Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Notify Users About Modification menu and the Notifications feature. A user can send malicious notifications and execute JavaScript code in the browser of every user who has enabled notifications. This is a stored XSS, and can lead to privilege escalation in the context of the application. (Another issue is present in the Favorites tab. The name of a favorite or a folder of favorites is interpreted as HTML, and can thus embed JavaScript code, which is executed when displayed. This is a self-XSS.)

��ܥ�!U�sЕ������'��.�yZB<�|�iHF�ҁ!%�m���m/7}�3i��<�vD�|;�눩|�u\`H U)�����3��������9�;��p)P����!� 6��Un��?��PHˋ�i\[e ���a�v� �e?�5�<�F>b�\],a��w�KÓ8�K�\` �1�:�F�ţl�"�5�9�F~R�Y�p0O���|2 �IAa���s0|��b�p!����b�c#?&�ϓ88흷 i��������e�o�E,�����L�1�͋�P���$f�s8���b�/�N�B�\]qp���s0����"-ҡ9���A�/c�\[o���%�����dR�HD�\_��\[��ՒW���K%�l�(��eڈ��M�0N{�?�D�a��8���W����K%�l�(�Xeڈ �PdJ,O�Ȓ��~�%�z��tRUȎ�b�O��@:�Cq�)q��.�8��-�b�u1�$ن7t�� Y�ȨM���7p��a��"�6j��k\]1I����8H��Z� "�e��%�+-y�F��v{��Q^E��L qȷ���'�%�r}�{-V��(iQE�� �Ƿaψ�8H�8HKw�t���z,&�Ea��ڰ���0�jL�.,q��Wư���K:d�'=�J�o�����������2��K�e���<��m\_�y8�%�!�f�y�1>-u��2�����!T�e�$�qTQ���o������j���Ϟc�$z��w/ q���yc�z�e,u�/I�6\_�F@bi��Ak�\`I��n�,�F'o��"�?�A�V~�K�$/�9s��;�n��uce���.���pp�Z$���Kp�߮UƎ����Fuq0Y{�P(�R�,Mؐa� \_��c��\`K\\o�����d��>�MV�i�=\\dG

CVE-2022-34322

The effectiveness of attacks largely depends on organizations' distributed denial-of-service defenses.

As Russian ground troops prepared to enter Ukraine in February 2021, Ukrainian governmental departments, online media organizations, financial firms, and hosting providers were slammed with a surge of distributed denial-of-service (DDoS) attacks. These attacks only increased in frequency and impact as Russian tanks rolled across the border, adding to the frenzy and chaos of that time.

Quick to hit back, Ukraine's IT Army sprang to life during the early days of the conflict. Much like Ukraine's volunteer army on the ground, recruits flooded in from all over the world to take part in the brewing war being waged online between Russia and Ukraine, with observed DDoS attacks focused on Russian targets increasing by 236% between February and March.

What seems clear is that whether issued by hacktivists or nation-states, DDoS attacks are often the opening salvo between opposing forces in today’s geopolitical conflicts. Compared with other types of cyberthreats, DDoS attacks can be launched relatively quickly. In addition, while DDoS attacks can cause significant disruption on their own, they can also mask or distract attention from more significant threats.

And, as seen in Ukraine and elsewhere, the use of DDoS attacks on the digital battlefield seems to be increasing. This article will examine the history of DDoS attacks for geopolitical conflict compared with recent attacks, providing insights that organizations can use to protect themselves from collateral damage.In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

**2022: A Record-Setting Year for DDoS**

The use of DDoS attacks to gain geopolitical advantage is nothing new, but the frequency at which these types of attacks are growing is noteworthy. In the latest "DDoS Threat Intelligence Report," Netscout reported more than 6 million attacks in the first half of 2022. Of these attacks, a majority corresponded with national or regional conflicts.

To continue with the Ukraine example, the frequency of DDoS attacks directed at Ukraine leveled off by April 2022, while cyberattacks ratcheted up against perceived allies of Ukraine. This likely is attributable to Ukrainian Internet properties migrating to countries like Ireland, as instability in the intra-Ukraine Internet forced many network segments to rely upon connectivity in other countries.

Echoes of this conflict continue to resonate across the global Internet. In March 2022, India experienced a measurable increase of DDoS attacks following its abstentions from United Nations Security Council and General Assembly votes condemning Russian actions in Ukraine. Similarly, during the first half of the year, Belize endured its single highest number of DDoS attacks on the same day that it made public statements in support of Ukraine.

Elsewhere, the nation of Finland — a close neighbor of Russia — experienced a 258% percent year-over-year increase in DDoS attacks coinciding with its announcement to apply for membership in NATO. Poland, Romania, Lithuania, and Norway, meanwhile, all were targeted with DDoS attacks by adversaries linked to Killnet, a group of online attackers aligned with Russia.

But these examples rooted in the conflict between Russia and Ukraine are not the only online battlegrounds where fights over geopolitics are being waged. As tensions between Taiwan and China and Hong Kong and China escalated during the first half of the year, DDoS attack campaigns often coincided with public events. For example, in the run-up to Nancy Pelosi's historic visit to Taiwan this summer, the website of Taiwan's presidential office and other government websites went dark due to DDoS attacks. And in Latin America, during a contentious election in Colombia this past year, waves of successive DDoS attacks were launched during the initial vote and the contested runoff.

One common thread is that many of these attacks use known attack vectors and readily available DDoS-for-hire services, also known as booter/stressor services, found on the Dark Web. These illicit services typically offer a restricted tier of free demonstration DDoS attacks to prospective customers, lowering the bar for would-be attackers to rapidly spin up attacks at very little to no cost. However, because these attack vectors are well-known, they can be easily mitigated in most circumstances.

**Don't Become Collateral Damage**

DDoS attacks have the potential to seriously disrupt Internet operations for their intended targets, but they can also cause a significant collateral impact footprint for bystander organizations and Internet traffic. This risk is particularly high as data hosting and services flow from war-torn regions like Ukraine to locations abroad.

In many of the examples listed above, the effectiveness of attacks largely depended upon whether targeted organizations had organized DDoS defenses. In Ukraine and other countries, disruption was quickly remedied for unprotected organizations as global DDoS defense companies stepped in to help Ukrainian organizations that needed it. However, ongoing defenses are still needed for most organizations.

Amid this environment, the most prudent course of action to prevent collateral damage is to regularly assess DDoS risk factors, especially related to direct service delivery elements, supply chain partners, and other dependencies. Organizations should ensure that critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected. They also should check to make sure DDoS defense plans reflect ideal current configurations and operational conditions, and that the plans are periodically tested to verify that they can be successfully implemented as required.

In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

War and Geopolitical Conflict: The New Battleground for DDoS Attacks

Dark Reading's panel of security experts deliver a magnum of bubbly hot takes on what 2023 will look like, featuring evil AIs, WWIII, wild workplace soon-to-be-norms, and more.

The end of the year is upon us, and that means predictions — lots and lots of predictions. And no wonder: With 2022 in the books, cybersecurity professionals worth their salt are starting to think about what's around the next bend; one needs to be prepared, after all.

This year, we wanted to break out of the mold of covering predictable predictions ("more automation is on the horizon," anyone?) to focus on some of the more out-there views on what the cybersecurity landscape might hold for the next revolution around the sun. In this, our stable of experts didn't disappoint.

Security experts from near and far gave Dark Reading their most outrageous/boldest security predictions for 2023. Whether that's something that will happen on the threat side of things (hackers will start WWIII), an impending crazy cyberattack (looking at you, evil Santa elves), a prediction for insane futuristic tech on the defensive side (bot vs. bot), nutty enterprise trends (spyware for employees), what have you — these crystal ball-isms will hopefully make you think about what is in store.

For instance, David Maynor, director of the Cybrary Threat Intelligence Team (CTIG), offered up a slew of hot takes for 2023 that run to the dystopian. And we're here for it:

"Information security practitioners will continue to be divided into topics, such as active defense, to the point that pseudo-religious cults may form," he opines. "DEF CON will be canceled. A reboot or sequel of one of the following movies will be greenlit: Hackers, Sneakers, WarGames, The Net, Swordfish."

Nicely done, David. And that's just the beginning.

**Cookies to the Rescue: A Seasonally Appropriate Hacking Collective**

To kick things off, Dean Agron, CEO and co-founder of Oxeye Security, flagged an impending cyberattack that's sure to hit everyone on Santa's list, not just the naughty ones.

>   
> "The 'Santa's Gift' attack, from a Greenland-based hacking group called '\[email protected\]'s 3lves' will allow attackers to bypass input sanitation mechanisms by using a specific combination of 🎅🏼 🦌 🧝 🎄 🎁 🛷 emojis (Santa, reindeer, elf, Christmas tree, gift, and sleigh). Every input that allows inputting emojis is vulnerable, and the right permutation of emojis will immediately enable root access to your cloud infrastructure. Privacy and security advocates who have been fighting to eliminate cookies are rethinking their posture, as an overflowing stack of cookies (and a glass of milk) is the only known measure to combat this attack." — Dean Agron, CEO and co-founder of Oxeye Security

Yes, he was just kidding. But it made you wonder for a minute, didn't it? Onto the real predictions!

**Automation Is Finally Ready for Prime Time**

Sure, predicting the use of more security automation is like saying there might be more political division in Congress in the new year. But at least one of the experts we tapped took it an extra step further.

>   
> "The drive to use automation to replace human workers will evolve into automating away the need for useless middle management where both workers and executives rejoice." — John Bambenek, principal threat hunter at Netenrich

Ouch.

**Scary AI & Machine Learning Gets ... Scarier**

The idea of weaponized deep fakes becoming a go-to method for attackers was a theme for many of the bold predictions that Dark Reading received.

>   
> "We haven't really seen it at scale yet, but with the trouble we already have getting our users to follow policy and not fall for social engineering attacks, how much worse will it be if (when) we have to deal with videos of their boss telling them that it's totally cool to give that random caller your password?" — Mike Parkin, senior technical engineer at Vulcan Cyber

Others also warmed to this theme.

>   
> "In 2023, fraudsters will devise new ways to hack into accounts, including new ways to spoof biometrics, new ways to create fraudulent identity documents, and new ways to create synthetic identities." — Ricardo Amper, founder and CEO at Incode

Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, points out that scary-level AI can juice the D, too.

>   
> "2023 will be the first year of bot vs. bot. The good guy's threat hunting and vulnerability-closing bots will be fighting against the bad guy's vulnerability-finding and attacking bots, and the bots with the best AI algorithms will win. 2023 is the year where AI becomes good enough that the humans turn over defense and attacks to self-traveling and replicating code for the entire attack chain from initial root exploit to extraction of value." — Roger Grimes, data-driven defense evangelist at KnowBe4

**Chatbot AIs: A Particularly Nasty Strain**

Sometimes the dark view of AI use has to do with unintended consequences, with Maynor linking back to his WarGames reboot note.

>   
> "A person with no programming or security knowledge may accidentally create a destructive, self-propagating worm using an AI chatbot and then accidentally release it on the Internet, causing almost a trillion dollars in damage worldwide." — Cybrary's Maynor

Hmmmm, what AI chatbot could he possibly be referring to? At least one person we talked to has no qualms naming names, with a dark prediction about AI-assisted phishing.

>   
> "Hackers will use ChatGPT to develop multilingual communications with unsuspecting users in business supply chains. Many of the most notorious cybercriminal gangs and state-sponsored cybercriminals operate in countries like Russia, North Korea, and other foreign countries \[which makes them\] somewhat easier for end users to detect. This technology can develop written communications in any language, with perfect fluency. It will be very difficult for users to recognize that they are potentially communicating via email with an individual who barely speaks or writes in their language. The damage this technology will cause is almost a certainty." — Adrien Gendre, chief tech & product officer and co-founder at Vade

Of course, these are early days for ChatGPT and its ilk. Imagine the risk once development really gets going.

>   
> "It's only now that the AI algorithms have evolved where good bot vs. bad bot becomes a realistic threat. ChatGPT showed us what was possible ... and it's not even the latest AI version. I'm not scared of ChatGPT. I'm scared of its children and grandchildren." — KnowBe4's Grimes

**Apocalypse Now? Critical Infrastructure Is Set to Burn...**

Evil AIs are forever tied in most of our minds with taking over the world and bringing about apocalypse (save John Connor!). But some experts tell Dark Reading that the apocalypse doesn't need to wait for the sentient robots.

>   
> "In 2023 we'll see a disruption to network supply chain unlike anything we've ever seen before: A new tactic that will be added to the warfare arsenal is the sabotage of fiber cable. It has long been a war tactic to target communication lines, but the attacks will be farther reaching and wipe out Internet access for entire continents." — Daniel Spicer, chief security officer at Ivanti

Sure, the Internet disappearing overnight could cause major dysfunction, but what about a long-term lack of power?

>   
> "The skills gap, recession and tensions abroad are forming a perfect storm for a major attack on the power grid in 2023. At the beginning of 2022, Homeland Security warned that domestic extremists had been developing plans to attack the US electric power infrastructure for years. The combination of aforementioned factors makes the US's power grid more vulnerable to cyberattacks than it has been in a long time." — Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence

Ian Pratt, global head of security for personal systems at HP Inc., even offers Dark Reading a potential attack vector for such a scenario.

>   
> "Session hijacking — where an attacker will commandeer a remote access session to access sensitive data and systems — will grow in popularity in 2023. If such an attack connects to operational technology (OT) and industrial control systems (ICS) running factories and industrial plants, there could also be a physical impact on operational availability and safety — potentially cutting off access to energy or water for entire areas." — HP's Pratt

**... Or Maybe Not**

There's a contrarian in every bunch. Ron Fabela, CTO and co-founder at SynSaber, laid one such prediction on Dark Reading: that 2023 will be remembered for the ICS cyberwar that wasn't.

>   
> "While everyone in industrial cybersecurity will continue to fear all-out cyberwar, with predictions of turning off the power grid and poisoning our water shouted from rooftops and Capitol Hill, one thing is for certain: It's a paper dragon, all hot air and no teeth. The security operator in the SOC and the industrial operator in the control center deserve our attention rather than Russian APTs." — SynSaber's Fabela

**WWIII Started by Hackers?**

So if fears that the Bad Guys will take out our critical infrastructure are overblown, does anything have the power to light off a firestorm of kinetic war?

Why, messing with our finances, of course.

>   
> "An attack against the Securities & Exchange Commission (or IRS, or some similar fundamental agency to the US government) would likely be as clear a flash point for war as the assassination of Archduke Franz Ferdinand. So, if it were to happen, it would be a very carefully calculated and planned, state-sponsored attack." — Simon Eyre, CISO and managing director at Drawbridge

**Cybersecurity Consolidation? Less Vendor Choice? Nope & Nope**

Speaking of finances, anyone who has been following the volatile vagaries of the cybersecurity market from an M&A, valuation, and funding perspective will be aware that most analysts believe that enterprises will rapidly consolidate their cyber-defense tools under just a handful of vendor names — meaning that security Big Kahunas will just keep snapping up small fry and rivals until the choices end up very limited indeed.

Enterprises seem to want that too, according to survey after survey, given the upside in terms of interoperability and management.

Richard Stiennon, chief research analyst at IT-Harvest, says bah humbug to all that.

>   
> "I have been hearing this since there were less than 100 vendors. Now, I count more than 3,200 cybersecurity vendors covering 17 major categories and 660 subcategories. There are always going to be new threats, and new threat actors creating demand for new products that will come from startups. Yes, there will be lots of M&A action in 2023, probably close to 400 transactions. Every acquisition whets the appetite of investors to get in on the action. It also creates founders who are now wealthy who start their next company as soon as they earn out." — IT-Harvest's Stiennon

**Big Brother IS Watching You**

We would be remiss if we wrapped up without mentioning the myriad predictions that Dark Reading received regarding the future of remote and hybrid working. It isn't going anywhere — that genie is well and truly out of the bottle, we all agree. But there's a rather horrific side effect of that reality: The use of creepy productivity monitoring tools by employers, which for all intents and purposes, is spyware by another name, says one expert.

>   
> "Many leaders are resistant to remote work because they are used to leading based on observations, i.e. who is sitting at their desk the longest? In today’s ‘anywhere work’ environment, ‘observation leadership’ is causing managers to implement spy-like tools that measure activity and working hours which invade privacy and create a feeling of distrust among employees." — Dean Hager, CEO of Jamf

Silver lining alert: Hager adds that this kind of completely whacked-out employee tracking will backfire, leading to an outcome-based leadership that will have a positive effect on employee morale and company culture.

Beyond the Obvious: The Boldest Cybersecurity Predictions for 2023

New web targets for the discerning hacker

New web targets for the discerning hacker

  

As 2022 draws to a close, HackerOne has revealed that cloud-based vulnerabilities became increasingly common this year as organizations embark on digital transformation.

The bug bounty platform reported that researchers uncovered more than 65,000 software vulnerabilities through its service during the year, up 21% on 2021.

Misconfiguration vulnerabilities also rose 150% and improper authorization issues by 45% – largely because organizations are instituting ever-more granular permissions as they migrate to the cloud.

Intel recently paid out a $10,000 bug bounty to Julien Ahrens of RCE Security – despite disputing the seriousness of the flaw.

Ahrens bypassed Intel Data Center Manager (DCM) authentication by spoofing Kerberos and LDAP (Lightweight Directory Access Protocol) responses, claiming this led to remote code execution (RCE).

Intel acknowledged the vulnerability and gave it a severity score of 8.8, but says the issue amounted only to a privilege elevation flaw. It was persuaded to make the payout anyway as a one-off.

Meanwhile, a security researcher known by the moniker Peter M demonstrated this month how he bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

He says it took 500 crafted attempts and over 14 hours to find an entry point as part of a private Bugcrowd program.

The attack, carried out with the assistance of Synack pentester Usman Mansha, used Spring Expression Language (SpEL) injection.

Read more of the latest bug bounty news

In other bug bounty news, Intigriti says it has paid out nearly three times as much this year compared to last, with the average amount having doubled.

It says ethical hackers increasingly see bug bounty hunting as a full-time career, with 96% saying they’d like to spend more time on it. The biggest draw is the money, along with the ability to work anywhere in the world, the ability to work alone, and the chance to outsmart cybercriminals.

And Meta’s review of its own bug bounty program this year has revealed that it paid out more than $2 million, receiving around 10,000 reports in total, of which it paid out on 750.

Meta also released updated payout guidelines for mobile RCE bugs, and there are new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities, too. These go up to $130,000 for ATO reports and $300,000 for mobile RCE bugs.

Finally, bug bounty and security services platform for web3 Immunefi says it has paid out just under $66 million this year, with the biggest bounty amounting to $10 million for a vulnerability discovered in Wormhole, a generic cross-chain messaging protocol.

Critical vulnerabilities took the lead with a total of $61 million paid out, accounting for 92.7% of all bounties paid.

**The latest bug bounty programs for January 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Axis Communications**

Program provider:  
Bugcrowd

Program type:  
Public

Max reward:  
TBC

Outline:  
Video surveillance vendor Axis Communications has launched a bug bounty program to find vulnerabilities in its network security products, excluding its 2N products.

Notes:  
Axis Communications has yet to release details of payment rewards for finding such bugs, but has released details of how these bugs are scored using the CVSS method.

Check out the Axis Communications bug bounty page for more details

**Contentsquare**

Program provider:   
YesWeHack  

Program type: Public

Max reward: €2,500 ($2,670)

Outline: UX analytics provider Contentsquare has launched a bug bounty program focussed on finding issues with its mobile software development kit and collection endpoints, details of which are listed on its bug bounty page.

Notes: Contentsquare asks ethical hackers to consult the list of in-scope topics beforehand, as the targets are specific.

Check out the Contentsquare bug bounty page for more details

**Doppler**

Program provider:  
HackerOne

Program type: Public

Max reward: $2,500

Outline: Doppler bills itself as a “SecretOps platform developers and security teams trust to provide secrets management at enterprise scale”.

Notes: Again, there are multiple domains to explore plus Doppler’s source code. There are also five domains that are out of scope for testing.

Check out the Doppler bug bounty page for more details

**Engel & Völkers Technology GmbH**

Program provider:  
HackerOne

Program type: Public

Max reward: $1,000

Outline: IT consulting firm Engel & Völkers Technology GmbH has opened its domains to testing by bug bounty hunters.

Notes: There are more than 10 domains available to attack, ranging from critical to medium severity. There are also a handful of domains that are out of scope and shouldn’t be tested.

Check out the Engel & Völkers Technology GmbH bug bounty page for more details

**Harman International**

Program provider:  
YesWeHack

Program type: Public

Max reward: $5,000

Outline: Electronics manufacturer Harman, a Samsung company, is asking for help with “hardening of the entire ecosystem” related to JBL devices.

Notes: There are 16 targets in scope including physical devices, web APIS, and applications, so there’s something for everyone to get stuck into.

Check out the Harman International bug bounty page for more details

**Moonpay**

Program provider:  
HackerOne

Program type: Public

Max reward: $20,000

Outline: Crypto exchange platform Moonpay is offering big rewards for security vulnerabilities in multiple domains and its source code.

Notes: There are four domains out of scope, so these should be checked before proceeding. Moonpay also details an extensive list of vulnerabilities that aren’t eligible for reward, so this should be checked, too.

Check out the Moonpay bug bounty page for more details

**Navitas**

Program provider:  
Bugcrowd

Program type:  
Private

Max reward:  
$2,500

Outline:  
Australian education provider Navitas is offering rewards for reproducible bugs in its services, with rewards based on the severity of the issue.

Notes:  
Although the company is based in Australia, the rewards are open to ethical hackers worldwide, on an invite basis.

Check out a press release regarding the Navitas bug bounty program for more details

**OVO**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
$3,000

Outline:  
Indonesian payment, rewards and financial services platform is asking hackers to find bugs in four of its mobile and web apps, providing plenty of opportunity to seek a reward.

Notes:  
OVO has explicitly noted that staging environments are out of scope, as are any other targets that aren’t specifically listed on its bug bounty page.

Check out the OVO bug bounty page for more details

**Swapcard**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
€2,000 ($2,140)

Outline:  
Swapcard describes itself as an event app and matchmaking platform powered by artificial intelligence, which holds events in the sectors of security, government, and health.

Notes:  
There is an extensive list of applications and APIs that can be targeted, so this is worth checking out before making a start. Also note that Swapcard states that reports with a detailed proof of concept will be rewarded at a quicker rate, if eligible, than those without.

Check out the Swapcard bug bounty page for more details

**VFS**

Program provider:  
YesWeHack

Program type:  
Public

Max reward:  
$1,500

Outline:  
VFS manages the administrative and non-judgmental tasks related to visa, passport and consular services for its client governments.

Notes:  
The maximum reward is for vulnerabilities deemed as ‘critical’. Examples include, but aren’t limited to, the leaking of visa applicant personally identifiable information, Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information, and scripts that can automate the completion of the user registration flow.

Check out the VFS bug bounty page for more details

**Yuga Labs**

Program provider:  
HackerOne

Program type:  
Public

Max reward:  
$25,000

Outline:  
Yuga Labs is offering an impressive $25,000 for the discovery of critical vulnerabilities in its web3 platform.

Notes:  
The company is asking for reports on bugs in not only its domains but its Discord servers too. Anyone wanting to attack the Discord servers should check out the separate policy on Yuga Labs’ bug bounty page first.

Check out the Yuga Labs bug bounty page for more details

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for December 2022

Bug Bounty Radar // The latest bug bounty programs for January 2023

Any multifactor authentication adds protection, but a physical token is the best bet when it really counts.

In August,  the internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching numerous tech companies. While some Cloudflare employees were tricked by the phishing messages, the attackers couldn't burrow deeper into the company's systems. That's because, as part of Cloudflare's security controls, every employee must use a physical security key to prove their identity while logging into all applications. Weeks later, the company announced a collaboration with the hardware authentication token-maker Yubikey to offer discounted keys to Cloudflare customers. 

Cloudflare wasn't the only company high on the security protection of hardware tokens, though. Earlier this month, Apple announced hardware key support for Apple IDs, seven years after first rolling out two-factor authentication on user accounts. And two weeks ago, the Vivaldi browser announced hardware key support for Android.

The protection isn't new, and many major platforms and companies have for years supported hardware key adoption and required that employees use them as Cloudflare did. But this latest surge in interest and implementation comes in response to an array of escalating digital threats.

“Physical authentication keys are some of the most effective methods today for protecting against account takeovers and phishing,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “If you think about it as a hierarchy, physical tokens are more effective than authentication apps, which are better than SMS verification, which is more effective than email verification.” 

Hardware authentication is very secure, because you need to physically possess the key and produce it. This means that a phisher online can't simply trick someone into handing over their password, or even a password plus a second-factor code, to break into a digital account. You already know this intuitively, because this is the whole premise of door keys. Someone would need your key to unlock your front door—and if you lose your key, it's usually not the end of the world, because someone who finds it won't know which door it unlocks. For digital accounts, there are different types of hardware keys that are built on standards from a tech industry association known as the FIDO Alliance, including smart cards that have a little circuit chip on them, tap cards or fobs that use near-field communication, or things like Yubikeys that plug into a port on your device.

You likely have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens it would be difficult to manage physical keys for all of them. But for your most valuable accounts and those that are a fallback for other logins—namely, your email—the security and phishing resistance of hardware keys can mean significant peace of mind.

Meanwhile, after years of work, the tech industry finally took major steps in 2022 toward a long-promised passwordless future. The move is riding on the back of a technology called “passkeys” that are also built on FIDO standards. Operating systems from Apple, Google, and Microsoft now support the technology, and many other platforms, browsers, and services have adopted it or are in the process of doing so. The goal is to make it easier for users to manage their digital account authentication so they don't use insecure workarounds like weak passwords. As much as you might wish it, though, passwords aren't going to disappear anytime soon, thanks to their sheer ubiquity. And amid all the buzz about passkeys, hardware tokens are still an important protection option.

“FIDO has been positioning passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a fair characterization,” says Jim Fenton, an independent identity privacy and security consultant. “While passkeys will probably be the right answer for many consumer applications, I think hardware-based authenticators will continue to have a role for higher-security applications, like for staff at financial institutions. And more security-focused consumers should also have the option to use hardware-based authenticators, particularly if their data has previously been breached, if they have a high net worth, or if they are just concerned about security.”

While it may feel daunting at first to add one more best practice to your digital security to-do list, hardware tokens are actually easy to set up. And you'll get plenty of mileage from just using them on a couple of, ahem, _key_ accounts.

The Password Isn’t Dead Yet. You Need a Hardware Key

The toasts, triumphs, and biggest security wins of the year

The toasts, triumphs, and biggest security wins of the year

  

As 2022 draws to a close, The Daily Swig is revisiting some of the year’s most notable web security wins and egregious infosec fails.

Yesterday we showcased the year’s biggest fails – the security disasters, industry calamities, and the emergence of vulnerabilities so stupid they’ll make your eyes roll.

Today, we’re celebrating the times that organizations, governments, and the infosec community have shown laudable skill, judgement, and commitment to better securing the cyber sphere in 2022.

**CCFA changes**

This year saw major progress made in protecting ethical hacking from unfair legal consequences. Current laws worldwide often enable prosecution of security researchers motivated to protect rather than harm users, creating risks for ethical hackers in the course of doing their job.

In the US, the Department of Justice (DoJ) announced it will no longer prosecute security researchers who act in “good faith” under a landmark revision to its policy regarding computer crime laws.

The amendment, announced back in May, laid out changes to prosecution criteria under the Computer Fraud and Abuse Act (CFAA).

Good faith in this case refers to an individual accessing a computer solely for purposes of good-faith testing, investigation, or correction of a security flaw or vulnerability.

RELATED Stupid security 2022 – this year’s infosec fails

**Decriminalizing UK ethical hackers**

Across the pond, UK legislators proposed an amendment to the Product Security and Telecommunications Infrastructure (PSTI) bill back in June that would give cybersecurity professionals a legal defence for their activities under the Computer Misuse Act (CMA).

Critics argue that the law, which came into effect in 1990, is outdated and unduly prosecutes security researchers, ethical hackers, and pen testers who responsibly hunt for or report vulnerabilities.

Campaigners continue to call for legal clarification of legitimate hacking activities, which they argue include responsible vulnerability research and disclosure, proportionate threat intelligence, best practice internet scanning, enumeration, use of open directory listings, and honeypots.

The UK government continues to hold talks on the proposed law changes. A call for information was closed in September.

**Making disclosure smoother**

Progress was also made in helping security researchers to make the vulnerability disclosure process smoother.

HackerOne encouraged customers to adopt its new standard policy, released in November, that goes further to protect hackers from legal problems.

The Gold Standard Safe Harbour agreement “is a short, broad, easily-understood safe harbor statement that’s simple for customers to adopt”, said HackerOne.

“This standardization also reduces the burden on hackers for parsing numerous different program statements.”

Catch up on the latest bug bounty news

Meanwhile, the maintainers of open source repositories can now receive private vulnerability reports, remediate them, and issue CVEs via GitHub, the Microsoft-owned software development platform announced at the GitHub Universe conference in November.

The news went down well with at least one infosec pro, with vulnerability researcher and The Daily Swig interviewee Alex Chapman calling it an “amazing feature”.

**In defence of Ukraine**

The Russian invasion of Ukraine dominated headlines this year, and as individuals across the world stepped up to help, so did the hacking community.

In March, Hackers Without Borders (HWB) a Geneva-based non-governmental organization (NGO), was launched to offer emergency infosec assistance to other NGOs and providers of critical services affected by conflicts around the world.

Staffed by volunteer hackers and infosec experts, the organization helps individuals or organizations handle the fallout of cyber-attacks, protect them from further assaults, and bolster their cyber-resilience – free of charge.

In an interview with The Daily Swig, co-founder Florent Curtet said: “We are here to be like firefighters for people, companies, institutions that don’t have the money, skills, or information to protect themselves from today’s digital threats.”

Also speaking in defence of Ukraine, WithSecure’s Mikko Hyppönen told the cybersecurity company’s first ever conference attendees this year that “Russia is trying, but it is largely failing”, in its efforts to ignite cyberwarfare.

Speaking at Sphere 2022 in neighbouring Finland, Hyppönen said: “Taking a stand here is really simple, it’s really obvious. I think we all choose to stand with Ukraine. We choose to stand with democracy, and we choose to stand against evil.”

**Back to Hacker Summer Camp**

This year saw the return of in-person conferences, in particular Black Hat, which was held online in previous years due to the coronavirus pandemic.

In May, Black Hat Asia attendees in Singapore heard keynote speaker Samir Aran warn that “if democracy is to survive, technology will have to be tamed”.

At Black Hat USA, held in Las Vegas in August, former CISA director Chris Krebs also spoke out about geopolitical tensions, urging organizations worldwide to bolster their online infrastructure amid Taiwan tensions.

And at Black Hat Europe, held in London in November, renowned security researcher Daniel Cuthbert told attendees that a defendable internet is possible – “but only with industry makeover”.

The conferences also saw the release of various hacking tools built by the community for the community.

**Securing the open source ecosystem**

Finally, efforts to secure the open source supply chain were ramped up for 2022, with a number of new initiatives launched.

The Secure Open Source Rewards (SOS.dev) scheme was set up to reward developers and security researchers who make improvements to critical infrastructure based on open source technology.

The program will “harden critical open source projects” and help protect against application and software supply chain attacks by encouraging researchers and developers to suggest security improvements.

Rewards range from $505 for small improvements up to $10,000 or more for “complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities”.

The Open Source Security Foundation (OpenSSF) also launched a project to improve the security of the open source software ecosystem, backed by a $5 million investment from Microsoft and Google.

And a summit held at the White House resulted in a plan to better secure the government’s software supply chain, in the wake of the Log4j incident back in 2021.

DON’T MISS Lean, green coding machine: How sustainable computing drive can reduce attack surfaces

Security done right – infosec wins of 2022

Concerns about recessionary trends impacting the cybersecurity sector in 2022 remained largely unfounded in Q4, as investment activity surged after a Q3 slowdown.

Mergers and acquisition (M&A) activity and investments in cybersecurity picked up once again in the fourth quarter after dropping off somewhat sharply in Q3. The activity put the sector on track to close out the year in better shape than many had expected, with overall funding topping 2020's pace (even though it dipped compared to 2021).

"M&A and financing deal count and volume in 2022 are still above 2020 levels despite current economic uncertainty," says Eric McAlpine, managing partner at Momentum Cyber. "Cybersecurity is still a very active market relative to historical levels over the past decade."

McAlpine says Momentum tracked a total of 37 M&A deals in Q4 through November. That compares to 50 total acquisitions in Q4 2021.

"M&A activity in the cybersecurity services market continues to be higher than any other sector in the industry," he says. In fact, M&A volumes in 2021 and 2022 year-to-date in cybersecurity services top total volumes for the previous five years combined, he adds.

To boot, McAlpine predicts that M&A activity in cybersecurity will continue its momentum in 2023 as startups run into challenges with raising more capital, or run out of money, or adjust their valuation expectations downward. He predicts a "sea change in thinking by investors away from growth at all costs to funding profitable growth."

**M&A Activity Regained Momentum After 3Q Slowdown**

Two major cybersecurity acquisitions in October had an outsize impact on overall deal volumes in the last quarter of the year. One was Vista Equity Partners' $4.6 billion acquisition of KnowBe4 on Oct. 12. Like many other private equity (PE) firms, Vista plans to make the publicly traded KnowBe4 a private firm once the acquisition is complete.

The other major fourth-quarter deal was PE giant Thoma Bravo's all-cash purchase of ForgeRock for $2.3 billion on Oct. 11.

But that's not to say there weren't other significant deals during the quarter. As examples, McAlpine points to Palo Alto Networks' $195 million acquisition of Cider Security in November; Proofpoint's purchase of Illusive for an undisclosed sum in December; and 1Password's acquisition of Passage in November, for an unknown sum.

According to numbers that S&P Global Market Intelligence tracked, the first three weeks of October alone saw more M&A money move through the cybersecurity sector than the entire third quarter.

"Between Oct. 1 and Oct. 24, cybersecurity acquirers disclosed an aggregate $6.90 billion in deal values from nine announced transactions," the analyst firm said in a recent market report. In comparison, the aggregate deal values for all M&A transactions with disclosed values during the third quarter was just $3.06 billion — down more than 75% from the $13.77 billion during the same period in 2022, S&P Global Market Intelligence said.

**A Flurry of Funding Activity**

Meanwhile, the last quarter of 2022 also had its fair share of funding activity in the cybersecurity sector. Notable examples include Arctic Wolf's closing of a $401 million convertible notes offering in October; Drata's $200 million Series C funding round in December that valued the firm at $2 billion; and a BlackRock-led $120 million pre-IPO financing round in Versa Networks.

"Keeping in mind that the year is not over yet, there have been 396 funding rounds totaling $16.6 billion in new investments" in 2022, says Richard Stiennon, chief research analyst at IT-Harvest. "While this does not match last year's $24 billion, it exceeds the record funding of 2020 by 60%."

The numbers are not too shabby for a year for which disaster was predicted, Stiennon notes: "And the year is not over. I would not be surprised if we hit $17 billion."

By IT-Harvest's count, there were nearly two dozen cybersecurity funding rounds disclosed in the last three months of 2022. These included a $196.5 million series G funding round at Snyk that valued the firm at a $7.4 billion; NetSPI landing $410 million in growth funding; and Akeyless raising $65 million for its secrets management technology.

Data that Momentum tracked showed that through the end of November, the most active sectors for M&A deals were managed security service providers; risk and compliance; and security consulting and services segments. The most active segments for financing deals during the same period were risk and compliance; identity and access management; application security; and network and infrastructure security.

**The Impact of Industry Activity on Enterprise Security Teams**

Marc van Zadelhoff, CEO at Devo, expects that the cybersecurity market will weather any recession that might materialize, better than other sectors.

"In the second half of 2022, security was the last industry to observe a slowdown in spending, let alone IT spending," he says. "Before midway through 2023, I firmly believe that security will be the first industry to emerge out of the recession, given the explosion of data and threats and the need for a solid security posture."

However, security teams must show their capabilities and provide immediate ROI, van Zadelhoff says. "Now is the time to lay the groundwork for cybersecurity investment and for security decision-makers to learn the language of the CFO and practice their cyber pitch."

At the same time, some say a prolonged recession — or fears of one — could put a damper on security spending and trigger other changes in the industry over the next year and in the short term. They advocate that enterprise security team be aware of the potential implications of these changes and be prepared for them.

Security teams, for instance, need to be prepared to show measurable return on investments and do more with less in situations where their organizations might be looking to cut security spending, says Richard Caralli, senior cybersecurity advisor at Axio.

This is in anticipation of a slowdown in core spending in 2023 on technology acquisition, which could lead to some contraction in certain cybersecurity sectors and more potential consolidation and acquisition activity.

"At that point, you can expect to have to reevaluate any technologies that are caught up in these activities," Caralli says.

The fact that CISOs and people in charge of purchasing decisions are increasingly looking for more integrated platforms could be another driver for funding activity in the cybersecurity sector in 2023.

"The cybersecurity market is approaching bloated status," says Hank Thomas, CEO at Strategic Cyber Ventures. "There are far too many vendors chasing the same dollars with comparable technology. PE firms and other later-stage investors are looking to bring in larger players to serve as anchors for rollups and bolt-on acquisitions. This will create new more comprehensive, cost efficient, and effective security platforms."

New Year's Surprise: Cybersecurity M&A, Funding Activity Snowballs in Q4

ISOS firmwares from versions 1.81 to 2.00 contain hardcoded credentials from embedded StreamX installer that integrators are not forced to change.

**Published Firmwares in 2022**

**V2.01 : 11.11.2022**

2304

Bug fix

Moxa Real TTY driver update

2397

Security

OpenSSL: fix CVE-2020-1971

2406

Security

PAM: fix 'Empty Password improper authentication' (CWE-287)

2424

Bug fix

DA-820 and DA-820C: fix 'empty slot' command

2438

Bug fix

DA-820C: fix network error messages at bootup

2442

Security

sudo: fix CVE-2021-3156

2455

Security

OpenLDAP: fix multiple CVE

2464

Bug fix

Cellular modems: fix USB disconnect/connect problem

2470

Security

OpenSSL: fix multiple CVE (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)

2482

Bug fix

Postgres: fix the running state view

2491

Bug fix

Firmware update: improved the management of the postgresql service

2556

Add-on

Virtual: VirtIO NIC driver added for some KVM based hypervisors

2560

Add-on

DA-820C: support for I350-T4 and CP102U cards added

2561

Bug fix

DA-820C: fix comment update on slot 2

2590

Bug fix

Mono: moved "ApplicationData" and "CommonApplicationData" folders to /opt partition

2620

Bug fix

DA-820C: improvement of the firmware update (TPM related)

2743

Add-on

APU2: support for additional serial ports from P3

2812

Bug fix

IG2: fix EtherCAT driver for ARM64.

2857

Security

DA-820C: SysRq commands disabled

2858

Bug fix

Boot process, automatically fix potential mount errors

2873

Bug fix

NTP Server, fix the 'jump backwards in time

2878

Security

rsyslog: fix CVE-2022-24903

2897

Security

Force password change during the first login (CVE-2022-4780)

2940

Security

Virtual, open-vm-tools: fix CVE-2022-31676

2951

Bug fix

OpenLDAP: files integrated into the backup

2970

Bug fix

RADIUS: files integrated into the backup

 

Add-on

IG2: support for digital inputs/outputs

 

Security

RADIUS Integration

 

Security

Firmware Integrity Check integration

 

Security

Manage rate limiting (avoid DoS)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup 6.05.00 (StreamConfig: version 35 of the parameters)

**V2.00d - 22.04.2022 (only for CX9020)**

2825

Add-on

Staging: images for 2GB and 4GB SD cards.

 

Bug fix

StreamX Setup v6.04.25 of 07.04.2022 (StreamConfig: version 34 of the parameters)

**V2.00c - 24.02.2022 (only for CX9020)**

 

Add-on

earlyoom: memory watchdog to protect EtherLAB from an 'out of memory'.

 

Bug fix

StreamX Setup v6.04.17 of 18.02.2022 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2021**

**V2.00 : 24.02.2021**

1279

Bug fix

Fix StreamView HTML serialization errors

1715

Bug fix

Fix StreamDaemon is no more responding on ARM architectures

1867

Bug fix

Fix general Mono memory leaks

1980

Bug fix

Mono: major upgrade to version 6.10.0.104

2135

Security

Sudo: fix potential vulnerability (CVE-2019-18684)

2157

Security

Fix CVE-2019-14899 : Inferring and hijacking VPN-tunneled TCP connections

2175

Bug fix

EtherCAT: etherlab stack update

2189

Bug fix

CX9020: fix speed of second LAN which was sometimes fixed at 10 Mbit/s

2283

Bug fix

Virtual: open-vm-Tools produces no more messages continuously.

2297

Add-on

Support of stunnel for all hardwares

2298

Add-on

CX9020: support of the LEDs TC, FB1, FB2

2327

Add-on

Backup of Postgresql configuration files

2332

Add-on

Postgresql: log file rotate mechanism

2340

Bug fix

Network: fix manual lan won't goes up at boot

2343

Bug fix

APC910: fix lan1 detection on TS17.04

2362

Security

OpenLDAP: fix CVE-2020-25709 and CVE-2020-25710

2382

Add-on

APC910: support for USB1 to USB4 ports added for model TS17

2429

Bug fix

Cellular modems: fix the enable/disable NMEA feature

 

Add-on

First integration of the hardware Elvexys IG2

 

Add-on

CX9020: bootloader version 5 for kernel compatibility

 

Security

CX9020: StreamBridge is no more executed with root account (least privilege)

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup v6.02.90 of 10.02.2021 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2020**

**V1.99 : 17.06.2020**

1827

Add-on

Cellular: PPP as default gateway is now listed into the network section in StreamConsole

1880

Add-on

Virtual hardware: OVF file compatibility for ESX 5.5

1893

Security

PostgreSQL: fixed multiple vulnerabilities

1897

Add-on

Virtual hardware: changed from generic to Intel network adapter

1906

Security

StrongSwan: upgrades to fix CVE-2018-16151 / CVE-2018-16152

1908

Security

Kernel: upgrades to fix CVE-2018-14634

1931

Bug fix

Cellular: fix for the configuration migration

1939

Bug fix

Cellular: fix USAN management when receiveing a SMS

1940

Bug fix

Fix to no more generate duplicate paths after a firmware migration

1954

Security

OpenSSL: fix multiple vulnerabilities

1984

Bug fix

LEDs: swapped the management of Storage and SNMP Agent

1985

Bug fix

Firmwares files with special chars are now possibles

2002

Bug fix

LEDs: no more turned off after a long period of time

2023

Bug fix

Bonds on B&R APC910 are now working as expected

2060

Add-on

CX9020: compatibility with HW rev. 3

2088

Security

Kernel: upgrades to fix CVE-2019-11477 (SACK Panic)

2095

Add-on

Virtual hardware: drivers for VMXNET3 added

2106

Bug fix

Cellular: fix infinite loop in ppp restart Under certain conditions

2112

Security

SysRq commands over serial ports is now disable for all hardware

2127

Security

Sudo: fix CVE-2019-14287 Potential bypass of Runas user restrictions

2138

Security

Unable to use SCP anymore

2142

Bug fix

APC910: fix the use of lan2 without the additional 4 lans board

2150

Add-on

Firmware update: error codes 24 and 25 added

2151

Bug fix

Default Gateway no more lost after changing the IP on the interface binded to the default gateway

2165

Security

OpenSSL : fix CVE-2019-1551

2167

Bug fix

SSL Certificates for StreamX applications are now backuped

2180

Add-on

Beckhoff CX9020: support of the new HW revision of TOSIBOX 4G modem (based on Quectel EC25 chip)

2199

Add-on

Firewall: extend ports range for StreamX services.

2218

Add-on

Fsck package added (File System Consistency Check)

2269

Bug fix

Moxa DA-820, fix the receive mechanism on serial ports P1 and P2 when used in RS485 2 wires mode.

 

Bug fix

PFC100/PFC200: use Wago BSP v. 2.8.35

 

Add-on

First integration of the hardware B&R APC910

 

Add-on

First integration of the hardware APU4

 

Add-on

First integration of the hardware Moxa DA-820C

 

Add-on

APU2 and APU4: support for the LEDs and the dual power boards

 

Add-on

APU2: support for two dual LAN mPCIe boards

 

Add-on

APU4: support for one dual mPCIe board

 

Add-on

UC-8112: first LEDs management

 

Add-on

Support of PRP for Moxa DA-820 and Moxa DA-820C from StreamConsole

 

Add-on

Support of stunnel for Virtual hardware

 

Add-on

Firewall: added UDP port 123 for NTP server

 

Security

Update of the Linux kernels

 

Security

Update of the Linux packages

 

Bug fix

StreamX Setup of 08.05.2020 (StreamConfig: version 34 of the parameters)

**Published Firmwares in 2018**

**V1.98 : 05.07.2018**

1738

Security

Kernel: upgrades to fix Meltdown and Spectre vulnerabilities

1826

Security

Moxa DA-820, fix the process to disable physical USB ports

 

Add-on

PostgreSQL, migration process updated for future major upgrades

 

Add-on

First integration of virtual hardware (VMWare) with the configinit tool

 

Bug fix

Moxa DA-681A, fix the RS485

 

Bug fix

Moxa DA-720, fix the RS485 2 wires mode on P2

 

Add-on

Moxa UC-8100, new bootloader for Linux kernel 4.1

 

Bug fix

All libraries: update to the latest stable version

 

Security

Improving hardening like using ASLR and Stack Smaching Protection

 

Bug fix

Cellular: fix the use of CTS and DTS signals

 

Bug fix

StreamX Setup of 22.06.2018 (StreamConfig: version 32 of the parameters)

**V1.97 : 05.03.2018 (only for DA-681A, DA-720, UC-81xx and APU2)**

1743

Security

Moxa Nport: the owner of the remote serial ports is now the group streamx\_apps instead of root

1729

Bug fix

WD Cellular: prevent rebooting the system if a firmware upgrade is in progress

1782

Bug fix

WD Cellular: don't block anymore in case of huge system time changes

 

Add-on

WD Cellular: the RSSI and the cellular antenna ID are now published in memory files for other programs

1748

Add-on

DHCP Client: new default settings for interoperability with slow DHCP servers

 

Add-on

First integration of the hardware Moxa DA-720

 

Bug fix

StreamX Setup of 27.02.2018 (StreamConfig: version 32 of the parameters)

CVE-2022-4780: ISOS release notes - Elvexys SA

This is what happens when a CISO gets tired of reacting to attacks and goes on the offensive.

Like a member of any profession, a chief information security officer (CISO) grows into their role. They exhibit a maturity curve that can be roughly split into five attitudes:

1.  **Protection:** When a CISO first steps into their role, they look to perfect the basics and build a fortress for themselves in the form of firewalls, server hardening, and the like.
2.  **Detection:** Once they determine how the framework is built, the CISO moves on to more and more sophisticated monitoring tools, incorporating in-depth monitoring and packet filtering.
3.  **Response:** The journeyman CISO will start crafting detailed response plans to various scenarios, weaving them into the overall BC/DR planning and making sure that the team is ready for anything.
4.  **Automation:** Next they'll focus on making everyone's life easier by incorporating automation, AI/ML learning, and third party intelligence into their already-robust defenses.

You may have seen or experienced this kind of four stage evolution yourself. But there's a much rarer _fifth stage_ that is reached much later in a CISO's career. Upon seeing the multitude of annoyances buzzing around them, probing, trying to gain access to _their_ territory ... they become restless. They get tired of waiting for their enemies to strike.

The fifth and final stage is proactivity. And it’s at this stage that CISOs go on the hunt, using techniques of modern defense.

**Leaving the Comfort Zone**

The demarcation point is traditionally where everything becomes "somebody else's problem." If anything breaks or gets hacked, it isn't on the company's dime.

At least, that's how it used to be. Veteran CISOs know that in the era of the cloud and heavy federation, nothing could be further from the truth. Every hack has ripples. Every DDoS has collateral damage. An attack on your ISP, on a federated partner, on your supply chain, on the company's bank, or on utility providers might as well be an attack on your turf.

Most importantly, social engineering and fraud ignore internal demarcations entirely! They don't respect traditional boundaries. If they need to use your federated partner to get in, they will. If they need to infiltrate your employees' social media to gain leverage, they won't hesitate.

But what can be done? Your tools, your monitoring ... absolutely everything you've built is designed to cover your own territory. How can you have an impact on the other side of the demarcation?

Part of the proactivity that comes with stage five of a CISO's career is the ability to process threats that have the potential to impact your business. This means combining the resources that are available to the entire cybersecurity community and the intelligence gleaned from your own monitoring efforts.

Now you're in what Tom Petty once called "The Great Wide Open." The bad news is that your activities are more exposed out here. The good news? You aren't alone.

**Resources for Fraud Prevention Beyond the Demarcation**

In order to get ahead of the curve, you need to work with others and assess emerging threats. Two traditional resources are still effective here: CERT and OWASP. These two organizations have been tirelessly tracking cybersecurity trends for over a generation.

But there are some newer kids on the block that can help you on your hunt. PortSwigger's BURP suite can help you to perform intelligent Web application and network analysis (just make sure you get permission from your business partners before you go full white-hat on their infrastructure). Some subscription advisory services like Black Duck can be worth their weight in gold.

But those are all solutions on the technical side, and fraud isn't always technical. To hit fraudsters where it hurts, you need to embrace the human element.

**A Global Defense Effort**

One of the advantages of using an antifraud suite such as that made by Human Security is that the breach information it gathers is shared anonymously across Human's entire client base. That means when a new fraud attempt is registered with any customer, updates to combat it are shared with all customers across every impacted system: training, automated scans, spam rejection, firewall rules, and packet filtering, to name a few.

Additionally, internal and external attempts to misuse or compromise corporate resources are compared to events taking place elsewhere on the Human network. If there's a pattern, the cybersecurity team is informed, and additional resources can be dedicated to monitoring the situation. MediaGuard can do the same for impersonation attempts or attacks on brand integrity.

**What Do You Do When You Catch Something?**

All of these resources allow you to hunt well beyond the demarcation point. But what do you do when you actually track something down?

When you find vulnerabilities in your supply chain or within a federated resource, you need to share them with your counterpart at the company in question. Assuming you've done everything above board and with their permission, this isn't a problem. If you accidentally hunted outside your domain without permission, see if the impacted business has an anonymous tip line for fraud or security.

Then, make sure your own detection and filtering process is adapted to deal with the new threat before the fraudsters or hackers can even make the attempt. Report any new technical vulnerabilities to your preferred advisory service, and then start planning your next hunt.

When CISOs Are Ready to Hunt

It's time companies build a multilayered approach to cybersecurity.

As global cyberattacks continue to become more sophisticated, so should corporations' risk mitigation strategies. Of these high-stakes attacks, financial motivation is the most common reason for cybercriminals to target businesses, with the IBM "Cost of a Data Breach" report finding that the average breach in 2022 cost organizations up to $4.35 million in damages. With consequences this detrimental to business, it's critical that companies build a multilayered approach to cybersecurity with a number of experts involved to ensure effective prevention, detection, and response to cyber threats.

To create the most effective cyber-risk prevention and recovery team, companies must leverage financial and technology talent to collaborate on prevention strategies. While cybersecurity professionals focus on the who, what, where, and how of a potential breach, accountants can monitor the potential impacts to a corporation's funds and controls to determine priority functions and vulnerable financial business data that need safeguarding. This is typically done most effectively by forensic accountants who are trained in auditing and investigating risk factors within the finances of individuals or businesses. When these two roles find synergy, they can combat even the most complex of corporate cybercrimes.

Here are some of the ways these professionals can effectively work together to prevent and recover from highly intelligent attacks on financial data.

**Prevention**

Proper prevention of financial cybercrimes takes a diversified skill set, tapping into financial and IT specialties to create the strongest possible defenses against breaches. For cyber professionals, this includes identifying and closing gaps in internal controls and technologies, and implementing the proper safeguards — from two-factor authentication programs to file encryptions and more. Meanwhile, forensic accountants are well-versed on corporate finances and have the ability to detect the misappropriation of funds before losses are incurred.

Cyber professionals are also invaluable assets to financial teams in alerting them to new threats as the digital landscape changes so that proper preventative measures can be implemented. For example, there is a new trend of hackers using Meta business accounts as an entry point to breach financial information. This typically involves the stealing of customer credit card and bank information when they make transactions through the social media platform.

Obviously, suffering from an attack of this kind can lead to a damaged reputation, monetary consequences, and a loss of consumer trust. Establishing open lines of communication between cyber professionals and those in charge of monitoring business transactions can mean that forensic accountants know what threats they need to be wary of and can make business decisions that are in the best interest of their clients and customers. Also, it can ensure quicker detection of odd transactional activity for early intervention.

Instituting safeguards to proactively defend financial information — and consistently reviewing and updating them — can help to keep corporate funds safe in an era where sophisticated cybercriminals can steal financial information at the click of a key.

**Recovery**

Even the best laid plans can fail, especially when the enemy continues to get smarter and stealthier as technology evolves. That's the case when it comes to cybercrime, so planning to fail is just as important as working to avoid failure.

Collaboration between cybersecurity professionals and forensic accountants can ensure that swift, immediate defenses are deployed when an attack is executed and that the damage to a business's financial bottom line is as minimal as possible.

In the event of a breach, these professionals must work together to block the attacker and protect as much data and capital as they can. For example, a seasoned forensic accountant brings experience and knowledge of the many forms of corporate fraud, as well as the necessary steps to employ investigative techniques to spot trends and outliers in large data sets as they develop. Immediately upon noticing suspicious activity, they can alert their company's cyber team to quickly employ a variety of techniques to close the digital path to systems while they investigate.

While losses are not ideal, they are difficult to avoid once a cybercrime is effectively executed, even if it was caught and stopped quickly. Post-incident, it is the task of forensic accountants to calculate potential losses, assess and disclose accounting requirements, and assist the cyber team with evidence collection for insurance claim purposes.

Generally, forensic accountants and cybersecurity professionals have the same goal: to safeguard important information. When they use their unique skill sets to collaborate effectively, a corporation has the best chance of evading the consequences of a devastating cyberattack.

Tag

#intel