerating mobile security investigations from weeks to minutes, leverage known indicators of compromise (IOC) at-scale, and identify sophisticated 0- or 1-click attacks on a much deeper scale.

"I am very excited to bring ZecOps' market-leading advanced mobile detection and response capabilities into the Jamf platform," said Dean Hager, CEO, Jamf. "We believe ZecOps has built a differentiated solution that meets a very important need for many organizations — the ability to thoroughly detect and investigate threats that target mobile users so they can confidently use these powerful devices for work. This capability further propels our goal of continuing to bridge the gap between what Apple provides and the enterprise requires."

Mobile devices now account for 59% of global website traffic, and according to the 2022 Verizon Mobile Security Index, close to half (45%) of companies said that they have suffered a compromise involving a mobile device in the past 12 months.

ZecOps will bring important capabilities to the Jamf platform to help address the growing trend of targeted mobile attacks. Jamf offers robust management and mobile security capabilities for iOS devices; however, access to deeper insights into potential security exploits is technically challenging and requires physical access to the device, which is difficult in a remote work environment. ZecOps is a robust, unparalleled solution that provides the deepest layer of insight and assurance for security-conscious customers with high-value targets that need something more. ZecOps provides the same level of visibility currently available for macOS through Jamf Protect but for iOS, making it capable of detecting the kinds of sophisticated mobile threats that Apple's Lockdown mode aims to prevent. With ZecOps, users can have both Lockdown mode and ZecOps software operating at the same time.

**Advanced threat hunting on mobile devices**  
Advanced protection of mobile devices requires a layered approach. Proactive investigation and analysis complement device management and mobile threat defense for more advanced detections and preventative protections. ZecOps enables advanced threat hunting by capturing and analyzing logs from iOS and Android devices at the operating system layer, allowing security operations and incident response teams to perform automatic or on-demand mobile cyber investigations.

**Digital forensics and incident response**  
Security teams are already drowning in data. Event logs, analyst reports, third-party threat intelligence feeds, and more are produced regularly for applications, endpoints, and network infrastructure. Mobile has historically been left out of this data feed. Many investigation teams lack expertise in modern mobile platforms. ZecOps' sophisticated digital forensics capabilities provides Security Operation Center (SOC) teams with unique mobile threat intelligence to uncover zero-day attacks. ZecOps does the heavy lifting for SOC teams, saving months of work per investigation. The solution automatically constructs a timeline of suspicious events and indicators of compromise to demonstrate when and how a device was impacted.

**Privacy conscious**  
Data privacy is extremely important to Jamf. ZecOps shares Jamf's commitment to safeguarding user data by ensuring log collection doesn't include the user's material personal data such as photos, videos, text messages and call logs, and only leveraging low-level system information and diagnostics data to the cloud for analysis. ZecOps analysis can also take place on-premises to meet various organizations' and governments data privacy requirements.

"We founded ZecOps to catch hidden 0-click and 1-click attacks," said Zuk Avraham, co-founder and CEO, ZecOps. "By combining with Jamf, we can offer our customers a truly powerful mobile threat intelligence and threat hunting capabilities that will keep up with the evolving threat landscape without compromising the user experience."

This transaction is subject to the satisfaction of customary closing conditions and is expected to close in the fourth quarter. Terms of the transaction were not disclosed.

**About Jamf**  
Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. Jamf is the only company in the world that provides a complete management and security solution for an Apple-first environment that is enterprise secure, consumer simple and protects personal privacy. To learn more, visit www.jamf.com.

**About ZecOps**  
ZecOps develops the world's most powerful platform to discover and analyze mobile cyber attacks. Used by world-leading enterprises, governments and individuals globally, ZecOps Mobile Detection and Response platform provides a realistic and scalable approach to mobile threat hunting. ZecOps enables automated discovery of 0-day attacks and Advanced Persistent Threats (APTs), delivering anti cyber-espionage capabilities within minutes.

**Forward-Looking Statements**  
This release relates to a pending acquisition of ZecOps, Inc. ("ZecOps") by Jamf Holding Corp. ("Jamf", "we", our" or "us"). This release contains forward-looking statements within the meaning of the "safe harbor" provisions of the Private Securities Litigation Reform Act of 1995, regarding the anticipated benefits of the acquisition, and the anticipated impacts of the acquisition on our business, products, financial results, and other aspects of our and ZecOps' operations. You can identify forward-looking statements by the fact that they do not relate strictly to historical or current facts. These statements may include words such as "anticipate," "estimate," "expect," "project," "plan," "intend," "believe," "may," "will," "should," "can have," "likely," and other words and terms of similar meaning in connection with any discussion of the timing or nature of future operating or financial performance or other events. These risks, uncertainties, assumptions, and other factors include, but are not limited to: the effect of the announcement of the acquisition on the ability of Jamf or ZecOps to retain key personnel or maintain relationships with customers, vendors, developers, community members, and other business partners; risks that the acquisition disrupts current plans and operations; the ability of the parties to consummate the acquisition on a timely basis or at all; the satisfaction of the conditions precedent to consummation of the acquisition; our ability to successfully integrate ZecOps' operations; our and ZecOps' ability to execute on our business strategies relating to the acquisition and realize expected benefits and synergies; and our ability to compete effectively, including in response to actions our competitors may take following announcement of the acquisition. Further information on these and additional risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this release are included under the caption "Forward-Looking Statements" and elsewhere in our Form 10-Q for the quarter ended June 30, 2022, and other filings and reports we make with the Securities and Exchange Commission from time to time. Moreover, both we and ZecOps operate in a very competitive and rapidly changing environment, and new risks may emerge from time to time. It is not possible for us to predict all risks, nor can we assess the impact of all factors on our business or the acquisition, or the extent to which any factor, or combination of factors, may cause actual results or outcomes to differ materially from those contained in any forward-looking statements we may make. Forward-looking statements speak only as of the date the statements are made and are based on information available to us at the time those statements are made and/or our management's good faith belief as of that time with respect to future events. Except as required by law, we undertake no obligation, and do not intend, to update these forward-looking statements.

SOURCE: Jamf

Jamf Announces Intent to Acquire ZecOps, to Provide a Market-Leading Security Solution for Mobile Devices as Targeted Attacks Continue to Grow

Defend against phishing attacks with more than user training. Measure users' suspicion levels along with cognitive and behavioral factors, then build a risk index and use the information to better protect those who are most vulnerable.

Our approach to security awareness is flawed. And we must change it.

As Russian tanks creaked into Ukraine, CEOs and IT managers throughout the United States and much of the free world started sending out emails warning their employees about impending spear-phishing attacks.

It made sense: Spear-phishing was what Russians had used on Ukrainians many times in the past half of a decade, such as when they shut down the country's electrical grid on one of its coldest winter nights. It was also what the Russians had used against the Democratic National Committee and targets across the US.

At one end, the email missives from CEOs were refreshing. People were serious about the threat of phishing, which wasn't the case in 2014 when I started warning about its dangers on CNN.

At the other end, it was sobering. There wasn't much else organizations had figured out to do.

Sending messages to warn people was what AOL's CEO resorted to back in 1997, when spear-phishing first emerged and got its name. Budding hackers of the time were impersonating AOL administrators and fishing for subscribers' personal information. That was almost three decades ago, many lifetimes in Internet years.

In the interim, organizations have spent billions on security technologies and countless hours in security training. For context, a decade ago, Bank of America (BoA) was spending $400 million on cybersecurity. It now spends $1 billion per year on it. Yet thousands of its customer accounts in California were hacked last year.

And BoA isn't alone. This year, Microsoft, Nvidia, Samsung, LG, and T-Mobile — which recently paid out a $350 million settlement to customers because of a breach in 2021 — were hacked. All fell victim to spear-phishing attacks. No question that the employees in these companies are experienced and well-trained in detecting such attacks.

**Flawed Approach**

Clearly, something is fundamentally flawed in our approach, when you consider that after all this, email-based compromises increased by 35% in 2021, and American businesses lost over $2.4 billion due to it.

A big part of the problem is the current paradigm of user training. It primarily revolves around some form of cyber-safety instruction, usually following a mock phishing email test. The tests are sent periodically, and user failures are tracked — serving as an indicator of user vulnerability and forming the backbone of cyber-risk computations used by insurers and policymakers.

There is limited scientific support for this form of training. Most point to short-term value, with its effects wearing off within hours, according to a 2013 study. This has been ignored since the very inception of awareness as a solution.

There is another problem. Security awareness isn't a solution; it's a product with an ecosystem of deep-pocketed vendors pushing for it. There is legislation and federal policy mandating it, some stemming from lobbying by training organizations, making it necessary for every organization to implement it and users to endure it.

Finally, there is no valid measurement of security awareness. Who needs it? What type? And how much is enough? There are no answers to these questions.

Instead, the focus is on whether users fail a phishing test without a diagnosis of the why — the reason behind the failures. Because of this, phishing attacks continue, and organizations have no idea why. Which is why our best defense has been to send out email warnings to users.

**Defend With Fundamentals**

The only way to defend against phishing is to start at the fundamentals. Begin with the key question: What makes users vulnerable to phishing?

The science of security already provides the answers. It has identified specific mind-level or cognitive factors and behavioral habits that cause user vulnerability. Cognitive factors include _cyber-risk beliefs —_ ideas we hold in our minds about online risk, such as how safe it might be to open a PDF document versus a Word document, or how a certain mobile OS might offer better protection for opening emails. Many such beliefs, some flawed and others accurate, govern how much mental attention we pay to details online.

Many of us also acquire _media habits,_ from opening every incoming message to rituals such as checking emails and feeds the moment we awake. Some of these are conditioned by apps; others by organizational IT policy. They lead to mindless reactions to emails that increase phishing vulnerability.

There is another, largely ignored, factor: _suspicion_. It is that unease when encountering something; that sense that something is off. It almost always leads to information seeking and, armed with the right types of knowledge or experience, leads to deception-detection and correction.

It did for the former head of the FBI. Robert Muller, after entering his banking information in response to an email request, stopped before hitting Send. Something didn't seem right. In the momentary return to reason caused by suspicion, he realized he was being phished, and changed his banking passwords.

By measuring suspicion along with the cognitive and behavioral factors leading to phishing vulnerability, organizations can diagnose what makes users vulnerable. This information can be quantified and converted into a risk index, with which they can identify those most at risk, the weakest links, and protect them better.

Doing this will help us defend users based on a diagnosis of what they need, rather than a training approach that's being sold as a solution — a paradigm that we know doesn't work.

After billions spent, our best approach remains sending out email warnings about incoming attacks. Surely, we can do better. By applying the science of security, we can. And we must — because spear-phishing presents a clear and present danger to the Internet.

Time to Change Our Flawed Approach to Security Awareness

The "single pane of glass" that gathers and correlates all the information security professionals need doesn't exist, so it's up to us to create it.

When the Bloomberg Terminal was introduced in 1982, it changed Wall Street forever. The Terminal was a computing marvel, aggregating and correlating more data than ever imagined. From market data to global currencies, commodities and real estate to policy and politics, investors and traders had for the first time a centralized data platform for real-time, multidimensional visibility and analysis. 

After seeing the field differently, users developed new proprietary strategies that led to an explosion in new products, such as index options and mortgage-backed securities. Data analysis kicked off an age of discovery, and it made Wall Street the place to be in the 1980s and beyond.

Today, data analysis is a critical component of any cybersecurity program. Security teams must sift through a dizzying array of inputs and issues in order to separate the signals and noise. They must differentiate between legitimate and malicious activity and prioritize where to take action to mitigate risk and battle adversaries to protect their businesses and customers.

One could argue that artificial intelligence (AI) and machine learning (ML) are leading the much-needed age of advancement in cybersecurity. But thousands of companies are using AI and ML to develop thousands of cybersecurity solutions. Siloed implementations by vendors that have little incentive to collaborate have created massive complexity that ultimately still leaves businesses vulnerable to attacks and exploits. 

The Bloomberg Terminal for cybersecurity — the "single pane of glass" that gathers and correlates all the relevant information security professionals need to do their jobs efficiently — doesn't yet exist. So enterprises are left grappling with where they should begin.

**Protect the Most Critical Asset First**

The approach we have been using to reduce business risk and protect critical assets is not working or scaling to meet the complexity of today's environment or the attack landscape. The focus has been on protecting the infrastructure, the data center, and the devices using a complex web of barriers to limit access. Despite the attention that zero-trust security architectures have received, it seems that as an industry, we struggle to turn the rhetoric into architecture. Businesses are encouraged to move away from moats and castles and toward securing access and applications, but practitioners still tend to focus on building fences around their most critical assets instead of securing the assets themselves.

Yet data is arguably the enterprise's most important asset. Data breaches exposed 21 billion records in 2021. This is why cybercriminals target it and governments around the world regulate it. The business consequences of a data breach have never been higher. According to the 2022 "Cost of a Data Breach" report from IBM and Ponemon, the average cost of a data breach rose to a record $4.35 million in 2022.

As the enterprise transitions to the cloud, this shift dramatically increases the threat surface of an organization, since much of this activity is outside the visibility of the security teams. "The cloud" no longer means a public cloud vendor or two. The modern enterprise environment involves on-prem services, multiple cloud services, software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS) all securing managed and unmanaged devices, with hybrid employees and third parties all requiring access to business assets. Security professionals have no way to see it all, certainly not in a dashboard view.

**Protect the Whole Enterprise**

Few organizations speak with more CISOs than Gartner. According to "Gartner Predicts 2022," consolidated security platforms are the future:

_Vendors are increasingly divided into 'platform' and 'portfolio' camps, with the former integrating tools to make a whole that's greater than the sum of the parts, and the latter packaging products with little integration. Technology consolidation is not limited to one technology area or even to a closely related set of technologies; these consolidations are happening in parallel across many security areas._

The Bloomberg Terminal for cybersecurity may never exist in the way security professionals dream about, so it'll be up to them to envision and create their own version. This is harder than it might seem, as evidenced by the increasing disillusionment security practitioners feel with their security information and management (SIEM) implementations — where big data leads to big bills but not deep insights — and the growth of more specialized event management and extended detection and response (XDR) solutions. This will require a review of that sea of options to select the tools that make the most sense for each layer of the enterprise.

Could we end up with a handful of platforms built on open standards? For the sake of enterprise risk, and the people doing the work, let's hope so.

When Will Cybersecurity Get Its Bloomberg Terminal?

Malwarebytes achieves 250% year-over-year MSP partner growth, introduces new modules to enhance protection, detection, and resolution of threats for SMBs.

**SANTA CLARA, Calif., Sept. 27, 2022 / PRNewswire/ —** MalwarebytesTM, a global leader in real-time cyber protection, continues to expand its OneView platform capabilities as well as rapidly grow the company's Managed Service Provider (MSP) program. In addition to best-in-class endpoint security, MSPs can now access vulnerability assessment, patch management, and Domain Name System (DNS) filtering from Malwarebytes OneView.

"At Malwarebytes, we aim to serve the underserved, which is what our MSP partners are doing every day for SMBs," said Brian Thomas, Vice President of Worldwide MSP & Channel Programs at Malwarebytes. "I joined Malwarebytes with ambitious plans that are coming to life through our amazing team and unwavering commitment to help both new and existing MSP partners keep their clients safe while catapulting their businesses to new heights."

Delivering high-quality cybersecurity services and keeping customer environments free from malware requires a skilled team that can provide 24x7 coverage. Yet, many MSPs face constrained staff resources, skyrocketing costs and complexities of managing multiple solutions to uncover hidden threats. Today's MSPs require streamlined and simplified solutions to help them keep pace.

The Malwarebytes OneView platform empowers MSPs to deliver enterprise-class endpoint security products that drastically reduce customer malware infections and ransomware exposure. The easy-to-manage platform allows security analysts of all skill levels to be effective from a centralized cloud-based console. With different levels of protection capabilities and threat prevention modules, MSPs can offer the right product or service to each customer, tailored to their specific needs.

This quarter, Malwarebytes has continued to build upon OneView, adding three new modules that simplify breach prevention within the same cloud interface MSPs already trust for detection and remediation:

*   **Vulnerability and Patch Management**, which enables MSPs to take control of their full patching process, helping ensure defenses are up to date across their clients' environments.
*   **DNS Filtering**, which empowers organizations to regulate access to websites and other content on company-managed networks, which in turn reinforces the security of company data.
*   **Vulnerability Assessment**, which helps users understand exposure, identify vulnerabilities, and prioritize actions to update defenses across device and server operating systems and a wide range of third-party applications.

"The continued expansion of the OneView platform empowers us to help our customers with enhanced protection modules and expert support, reducing investments in time and resources needed to protect their organizations against increasingly complex vulnerabilities," said Daniel Mitchell, CEO of Alt-Tech. "Our partnership with Malwarebytes means stronger and simpler protection for our SMB customers, helping them successfully navigate potential threats."

Malwarebytes' initial MSP Program and OneView showed significant traction, resulting in over 250% YOY growth, with more than 2,700 new global MSP partners and strategic partnerships with Addigy, Atera, ConnectWise, Datto, GCN Group, Kaseya, Sherweb, TeamViewer and regional partner Soft Solutions. Based on business demand and future growth projections, Malwarebytes added more than 30 employees in the last six months across the MSP team, including Nadia Karatsoreos, who is dedicated to empowering MSPs to profitably grow their businesses. The company plans to continue expanding the MSP Program with further product innovation as well as additional resources and training.

"I am thrilled to be joining the Malwarebytes team during this pivotal time," said Nadia Karatsoreos, Senior MSP Growth Strategist at Malwarebytes. "MSPs have been tasked with keeping their clients safe from cyber threats, which is not an easy feat. They not only need the tools but also a supportive vendor so they can confidently sell and serve their customers. I'm so excited that I get to continue to help MSPs grow their businesses."

To read more about the latest threats and cyber protection strategies, visit our newsroom, or follow us on Facebook, Instagram, LinkedIn, TikTok, and Twitter.

**About Malwarebytes  
**Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, that mission has expanded to provide cyber protection for everyone. Malwarebytes provides consumers and organizations with device protection, privacy, and prevention through effective, intuitive, and inclusive solutions in the home, on-the-go, at work, or on campus. A world-class team of threat researchers and security experts enable Malwarebytes to protect millions of customers and combat existing and never-before-seen threats using artificial intelligence and machine learning to catch new threats rapidly. These capabilities have been lauded by independent third parties including, among others, MITRE Engenuity, MRG Effitas, AV-TEST (consumer and business), G2 Crowd and CNET. With threat hunters and innovators across the world, the company is headquartered in California with offices in Europe and Asia. For more information, visit https://www.malwarebytes.com.

**SOURCE:** Malwarebytes

Malwarebytes Expands OneView Platform for MSPs

Vulnerable configurations, software flaws, and exposed Web services allow hackers to find exploitable weaknesses in companies' perimeters in just hours, not days.

The average ethical hacker can find a vulnerability that allows the breach of the network perimeter and then exploit the environment in less than 10 hours, with penetration testers focused on cloud security gaining access most quickly to targeted assets. And further, once a vulnerability or weakness is found, about 58% of ethical hackers can break into an environment in less than five hours.

That's according to a survey of 300 experts by the SANS Institute and sponsored by cybersecurity services firm Bishop Fox, which also found that the most common weaknesses exploited by the hackers include vulnerable configurations, software flaws, and exposed Web services, survey respondents stated.  

The results mirror metrics for real-world malicious attacks and highlight the limited amount of time that companies have to detect and respond to threats, says Tom Eston, associate vice president of consulting of Bishop Fox.

"Five or six hours to break in, as an ethical hacker myself, that is not a huge surprise," he says. "It matches up to what we are seeing the real hackers doing, especially with social engineering and phishing and other realistic attack vectors."

The survey is the latest data point from cybersecurity companies' attempts to estimate the average time organizations have to stop attackers and interrupt their activities before significant damage is done.

Cybersecurity services firm CrowdStrike, for example, found that the average attacker "breaks out" from their initial compromise to infect other systems in less than 90 minutes. Meanwhile, the length of time that attackers are able to operate on victim's networks before being detected was 21 days in 2021, slightly better than the 24 days in the prior year, according to cybersecurity services firm Mandiant.

**Organizations Not Keeping Up**

Overall, nearly three-quarters of ethical hackers think most organizations lack the necessary detection and response capabilities to stop attacks, according to the Bishop Fox-SANS survey. The data should convince organizations to not just focus on preventing attacks, but aim to quickly detect and respond to attacks as a way to limit damage, Bishop Fox's Eston says.

"Everyone eventually is going to be hacked, so it comes down to incident response and how you respond to an attack, as opposed to protecting against every attack vector," he says. "It is almost impossible to stop one person from clicking on a link."

In addition, companies are struggling to secure many parts of their attack surface, the report stated. Third parties, remote work, the adoption of cloud infrastructure, and the increased pace of application development all contributed significantly to expanding organizations' attack surfaces, penetration testers said.

Yet the human element continues to be the most critical vulnerability, by far. Social engineering and phishing attacks, together, accounted for about half (49%) of the vectors with the best return on hacking investment, according to respondents. Web application attacks, password-based attacks, and ransomware account for another quarter of preferred attacks.

"\[I\]t should come as no surprise that social engineering and phishing attacks are the top two vectors, respectively," the report stated. "We've seen this time and time again, year after year — phishing reports continually increase, and adversaries continue to find success within those vectors."

**Just Your Average Hacker**

The survey also developed a profile of the average ethical hacker, with nearly two-thirds of respondents having between a year and six years of experience. Only one in 10 ethical hackers had less than a year in the profession, while about 30% had between seven and 20 years of experience.

Most ethical hackers have experience in network security (71%), internal penetration testing (67%), and application security (58%), according to the survey, with red teaming, cloud security, and code-level security as the next most popular types of ethical hacking.

The survey should remind companies that technology alone cannot solve cybersecurity problems — solutions require training employees to be aware of attacks, Eston says.

"There is not a single blinky-box technology that is going to repel all the attacks and keep your organization safe," he says. "It is a combination of people process and technology, and that has not changed. Organizations gravitate toward the latest and greatest tech ... but then they ignore security awareness and training their employees to recognize social engineering."

With attackers focused on exactly those weaknesses, he says, organizations need to change how they are developing their defenses.

Most Attackers Need Less Than 10 Hours to Find Weaknesses

Previously observed using fake Coinbase jobs, the North Korea-sponsored APT has expanded into using Crypo.com gigs as cover to distribute malware.

Researchers are warning that Lazarus has expanded its campaign using fake jobs with cryptocurrency exchanges to trick macOS users into downloading malware.

Just last month, researchers observed Lazarus using Coinbase job openings to trick macOS users into downloading malware. Now, SentinelOne says the same threat group has expanded its phishing campaign to include fraud job postings at another cryptocurrency exchange, Crypto.com.

According to the SentinelOne report on the new crypto job lure, the additional victims were initially contacted by Lazarus through LinkedIn messaging.

Lazarus is an advanced persistent threat (APT) group with ties to the North Korean state. SentinelOne pointed out that the attack group has been targeting cryptocurrency exchanges since 2018, and has specifically used fake cryptocurrency exchange jobs as lures since 2020.

"The Lazarus (aka Nukesped) threat actor continues to target individuals involved in cryptocurrency exchanges," the SentinelOne researchers wrote. "This has been a long-running theme going as far back as the AppleJeus campaigns that began in 2018."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lazarus Lures Aspiring Crypto Pros With Fake Exchange Job Postings

Why cyber teams are now front and center for business enablement within organizations, and the significant challenges they face.

The past two years have marked a host of changes for cybersecurity professionals, as the pandemic, the ransomware tsunami, and increasing political and regulatory scrutiny have all created mounting expectations as their role becomes part and parcel with the lifeblood of organizations.

In a session at next week's SecTor 2022 conference taking place in Toronto, Tony Anscombe, chief security evangelist at ESET, will address this recent period of upheaval and role evolution, and what cyberteams can expect going forward. The bottom line? They should be prepared for pressure, pressure, and more pressure.

**2020–2022: Cybersecurity Grows in Stature, Pressure Mounts**

During his panel on Oct. 5, entitled "Two Years of Accelerated Cybersecurity and the Demands Being Placed on Cyber Defenders," Anscombe will discuss how the importance of implementing a good cybersecurity team and platforms really became a conversation when the COVID-19 pandemic lockdowns sent everyone home — and more importantly, how it marked the beginning of a two-year evolution of cyber-defense having a central role in business discussions.

"The use of cloud technologies and remote desktop protocol (RDP) were hallmarks of 2020 being the year of digital transformation," he tells Dark Reading. "But it was also a year of cybersecurity transformation, because those teams began the move from a back-office role to the front office; they became the business enabler as opposed to the business obstacle. Companies were saying, 'OK, everybody's gone home — how do we keep going?' And realistically it was the security team that was the enabler for remote working, online ordering for the sandwich shops, taking remote payments, and other basic needs."

Thus, 2020 saw cybersecurity teams became far more visible in the daily life of businesses; but that was just the beginning of an ongoing elevation in stature, Anscombe explains — because then, ransomware attacks began accelerating, and ransom amounts started growing.

He explains that this period represents a tipping point for when it became commonplace for ransomware-as-a-service (RaaS) gangs to go after millions of dollars in a single hit, such as $4.4 million for Colonial Pipeline; $40 million for CNA Financial; and $70 million for Kaseya, to name just a few. Thus, ransomware became an important existential crisis for companies, and ransomware gangs became a near-ubiquitous threat.

"We saw an entire evolution of monetization in that particular year, which lured cybercriminals in and made it a business imperative to deal with, and then it became a frontline political issue after the attack on Colonial Pipeline," Anscombe says. "So you saw government stepping up and saying, 'Hey, we need to do something about cybercrime, we have voters lining up outside gas stations.'"

This year, the political aspects of cybercrime have only been exacerbated, he says, thanks to the conflict in Ukraine: "You see all the agencies around the world saying we need to protect critical infrastructure from nation-state attacks etc., so that's upping of the game again."

Defense is meanwhile easier said than done, as ransomware actors continue to grow in sophistication.

"At the moment, I think as a cybersecurity defender ... you've got these ransomware attacks that were once attachments of emails that are now advanced persistent threat (APT)-style attacks exploiting long-term vulnerabilities in systems, putting their markers in networks and coming back to them later on," Anscombe says.

**Regulation & Reporting Requirements Up the Ante**

Where cyberteams sit within the hierarchy of businesses has also been affected by additional regulation and cyber-incident reporting requirements, which creates the need for a cross-discipline discussion of risk with legal and compliance departments, Anscombe also notes. This creates enormous pressure on cyberteams thanks to fact that the sheer number of requirements is growing, creating thorny complexities.

"Imagine you're a public company, and you're in insurance or the finance industry, and you do business internationally, you've got to comply with privacy requirements for the California Consumer Privacy Act and GDPR, you've got to meet the FDIC's cyber-incident reporting requirements," he explains. "The SEC has proposed others. And if you're a water utility company, you might have to comply with the critical infrastructure reporting. This is becoming very bureaucratic, and it needs to be harmonized in some way."

He adds, "Most importantly, the role of the cyber-defender is about to change significantly again, because you're probably going to have to have a paralegal sitting at the end of the desk during incident response. And, one of the big, big challenges for a lot of businesses will be adhering to their cyber-risk insurance policy, which affects the finance department. It's kind of the backstop, you're going to have to fall back on these policies. And the policies are becoming more stringent."

Meanwhile, all of these increased and new pressures that security teams are feeling are exacerbating some of the existing challenges, such as the workforce-gap issue — which Anscombe believes will create even more change for cyber-defense teams.

"I think all of this change just puts more burden on the cybersecurity resourcing issue, and become even more challenging for companies that to find the right level of people," Anscombe says. "Does that mean companies then go to managed service providers (MSPs)? Does it mean they start dragging in more resource from partners? Does it mean more of it becomes outsourced? I think that's a maybe the thing to watch for the 2023 segment of cyber."

Amid Sweeping Change, Cyber Defenders Face Escalating Visibility — and Pressure

Initial reports suggest a basic security error allowed the attacker to access the company's live customer database via an unauthenticated API.

Australian telecommunication giant Optus is reportedly receiving help from the FBI in investigating what appears to have been an easily preventable breach that ended up exposing sensitive data on nearly 10 million customers.

Meanwhile, the apparent hacker or hackers behind the breach on Tuesday withdrew their demand for a $1 million ransom along with a threat to release batches of the stolen data till the ransom was paid. The threat actor also claimed he or she deleted all the data stolen from Optus. The apparent change of heart, however, came after the attacker already earlier had released a sample of some 10,200 customer records, seemingly as proof of intent.

**Second Thoughts**

The attacker's reason for withdrawing the ransom demand and the data leak threat remain unclear. But in a statement posted on a Dark Web forum — and reposted on databreaches.net — the alleged attacker alluded to "too many eyes" seeing the data as being one reason. "We will not sale data to anyone," the note read. "We can't if we even want to: personally deleted data from drive (Only copy)." 

The attacker also apologized to Optus and to the 10,200 customers whose data was leaked: "Australia will see no gain in fraud, this can be monitored. Maybe for 10,200 Australian but rest of population no. Very sorry to you."

The apology and the attacker's claims of deleting the stolen data are unlikely to assuage concerns surrounding the attack, which has been described as Australia's largest-ever breach.

Optus first disclosed the breach on Sept. 21, and in a series of updates since then has described it as affecting current and previous customers of the company's broadband, mobile, and business customers from 2017 onward. According to the company, the breach may have potentially exposed customer names, dates of birth, phone numbers, email addresses, and — for a subset of customers — their full addresses, driver's license information, or passport numbers.

**Optus Security Practices Under the Microscope**

The breach has stoked concerns of widespread identity fraud and pushed Optus into — among other measures — working with different Australian state governments to discuss the potential for changing driver's license details of affected individuals at the company's cost. "When we get in touch, we'll place a credit on your account to cover any relevant replacement cost. We’ll do this automatically, so you don’t need to contact us," Optus informed customers. "If you don’t hear from us, it means that your driver’s license doesn’t need to be changed."

The data compromise has put Optus security practices squarely under the spotlight especially because it appears to have resulted from a fundamental error. The Australian Broadcasting Corporation (ABC) on Sept. 22 quoted an unidentified "senior figure" inside Optus as saying the attacker was basically able to access the database via an unauthenticated application programming interface (API). 

The insider allegedly told ABC that the live customer identity database the attacker accessed was connected via an unprotected API to the Internet. The assumption was that only authorized Optus systems would use the API. But it somehow ended up getting exposed to a test network, which happened to be directly connected to the Internet, ABC quoted the insider as saying.

ABC and other media outlets described Optus CEO Kelly Bayer Rosmarin as insisting the company was the victim of a sophisticated attack and that the data the attacker claimed to have accessed was encrypted.

If the report about the exposed API is true, Optus was the victim of a security mistake that many others make. "Broken user authentication is one of the most common API vulnerabilities," says Adam Fisher, solutions architect at Salt Security. "Attackers look for them first because unauthenticated APIs take no effort to breach."

Open or unauthenticated APIs often are the result of the infrastructure team, or the team that manages authentication, misconfiguring something, he says. "Because it takes more than one team to run an application, miscommunication frequently occurs," Fisher says. He notes that unauthenticated APIs occupy the second spot in OWASP's list of the top 10 API security vulnerabilities.

An Imperva-commissioned report earlier this year identified US businesses as incurring between $12 billion and $23 billion in losses from API-linked compromises just in 2022. Another survey-based study that Cloudentity conducted last year found 44% of respondents saying their organization had experienced data leakage and other issues stemming from API security lapses.

**"Spooked" Attacker?**

The FBI did not respond immediately to a Dark Reading request for comment via its national press office email address, but the Guardian and others reported the US law enforcement agency as being called in to assist with the investigation. The Australian Federal Police, which is investigating the Optus breach, said it was working with overseas law enforcement to track down the individual or group responsible for it.

Casey Ellis, founder and CTO of bug bounty firm Bugcrowd, says the intense scrutiny the breach has received from the Australian government, public, and law enforcement may have spooked the attacker. "It's fairly rare for this type of interaction to be as spectacular as this one has been," he says. "Compromising nearly half the population of a country is going to garner a lot of very intense and very powerful attention, and the attackers involved here clearly underestimated this." 

Their response suggests the threat actors are very young and likely very new to criminal conduct, at least of this scale, he notes.

"Clearly, the Australian government has taken this breach very seriously and is going after the attacker voraciously," Fisher adds. "This strong response might have caught the attacker off guard," and likely prompted second thoughts. "However, unfortunately, the data is already out in the open. Once a company finds itself in the news like this, every hacker pays attention."

FBI Helping Australian Authorities Investigate Massive Optus Data Breach: Reports

Azure says cloud-native single sign-on with a passwordless option is most-requested new AVD feature in the product's history.

Microsoft Azure Virtual Desktop (AVD) users now have the option for single sign-on (SSO), as well as passwordless authentication, with the public preview of the latest Microsoft upgrade. 

"Today we're announcing the public preview for enabling an Azure AD-based single sign-on experience and support for passwordless authentication, using Windows Hello and security devices (like FIDO2 keys)," Microsoft's David Belanger explained in a blog post about the new feature's debut. 

According to the announcement of the public preview of the new cloud security feature, after users install the September Cumulative Update Preview, the features will be available on Windows 10 and 11, as well as Windows Server 2022. 

According to Belanger's post, the latest AVD upgrade will allow users to: 

*   Enable a single sign-on experience to Azure AD-joined and Hybrid Azure AD-joined session hosts when using the Windows and web clients
*   Use passwordless authentication to sign in to the host using Azure AD
*   Use passwordless authentication inside the session when using the Windows client
*   Use third-party Identity Providers (IdP) that integrate with Azure AD to sign in to the host

The Azure Academy tutorial for administrators explaining how to deploy the new updates said the new SSO option was the "most requested AVD feature of all time." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Rolls Out Passwordless Sign-on for Azure Virtual Desktop

There are numerous strategies to lessen the possibility and effects of a cyberattack, but doing so takes careful planning and targeted action.

Digital transformation is transforming every aspect of the way organizations compete and operate today. This radical change is reshaping the way that enterprises produce, store, and manipulate an ever-increasing amount of data — emphasizing the need to ensure data governance.

Computing environments are also more sophisticated than they used to be, frequently encompassing the public cloud, the enterprise data center, and a variety of edge devices — including remote servers and Internet of Things (IoT) sensors. This complexity increases the attack surface, making it more difficult to monitor and secure.

A lack of data protection, global pandemic effects, and an increase in attack complexity have allowed for a significant rise in compromised and hacked data that is increasingly common in the workplace. In fact, an external attacker may breach the network perimeter of an organization and access local network resources 93% of the time.

It's a good thing, however, that the sensitivity of distinct data sets and the accompanying regulatory compliance requirements are taken into account by adequate data security.

**Data Security Is More Important Than Ever**

During the pandemic, more customers also became remote customers as more workers became remote workers. As a result, keeping an online environment secure has increased in significance for companies.

When supply chain and labor concerns are already making business difficult, such interruptions can make things even more difficult. As a consequence, a cyberattack can harm a company's reputation with clients and business partners, result in lost revenue, and pose a risk of data loss.

In fact, according to the 2022 data breach report from IBM and the Ponemon Institute, the average cost of a data breach has increased to a record high of $4.4 million.

This highlights the importance of protecting confidential information, which must be a significant responsibility for businesses and organizations.

**Four Data Security Practices Your Organization Should Implement**

A recent study indicated that most businesses have weak cybersecurity procedures, leaving them open to data loss. Although data security isn't the be-all, end-all of cybersecurity defenses — like perimeter and file security, to mention a couple — it is still one of several essential techniques for assessing dangers and lowering the risk involved in managing and storing data.

Fortunately, practical methods and strategies have been created to prevent poor data security practices. Here are four of the best data security practices you should know about.

**1\. Implement Access Controls**

Access controls are crucial to data security because they regulate who has access to and uses business data and resources. Access control rules ensure users have the proper access to corporate data and are who they say they are through authentication and authorization.

They are essentially the selective limiting of data access. Authentication and authorization are two important parts of access control. There can be no data security without authentication and authorization.

Access control reduces the possibility of unapproved users entering logical and physical systems and jeopardizing security. It is an essential part of security compliance programs, as it ensures that access control policies and security technology are in place to protect sensitive data, such as customer information.

**2\. Utilize Endpoint Security Tools to Safeguard Your Data**

Endpoints on your network are continuously in danger. As a result, you must have a robust endpoint security infrastructure to reduce the likelihood of potential data breaches. Start by putting the following strategies into practice:

*   **Antivirus software:** Ensure it is set up on all workstations and servers. Run routine scans to keep your system healthy and detect any infestations, such as ransomware.
*   **Anti-spyware software:** Spyware is a type of harmful computer software frequently installed without the user's awareness. You can remove or block those with the aid of anti-spyware and anti-adware software.
*   **Firewalls:** These operate as a barrier between your data and fraudsters, which is why most experts consider them among the best data protection practices. Internal firewalls are another option for enhancing security.

**3\. Employ Data Encryption**

One of the most fundamental data security best practices is encryption, which is frequently disregarded despite its importance. Data encryption serves to protect digital data confidentiality while it is stored on computers and sent over the Internet or other networks. These algorithms ensure confidentiality and support key security initiatives such as authentication, integrity, non-repudiation, and authenticity.

**4\. Develop a Risk-Based Security Strategy**

Pay close attention to the minor things, such as the hazards your business may encounter and how they might damage employee and customer data. Here, a thorough risk assessment is necessary. The following are some actions that risk assessment enables you to take:

*   Determine the kind and location of your assets.
*   Determine the cybersecurity condition you are in.
*   Maintain an accurate security approach.

Using a risk-based approach, you can adhere to regulations and safeguard your company from potential leaks and breaches.

**Safeguard Your Organization's Data and Protect Your Business in the Future**

Although it frequently appears on the agenda of executive committee meetings, given the escalating concerns posed by the pandemic, strengthening data security must require additional attention. Businesses should be proactive in addressing the threats and develop strategies for preventing successful cyberattacks — rather than reacting when they are already happening. Despite the fact that recovery measures exist, prevention is always better than a cure.

This pandemic has shown us that minimizing the hazards associated with cyberattacks requires careful planning and stronger data security practices. The proper procedures, such as implementing access controls and data encryption, must be used in conjunction with the appropriate security software in order to avoid the magnitude of a data breach and the hidden costs that come with it.

There are numerous strategies to lessen the possibility and effects of a cyberattack, but doing so takes careful planning and targeted action. Businesses must improve the creation and implementation of security measures and make remote working methods resistant to cyberattacks. Start by following these data security practices so that you will be better equipped to handle the rising number of cyberthreats, and protect your company in the future.

Source

DARKReading