Client-side web app security solution introduces features that give real-time visibility and control of the website attack surface, enabling businesses to stop PII theft and comply with data privacy regulations.

**SAN MATEO, Calif., April 19, 2022 —** PerimeterX, the leading provider of solutions that detect and stop the abuse of identity and account information on the web, today announced the availability of the Spring Release of PerimeterX Code Defender. It includes a rich set of capabilities designed to enable organizations to combat the growing threat of client-side supply chain attacks on websites and web apps.

Code Defender, named the 2021 SIIA CODiE Award winner for Best Security Solution, is a client-side web app security solution that provides comprehensive real-time visibility and control into a modern website’s supply chain attack surface, to identify vulnerabilities and anomalous behavior and proactively mitigate compliance risk.

“Client-side supply chain attacks have become one of the top types of cyberattacks, and can cause tremendous damage to a brand’s reputation and its ability to comply with growing data privacy regulations including GDPR and CCPA. Every business is dependent on website code from partners and the open source community to enrich their visitors’ experience. At the same time they are worried about the risk of supply chain attacks that can result from the use of a vulnerable component. Code Defender is the premier solution for identifying and proactively mitigating these risks,” said Omri Iluz, CEO and co-founder of PerimeterX.

The Spring Release of Code Defender includes:

*   Comprehensive client-side mitigation capabilities to control legitimate JavaScript at a granular level, enabling customers to block specific actions without blocking the entire script. This adds to existing CSP mitigation capabilities that allow performance or prevention of specific script actions.
*   Full visibility into client-side scripts running in a customer’s environment, including how scripts are interacting with the site, additional scripts they are interacting with and exposure details.
*   An actionable dashboard offering an at-a-glance overview to quickly identify the high-risk PII, PCI, and vulnerability incidents that response teams should prioritize.
*   Persona-based filtering so users can configure the dashboard based on what is interesting to each team, for example, focusing reports based on compliance or scripts from trusted and untrusted vendors.

According to Osterman Research, more than 99% of websites use third-party scripts to simplify common functions such as ad tracking, payments, customer reviews, chatbots, tag management, and social media integration, but only one in three websites have the capability to detect potential problems arising from vulnerabilities in this supply chain of code. More than 70% of a typical website can be comprised of third-party code. Malicious Shadow Code in first-, third- and nth-party scripts can modify page elements, insert fake checkout buttons or skim personally identifiable information from a website, including credit card numbers and passwords.

Code Defender continuously monitors and analyzes the behavior of all client-side scripts in real users’ browsers. The solution inventories and baselines known expected behavior, and then applies machine learning models to help identify new malicious, suspicious or anomalous behavior that warrants attention with appropriate severity rankings based on the level of perceived risk to a website. The solution runs 24/7/365 giving security operations teams real time visibility and control over all downstream client-side risks, freeing up application development teams to focus on innovation.

To learn more about the risks to your website, run the free Website Risk Analyzer which provides fast, easy-to-understand insight into the scripts running on your site and the potential security risks they represent.

For more about how your business can benefit from the new enhancements to Code Defender, contact us here or read the blog here.

**About PerimeterX**

PerimeterX is the leading provider of solutions that detect and stop the abuse of identity and account information on the web. Its cloud-native solutions detect risks to your web applications and proactively manage them, freeing you to focus on growth and innovation. The world’s largest and most reputable websites and mobile applications count on PerimeterX to safeguard their consumers’ digital experience while disrupting the lifecycle of web attacks. PerimeterX is headquartered in San Mateo, California, and at www.perimeterx.com.

PerimeterX Code Defender Extends Capability To Stop Supply Chain Attacks

Collaboration aimed at connecting talent and employers.

ELLICOTT CITY, Md., April 19, 2022 /PRNewswire/ -- The national network of cyber communities, CyberUSA, has partnered with Superus Careers in launching the Cyber Career Exchange platform, aimed at supporting national, regional, and state level communities to fill a growing gap in cybersecurity jobs. Cybersecurity talent gaps exist across the country with nearly 600,000 unfilled positions, according to

CyberSeek

, a data analysis and aggregation project supported by the National Initiative for Cybersecurity Education (NICE). Closing these gaps requires detailed knowledge of the cybersecurity workforce.

The Cyber Career Exchange is a specialized recruiting platform focused specifically on cybersecurity. The specialized methodology provides a system for employers to find potential employees based on job skills and education; job seekers and employers to certify job skills and education; for the upkeep and maintenance of career related skills for candidates; a methodology for finding & developing candidates; and (future development) partnership workflow for associations, schools or other organizations to deploy the 'Cyber Career Exchange'.

"I am proud of our advancements over the past 6 years in connecting cyber communities across the country. Starting with seven statewide cyber communities and growing thirty states to date has provided tremendous value in shaping the cybersecurity landscape at both the state and federal levels," said CyberUSA's Co-founder David Powell, "With growing threats and talent shortage more has to be done. The most immediate solutions to filling the open cyber jobs is to provide a system, hosted within trusted communities across the US, designed specifically to help employers and candidates easily find one another. The Cyber Career Exchange accomplishes that goal and more."

"Having worked within and recruited for Financial Services and Healthcare organizations, I understand the vulnerabilities, especially with a shortage that exists in the workforce," said Superus Careers CEO, Larry Silver. "I am excited for us to play our role in filling that void from an employment standpoint, which will have a positive impact on generations to come,"

**About CyberUSA.us**

CyberUSA (CyberUSA.us) is a collaboration of leaders and states focused on a common mission purpose of enabling innovation, education, workforce development, enhanced cyber readiness and resilience – all while connecting the cyber ecosystem of the United States and its Allies. This non-profit "community of communities" is governed by its advisors and members, established to enhance information sharing between individuals, organizations and states and improve cyber resilience at all levels of participation – local, regional and national. CyberUSA provides a communication framework, a national summit and cyber related resources to communities across the United States.

**About Superus Careers**

Superus Careers (SuperusCareers.com) places talented professionals with exceptional organizations across the country. We are redefining recruiting by leveraging cutting-edge technology and business intelligence to guide personal relationships. This high-tech, high-touch approach yields efficient, accurate matches that focus on total alignment, bringing talent and organizations together. Every candidate is technically qualified for the role, culturally aligned and ready to add value to the organization. Attention to detail and passion for results is what makes candidates and companies choose Superus Careers. When the right person is in the right role at the right company, everyone wins.

CyberUSA, and Superus Careers Launch Cyber Career Exchange Platform

Orlando, FL, April 19, 2022 — Fortress Information Security (Fortress), the leading supply chain cybersecurity provider for critical industries, today announced that it received a $125 million strategic investment from funds managed by the Private Equity business within Goldman Sachs Asset Management (Goldman Sachs). This new investment will support Fortress’s mission of securing U.S. critical industries from cybersecurity and operational threats emanating from their supply chains. Existing investors, including co-founders Peter Kassabov and Alex Santos, ClearSky, First Analysis, American Electric Power, Caron Capital, KMMT, and Moquin Capital, will continue to support Fortress as investors.

Fortress is transforming how critical industry operators and government agencies secure their supply chains in the face of increasing supply chain cybersecurity threats. Founded in 2015, the Fortress platform is a deep, fit-for-purpose solution that enables customers in critical industries to assess, manage, and address risks associated with vendors, assets, and software in their supply chains. Fortress enhances cybersecurity postures and compliance with relevant regulations. The Fortress solution was co-developed with leading electric utilities and has since grown into a consortium tool that includes five of North America’s ten largest investor-owned utilities. Fortress’s platform secures 40% of the U.S. power grid, substantial national defense-related assets, and critical manufacturing industries.

As critical industries increasingly face cybersecurity threats emanating from the supply chains that underlie them, federal government and private sector stakeholders have recognized that securing critical supply chains is a national security issue. In response, authorities such as the Cybersecurity and Infrastructure Security Agency (CISA) and the North American Electric Reliability Corporation (NERC) have released supply chain cybersecurity guidelines in the past year.

“Supply chain cybersecurity is one of the most important challenges facing business and government leaders today. Supply chains represent a source of significant threats to the national economy and our ability to maintain our way of life,” said Peter Kassabov, executive chairman and co-founder of Fortress. “We started Fortress because we recognized major supply chain vulnerabilities in our country’s most critical industries. Many recent high-profile breaches have spawned a new wave of regulatory action in the U.S. that will likely expand for the foreseeable future.”

“The Goldman Sachs investment validates the hard work of our employees and clients who have brought collaborative cybersecurity to life,” said Alex Santos, Fortress CEO and co-founder. “This growth capital infusion will empower us to accelerate the execution of our vision of resilient supply chains.”

“Fortress has established itself as a market leader in end-to-end supply chain cybersecurity solutions for U.S. critical industries and we look forward to scaling the company’s Asset-to-Vendor network, which provides significant value to critical infrastructure suppliers and customers,” said Will Chen, managing director within Goldman Sachs Asset Management. “The depth and breadth of the Fortress platform are unmatched and we believe there is a meaningful opportunity to accelerate the expansion of the platform into compelling product adjacencies, including software and hardware bill of materials, workflow orchestration, and additional analytics and reporting capabilities.”

Foley & Lardner LLP acted as legal advisor, and DBO Partners acted as financial advisor to Fortress. Goodwin Procter LLP acted as legal advisor, and Goldman Sachs & Co. LLC served as financial advisor to Goldman Sachs Asset Management.

Further terms of the transaction were not disclosed.

**About Fortress Information Security**

Fortress Information Security secures critical industries from cybersecurity and operational threats stemming from vendors, assets, and software in their supply chains. Fortress is the only end-to-end platform that connects intelligence surrounding vendors, information technology and operational technology assets, and software through a holistic, fit-for-purpose approach. Fortress has also partnered with its customers and suppliers to form the Asset-to-Vendor (A2V) network, which facilitates the secure and seamless exchange of asset information and security intelligence, enabling collaborative workflows to better understand and remediate potential issues. Fortress serves critical industries such as energy, government, aerospace & defense, critical manufacturing, industrial automation, automotive, and healthcare.

About Goldman Sachs Asset Management Private Equity

Bringing together traditional and alternative investments, Goldman Sachs Asset Management provides clients around the world with a dedicated partnership and focus on long-term performance. As the primary investing area within Goldman Sachs (NYSE: GS), we deliver investment and advisory services for the world’s leading institutions, financial advisors and individuals, drawing from our deeply connected global network and tailored expert insights, across every region and market—overseeing more than $2 trillion in assets under supervision worldwide as of December 31, 2021. Driven by a passion for our clients’ performance, we seek to build long-term relationships based on conviction, sustainable outcomes, and shared success over time. Goldman Sachs Asset Management invests in the full spectrum of alternatives, including private equity, growth equity, private credit, real estate and infrastructure. Established in 1986, the Private Equity business within Goldman Sachs Asset Management has invested over $75 billion since inception. We combine our global network of relationships, our unique insight across markets, industries and regions, and the worldwide resources of Goldman Sachs to build businesses and accelerate value creation across our portfolios. Follow us on LinkedIn.

_For more information, contact Adam Benson at \[email protected\] or 202.999.9104._

Fortress Information Security Receives  $125M Strategic Investment from Goldman Sachs Asset Management

Comcast Business mitigated 24,845 multi-vector DDoS attacks in 2021, a 47 percent increase over 2020.

**PHILADELPHIA – APRIL 20, 2022 –** Comcast Business today published results from its 2021 Comcast Business DDoS Threat Report. The report provides an overview of the Distributed Denial of Service (DDoS) attack landscape, trends experienced by Comcast Business customers and insights for measuring and mitigating risks. The report found that mulit-vector DDoS attacks targeting Layers 3, 4, and 7 simultaneously represent a 47 percent increase from the record number set in 2020.

“DDoS attacks, when they occur, can be costly and difficult to defend. The risk of losing network, server and application availability is higher than ever,” said Shena Seneca Tharnish, Vice President, Cybersecurity Products, Comcast Business. “With threat actors constantly innovating, organizations must stay vigilant to help protect their infrastructure from bad actors determined to cause financial and reputational damage."

The report indicates that 2021 was another record year for DDoS attacks, as Comcast Business DDoS Mitigation Services successfully identified and helped defend 24,845 multi-vector attacks targeting Layers 3,4, and 7 simultaneously. Overall, 69 percent of Comcast Business customers experienced DDoS attacks, a 41 percent increase over 2020, while 55 percent were targets of mulit-vector attacks, as opposed to in 2020 where most customers experienced single vector attacks.

The data also shows that DDoS attackers were indiscriminate and persistent as no verticals were spared and everyone was fair game – from tow truck drivers to churches, government, utilities, IT companies, online gambling sites, and manufacturing operations. However, the healthcare and education sectors remain favorite targets.

Seventy-three percent of all multi-vector attacks targeted the education, finance, government and healthcare sectors, likely due to vulnerabilities brought on by the COVID-19 pandemic. Threat actors also used industry-specific seasonal trends and activities to guide attacks and maximize impact.

Attacks on education customers followed the cadence of a typical school year, starting strong in January before taking a significant dip over the summer when schools were out, while the financial sector experienced a 3X uptick in attacks during November and December compared to the rest of the year.

Other key findings from the 2021 Comcast Business DDoS Threat report include:

· Attacks on information technology customers grew steadily, ending the year at 10X the January numbers.

· 98 percent of all multi-vector attacks were under 5 Gbps, as bad actors often strike at low volumes to avoid detection, degrade site performance and map out network vulnerabilities for reconnaissance.

· 69 percent of all multi-vector attacks lasted under 10 minutes, as short duration attacks are harder to detect and give IT organizations less time to respond, quickly overwhelming defenses.

· The number of vectors deployed in a single multi-vector attack increased from five to 15, while the number of amplification protocols used in multi-vector attacks increased from three to nine.

· 99 percent of customers experienced repeat attacks, while the largest and most severe attack was delivered at a rate of 242 Gbps.

The 2021 Comcast Business DDoS threat report focuses on multi-vector attacks that target Layers 3, 4, and 7 simultaneously. To download the report, please visit: https://business.comcast.com/community/browse-all/details/2021-comcast-business-ddos-threat-report

Comcast Business 2021 DDoS Threat Report:  DDoS Becomes a Bigger Priority as Multivector Attacks are on the Rise

From increasing cybersecurity awareness in staff, students, and parents to practicing good security hygiene for devices, using endpoint protection, and inspecting network traffic, schools can boost cybersecurity to keep students safe.

Since the onset of the pandemic, cyberattacks on schools and educational institutions have skyrocketed. In fact, K12 Security Information Exchange, a Virginia-based nonprofit that helps schools defend against cybersecurity risk, tracked more than 1,200 cybersecurity incidents since 2016 in US public school districts, consisting of ransomware attacks, grading system breaches, and child stalkers.

Students, teachers, and parents are increasingly reliant on technology to execute virtual learning. Tech plays a role in everything from personal student information to attendance and grading records. This sensitive data is more vulnerable to breaches, demanding that educational institutions get serious about bolstering their cybersecurity strategies.

Most public schools are exactly known for having robust budgets. While many educational institutions lack the funds for a full-scale cybersecurity plan or full-time IT staff, there are things that can be done to ensure that devices managed by schools are kept safe and secure. To protect a school, it's important to understand why and how cybercriminals target schools, and to train students and employees in best practices for ensuring that school-managed devices are used properly and securely.

**Why Do Attackers Target Schools?  
**Compared with the financial stakes of corporations and critical identification information housed within government agencies, it seems odd that a hacker would target public schools. But it turns out that there is more to be stolen than just lunch money.

The fact is that K-12 schools possess _loads_ of data, especially since schools turned to remote learning. In the last three years, schools handed out millions of digital devices and mobile hotspots to students and employees. These devices are used to access an increasingly large portfolio of online programs and apps for instruction. Without proper policies or device management systems in place, students have unfettered access to the Internet and the dangers within it. Not only are hackers finding their own way in, but user-initiated risk is also a concern. With increased entry points, hackers have myriad opportunities to uncover important data that helps facilitate identity theft. Personal information such as children's Social Security numbers is exposed through a cyberattack on a school, creating a very real problem for those too young to protect themselves.

It turns out that cybercriminals know about school funding problems too. Armed with the assumption that a K-12 school doesn't have the budget to implement and maintain a sophisticated cybersecurity system, hackers find themselves with a roster of easy targets. Not even higher education institutions are immune to cyberattacks. In fact, a university or college's high tuition costs are actually a motivator. In these cases, cybercriminals can take a university's website hostage in order to receive payments.

While educational institutions might offer the best in higher learning, the level of security systems put in place can vary. Without basic training, students and teachers are especially unaware of the tactics used by cybercriminals to obtain information.

Additionally, the sustained use of legacy infrastructure combined with the use of unprotected personal devices can also make an institution more susceptible to bugs and data breaches.

**Common Ways Schools Are Being Targeted  
**Douglas Levin, national director at K12 Information Exchange, found in his research that schools are typically targeted in four major ways.

First, through ransomware. This malicious software can publish or block access to data or a computer system until the victim meets the cybercriminal's demands. Second, victims experience denial-of-service (DoS) attacks in which a cybercriminal interrupts services indefinitely and makes a network or device unavailable for use.

Third on the list is a classic DoS attack: zoombombing. This cyberattack in which an uninvited perpetrator hijacks a Zoom meeting occurred frequently during the pandemic, and became a disruption to learning. It's a concrete example of how modern education needs to evolve to achieve modern security, and a simple fix such as requiring a password to enter a Zoom meeting can help combat such disruptions. Finally, schools are often victims of phishing cyberattacks, in which the cybercriminal has the ability to steal user data like logins, personal addresses, and grading information.

**How Schools Can Protect Themselves  
**School IT teams can bolster cybersecurity with these steps:

*   **Increase cybersecurity awareness** through regular cybersecurity training and awareness campaigns. As students, parents, administrators, and teachers all face different cyber threats, it's essential that these training sessions are relevant to everyone in the system who has access to the school's network and devices.
*   **Practice good security hygiene** for devices. This includes updating software to the most current edition, backing up files, deleting redundant files, and uninstalling unwanted applications. Beyond the device, ensure websites are password protected, infrastructure is locked down, and default passwords are updated.
*   **Do regular checkups on your inventory of assets.** Compare and contrast how your current systems stack up against recommended cyber frameworks, keep a watchful eye on your inventory of assets, and invest in extra protections for legacy systems that are unable to be updated.
*   **Inspect network traffic and Internet use.** Don't allow users with school-issued devices to have free rein of the Internet. Restrict access to illegal or potentially malicious sites that don't meet safe Internet standards. Help your institution zero in on cybersecurity pain points to prioritize spending efforts when the budget is limited.
*   **Prevent unauthorized devices from operating on your networks**. This is best done by restricting administrative access and applying endpoint protection to all school-provided devices. Only IT departments should have administrative capabilities.
*   **Make your cyber policy easily accessible.** Ensure that all faculty, students, and parents are aware of the existing cyber policy, and where they can easily access it to reference. Provide security training sessions to help everyone understand the cyber policy details.

It's clear that educational institutions are at a higher risk for cyberattacks due to a lack of training and resources dedicated to cybersecurity. But savvy schools can keep their students and employees safer by understanding how attackers target schools, spreading cybersecurity awareness, and taking additional proactive steps to safeguard devices and systems.

Creating Cyberattack Resilience in Modern Education Environments

Ransomware and other financially motivated threat actors joined nation-state-backed groups in leveraging unpatched flaws in attack campaigns, new data shows.

Threat actors exploited more zero-day vulnerabilities in 2021 than any prior year and mostly in software from Microsoft, Google, and Apple.

State-backed advanced persistent threat actors remained the most prolific users of these exploits as has always been the case to date. However, they were not the only ones: financially motivated groups — particularly ransomware operators — sharply ramped up their use of zero-days and accounted for one in three of attackers exploiting these vulnerabilities.

Two separate advisories this week — one from Mandiant and the other from Google's Project Zero security team — identified a big jump last year in software flaws that threat actors exploited before a patch became available. Mandiant counted a total of 80 such flaws in 2021, while Google identified 58 zero-days that were exploited in the wild before being patched.

By Mandiant's count, the 80 zero-day exploits in 2021 represented a 167% increase over the 30 it logged in 2020, and it more than doubled the previous highest number of 32 in 2019. The 58 zero-day exploits that Google counted represented more than double the 25 that company observed in 2020. It was also more than double Google's highest-ever total of 28 zero-days back in 2015.

Vulnerabilities in Microsoft, Google, and Apple accounted for 75% of the zero-days that threat actors exploited last year — a number likely tied to the broad use and popularity of technologies from these three vendors, Mandiant said. A spreadsheet of zero-day flaws that Google has maintained since 2014 shows that 16 of the 58 zero-day exploits the company observed last year were in its own technologies; 21 involved Microsoft products; and 13 were in Apple products. The remaining vulnerabilities involved products from a total of nine other vendors including Qualcomm, Trend Micro, Sonic Wall, Accellion (now Kiteworks), and Pulse Secure, Mandiant said.

    

Source: Mandiant

The data underscores how organizations cannot ignore the potential for threat actors to hunt for and exploit zero-days in less widely used technologies, says James Sadowski, principal analyst at Mandiant.

"While popular vendors remain popular targets for zero-day exploitation, we've gradually seen expansion of both technologies and vendors targeted by zero-day exploitation outside of main vendors," he says.

"Like we observed in the exploitation of Accellion FTA, threat actors can exploit vulnerabilities in these systems and cause significant damage," Sadowski says, referring to a zero-day flaw in a near obsolete Accellion product that led to breaches at multiple large companies.

**Many Reasons Why**  
Mandiant identified multiple potential reasons for the explosion in threat actor use of zero-day exploits last year. The company perceived the increased enterprise adoption of cloud, mobile, and IoT technologies as increasing the volume of software that organizations are using and therefore resulting in the discovery of more bugs. The increase in the number of so-called exploit brokers trading in zero-day vulnerabilities has also been a factor, as have increased investments in research and development by zero-day exploits threat groups. Google, meanwhile, attributed the surge to improved detection and disclosure of zero-day bugs — a factor that Mandiant too said was likely at play.

The security vendor's analysis showed that state-sponsored groups — especially those from China — continue to dominate zero-day exploit use. But there was a noticeable increase in the number of ransomware and other financially motivated threat groups leveraging zero-days in their attacks.

Sadowski says these threat actors are likely acquiring zero-day exploits via underground exploit brokers and criminal service providers. Or they could be recruiting the requisite talent in-house to research vulnerabilities and develop zero-day exploits, as appeared to be the case with the Conti ransomware group — leaked Conti chat files showed the threat actors discussing recently disclosed vulnerabilities and assigning members to build a scanner to identify potentially vulnerable systems.

"As ransomware groups collect increasingly large sums from their operations, we have observed them more frequently employ zero-day exploits in their operations," Sadowski says. Generally, though, it is extremely difficult to identify where a threat actor might have acquired a zero-day exploit, he says.

Bud Broomhead, CEO at Viakoo, says the increased use of zero-day exploits shows that threat actors are shifting their attack vectors away from vulnerabilities that traditional threat assessment and detection solutions would uncover. "That's why not just zero-day threats, but also exploiting IoT vulnerabilities and leveraging open source software, are rapidly growing enterprise threats," he says. The challenge for organizations is figuring out how to limit damage from a successful zero-day breach and figuring out how to protect against exploits targeting new attack vectors.

The growing use of zero-days highlights the need for organizations to have rapid, out-of-band patching capabilities, says John Bambenek, principal threat hunter at Netenrich.

"Organizations need to remain flexible and agile getting these into production," he says. "Remove as many barriers as possible to patching, including streamlining testing and change management."

Zero-Day Exploit Use Exploded in 2021

Security has benefited from shifting many late-cycle disciplines left or earlier in the cycle.

**Question: What does it mean to shift left in security? What steps do I take to start?**

**Vishal Jain, Co-Founder and CTO at Valtix:** Shift left in security should go deeper than just code.

Security has always been an afterthought and was often improved only in reaction to a vulnerability or incident. With app developers shifting many late-cycle disciplines left or earlier in the cycle, security has benefited. Developers now test and scan code earlier, deploying many more secure applications; proactive processes reduce risk by creating robust applications that are less expensive to maintain and secure over time.

However, we are constantly reminded that there is no such thing as an invulnerable application. Log4j is a perfect example. You have ubiquitous code that turns into a _severity 10_ vulnerability. Even with secure development practices, many organizations are still grappling with the impact of the Log4j vulnerability. This highlights another important aspect of shifting security left: depth.

If we assume that there is no such thing as an invulnerable application, then we acknowledge the need for defenses that work outside of the app. And while there are many ways to deploy such defenses (network-based, agent-based, etc.), they all have one thing in common: It's much easier and cheaper to put them in place if we shift left. What does that mean for an organization? It means deploying these controls, the policies using as-code, and constructs like Terraform. In other words, think about, plan, and build these layered defenses when planning and building the app, and you'll skip the scramble when your app becomes vulnerable for a time (i.e., when the next Log4j hits).

These controls are not new, conceptually, but can be implemented in a variety of ways. In layman's terms, we should manage _who_ we are talking to, _how_ we are speaking, and what we are talking about. In other words, these controls (defenses) work outside the app and might look at:

*   **Who:** Controls that look at identification and authentication of users, what organizations they come from, and what countries their traffic originates from. These access controls might go deeper and include various segmentation schemes.
*   **How:** Controls that limit the methods and protocols that access the application, and the kinds of trustworthy/untrustworthy spaces (e.g., unregulated service accessing a compliance-impacted application or service).
*   **What:** Controls that look at the content of the conversation — whether sensitive/confidential information and data that indicates a threat or attack at any level (e.g., network, app).

Organizations react to vulnerable applications by deploying web application firewall (WAF) solutions, installing endpoint protection, and monitoring logs for cyberattacks. Where these defensive capabilities should have already been in place, the app remains vulnerable, and time is spent managing the risk instead of improving processes that secure it. Organizations need to make a hard shift-left on the proactive security processes they need to secure their app.

The practical advice is to think about the depth of your security at each layer of the application's stack. As you shift security left, with depth, you'll have a better, more secure application.

What Steps Do I Take to Shift Left in Security?

Acquisition will blend autonomous threat hunting with cloud-native security analytics for automating security tasks.

Cloud-native logging and security analytics company Devo Technology has acquired Kognos, a provider of autonomous threat hunting tools.

According to Devo, the deal will help the company provide an "autonomous SOC" tool to automate the threat lifecycle, including detection, triage, investigation, and hunting — boosting efficiency and minimizing burnout among security teams.

"For analysts to have any chance of keeping up with today's adversaries, we need to shift the SOC's focus from weeding through thousands of alerts every day to actionable attack stories — the full sequence of steps taken to carry out an attack and an understanding of its impact," Devo CEO Marc van Zadelhoff said in a statement. "Kognos does exactly this with AI that understands attack scenarios in real-time and anticipates the questions analysts ask of their data. Pairing Kognos with Devo enables analysts to move beyond focusing on just alerts and empowers them to take quick, decisive action against threats."

Financial details of the deal were not disclosed.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Devo Acquires Threat Hunting Company Kognos

Biometric measurements should be part of any multifactor authentication (MFA) strategy, but choose your methods carefully: Some only establish trust at the device level.

As the world continues to move essential functions to digital environments, companies need trustworthy methods for verifying who is behind the screen. Multifactor authentication (MFA) has become the standard for preventing cyberattacks, with the US National Cyber Security chief saying it could prevent 80% to 90% of attacks. MFA works by requiring multiple layers of authentication, such as one-time passwords (OTPs), physical hardware tokens, or soft tokens.

While these do a better job of securing access and data than traditional passwords, what are they really verifying? In the case of SMS-delivered OTPs, the system is verifying your access to a phone; with hardware tokens, it's access to a physical card or device. But none of these require the actual person to confirm they are who they say they are. These methods rely on the assumption that the only person accessing these devices is their owner. Clearly, it's a device, rather than a person, that is being verified. So what can organizations do to improve on traditional MFA methods and build trust with the people behind each digital interaction?

Some methods for MFA verification, including hardware tokens and SMS-based OTPs, have been widely adopted, but they present clear challenges for organizations. Phone-based options require access to a smartphone — not something everyone has and not something companies want out in all environments. Token-based systems are not much better; tokens can be lost, forgotten, or easily handed to another user. The clear solution is to have a biometric measurement that is entirely unique to the user as part of any MFA strategy. But not all biometric methods are created equal, and some still only establish trust at the device level.

**Limitations of Device-Based Biometrics**  
Device-based biometrics, such as a fingerprint captured using the built-in sensor on a phone, PC, or dongle, are stored within the device that they are captured on. These systems offer a high level of convenience for the user, as well as strong security for personal use cases. However, device-based biometrics fall into the same trap as other MFA methods — it is still the device, and oftentimes an encrypted key, being verified, rather than the individual person.

Another security concern is that a device-based biometric authentication method unwittingly places the high-trust function of enrollment, or determining access privileges, into the user's control. This opens the possibility for unauthorized delegation where access is granted to someone other than the original person it was assigned to. For example, if a user goes into their iPhone and has TouchID enabled, they can enroll any fingerprints they'd like, including one that isn't theirs. This fundamentally removes an organization's ability to trust who is using the device.

Once again we see that this method confirms a device, not a user. Device-based biometrics are convenient but still don't provide the level of security necessary for completing critical tasks with trust on both sides.

**Benefits of Identity Vetting Using Biometrics**  
Identity verification and binding with biometrics takes a different approach. It endeavors to verify the precise, unique individual human rather than the holder of a device. The first step here is creating a biometric measurement to use like a signature for a person — a piece of data that is uniquely tied to them and can confirm their presence at the authentication step. By first establishing a biometric signature and then storing that centrally rather than on a device, organizations can have something to compare biometric data to.

For example, our company's technique, identity-bound biometrics (IBB), has organizations enroll and store biometric data centrally so that it remains immutable. This returns to the organization the power of determining access privileges instead of leaving device access open to the user. IBB offers high integrity and trust that someone is who they say they are and has the capacity to positively identify the individual — not just their device, token, phone, or anything else. In the digital world we live in, this is how to establish trust.

By utilizing a centrally stored biometric method, organizations are able to support people who need to have access across multiple devices and locations without any additional enrollment or process. They can simply walk up to a workstation, scan their biometric, and quickly login. Storing the encrypted biometric data centrally allows access to be granted for multiple places and devices across the organization.

Lastly, with better sensors and larger sets of data points captured about the user's biometric, IBB is more accurate than most device-based biometric methods.

**How IBB Works as a Centralized Biometric Method**  
IBB utilizes hardware, such as a camera on a mobile device or a fingerprint scanner, to scan the user's biometric input, confirming thousands (rather than hundreds) of data points. Once the biometric is scanned, it is sent through an end-to-end encrypted process and algorithmically altered to create a biometric template. This means that there are no actual fingerprints or measurements stored on the company's server — rather, a unique template that acts like a lock with an individual's biometric data as the key.

Besides the end-to-end encryption, IBB eliminates bad actors who threaten other places in the process as well. Using isolated, non-recreatable single sessions for each interaction eliminates the threat of a man-in-the-middle style interception and replay of the data. This allows for biometric data to be safely stored and managed centrally, rather than tied to individual devices.

Consider, for example, a bank teller who works in multiple branches. They deal with highly sensitive financial data on a regular basis but still need to be able to work from multiple locations and at different workstations throughout their day. Rather than enrolling them on a series of individual devices, the bank can employ IBB to allow the teller to work across devices companywide, while verifying who specifically is gaining access and completing transactions. The bank knows who is enrolled in the system, it knows that enrollment hasn't changed, and it has the flexibility to allow access only where required. This setup makes it extremely convenient for the teller to log into the system but also provides a higher level of integrity and trust for the employer.

In a digital world where access is happening from everywhere, and people are all "behind the screens," being able to trust that a specific individual has completed a login or transaction is critical. The standard MFA methods many organizations employ can only establish trust through something the user knows (a password) or has (a smartphone). Identity verification and binding using biometrics should be part of every MFA strategy so that the organization can maintain security and control while users enjoy a convenient biometric authentication experience. With higher integrity and convenience, organizations can streamline operations and build trust for themselves, their employees, and their customers.

Exploring Biometrics and Trust at the Corporate Level

Annual ThreatLabz Report reveals phishing-as-a-service as the key source of attacks across critical industries and consumers globally; underscores urgency to adopt a zero-trust security model.

**Key Findings**

· Phishing attacks rose 29% globally to a new record of 873.9M attacks observed in the Zscaler**TM** cloud last year

· Retail and wholesale were the most targeted industries, experiencing over a 400% increase in phishing attacks over the last 12 months

· The United States, Singapore, Germany, Netherlands, and the United Kingdom were the most frequently targeted by phishing scams

· Emerging phishing vectors, such as SMS phishing, are increasing faster than other methods as end users become more wary of suspicious emails

· Rising phishing activity is directly linked to “phishing- as-a-service” options, which provide a marketplace of pre-built attack tools that reduce technical barriers to entry for criminals

**SAN JOSE, Calif. – April 20, 2022** – Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today released the findings of its 2022 ThreatLabz Phishing Report that reviews 12 months of global phishing data from the Zscaler security cloud to identify key trends, industries and geographies at risk, and emerging tactics. According to the FBI Internet Crime Complaint Center (IC3), phishing attempts are the most frequently-reported cyberattack. Zscaler’s ThreatLabz research team analyzed data from more than 200 billion daily transactions, and 150 million daily blocked attacks in order to identify emerging threats and track malicious actors from across the globe. This year’s report showed dramatic 29% growth in overall phishing attacks compared to previous years, with retail and wholesale companies bearing the brunt of the increase. The report also showed an emerging reliance on phishing-as-a-service methods, as well as new attack vectors, such as SMS phishing, becoming one of the more prevalent methods of intrusion.

“Phishing attacks are impacting businesses and consumers with alarming frequency, complexity, and scope - with the rise in phishing-as-a-service making it easier than ever for non-sophisticated actors to launch successful attacks. Our annual report highlights how cybercriminals continue to escalate their usage of phishing as a starting point to breach organizations to deliver ransomware or steal sensitive data,” said Deepen Desai, CISO and VP of Security Research and Operations at Zscaler. “To defend against advanced phishing attacks, organizations must leverage a multi-pronged defensive strategy anchored on a cloud native zero trust platform that unifies full SSL inspection with AI/ML-powered detection to stop the most sophisticated phishing attempts and phishing kits, lateral movement prevention and integrated deception to limit the blast radius of a compromised user, proactive controls to block high risk destinations such as newly registered domains that are often abused by threat actors, and in-line DLP to safeguard against data theft.”

Phishing has always been one of the most pervasive cyberthreats, with various methods used to steal private information. One of the reasons this type of attack grows in prevalence every year is its low barrier to entry. Cybercriminals use current events, such as the COVID-19 pandemic or cryptocurrency, to convince unwitting victims to hand over confidential data, such as passwords, credit card information, and login credentials.

The 2022 ThreatLabz Phishing Report found that phishing attacks lure victims by posing as top brands or promoting topical events. The top phishing themes in 2021 included categories such as productivity tools, illegal streaming sites, shopping sites, social media platforms, financial institutions, and logistical services.

**A Global Problem**

In 2021, the U.S. was the most-targeted country globally, accounting for over 60% of all phishing attacks blocked by the Zscaler security cloud. The next most frequently attacked countries include Singapore, Germany, the Netherlands, and the United Kingdom.

Not all countries experienced the same attention from phishing attacks. For example, the Netherlands experienced a decrease of 38 %, which may have resulted from recently-passed legislation that increased the penalties for online fraud.

Phishing attacks were also not evenly distributed across different industries. Retail and wholesale businesses experienced an increase of over 400% in phishing attempts - the most out of all tracked industries. These businesses were followed by financial and government sectors, with organizations in these industries seeing over 100% increases in attacks on average. However, some industries experienced partial relief from phishing attacks last year. Healthcare saw a notable drop of 59 %, while the services industry saw a decline of 33 %.

**Phishing-as-a-Service - The Growing Threat**

While phishing has long been one of the most common tactics used in cyberattacks by sophisticated threat actors, it's becoming more accessible to non-technical cybercriminals due to a maturing underground marketplace for attack frameworks and services. By selling their pre-built phishing tools and services on the dark web, cybercriminals are making it easier to deploy phishing scams at scale, creating a greater chance for more phishing activity in 2022.

**Countering Phishing Attacks**

According to the Zscaler ThreatLabz research team, an average-sized organization receives dozens of phishing emails every day. This means that employees at all levels must be aware of the most common phishing tactics and empowered to spot phishing attempts that can result in financial losses and damage to the business’ brand.

Facing the threats outlined in the 2022 ThreatLabz Phishing Report can be daunting, and while it's impossible to eliminate phishing risk, effective management can prevent business-critical information from falling into the hands of cybercriminals. Among other recommendations, Zscaler suggests the following tactics for countering phishing growth:

· Learning and understanding the risks posed by phishing to better inform policy and technology decisions

· Leveraging automated tools and actionable intelligence to empower employees with the tools needed to reduce phishing incidents

· Delivering timely employee training to build security awareness and promote user reporting

· Simulating phishing attacks to identify gaps in security policies and procedures

· Evaluating security infrastructure to ensure access to the latest research and system capabilities

**How the Zscaler Zero Trust Exchange****TM Can Mitigate Phishing Attacks**

User compromise is one of the most difficult security challenges to defend against. The Zscaler Zero Trust Exchange incorporates phishing prevention controls into a holistic zero trust architecture that disrupts every stage of attacks and minimizes damages. Capabilities include:

· **Preventing compromise** with full SSL inspection at scale, threat analysis using natively integrated threat intel and IPS signature detection, AI/ML phishing detection, and policy-defined high-risk URL categories commonly used for phishing such as newly observed and newly registered domains.

· **Eliminating lateral movement** by connecting users directly to apps, not the network, to limit the blast radius of a potential incident.

· **Shutting down compromised users and insider threats** with in-line application inspection and integrated deception capabilities to trick and detect attackers.

· **Stopping data loss** by inspecting data both in motion and at rest to prevent theft by an active attacker.

To download the full report, see the ThreatLabz 2022 Phishing Report.

**Methodology**

The ThreatLabz team evaluated data from the Zscaler security cloud, which monitors over 200 billion transactions daily across the globe. ThreatLabz analyzed a year’s worth of global phishing data from the Zscaler cloud from January 2021 through December 2021 to identify key trends, industries and geographies at risk, and emerging tactics.

Source

DARKReading