What is the future of working professional education?

The Executive MBA Council (EMBAC) published research which addresses how business education needs to evolve to keep pace with changing demands and expectations about professional development from both students and their employers over the next five years and beyond.


The study draws on new original qualitative research from in-depth interviews with relevant decision makers at international business schools and within major employers who invest in working professional development. It also involved a survey of over 300 individual learners who were looking to take business school courses in the next five years.

“The relationship between employees and employers has been evolving for some time, and this study opens up what that means for the future of working professional education. Economic uncertainty, online learning, lifelong development, remote working, and digital transformation in business schools and other organizations are not new.

“However, the global pandemic is accelerating these trends. Our sector will benefit from a healthy and honest debate about how future ways of learning and work can help leaders in business and business education find new answers to the problems of our time,” said Michael Desiderio, executive director of EMBAC.

Working professional education: Key findings

  • 38% of individual learners said they rated blended learning (face to face and online) as their ideal skills development path for the next five years.
  • When choosing a business school, the top requirements are flexibility in how learning is delivered (45%), how much the school embraces digital transformation (42%) and how much the program will accelerate career prospects (37%).
  • More than three quarters of employer respondents believe that business schools need to develop short, inexpensive programs that deliver relevant skills for those working and be clear about how their offer positively impacts our wider society, not just the business industry.
  • While employers agree that leadership remains an important skill for development, new leadership models are emerging that have stronger roots in “soft skills” such as emotional intelligence, more agility and conscious, continuous learning.
  • Employers also point out that as the workforce ages, one of the most frequently sought-after development programs is how to manage effectively across generations since attitudes and lifestyles can vary significantly.

Fundamental shifts in the workforce were already taking place

While COVID-19 may have accelerated change in the workforce, fundamental shifts were already taking place. There is no one-size-fits-all solution: different circumstances – economic, political and social – have a significant impact on the approach a school decides to take.

However, it is clear that institutions will need to evolve from a focus on the quantity of degrees awarded to becoming a learning partner to companies and organizations, keenly understanding the needs of both the workforce and individual industries.

eBook: Secure Software Development

Secure software development and DevSecOps are growing in importance as organizations increasingly rely on cloud infrastructures for critical applications. Given these and other key industry trends, the value of (ISC)² CSSLP certification is surging.


Globally recognized and respected, the vendor-neutral CSSLP creates significant advantages for security professionals and the organizations that employ them. In the (ISC)² eBook, The Art & Science of Secure Software Development, CSSLPs around the world share how becoming certified has helped them advance their careers – and avoid costly errors.

Find out how CSSLP certification will benefit YOU.

CSSLP snapshot

  • Recognizes leading application security skills.
  • Validates knowledge and skills necessary for authentication, authorization and auditing throughout the software development lifecycle using best practices and policies.
  • Developed for software architects, developers and engineers; project and security managers; penetration testers; software procurement analysts; application security specialists; software program managers; QA testers; and IT managers, directors.

Want to learn more? Find out what it takes to excel as a secure software developer.

QakBot operators abandon ProLock for Egregor ransomware

Group-IB has discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware. Egregor has been actively distributed since September 2020 and has so far hit at least 69 big companies in 16 countries. The biggest ransom demand detected by the Group-IB team has been $4 million worth of BTC.


During recent incident response engagements, Group-IB's DFIR (Digital Forensics and Incident Response) team noticed a significant change in QakBot operators' tactics: the gang has started to deploy a new ransomware family, Egregor.

This ransomware strain emerged in September 2020, but the threat actors behind it have already managed to lock up quite big companies, such as game developer Crytek, bookseller Barnes & Noble, and most recently the Chilean retail giant Cencosud.

ProLock = Egregor

Analysis of attacks in which Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to those used by the ProLock operators, whose campaigns were described in a Group-IB blog post in May.

First, initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration, the same as with ProLock.

The same tools and naming conventions have been used as well, for example md.exe, rdp.bat and svchost.exe. Hence, all of the above considered, Group-IB experts assess that it is very likely that QakBot operators have switched from ProLock to Egregor ransomware.
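The overlap described above (QakBot delivered via Excel documents, Rclone used for exfiltration, and the md.exe / rdp.bat / svchost.exe naming convention) is the kind of thing a defender can turn into a hunt over process-creation telemetry. The following is an added example, not Group-IB's code: it runs a few indicator rules over constructed Sysmon-style process-creation events and ranks hosts by how many distinct indicators fire. The event field names and sample events are constructed for the example, and the "svchost.exe outside System32" rule is an assumption (a renamed tool cannot live at the genuine System32 path), not a detail from the report.

```python
"""Hunt process-creation events for the ProLock/Egregor tool chain.

Added example (not from the Group-IB report). The event format, field
names and sample events are constructed; the svchost-location rule is an
assumption rather than a published detail.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories where a genuine svchost.exe lives (assumption-based rule).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Tool names the report associates with both ProLock and Egregor intrusions.
TOOL_NAMES = {"md.exe", "rdp.bat"}

# Constructed Sysmon Event ID 1 style events: host, image, parent, cmdline.
EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "EXCEL.EXE DocuSign_invoice.xlsm"},
    {"host": "ws01", "image": r"C:\Users\Public\upd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "cmdline": "upd.exe"},
    {"host": "ws01", "image": r"C:\Users\Public\svchost.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "svchost.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "srv02", "image": r"C:\Users\Public\md.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "md.exe"},
    {"host": "srv02", "image": r"C:\Users\Public\rclone.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": r"rclone.exe copy C:\Share remote:bucket"},
    {"host": "ws03", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _dir(path):
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def indicators(event):
    """Return the names of the indicator rules that fire for one event."""
    hits = []
    image, parent = event["image"], event["parent"]
    # Initial access came through malicious Excel documents, so Excel
    # spawning a child process is worth a look.
    if _base(parent) == "excel.exe":
        hits.append("excel_spawned_child")
    # Rclone used for data exfiltration in both ProLock and Egregor cases.
    if _base(image) == "rclone.exe" or "rclone" in event.get("cmdline", "").lower():
        hits.append("rclone_exfil_tool")
    # Shared tool naming convention.
    if _base(image) in TOOL_NAMES:
        hits.append("prolock_egregor_tool_name")
    # Assumption: a tool named svchost.exe cannot sit at the real System32 path.
    if _base(image) == "svchost.exe" and _dir(image) not in SYSTEM_DIRS:
        hits.append("svchost_outside_system32")
    return hits


def hunt(events):
    """Map each host to the sorted set of distinct indicators seen on it."""
    found = defaultdict(set)
    for ev in events:
        for name in indicators(ev):
            found[ev["host"]].add(name)
    return {host: sorted(names) for host, names in found.items()}


def triage(findings, min_indicators=2):
    """Hosts with at least min_indicators distinct indicators, for review first."""
    return sorted(h for h, names in findings.items() if len(names) >= min_indicators)


if __name__ == "__main__":
    results = hunt(EVENTS)
    for host, names in sorted(results.items()):
        print(f"{host}: {', '.join(names)}")
    print("review first:", triage(results))
```

Any single rule here is noisy on its own (Excel spawns legitimate children, and Rclone has legitimate uses), which is why the example correlates per host and surfaces hosts where several independent indicators coincide.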

Geography and victims

The gang behind Egregor followed in the footsteps of Maze, which called it quits not long ago. Egregor operators rely on intimidation tactics: rather than just encrypting compromised networks, they threaten to release sensitive information on the leak site they operate. The biggest ransom demand registered by the Group-IB team so far was $4 million worth of BTC.

In less than 3 months Egregor operators have managed to successfully hit 69 companies around the world, with 32 targets in the US, 7 victims each in France and Italy, 6 in Germany, and 4 in the UK. Other victims were in APAC, the Middle East, and Latin America. Egregor's favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

Inside Egregor

While the TTPs of Egregor operators are almost identical to those of ProLock, analysis of an Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to that of Sekhmet. The two strains share some core features and use a similar obfuscation technique.

Egregor's source code bears similarities to Maze ransomware as well. The final payload is decrypted using a password supplied on the command line, so it is impossible to analyze Egregor without the command-line arguments provided by the attacker. Egregor operators use a combination of the ChaCha8 stream cipher and RSA-2048 for file encryption.

“Tactics, techniques and procedures observed are very similar to those seen in the past Qakbot’s Big Game Hunting operations,” said Oleg Skulkin, senior DFIR analyst at Group-IB.

“At the same time, we see that these methods are still very effective and allow threat actors to compromise quite big companies with a high success rate. It's important to note that the fact that many Maze partners started to move to Egregor will most likely result in a shift in TTPs, so defenders should focus on known methods associated with Maze affiliates.”

Week in review: Kali Linux 2020.4, AWS Network Firewall, speeding up malware analysis

Here’s an overview of some of last week’s most interesting news, reviews and articles:

Kali Linux 2020.4 released: New default shell, fresh tools, and more!
Offensive Security has released Kali Linux 2020.4, the latest version of its popular open source penetration testing platform. You can download it or upgrade to it.

Critical vulnerabilities in Cisco Security Manager fixed, researcher discloses PoCs
Cisco has patched two vulnerabilities in its Cisco Security Manager solution, both of which could allow unauthenticated, remote attackers to gain access to sensitive information on an affected system.

How do I select a security assessment solution for my business?
To select a suitable security assessment solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.

Researchers break Intel SGX by creating $30 device to control CPU voltage
Researchers at the University of Birmingham have managed to break Intel SGX, a set of security functions used by Intel processors, by creating a $30 device to control CPU voltage.

How to speed up malware analysis
The goal of malware analysis is to research a malicious sample: its functions, origin, and possible effects on the infected system. This data allows analysts to detect malware, react to the attack effectively, and enhance security.

Multi-cloud environments leaving businesses at risk
Businesses around the globe are facing challenges as they try to protect data stored in complex hybrid multi-cloud environments, from the growing threat of ransomware, according to a Veritas Technologies survey.

Cisco Webex vulnerabilities may enable attackers to covertly join meetings
Cisco has fixed three bugs in its Cisco Webex video conferencing offering. The flaws were discovered by IBM researchers, after the company’s research department and the Office of the CISO decided to analyze their primary tool for remote meetings.

How a move to the cloud can improve disaster recovery plans
Bad actors are well aware that endpoints are not being maintained at the same level as pre-pandemic, and they are more than willing to take advantage.

VMware patches serious vulnerabilities in ESXi hypervisor, SD-WAN Orchestrator
VMware has patched critical vulnerabilities affecting its ESXi enterprise-class hypervisor and has released a security update for its SD-WAN Orchestrator, plugging a handful of serious security holes.

Review: Group-IB Fraud Hunting Platform
In this review, we take a close look at the Fraud Hunting Platform (FHP) developed by Group-IB, which helps web and mobile service owners monitor user activity and investigate potential misuse.

The effectiveness of vulnerability disclosure and exploit development
New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development.

Healthcare organizations are sitting ducks for attacks and breaches
Seventy-three percent of health system, hospital and physician organizations report their infrastructures are unprepared to respond to attacks. The survey results estimated 1500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a 300 percent increase over this year.

2021 predictions for the Everywhere Enterprise
As we near 2021, it seems that the changes to our working life that came about in 2020 are set to remain. Businesses are transforming as companies continue to embrace remote working practices to adhere to government guidelines.

Why biometrics will not fix all your authentication woes
In recent years biometrics have increasingly been lauded as a superior authentication solution to passwords. However, biometrics are not immune from problems and once you look under the hood, they bring their own set of challenges.

Accept your IT security limits and call in the experts
For IT security teams, the work-from-home switch meant even more work and a struggle to find new ways to keep their organization and their employees secure from cyber threats growing in number and frequency.

AWS Network Firewall: Network protection across all AWS workloads
Amazon Web Services announced the general availability of AWS Network Firewall, a new managed security service that makes it easier for customers to enable network protections across all of their AWS workloads.

eBook: The security certification healthcare relies on
In the new (ISC)² eBook, HCISPPs around the world share how becoming certified has helped advance their careers – and keep healthcare IT healthy.

New infosec products of the week: November 20, 2020
A rundown of the most important infosec products released last week.

VMware patches serious vulnerabilities in ESXi hypervisor, SD-WAN Orchestrator

VMware has patched critical vulnerabilities affecting its ESXi enterprise-class hypervisor and has released a security update for its SD-WAN Orchestrator, plugging a handful of serious security holes.


Vulnerabilities in ESXi hypervisor exploited during a hacking competition

During the Tianfu Cup Pwn Contest held in Chengdu, China, earlier this month, Xiao Wei and Tianwen Tang, two researchers from the Qihoo 360 Vulcan Team, exploited two previously unknown vulnerabilities to thoroughly compromise VMware's ESXi hypervisor:

  • CVE-2020-4004, deemed “critical”, is a use-after-free vulnerability in the XHCI USB controller that can be used by attackers with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.
  • CVE-2020-4005, deemed “important”, is a VMX elevation-of-privilege vulnerability that can be used by attackers with privileges within the VMX process to escalate their privileges on the affected system.

CVE-2020-4004 affects various versions of ESXi, but also VMware Fusion (Mac virtualization solution), VMware Workstation Player (desktop hypervisor application) and VMware Cloud Foundation (ESXi). CVE-2020-4005 affects ESXi and VMware Cloud Foundation. Most patches are already available, but those for Cloud Foundation are still pending.

Users are advised to peruse this advisory and see whether they should update their installations.

VMware SD-WAN Orchestrator vulnerabilities

VMware has also released security updates for both supported branches (3.x and 4.x) of SD-WAN Orchestrator, its enterprise solution for provisioning virtual services in the branch, the cloud, or the enterprise data center.

They fix six vulnerabilities, including SQL injection vulnerabilities, a directory traversal file execution flaw, and default passwords for predefined accounts which may lead to a Pass-the-Hash attack. In that last instance, the update does nothing – it's on administrators to change the default passwords of the preconfigured accounts on SD-WAN Orchestrator before production use.

The vulnerabilities are not deemed to be critical, as attackers need to be authenticated in order to exploit them.

Nevertheless, admins have been advised to upgrade their SD-WAN Orchestrator installations to version 4.0.1, 3.4.4, or 3.3.2 P3.

Half of the vulnerabilities have been discovered and reported by Ariel Tempelhof of Realmode Labs, the other half by Christopher Schneider, Cory Billington and Nicholas Spagnola, penetration test analysts at State Farm.

There are currently no reports of these vulnerabilities being exploited in the wild.

56% of organizations faced a ransomware attack, many paid the ransom

There’s a continued proliferation of ransomware, heightened concerns around nation-state actors, and the need for acceleration of both digital and security transformation, a CrowdStrike survey reveals.


Proliferation of ransomware leads to more frequent payouts, costing millions

Survey data indicates ransomware attacks have proven to be especially effective, as 56% of organizations surveyed have suffered a ransomware attack in the last year. The COVID-19 pandemic catalyzed increasing concerns around ransomware attacks, with many organizations resorting to paying the ransom.

The global attitude shifts from a question of if an organization will experience a ransomware attack to a matter of when an organization will inevitably pay a ransom. Notable findings include:

  • Concern around ransomware attacks continues to increase, with the stark increase in this year’s findings (54%) compared to 2019 (42%) and 2018 (46%).
  • 71% of cybersecurity experts globally are more worried about ransomware attacks due to COVID-19.
  • Among those hit by ransomware, 27% chose to pay the ransom, costing organizations on average $1.1 million USD owed to hackers.
  • The APAC region is suffering the most when paying the ransom with the highest average payout at $1.18 million USD, followed by EMEA at $1.06 million and the U.S. at $0.99 million.

Fear of nation-state cyberattacks can stifle business growth in post COVID-19 world

Nation-state activity continues to weigh heavily on IT decision makers, as 87% of respondents agree that nation-state sponsored cyberattacks are far more common than people think.

As growing international tensions and the global election year have created a breeding ground for increased nation-state activity, organizations are under increased pressure to resume operations despite the increased value of intellectual property and the vulnerabilities caused by COVID-19. Key highlights include:

  • Even with the massive rise in eCrime over the course of 2020, 73% believe nation-state sponsored cyberattacks will pose the single biggest threat to organizations like theirs in 2021. In fact, concerns around nation-states have steadily increased, as 63% of cybersecurity experts view nation-states as one of the cyber criminals most likely to cause concern, consistently rising from 2018 (54%) and 2019 (59%).
  • 89% are fearful that growing international tensions (e.g. U.S.-China trade war) are likely to result in a considerable increase in cyber threats for organizations.
  • Approximately two in five IT security professionals believe a nation-state cyberattack on their organization would be motivated by intelligence (44%) or to take advantage of vulnerabilities caused by COVID-19 (47%).

Digital and security transformation accelerated as business priority

In the wake of these threats, cybersecurity experts have accelerated their digital and security transformation efforts to address the growing activity from eCrime and nation-state actors.

While spend on digital transformation continues to trend upward, the COVID-19 pandemic accelerated the timeline for many organizations, costing additional investment to rapidly modernize security tools for the remote workforce. Security transformation rollout findings include:

  • 61% of respondents’ organizations have spent more than $1 million on digital transformation over the past three years.
  • 90% of respondents’ organizations have spent a minimum of $100,000 to adapt to the COVID-19 pandemic.
  • 66% of respondents have modernized their security tools and/or increased the rollout of cloud technologies as employees have moved to work remotely.
  • 78% of respondents have a more positive outlook on their organization’s overarching security strategy and architecture over the next 12 months.

“This year has been especially challenging for organizations of all sizes around the world, with both the proliferation of ransomware and growing tensions from nation-state actors posing a massive threat to regions worldwide,” said Michael Sentonas, CTO, CrowdStrike.

“Now more than ever, organizations are finding ways to rapidly undergo digital transformation to bring their security to the cloud in order to keep pace with modern-day threats and secure their ‘work from anywhere’ operations.

Cybersecurity teams around the globe are making strides in improving their security posture by moving their security infrastructure to the cloud and remaining diligent in their incident detection, response and remediation practices.”

Attacks on biotech and pharmaceutical industry escalate

Attacks on the biotech and pharmaceutical industry increased by 50% between 2019 and 2020, according to a BlueVoyant report.


The report highlighted that nation-states are ramping up cyber attacks on companies that are developing vaccines, and this is likely to increase as production and distribution gets underway.

The analysis examined open source records of 25 publicly reported attacks that have taken place in the last four years. It set out to define key risks and how COVID-19 has changed the threat landscape.

Establishing that ransomware is still the number one threat vector for this industry, the report identifies the key risks that companies face and the steps they need to take to mitigate these.

Key findings

  • The number one emerging threat in 2020 is nation-state espionage aimed at stealing COVID-19 vaccine research data. That said, the top threat overall is still ransomware.
  • COVID-19 vaccines are the crown jewels in 2020, with eight of the most prominent companies in the race for a vaccine facing high volumes of targeted malicious attacks. These volumes are often out of proportion to the companies' size and larger than those faced by well-known pharmaceutical giants.
  • Biotech and pharmaceutical companies are under daily attacks which include brute force, phishing attempts, and targeting of vulnerable web applications.
  • Attacks are escalating. Of the 25 attacks reported to the media since 2017, 10 (40%) took place in 2020.
  • Key defenses against such attacks, such as securing open remote desktop access ports and protecting against phishing, had not been implemented across most of the observed companies.
  • 80% of the 20 companies analyzed showed signs of more targeted attack activity.

Commenting on the research, Jim Penrose, COO, BlueVoyant said: “Pharmaceutical companies develop highly lucrative IP, they handle large amounts of patient and healthcare data and as such are a prime target for criminals looking to compromise, steal and exploit information. Now they face an even more elevated risk environment in the current pandemic as well-resourced nation-state actors mount aggressive and focused campaigns.

“Most organizations in this sector are significantly scaling up their digital platforms but cyber posture lags. They need to continuously monitor new attack vectors. Importantly, once they have secured their own systems, they need to look outward to supply chain cybersecurity because this sector, more than most industries, has interconnected digital business ecosystems with many supply chain dependencies. Supply chain cybersecurity is a critical step in ensuring against third-party cyber risk.”

Key implications

  • First, 80% of companies targeted experienced malicious, intentional and focused efforts. Even more troubling, 7 out of 20 showed signs of compromise.
  • Second, attackers used automated tools and infrastructure and three quarters used programmatic brute force attacks, meaning they had acquired a credential database and then bought an automated program to target specific companies.
  • Third, these incidents occurred without regard to company size, area of focus or geography. The wide distribution of attacks did not follow a clear pattern, which means that organizations were under attack from sophisticated and knowledgeable cyber actors.

Jim Rosenthal, CEO, BlueVoyant, concludes: “The ongoing effort to find a vaccine and cure for COVID-19 is an endeavor we all want to succeed. The high level of cyber risk associated with the firms working on this critical mission ought to be a call for action to take immediate measures to drive down cyber risk.

“Around the globe all citizens want peace of mind that these firms will guarantee confidentiality, integrity, and availability in their research, development, manufacturing, and data management activities as they race against the clock to deliver life-saving breakthroughs.

“We have recently seen the first death of a patient in Germany attributed to ransomware paralysing a hospital's networks. We need to ensure that the growing surge of attacks against the pharmaceutical sector does not disrupt the delivery of healthcare, and the production and distribution of COVID-19 vaccines in 2021.”

Consumer behaviors and cyber risks of holiday shopping in 2020

While consumers are aware of increased risks and scams via the internet, they still plan to do more shopping online – and earlier – this holiday season, McAfee reveals.


Thirty-six percent of Americans note they are hitting the digital links to give gifts and cheer this year, despite 60% feeling that cyber scams become more prevalent during the holiday season.

While more than 124 million consumers shopped in-store during the 2019 Black Friday to Cyber Monday holiday weekend, the survey indicates consumers have shifted direction due to this year's global events, exposing themselves to online threats as they live, work, play, and buy all through their devices.

The survey shows shopping activity in general has increased, with 49% stating they are buying online more since the onset of COVID-19. 18% of consumers are even shopping online daily, while 34% shop online 3-5 days a week.

Online cybercrime continues to increase

The research team recently found evidence that online cybercrime continues to increase, observing 419 threats per minute in Q2 2020, an increase of almost 12% over the previous quarter.

With activity set to rise from both consumers and criminals, there is an added concern of whether consumers are taking security threats as seriously as they should – with key differences seen across generational groups:

  • 79% of those 65+ in age believe there is a greater cyber risk due to COVID-19 while 70% of those 18-24 state the same
  • 27% of respondents ages 18-24 report checking if emailed or text messaged discounts and deals sent to them are authentic

“Many are wondering what this year’s holiday season will look like as consumer shopping behaviors continue to evolve and adapt to the challenges faced throughout 2020,” said Judith Bitterli, VP of Consumer Marketing, McAfee.

“With results showing the growing prevalence of online shopping, consumers need to be aware of how cybercriminals are looking to take advantage and take the necessary steps to protect themselves – and their loved ones – this holiday season.”

This juxtaposition of increased online activity from both consumers and cybercriminals serves as the perfect catalyst for misdeeds, especially as 36% of consumers note that while they are aware of risks, they plan to increase their holiday online shopping. This less-than-cautious approach is further seen when respondents are offered deals or discounts, with 43% checking to see if Black Friday or Cyber Monday emails and text messages sent are authentic and trustworthy.

Consumers purchasing more online gift cards this year

Additionally, as the National Retail Federation (NRF) reports that 54% of consumers wish to receive gift cards this holiday season, the survey found that 35% of respondents plan to fulfill this request by purchasing more online gift cards this year.

With this alignment set to occur, there are potentially negative implications as 25% of respondents automatically assume gift card links are safe and don’t always take the necessary steps to ensure legitimacy.

In order to stay safe this holiday season, it is advised to:

  • Employ multi-factor authentication to double check the authenticity of digital users and add an additional layer of security to protect personal data and information.
  • Browse with caution and added security using a tool to block malware and phishing sites via malicious links.
  • Protect your identity and important personal and financial details using an identity theft protection tool, which also includes recovery tools should your identity be compromised.

Financial services lead when it comes to fixing open source flaws

The financial services industry has the best flaw fix rate across six industries and leads a majority of industries in uncovering flaws within open source components, Veracode reveals.


Fixing open source flaws is critical because the attack surface of applications is much larger than developers expect when open source libraries are included indirectly.

The findings came as a result of an analysis of 130,000 applications from 2,500 companies.

Fixing open source flaws

The research found that financial services organizations have the smallest proportion of applications with flaws and the second-lowest prevalence of severe flaws behind the manufacturing sector.

The sector also has the highest fix rate among all industries, fixing 75% of flaws. Still, the research found that financial services firms require about six and a half months to resolve half of the flaws they find, indicating that they are slower than other industries to remediate.

“Financial services firms have a median time to remediation of more than six months, despite having a high fix rate compared to other sectors,” said Chris Wysopal, CTO at Veracode.

“However, developers in the financial services industry are often limited by the nature of the environments they are working in, as applications tend to be older, have a medium flaw density, and aren’t consistently following DevSecOps practices compared to other industries.

“With some additional training and sticking to best practices, they can quickly remediate issues and start to reduce security debt.”

Financial services specific findings

The research found compelling evidence that certain developer behaviors associated with DevSecOps yield substantial benefits to software security. The findings detail that financial services firms:

  • Are a leading industry when it comes to fixing flaws in their open source software and establishing strong scan cadences.
  • Fall to middle-of-the-road for scanning frequency and integrating security testing, and are not likely to be using dynamic analysis (DAST) scanning technology to uncover vulnerabilities.
  • Outperform averages across all industries in dealing with issues related to cryptography, input validation, Cross-Site Scripting, and credentials management – all things related to protecting users of financial applications.

Cisco Webex vulnerabilities may enable attackers to covertly join meetings


Cisco has fixed three bugs in its Cisco Webex video conferencing offering that may allow attackers to:

  • Join Webex meetings without appearing in the participant list (CVE-2020-3419)
  • Covertly maintain an audio connection to a Webex meeting after being expelled from it (CVE-2020-3471)
  • Gain access to information (name, email, IP address, device info) on meeting attendees without being admitted to the meeting (CVE-2020-3441)

About the Cisco Webex vulnerabilities

The three flaws were discovered by IBM researchers, after the company’s research department and the Office of the CISO decided to analyze their primary tool for remote meetings (i.e., Cisco Webex).

“These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants,” the researchers shared.

“These flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name. These technical vulnerabilities could be further exploited with a combination of social engineering, open source intelligence (OSINT) and cognitive overloading techniques.”

The vulnerabilities can all be exploited by unauthenticated, remote attackers, either by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site or by browsing the Webex roster.

More details about the possible attacks are available in this blog post, though details about the flaws will be limited until more users are able to implement the provided updates/patches.

Patches and security updates

The bugs affect both Cisco Webex Meetings sites (cloud-based) and Cisco Webex Meetings Server (on-premises).

Cisco addressed them in Cisco Webex Meetings sites a few days ago and no user action is required.

Users of Cisco Webex Meetings Server are advised to upgrade to 3.0MR3 Security Patch 5 or 4.0MR3 Security Patch 4, which contain the needed fixes.

CVE-2020-3419 also affects all Cisco Webex Meetings apps releases 40.10.9 and earlier for iOS and Android, so users are urged to implement the provided updates.

Google forces devs to reveal Chrome extensions’ data use, privacy practices

Starting January 2021, developers of Chrome extensions will have to certify their data use and privacy practices and provide information about the data collected by the extension(s), “in clear and easy to understand language,” in the extension’s detail page in the Chrome Web Store.

“We are also introducing an additional policy focused on limiting how extension developers use data they collect,” Google added.

Privacy practices get more attention

Two weeks ago Apple announced that developers of apps offered through its App Store will have to provide privacy-focused labels so that users can review an app’s privacy practices before they download the app.


“You’ll need to provide information about your app’s privacy practices, including the practices of third-party partners whose code you integrate into your app, in App Store Connect,” Apple told app developers. “This information will be required to submit new apps and app updates to the App Store starting December 8, 2020.”

Now Google is forcing developers to provide similar information for Chrome extensions and, at the same time, the company is updating its developer policy to limit what extension developers can do with the data they collect.

The change means that extension developers are prohibited from selling user data, using it for personalized advertising or to establish users’ creditworthiness or lending qualification, and transferring the data to data brokers or other information resellers. In addition, they must ensure that the use or transfer of user data primarily benefits the user and is in accordance with the stated purpose of the extension.

The privacy-related information will be shown in the Privacy practices tab of the extension’s Chrome Web Store listing:


Will this be enough?

If developers fail to provide data privacy disclosures and to certify that they comply with the Limited Use policy, then starting January 18, 2021, their listing on the Chrome Web Store will say that the publisher has not provided any information about the collection or usage of user data (but the extension apparently won’t be pulled from the store).

Will this stop users from downloading such an extension? Will most users actually read the information provided in the Privacy practices tab? Unfortunately, the answer to these questions is no. Does Google check whether extension developers were truthful when they “certified” their data use practices? Google doesn’t say, but the answer is likely no, as the task would be massive and the claims difficult (if not impossible) to confirm at that scale.

The problem with Apple’s and Google’s latest app privacy transparency push is that the companies shift the responsibility onto app/extension users and developers, and that the sanctions for developers who don’t comply with the store policies are not enough to stop those that are set on abusing them.

The effectiveness of vulnerability disclosure and exploit development

New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development.


The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space – namely, disclosure of exploits before a patch is available does not create a sense of urgency among companies to fix the problem.

The research was conducted by Kenna Security and the Cyentia Institute. It examines how the common practices among security researchers impact the overall security of corporate IT networks.

The importance of timing

The analysis found that when exploit code is made public prior to the release of a patch, cybercriminals get a critical head start. At the same time, when exploits are released before patches, it takes security teams more time to address the problem, even after the patch is released.

“The debate over responsible disclosure has existed for decades, but this data provides an objective correlation between vulnerability discovery, disclosure, and patch delivery for the first time ever,” said Ed Bellis, CTO of Kenna Security.

“However, the results raise several questions about responsible exposure, demonstrating that the timing of exploit code release can shift the balance in favor of attackers or defenders.”

Whether exploit code is released first or a patch is released first, the research found that there are periods of time when attackers have the momentum and when defenders have momentum – a reflection of the fact that no matter when a patch is released, some companies simply don’t or can’t install it before attackers make their move.

For approximately nine of the 15 months studied in this analysis, attackers were able to exploit vulnerabilities at a higher rate than defenders were patching, while defenders had the upper hand for six months.

The vulnerability disclosure practice

At the heart of the vulnerability disclosure practice is a mix of competing incentives for software publishers, IT teams, and the independent security researchers that find software vulnerabilities.

When a vulnerability is found, researchers disclose its existence and the relevant code they used to exploit the application. The publisher sets about creating a patch and pushing the patch to its user base. Occasionally, however, software publishers don’t engage, declining to create a patch or notify users of a vulnerability.

In these cases, researchers will publicly disclose the vulnerability to warn the larger community and spur the publisher to take action. Google, for example, tells software publishers that it will release details of the vulnerabilities it discovers within 90 days of notification, except in a few scenarios.

Additional findings

  • When exploit code is publicly released before a patch, attackers get, on average, a 47-day head start
  • Only 6% of those exploits were detected by more than 1 in 100 organizations
  • Exploit code was already available for over 50% of the vulnerabilities in our sample by the time they were published to the CVE List
  • In great news for defenders, over 80% of exploited vulnerabilities have a patch available prior to, or along with, CVE publication
  • About one-third of vulnerabilities have exploit code published before a patch is made available
  • About 7% of vulnerabilities are exploited before a CVE is published, a patch is available, and exploit code is released

“For decision-makers and researchers across the cybersecurity community, this research provides a vital, never before seen window into the lifecycle of vulnerabilities and exploitations,” said Jay Jacobs, partner, Cyentia Institute.

“These findings offer prominent paths for future research that could ultimately make the IT infrastructure more secure.”

Despite the strong relationship between disclosure of exploitation code and weaponization, the research requires some caveats. It’s possible that the release of exploit code doesn’t facilitate exploitation itself but rather the detection of exploits in the wild, because the release of the code enabled faster creation of anti-virus signatures.

“This new report reignites the conversation on responsible disclosure. More research will help draw more definitive conclusions, but for now, we can say that where there’s smoke, there’s fire,” said Wade Baker, partner and co-founder of Cyentia Institute. “Release of exploit code before a patch seems to have a negative effect on corporate security.”

A perspective on security threats and trends, from inception to impact

Sophos published a report which flags how ransomware and fast-changing attacker behaviors, from advanced to entry level, will shape the threat landscape and IT security in 2021.


Increased gap between ransomware operators

The gap between ransomware operators at different ends of the skills and resource spectrum will increase. At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organizations with multimillion-dollar ransom demands.

In 2020, such families included Ryuk and RagnarLocker. At the other end of the spectrum, Sophos anticipates an increase in the number of entry level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, such as Dharma, that allows them to target high volumes of smaller prey.

Another ransomware trend is “secondary extortion,” where alongside the data encryption the attackers steal and threaten to publish sensitive or confidential information, if their demands are not met. In 2020, Sophos reported on Maze, RagnarLocker, Netwalker, REvil, and others using this approach.

“The ransomware business model is dynamic and complex. During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative ‘cartels,’” said Chester Wisniewski, principal research scientist, Sophos.

“Some, like Maze, appeared to pack their bags and head for a life of leisure, except that some of their tools and techniques have resurfaced under the guise of a newcomer, Egregor. The cyberthreat landscape abhors a vacuum. If one threat disappears another one will quickly take its place.

“In many ways, it is almost impossible to predict where ransomware will go next, but the attack trends discussed in Sophos’ threat report this year are likely to continue into 2021.”

Everyday threats demand serious security attention

Everyday threats such as commodity malware, including loaders and botnets, or human-operated Initial Access Brokers, will demand serious security attention. Such threats can seem like low level malware noise, but they are designed to secure a foothold in a target, gather essential data and share data back to a command-and-control network that will provide further instructions.

If human operators are behind these types of threats, they’ll review every compromised machine for its geolocation and other signs of high value, and then sell access to the most lucrative targets to the highest bidder, such as a major ransomware operation. For instance, in 2020, Ryuk used Buer Loader to deliver its ransomware.

“Commodity malware can seem like a sandstorm of low-level noise clogging up the security alert system. From what Sophos analyzed, it is clear that defenders need to take these attacks seriously, because of where they might lead.

“Any infection can lead to every infection. Many security teams will feel that once malware has been blocked or removed and the compromised machine cleaned, the incident has been prevented,” said Wisniewski.

“They may not realize that the attack was likely against more than one machine and that seemingly common malware like Emotet and Buer Loader can lead to Ryuk, Netwalker and other advanced attacks, which IT may not notice until the ransomware deploys, possibly in the middle of the night or on the weekend. Underestimating ‘minor’ infections could prove very costly.”

Adversaries evading detection and security measures

All ranks of adversaries will increasingly abuse legitimate tools, well known utilities and common network destinations to evade detection and security measures and thwart analysis and attribution.

The abuse of legitimate tools enables adversaries to stay under the radar while they move around the network until they are ready to launch the main part of the attack, such as ransomware.

For nation-state-sponsored attackers, there is the additional benefit that using common tools makes attribution harder. In 2020, Sophos reported on the wide range of standard attack tools now being used by adversaries.

“The abuse of everyday tools and techniques to disguise an active attack featured prominently in Sophos’ review of the threat landscape during 2020. This technique challenges traditional security approaches because the appearance of known tools doesn’t automatically trigger a red flag. This is where the rapidly growing field of human-led threat hunting and managed threat response really comes into its own,” said Wisniewski.

“Human experts know the subtle anomalies and traces to look for, such as a legitimate tool being used at the wrong time or in the wrong place. To trained threat hunters or IT managers using endpoint detection and response (EDR) features, these signs are valuable tripwires that can alert security teams to a potential intruder and an attack underway.”

Additional trends

  • Attacks on servers: adversaries have targeted server platforms running both Windows and Linux, and leveraged these platforms to attack organizations from within
  • The impact of the COVID-19 pandemic on IT security, such as the security challenges of working from home using personal networks protected by widely varying levels of security
  • The security challenges facing cloud environments: cloud computing has successfully borne the brunt of a lot of the enterprise needs for secure computing environments, but faces challenges different to those of a traditional enterprise network
  • Common services like RDP and VPN concentrators, which remain a focus for attacks on the network perimeter. Attackers also use RDP to move laterally within breached networks
  • Software applications traditionally flagged as “potentially unwanted” because they delivered a plethora of advertisements, but engaged in tactics that are increasingly indistinguishable from overt malware
  • The surprising reappearance of an old bug, VelvetSweatshop – a default password feature for earlier versions of Microsoft Excel – used to conceal macros or other malicious content in documents and evade advanced threat detection
  • The need to apply approaches from epidemiology to quantify unseen, undetected and unknown cyberthreats in order to better bridge gaps in detection, assess risk and define priorities

Manufacturing industry overwhelmed by innovative threat actors

TrapX Security and Enterprise Strategy Group (ESG) have released the findings of research that surveyed 150 cyber and IT professionals directly involved in security strategy, control and operations within manufacturing organizations about their current and future concerns.


Manufacturing industry under threat

The research findings point to an industry whose security teams are seeing the IT and OT environments converging at a rapid pace. Yet manufacturing organizations are struggling to safeguard OT assets, as they use the same tools to safeguard OT as they use for their IT infrastructure.

As a result, IT teams can’t keep up with growing volumes of security data or the increasing number of security alerts. They lack the right level of visibility and threat intelligence analysis and don’t have the right staff and skills to handle the cybersecurity workload.

Consequently, business operations are being disrupted and cyber-risk is increasing: more than half of the manufacturing organizations surveyed have experienced some type of cybersecurity incident on their OT systems in the last 12 months, taking weeks or months to remediate.

IT and OT convergence best practice for manufacturers

Manufacturing organizations have large and growing investments in IT and OT technology to combat a rising threat landscape and achieve more agile business processes. As the research reveals, IT and OT integration is fast becoming a best practice.

49% of organizations say that IT and OT infrastructure are tightly integrated while another 45% claim that there is some integration. This integration will only increase as 77% of respondents expect further IT and OT infrastructure convergence in the future.

However, only 41% of organizations employ an IT security team with dedicated OT specialists, while 32% rely on their IT security team alone to protect OT assets. 58% use network technology tactics like IP ranges, VLANs, or microsegmentation to segment IT and OT network traffic.

24% of organizations simply use one common network for IT and OT communications, reducing the visibility and response required for OT-focused attacks.

Common tools and staff may make operational sense, but deploying a plethora of IT security technologies to prepare for the specific threats of OT leaves IT teams unprepared and vulnerable to attack.

As illustrated through this research, IT teams are repeatedly overwhelmed by the growing volumes of security data, visibility gaps, and a lack of staff and skills.

IT teams overwhelmed by volumes of security data

Security teams are challenged by the growing volumes of security data and the increasing number of security alerts. 53% believe that their security operations workload exceeds staff capacity.

37% admitted they must improve their ability to adjust security controls. 58% of surveyed organizations agreed that threat detection and response has grown more difficult.

When asked to provide additional detail on the specific nature of that growing complexity, 45% say they are collecting and processing more security telemetry and 43% say that the volume of security alerts has increased.

Manufacturers are still working in the dark, though: 44% cited evolving and changing threats as making threat detection and response more difficult, which is particularly true as threat actors take advantage of the “fog” of COVID-19.

“The research illustrates a potentially dangerous imbalance between existing security controls and staff capabilities, and a need for more specialized and effective safeguards,” said Jon Oltsik, ESG Senior Principal Analyst and Fellow.

“Manufacturing organizations are consolidating their IT and OT environments to achieve economies of scale and enable new types of business processes. Unfortunately, this advancement carries the growing risk of disruptive cyber-attacks.

“While organizations have deployed numerous technologies for threat detection and response, the data indicates that they are overwhelmed by growing volumes of security data, visibility gaps, and a lack of staff and skills.

“Since they can’t address these challenges with more tools or staff, CISOs really need to seek out more creative approaches for threat detection and response.”

Manufacturing lacks the visibility needed for effective threat detection

As the IT/OT attack surface grows, security teams are spread thinner as they try to keep pace with operations tasks such as threat detection, investigation, incident response, and risk mitigation.

53% agreed that their organization’s OT infrastructure is vulnerable to some type of cyber-attack, while the same number stated that they had already suffered some type of cyber-attack or other security incident in the last 12-24 months that impacted their OT infrastructure.

When asked how long it typically takes for their firm to recover from a cyber-attack, 47% of respondents said between one week and one month, resulting in significant and potentially costly downtime for critical systems.

Manufacturing organizations lack the visibility needed for effective threat detection and response – especially regarding OT assets. Consequently, additional security complexity is unacceptable – any new investments they make must help them simplify security processes and get more out of existing tools and staff.

37% said they must improve their ability to see malicious OT activity, 36% say they must improve their ability to understand OT-focused threat intelligence and 35% believe they must improve their ability to effectively patch vulnerable OT assets.

44% of respondents highlighted deception technology’s invaluable role in helping with threat research, and 56% said that deception technology can be used for threat detection purposes.

55% of the manufacturing organizations surveyed use deception technology today, yet 44% have not made the connection between deception technology and increased attack visibility.

“This research shows that manufacturing organizations are experiencing real challenges when it comes to threat detection and response, particularly for specialized OT assets that are critical for business operations,” said Ori Bach, CEO of TrapX Security.

“This data, and our own experience working with innovators in all sectors of manufacturing, demonstrate there is a clear need for solutions like deception, which can improve cyber defenses and reduce downtime without the need to install agents or disrupt existing security systems and operations.”

93% of businesses are worried about public cloud security

Bitglass released a report which uncovers whether organizations are properly equipped to defend themselves in the cloud. IT and security professionals were surveyed to understand their top security concerns and identify the actions that enterprises are taking to protect data in the cloud.


Orgs struggling to use cloud-based resources safely

93% of respondents were moderately to extremely concerned about the security of the public cloud. The report’s findings suggest that organizations are struggling to use cloud-based resources safely. For example, a mere 31% of organizations use cloud DLP, despite 66% citing data leakage as their top cloud security concern.

Similarly, organizations are unable to maintain visibility into file downloads (45%), file uploads (50%), DLP policy violations (50%), and external sharing (55%) in the cloud.

Many still using legacy tools

The report also found that many still try to use tools like firewalls (44%), network encryption (36%), and network monitoring (26%) to secure the use of the cloud, despite 82% of respondents recognizing that such legacy tools are poorly suited to do so and that they should instead use security capabilities designed for the cloud.


“To address modern cloud security needs, organizations should leverage multi-faceted security platforms that are capable of providing comprehensive and consistent security for any interaction between any device, app, web destination, on-premises resource, or infrastructure,” said Anurag Kahol, CTO at Bitglass.

“According to our research, 79% of organizations already believe it would be helpful to have such a consolidated security platform; now they just need to choose and implement the right one.”

Hybrid environments driving positive business impact amid pandemic

Nutanix announced the findings of its survey and research report, which measures enterprise progress with adopting private, hybrid and public clouds. This year, survey respondents were also asked about the impact of the COVID-19 pandemic on current and future IT decisions and strategy.


Hybrid cloud is still the frontrunner as the ideal IT infrastructure model (86% of respondents think so), and respondents running hybrid environments are more likely to plan to focus on strategic efforts and driving positive business impact.

Shifting IT’s focus toward remote worker support

The pandemic has shifted IT’s focus toward remote worker support and enabling near-instant infrastructure deployments that reach geographically distributed workforces, spurring increased enterprise progress with cloud expansion.

Additionally, a greater number of respondents running hybrid environments said they were likely to offer more flexible work setups, strengthen their business continuity plans, simplify operations, and increase digital conferencing usage because of the pandemic.

76% of respondents reported the pandemic made them think more strategically about IT, and 46% said their investments in hybrid cloud, including public and private clouds, have increased as a direct result of the pandemic.

Additionally, businesses increasingly rely on multiple public clouds to meet their needs compared to previous years. The report showed that, among those who use public clouds, 63% of respondents use two or more public clouds (multicloud), and respondents expect this number to jump to 71% in the next 12 months.

Enterprises taking key steps toward reaching their IT operating model of choice

Global respondents report taking the initial key steps to successfully run a hybrid environment, including adopting hyperconverged infrastructure in their datacenters and decommissioning non-cloud-enabled datacenters in favor of private and public cloud usage.

Global IT teams are also planning for substantial infrastructure changes; they foresee, on average, hybrid cloud deployments increasing by more than 37 percentage points over the next five years, with a corresponding 15-point drop in non-cloud-enabled datacenters.

Most notably, of the many infrastructure categories, respondents reported running a mixed model of private cloud, public cloud, and traditional datacenter more often than any other (nearly 26%), which is likely a precursor to a hybrid cloud deployment.

Remote work is here to stay — and companies are planning for it

In last year’s survey, about 27% of respondent companies had no full-time at-home workers. That number fell 20 percentage points this year to only 7%, as a result of COVID-19.

By 2022, respondents predict that an average of 13% of companies will have no full-time remote employees at that time, less than half as many as a year ago in 2019, before COVID struck. Improving IT infrastructure (50%) and work-from-home capabilities (47%) have therefore become priorities for the next 12 to 18 months.

Strategic business outcomes, not economics, drive change today

Respondents said their primary motives for modifying their IT infrastructures are to get greater control of their IT resources (58%), gain the flexibility to meet dynamic business requirements (55%), and improve support for customers and remote workers (46%). By contrast, just 27% mentioned cutting costs as a driver.

Educators face unique COVID-19-related challenges and needs

More education-industry respondents cited “ensuring that remote workers have adequate hardware” as a primary challenge than any other issue. 47% also cited providing “adequate communications channels among employees, customers, and clients” as a top challenge.

The education sector is taking the right steps toward transformation, ranking high in private cloud deployments, with 29% of respondents saying they were running private clouds only (substantially more than the 22% global average).

“In January, for many companies technology was considered a basic function of a business, enabling core organizational processes,” said Wendy M. Pfeiffer, CIO of Nutanix.

“Today, technology has taken on an entirely new meaning. It is a complex strategy and it makes or breaks a company’s long-term viability. COVID-19 has accelerated us into a new era of strategic IT and raised its profile considerably, and the findings from this year’s Enterprise Cloud Index reflect this new reality.

“Hybrid cloud is the frontrunner, and it will continue to be as we navigate our mixing of physical and virtual environments and move away from doing business in a single mode.”

Kali Linux 2020.4 released: New default shell, fresh tools, and more!

Offensive Security has released Kali Linux 2020.4, the latest version of its popular open source penetration testing platform. You can download it or upgrade to it.

Kali Linux 2020.4 changes: the changes in this version include ZSH as Kali’s new default shell on desktop images and cloud, while Bash remains the default shell for other platforms (ARM, containers, NetHunter, WSL) for the time being. Users can, of course, use that which they prefer, but be … More

The post Kali Linux 2020.4 released: New default shell, fresh tools, and more! appeared first on Help Net Security.

Review: Group-IB Fraud Hunting Platform

Today’s Internet is a hectic place. A lot of different web technologies and services are “glued together” and help users shop online, watch the newest movies, or stream the newest hits while jogging. But these (paid) services are also constantly threatened by attackers – and no company, no matter how big, is completely immune. Take the recent Twitter compromise as an example: the attackers hijacked a number of influential Twitter accounts, including those belonging to … More

The post Review: Group-IB Fraud Hunting Platform appeared first on Help Net Security.

How do I select a security assessment solution for my business?

Recent research shows high-risk vulnerabilities at 84% of companies across finance, manufacturing, IT, retail, government, telecoms and advertising. One or more hosts with a high-risk vulnerability that has a publicly available exploit are present at 58% of companies. Publicly available exploits exist for 10% of the vulnerabilities found, which means attackers can exploit them even if they don’t have professional programming skills or experience in reverse engineering. To select a suitable security assessment solution for … More

The post How do I select a security assessment solution for my business? appeared first on Help Net Security.

CISOs say a distributed workforce has critically increased security concerns

73% of security and IT executives are concerned about new vulnerabilities and risks introduced by the distributed workforce, Skybox Security reveals.


The report also uncovered an alarming disconnect between confidence in security posture and increased cyberattacks during the global pandemic.

Digital transformation creating the perfect storm

To protect employees from COVID-19, enterprises rapidly shifted to make work from home possible and maintain business productivity. Forced to accelerate digital transformation initiatives, enterprises created the perfect storm.

2020 will be a record-breaking year for new vulnerabilities, with a 34% increase year-over-year – a leading indicator of the growth of future attacks.

As a result, security teams now have more to protect than ever before. Surveying 295 global executives, the report found that organizations are overconfident in their security posture, and new strategies are needed to secure a long-term distributed workforce.

Key observations

  • Deprioritized security tasks increase risk: Over 30% of security executives said software updates and BYOD policies were deprioritized. Further, 42% noted reporting was deprioritized since the onset of the pandemic.
  • Enterprises can’t keep up with the pace: 32% had difficulties validating if network and security configurations undermined security posture. 55% admitted that it was at least moderately difficult for them to validate network and security configurations did not increase risk.
  • Security teams are overconfident in security posture: Only 11% confirmed they could confidently maintain a holistic view of their organizations’ attack surfaces. Shockingly, 93% of security executives were still confident that changes were correctly validated.
  • The distributed workforce is here to stay: 70% of respondents projected that at least one-third of their employees will remain remote 18 months from now.


“Traditional detect-and-respond approaches are no longer enough. A radical new approach is needed – one that is rooted in the development of preventative and prescriptive vulnerability and threat management practices,” said Gidi Cohen, CEO, Skybox Security.

“To advance change, it is integral that everything, including data and talent, is working towards enriching the security program as a whole.”