The European Union's Digital Operational Resilience Act requires financial entities to focus on third-party risk, resilience, and testing.

Source: Sikov via Adobe Stock Photo

COMMENTARY 

January 2025 is a big month for the finance industry – and the clock is ticking. The Digital Operational Resilience Act (DORA) is set to shape how financial entities, such as banks, insurance companies, and investment firms, approach their IT infrastructure and data security. According to Article 3 (1), this regulation will enhance "the ability of a financial entity to build, assure and review its operational integrity and reliability."

Although IT security and digital resilience form a part of the reforms that followed the 2008 financial crisis, they've taken a back seat over the years. DORA aims to address the rising cyber threat.  

Member states across the European Union have until January to comply with this new regulation or risk severe fallout. A breach could result in fines of up to 2% of an organization's total annual worldwide revenue or up to 1% of the company's average daily worldwide revenue.  

Despite the urgent call to action, delays are making it difficult for institutions to prepare. While the scoping and harmonization templates were due to the commission in July, public release is uncertain. There are currently no sets of controls or technical standards, so how are those being impacted meant to prepare? 

But with time running out, financial entities do not have the luxury of watching and waiting. Without any real guidance, it's in their best interest to take matters into their own hands and do what they can with the information they have.

**Size Equals Complexity **

As with many new regulations, one of the key challenges is complexity – and DORA takes that to a whole new level, with six chapters and over 280 articles. It introduces a series of new standards and controls that companies must meet and for which a complete restructure of processes may be required.

Remember, DORA is a regulation, not a framework, so comprehending the many requirements is job No. 1 for organizations. To ensure compliance, organizations need full visibility over all company assets. This allows organizations to continuously monitor all systems and identify and address any potential gaps in security. 

**You Can't Protect What You Can't See **

Technology is a borderless entity; DORA calls for complete visibility, despite the vast array of interconnected devices used by firms. The new regulation focuses heavily on data and providing clear and actionable evidence. DORA places a particular emphasis on third-party risk, resilience, and testing – areas currently without an existing framework and becoming more vulnerable every year. 

PCI security standards, for example, focus solely on protecting credit card information. NIST's Cybersecurity Framework covers certain elements of recovery and fills the gap left by PCI, but it still doesn't cover reporting. DORA, on the other hand, doesn't focus so much on penetration testing but more on threat-based testing, requiring organizations to emulate a threat rather than conduct a vulnerability scan.  

So instead of monitoring for any existing cybersecurity vulnerabilities, the new regulations require organizations to monitor for any potential weaknesses – identifying and rectifying them before they can trigger unnecessary risk. This approach minimizes the risks of vulnerabilities developing and ensures organizations have real-time updates on the state of their security. 

**What Can Business Do at This Stage? **

One thing DORA is very clear on is an emphasis on results and the need to continually monitor for threats. This regulation should not to be taken lightly. Under DORA, authorities have the power to request data and execute powers to assess a company's compliance with these regulations.  

As a first step, organizations should conduct a thorough gap-analysis exercise to identify areas in need of improvement – within their own business as well as across their supply chains. Ahead of January, organizations must ensure that their risk management strategies are up to date. Right or wrong, DORA assumes firms have a sufficient risk management framework in place. The same is expected of parties in the supply chain, although how far down the chain is yet to be determined.  

All parties involved need to obtain and maintain detailed knowledge of all critical assets at any given time. Tools that continuously monitor all assets provide real-time critical information on processes across the company. Only through continuous monitoring can organizations understand where the gaps in their security are and ensure they are properly addressed. 

Regardless of delays, DORA is coming and businesses must be prepared. Organizations that view this incoming regulation as more than just another push for compliance – and instead a platform from which to truly enhance their security posture – will gain that all-important competitive edge. Through continuous monitoring and effective threat management, organizations will achieve a new level of protection across their entire network.  

**About the Author**

CEO, Quod Orbis

Martin Greenfield is the CEO of Continuous Controls Monitoring solutions provider, Quod Orbis. He has over two decades in the cyber security space. With his team, Martin helps deliver complete cyber controls visibility for our clients via a single pane of glass, through Quod Orbis’ Continuous Controls Monitoring (CCM) platform. Their clients can see and understand their security and risk posture in real time, which in turn drives their risk investment decisions at the enterprise level.

Preparing for DORA Amid Technical Controls Ambiguity

The journey toward a successful DevSecOps implementation is complex, requiring a strategic approach to overcome the myriad challenges it presents.

Debrup Ghosh, Principal Product Manager, F5 Inc.

November 8, 2024

4 Min Read

Source: Maskot via Alamy Stock Photo

COMMENTARY

In the evolving landscape of software development, the integration of DevSecOps has emerged as a critical paradigm, promising a harmonious blend of development, security, and operations to streamline feature delivery while ensuring security. However, the path to achieving this seamless integration is fraught with hurdles — ranging from the lack of security training among developers to the complexity of security tools, the scarcity of dedicated security personnel, and the generation of non-actionable security alerts.  

Historically, there has been a palpable tension between members of development teams, who prioritize rapid feature deployment, and security professionals, who focus on risk mitigation. This discrepancy often results in a "the inmates are running the asylum" scenario, where developers, driven by delivery deadlines, may inadvertently sideline security, leading to frustration among security teams. However, the essence of DevSecOps lies in reconciling these differences by embedding security into the development life cycle, thereby enabling faster, more secure releases without compromising productivity. Let's explore strategies for embedding security into the development process in a harmonious manner, thereby enhancing productivity without compromising on security. 

**The DevSecOps Imperative**

The adoption of DevSecOps marks a significant shift in how organizations approach software development and security. By weaving security practices into the development and operations processes from the outset, DevSecOps seeks to ensure that security is not an afterthought but a fundamental component of product development. This approach not only accelerates the deployment of features but also significantly reduces the organizational risk associated with security vulnerabilities. Yet, achieving this delicate balance between rapid development and stringent security measures requires overcoming substantial obstacles. 

**Understanding Your Risk Portfolio**

The foundation of effective DevSecOps implementation lies in gaining a comprehensive understanding of the organization's risk portfolio. This involves a thorough assessment of all software resources, including the codebase of applications and any open source or third-party dependencies. By integrating these assets into a centralized system, security teams can monitor security and compliance, ensuring that risks are identified and addressed promptly. 

**Automating Security Testing**

Automating security testing represents another cornerstone of effective DevSecOps. By embedding risk management policies directly into DevOps pipelines, organizations can shift the responsibility of initial security assessments away from developers, allowing them to focus on their core tasks while still ensuring that security is not compromised. This automation not only streamlines the security testing process but also ensures that vulnerabilities are promptly flagged to the security teams for further action. 

**Continuous Monitoring for Proactive Security**

Continuous monitoring is a critical component of DevSecOps, enabling organizations to maintain a vigilant watch over their repositories. By automatically triggering security tests upon any change in the codebase, this approach minimizes the need for developer intervention, ensuring that security checks are an integral, ongoing part of the development life cycle. 

**Simplifying the Developer Experience**

To truly integrate security into the development process, it is imperative to simplify the developer experience. This can be achieved by enabling developers to access information about security vulnerabilities within their familiar working environments, such as the integrated development environment (IDE) or bug-tracking tools. By making security an intrinsic aspect of their daily tasks, developers are more likely to embrace these practices, reducing the friction associated with external security mandates. 

**Conclusion**

The journey toward a successful DevSecOps implementation is complex, requiring a strategic approach to overcome the myriad challenges it presents. By fostering a culture of collaboration, automating security processes, and integrating security into the fabric of development workflows, organizations can mitigate risks without sacrificing speed or innovation. The goal of DevSecOps is not to hinder development with security but to empower developers with the tools and processes needed to build secure, high-quality software efficiently. By adopting these principles, companies can move beyond the "inmates running the asylum" paradigm to a more balanced, productive, and secure software development life cycle.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of his employer.

**About the Author**

Principal Product Manager, F5 Inc.

Debrup Ghosh is a seasoned product management leader with extensive experience in cybersecurity, SaaS, and AI-driven solutions. Currently a principal product manager at F5 Networks, he leads the development of cutting-edge Web application and API protection (WAAP) products with a focus on AI/ML innovations. Debrup has a proven track record of driving product success at major companies including Synopsys, Verizon, and Michelin. His leadership has earned him multiple global awards, including the 2024 Stevie Awards. A recognized thought leader, his insights have been featured in media outlets such as CNN and Forbes. Debrup holds an MBA from the University of California, Irvine, and a bachelor of technology from the National Institute of Technology, Tiruchirappalli.

How Developers Drive Security Professionals Crazy

PRESS RELEASE

Clearwater, Fla. – October 29, 2024 – According to a new AI Opportunity Report from remote connectivity and workplace digitalization solution company TeamViewer, 80% of U.S. business leaders say their organization’s AI adoption is mature, and 65% are sick of the hype and demand practical implementations of AI for their businesses. Leading from the C-suite, 81% of U.S. key decision makers currently use AI at least weekly, up from 60% last year, a notable 35% increase year-over-year. 

Most U.S. business leaders (72%) also agree that AI is vital to improving their organization’s financial outcomes. Along these lines, two-thirds (66%) agree that AI will positively affect revenue over the next year, with respondents saying that the technology makes an average of 249% revenue growth possible. Nearly a quarter of U.S. respondents (23%) believe that not implementing AI technology risks falling behind competitors and 24% foresee increased costs due to a lack of automation.

Successfully integrating AI into remote connectivity support is a prime example of how efficiencies can lead to better financial outcomes. Enter TeamViewer’s new AI-powered Session Insights.

AI-Powered Session Insights 

Aimed at helping IT teams boost efficiency and streamline operations, Session Insights is now being added to TeamViewer’s Tensor remote connectivity solution to automate session documentation and provide analytics, enabling faster handovers and smarter decision-making. By optimizing resources and capturing valuable knowledge, the new capabilities empower IT support teams to resolve issues faster, improve customer satisfaction, and scale expertise, even with limited staff.  

The new features will help internal IT teams better manage employee help desk requests and will also aid customer support teams providing remote assistance to keep their products onsite and customers up and running and aligned with uptime agreements. 

“AI adoption is growing rapidly as businesses increasingly recognize its tangible benefits in driving productivity and streamlining operations. Our research reveals that 81% of decision-makers now engage with AI at least weekly, a substantial rise from last year’s 60%. With the launch of TeamViewer’s new AI-powered Session Insights, we're enabling organizations to make smarter decisions and optimize processes while adhering to the highest security and data privacy standards. We uphold stringent encryption practices to safeguard customer data, ensuring secure processing, while also providing admins the control to enforce company-wide policies and keeping users informed every step of the way,” said Mei Dent, Chief Product and Technology Officer, TeamViewer. 

Trust, Security, Career Advancement & Equality

The report also delves into a variety of other topics gauging business leaders’ current perceptions of AI, including: 

*   Trust in AI: 50% of U.S. business leaders trust AI to act on business forecasts and make business decisions with an impressive 42% trusting AI to make decisions without human oversight.
    
*   Security: 75% of U.S. business leaders are concerned about data management in the use of AI and 67% would consider banning the use of AI outside of the IT team.
    
*   Career Advancement: 75% of U.S. business leaders believe AI is a key skill to enhance their career and 73% say AI has given them the chance to learn new skills they otherwise would not have.
    
*   The Great Equalizer: 72% of U.S. business leaders believe AI can help create equal job opportunities for parents and caregivers while 79% think AI can help increase accessibility in the workplace.
    

With 73% of U.S. respondents believing AI will drive the biggest productivity boom in a century and business leaders reporting that AI saves U.S. IT professionals approximately 16 hours per month, there is clearly huge momentum for increasing AI use in business, including TeamViewer’s AI-powered Session Insights, which integrates with Microsoft Teams and ServiceNow. More information can be found here.  

Survey Methodology 

In The AI Opportunity Report, TeamViewer uncovers the attitudes of 1,400 (500 in the U.S.) information technology, business, and operational technology decision makers towards Artificial Intelligence, across the UK, France, Germany, Australia, Singapore, and the U.S. The research was conducted online by Sapio Research in August and September 2024. 

About TeamViewer

TeamViewer is a leading global technology company that provides a connectivity platform to remotely access, control, manage, monitor, and repair devices of any kind – from laptops and mobile phones to industrial machines and robots. Although TeamViewer is free of charge for private use, it has more than 640,000 subscribers and enables companies of all sizes and from all industries to digitalize their business-critical processes through seamless connectivity. Against the backdrop of global megatrends like device proliferation, automation and new work, TeamViewer proactively shapes digital transformation and continuously innovates in the fields of Augmented Reality, Internet of Things and Artificial Intelligence. Since the company’s foundation in 2005, TeamViewer’s software has been installed on more than 2.5 billion devices around the world. The company is headquartered in Göppingen, Germany, and employs more than 1,500 people globally. In 2023, TeamViewer achieved a revenue of around EUR 627 million. TeamViewer SE (TMV) is listed at Frankfurt Stock Exchange and belongs to the MDAX. Further information can be found at www.teamviewer.com.

Business Leaders Shift to Tangible AI Results, Finds New TeamViewer Study

PRESS RELEASE

ESPOO, Finland, and LONDON, UK, 30th October, 2024:  Xiphera, a provider of highly-optimised, hardware-based cryptographic security, today announced its partnership with Crypto Quantique, a provider of quantum-driven IoT device security. The combination of Xiphera’s nQrux® Hardware Trust Engines and quantum-secure cryptographic IP, with Crypto Quantique’s QDID PUF (Physically Unclonable Function), offers quantum-resilience and immutable device identity for cryptographic hardware modules.  
The QDID PUF generates quantum-derived, secure, unclonable identities based on manufacturing variations unique to each semiconductor chip. The PUF, alongside other cryptographic primitives, forms the essential hardware root-of-trust IP required in security implementations.  
nQrux Hardware Trust Engines offer customisable cryptographic security modules with hardware-level trust and security services for the most critical environments and applications. nQrux IP cores enable full isolation of cryptographic operations and application-specific data into secure hardware elements. Xiphera’s extensive portfolio of cryptographic IP cores includes both traditional cryptographic algorithms, as well as Post-Quantum Cryptography (PQC) fighting against the looming quantum threat.  
“Many industrial and governmental entities recommend implementing quantum-resilient hardware solutions to prevent quantum attacks on current and future data. Cryptographic root-of-trust forms the security foundation of modern hardware infrastructures”, said Kimmo Järvinen, co-founder and CTO of Xiphera. “Upgrading these critical components to quantum-resilient algorithms and integrating Crypto Quantique’s PUF technology enables our customers to protect the identities and core security of their hardware devices into the foreseeable future.”  
Crypto Quantique’s CEO, Shahram Mossayebi, said, “The combination of nQrux Hardware Trust Engines and QDID provides the adaptability and upgradeability required for the security of connected devices. QDID creates random numbers on demand, so there is no need to store cryptographic keys in flash memory. This eliminates the danger of side-channel memory attacks revealing the keys. In addition, because PQC algorithms have large cryptographic keys, the PUF technology reduces the size of flash memory needed, reducing both power consumption and saving silicon area.”  
Learn more about Xiphera’s nQrux Hardware Trust Engines, and Crypto Quantique’s QDID IP cores.

You May Also Like

Xiphera &amp; Crypto Quantique Announce Partnership

Chinese APT groups increasingly lean on open source platform SoftEther VPN for network access. Now they're lending their know-how to Iranian counterparts.

Source: Owen McGuigan via Alamy Stock Photo

Infamous Chinese advanced persistent threat (APT) group "MirrorFace" has made notable moves into diplomatic espionage in the European Union using SoftEther VPN, the emerging tool of choice among these threat groups.

MirrorFace gained wide notoriety with its 2022 efforts to interfere in Japanese elections, and it has maintained operations in the country ever since. But researchers at ESET noticed the group recently popped up in the EU with espionage attacks against an unidentified diplomatic entity.

"For the first time, we observed MirrorFace targeting a diplomatic organization within the EU, a region that remains a focal point for several China-, North Korea-, and Russia-aligned threat actors," Jean-Ian Boutin, director of threat research at ESET, said in a statement about the findings. "Many of these groups are particularly focused on governmental entities and the defense sector."

**SoftEther VPN Abuse Surges Among Beijing-Backed APT Groups**

Beyond expanding operations to an entirely new continent, ESET said MirrorFace has started increasingly relying on SoftEther VPN to maintain access, but it is not the only group. Other China-backed APTs — Flax Typhoon, Gallium, and Webworm — have also shifted to the open source, cross-platform VPN software favored by many cybercriminals.

In February, a previously unknown adversary group called Hydrochasma was discovered abusing SoftEther VPN in a cyber-espionage campaign against Asia-based shipping companies. In April, Chinese language-speaking threat group ToddyCat was discovered using SoftEther VPN to steal data from government and defense targets in the Asia-Pacfic region on an "industrial scale."

Now, researchers warn, those tactics have landed in Europe.

"Some China-aligned APT groups have shifted to rely more on SoftEther VPN for various reasons. It’s a legitimate software, which helps avoid detection," says Mathiew Tartare senior malware researcher at ESET. "Setting an HTTPS VPN tunnel between the compromised network and the attacker’s infrastructure allows them to easily blend the malicious traffic in the legitimate HTTPS traffic."

Tartare adds SoftEther VPN also lets attackers appear to be an authorized remote user accessing the network using everyday remote desk protocol (RDP) tools.

"We would not be surprised to observe an increase in the use of SoftEther VPN and other legitimate VPN or remote access tools to bypass detections and blend into legitimate traffic," he says.

Notably, Chinese-backed APTs are also lending their cybercrime know-how to Iranian-backed adversaries for cyber-espionage against Iraq and Azerbaijan, as well as French diplomats, according to ESET. Additionally, Iran is putting its hackers to work gaining unauthorized access into financial services organizations across Africa.

Both Chinese and North Korean threat actors have upped the intensity of attacks on educational institutions in the US, South Korea, and Southeast Asia, the ESET report added.

China-Backed MirrorFace Trains Sights on EU Diplomatic Corps

PRESS RELEASE

TORONTO, Oct. 30, 2024 /PRNewswire/ -- In 2024, Canadian banks have seen just 34% of the reported fraud cases they experienced a year ago. And yet, Canadian retail banking customers appear on pace to lose as much as or more than the $569 million they lost to fraud in 2023 (triple what they lost in 2021). BioCatch – the global leader in digital fraud detection and financial crime prevention powered by behavioral biometric intelligence – says these findings suggest fraudsters have altered their strategies, honing attacks to target fewer Canadians for more money per scam.

"While fraud volumes have decreased significantly over the last year, we're observing an increase in the average value of these cases," BioCatch Director of Global Fraud Intelligence Tom Peacock said. "We can attribute much of this to the rise in social engineering scams in Canada, particularly impersonation scams, which are notoriously higher value than other fraud types. More than 70% of impersonation scam losses in Canada originate from five-figure cases, greatly boosting the country's scam-loss average."

BioCatch's 2024 Digital Banking Fraud Trends in Canada report, also highlights that most Canadian fraud victims are now ages 20-49 instead of 50-89, debunking the common misconception that older people provide easier and more lucrative targets.

"Artificial Intelligence is super-charging fraud," BioCatch Global Advisory Director Seth Ruden said, "compounding its impact, and allowing bad actors to scale and sophisticate their scams with deepfakes and other devices. As the industry deploys the newest authentication methods in both account opening and account takeover processes, fraudsters will undoubtedly attack these as well."

BioCatch also found one in seven scam sessions in Canada showed signs of remote access trojans (RAT), whether active RAT (where the fraudster tricks the victim into granting them control of the session so they can execute the fraud themselves) or passive RAT (where the fraudster guides the victim through payment process).

Click here to access BioCatch's complete 2024 Digital Banking Fraud Trends in Canada report.

BioCatch fraud prevention experts Tom Peacock and Seth Ruden will hold a live conversation about the growth of social engineering scams in Canada and the other latest fraud trends in the country on Nov. 14. To register for that exclusive session, click here.

About BioCatch:

BioCatch stands at the forefront of digital fraud detection, pioneering behavioral biometric intelligence grounded in advanced cognitive science and machine learning. BioCatch analyzes thousands of user interactions to support a digital banking environment where identity, trust, and ease coexist. Today, 32 of the world's largest 100 banks and 210 total financial institutions rely on BioCatch Connect™ to combat fraud, facilitate digital transformation, and grow customer relationships. BioCatch's Client Innovation Board – an industry-led initiative featuring American Express, Barclays, Citi Ventures, HSBC, and National Australia Bank – collaborates to pioneer creative and innovative ways to leverage customer relationships for fraud prevention. With more than a decade of data analysis, 92 registered patents, and unmatched expertise, BioCatch continues to lead innovation to address future challenges. For more information, please visit www.biocatch.com.

Canadians Expected to Lose More Than $569M to Scams in 2024

Questions remain over what a corporate ban will achieve, since Canadians will still be able to use the app.

Source: SOPA Images Limited via Alamy Stock Photo

ByteDance is being exiled from Canada, though the TikTok app is not.

Following the US's example, Canada has spent recent years rubbing up against the world's most popular Chinese app. In February 2023, TikTok was banned from all government devices, citing security concerns. Later that year, the government called for a broader national security review under the 1985 Investment Canada Act, which empowers the government to scrutinize foreign investments.

In concluding that review, the minister of Innovation, Science and Economic Development Canada (ISED) — a federal agency responsible for regulating and supporting various aspects of the country's economy, industry, and scientific endeavors — unveiled a significant, though not comprehensive, development in his country's approach.

To address "specific national security risks," the minister said yesterday, the offices of TikTok Technology Canada Inc. — the Canadian subsidiary of ByteDance, TikTok's parent company — must now be shuttered. However, he noted, the government will not actually block any Canadians from using the app, as "the decision to use a social media application or platform is a personal choice."

**TikTok vs. Governments**

Ever since TikTok blew up during the COVID-19 pandemic, governments worldwide have struggled with how to administer: Ban it, to the chagrin of millions, or don't, and risk consequences to mass privacy and national security.

Concern is widespread that the Chinese Communist Party (CCP) could conduct data gathering and spying through TikTok, since it wields potentially unlimited authority over Chinese companies. And "The CCP has long been known for having an enormous capability to gather otherwise benign-looking datasets, and to process them to produce intelligence to further its national interests," notes Casey Ellis, founder and adviser at Bugcrowd. "While it can easily be argued that Western governments and companies are capable of the same, the CCP's national interests are at best competitive, and at worst disruptive to the national interests of the West."

Blocking the app to prevent CCP data gathering is controversial, however, since it's massively popular, and there is no definitive, significant proof of such malicious activity to date. A few scattered countries have done so (for varying reasons), most notably India in 2020, but most have taken up solutions somewhere in the middle.

In 2020, President Trump signed executive orders effectively forcing ByteDance to sell TikTok to an American company, or else face a national ban. President Biden's No TikTok on Government Devices Act banned the app in government settings, and his Protecting Americans from Foreign Adversary Controlled Applications Act carried the forced sale idea from the Trump administration. US policy is likely to subside now that Trump has been elected again. "Trump has made strong moves against ByteDance in the past," Ellis notes. "He has a reputation for being tough on China, and for operating on the assumption that China is competitive to the US as a great power. I think we'll see more activity around addressing 'creeping threats' from ByteDance and other Chinese companies, particularly those with a larger and established presence, both in the US and amongst its allies, over the coming year."

Meanwhile, in 2023, the Canadian government took parallel actions. And just as it had in the US, TikTok says it will challenge Canada's latest ruling in court.

**What Would Actually Solve TikTok Privacy?**

Debate has now begun over whether banning the corporate half of the TikTok operation will be helpful, if not abjectly harmful to Canada's national security aims.

As Canadian academic Michael Geist argued in a blog post, "banning the company rather than the app may actually make matters worse since the risks associated with the app will remain but the ability to hold the company accountable will be weakened," since it will no longer have a domestic presence. "It is hard to envision it prioritizing (or perhaps even complying) with Canadian regulatory processes if it is banned from formally operating in the jurisdiction."

Dark Reading has asked the ISED for its view of how the ban will benefit Canadian national security. This article will be updated when ISED's response is received.

A separate development poised to directly affect TikTok data collection in Canada is the legislation C-27, which would supersede the Personal Information Protection and Electronic Documents Act, Canada's primary privacy legislation since 2000.

C-27 packages three separate Acts: the Consumer Privacy Protection Act, the bit most relevant for TikTok user privacy; the Electronic Documents Act; and the Artificial Intelligence and Data Act. Though it may be viewed as efficient and ambitious to address so many issues at once, ongoing debates primarily around the artificial intelligence component are currently holding up the passage of the other two along with it.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Canada Closes TikTok Offices, Citing National Security

Though Cisco reports of no known malicious exploitation attempts, three of its wireless access points are vulnerable to these attacks.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Cisco is warning of a bug found in its Unified industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) access points that could allow an unauthenticated remote attacker to release command injection attacks.

An attacker could exploit the vulnerability by sending HTTP requests to the Web-based management interface of an affected system. If successful, the attacker could execute arbitrary commands with root privileges in the affected device's underlying operating system.

The vulnerability exists due to an improper validation of input to the Web-based management interface. It affects the three Cisco wireless access points (APs) if they have the URWB operating mode enabled and are running a vulnerable release: Catalyst IW9165D, Catalyst IW9165E (both APs and clients), and Catalyst IW9167E.

Devices not running URWB operating mode remain unaffected by this vulnerability. To ascertain whether URWB is enabled, users should use the "show mpls-config" CLI command.

"If the command is available, the URWB operating mode is enabled and the device is affected by this vulnerability," Cisco said. "If the command is not available, the URWB operating mode is disabled and the device is not affected by this vulnerability."

Cisco said it's unaware of any public exploitation of the vulnerability and has released a fix for the flaw, but there are no other workarounds to address it.

**About the Author**

Cisco Bug Could Lead to Command Injection Attacks

The malware combines a miner and data stealer, and it packs functions that make detection and mitigation a challenge.

Source: Wirestock Creators via Shutterstock

Thousands of people — including many using applications such as AutoCAD, JetBrains, and the Foxit PDF editor — have become victims of a sophisticated data-stealing and cryptomining malware campaign that's been active since at least February 2023.

The as-yet-unidentified threat actor behind it is distributing the malware via forum posts and illegal torrents. What makes the malware challenging to mitigate is its use of SSL pinning and TLSv1.3 encryption to protect its command-and-control (C2) communications and data exfiltration activities against interception and analysis.

Researchers at Kaspersky who discovered the malware are tracking it as "SteelFox." In a report this week, they described the threat as not targeting any user, group, or organization specifically. "Instead, it acts on a mass scale, extracting every bit of data that can be processed later," the security vendor's researchers noted. "The highly sophisticated usage of modern C++ combined with external libraries grant this malware formidable power."

More than 11,000 people appear to have fallen victim to the malware bundle, mostly across 10 countries, including Brazil, China, Russia, Mexico, and the United Arab Emirates.

The initial access in each case resulted from people acting on posts that advertised SteelFox as an efficient application activator — i.e., a tool that allows users to bypass licensing mechanisms and activate a commercial application for free. The apps that SteelFox purported to be an activator for included Foxit PDF Editor, JetBrains, and AutoCAD.

"While these droppers do have the advertised functionality, they also deliver sophisticated malware right onto the user’s computer," the researchers wrote.

**Sophisticated Execution Chain**

Kaspersky's analysis of the SteelFox activator for JetBrains showed that once it has initial access, the malware asks for administrative access to the user's system. It then uses that access to begin installing the application activator in the computer's Progra Files folder. During the process, SteelFox also drops a malicious Portable Executable file for 64-bit Windows systems (PE64). The file goes through a series of execution steps before retrieving and deploying a modified version of the XMRig coin miner with hardcoded credentials to a mining pool.

The malware then connects to its C2 server, at which point a separate data stealer component is triggered. The stealer first enumerates or determines the browsers on the victim's systems and deploys functions for stealing a range of data, including credit card data, cookies, browsing history, and a list of sites the user might have visited. Other data that Kaspersky found the stealer pilfering from compromised systems included information on all installed software, network info such as wireless interfaces and passwords, drive names and types, user information, and RDP session information.

The security vendor pointed to several mechanisms that the authors of the malware have implemented to make it hard for defenders to detect and mitigate against the threat. The initial stage executable, for instance, is encrypted, making analysis harder. The initial PE64 payload is modified, after deployment, by overwriting time stamps and inserting random junk data to avoid detection. For persistence, the second-stage payload creates a Windows service and configures it to auto start ensuring the malware remains active through system reboots. Before actual payload execution the malware launches and loads from inside a Windows service that requires privileges unavailable to most users.

"This makes any user actions against this loader impossible because even copying this sample requires NT\\SYSTEM privileges," Kaspersky said.

**A Growing Challenge for Defenders**

SteelFox's use of SSL pinning — where a client application or device uses a specific certificate or public key — and the TLSv.3 encryption protocol for C2 communication is another issue because they allow the malware to operate covertly with a low risk of detection.

"SteelFox has emerged recently, and it is a full-featured crimeware bundle. It is capable of stealing various user data that might be of interest to the actors behind this campaign," Kaspersky's researchers wrote.

SteelFox is only the latest manifestation of what security researchers have described as the growing sophistication that threat actors have begun incorporating into their malware and tactics. Another recent example is CRON#TRAP, a campaign, where a threat actor is using custom-emulated QEMU Linux environments to stage malware and execute malicious commands in near-undetectable fashion. In May, Elastic Security reported GhostEngine a multimodal malware toolkit that, among other things, has functions for effectively killing endpoint detection and response mechanisms. The proliferation and easy availability of generative AI (GenAI) tools also has fueled some of the recent innovation around malware tactics, especially in influence operations and misinformation campaigns.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

While training and credentialing organizations continue to talk about a "gap" in skilled cybersecurity workers, demand — especially for entry-level workers — has plateaued, spurring criticism of the latest rosy stats that seem to support a hot market for qualified cyber pros.

Source: Gorodenkoff via Shutterstock

When training and credential provider ISC2s released its latest workforce analysis recently, the report's continued focus on a gap between the number of "needed" cybersecurity professionals and the estimate of the current workforce touched off a backlash.

Following discussions with dozens of unemployed cybersecurity professionals, field CISO Ira Winkler of CYE Security wrote an open letter to ISC2, criticizing ISC2's continued focus on the gap as a measure of true demand. Ben Rothke, a senior information security manager at Experian, also took issue with the data, as well as the marketing that fuels get-rich-in-cybersecurity training programs.

Rather than a healthy market for cybersecurity labor, workforce estimates have plateaued — both in North America and worldwide — suppressed by a lack of budget to pay for cybersecurity hires. It's something even the ISC2 even flagged in its report. Essentially, no matter how much businesses may want to hire additional cybersecurity professionals — and 59% of professionals surveyed by ISC2 claim to need skilled workers — budgets are tight and being spent elsewhere, resulting in stagnating demand for cybersecurity workers.

It's high time to sit down prospective cybersecurity professionals for a real-world talk, Winkler says.

"My gut reaction was, hey, whatever the number of openings is, that should not be \[ISC2's\] concern — they should be worried about the members who are long-term unemployed, of which there are many," he says. "Many of these people are really frustrated hearing that there's all these openings, and they can't get one."

For years now, reports from a number of organizations estimating the cybersecurity workforce size (and its potential size) have focused on the "cybersecurity workforce gap" between the number of workers that security managers claim they need and the estimate of actual workers they have in place. The perceived gap has attracted potential students to train — or increasingly, retrain — for a job in cybersecurity. In late October, when the ISC2 released its aforementioned "2024 Cybersecurity Workforce Study" report, the organization estimated the gap had grown 4% to 543,000 for cybersecurity workers needed in North America, while its estimate of the existing workforce shrank by 2.7% to 1.45 million.

Overall, the cybersecurity jobs market continues to struggle with factors including overestimates of demand, a lack of well defined career paths, and subpar training, industry watchers say.

**Skills Gaps & Job Postings**

The ISC2's survey of more than 15,8000 practitioners and decision-makers is a good-faith attempt at determining how much cybersecurity expertise is needed by businesses worldwide. But even with the majority of those surveyed claiming a need to hire more help, when paired with other data — such as job openings and government data — the ISC2 noted that "the cybersecurity workforce growth is slowing" worldwide, essentially plateauing with a 0.1% growth rate.

Still, using the same data, the shortfall in cybersecurity workers is estimated to be 4.8 million globally.

"For clarity, that doesn't mean there is 4.8 million jobs out there," acknowledges Jon France, CISO for ISC2. "It means the profession — by asking nearly 16,000 people and using secondary data sources — reckons that to become secure as we need to be, 4.8 million people need to come into the market."

The cybersecurity workforce peaked in North America in 2023 and has plateaued globally, while the overall "needed" workforce continues to grow globally. Source: Author, using data from ISC2's Cybersecurity Workforce Studies 2021-2024

Cyberseek — a collaboration between certificate group CompTIA, workforce analysis firm Lightcast, and the US National Institute of Standards and Technology (NIST) — estimates that there are 457,000 cybersecurity-related job openings in the United States and a total workforce of 1.25 million, according to its website. The analysis counts any worker with significant cybersecurity responsibilities as related to cybersecurity, and it focuses on counting actual job postings with an emphasis on deduplicating, says Will Markow, formerly with Lightcast but now senior vice president of Workforce Solutions for Cyberwarrior, a training and consulting services firm.

"That's gives us a view into how many jobs there actually are, not how many jobs companies would like there to be," he says. "You can think of the estimates as two ends of the spectrum: They both still show a gap, but the data from Cyberseek is going to show a smaller gap, because it's looking at how many jobs are companies actively recruiting for and trying to fill, as opposed to how many in an ideal world security leaders would be hiring for if they had as much budget as they could possibly want."

**"Ghost Jobs" & Reverse Pyramids**

Jobseekers are likely also running afoul of the trend in ghost-job posting. Nearly half of hiring managers have admitted to keeping job postings open, even when they are not looking to fill a specific position. That's being used as a way to keep employees motivated, give the impression the company is growing, or to placate overworked employees, according to a survey conducted by Clarify Capital.

These ghost jobs are a significant problem for cybersecurity job seekers in particular, with one resume site estimating that 46% of listings for a cybersecurity analyst in the United Kingdom were positions that would never be filled--compared with about a third for all roles.

Budgets are getting tighter as well, with nearly half of security teams (49%) facing cutbacks in the past year, up from 48% in 2023, according to ISC2. Cutbacks include hiring freezes experienced by 38% of companies, budget cuts faced by 37% of teams, freezes on promotions (32%), and layoffs (25%).

Those economic pressures are another reason that purported jobs are not materializing, says Jon Brandt, director of professional practices and innovation at ISACA, an information-technology certification organization.

"People can respond to any survey and say, hey, we have a need for 20 more people," he says. "But at the end of the day, unless an organization is taking active steps to hire, then that's not a data point we should be looking at right now."

For entry-level workers without significant experience, the picture is especially grim. Cyberseek's career pathway data shows that demand for workers resembles a reverse pyramid. Entry-level jobs are more rare, with about 20,000 jobs available, while there are 34,000 midlevel positions and 73,000 advanced positions.

Entry-level cybersecurity professionals are not in high demand because most security positions require and automation and AI is exacerbating the issues, says Experian's Rothke.

"To a degree, entry-level security is a misnomer," he says. "Security roles really aren't entry level to begin with, because hiring managers want you to have this technical level of IT. So spend a few years to get work experience, and then you're going to get into security."

Job seekers with significant technical experience are still in demand, while those fresh out of a degree program are finding the job search more difficult.

**False Hopes & Expectations: "It's Criminal"**

While there remains a lot of potential in the industry for technical people, especially as the profession expands in the future, job seekers are not currently being well served, cybersecurity recruiter Jeff Combs said recently during a streamed discussion with ISACA's Brandt.

"I think one of the disservices that is being done to many people who are entering the field," Combs said, "is the promise of this new exciting field where, if you finish your degree or you go through this bootcamp or you get this specific certification, you're guaranteed an entry point into a $100,000 per year career path. Honestly, I think it is criminal."

In the end, between economic pressures on security budgets, a pipeline that does not adequately account for training, and training that struggles to provide the right mix of skills, the workforce trials of cybersecurity professionals will likely continue, says Cyberwarrior's Markow.

"I like to think of it right now as a tale of two job markets, because on the one hand, you do see strong evidence of a gap overall within cyber, but there are two different camps of workers who have very different job-hunting experiences," he says.

He adds: "Many companies are still asking for heightened experience requirements, heightened degree requirements, and heightened certification requirements that effectively constrain the talent pipeline into cyber security, and that means that we actually see very different dynamics across different corners of the workforce."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Source

DARKReading