Too much access and privilege, plus a host of unsafe cyber practices, plague most workplaces, and the introduction of tools like GenAI will only make things worse.

Source: Yuri Arcurs via Alamy Stock Photo

NEWS BRIEF

A survey of more than 14,000 employees across a variety of industries shows that employee behaviors when it comes to sensitive data often put organizations at risk.

The findings show that 80% of those surveyed access workplace applications from personal devices that lack necessary security controls. In addition, privileged access extends beyond IT admins, and 40% of respondents habitually download customer data. A third of respondents are able to alter sensitive data without controls, and roughly 30% can approve large financial transactions on their own.

In addition to this, the CyberArk study found that employees often practice bad cybersecurity habits. About half (49%) of respondents admitted to reusing the same login credentials for multiple work applications, while 36% use the same credentials for both work and personal applications; about 65% copped to bypassing cybersecurity policies for personal ease. All of these practices heighten the risk of organizations falling victim to leaks and data breaches.

The security firm warned that such behaviors will only continue with the growing use of on-the-rise tools, such as artificial intelligence, which are increasingly being introduced into the workplace. Roughly 72% of employees use AI tools, which can pose a threat when sensitive data is inputted into them — a likely scenario as 38% of employees only sometimes, if ever, adhere to guidelines dictating the handling of sensitive data when it comes to AI.

Cyber-Unsafe Employees Increasingly Put Orgs at Risk

A novel backdoor malware and a loader that customizes payload names for each victim have been added to the threat group's cybercriminal tool set.

Source: Photo Spirit via Shutterstock

A known threat actor in the malware-as-a-service (MaaS) business known as "Venom Spider" continues to expand capabilities for cybercriminals who use its platform, with a novel backdoor and loader detected in two separate attacks in a recent two-month period.

Researchers at Zscaler ThreatLabz uncovered campaigns between August and October of this year that leveraged a backdoor called called RevC2, as well as a loader called Venom Loader, in attacks that use known MaaS tools from Venom Spider (aka Golden Chickens), according to a blog post published Dec. 2.

RevC2 uses WebSockets to communicate with its command-and-control (C2) server and can steal cookies and passwords, proxy network traffic, and enable remote code execution (RCE). Venom Loader meanwhile uses the victim's computer name to encode payloads, thus customizing them for each victim as an extra personalization tactic.

Venom Spider is a threat actor known for offering various MaaS tools such as VenomLNK, TerraLoader, TerraStealer, and TerraCryptor that are widely used by groups such as FIN6 and Cobalt for cyberattacks. In fact, FIN6 was seen leveraging Venom Spider's MaaS platform in October, in a spear-phishing campaign spreading a novel backdoor dubbed "more\_eggs" capable of executing secondary malware payloads.

Related:Ransomware's Grip on Healthcare

**Even "More\_Eggs"**

That platform apparently has been enhanced yet again, this time with two new malware families observed in recent phishing campaigns. RevC2, observed by researchers in a campaign that occurred from August to September, used an API documentation lure to deliver the novel payload.

The attack began with with a VenomLNK file that contains an obfuscated batch (BAT) script that when executed downloads a PNG image from the website hxxp://gdrive\[.\]rest:8080/api/API.png. The PNG image aims to lure the victim with a document that is titled "APFX Media API Documentation."

Upon execution, RevC2 used two checks for specific system criteria and then executed only if they both pass, to ensure it's launched as part of an attack chain, and not in analysis environments such as sandboxes.

Once launched, the backdoor's capabilities include the ability to: communicate with the C2 using a C++ library called "websocketpp"; steal passwords and cookies from Chromium browsers; take screenshots of the victim's system; proxy network data using the SOCK5 protocol; and execute commands as a different user using the stolen credentials.

A second campaign occurring between September and October used a cryptocurrency lure to deliver Venom Loader, which in turn spread a JavaScript backdoor providing RCE capabilities that the researchers dubbed "More\_eggs lite." The malware is so-named because it has fewer capabilities than the previously discovered "more\_eggs," ThreatLabz security researcher Muhammed Irfan V A noted in the post.

Related:2 UK Hospitals Targeted in Separate Cyberattacks

"Although it is a JS backdoor delivered via VenomLNK, the variant only includes the capability to perform RCE," he wrote.

One notable feature of Venom Loader is that the DLL file it used in the observed campaign is custom built for each victim and is used to load the next stage, according to ThreatLabz.

The loader is downloaded from :hxxp://170.75.168\[.\]151/%computername%/aaa, "where the  %computername% value is an environment variable which contains the computer name of the system," Irfan V A wrote.

Venom Loader then uses %computername% as the hardcoded XOR key to encode its stages of attack, which in this case executes the More\_eggs lite backdoor for attackers to carry out RCE.

**MaaS Capabilities Expected to Expand**

ThreatLabz believes that the new malware included in Venom Spider's MaaS platform "are early versions, and expect more features and anti-analysis techniques to be added in the future," Irfan V A wrote.

Zscaler detected the malware using both a sandbox and its cloud security platform, which detected the following threat-name indictors related to the campaign: LNK.Downloader.VenomLNK; Win32.Backdoor.RevC2; and Win32.Downloader.VenomLoader.

Related:Incident Response Playbooks: Are You Prepared?

Zscaler also is providing a Python script that emulates RevC2's WebSocket server on its GitHub repository as well as included a long list of indicators of compromise (IoCs) in the blog post so defenders can check their respective organization's systems for evidence of the malware.         

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Venom Spider Spins Web of New Malware for MaaS Platform

Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

Ransomware attacks keep increasing day to day, and healthcare systems are one of the prime targets. Despite ongoing efforts to patch vulnerabilities, the problem persists. Patching, long considered a cornerstone of cybersecurity defense, is no longer enough. The consequences of the attack for healthcare organizations go far beyond reputational and financial damage — they are a matter of patients' lives.

The reason is that all healthcare organizations are treasures of highly critical information: Medical records, personal information, and financial details all command a high price in the black market. What's more important, healthcare services cannot afford any downtime, and because these systems need to be online and working at all times, victims usually pay the ransom.

The growing sophistication of ransomware, combined with the complex IT environments in healthcare, means that traditional defenses like patching fall short. Meanwhile, attackers are finding a way to expose the open gaps that patching alone cannot close, even with regular updates.

**The Patching Problem**

Many believe patching is a line of defense that stops ransomware in its tracks, but patching has gradually reached its threshold of limitations. Most healthcare IT systems are amalgamating old legacy technology, critical life-supporting medical devices, and modern infrastructure, making it very difficult to implement patching. For instance, most medical devices run operating systems that are no longer supported by vendors. Patching is very risk-prone and might involve downtime, which affects patient service.

Patching covers only the known vulnerabilities. On the other side, ransomware attackers are increasingly leveraging zero-day vulnerabilities, those that have not yet been discovered, or do not have any patch available for them. Even fully patched systems can be vulnerable to such an attack, leaving the organization at risk for ransomware.

Then, we need to think about a lateral movement problem. Once inside a network, ransomware can easily cross over into unpatched or misconfigured systems. One more factor in the case of ransomware attacks is that there are no more single-entry points; the attackers simply use stolen credentials and/or unprotected routes of access to move across the network, infecting multiple systems and amplifying resultant damage.

**Expanding the Scope of Defense**

With such challenges, health organizations really do need to rethink their approach toward ransomware defense; patching, though necessary, represents only one piece of a much larger jigsaw puzzle.

The first recommended strategy is implementing advanced threat protection (ATP) solutions to provide an extra layer of security. These utilities use artificial intelligence and machine learning to detect suspicious activities and block ransomware before they actually cause serious damage. Instead of waiting for a patch that will fix a vulnerability, ATP systems can detect emergent threats in real-time, offering a proactive approach to defense.

Segmentation of a network can prevent ransomware from spreading; this is where healthcare organizations isolate the network into smaller segments. This is important, as once a part of the network is compromised, then the rest of it will always be safe. This is a very crucial tactic in containing ransomware and limiting its damage.

Phishing remains one of the most common methods for deploying ransomware, and healthcare staff are often targeted. Training employees to recognize phishing attempts, combined with multifactor authentication (MFA), adds an essential layer of protection. Even if attackers manage to steal credentials, MFA can stop them from gaining access to critical systems.

Incident response planning is also essential. Organizations need to be prepared for the worst-case scenario. Regularly updated backups, stored separately from the main network, are important for recovery after an attack. These backups ensure that healthcare services can be restored without paying a ransom. These plans should be tested periodically to make sure they work when needed most.

**Healthcare Can't Afford to Ignore the Need for a Broader Defense**

Ransomware is not just a technical issue; it's most definitely a business problem that no healthcare organization can afford to dismiss. Recent high-profile attacks have proved how vulnerable the providers of healthcare are; while patching remains an essential process, it only forms one part of the much larger total solution.

Security in healthcare must go beyond patching and involve a more strategic approach. This can be shown by the ever-increasing pressure placed by regulatory bodies, such as DHHS, to even further restrict cybersecurity guidelines for providers. Patch management falls under compliance, but it seems obvious that a more encompassing proactive approach to security must be enacted if patient data and operations are to be secured.

Healthcare leaders need to take this into consideration and invest a larger focus on enterprise-wide risk management. Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.

**About the Author**

Lead Security Engineer, C4HCO

Claudio Gallo is a lead security engineer of the Colorado Marketplace Exchange, dedicated to protecting critical information in the healthcare and insurance industries. With expertise in application security, cloud architecture, and compliance, Claudio designs innovative strategies to safeguard sensitive data and ensure trust in important services. Passionate about making a meaningful difference, he is equally committed to mentoring aspiring professionals in the information security industry, sharing knowledge, and fostering the next generation of cybersecurity talent.

Ransomware's Grip on Healthcare

Websites these days know everything about you — even some details you might not realize. Hackers can take advantage of that with a sharp-toothed attack that exploits Europe's GDPR-mandated data portability rules.

Source: Design Pics Inc Alamy Stock Photo

Researchers are warning that an otherwise positive European data regulation has introduced massive risks to individuals and the companies they work for.

Ever since the passage of the General Data Protection Regulation (GDPR), Internet users in Europe — and in many places around the world following suit — have been able to download the entirety of the data that websites save about them. Besides the obvious benefits to privacy and transparency, the idea was portability: Anyone could take the data one site possessed about them and transfer it to another.

In a new blog post, CyberArk highlights a theoretical yet severe cost to this new right to data portability. Before the rule, everyone's most sensitive data was protected behind brick walls at ultrasecure data centers. Now that users can retrieve that data via a cloud-based mechanism, hackers can access their accounts and steal it all. Considering the extent of the data that websites collect about us today, the possibilities for malfeasance are endless.

"It's my legal right, and it's perfectly fine that I'm capable \[of seeing\] what information is being kept about me," says Lior Yakim, threat researcher at CyberArk Labs, who dubs the attack "White FAANG," since the vulnerable data could be exported from services provided by major tech companies like Facebook, Amazon, Apple, Netflix, and Google (FAANG).

Related:'Bootkitty' First Bootloader to Take Aim at Linux

However, he warns, "Because it's so easy to get all of that highly intrusive information — together with the fact that people use the same devices for corporate and personal purposes — there's a major risk."

**The Data Sites Have on You**

Companies hoard gobs of sensitive information, especially the largest technology companies most central to our online lives. They possess everything from our most sensitive personally identifying information (PII) to the long histories of our online activity. But even the most jaded Internet users might be surprised just how deep this hole goes.

Meta, for example, records not only your documented Facebook activity, but also plenty of undocumented data, like what posts you viewed, and exactly how long you viewed them.

Google, likewise, saves not only your entire search history, but even searches you typed but didn't ultimately execute.

GDPR's well-intentioned data portability regulations forced companies to make all of this information exportable at the click of a button, in a machine-readable format. And what's stopping a hacker in possession of your account from doing just that? "The most common protection is, indeed, multifactor authentication (MFA). But as we know, MFA can be bypassed," Yakim notes.

Related:China's Cyber Offensives Built in Lockstep With Private Firms, Academia

**The Risks to Individuals and Corporations**

With export data, there is no limit to what an attacker can do. They can use your Google search history to blackmail you, your GPS data from Meta to find where you live, and your Apple calendar history to know where you've been and where you'll be, to say nothing of the endless possibilities for cyberattacks.

Beyond all that, there's the risk to employers. Individual accounts can house all kinds of data that pertains to, or can otherwise be used to attack the companies they work for.

Again, the scenarios are limitless. With an Apple export, for example, a hacker could take the MAC address associated with an employee's unpatched AirPods, spoof a Bluetooth connection, exploit CVE-2024-27867 to gain access to them, then listen in on corporate meetings. Or, Yakim suggests, they can leverage information like the operating system version of the employee's mobile phone. "If I know, for example, that the mobile device of the employee is not up to date, I can search for specific, known vulnerabilities in order to target this employee," he says.

And there are far simpler, more present dangers than that. CyberArk surveyed 14,000 employees, finding that around 63% use personal accounts on their work computers, and 80% access work applications from their personal computers. Thanks to this comingling, work passwords tend to end up stored in far less secure personal accounts, from which they can be exported. This was how Cisco got breached in 2022, and Okta in 2023, a case that affected every one of its customers as well.

Related:VISO TRUST Secures $24M to Accelerate Innovation in AI-Powered Third-Party Risk Management

To prevent that from happening, employees need to draw a clear line in the sand between their business and pleasure online. "Personal accounts are less secure than corporate accounts," Yakim says. "That's the message that we're trying to deliver here."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'White FAANG' Data Export Attack: A Gold Mine for PII Threats

Though it's still just a proof of concept, the malware is functional and can evade the Secure Boot process on devices from multiple vendors.

Source: Alexander56891 via Shutterstock

Researchers have spotted what they believe is the first ever malware capable of infecting the boot process of Linux systems.

"Bootkitty" is proof-of-concept code that students in Korea developed for a cybersecurity training program they're involved in. Though still somewhat unfinished, the bootkit is fully functional and even includes an exploit for one of several so-called LogoFAIL vulnerabilities in the Unified Extensible Firmware Interface (UEFI) ecosystem that Binarly Research uncovered in November 2023.

**A Novel Proof-of-Concept**

Bootkits operate at the firmware level and execute before the operating system loads, allowing them to bypass the Secure Boot process for protecting systems from malware during startup. Such malware can persist through system reboots, operating system reinstallation, and even physical replacement of certain parts, like hard drives.

Researchers at ESET who analyzed Bootkitty after finding a sample on VirusTotal just last month described it as the first UEFI bootkit for Linux they have come across. That's significant because, until now, bootkits — the most notorious of which includes BlackLotus and FinSpy — have been Windows-specific.

"\[Bootkitty's\] main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)," ESET researchers Martin Smolar and Peter Strycek wrote.

Binarly, which also analyzed Bootkitty, found the malware to contain an exploit for CVE-2023-40238, one of several image parsing LogoFAIL vulnerabilities in UEFI that the company reported last year. The Bootkitty exploit leverages shellcode embedded within bitmap image (BMP) files to bypass Secure Boot and get the OS to trust the malware, Binarly said. The vendor identified Linux systems from multiple vendors as being vulnerable to the exploit, including those from Lenovo, Fujitsu, HP, and Acer.

"While this appears to be a proof-of-concept rather than an active threat, Bootkitty signals a major shift as attackers expand bootkit attacks beyond the Windows ecosystem," Binarly wrote. "The operating system bootloaders present a vast attack surface that is often overlooked by defenders, and the constant growth in complexity only makes it worse."

The UEFI — and prior to that the BIOS ecosystem — has been a popular target for attackers in recent years because of how malware operating at that level can remain virtually undetectable on compromised systems. But concerns over UEFI security really came to a head with the discovery of BlackLotus, the first malware to bypass Secure Boot protections even on fully patched Windows systems.

The malware took advantage of two vulnerabilities in the UEFI Secure Boot process, CVE-2022-2189, also known as Baton Drop, and CVE-2023-24932, to install itself in a virtually undetectable and unremovable manner. The relatively easy availability of the malware and Microsoft's struggles in addressing it, prompted a call from the US Cybersecurity and Infrastructure Security Agency (CISA) for improved UEFI protections.

"Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode," CISA noted at the time. "In particular, UEFI secure boot developers haven't all implemented public key infrastructure (PKI) practices that enable patch distribution."

**Functional Bootkit**

ESET found Bootkitty to contain capabilities for modifying, in memory, functions that normally verify the integrity of the GRand Unified Bootloader (GRUB), which is responsible for loading the Linux kernel during startup. However, the specific functions that Bootkitty attempts to modify in memory are supported only on a relatively small number of Linux devices, suggesting the malware is more proof of concept than an active threat. Bolstering that theory is the presence of several unused artifacts in the code, including two functions for printing ASCII art and text during execution, ESET said.

The Korean students who developed the bootkit informed ESET after the security vendor published its analysis. ESET quoted the students as saying they had created the malware in an effort to spread awareness about the potential for bootkits becoming available for Linux systems. Details of the malware were only supposed to have become available as part of a future conference presentation. However, a few samples of the bootkit ended up being uploaded to VirusTotal, they noted.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'Bootkitty' First Bootloader to Take Aim at Linux

Chalk up another win for global cooperation among law enforcement, this time targeting seven types of cyber fraud, including voice phishing and business email compromise.

Source: Olena Bartienieva via Alamy Stock Photo

Following a global five-month operation involving law enforcement from 40 countries and regions, more than 5,500 financial crime suspects have been arrested and more than $400 million in virtual assets seized.

Operation HAECHI V spanned from July to November of this year and targeted seven types of cyber frauds: voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise fraud, and e-commerce fraud.

As part of the operation, authorities from Korea and Beijing dismantled a voice-phishing syndicate responsible for $1.1 billion in losses, affecting more than 1,900 victims. 

During the length of the operation, Interpol also issued a Purple Notice related to cryptocurrency fraud practices involving stablecoin; Purple Notices are used to seek or provide information about operating methods as well as how suspected criminals conceal themselves. Interpol also alerted countries to the "USDT Token Approval Scam," in which threat actors access and control their victims' cryptocurrency wallets as part of Operation HECHI V.

"The effects of cyber-enabled crime can be devastating — people losing their life savings, businesses crippled, and trust in digital and financial systems undermined," Interpol Secretary General Valdecy Urquiza said. "The borderless nature of cybercrime means international police cooperation is essential, and the success of this operation supported by Interpol shows what results can be achieved when countries work together."

**About the Author**

Interpol Cyber-Fraud Action Nets More Than 5K Arrests

AWS Security Incident Response will help security teams defend their organizations from account takeovers, breaches, ransomware attacks, and other types of security threats.

Source: Leo Wolfert via Adobe Stock Photo

Amazon Web Services (AWS) has launched a new incident response service to help security teams respond to threats faster and reduce the time it takes for organizations to recover from attacks.

AWS Security Incident Response, unveiled ahead of the company's re:Invent 2024 conference in Las Vegas this week, relies on machine learning to automatically triage and analyze security signals from Amazon GuardDuty and other supported third-party threat detection tools available through the AWS Security Hub cloud security posture management service.

The new service will help security teams investigate incidents, coordinate responses across multiple stakeholders, manage permissions across environments, and document actions taken and decisions made. The automated triage feature filters security alerts based on customer-specific information to identify incidents that require immediate attention.

"Security teams often face an overwhelming number of daily alerts, leading to potential misplaced priorities of resources and reduced effectiveness," wrote Betty Zheng, senior developer advocate at AWS, in a blog post announcing AWS Security Incident Response. "Manual investigation of findings strains resources and may cause customers to overlook critical security alerts."

The service offers preconfigured notification rules and permission settings. It can also be configured to execute containment actions, leading to faster incident response times and potentially reduced impact of security incidents, Zheng wrote. The service will create security cases for alerts that cannot be automatically resolved. For high-priority threats, the service connects to the AWS Customer Incident Response Team (CIRT), which provides support 24 hours a day, seven days a week.

The service provides self-service investigation tools, as well as capabilities such as secure data transfer (to share logs and other forensics data), messaging and video conference scheduling (to communicate with key stakeholders and investigators), and automated case history tracking and reporting. Security teams can either handle incidents independently or collaborate with third-party security vendors, based on their needs and requirements.

Security teams can monitor, measure, and improve their incident response performance over time via a service dashboard that displays critical metrics, such as mean-time-to-resolution (MTTR), number of cases addressed within a specific time period, and number of triaged findings.

AWS Security Incident Response is now available in 12 AWS Regions globally: US East (N. Virginia, Ohio), US West (Oregon), Asia Pacific (Seoul, Singapore, Sydney, Tokyo), Canada (Central), and Europe (Frankfurt, Ireland, London, Stockholm). Interested organizations can enable it via the AWS management console and service-specific APIs. For the service to be able to monitor and analyze security alerts, administrators need to enable the proactive response feature to create service-level permissions. Once done, the alerts are automatically sorted and remediated using service automation and customer-specific data, including common IP addresses, AWS Identity and Access Management (IAM) principals, and other relevant attributes. 

"To experience the full service, we recommend activating Amazon GuardDuty and AWS Security Hub as well," AWS said in its post.

AWS Launches New Incident Response Service

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

What a mess! Things are in a real bind here. Link us to your best cybersecurity-related captions to describe the above scene and our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Dec. 31 deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 gift card — to Matthew Tompkins, federal senior intelligence coordinator at the Federal Energy Regulatory Commission, for back-to-back wins. The winning caption for last month's "Aerialist's Choice" cartoon is below. Some noteworthy contenders included: "We’ll definitely have a zero trust environment after this," "Strong defenses rely on team work. Be ready to catch every threat," and "You can only catch so much. Hope the net catches the rest." A big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Shackled!

With cybersecurity talent hard to come by and companies increasingly looking for guidance and best practices, virtual and fractional chief information security officers can make a lot of sense.

Source: Gorodenkoff via Shutterstock

Numerous paths lead a company to retain a virtual chief information security officer (vCISO).

Companies that work with managed security service providers (MSSPs) may need to expand their security strategy and thus engage a vCISO. Following a breach, an incident response firm may recommend that the business develop a proactive security and response plan by hiring a part-time CISO. Venture capitalists may need a security expert to do due diligence during a merger or acquisition. Even cyber insurers now recommend vCISOs to policyholders to shepherd them through the process of developing best practices.

In the end, a virtual CISO gives a company an expert who can manage the security program of the business in a consistent way and often brings a different perspective, helping security teams see the forest and not just the trees, says Thomas Siu, CISO at Inversion6, a provider of virtual CISO services.

"We have a chance to step back from the business process or even the client because we're distant enough that we can look at the whole big picture," he says. "As a CISO, I could still bring in a fractional CISO to look at specific problem space for me — sometimes, the tree-forest issue does occur."

Virtual and fractional CISOs are taking off. While the shortage in cybersecurity-skilled executives makes hiring a full time CISO an expensive proposition, paying for a part-time leader to manage the overall security strategy often makes sense. While a consultant might fit the bill, often companies want an expert who could provide a consistent viewpoint based on an agreed-upon strategy or a fractional CISO who has specific skills or knowledge, such as in operational technology or a certain region's regulations.

Whether the hiring impetus is a merger, a cyber-insurance policy, or a security incident, a virtual CISO can help a company develop a long-term strategy, says Adam Tyra, general manager of security services at cyber-insurance firm At-Bay, which offers managed services and vCISO services.

"Most companies are only having that insurance conversation once a year, and then they don't have it again until it's time for the policy to renew, but the threat landscape is going to change continuously," he says. "You should be doing a lot more than the minimum that's required just to get insurance, and that's where your vCISO can help."

**Lost Your CISO? Consider a vCISO**

For Inversion6's Siu, the path to becoming a virtual CISO started with his work for an MSSP, handling discrete projects for clients. A former CISO at Michigan State University and Case Western Reserve University, Siu acted as a vCISO for a company doing executive protection, where he would create a cybersecurity plan for the company at risk and regularly check in to make sure the plan was being followed. Companies would also contact Siu to fill a gap when an existing CISO decided to move on.

"Somebody would lose their CISO, and they needed someone step in to do the program — it turned out to be a different economic model to have a vendor run that kind of strategic business advisory service long term," he says. "You weren't so much involved operationally. You were helping them with their budgets. You were helping them with their strategy. So you could dial it up as much as you want or dial it back, but you had to always be on call."

Typically companies in need of a vCISO reach out for one of three reasons: to meet their regulatory or contractual security requirements, to meet or exceed industry norms for cybersecurity, or to build a security program as a competitive differentiator, says At-Bay's Tyra.

"If you are a company that has a robust IT capability where you can implement all your own systems, and you're good at managing all your technology, a vCISO service may be all that you need," he says. "You get pointed in the right direction, with a punch list of projects to go execute, and then you have the IT capability to go do those things."

**When a vCISO Is Not Enough**

Yet often having a plan is not the same as executing a plan. In those cases, companies may want to seek out managed security services to acquire specific cybersecurity capabilities. Determining whether a company needs more than a vCISO is, oddly enough, a good job for a vCISO, says At-Bay's Tyra.

"This is an area where I think a lot of companies are not honest with themselves about whether or not they have those capabilities internally," he says. "That's another area where a vCISO could potentially provide input, helping people figure out if the advice going to be good enough or \[if\] you need actual hands on your systems to get where you're trying to go."

Finally, as new threats arise, companies often want to know how they could be impacted. Because vCISO services often have a depth of expertise that companies cannot retain on staff, they can come in and provide recommendations to deal with new technologies, like artificial intelligence, or changes to the threat landscape, says Inversion6's Siu.

"Even if someone has a security program already, they bring us in to touch places that they just don't have the depth for, which they might not even be able to hire for, because it's so specialized," he says. "We can use that to help people understand where those particular \[threats\] fit into their overall risk profile."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Does Your Company Need a Virtual CISO?

Alder Hey Children's Hospital got hit with a ransomware attack, while the nature of an incident at Wirral University Teaching Hospital remains undisclosed.

Source: Dennis Gross via Alamy Stock Photo

Two hospitals affiliated with the UK's National Health Service (NHS) were victims of cyberattacks in the past week, though the incidents are not believed to be connected.

Alder Hey Children's Hospital said patient records and other information were compromised and has launched an investigation.

"We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust," the hospital wrote in a statement. "We are working with partners to verify the data that has been published and to understand the potential impact."

Inc ransomware claimed responsibility for the hack, adding Alder Hey to its leak site, alleging that the stolen data, which includes patient records and donor reports, dates back to 2018.

The second cyberattack affected Wirral University Teaching Hospital, which reported that it detected suspicious activity, prompting it to isolate systems resulting in certain IT systems going offline. 

"While \[medical\] services continue to be available, there has been disruption to planned services, for example, some scheduled appointments are affected," the hospital stated in its update. "Unfortunately we have had to postpone some procedures, which will be rescheduled."

As it works to resolve the "cybersecurity incident," it remains unclear who the perpetrator was and or the kind of attack they used.

**About the Author**

Source

DARKReading