New partnership gives security analysts simplicity when sifting through data, thorough readouts of compliance options, and streamlined response to incidents.

**SANTA CLARA, Calif., Oct. 19, 2022** — Revelstoke has partnered with BreachRx to unify automated incident response and compliance capabilities with the Revelstoke next-generation enterprise Security Orchestration, Automation, and Response (SOAR) platform.

BreachRx has created the security industry’s first incident reporting and response automation solution. It is designed to help people find answers to security and regulatory compliance questions in real time and at the height of a crisis. Similarly, Revelstoke has developed a next-level-SOAR solution that allows Security Operations Centers (SOCs) to sift through incoming data and identify the most dangerous cyber threats. The two solutions together give organizations an off-the-shelf solution that holistically addresses problems like no other product currently on the market.

“In the past, security teams relied on trained people and manual processes, but given the scale of today’s threats and growing regulatory landscape, teams can't continue to throw people at the problem,” said Matt Hartley, Chief Product Officer and co-founder of BreachRx. “Our solutions together allow businesses to streamline and automate their response to threats, whether they’re criminals, nation-states, or whatever else could come their way, while ensuring the company meets all legal and contractual incident reporting requirements in tandem.”

Revelstoke’s Unified Data Layer (UDL) — the unique technology that allows different products to communicate seamlessly — will make it easier for analysts working in Security Operations Centers (SOC) to document incident findings. With the power of the UDL, incident response requirements can be managed faster and easier. Additionally, by using automation to help address security and compliance matters, the products can help users get solutions to legal, regulatory, communications, and marketing issues faster than ever before.

“Partnering with BreachRx allows us to help customers in a way we haven’t been able to do before,” said Bob Kruse, Revelstoke’s CEO and co-founder. “We know we make security easier for security analysts, but we also know that more security analysts are concerned about new rules and regulations than ever before. Compliance concerns are rising and there’s no one better at helping organizations sift through the complex maze of new laws like BreachRx. Our two companies approach these problems with a very similar mindset and range of concerns. This partnership makes sense for both the companies and, most importantly, the customers looking for better outcomes.”

**About BreachRx**

BreachRx is the leading automated incident reporting and response platform that security and technical leaders use to overcome one of their biggest challenges — reducing cybersecurity regulatory and incident compliance risks. Our SaaS platform’s automated workspace streamlines collaboration and frees internal bandwidth across the business while ensuring compliance with the most stringent global cybersecurity and privacy frameworks. BreachRx is the only automated approach that creates tailored, effective incident response plans and protects privilege in the market today.

Learn how to turn incident reporting and response into a routine business process today at breachrx.com.

**About Revelstoke**

Revelstoke is the only next-generation Security Orchestration, Automation and Response (SOAR) solution built on a Unified Data Layer that offers no-code automation and low-code customization. Revelstoke empowers CISOs and security analysts to automate analysis, eliminate software development needs, optimize workflows, prevent vendor lock, scale processes, and secure the enterprise.

For more information, contact: \[email protected\]

Revelstoke Teams Up With BreachRx, Offering Users Automated Incident Response and Compliance Solutions

Why — and how — companies should consider shifting day-to-day security responsibilities out to operations teams. The move would elevate the team's level of decision-making and help address the challenge of finding professionals with security-specific credentials.

Security leaders have been raising the alarm for years about the ongoing cybersecurity skills shortage. Even as cyberattacks become increasingly sophisticated, and frequent, corporate defense teams are having more trouble filling open positions. The problem can seem insurmountable, but it shouldn't be.

One solution that few companies have considered is extricating the security team from operations. Consider how much less daunting the skills gap problem would look if corporate security narrowed its focus to governance, oversight, supervision, and auditing, while pushing the implementation and management of security systems out to the operational teams that use them.

Such a change would be dramatic. The corporate security function would shrink substantially, both in staffing and in the number of specific tasks it's responsible for, but it would become more strategic — and more effective.

**Today's Less-Efficient Approach**

The typical security team today involves themselves in all manners of operational activities. For example, when the development group is creating a new application, security staff may get involved in design details, settings for underlying technologies, and determining which users can access development servers.

But the centralized security team may not immediately have the operational knowledge to make those decisions. They may have to dedicate significant time to understanding the business drivers behind the application, the structure, and expertise of individuals on the development team, etc.

The development team managers already have the requisite expertise in operational aspects of putting together their solution. The corporate security team has expertise in the controls needed to prevent specific attacks. Why not let each group specialize in their core competency?

**How It Would Work**

As I envision it, the security team could take responsibility for establishing, at an abstracted level, the controls needed to protect the application, both during development and after launch. But they could hand off responsibility to the development group for building those controls. The development team could decide which security software and configurations they need, set specific security policies, and determine user permissions. Then, the corporate security team could inspect the development environment — and the resulting application — to ensure that the requested controls were implemented and are performing as expected.

This approach would put detailed decision-making in the hands of the people closest to those decisions. The security team would need to know a little bit about the technologies the development group uses, but mostly they would just need to be controls experts who set expectations for the security outcomes the operations groups should achieve.

Consider access control. How should people get authenticated to enter the company's development environment? What credentials are sufficient to prove they are who they say they are? It makes sense for the corporate security group to own the high-level governance of access control, but they would need to learn a great deal about the development environment and development team to effectively answer these questions. Meanwhile, people on the development team already have this knowledge. Letting them make the decisions down in the weeds of their group's access control policies is only logical.

Development processes are one example. The security team I'm envisioning wouldn't be involved in building networks; they would provide control requirements to the networking team, then make sure those requirements were followed. In a cloud setting, the security team might set high-level expectations, then do inspection scanning, looking for anomalies. But that would be the extent of their involvement in cloud security decisions.

**What This Change Would Mean**

Obviously, my vision would require a total restructuring of IT. In some ways, it would move security activities more toward where they were a quarter century ago. Back when security was usually not a separate function, companies taught security best practices to operational subject-matter experts throughout the organization. Expertise was widely distributed, but security was only a small slice of anyone's job responsibilities.

Consolidating security activities into a centralized function has created experts who specialize in the subject. These highly qualified and hard-to-find professionals should focus on setting the overall direction of the company's security strategy, dictating the controls necessary to prevent certain types of attacks, and providing governance and oversight to ensure those controls are effective.

I would like to see the industry re-evaluate whether other, more operational responsibilities — routine firewall maintenance or configuration of SaaS apps, for example — are appropriate for the central security group. I think those tasks are better suited for the individuals who are connecting, architecting, designing, implementing, and configuring the company's systems. They have the expertise to make correct decisions about securing systems and processes with which they are intimately familiar.

An organizational structure that shifts security decisions out to operations groups may shrink some of the day-to-day responsibilities of the security team. However, it would also elevate the team's level of decision-making, free staff time for more strategic activities, and provide a tidy solution to the perpetual challenge of finding professionals with security-specific credentials.

A New Solution to the Cybersecurity Skills Gap: Building Security into Operational Teams

Cybersecurity company RCS Secure announces round of Series A funding and name change as it rebrands to Third Wave Innovations.

**FRISCO, Texas, Oct. 18, 2022 /PRNewswire/** — RCS Secure is thrilled to announce the completion of a Series A funding round. The funding round was led by Socii Capital, LLC., a venture investment firm focused on healthcare IT with investments in MedOne, ScriptCyle, and ProviderScience.

This round of funding will allow us to grow the customer base we serve and invest in new parts of our core products and services.

RCS Secure has always been committed to being a leading provider of Managed Security, Data, and IT Services. As we have looked to expand our offerings and align the company's strategic growth, it has been decided that a rebrand is appropriate. As of October 17th, 2022, RCS Secure will be known as **Third Wave Innovations**.

"I am both grateful and humbled with our success and accomplishments as an organization," says Randal Asay, CEO of Third Wave Innovations. "From the inception, the advancement of this company has been built on the partnerships and relationships developed over the past 30 years. It is with gratitude and appreciation that as we progress to further heights, that we are worthy of such an amazing and accomplished group of professionals, Socii Capital, to help guide and drive our pathway. The quote 'If you want to go fast, go alone, if you want to go far, go with others' describes our past, our present, and our growth in the future!"

"Properly securing your IT environment to protect your data and the data of your patients is paramount in today's healthcare environment. Health care providers throughout the country are struggling to fill critical gaps in IT security needs with limited internal resources." said George Lazenby, a co-Founder and Partner at Socii Capital. "We were introduced to Third Wave Innovations through one of our portfolio companies utilizing their services. We were immediately impressed with their capabilities, management team and future plans for growth. We are excited to introduce Third Wave to health care providers through our network and portfolio companies."

Since day one, RCS Secure has been driven to innovate and provide cutting-edge solutions within its competitive market. The goal has always been to leverage our family of employees, partners, and clients, using technology to create a more secure world, and the company is committed to accelerating its efforts. We're investing in additional people, processes, and technology to deliver a broader and more robust set of services to our clients. Our commitment to this will remain our highest priority.

We look forward to what the future holds for Third Wave Innovations and can't wait to catch this wave with you.

**About Third Wave Innovations**

Third Wave Innovations is a privately owned corporation offering a full spectrum of cybersecurity safeguards, managed IT services, and a comprehensive data platform that empowers organizations to experience their own data in new ways.

**About Socii Capital, LLC**

Socii is a private investment capital firm founded in Fort Worth in 2015 with investments in SAAS technology companies with a primary focus on solving healthcare provider issues. Based on our team's deep experiences in the healthcare IT sector: operational management, product knowledge, and industry relationships, coupled with our hands-on approach, we add significant value to our portfolio companies.

**Contact Info:  
**Third Wave Innovations  
5 Cowboys Way, Suite 300  
Frisco, TX 75034  
844-267-6100  
**\[email protected\]**

**SOURCE:** Third Wave Innovations

RCS Secure Catches Its Next Big Wave

The Winnti APT was spotted dropping several variants of Spyder Loader and other malware as part of the so-called Operation Cuckoobees.

The Winnti cyber-espionage group out of China was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong.

Researchers at Symantec's Threat Hunter Team recently observed malicious activity in which attackers remained active on some targeted networks for more than a year to steal critical data in what they believe is an extension of the group's previously identified Operation Cuckoobees, they said in a blog post published this week.

"While we did not see the ultimate payload in this campaign, based on the previous activity seen alongside the Spyder Loader malware it seems likely the ultimate goal of this activity was intelligence collection," researchers wrote.

Researchers at Cybereason first identified the Cuckoobees campaign in May as a massive cyber-espionage campaign against manufacturing and technology companies in North America and Asia that had been stealing immense stores of intellectual property and other sensitive data for years when it was discovered.

At that time, researchers estimated that Winnti — aka APT41, Wicked Panda, and Barium — so far had stolen hundreds of gigabytes of data, including trade secrets, blueprints, formulas, diagrams, and proprietary manufacturing documents, from more than 30 global organizations. They also harvested details about a target organization's network architecture, user accounts, credentials, customer data, and business units to leverage in future attacks.

The latest activity against Hong Kong organizations appears to be part of that broad campaign, which is likely to continue and ensnare more victims in its cyber-espionage web before it's over, researchers said. "The fact that this campaign has been ongoing for several years … indicates that the actors behind this activity are persistent and focused adversaries, with the ability to carry out stealthy operations on victim networks over a long period of time," they wrote.

**Unpacking a Trojan**

During the activity they observed Symantec researchers got a good look under the hood at Spyder Loader, which Winnti already had been spotted using as the initial payload in previous malicious activity.

Researchers at SonicWall were the first to discuss the malware publicly in March 2021, according to Symantec, which is part of Broadcom Software. At the time researchers identified the malware being used for targeted attacks on information storage systems to collect information about corrupted devices, execute mischievous payloads, coordinate script execution, and communicate with command and control systems, they said in their report.

The malware later was spotted being used in the Cuckoobees campaign and now again against Hong Kong organizations, with various variants being deployed this time around. All of them "displayed largely the same functionality" to load next-stage payloads and perform functions similar to those described by SonicWall, using obfuscation to hide malicious activity, the researchers said.

Winnti is believed to be working on behalf of, or with the support of, the Chinese government since at least 2010. Some security vendors have described Winnti as an umbrella group comprised of multiple threat actors operating under the control of China's state intelligence agencies.

In addition to Cuckoobees, Winnti also has been linked to attacks in 2010 on scores of US firms that included such heavy-hitters as Google and Yahoo. Its activity eventually led the US government to indict five members of the threat group, which in the end did little to stop its malicious activities.

**Technical Details**

Symantec researchers analyzed a sample of Spyder Loader compiled as a 64-bit PE DLL, a modified copy of sqlite3.dll with the addition of a malicious export, sqlite3\_prepare\_v4, which expects a string as its third argument, they said.

"Reportedly, whenever an export is executed by rundll32.exe, the third argument of the called export should contain part of the process command-line," researchers explained. "When this loader is executed, it extracts the file name from its third argument, and the referred file is expected to contain a sequence of records."

The malware executes a created wlbsctrl.dll file that likely acts as a next-stage loader that runs the content of a previously stored blob\_id 2 record — which it encrypts using the AES algorithm in Ciphertext Feedback (CFB) mode with segment\_size of 0x80 bits — from the created FileMapping, researchers explained. The encryption key is based on the name of an affected computer per GetComputerNameW() API, they said.

Spyder Loader also used other obfuscation techniques to prevent its activity from being analyzed, researchers said. In addition to AES encryption, the malware sample also used the ChaCha20 algorithm encryption to obfuscate one of the strings, as well as cleaned up created artifacts by overwriting the content of the dropped wlbsctrl.dll file before deleting it, for example, they said.

There are several similarities between the Spyder Loader activity seen in the Hong Kong campaign and its original functionality as described by Cybereason. They include: use of a modified version of sqlite3.dll; use of the third parameter of its malicious export that's consistent with the rundll32.exe command-line example seen in Cybereason’s research; and use of the CryptoPP C++ library.

In addition to Spyder Loader, credential-stealer Mimikatz and a Trojanized ZLib DLL were among the malware loaded onto victim machines, the researchers said.

The researchers included in their report a list of indicators of compromise for Spyder Loader in the post so enterprises can detect if their systems have been infected. They also encouraged organizations to stay up to date on the latest threats and malware in circulation that may require security updates by referring to Symantec's Protection Bulletins page.

China-Linked Cyber-Espionage Team Homes In on Hong Kong Government Orgs

The extension allows cloud security teams to protect their organization's infrastructure at the source and collaborate with developers.

**PARIS, Oct. 18, 2022** — GitGuardian, the enterprise-ready automated secrets detection and remediation platform, is expanding its capabilities to new security verticals. GitGuardian is now building a comprehensive platform to help development and security teams write, maintain, and run secure code anywhere.  

The everything-as-code movement GitGuardian is securing has taken multiple domains by storm and elevated code to the ranks of the most valuable asset an organization can own. Often overlooked in the inventories of organizations, security teams have just awakened to the need to secure, protect, and continuously monitor the software development lifecycle (SDLC) for risks like tampering, code leakage, hardcoded credentials, and more.  

GitGuardian's product suite already provides such capabilities, but the company is now looking to consolidate everything into one single platform:

*   Secrets detection and remediation; GitGuardian helps security and development teams reduce the risks of secrets exposure in the software development lifecycle.
*   Public GitHub monitoring; GitGuardian helps organizations secure their extended attack surface by monitoring GitHub for leaked secrets and sensitive data.
*   Source code leakage detection; GitGuardian continuously scans public GitHub to look for proprietary code leaked from private repositories.
*   SDLC intrusion detection; GitGuardian enables security teams to deploy canary tokens at scale in their DevOps environments and lure attackers into revealing themselves.  
    

This movement has also blurred the boundaries between Application Security and Cloud Security. With Infrastructure-as-Code (IaC), both the application and cloud infrastructure layers have collapsed onto one another in git-based Version Control Systems.  

While software-defined infrastructure has unlocked automated cloud resource deployment with more speed and consistency for engineering teams, it is still fraught with risks. Gartner expects that through 2023, at least 99% of cloud security failures will be the user's fault, mainly misconfigurations. Such errors propagate from code to cloud-native environments, exposing critical workloads and resources on the way.  

To help Cloud Security teams protect their organization's infrastructure at the source, GitGuardian is adding Infrastructure-as-Code scanning for security misconfigurations to its platform. And in the spirit of Shift Left security, the company is enabling this through its popular open-source command-line interface (CLI) for developers, ggshield.  

“With this initial release, developers and Site Reliability Engineers will be able to find and fix over 60 types of security misconfigurations in Terraform files — while they develop.” says Eric Fourrier, GitGuardian co-founder and CTO.  

GitGuardian’s initial focus in Infrastructure-as-Code security is Terraform and AWS. Still, it plans to enrich its Infrastructure-as-Code policies directory, support additional cloud services providers like Azure and Google Cloud Platform, and integrate scanning natively in developer workflows on GitHub, GitLab, or Bitbucket.  

In its ongoing efforts to build a code security platform for the DevOps generation, GitGuardian is also actively exploring opportunities in areas such as Static Application Security Testing (SAST) and Software Composition Analysis (SCA).

**About GitGuardian**

GitGuardian, founded in 2017 by Jérémy Thomas and Eric Fourrier, has rapidly emerged as the leader in automated secrets detection and is now focused on providing a comprehensive code security platform. The company has raised a $56M total investment from Eurazeo, Sapphire, Balderton, and notable tech entrepreneurs such as Scott Chacon, co-founder of GitHub, and Solomon Hykes, co-founder of Docker.  

GitGuardian Internal Monitoring helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across their VCS, DevOps tools, and infrastructure-as-code configurations.  

Widely adopted by developer communities, GitGuardian is used by over 200,000 developers and is the #1 app in the security category on the GitHub Marketplace. GitGuardian is also trusted by leading companies, including Instacart, Genesys, Orange, Iress, Beyond Identity, NOW: Pensions, and Stedi.  

GitGuardian Internal Monitoring is an automated secrets detection and remediation platform. By reducing the risks of secrets exposure across the SDLC, GitGuardian helps software-driven organizations strengthen their security posture and comply with frameworks and standards.

Its detection engine is trained against over a billion public GitHub commits yearly. It covers 350+ types of secrets, such as API keys, database connection strings, private keys, certificates, and more.  

GitGuardian brings security and development teams together with automated remediation playbooks and collaboration features to resolve incidents quickly and thoroughly. Organizations can achieve higher incident closing rates and shorter fix times by pulling developers closer to the remediation process. Please visit the official website to learn more about GitGuardian Internal Monitoring, the enterprise-ready automated secrets detection, and remediation platform.

GitGuardian Extends Code Security Platform, Adding Infrastructure-as-Code Scanning for Security Misconfigurations

Organizations without the time or talent to patch may find patching-as-a-service to be a way to improve security.

Patching is a critical method to isolate risks and to ensure workflows are not interrupted due to allowing software to fall out of supportable versions.

The security risk resulting from unpatched vulnerabilities is substantial — Verizon's 2022 Data Breach Investigations report found around 70% of successful cyberattacks exploited known vulnerabilities with available patches.

Too often, however, IT teams must choose which urgent items get their attention, which creates a scenario where the urgent tasks get in the way of important tasks. By outsourcing patch management, also known as patching-as-a-service, organizations can shift the burden of ensuring that the patch process completes consistently to a third party.

**Control, Transparency Must Be Maintained**

Outsourcing patching can save an organization time and money. It can also lead to improved security. The outsource model provides security leaders with a verifiable service level agreement (SLA) to guarantee that the investment protects the organization.

"There are some challenges that come with outsourcing patching," cautions Darryl MacLeod, vCISO at Lares Consulting, an information security firm. "For example, an organization may lose some control over patch management, and the patch management process may not be as transparent as it would be if patch management was done in-house."

He adds that patching-as-a-service is probably most effective for small and midsized organizations that do not have the resources to patch in-house, but it can also be beneficial for organizations with complex patch management needs.

Data management and analytics company Aunalytics recently added a co-managed patching-as-a-service platform to its security solution suite. The company's vice president, Steven Burdick, points out the security challenges for every organization are evolving every day.

"Bad actors are knocking on any door they can find hopeful that you have not patched a workstation or key third-party application such as Acrobat Reader," he says. "Yet, despite your efforts to secure your environment by battening down the hatches, new, not yet discovered exploits continue to show up."

He argues that outsourcing security patching and antivirus/malware protection platforms allow organizations to invest the time of their team members in the areas where the business can get the best value.

"Assigning an FTE or part of an FTE to someone to manage patching and security platforms requires additional investments in time, travel, and training that do little more than prepare your IT staff for their next role in another company," he says.

**Paying a Third Party to Take Responsibility**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, explains that outsourcing patching to a patching-as-a-service vendor is a subset of outsourcing IT operations, in that an organization is shifting responsibility to a third party.

"There are a lot of reasons organizations outsource these tasks, though cost savings and not having to manage an internal IT department are two common reasons," he says.

Like MacLeod, he points out there are also challenges. For one, the organization has to rely on the efficiency and integrity of the vendor to take on mission-critical issues without the oversight that comes with in-house assets.

Parkin says a successful program will require accurate and robust asset management tools, so the vendor knows what's live in the client's environment.

"They'll need an included, or compatible, patch management function," he adds. "Ideally, they will have inputs from vulnerability scanners and a risk management platform to help them prioritize the most important patches."

**Patching Services Rely on Automation**

MacLeod predicts that as patch management becomes more complex, patching-as-a-service providers will likely offer more comprehensive solutions that include patch management software, patch repositories, patch deployment tools, and other services.

Patch management software automates the patching process; a patch repository stores and manages patches; and patch deployment tools are used to deploy patches to systems.

"Service providers will likely continue to expand their customer base by offering patching services to more types of organizations," he adds.

He points out that the patching-as-a-service market has been growing in recent years as more organizations outsource patch management.

"This growth is expected to continue as patching becomes an increasingly complex and time-consuming task," MacLeod says.

**Outsourcing Makes up for Scarce Human Resources**

Burdick says Aunalytics is seeing a lot of interest in the healthcare industry, professional services firms, and government, where IT talent is hard to attract and retain.

He adds that manufacturers are often early adopters of this type of solution because they recognize that they must constantly evolve to compete.

Paying for these services in an "as-a-service" model precludes organizations from having to pay for the training and travel costs of IT security team members, Burdick says, as well as the cost to replace and retrain staff when the company's internal resource leave.

"Businesses today do not struggle buying technology; it's the people to use the technology and to keep it running efficiently who are very hard to source in this economy," Burdick says.

Patching-as-a-Service Offers Benefits, Challenges

Identity verification and identity authentication are neither synonymous nor interchangeable, and implementing both is essential to fighting fraud.

**Question: What is the difference between identity verification and authentication?**

**Shai Cohen, senior vice president of global fraud solutions, TransUnion:** As more services shift to a virtual format, consumers and organizations are threatened by more efficient and evolved forms of fraud. To confirm that a customer is who they say they are requires both identity verification and identity authentication.

These two terms are not synonymous or interchangeable, and the organizations that don't know the difference make themselves vulnerable to increased fraud losses. Treating a verified identity ("this identity exists") as authenticated or proofed ("this user is who they claim to be") makes an organization vulnerable to account takeover fraud and synthetic identities.

**Securing Account Creation and Use**

The combination of a name, address, phone number, and email on an online form can provide enough information for a company to verify a consumer's identity and establish a layer of trust when an account is first created. This information can be checked against multiple data sources, such as utilities or telephone carriers, to ensure the name matches the other qualifying data.

It's critical to note, however, that verifying that the identity exists does not prove it belongs to the person entering that information. Criminals can use illicitly obtained identifying information to apply for new accounts or benefits in victims' names. Some create synthetic identities where credentials have been fabricated and are not associated with a real person but can fool verification processes.

This type of identity theft has prompted a shift toward proofing or authentication practices. These approaches require significantly more rigor than simply verifying that an identity exists. Organizations work to confirm that the identifiers supplied to create a new account belong to the person entering the information — i.e., that the applicant is who they say they are. Some identity-proofing systems may request a selfie and government photo ID for a facial recognition match from new customers.

Authentication, on the other hand, is an ongoing identity-proofing process that both checks the identity of digital users and ensures the integrity of the devices they use. Two-factor authentication and one-time passcodes are both commonly used authentication methods that help grant account access to the right person in real time.

Note that security measures have to balance consumer needs. A 2021 study from the CMO Council reported that authentication frustration caused 61% of consumers to abandon a transaction, and TransUnion's 2022 "Global Digital Fraud Trends Report" showed that approximately two-thirds of consumers would switch companies for a better digital experience. Organizations should incorporate both identity verification and authentication processes so that they can ensure safe interactions and create a trusted virtual channel that keeps consumers coming back.

What Is the Difference Between Identity Verification and Authentication?

Younger workers surveyed are less likely to follow established business cybersecurity protocols than their Gen X and baby boomer counterparts, a new survey finds.

A new survey shows Generation Z and millennials, younger workers who have grown up as digital natives, are surprisingly more careless about their employer's cybersecurity than their senior Gen X and baby boomer colleagues. 

According to Ernst & Young LLP's 2022 Human Risk in Cybersecurity survey, although 83% of workers in the US report they understand their company's cybersecurity policies, younger Gen Z and millennial workers are less likely to comply with them. 

For instance, 48% of Gen Z and 39% of millennial employees confessed to being more cautious with their own devices compared to their work-issued devices; they also admitted to widely disregarding IT updates; reusing passwords for personal and professional accounts; and accepting browser cookies in far greater numbers than Gen X or baby boomer workers. 

"This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual," Tapan Shah, EY Americas' consulting cybersecurity leader, said in a statement. "There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages, and rewards everyone in the enterprise."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Gen Z, Millennial Workers Are Bigger Cybersecurity Risks Than Older Employees

Head of German national cybersecurity agency was fired over ties to a member of Russian intelligence once honored by Vladimir Putin.

The chief of Germany's national cybersecurity agency, Arne Schönbohm, has lost his job as a result of allegations about his ties to a cybersecurity firm called Protelion (formerly Infotecs), which was founded by a reported member of Russian intelligence.

Interior Minister Nancy Faeser formally dismissed Schönbohm on Tuesday, according to Deutsche Welle (DW).

"The background to this is not least the allegations, which are well known and widely discussed in the media, and which have permanently damaged the necessary public confidence in the neutrality and impartiality of the conduct of his office as president of Germany's most important cybersecurity authority," the spokesperson told DW.

Schönbohm has held the post since February 2016 but faced mounting scrutiny following the Russian invasion of Ukraine, the report explained. A public-private advisory group Schönbohm founded 10 years ago called the Cyber Security Council of Germany included Protelion, which was run by someone whose ties to the Kremlin were so close they were reportedly honored by Vladimir Putin. Protelion has since been removed from the Council.

Although the Council declares itself politically neutral, according to DW, Minister Faeser began to question Schönbohm's affiliation with the group after he attended the organization's anniversary party last month.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

German Cybersecurity Boss Sacked Over Kremlin Connection

Manage the company's often-overlooked security certificates as the valuable assets they are, essential for security hygiene and to prevent issues.

Any activity conducted on the Internet must ultimately rely upon security certificates. These Secure Sockets Layer (SSL) certificates are what businesses and organizations trust and rely on when it comes to ensuring that any sort of transaction is kept secure and encrypted. Digital certificates and SSL are everywhere.

Due to their ubiquity, certificates are increasingly targeted by bad actors, who have become more creative in looking for a route into networks or to access applications. Just this year, code-signing certificates stolen from multinational technology company Nvidia were used to certify malware as genuine software tools, allowing bad actors to bypass security controls and attempt attacks.

**Why You Should Pay Attention to Certificates**

Alongside increasing attacks, there's also the matter of operational management. An expired certificate can lead to your website and services failing, interrupting staff, and stopping customers from making purchases. In May 2022, Spotify's service was down due to a lapsed certificate owned by a company it acquired, ultimately stopping millions of users from listening for several hours. In another example, Let's Encrypt saw one of its root certificates expire in September 2021, which led to downtime for a range of Internet services and websites, including Shopify and Netlify, which support thousands of companies doing business online.

Tracking SSL certificates is seen as a nuisance or low priority for IT teams, but any missed or overlooked certificate can lead to potential headaches around service availability. While it's easy to take these certificates for granted, they should be treated as valuable assets.

Looking at over 3 million certificates in our service inventory, we found that more than 7% of the certificates deployed have already expired and nearly 21% would expire in the next 90 days. Similarly, approximately 9% of websites have inadequate security based on the grade of the current certificate, according to their SSL Labs ratings. For these expired certificates, 48% were still using TLS1.2, 43% were using TLS1.1, and those using RC4 accounted for 12%.

If your organization provides a service online, then it is only as available as your SSL certificate. If you provide technology that is embedded in other companies' products — such as a cloud platform — then it can affect all the clients that rely on you, scaling up the problem. Keeping certificates current and secure should be a priority.

**Why Do Issues Around Certificates Exist?**

There are four main reasons why a security certificate might have inadequate security.

*   The first is the use of self-signed certificates, when someone chooses to use their own security certificate as a token to prove that their service is valid and can be trusted. This is the equivalent of marking your own homework at school — while you might trust yourself, this may not be enough for others that will rely on that certificate over time. There's also no external proof that your self-signed certificate was generated by you, rather than someone else.

*   Next is the problem that comes with using certificates created by an untrusted certificate authority. Certificate authorities _have_ to be trusted for what they certify to be widely used. This level of trust can be revoked if that company starts exhibiting poor business practices, or if their IT systems are compromised.

*   There can also be issues when certificates rely on older protocols for encryption, such as SSL v3 or TLS1.0/TLS1.1. As with many things, these standards were appropriate for the times when they were created, but they're now unsafe to use given the increases in computing power available. Attacks on sites can attempt to downgrade the encryption standard from modern versions to older protocols that are easier to break, or take advantage of flaws in how they're implemented to access data.

*   The last problem is the ability to understand what certificates you have, and what their status is. If you aren't aware that a certificate exists, then you can end up with an application that fails to work. This can lead to further problems for the application, and for any service that depends on it.

**Preventing Problems Is Better**

To prevent these kinds of problems, certificates must be treated as valuable assets rather than afterthoughts. Where to start?

Build an inventory of certificates with status information. With a multitude of certificates involved for most enterprises, automating this process will ensure that it is more efficient and easier to manage at scale.

Maintaining this list of certificates should help you spot gaps, such as self-signed certificates or ones that are close to their expiration date. By preventing issues before they lead to downtime, you can improve the overall approach to security and what the rest of the business sees.

For external-facing websites that use certificates, free tools like SSL Labs can easily demonstrate how well any site is set up, from a security perspective. This will include recommendations on what to do to improve security and remove problems. For developers building sites, this should be a standard part of their process.

Similarly, any developer working on internal applications should know how they use certificates in their applications internally, and they should be tracked, too. For other teams that might have to support certificates, from IT operations through to IT security teams, this insight into what certificates exist should be very useful as well. If developers aren't tasked with this, then carrying out discovery and inventory will be necessary to track certificates just like any other IT asset across the business.

Security certificates are necessary to make applications work, and to ensure that those services can be trusted. Managing them well and treating them as valuable assets is essential for security hygiene and to prevent issues. Even the littlest things can make a difference to security and delivering services.

Source

DARKReading