The Colonial Pipeline attack highlighted the risks of convergence. Unified security provides a safer way to proceed.

This month marks the first anniversary of the Colonial Pipeline shutdown — a hugely impactful ransomware attack against critical US infrastructure that has had significant diplomatic and legislative consequences. Among the numerous talking points the attack raised was the issue of IT/OT convergence.

The attack, orchestrated by ransomware group DarkSide, targeted the pipeline's IT billing systems rather than its operation technology (OT), but Colonial was still forced to shut down physical operations for several days. Despite its oil-pumping systems retaining functionality, Colonial believed the risk of continuing operations with an IT compromise was too great. This was largely due to the proximity of its IT and OT systems: Had the attackers moved laterally to the company's operational networks, they could have imposed a longer and more costly shutdown, potentially tampering with safety mechanisms and damaging equipment — even endangering the pipeline's employees.

The risk of IT attacks spilling over into OT has grown as the organizations operating these systems look to gain an edge over their competitors. IT/OT convergence makes industrial control systems (ICS) cheaper, easier to manage, and more rapidly available to different administrators. At the same time, as the Colonial Pipeline instance showed us, it presents new risks and avenues for cyber disruption.

This is partly because most OT security tools today look at industrial systems in isolation — as a disconnected silo, separate to the rest of the business. The same is true of network security, email systems, and the cloud. And when many of these tools were being developed, there was nothing wrong with this approach. But as these digital environments converge, relying on disjointed point solutions to stop cyberattacks isn't effective, especially because a single attack can now target and traverse multiple fields of operation.

By unifying their security stack, defenders can use IT/OT convergence to their advantage and turn vulnerability into strength.

This requires a move away from tools trained on historical attacks and toward self-learning technology that can learn its digital surroundings from scratch, without any prior assumptions. By understanding the unique behavior of every IT and OT device — no matter how bespoke or complex the technology — this approach enables the detection of novel threats. By definition, a cyberattack causes a machine or user account to behave in a way it normally does not, and these deviations can be picked up, no matter where they appear.

**How Ransomware Groups Exploit IT/OT Convergence**

The risk of connecting cloud platforms to ICS was demonstrated in an attack against a European OT R&D investment firm last year.

Two of the firm's Industrial Internet of Things (IIoT) devices, which ran Windows OS and made regular connections to an industrial cloud platform, were compromised when they used the server message block (SMB) protocol to connect to an infected domain controller and read a malicious executable file. Security teams are often stymied by IIoT devices, which can lack CPUs, traditional operating systems, or sufficient disk space for putting security measures in place.

A malicious payload lay dormant for almost a month within the two IIoT devices, one of which was a human-machine interface (HMI) and the other an ICS historian. Darktrace's investigation showed that, while network segregation was sufficient to stop the attack's command-and-control (C2) communications on the HMI device, connections from the ICS historian reached around 40 unique external endpoints.

Both devices then wrote suspicious shell scripts to network servers and, finally, used SMB to encrypt files stored in network shares. A ransomware note was written by the ICS to targeted devices, and the attack was complete. This kind of attack life cycle, which demonstrates the limitations of network segregation and air-gapping, has been the basis for widespread concerns around IT/OT convergence.

No signatures or threat intelligence were associated with this attack, and so it flew under the radar of the company's traditional security tools. Only through self-learning technology from Darktrace was the security team able to gain full visibility into the attack.

**Riding the Changing Tides**

Reference architectures that rely on air-gapping ICS from IT are increasingly incompatible with the technological advancements many organizations are making in order to remain competitive. If attackers no longer view IT and OT as distinct, partitioned regions, neither should security teams.

It is possible for businesses to safely embrace interconnectivity, with all of its advantages, by adopting security that learns the business from the ground up to address sophisticated threats across both their IT and OT environments.

Unified security efforts reflect the reality of converging systems and ensure that no gaps are left for attackers to exploit. When the entire digital environment can be viewed through a single pane of glass and no single, exploitable system is left without protection, organizations will be able to interconnect systems without taking on undue risk.

Taking the Danger Out of IT/OT Convergence

Microsoft Dev Box will make it easier for developers and hybrid teams to get up and running with workstations already preconfigured with required applications and tools.

Microsoft's cloud-based developer workstation comes preconfigured with all of the required applications so that developers and hybrid teams have access to everything they need directly through the Web browser.

Microsoft Dev Box is a virtual machine that provides developers with a "ready-to-code" workstation, Microsoft said this week during Build 2022, its annual developer conference. Teams can configure images, assign or remove team members, and start coding on a new project without first dealing with a complex and time-consuming set-up process.

Application testing becomes easier, since each Dev Box can be set up to re-create a specific customer environment. Developers who have to support multiple versions of the same software can have multiple Dev Boxes and switch back and forth between different environments. There is no need to worry about software conflicts and dependency issues, the company says.

Dev Box is based on the same cloud foundations as Windows 365, which offers users Windows machines in the cloud. As a result, Dev Box has similar security benefits as Windows 365 Cloud PC, such as the fact that workstations will automatically be fixed up with the latest security updates and administrators can apply Azure’s access control and authentication policies to control how developers access Dev Box. IT administrators can manage Dev Boxes and Cloud PCs together in Microsoft Intune and Microsoft Endpoint Manager, wrote Kathleen Mitford, corporate vice president of Azure Marketing, on the Azure blog.

Dev Box can wind up making it easier to securely manage remote development teams. Since the developer is going through the Web browser to access the workstation, security teams don’t have to worry about the security of the physical device the developer is using or whether source code and other corporate intellectual property are being downloaded onto a personal device.

While Microsoft did not announce an exact release data for Dev Box, there is a waiting list for private preview.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Unveils Dev Box, a Workstation-as-a-Service

Massive merger will put Broadcom's Symantec and VMware's Carbon Black under one roof.

Semiconductor vendor Broadcom plans to buy cloud computing firm VMware for a whopping $61 billion in cash and stock.

Broadcom described the acquisition as part of its move to create a global infrastructure technology company. The company also announced that its Broadcom Software Group will be rebranded as VMware.

"VMware has long been recognized for its enterprise software leadership, and through this transaction we will provide customers worldwide with the next generation of infrastructure software. VMware's platform and Broadcom's infrastructure software solutions address different but important enterprise needs, and the combined company will be able to serve them more effectively and securely," said Tom Krause, president of Broadcom Software Group, in a statement. "We have deep respect for VMware's customer focus and innovation track record, and look forward to bringing together our two organizations."

Security-wise, the deal will bring Broadcom's Symantec security division and VMware's Carbon Black unit under one roof. Broadcom acquired Symantec in for $10.7 billion in August 2019, and VMware bought cloud-native endpoint security firm Carbon Black for $2.1 billion in October 2019. 

The deal is expected to close in Broadcom's fiscal year 2023, pending regulatory and VMware shareholder approvals.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Broadcom Snaps Up VMware in $61B Deal

The cloud-security company blames "seismic" market shifts for shakeup.

Lacework co-CEOs David "Hat" Hatfield and Jay Parikh have announced that the cloud security company will restructure and lay off an undisclosed number of employees.

The move comes less than a year after Parikh, a former Facebook VP, joined the Lacework board of directors and was brought on as a co-CEO to manage the company's product, engineering, and infrastructure.

The CEOs said in an announcement of the Lacework layoffs that the move was prompted by a "seismic shift ... in both public and private markets" that has occurred "over the past several weeks and months." It's not clear to which specific incidents the statement is referring.

"Lacework, as we know, is the disruptive leader in cloud security, a growing market that is still in the early innings," the statement said. "Our opportunity ahead remains unchanged, but to preserve and strengthen our leadership position in this market for the long term, we must make these changes."

The execs added that despite the headcount reduction, Lacework will continue to expand its technology teams.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lacework Announces Layoffs, Restructuring

Nearly half of the world's largest websites use externally generated JavaScript that makes them ripe targets for cyberattackers interested in stealing data, skimming credit cards, and executing other malicious actions.

Many organizations may be significantly more vulnerable to risks from third-party JavaScript in their websites than they think.

New analysis from Source Defense finds there to be a high prevalence of third-party (and even fourth-party) scripts on most websites — which is concerning because of the relative ease with which they could be used to sneak in malicious code. 

Typically, when a webpage calls a third-party script, it is loaded directly into a browser from an external server belonging to the third party. This means the script bypasses controls such as perimeter and Web application firewalls and network monitoring tools, according to the security vendor. The process gives threat actors a way to introduce malicious code into the environment via third-party scripts. The problem is exacerbated by the fact that developers of third-party scripts often include code from other developers that in many cases have sourced code from another developer, Source Defense said.

Yet most organizations use third-party scripts for integrating shopping carts, dynamic forms, processing orders and payments, presenting social media buttons, visitor tracking, and a variety of other functions. The scripts are readily available — often for free — from numerous sources, including open source organizations, social media companies, cloud providers, advertising networks, and content delivery networks, the Source Defense report says.

In an analysis of 4,300 of the world's largest websites, the firm found that each site had 15 externally generated scripts on average — with an average of 12 of them on sensitive pages, such as those for collecting user information or for processing orders and payments. Nearly half (49%) of the websites in Source Defense's study had external code with functionality for retrieving form input and monitoring users' button clicks. More than 20% had external code that could modify forms. Most sites had multiple scripts on every single webpage.

Source Defense found that websites belonging to organizations in some sectors had a substantially higher than average number of third-party scripts than others. Financial services websites, for instance, had an average of 19 scripts on sensitive pages, or 60% more than the average across all sectors. Healthcare organizations had 15 of them on average.

**A Tempting Attack Vector for Adversaries**

"Adversaries remain hyper-focused on data theft from websites that conduct transactions or capture sensitive data," says Hadar Blutrich, CTO and co-founder of Source Defense.

In recent years, there have been numerous incidents where attackers have manipulated or used third-party scripts to steal user and payment card data, to redirect users to malicious sites, log keystrokes, and carry out a variety of other malicious activity. One well-known example is Magecart, a hacker collective that over the years has pilfered data on hundreds of millions of payment cards by sneaking card-skimming software into third-party scripts on retail websites. 

Such attacks can have big consequences for businesses. For example, in one incident in 2018, Magecart hackers sneaked a few lines of code into a British Airways website page that ended up exposing personal data belonging to some 380,000 customers. The airline was later hit was a massive fine of more than $200 million over the incident.  

"The attack vector remains broad and open for even the world's largest sites, and the risk of significant material loss is quite real," Blutrich says.

To compromise third-party scripts, threat actors sometimes infiltrate public code repositories, he notes. In other instances, they identify organizations that have large networks of clients and compromise scripts from those organizations to perpetrate one-to-many attacks, he says. As one example, Blutrich points to an attack earlier this year in which over 100 sites related to real estate were compromised after an attack planted malware in a cloud-video component on a site belonging to Sotheby's real-estate arm.

**How to Combat External Script Risk**

The maturity of enterprise processes for mitigating risk from third- and fourth-party scripts tends to vary, Blutrich notes. In some instances, there's no oversight: Digital and marketing teams act on their own to implement new website functionality and engage with third parties, without involving the enterprise security team. 

However, "in more mature cases, we've heard of 'script councils' being in place where digital must work with security/compliance to vet and approve any supply chain partners," he says.

Regardless of the internal processes for approval, more must be done for managing and securing the script, Blutrich says. "Once on the site, even if approved, benign changes from the partners themselves may jeopardize compliance and, obviously, malicious changes from threat actors can lead to major data theft and fraud concerns."

Third-Party Scripts on Websites Present a 'Broad & Open' Attack Vector

Twitter is charged with using emails and phone numbers ostensibly collected for account security to sell targeted ads.

The Federal Trade Commission (FTC) has issued a $150 million fine against Twitter for misrepresenting its security and privacy practices.

The FTC, in cooperation with the Department of Justice (DoJ), says that Twitter has been using the email addresses and phone numbers it collects from users to enable two-factor authentication to serve targeted advertising.   

In addition to the fine for the violation, Twitter has been given a list of do's and don'ts: It's prohibited from making a profit on data collected under the guise of security; it must allow users to use mobile authentication apps and security keys for multifactor authentication, which don't require a user to provide their phone number; it must notify users if their data has been misused; it must implement a comprehensive information security policy; it must limit employee access to personal user data; and it must notify the FTC of any company breaches. 

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said FTC Chair Lina M. Khan in a statement about the Twitter security data misuse ruling. "This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Twitter Fined $150M for Security Data Misuse

The new draft guidance on premarket submissions incorporates quality system regulations and doubles down on a life-cycle approach to product security.

It's hard to believe, but medical device manufacturers who are subject to Food and Drug Administration premarket approval — the FDA process of review to evaluate the safety and effectiveness of Class III medical devices — are still operating under the FDA's original medical device cybersecurity guidance from 2014 and a subsequent update in 2018. But that is about to change in a major way.

Instead of finalizing the 2018 premarket cybersecurity draft guidance, the FDA has decided to issue a new 2022 version to reflect the rapid evolution of cybersecurity, incorporating a new set of quality system regulations (QSRs) with significant changes to its 2018 predecessor.

**New FDA Draft Guidance  
**The new draft guidance, titled "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions," deals with myriad design, labeling, and documentation issues that will have to be addressed by medical device manufacturers before their new devices can gain FDA premarket approval.

The FDA's original guidance on cybersecurity was just nine pages while the 2022 version swells to 50 pages, reflecting advancements in the cybersecurity ecosystem and best practices. It appears that, when approving connected medical devices for market, the FDA will be taking a long look at how cybersecurity is implemented, especially regarding levels of risk to patient safety.

**Updated Regulations: Why Now?  
**Requiring greater cybersecurity measures to protect medical devices and their operational and patient data is vital since the healthcare industry has become a massive target of cyberattacks. Data breaches hit an all-time high in 2021, exposing a record volume of protected health information. Besides pilfering data, a growing number of breaches attempt to disrupt the smooth operation of medical devices like computed tomography and magnetic resonance imaging machines, potentially causing incorrect diagnoses, unnecessary medical procedures, or direct harm to patients.

The American Hospital Association's senior adviser for cybersecurity and risk has stated that medical devices used in hospital rooms suffer from an average of 6.2 vulnerabilities. As devices become more complex and interconnected, opportunities for cyberattackers to exploit vulnerabilities are becoming greater, hence the need for updated regulations.

**Incorporating Cybersecurity into Quality System Regulations to Boost Safety  
**With the new guidance, the FDA seeks to ensure that the next generation of medical devices will be far safer and secure throughout the entire device life cycle, from premarket and throughout the entire useful life, beginning from the earliest stages of design (shift-left) to post-production (shift-right).

With the proposed guidance, the FDA is doubling down on its efforts to incorporate cybersecurity into quality regulations to address the complexity of modern devices and today's evolving threat landscape.

**From CBOM to SBOM: What's the Difference?  
**Surprisingly, one of the major changes that the new guidance brings is a leniency in the requirement for manufacturers to provide a complete software bill of materials (SBOM) instead of a more tedious cybersecurity bill of materials (CBOM), as was required in the 2018 draft. Medical device manufacturers were balking at the 2018 guidelines because of this stringency.

An SBOM is more in line with cybersecurity standards across most industries and aligns with the Biden administration's recently issued Executive Order 14028, "Improving the Nation's Cybersecurity." It contains all of the required software packages (commercial and open source) and their versions.

The much more complicated CBOM, according to the 2018 guidance, demands "a list of commercial, open source, and off-the-shelf software and hardware components to enable device users (including patients, care providers, and healthcare delivery organizations) to effectively manage their assets, understand the potential impact of identified vulnerabilities to the device — and the connected system — and to deploy countermeasures to maintain the device's essential performance."

**A Secure Product Development Framework for Every Device  
**The latest guidance asks medical device manufacturers to consider using a secure product development framework (SPDF) to achieve the goals of the QSR: "An SPDF encompasses all aspects of a product's lifecycle, including development, release, support, and decommission."

Besides compliance with the draft guidance, the call for using an SPDF can add significant value to medical devices. As the draft guideline states: "Using SPDF processes during device design may prevent the need to re-engineer the device when connectivity-based features are added after marketing and distribution, or when vulnerabilities resulting in uncontrolled risks are discovered."

**Is the New FDA Draft Guidance Binding?  
**Until July 7, the FDA is inviting medical device manufacturers and the public to comment on the new draft, which is expected to be finalized later this year when it will become the new FDA cybersecurity guidance for medical devices. While FDA guidance is nonbinding, the approved version will provide a road map for how medical device manufacturers should address cybersecurity in their products to ensure compliance and patient safety.

The FDA is not the only federal agency looking to strengthen cybersecurity regs. Legislation called the Protecting and Transforming Cyber Health Care (PATCH) Act was recently introduced in the US Congress. The act, the EO, and other proposed bills contain provisions that will strengthen the FDA's ability to require medical device manufacturers to meet certain cybersecurity objectives.

In order to future-proof for impending legislation, medical device manufacturers should start investigating solutions that can generate detailed SBOMs and continuously detect vulnerabilities and mitigate risks in order to stay compliant with the FDA's 2022 guidance and beyond.

The FDA's New Cybersecurity Guidance for Medical Devices Reminds Us That Safety & Security Go Hand in Hand

Global ransomware incidents target everything from enterprise servers to grounding an airline, with one India-based group even taking a Robin Hood approach to extortion with the "GoodWill" strain.

Ransomware incidents are on the rise and this week proved no exception, with the discovery of a Linux-based ransomware family called Cheerscrypt targeting VMware ESXi servers and an attack on SpiceJet, India’s second largest airline.  

Meanwhile, an oddball "GoodWill" variant purports to help the needy.

The Cheerscrypt ransomware variant was uncovered by Trend Micro and relies on the double-extortion scheme to coerce victims to pay the ransom – i.e., stealing data as well and threatening to leak it if victims don’t pay up.

Because of the popularity of ESXi servers for creating and running multiple virtual machines (VMs) in enterprise settings, the Cheerscrypt ransomware could be appealing to malicious actors looking to rapidly distribute ransomware across many devices.

Meanwhile, low-cost carrier SpiceJet faced a ransomware attack this week, causing flight delays of between two and five hours as well as rendering unavailable online booking systems and customer service portals.

While the company’s IT team announced on Twitter that it had successfully prevented the attempted attack before it was able to fully breach all internal systems and take them over, customers and employees are still experiencing the ramifications.

**GoodWill: The Altruistic Ransomware  
**Then there's this: Researchers with CloudSEK announced this week they had discovered a Robin Hood-esque ransomware group called GoodWill, which demands that its victims perform three acts of charity in exchange for a decryption key.

GoodWill was discovered in March and uses a ransomware worm that encrypts documents and databases — among other important files — and renders them inaccessible without the decryption key.

The charitable actions that are accepted include taking poor children to fast-food restaurants, donating clothes to the homeless, and providing financial assistance to those in need of medical care. These actions must be backed up by photos posted to social media, the gang demands.

**Businesses Struggle to Keep Pace With Evolving Attacks  
**This week’s spate of ransomware attacks indicated no clear pattern but are rather more akin to the efforts of a marketing and sales department, says Stan Black, CISO at Delinea, a provider of privileged access-management solutions.

“Think about it: They harvest your information, alter their method delivery, they keep coming back until you bite, and when they get you on the hook, they demand a ransom,” he tells Dark Reading. “They are unregulated, don’t answer to legal, a board, or auditors, and don’t care whose business or lives they ruin.”

Black points out that there needs to be a recognition that malicious actors know more about IT operations than organizations think they do.

“For 24 hours a day, they are crawling every facet of our digital footprint and exhaust trail,” he says. “Through automation, they distill our telemetry and create the perfect go-to-market strategy: a cyberattack. These days, ransomware is targeting our identity and access-control security technology — the very tech we thought would protect us.”

Matthew Warner, CTO and co-founder at Blumira, a provider of automated threat detection and response technology, says it’s extremely important that organizations focus on detecting the first three steps of a ransomware attack: discovery, gaining a foothold, and escalating privileges.

"Detection, in addition to being aware as to what data you hold, will allow you to quickly respond to attacks and worst case be sure of post-exploitation handling of a ransomware event," he tells Dark Reading.

He adds that going forward, it also becomes clearer that time to respond and patch has been reduced, down to hours at the most.

“Evaluating your exposed attack surface should be the first item on your list, to ensure that your infrastructure is protected,” Warner says.

**DBIR Report Finds Ransomware Attacks Ballooning  
**Verizon also published its 15th annual "Data Breach Investigations Report" (DBIR), this week, which highlighted the emergence of ransomware-as-a-service (RaaS) as one of the factors behind the ballooning number of ransomware incidents.

The report, which analyzed 23,896 security incidents — of which 5,212 were confirmed breaches — found email phishing and desktop-sharing software were the most common ransomware attack points.

Overall, ransomware accounts for 25% of the total breaches, and was present in 70% of the malware breaches this year.

From Warner’s perspective, ransomware techniques have not necessarily evolved but, rather, have expanded over the last five years. For instance, previously, only certain groups would have the capability to perform advanced attacks that leverage zero-days within days of release. Now, it's no longer required to find your own.

“Now we see ransomware operators either buying or identifying their zero-days and leveraging zero-days as soon as possible within their campaigns,” he notes.

Warner also points out that ransomware operators are leveraging tooling improvements such as Cobalt Strike, enabling their evolution into a virtuous cycle: More funds allow for better tooling, processes, and execution across the environment, which leads to more funds.

That also paves the way for the gangs to expand their teams, as well.

“The ability to perform passive phishing attacks while also actively attacking vulnerable infrastructure with a team of paid hackers creates a unique and powerful environment for ransomware operators,” he explains.

VMware, Airline Targeted as Ransomware Chaos Reigns

Credential-stuffing attacks against online accounts are still popular, and they work thanks to continuing password reuse.

It has been a week of data breach news, with General Motors, Chicago Public Schools, and wedding-planner startup Zola all reeling from the exposure of customers' personal information. In the latter's case, customers were also riffed for stored funds and suffered fraudulent payment-card charges.

Credential stuffing was to blame in two of the incidents. In credential stuffing, attackers use automated scripts to try high volumes of stolen username and password combinations against online accounts in an effort to take them over. The stolen credentials are usually taken from data breaches of other sites — cybercriminals bank on password reuse and the use of common or easy-to-guess passwords, like “123456.”

Once in, cybercriminals can use the compromised accounts for various purposes: as a pivot point to penetrate deeper into a victim's machine and network; to drain accounts of sensitive information (or monetary value); and, if it's an email account, to impersonate the victim in attacks on others.

And such attacks are costly: The Ponemon Institute's Cost of Credential Stuffing report found that businesses lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers, and increased IT costs.

They're also wildly common. According to recent PerimeterX data, malicious login attempts out of total logins trended upward during 2021, reaching a staggering 93.8% of all login attempts in August, which was an 8% increase on the 2020 peak.

Verizon's 2022 Data Breach Investigations Report (DBIR), released this week, noted that the use of stolen credentials for kicking off data breaches is the top attack vector, accounting for around 42% of all of the breaches analyzed by the carrier.

**General Motors Drives into Trouble**  

GM has alerted customers that a successful credential-stuffing attack last month on its customers resulted in a raft of account compromises. The incident exposed personal information for customers and allowed hackers to fraudulently redeem rewards points for gift cards.

The customer data involved lends itself to a veritable cornucopia of follow-on attacks, including convincing social-engineering efforts, spoofing attacks, and, alarmingly, potential physical threats at the extreme end of the spectrum. The info included first and last name, personal email address, personal address, username and phone number for registered family members tied to an account, last known and saved favorite location information, your currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile picture, search and destination information, and reward-card activity.

"Some may suggest that breaches that don't involve payment-card numbers or SSNs are not as serious, but other information (family member names, phone numbers, and addresses) is just as damaging as it will be used in future social engineering attacks and will forever place these people in danger," noted John Gunn, CEO at Token, via email. "How easy is it to change family member names, phone numbers, and addresses? This type of attack is eminently preventable simply with better multi-factor authentication."

GM is reinstating any lost loyalty points and forced a password reset for customers.

**Chicago Public Schools Face Student Exposure**

Also this week, news emerged of a wide-ranging data breach that involved the personal information of nearly 500,000 students in Chicago Public Schools (CPS), and more than 56,000 employees.

The information was stolen as part of a ransomware attack on one of the district's third-party technology suppliers, Battelle for Kids, which maintains a server used to store the CPS student and staff information. The data was for the 2015-2019 school years.

CPS issued a data-breach notification flagging the exposed information, which included name, date of birth, gender, grade level, school, and district and state student ID numbers, as well as information about the courses students took.

The exposed staff records included name, school employee ID number, CPS email address, and scores on tasks used to evaluate teachers during the time period, the district said.

Perhaps most notably, the breach occurred months ago, on Dec. 1, but Battelle for Kids didn't notify CPS until April 26. It took that long for the vendor to verify the authenticity of the breach and commission an independent forensic analysis, and for law enforcement authorities to investigate, CPS noted.

The data was old and there's no evidence that the ransomware gang has made a move to exploit the data, but students and staff should still be on the lookout for phishing efforts, the district warned. It's offering everyone involved a year of free credit monitoring in response to the incident.

"Ransomware attacks have become a growing threat to education centers across the United States," says Erfan Shadabi, cybersecurity expert with data security specialists Comforte AG. "Schools are becoming more dependent on a computing infrastructure to support their daily functions, and they also hold a vast amount of sensitive information. School districts and universities need to understand that they are high-profile targets, and they need to assume that a cyberattack is imminent."

**Zola Customer Accounts Hijacked**

Wedding-planning site Zola has discovered that 3,000 customer accounts were compromised in an apparent brute-force or credential-stuffing attack on its customers.

The site allows couples to create wedding destination websites, build gift registries, and access a variety of financial tools. Over the weekend, customers began reporting on Reddit that their accounts had been hijacked, with the cyberattackers making off with stolen funds or racking up fraudulent credit-card charges. Zola didn't reveal how high the losses have mounted.

TechCrunch, which first reported the breach, said that it saw posts on a Dark Web Telegram channel from hackers, who swapped tips, posted screenshots of pwned accounts, and discussed ordering gift cards using the credit card on file with Zola.

"Credential stuffing attacks continue to fuel the web-attack lifecycle, potentially using these stolen user credentials on other e-commerce sites," said Uriel Maimon, vice president of emerging products at PerimeterX, via email. "We can expect that these credentials will soon be tested on other apps that we use daily to power our lives. The responsibility lies on app providers and website owners to make it difficult and expensive for cybercriminals to use the information in order to disrupt the cycle of attacks. This means stopping the theft, validation, and fraudulent use of account and identity information everywhere along a consumer's digital journey."

He added that that one way to do that is by tracking behavioral and forensics signals of users logging in, in order to differentiate between real users and attackers.

Big Cyber Hits on GM, Chicago Public Schools, & Zola Showcase the Password Problem

Let the threat landscape guide your company's timeline for complying with new data security standards for credit cards. Use the phase-in time to improve security overall — security as a process — not just comply with new standards.

In March, the PCI Council released the latest update to its Data Security Standard (DSS). The PCI DSS 4.0 is a major refresh of the current version, 3.2.1, which was released in May 2018. The threat landscape has certainly changed in the last four years, so it's not surprising to see significant changes to this version of the DSS, which is meant to reduce the risk of debit and credit card data loss and protects merchants and cardholders.

However, none of the changes in version 4.0 will require immediate action. Version 3.2.1 won't be retired until the second quarter of 2023, and many of the newer requirements in version 4.0 are considered best practice — i.e., not required — until March 2025. For affected organizations, it's not uncommon to see this deadline and create a plan based on an extended, two-year timeline. That said, delaying implementation is also the strategy that includes accepting the most risk.

**Full Compliance Is Difficult  
**The reality is that compliance with version 3.2.1 hasn't been an easy task for most organizations. Verizon's most recent "Payment Security Report" (registration required), published in 2020, found that only 27.9% of organizations were able to maintain full compliance with the PCI DSS, which is down 8.8% from the prior year. That decline is part of a longer trend, with compliance down 27.5% since 2016, when full compliance peaked at 55.4%.

Faced with this reality and the changes in version 4.0, there's an opportunity for organizations to take a different approach through this transition. Rather than creating a plan to meet compliance deadlines, organizations should create a plan to improve security that also meets compliance requirements. It's rare to have this kind of runway for a requirement, and it's an opportunity that shouldn't be squandered.

To illustrate this point, it's important to look at the changes to the DSS in groups, and by identifying trends. After all, these changes aren't arbitrary. They've been carefully made based on the threat landscape.

As an example, there are three changes to consider. First, Requirement 2 has been updated from "Do not use vendor-supplied defaults for system passwords and other security parameters" to "Apply secure configurations to all systems." Requirement 8.3.9 now provides an option to use dynamic assessment of security posture of assets in place of password rotation. Finally, Requirement 8.5.1 specifies secure configuration requirement for the implementation of multifactor authentication.

It's possible to consider each of these changes as separate items to be addressed in a transition plan, but they collectively point to a common underlying security control: security configuration management. Rather than address them individually, an organization should implement a comprehensive SCM program that also meets compliance needs. As a relevant aside, the Center for Internet Security documents in its Community Defense Model "that establishing and maintaining a secure configuration process (CIS Safeguard 4.1) is a linchpin Safeguard for all five attack types, which reinforces the importance of configurations, such as those found in the CIS Benchmarks." In other words, there's more security benefit to be gained than just PCI compliance.

There are certainly other examples to consider as well. Requirement 8.3.9 might be combined with Requirements 8.4 and 8.5 around MFA to drive a more comprehensive zero-trust architecture (ZTA) project. PCI compliance certainly doesn't require ZTA, but the data suggests that security can be enhanced with a best-practice ZTA implementation. By prioritizing a security-oriented objective and using the transition in PCI as a driver, organizations can maximize their benefits from a required project.

This type of a strategy isn't limited to new requirements, either. The Verizon report shows that Requirement 11, "Regularly Test Security Systems and Processes," has been the most problematic for organizations since the report's inception 10 years back. While one could argue that there haven't been major changes in Requirement 11, there are certainly changes that will cause work. For example, Requirement 11.3.1.2 now requires authenticated vulnerability scanning for internal assets. Such changes present an opportunity to address long-standing obstacles to both security and compliance with a more comprehensive approach to vulnerability management.

**Compliance as Tool, Not Burden  
**The other side of the equation is the cost of addressing the changes as individual requirements. It's possible to take the full two years to implement some of these requirements and remain fully compliant with PCI, but doing so also adds avoidable risk to your business. First, you're not escaping PCI compliance in the meantime. You'll simply have to comply with version 3.2.1, which still consumes resources. More importantly, the changes in version 4.0 were made to address the threat landscape we currently face, and by delaying implementation of things like expanded MFA and monitoring of security controls, you're allowing recognized, known risks to persist in your environment.

While PCI compliance serves to protect the card brands themselves, the security controls you choose to implement should protect your organization and its data. Set security as the priority and leverage compliance as a tool rather than seeing it as a burden.

Source

DARKReading